* Re: net/udp: slab-out-of-bounds Read in udp_recvmsg
From: Dmitry Vyukov @ 2017-03-15 15:41 UTC
  To: 쪼르
  Cc: David Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
	Patrick McHardy, netdev, LKML, syzkaller

On Wed, Mar 15, 2017 at 4:25 PM, 쪼르 <zzoru007@gmail.com> wrote:
> It seems that an attacker can leak kernel memory (slab) through this vulnerability.
> I made a PoC, and it works well on
> ae50dfd61665086e617cc9e554a1285d52765670,
> but I found that the PoC didn't work on Ubuntu 16.04.02 4.4.0-64-generic
> #85-Ubuntu SMP.


Do you know why it is not working on Ubuntu 16.04.02?
Is it because the source bug is not present there? Or maybe you need a
slightly different PoC for that version?


> On Wed, Mar 15, 2017 at 5:34 PM, JongHwan Kim <zzoru007@gmail.com> wrote:
>>
>>
>> Hello,
>>
>> I've got the following slab-out-of-bounds Read report while running the
>> syzkaller fuzzer on ae50dfd61665086e617cc9e554a1285d52765670.
>>
>>
>> ==================================================================
>>
>>
>> Syzkaller hit 'KASAN: slab-out-of-bounds Read in put_cmsg' bug on commit .
>>
>> BUG: KASAN: slab-out-of-bounds in copy_to_user
>> arch/x86/include/asm/uaccess.h:716 [inline] at addr ffff88006bfc4054
>> BUG: KASAN: slab-out-of-bounds in put_cmsg+0x2c4/0x3e0 net/core/scm.c:242
>> at addr ffff88006bfc4054
>> Read of size 4553 by task syz-executor3/7169
>> CPU: 2 PID: 7169 Comm: syz-executor3 Not tainted 4.11.0-rc1+ #6
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:16 [inline]
>>  dump_stack+0x115/0x1cf lib/dump_stack.c:52
>>  kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
>>  print_address_description mm/kasan/report.c:200 [inline]
>>  kasan_report_error mm/kasan/report.c:289 [inline]
>>  kasan_report.part.1+0x226/0x4f0 mm/kasan/report.c:311
>>  kasan_report+0x21/0x30 mm/kasan/report.c:298
>>  check_memory_region_inline mm/kasan/kasan.c:326 [inline]
>>  check_memory_region+0x137/0x190 mm/kasan/kasan.c:333
>>  kasan_check_read+0x11/0x20 mm/kasan/kasan.c:338
>>  copy_to_user arch/x86/include/asm/uaccess.h:716 [inline]
>>  put_cmsg+0x2c4/0x3e0 net/core/scm.c:242
>>  __sock_recv_timestamp+0x4e3/0x6c0 net/socket.c:699
>>  sock_recv_timestamp include/net/sock.h:2231 [inline]
>>  __sock_recv_ts_and_drops+0x99/0x370 net/socket.c:732
>>  sock_recv_ts_and_drops include/net/sock.h:2251 [inline]
>>  udp_recvmsg+0xa4c/0x1300 net/ipv4/udp.c:1472
>>  inet_recvmsg+0x14c/0x5f0 net/ipv4/af_inet.c:792
>>  sock_recvmsg_nosec net/socket.c:740 [inline]
>>  sock_recvmsg+0xc9/0x110 net/socket.c:747
>>  ___sys_recvmsg+0x265/0x5b0 net/socket.c:2144
>>  __sys_recvmsg+0xe2/0x210 net/socket.c:2189
>>  SYSC_recvmsg net/socket.c:2201 [inline]
>>  SyS_recvmsg+0x2d/0x50 net/socket.c:2196
>>  entry_SYSCALL_64_fastpath+0x1f/0xc2
>> RIP: 0033:0x44fb79
>> RSP: 002b:00007f7117f47b58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
>> RAX: ffffffffffffffda RBX: 0000000000708000 RCX: 000000000044fb79
>> RDX: 0000000000000100 RSI: 00000000209c8fc8 RDI: 0000000000000005
>> RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000005
>> R13: 00000000208f8000 R14: 00000000209c8000 R15: 0000000000000000
>> Object at ffff88006bfc4028, in cache kmalloc-1024 size: 1024
>> Allocated:
>> PID = 7169
>>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>>  set_track mm/kasan/kasan.c:525 [inline]
>>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
>>  kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:555
>>  slab_post_alloc_hook mm/slab.h:456 [inline]
>>  slab_alloc_node mm/slub.c:2718 [inline]
>>  __kmalloc_node_track_caller+0x11e/0x360 mm/slub.c:4303
>>  __kmalloc_reserve.isra.37+0x41/0xd0 net/core/skbuff.c:138
>>  __alloc_skb+0x13b/0x740 net/core/skbuff.c:231
>>  alloc_skb include/linux/skbuff.h:933 [inline]
>>  alloc_skb_with_frags+0x10d/0x700 net/core/skbuff.c:4661
>>  sock_alloc_send_pskb+0x7b4/0x9d0 net/core/sock.c:1892
>>  sock_alloc_send_skb+0x32/0x40 net/core/sock.c:1909
>>  __ip_append_data.isra.49+0x176b/0x2d40 net/ipv4/ip_output.c:1034
>>  ip_append_data.part.51+0xe9/0x160 net/ipv4/ip_output.c:1235
>>  ip_append_data+0x68/0x80 net/ipv4/ip_output.c:1224
>>  udp_sendmsg+0x1a7f/0x2c40 net/ipv4/udp.c:1073
>>  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:761
>>  sock_sendmsg_nosec net/socket.c:633 [inline]
>>  sock_sendmsg+0xca/0x110 net/socket.c:643
>>  SYSC_sendto+0x352/0x5a0 net/socket.c:1685
>>  SyS_sendto+0x40/0x50 net/socket.c:1653
>>  entry_SYSCALL_64_fastpath+0x1f/0xc2
>> Freed:
>> PID = 0
>>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>>  set_track mm/kasan/kasan.c:525 [inline]
>>  kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
>>  slab_free_hook mm/slub.c:1357 [inline]
>>  slab_free_freelist_hook mm/slub.c:1379 [inline]
>>  slab_free mm/slub.c:2961 [inline]
>>  kfree+0xe8/0x2c0 mm/slub.c:3882
>>  skb_free_head+0x74/0xb0 net/core/skbuff.c:579
>>  skb_release_data+0x442/0x570 net/core/skbuff.c:610
>>  skb_release_all+0x4a/0x60 net/core/skbuff.c:669
>>  __kfree_skb net/core/skbuff.c:683 [inline]
>>  consume_skb+0x153/0x480 net/core/skbuff.c:756
>>  __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2472
>>  dev_kfree_skb_any include/linux/netdevice.h:3231 [inline]
>>  e1000_unmap_and_free_tx_resource.isra.48+0x1c4/0x390
>> drivers/net/ethernet/intel/e1000/e1000_main.c:1977
>>  e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3889
>> [inline]
>>  e1000_clean+0x513/0x2640
>> drivers/net/ethernet/intel/e1000/e1000_main.c:3832
>>  napi_poll net/core/dev.c:5266 [inline]
>>  net_rx_action+0x6d5/0x14b0 net/core/dev.c:5331
>>  __do_softirq+0x2d1/0xb1d kernel/softirq.c:284
>> Memory state around the buggy address:
>>  ffff88006bfc4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>  ffff88006bfc4380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> >ffff88006bfc4400: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>>                                   ^
>>  ffff88006bfc4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>  ffff88006bfc4500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ==================================================================
>> Disabling lock debugging due to kernel taint
>> Kernel panic - not syncing: panic_on_warn set ...
>>
>> CPU: 2 PID: 7169 Comm: syz-executor3 Tainted: G    B           4.11.0-rc1+
>> #6
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:16 [inline]
>>  dump_stack+0x115/0x1cf lib/dump_stack.c:52
>>  panic+0x1b4/0x392 kernel/panic.c:180
>>  kasan_end_report+0x50/0x50 mm/kasan/report.c:141
>>  kasan_report_error mm/kasan/report.c:293 [inline]
>>  kasan_report.part.1+0x422/0x4f0 mm/kasan/report.c:311
>>  kasan_report+0x21/0x30 mm/kasan/report.c:298
>>  check_memory_region_inline mm/kasan/kasan.c:326 [inline]
>>  check_memory_region+0x137/0x190 mm/kasan/kasan.c:333
>>  kasan_check_read+0x11/0x20 mm/kasan/kasan.c:338
>>  copy_to_user arch/x86/include/asm/uaccess.h:716 [inline]
>>  put_cmsg+0x2c4/0x3e0 net/core/scm.c:242
>>  __sock_recv_timestamp+0x4e3/0x6c0 net/socket.c:699
>>  sock_recv_timestamp include/net/sock.h:2231 [inline]
>>  __sock_recv_ts_and_drops+0x99/0x370 net/socket.c:732
>>  sock_recv_ts_and_drops include/net/sock.h:2251 [inline]
>>  udp_recvmsg+0xa4c/0x1300 net/ipv4/udp.c:1472
>>  inet_recvmsg+0x14c/0x5f0 net/ipv4/af_inet.c:792
>>  sock_recvmsg_nosec net/socket.c:740 [inline]
>>  sock_recvmsg+0xc9/0x110 net/socket.c:747
>>  ___sys_recvmsg+0x265/0x5b0 net/socket.c:2144
>>  __sys_recvmsg+0xe2/0x210 net/socket.c:2189
>>  SYSC_recvmsg net/socket.c:2201 [inline]
>>  SyS_recvmsg+0x2d/0x50 net/socket.c:2196
>>  entry_SYSCALL_64_fastpath+0x1f/0xc2
>> RIP: 0033:0x44fb79
>> RSP: 002b:00007f7117f47b58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
>> RAX: ffffffffffffffda RBX: 0000000000708000 RCX: 000000000044fb79
>> RDX: 0000000000000100 RSI: 00000000209c8fc8 RDI: 0000000000000005
>> RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000005
>> R13: 00000000208f8000 R14: 00000000209c8000 R15: 0000000000000000
>> Dumping ftrace buffer:
>>    (ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> Syzkaller reproducer:
>> # {Threaded:true Collide:false Repeat:false Procs:1 Sandbox:setuid
>> Repro:false}
>> mmap(&(0x7f0000000000/0x9c9000)=nil, (0x9c9000), 0x3, 0x32,
>> 0xffffffffffffffff, 0x0)
>> r0 = socket$udp(0x2, 0x2, 0x0)
>> r1 = dup2(r0, r0)
>> setsockopt$sock_int(r0, 0x1, 0x6, &(0x7f0000549000-0x4)=0x906, 0x4)
>> bind$inet(r1, &(0x7f00004de000)={0x2, 0x0, @loopback=0x7f000001, [0x0,
>> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
>> sendto$inet(r0, &(0x7f00001cc000)="", 0x0, 0x8000,
>> &(0x7f00009c5000-0x10)={0x2, 0x2, @broadcast=0xffffffff, [0x0, 0x0, 0x0,
>> 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
>> connect$inet(r1, &(0x7f0000994000)={0x2, 0x0, @loopback=0x7f000001, [0x0,
>> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
>> recvmsg(r0, &(0x7f00009c9000-0x38)={&(0x7f000083f000-0x1)=nil, 0x0,
>> &(0x7f00009c9000-0x10)=[{&(0x7f00009c1000)="", 0x0}], 0x1,
>> &(0x7f00009c8000)="", 0x0, 0xfffffffffffff7fd}, 0x100)
>> setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000104000-0x4)=0x19fe,
>> 0x4)
>> write(r1,
>> &(0x7f00009c4000-0x1000)="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",
>> 0x1000)
>>
>>
>> C reproducer:
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>
>> #ifndef __NR_bind
>> #define __NR_bind 49
>> #endif
>> #ifndef __NR_write
>> #define __NR_write 1
>> #endif
>> #ifndef __NR_recvmsg
>> #define __NR_recvmsg 47
>> #endif
>> #ifndef __NR_mmap
>> #define __NR_mmap 9
>> #endif
>> #ifndef __NR_socket
>> #define __NR_socket 41
>> #endif
>> #ifndef __NR_dup2
>> #define __NR_dup2 33
>> #endif
>> #ifndef __NR_setsockopt
>> #define __NR_setsockopt 54
>> #endif
>> #ifndef __NR_sendto
>> #define __NR_sendto 44
>> #endif
>> #ifndef __NR_connect
>> #define __NR_connect 42
>> #endif
>>
>> #define __STDC_VERSION__ 201112L
>>
>> #define _GNU_SOURCE
>>
>> #include <sys/ioctl.h>
>> #include <sys/mman.h>
>> #include <sys/mount.h>
>> #include <sys/prctl.h>
>> #include <sys/resource.h>
>> #include <sys/socket.h>
>> #include <sys/stat.h>
>> #include <sys/syscall.h>
>> #include <sys/time.h>
>> #include <sys/types.h>
>> #include <sys/wait.h>
>>
>> #include <linux/capability.h>
>> #include <linux/if.h>
>> #include <linux/if_tun.h>
>> #include <linux/kvm.h>
>> #include <linux/sched.h>
>> #include <net/if_arp.h>
>>
>> #include <assert.h>
>> #include <dirent.h>
>> #include <errno.h>
>> #include <fcntl.h>
>> #include <grp.h>
>> #include <pthread.h>
>> #include <setjmp.h>
>> #include <signal.h>
>> #include <stdarg.h>
>> #include <stdbool.h>
>> #include <stddef.h>
>> #include <stdint.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <unistd.h>
>>
>> const int kFailStatus = 67;
>> const int kErrorStatus = 68;
>> const int kRetryStatus = 69;
>>
>> __attribute__((noreturn)) void doexit(int status)
>> {
>>   volatile unsigned i;
>>   syscall(__NR_exit_group, status);
>>   for (i = 0;; i++) {
>>   }
>> }
>>
>> __attribute__((noreturn)) void fail(const char* msg, ...)
>> {
>>   int e = errno;
>>   fflush(stdout);
>>   va_list args;
>>   va_start(args, msg);
>>   vfprintf(stderr, msg, args);
>>   va_end(args);
>>   fprintf(stderr, " (errno %d)\n", e);
>>   doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
>> }
>>
>> __attribute__((noreturn)) void exitf(const char* msg, ...)
>> {
>>   int e = errno;
>>   fflush(stdout);
>>   va_list args;
>>   va_start(args, msg);
>>   vfprintf(stderr, msg, args);
>>   va_end(args);
>>   fprintf(stderr, " (errno %d)\n", e);
>>   doexit(kRetryStatus);
>> }
>>
>> static int flag_debug;
>>
>> void debug(const char* msg, ...)
>> {
>>   if (!flag_debug)
>>     return;
>>   va_list args;
>>   va_start(args, msg);
>>   vfprintf(stdout, msg, args);
>>   va_end(args);
>>   fflush(stdout);
>> }
>>
>> __thread int skip_segv;
>> __thread jmp_buf segv_env;
>>
>> static void segv_handler(int sig, siginfo_t* info, void* uctx)
>> {
>>   uintptr_t addr = (uintptr_t)info->si_addr;
>>   const uintptr_t prog_start = 1 << 20;
>>   const uintptr_t prog_end = 100 << 20;
>>   if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
>>       (addr < prog_start || addr > prog_end)) {
>>     debug("SIGSEGV on %p, skipping\n", addr);
>>     _longjmp(segv_env, 1);
>>   }
>>   debug("SIGSEGV on %p, exiting\n", addr);
>>   doexit(sig);
>>   for (;;) {
>>   }
>> }
>>
>> static void install_segv_handler()
>> {
>>   struct sigaction sa;
>>   memset(&sa, 0, sizeof(sa));
>>   sa.sa_sigaction = segv_handler;
>>   sa.sa_flags = SA_NODEFER | SA_SIGINFO;
>>   sigaction(SIGSEGV, &sa, NULL);
>>   sigaction(SIGBUS, &sa, NULL);
>> }
>>
>> #define NONFAILING(...)                                                \
>>   {                                                                    \
>>     __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
>>     if (_setjmp(segv_env) == 0) {                                      \
>>       __VA_ARGS__;                                                     \
>>     }                                                                  \
>>     __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
>>   }
>>
>> #define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)
>>
>> #define BITMASK_LEN_OFF(type, bf_off, bf_len)                          \
>>   (type)(BITMASK_LEN(type, (bf_len)) << (bf_off))
>>
>> #define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len)              \
>>   if ((bf_off) == 0 && (bf_len) == 0) {                                \
>>     *(type*)(addr) = (type)(val);                                      \
>>   } else {                                                             \
>>     type new_val = *(type*)(addr);                                     \
>>     new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len));             \
>>     new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off);  \
>>     *(type*)(addr) = new_val;                                          \
>>   }
>>
>> static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
>>                                  uintptr_t a2, uintptr_t a3,
>>                                  uintptr_t a4, uintptr_t a5,
>>                                  uintptr_t a6, uintptr_t a7,
>>                                  uintptr_t a8)
>> {
>>   switch (nr) {
>>   default:
>>     return syscall(nr, a0, a1, a2, a3, a4, a5);
>>   }
>> }
>>
>> static void setup_main_process()
>> {
>>   struct sigaction sa;
>>   memset(&sa, 0, sizeof(sa));
>>   sa.sa_handler = SIG_IGN;
>>   syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
>>   syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
>>   install_segv_handler();
>>
>>   char tmpdir_template[] = "./syzkaller.XXXXXX";
>>   char* tmpdir = mkdtemp(tmpdir_template);
>>   if (!tmpdir)
>>     fail("failed to mkdtemp");
>>   if (chmod(tmpdir, 0777))
>>     fail("failed to chmod");
>>   if (chdir(tmpdir))
>>     fail("failed to chdir");
>> }
>>
>> static void loop();
>>
>> static void sandbox_common()
>> {
>>   prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
>>   setpgrp();
>>   setsid();
>>
>>   struct rlimit rlim;
>>   rlim.rlim_cur = rlim.rlim_max = 128 << 20;
>>   setrlimit(RLIMIT_AS, &rlim);
>>   rlim.rlim_cur = rlim.rlim_max = 1 << 20;
>>   setrlimit(RLIMIT_FSIZE, &rlim);
>>   rlim.rlim_cur = rlim.rlim_max = 1 << 20;
>>   setrlimit(RLIMIT_STACK, &rlim);
>>   rlim.rlim_cur = rlim.rlim_max = 0;
>>   setrlimit(RLIMIT_CORE, &rlim);
>>
>>   unshare(CLONE_NEWNS);
>>   unshare(CLONE_NEWIPC);
>>   unshare(CLONE_IO);
>> }
>>
>> static int do_sandbox_setuid(int executor_pid, bool enable_tun)
>> {
>>   int pid = fork();
>>   if (pid)
>>     return pid;
>>
>>   sandbox_common();
>>
>>   const int nobody = 65534;
>>   if (setgroups(0, NULL))
>>     fail("failed to setgroups");
>>   if (syscall(SYS_setresgid, nobody, nobody, nobody))
>>     fail("failed to setresgid");
>>   if (syscall(SYS_setresuid, nobody, nobody, nobody))
>>     fail("failed to setresuid");
>>
>>   loop();
>>   doexit(1);
>> }
>>
>> long r[55];
>> void* thr(void* arg)
>> {
>>   switch ((long)arg) {
>>   case 0:
>>     r[0] =
>>         execute_syscall(__NR_mmap, 0x20000000ul, 0x9c9000ul, 0x3ul,
>>                         0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
>>     break;
>>   case 1:
>>     r[1] = execute_syscall(__NR_socket, 0x2ul, 0x2ul, 0x0ul, 0, 0, 0, 0,
>>                            0, 0);
>>     break;
>>   case 2:
>>     r[2] = execute_syscall(__NR_dup2, r[1], r[1], 0, 0, 0, 0, 0, 0, 0);
>>     break;
>>   case 3:
>>     NONFAILING(*(uint32_t*)0x20548ffc = (uint32_t)0x906);
>>     r[4] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x6ul,
>>                            0x20548ffcul, 0x4ul, 0, 0, 0, 0);
>>     break;
>>   case 4:
>>     NONFAILING(*(uint16_t*)0x204de000 = (uint16_t)0x2);
>>     NONFAILING(*(uint16_t*)0x204de002 = (uint16_t)0x204e);
>>     NONFAILING(*(uint32_t*)0x204de004 = (uint32_t)0x100007f);
>>     NONFAILING(*(uint8_t*)0x204de008 = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de009 = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de00a = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de00b = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de00c = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de00d = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de00e = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x204de00f = (uint8_t)0x0);
>>     r[16] = execute_syscall(__NR_bind, r[2], 0x204de000ul, 0x10ul, 0, 0,
>>                             0, 0, 0, 0);
>>     break;
>>   case 5:
>>     NONFAILING(*(uint16_t*)0x209c4ff0 = (uint16_t)0x2);
>>     NONFAILING(*(uint16_t*)0x209c4ff2 = (uint16_t)0x224e);
>>     NONFAILING(*(uint32_t*)0x209c4ff4 = (uint32_t)0xffffffff);
>>     NONFAILING(*(uint8_t*)0x209c4ff8 = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4ff9 = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4ffa = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4ffb = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4ffc = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4ffd = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4ffe = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x209c4fff = (uint8_t)0x0);
>>     r[28] = execute_syscall(__NR_sendto, r[1], 0x201cc000ul, 0x0ul,
>>                             0x8000ul, 0x209c4ff0ul, 0x10ul, 0, 0, 0);
>>     break;
>>   case 6:
>>     NONFAILING(*(uint16_t*)0x20994000 = (uint16_t)0x2);
>>     NONFAILING(*(uint16_t*)0x20994002 = (uint16_t)0x204e);
>>     NONFAILING(*(uint32_t*)0x20994004 = (uint32_t)0x100007f);
>>     NONFAILING(*(uint8_t*)0x20994008 = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x20994009 = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x2099400a = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x2099400b = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x2099400c = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x2099400d = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x2099400e = (uint8_t)0x0);
>>     NONFAILING(*(uint8_t*)0x2099400f = (uint8_t)0x0);
>>     r[40] = execute_syscall(__NR_connect, r[2], 0x20994000ul, 0x10ul, 0,
>>                             0, 0, 0, 0, 0);
>>     break;
>>   case 7:
>>     NONFAILING(*(uint64_t*)0x209c8fc8 = (uint64_t)0x2083efff);
>>     NONFAILING(*(uint32_t*)0x209c8fd0 = (uint32_t)0x0);
>>     NONFAILING(*(uint64_t*)0x209c8fd8 = (uint64_t)0x209c8ff0);
>>     NONFAILING(*(uint64_t*)0x209c8fe0 = (uint64_t)0x1);
>>     NONFAILING(*(uint64_t*)0x209c8fe8 = (uint64_t)0x209c8000);
>>     NONFAILING(*(uint64_t*)0x209c8ff0 = (uint64_t)0x0);
>>     NONFAILING(*(uint32_t*)0x209c8ff8 = (uint32_t)0xfffffffffffff7fd);
>>     NONFAILING(*(uint64_t*)0x209c8ff0 = (uint64_t)0x209c1000);
>>     NONFAILING(*(uint64_t*)0x209c8ff8 = (uint64_t)0x0);
>>     r[50] = execute_syscall(__NR_recvmsg, r[1], 0x209c8fc8ul, 0x100ul,
>>                             0, 0, 0, 0, 0, 0);
>>     break;
>>   case 8:
>>     NONFAILING(*(uint32_t*)0x20103ffc = (uint32_t)0x19fe);
>>     r[52] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x25ul,
>>                             0x20103ffcul, 0x4ul, 0, 0, 0, 0);
>>     break;
>>   case 9:
>>     NONFAILING(memcpy(
>>         (void*)0x209c3000,
>>         "\x97\x38\xd2\x89\x33\x60\xcc\x30\x6c\xd6\x3c\xf6\xf5\x1d\x0d"
>>         "\x94\x09\x0b\xc8\x7a\x8d\xb3\x14\xa9\x6d\xec\x1b\xf0\x54\xe4"
>>         "\xfc\x7a\xcc\x87\x23\x18\xc9\x96\x11\x5b\x47\x27\x36\x0c\x63"
>>         "\x1b\xcb\x22\xf0\x7a\xd5\x13\x87\xbc\xa3\x4c\x27\x94\x9b\x81"
>>         "\x8c\x29\x44\x18\x28\xd5\x8b\x0e\xba\xaa\x05\x0b\x74\x00\x63"
>>         "\x9d\xf4\xb4\x27\xbd\xb4\x8e\xab\x60\x8e\x89\x4c\xf0\x38\x8a"
>>         "\x1a\x3a\xb5\x1f\xb2\x99\x1d\x20\xdd\x45\xc9\x99\x04\xd0\x51"
>>         "\x9f\x83\xfb\x3e\xfb\xdf\x5b\x33\x9c\x9c\x0e\x88\x1d\x89\x5e"
>>         "\x57\xdb\xb4\xb9\x14\x2a\xe1\x54\xb3\x33\xe8\xde\xd7\x1c\x9a"
>>         "\x32\xed\x58\xe5\x92\x2d\x2c\xf6\x48\xa6\x5d\x9f\xf6\x91\xea"
>>         "\xa3\x95\x5a\xa1\xca\xdd\xb2\xe9\x00\xbf\x9a\xee\x42\xae\x33"
>>         "\xc5\x5a\x1e\xfb\x9f\x81\xe4\x52\x0f\x0c\xee\xcc\x62\xc3\xfb"
>>         "\xa8\x9d\x16\x24\xd8\xd1\x98\xae\x39\x4d\xce\xfd\xe6\x20\xc7"
>>         "\xdc\x87\xd7\x09\x6d\x1c\x60\x19\x1f\x16\x0a\xae\x87\xb9\xbc"
>>         "\xd1\x72\xf3\xa4\xcd\x6e\x1e\xca\x6e\x6d\x28\xfc\xaa\xdf\x85"
>>         "\xd3\x73\xa0\x06\x00\x1a\x8e\x1d\x08\xfd\xc0\x64\x4a\x5d\x1e"
>>         "\x52\xd8\x86\xd7\x5e\xdf\xd6\x1a\x5c\xc5\x5a\x3a\xcc\xb2\x30"
>>         "\x70\x9a\x91\x29\x63\xf3\x69\x92\xfd\x65\x0a\x8e\x01\x4a\x4b"
>>         "\xd0\x3c\xa5\x7b\x79\x5d\x31\x4a\x4c\x82\xdd\x17\xed\x08\xca"
>>         "\x49\xde\x68\x24\xeb\x65\xb2\x3e\x31\x97\x7b\xf2\x6f\xe8\xed"
>>         "\xd3\xb5\xc7\x27\x6c\x28\x38\x9a\x4e\x75\xbc\x25\xc1\x0f\x26"
>>         "\x8b\xe2\x07\x68\xed\xd9\xe0\xfc\x9b\x10\x3f\xc1\x43\x81\xe3"
>>         "\xf2\x9e\x45\x02\xb5\x00\x98\x91\x20\x70\x27\xc3\xf0\x6b\x5f"
>>         "\xbd\x84\x52\x15\xb2\x55\x94\xd9\xf8\xdb\x9a\x8d\x77\xf5\x11"
>>         "\x10\x79\x5c\xc4\x0e\xad\x2f\x4c\x72\x43\x7c\x34\x36\xc8\x78"
>>         "\xf9\x50\x37\x8d\x14\x1d\x0e\xf3\x8e\xc9\x5d\x60\x8b\x7e\x0c"
>>         "\xf0\xbf\xc7\x7a\x40\xb1\x08\xf0\x45\x89\x9d\xa9\x08\xb6\xe7"
>>         "\x22\x2a\xed\xc0\x0d\x23\xd1\x31\xb4\x39\xeb\xec\xcf\xd2\xd4"
>>         "\xa6\x59\xe2\x2f\xc0\x07\x91\x21\x79\xc2\xc3\x10\xe7\xed\xc7"
>>         "\xd8\x9b\x8a\xde\x98\x34\x4d\xea\xea\x0c\x23\xe6\xbe\x6e\xc7"
>>         "\x4d\x50\xb8\xdf\x80\x7d\xb3\x5d\xfc\x77\xd0\x70\xa9\xa3\x36"
>>         "\xff\x54\xc9\xb4\xf1\x57\x83\x8b\x16\x9e\x54\x3d\x11\xd3\x96"
>>         "\xdb\x96\xc6\xf1\x60\x04\x58\xb5\xc5\x01\x38\x64\x82\x46\x03"
>>         "\x65\x18\x50\x43\x34\xd9\x9d\xa6\x34\x6e\xee\x8f\x75\x29\x03"
>>         "\x6e\x4f\xb8\xd6\xe1\xb5\x6c\xe9\x92\xbd\xaf\x57\x31\xff\x1a"
>>         "\xe6\xc3\x9d\xae\x08\x23\xde\x6a\x19\xfa\x55\x90\x11\xf3\x23"
>>         "\x3a\x81\xd2\x15\xc8\x9b\xb0\x86\xb8\x0f\x8a\x48\x98\x56\x58"
>>         "\x3b\x87\x92\x2b\xe8\x68\x6a\x41\x06\x12\x02\x21\x4f\xb6\x4f"
>>         "\xf0\x1c\x0f\x6f\xe3\x9e\x78\x65\x90\x6e\xaa\x48\x59\x23\x99"
>>         "\xa8\xf7\x7c\x85\x26\xec\x36\x92\x50\xe0\xbc\x82\xde\xb5\x01"
>>         "\xc8\xb1\xa4\x1b\xc1\x22\xee\x4d\x38\x6b\x1a\x53\xd1\xf4\xf4"
>>         "\x5c\x42\x9b\xb3\x79\x6f\x23\x46\x5e\x9f\xa2\x73\x68\x4d\xa1"
>>         "\x20\x63\xfe\x2b\x69\xb1\xa8\x0a\x27\xfc\xd3\x96\x5c\x45\xca"
>>         "\x48\x24\xbf\x21\x87\x44\xf0\x2f\xe8\x30\xe3\x09\x9f\x71\xe7"
>>         "\x47\x21\x58\x18\x54\x62\xfb\xcc\xda\x4c\x09\x6e\x5f\x29\xb7"
>>         "\xc2\x61\xec\x2e\x9e\xee\x23\xab\x18\x85\x59\x71\xee\x79\x98"
>>         "\x2f\x60\x5d\xf2\x49\x1b\xb9\xdb\x42\x47\x40\x2c\x5c\xe1\x31"
>>         "\xc5\x33\x91\x72\x9f\x5a\x2f\x38\xb7\x48\x28\xe5\xeb\x7e\x1a"
>>         "\x5b\x0b\xd6\xd6\x6e\x41\x3d\xd8\x59\x68\x16\x10\xa1\xb2\xc5"
>>         "\x5c\xd7\x1f\xdd\x2b\xe5\x4e\x23\x44\xdb\x70\xa8\xcc\x81\x34"
>>         "\x5a\x79\xf4\x7a\x8c\x57\xdc\x04\x99\xb2\x57\x90\xdf\xeb\x4e"
>>         "\x82\x06\x9e\x54\x5b\xff\x76\xfa\x33\xbc\xa1\xd4\xef\xd3\xe1"
>>         "\x84\x36\xf2\x3b\xb1\x7b\xd1\x8a\x53\x83\x0e\x6b\x8f\x48\x05"
>>         "\x6a\x4d\xe9\xe4\xa9\xbd\x75\xe4\xaa\xb6\x73\x86\x17\xb6\xa9"
>>         "\x31\x0a\x2e\xe8\x09\x8c\xd1\x9a\x0e\xa4\x2a\x85\x7e\xa8\x13"
>>         "\x07\xc4\x80\x38\x31\x72\xb1\xbc\xdc\x0b\x47\x07\x2c\x90\x3e"
>>         "\x57\xb3\x10\x55\x66\x6c\x8d\x36\x76\xfe\x3c\xee\x4d\x81\x63"
>>         "\xb6\xe9\xf4\xe3\xc4\x2f\xb5\x97\x86\xc8\xbc\xb4\xd4\x26\x15"
>>         "\xdc\x1b\x0c\x57\xb3\xef\x66\x92\x5e\x94\xc8\xb2\xc9\x4b\x9e"
>>         "\x1e\x76\xd1\x74\x30\xa4\x7e\xc3\x4e\x8c\x6b\x4a\x05\x55\xb1"
>>         "\x9a\xe4\x1d\x12\xd2\xe6\x19\x3d\x66\x70\x32\x94\x24\x0b\x31"
>>         "\xab\xbb\x86\x6d\xe6\xcf\x47\x12\x26\xf7\x98\xd6\x0a\xc4\x05"
>>         "\x3a\x82\x27\x09\x65\xda\xfb\x46\x00\x40\xcf\x90\x4c\xa2\xff"
>>         "\x7f\x9a\xde\x86\x51\x58\x8d\x5b\x72\x75\xc1\xca\xda\xed\x4b"
>>         "\xe7\x55\x32\xbd\xd8\x53\x04\x59\x94\x16\x9f\x50\x28\x70\x78"
>>         "\xcf\x2b\xad\xf9\x69\x5a\xea\x98\xab\x67\xc5\xcb\x66\x37\xd9"
>>         "\x7a\x48\x77\xbb\x96\x54\xe2\x5e\x01\x04\x52\x99\x19\x1e\x01"
>>         "\xe7\x3c\x62\x05\xe0\xd5\xc5\x4e\x10\x3c\xe3\x52\xff\x41\xda"
>>         "\x80\xba\x1f\x46\x49\xc6\x4f\x33\xb0\xbf\x33\x5a\xba\xe9\xb1"
>>         "\x59\xae\x12\x93\xed\x8b\x1b\x34\x9a\x01\xd8\xcc\xf0\xef\xbe"
>>         "\xd9\xdf\x04\x6b\xf5\x60\x02\xff\xcc\x8a\x69\xd4\x00\xc1\xc8"
>>         "\x8b\xbf\xd5\xdb\xf6\x8d\x1b\xa8\x11\x3f\x98\x9b\x0d\xf7\x12"
>>         "\x2e\x55\xfe\x6f\x1b\x01\x7f\xe4\x22\x97\x8c\x6e\xa8\x83\x3b"
>>         "\x43\xa9\x4c\x6c\x47\xc6\x3b\x97\x8b\x02\x00\x10\xe4\xe5\xad"
>>         "\x61\xfe\x2c\xe6\x28\x3a\x59\xd5\xbb\x46\x0c\x58\xb3\xa8\xd7"
>>         "\xe0\x3e\x12\x0d\x1a\xf3\xfe\xab\xf2\x52\x45\x8f\xeb\x9a\x1f"
>>         "\xed\x21\x6b\x6d\x2d\xff\x7a\xed\x71\x38\xa7\x27\x30\x78\x38"
>>         "\x81\x5b\x28\x66\x0e\x28\xcc\x6b\x2c\x10\xef\x36\xf4\xd5\x8b"
>>         "\x0c\x67\xb4\xbb\x33\xd3\x61\xc3\x03\x28\xad\x4a\x0e\xab\xf9"
>>         "\xb4\x7a\xdc\xf3\x15\xaa\x07\x8e\xc7\xc4\x97\x4d\xe4\xcf\x69"
>>         "\x5a\xa4\xc2\xbd\x60\xdd\x0a\x2d\x8b\xa0\x61\xc2\x62\xbd\xdd"
>>         "\x84\x0d\x1a\xd3\x6c\xd2\x7b\xae\x9b\x29\x0f\xec\xe5\xe4\x11"
>>         "\x39\x8d\xed\x5a\xbe\x7f\x5e\xf8\xb6\x03\x85\xfe\xc7\x48\x5b"
>>         "\x1c\x6c\x4b\x66\x81\xf3\xc4\xb1\x7e\xaa\xba\x32\xab\xb6\xfb"
>>         "\x4e\x67\xbc\x83\xe7\xe8\xa3\xde\x76\x3b\x76\x56\x67\x4d\x66"
>>         "\xf4\x6b\x0b\x55\x9c\x8c\xbc\xa3\x37\xb2\x7d\xae\x2a\x07\xfd"
>>         "\x17\xc7\x33\xf1\xa9\x99\xde\x79\x27\xac\x25\xf9\xda\xec\x36"
>>         "\xfc\x30\xf2\x85\x0a\xf3\xc4\xb3\xbe\xad\xa6\x39\x5c\x08\x04"
>>         "\xa7\x37\xe7\xbf\xca\x83\x86\x50\x6c\xd9\xd5\x3b\xcb\xa7\xad"
>>         "\x59\x2a\xdf\x9c\x61\x87\xa0\x52\x65\x3a\x86\x3d\x24\xe6\xbf"
>>         "\x51\xd2\x82\xd7\x21\x7f\xa3\x75\x7b\x74\x5f\xae\xef\x69\x72"
>>         "\x41\x35\x92\xd4\x88\x37\xba\xc9\xcd\xd9\xeb\xe6\x01\x77\x0b"
>>         "\x17\xa2\x4f\x36\xed\xff\xc7\xad\x70\x4b\x10\x6d\xc1\xde\xe3"
>>         "\x07\x2b\xe6\x4b\xcd\x5a\x12\x85\x40\xe7\x8f\x9c\x0f\xbb\x74"
>>         "\x95\x50\x93\x74\x39\x21\x16\x5f\x09\xa9\xd6\x7a\xc4\x79\xc2"
>>         "\x3e\x1c\x63\x07\xd9\xd0\x7a\x16\xed\x4d\xa4\x5d\x83\xa0\xf3"
>>         "\xd0\xe0\xd3\x13\x94\x45\xf9\x8a\x87\x72\x18\x6a\x95\x3b\x80"
>>         "\x84\xa9\x35\xa2\xc7\x5d\x56\xcb\x94\xfb\x71\x8b\xf3\x4d\xe4"
>>         "\x6b\x97\x25\x0f\x78\xe8\xd2\x3d\xf8\x16\x85\x3e\x8f\xc7\x54"
>>         "\xc1\x52\xa5\x36\xd6\x65\x71\x8a\x48\x4c\x23\xcb\xce\x8d\xaf"
>>         "\x33\x70\x7c\x83\x92\x42\x0c\x58\x64\x7b\x0a\x89\xea\x9e\x3b"
>>         "\x2e\xb8\x8e\xb0\x91\x57\x97\x2c\xae\x4b\x1e\x64\x7a\x01\x45"
>>         "\xd2\xad\x93\x25\x72\x81\x89\x21\x6a\xca\xe7\xdb\x16\x72\x9c"
>>         "\x67\x8e\x35\x84\xb7\xad\x55\x1b\x27\x9b\x2a\x89\x0a\x0a\x0a"
>>         "\x9d\x7c\xbe\xe2\xa2\x20\x3d\x90\xef\x11\x36\xff\x00\x2a\x53"
>>         "\x6f\x02\xd6\x4c\x25\x62\xfd\xda\x18\x72\xad\x28\x07\x91\xd2"
>>         "\x08\x70\xc9\x73\x9d\x1e\x98\x45\xcb\xfd\x0c\x02\x2d\xb8\x9a"
>>         "\xcd\xac\x00\xf2\x43\xfd\x9d\x48\xc4\x03\x58\x46\x10\x4c\x8c"
>>         "\x34\x22\xa3\xa3\xd1\xc4\xb1\xa1\x39\xc3\xbc\xc4\x3a\xae\xe2"
>>         "\x9f\x28\xa6\x9c\xf0\x7b\x85\xe1\xe5\xcc\x5d\xbb\x65\x07\x1a"
>>         "\x9c\x78\xe4\xe4\x92\x3e\xf4\xc7\xdf\xcc\x19\x65\xac\x13\x6c"
>>         "\x8e\x68\x4c\xdb\x2c\xa7\x13\x59\x1a\xe8\x61\x36\x75\xab\x45"
>>         "\xff\x03\x0d\x31\x5e\x8a\x87\x67\x77\x14\xce\x25\xaa\x56\x5f"
>>         "\xe7\x11\x4e\xad\xc5\xe6\x42\x1d\x7a\xc6\x82\x34\x14\xdf\xf5"
>>         "\x0e\xa2\xf3\xe1\xc4\xb9\xc1\xf6\x43\x26\x71\xb0\xac\x71\x3f"
>>         "\x50\x81\x8d\xdd\x5d\xde\x7a\xa7\x9b\x69\xd8\xaf\xef\x6f\x37"
>>         "\xe6\x9f\x29\xfb\x82\xc0\x2e\x66\x09\x3d\xaa\x26\x16\xff\x2c"
>>         "\x01\x00\xfc\xe9\x83\x1e\x6f\x58\xc1\x99\xf1\x57\x75\xf0\x36"
>>         "\xfa\x9e\x9e\x6a\x65\x52\x0f\x9f\xaa\xc0\x14\x98\x4f\x6c\x4c"
>>         "\xed\xc6\xe9\x78\xc7\x39\xa9\x46\xd1\x74\x1f\xc3\xf5\x26\xf3"
>>         "\x41\xc5\xdd\x1f\x92\x62\x8e\xcc\x26\x4b\xde\xcb\xa7\xf1\x09"
>>         "\xa1\x13\xfe\x29\xf1\xf3\x61\x3c\xbb\x6f\xef\x93\x6e\xa5\x38"
>>         "\xa5\x34\x19\x89\x62\xa3\xf4\xdb\xad\x2b\xea\xad\x91\x95\xf8"
>>         "\xb6\x00\xd8\x6d\xca\x1f\xa7\x41\xcf\x49\x40\x99\x65\x71\xd9"
>>         "\x86\x3c\x8c\x3a\x1c\x80\x6e\xec\x85\x55\xc8\xb3\xe6\xb0\xe0"
>>         "\xa4\xf3\x10\x23\x13\x4e\x58\x37\x69\xa8\x9e\x60\x90\x15\xea"
>>         "\x47\xfe\x09\xe3\x4d\xaa\xa1\xe9\x8b\xe5\x93\xe3\x5d\x9b\x3e"
>>         "\x62\x5b\x07\x99\x03\x92\xd2\xec\xac\x77\x67\xf0\xc0\x21\x6e"
>>         "\x24\xb5\xc1\xd6\xd4\xec\xe8\x3a\x76\xdb\x86\xaa\x4f\x9f\xb6"
>>         "\x18\xec\x42\xc9\x34\xf4\x89\x85\xd1\xf2\xf5\x7c\x70\x01\x89"
>>         "\xdb\xe5\xcb\x5f\x1f\xf4\xf0\xb0\x5c\x0a\x3e\x98\x93\x72\x9a"
>>         "\x26\xca\xbe\x96\x00\xb7\x20\x07\x1c\xd4\xf1\x03\xfd\x3d\xfe"
>>         "\xe1\xb9\xe0\xf5\xa3\x6b\xed\xdc\x5b\x11\x2c\x31\x26\x39\x5d"
>>         "\x1c\xbc\x50\xbe\x43\x6b\xc0\x65\x0a\x61\xf2\x69\xc4\xeb\x35"
>>         "\x2f\x57\xc7\x82\xaf\xe5\x6f\x18\x10\xc1\xdb\x42\x5f\xc1\x86"
>>         "\x1f\xa9\x02\x7b\xc5\x75\xab\xc2\x3b\xd2\x5f\x9b\x6a\x6b\x6e"
>>         "\x62\x3d\xdb\x57\x22\x3e\x5d\x36\x33\xe3\xb2\x3f\x05\x0d\x23"
>>         "\xd6\xde\x64\x58\x5b\x24\xf9\x4b\xe2\xdf\xe9\x99\xd1\x76\x8f"
>>         "\x8a\x21\x65\xcd\xb9\x2a\x04\xfe\xfa\xb3\xdc\x9f\x33\xb1\x09"
>>         "\xa0\x08\x8e\xe0\xa3\xc6\x7e\xb2\x45\x07\x73\x92\xd5\x60\x1e"
>>         "\xb7\xf2\x5b\x70\x02\xa7\x38\x95\x13\x71\x5f\x40\x6d\xf6\x06"
>>         "\xf6\x11\x03\x3f\x17\x77\xa8\xf8\xd8\x35\xf2\x60\xa1\xd8\xc5"
>>         "\x14\xbc\xf8\xea\xb6\x8e\x80\xee\x2e\x02\x11\xf7\xd6\x51\xd4"
>>         "\x51\x7a\xc8\x80\x09\x00\x00\x00\x01\x8d\xbc\x20\x56\xf3\x7c"
>>         "\xb7\xb0\x14\xd1\x09\x14\xed\xeb\x27\x5f\xcc\x2e\x06\xd0\x73"
>>         "\x4c\xac\x74\x62\x5b\x32\xec\x72\x95\xa9\x38\xd1\xda\x64\xca"
>>         "\xd9\x93\x1c\x4c\xbc\x52\xa9\xdd\x5c\xb2\xae\x14\xf9\x1e\xef"
>>         "\x1b\x9d\xc3\x1b\x1a\xfa\x63\x01\xa0\x89\x78\x15\xe0\x93\xc5"
>>         "\x34\x05\xe1\x21\xf6\x18\xeb\x54\x16\x93\x53\x2e\xce\xf0\x3a"
>>         "\xcd\x35\x56\xea\x05\x6d\x78\xa0\xe0\xc6\xa3\x0c\x50\x77\xe5"
>>         "\xe3\x0a\x5c\x9c\x1e\xe8\x0f\x40\xe3\xd1\xc0\xee\x50\x21\xf8"
>>         "\x05\x05\x77\x82\x69\x64\x2a\xd1\xd3\x0d\x41\x36\x08\x06\xc3"
>>         "\xdf\xd4\x96\x66\xcd\x72\xc7\xd1\xdf\x7c\x49\x6f\x4c\x63\xaa"
>>         "\xd7\xd6\x54\x45\x53\x58\xdb\xac\x87\xfa\x6f\x00\xb9\xa1\xb8"
>>         "\xe4\x32\xf0\x97\x51\xba\x4c\x30\xe0\x51\x18\xf7\x9c\x73\x36"
>>         "\x49\x33\x94\x86\x8b\xd6\x98\xac\xa5\x86\x29\x40\xbd\x64\x40"
>>         "\x6d\xdf\x68\x39\x11\xd5\x05\x9f\xca\x2d\xf9\x7c\x73\x0b\x06"
>>         "\x3d\xef\xb4\xc7\x1e\x8e\x0c\xa4\xc6\x7a\x9c\xc9\x25\xe2\xea"
>>         "\x96\xfa\x0f\x0f\x67\x4b\xa7\xfc\x46\xd7\xff\x79\xc3\x6f\xdf"
>>         "\x18\xb7\x1a\x8e\x60\x6f\x8b\x05\x3e\x91\x70\x9f\x6e\x9c\xa7"
>>         "\x73\x4c\xe5\xd8\xb2\x1f\xde\xf8\x54\x5e\x0e\xc0\x65\x9f\xc4"
>>         "\xfd\x9c\xb3\x1d\x22\xba\x89\xab\x97\xbe\xa4\xcd\x81\x1d\x5c"
>>         "\x11\x63\x6b\x4a\x1f\xb9\x09\xae\x49\x07\x74\x89\x02\xc0\x09"
>>         "\xb3\xfb\x5e\xf9\x3e\x0a\x5a\x12\x5f\xc5\xdf\x5f\xc8\xe0\x13"
>>         "\xa9\xae\x0b\x72\xf9\x8d\x26\x42\x8f\x35\x17\x78\x32\x1c\x01"
>>         "\x7f\x73\xb7\xcf\x84\x73\xfb\xbf\xee\x74\x25\xb3\xd7\xd0\x4d"
>>         "\x59\x3c\x63\x94\x95\xf7\x0b\x3e\x16\xf5\x37\x64\x3e\xf5\x17"
>>         "\x5a\xd5\xcd\xb0\x92\xf2\x28\x67\xc8\x7f\x39\xe4\x59\x76\xf8"
>>         "\xfc\xef\x4c\xd4\xca\x7d\x0b\x42\x9d\xd1\x16\xb8\xbe\xa8\x28"
>>         "\xc6\xfd\x7f\xaf\x55\x17\x38\x81\x51\x6d\x9b\x07\x01\xca\xbc"
>>         "\xda\xf8\xb9\x5b\x44\x97\xf0\xa8\x58\x93\x30\xff\x70\x39\x1f"
>>         "\xa8\x6d\xe9\x70\x69\xc7\xdf\x7a\x22\x9a\x42\x88\xb2\x90\x07"
>>         "\xd5\x76\xa9\xe8\x2f\x2d\x96\x33\x73\x2d\x25\x84\xbc\x05\xd4"
>>         "\xf7\x84\x63\x7b\x5a\xce\xe4\xa7\x93\xe8\x6b\xe8\xf1\xe9\xa5"
>>         "\xc8\xc5\x33\xd7\xa3\x53\x6e\x40\x2d\xcc\x21\x79\x13\x68\x94"
>>         "\x84\xcd\xe2\x80\x4f\x75\x4d\x3e\x37\x0f\x20\x8b\xf0\x47\x8b"
>>         "\x60\xb5\x49\x31\x65\x7b\x7d\xca\x82\x54\x68\x16\x5d\xaf\xf6"
>>         "\x52\x92\x58\xbd\x28\xb1\x37\x4e\xf0\x5d\x9a\xb6\x69\xea\x51"
>>         "\x7b\x90\x0c\x1e\x5b\x67\x3d\x40\x43\xc5\x0d\x89\x12\xbe\x5f"
>>         "\x53\xa1\x9c\xd0\x64\x27\xc2\xc2\x18\x8b\x3a\x84\x22\x80\xc7"
>>         "\x24\xd0\xa3\x38\xcc\x68\xd6\xac\x64\x1f\x4b\xaf\xad\x1e\x16"
>>         "\x31\x69\xf4\x69\x54\x00\x34\x1b\x5d\x52\x77\x3d\x88\x57\xa0"
>>         "\x15\x05\x0a\x4f\x08\x38\x0d\x4a\x1f\x2d\x45\xc4\x98\x67\x60"
>>         "\x1f\x12\x77\x4a\x09\xa4\xd6\xee\xc4\x3f\xf7\xf8\xe5\x2e\xb3"
>>         "\x5e\x09\x7a\x92\x57\x11\x4c\xa7\x1f\x0f\x1f\x0a\x25\x4f\x65"
>>         "\x54\xe4\x88\xdb\x9e\x24\xdf\x9e\x9d\xca\x24\xb2\x26\x56\xee"
>>         "\x1f\x31\xce\xc9\xb1\x9f\xa3\x11\x27\x8f\x5a\x23\xbf\x95\x1b"
>>         "\x5b\xd7\xdb\xf7\x9d\x9e\x71\xb4\xfc\x9c\x6b\x67\xff\x09\xa1"
>>         "\x53\x34\xf0\xe9\x4c\x20\x79\x9c\xd1\xc9\x4f\xab\x1c\x53\x87"
>>         "\xcd\x73\xd7\x3b\xd9\xaa\x37\xfc\x36\x64\x27\x07\xba\x28\x92"
>>         "\x56\xab\xe1\xc7\x20\xcd\x13\x37\xf2\xd0\x92\x16\x35\xc4\xa0"
>>         "\xd6\x94\xe6\xd4\x84\x74\x5f\xd3\x5c\x29\xfc\x4c\x95\xba\xc5"
>>         "\xf6\xe6\xff\xce\x39\x9b\x83\x28\x05\xa7\xfa\x3f\xe9\x4a\xf3"
>>         "\xe5\xde\xf3\x19\x45\x2a\x26\x4b\xa1\x83\x8b\x67\xfc\x38\x77"
>>         "\x41\xfa\x61\x6e\xea\xea\x4a\xad\x6d\x62\xdb\x3d\xa1\x99\xf7"
>>         "\xae\xc8\xee\xee\x05\x8f\x06\x5c\x46\xbe\xd9\xc6\xf6\x46\x5b"
>>         "\xef\x13\x92\x39\xf4\x4c\x8b\x3a\xcf\x77\x51\x18\xca\xac\x53"
>>         "\x40\xb7\xdc\xc6\xac\xa2\x0d\x54\xdb\x8a\xe1\xa6\x98\xdf\x4b"
>>         "\x9d\x1c\x90\x4a\xb2\x8d\xcf\xc6\x78\xe5\x13\xb0\xc7\x48\xf6"
>>         "\x85\x1d\x8f\xf4\xd8\xd4\x82\x0c\x1a\xc2\x7b\xcd\xdd\x7d\x7b"
>>         "\x1a\xc8\x3f\x84\xa1\xb1\xc2\x30\x1d\xe6\xfd\x3e\x0b\x3d\x18"
>>         "\xf7\x75\x21\x85\xb2\x3c\x47\xa6\x57\xf3\x10\x7e\xc8\xa3\x8f"
>>         "\xa3\xd3\x80\xe0\x27\xd7\xa3\xbb\x7c\x96\xc7\xd9\x18\xce\x53"
>>         "\x2d\xc4\xee\x57\xa4\x92\x8f\x99\x82\xd8\xdc\xa7\x24\x36\x12"
>>         "\xec\x36\x4e\xe7\x11\xe1\x73\x5f\xab\x16\x0a\xb5\xb5\x9d\xb2"
>>         "\xf5\xad\x93\x8e\xf4\xdc\x76\x11\x56\x40\x38\x6f\x98\x2b\x55"
>>         "\x74\x2e\x55\x2a\x05\x3d\x43\x89\x84\x0e\x32\xc8\xd4\x8d\xc1"
>>         "\x11\x8b\xec\x0b\x68\xef\x96\xaf\x78\xe8\x8f\x28\x8d\x8f\xd0"
>>         "\x3a\x62\x76\xb0\x22\xda\xc4\x0f\x19\xe8\x02\x70\xdb\xd5\xb3"
>>         "\x06\xdb\x59\x95\x3d\x0e\x9b\x82\xf3\x0f\x29\x73\x62\x7d\x9d"
>>         "\x02\x55\xcd\xf7\xb1\xbb\xa9\x32\x54\xde\x6d\x9c\x97\xa2\x98"
>>         "\x7c\x7a\xf2\x55\x18\x12\xc2\xb2\x14\x96\xb5\x68\x63\x05\x8a"
>>         "\x96\x7a\x00\xf3\x8b\x68\x43\x61\x93\x32\xdd\x9b\xf8\x0e\xb1"
>>         "\xce\xbf\x7b\x6b\xcd\xc3\xe6\x8a\xf2\x82\xb6\x14\xa2\x81\x59"
>>         "\xde\xb2\x44\xe1\xfd\x38\x01\xba\x80\x63\xde\x23\xe5\x92\x45"
>>         "\x97\xce\xcc\x53\x20\x71\x4b\x79\x84\x8e\xa3\x51\xd7\x1f\xde"
>>         "\xa7\xe5\xd6\x8d\x63\x1b\xab\x67\xd7\x01\x2c\xf4\x63\xdd\x39"
>>         "\x4a\x9c\x5f\x9b\x7a\x3f\xeb\x2a\x66\xdb\xca\x43\x74\xb3\x1c"
>>         "\xce\xdb\x15\xd0\x31\x2a\xd6\x1d\x41\xcf\x4e\x79\x4d\x3a\x7f"
>>         "\x4f\x03\x26\x80\x88\xe0\xe4\x06\xde\xe3\x77\xbc\x1a\xd3\x41"
>>         "\xe1\x2f\xca\x27\xf6\x00\xa7\x4c\xa7\x47\xf3\x48\xff\x9d\x85"
>>         "\x7d\xee\x9f\xdd\x72\x0d\x6e\xd5\xfc\x84\x03\xd7\xd9\x11\xc2"
>>         "\x82\x88\x8a\x29\xbf\xa5\x87\x27\xe7\x7d\xae\x8f\x4f\x18\x00"
>>         "\xd4\xca\xf8\xb9\x46\xfb\xee\x13\xef\xee\x5c\x60\xe4\x0f\x5d"
>>         "\x5c\x6a\x4d\x6d\x14\x83\xde\x64\x47\xbd\x1b\xdc\x1f\x7e\x70"
>>         "\xf4\x9d\xe1\x1b\xb1\x3c\x70\xbd\xd3\x1f\x8b\x16\x0d\x6e\xc7"
>>         "\x2b\x59\xf4\xec\x89\xcd\x9e\x41\x0b\x92\xd9\xca\x87\xa6\x81"
>>         "\x03\x64\x0e\x2a\x9a\xee\xb0\x99\xe6\x76\x79\x91\xad\x9a\x27"
>>         "\x5e\x1a\x09\x6a\x55\xd6\x99\x04\xef\x99\x1b\xa1\xfe\xe6\x39"
>>         "\x69\x6c\xe7\x27\x96\x45\xdd\xe5\x86\x99\xee\xee\x41\xed\x65"
>>         "\x99\x6a\xb2\x9e\x35\x28\x86\xe1\x14\x25\x28\xb4\xff\xf1\xd3"
>>         "\xeb\xdf\x43\xe5\xf5\x40\x0b\xa4\x57\xcc\x5f\x77\xf6\x15\xe8"
>>         "\xfe\xab\x55\x2b\x47\xfe\xa6\xf3\x1f\x01\x88\xb9\xfe\x61\x4b"
>>         "\xea\x3a\x40\xd6\xb7\x17\x46\x05\x4f\x3e\x93\xc9\xb9\xc9\x9d"
>>         "\x79\xa3\x6a\x0f\xfb\x0f\x05\xa5\x16\x0c\xd6\xc1\xeb\x76\xa2"
>>         "\xd1\x40\x14\x88\x3e\xf8\x92\x29\x07\xda\x18\x6c\x6a\xd1\x9f"
>>         "\xbb\x71\xf5\x95\xd1\x5c\x2c\x21\x3d\x68\x02\x00\x1c\xda\xb4"
>>         "\x1d\xb1\xd1\x67\xce\xd2\xd3\xc8\x97\xc1\xcd\x8a\x86\x84\x10"
>>         "\xf6\x5d\x22\x87\xc7\xa9\x72\x93\x1c\x37\x96\x59\xd4\xc3\x0f"
>>         "\x77\x83\x99\x2d\xb5\xe7\xd3\xf7\x2a\xfd\xca\xd4\x58\x85\xe4"
>>         "\xf4\xd3\x3e\x50\x66\x07\xa4\xda\x6d\xc7\xab\x89\x2f\x71\xbf"
>>         "\x6d\xfe\xfd\x13\xd6\x36\xd2\x3d\x71\x10\x98\xa2\x2b\xa3\x07"
>>         "\x3c\x02\x6e\xdb\x33\xf0\xfc\xb7\x57\x5f\x44\x6e\x94\xbe\x97"
>>         "\x9c\x14\x38\xce\xb5\xaf\x6f\xdf\x00\x5f\x15\x77\xb1\x1a\xb0"
>>         "\x8f\x47\xa4\xd2\x7e\x2b\xfe\x75\x04\xed\x29\x1c\x74\x4c\x29"
>>         "\x32\xbc\x8c\xb8\x1a\xab\xdd\x90\x9c\x44\x27\xda\x53\xf0\xa3"
>>         "\x04\xdb\x60\xce\xb3\x34\xbf\xc9\x05\xee\x2f\xf5\xd7\x5f\x2a"
>>         "\x83\xf5\x6b\x32\x41\x74\xe9\xa8\xd1\xc9\xf1\xee\x88\x84\x9d"
>>         "\xb9\xd6\xf5\xc2\xf8\x42\x6e\x70\x8b\xfd\x91\x36\xff\xec\xc4"
>>         "\x18\xd9\xd5\x5b\xba\x18\x98\xfb\x1c\x64\x39\x95\xdb\xfb\xf9"
>>         "\xe9\x24\x12\x71\x0e\xd3\xc9\x4a\x54\x73\xeb\xd0\xbc\x31\xec"
>>         "\x52\x40\xb8\x87\xd2\xe2\x6e\x33\x92\x38\x5b\x68\x51\x55\x7c"
>>         "\xcd\x60\x53\xe2\x06\x6f\x99\x92\x8a\x05\x99\xa1\x75\x19\x23"
>>         "\x7f\xa9\x80\x6c\x38\x23\x39\x0c\xb8\x0e\x94\xd5\x9d\xff\xf7"
>>         "\x5d\x53\x55\xd0\x13\x77\xee\xb0\x0e\x70\x03\x3b\xa1\x58\xf0"
>>         "\x9c\x3d\x93\x41\x97\x63\xad\x65\xa1\xa0\x1c\xb8\x32\x18\x04"
>>         "\x0b\x13\xb4\x47\x35\x42\x66\x6f\xa9\x49\x20\x80\x52\x42\xc1"
>>         "\xab\xc4\x3c\x6b\xe7\x77\x67\x00\x84\x32\x92\xa5\x3d\xb6\xfe"
>>         "\xbf\x60\xae\x37\x48\xf1\x6c\x34\xe3\xb9\xab\x9f\xf1\x82\xa6"
>>         "\x71\x41\x0e\xe6\x4c\x38\x92\x25\x3a\xf8\xbd\xf9\xf0\x7d\xa8"
>>         "\x09\x87\x7e\xf8\x1d\x42\x1c\x14\x20\xc7\xdf\x4d\x5f\xeb\xbb"
>>         "\x3b\x06\x8b\xe5\x14\xd5\x53\x33\x9d\x0e\xbc\x72\x6c\x83\x4d"
>>         "\xad\x9e\xb4\x66\x20\xb5\x95\x01\xb3\x89\x9f\xc3\x92\xb1\x44"
>>         "\x5b\xca\xd8\xc1\x0c\xa5\xb8\xef\x75\xd6\x4a\xe2\x3f\x16\xed"
>>         "\x42\xde\xff\x64\xc0\x6f\x2c\x0f\x9f\x0d\x37\x19\x72\x0d\x59"
>>         "\x1e\x1c\x45\x5f\x14\xea\xa3\x36\x11\xca\xc4\x82\x05\x62\xab"
>>         "\x5b\xa3\xf4\xd0\xe3\x64\x8a\x23\x9c\x63\x5d\x14\xca\x30\x78"
>>         "\x0a\x7e\x9d\xe3\x61\x7b\xdd\xbd\x7d\xa7\x26\xb7\x53\xe9\x2e"
>>         "\xc1\x72\x73\x7b\xd2\xad\x99\x6c\xee\xd3\xb5\xaa\x4a\x85\xd4"
>>         "\xac\xca\x07\xf4\x3f\x9f\xc1\x3b\x4f\x55\x5b\x29\x7e\x39\x4e"
>>         "\xd7\xee\x6a\xbb\xa2\x40\x48\xa0\xda\x4c\x30\xc0\x2e\x1f\x83"
>>         "\x8a\x3e\x4b\x34\xa8\x71\x40\x24\x02\x7c\xf1\xad\x4f\xa0\x7a"
>>         "\xf5\xcb\x56\xd4\x49\x6b\xb8\x12\x22\x44\xdc\x56\x6f\xa9\x2e"
>>         "\x0a",
>>         4096));
>>     r[54] = execute_syscall(__NR_write, r[2], 0x209c3000ul, 0x1000ul, 0,
>>                             0, 0, 0, 0, 0);
>>     break;
>>   }
>>   return 0;
>> }
>>
>> void loop()
>> {
>>   long i;
>>   pthread_t th[20];
>>
>>   memset(r, -1, sizeof(r));
>>   srand(getpid());
>>   for (i = 0; i < 10; i++) {
>>     pthread_create(&th[i], 0, thr, (void*)i);
>>     usleep(10000);
>>   }
>>   usleep(100000);
>> }
>>
>> int main()
>> {
>>   setup_main_process();
>>   int pid = do_sandbox_setuid(0, false);
>>   int status = 0;
>>   while (waitpid(pid, &status, __WALL) != pid) {
>>   }
>>   return 0;
>> }
>>
>

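As an added triage example (not code from the thread or from syzkaller), the parser below reads the header of the KASAN report quoted above, pulls out the access size, the faulting address and the slab object bounds, and computes how far the read reaches past the object. The excerpt it parses is a constructed copy of the report's own header lines with the mail wrapping undone.

```python
"""Triage helper for KASAN slab-out-of-bounds reports (added example)."""
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed excerpt: the header lines of the report quoted in this thread,
# with the mail wrapping undone so each record sits on a single line.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: slab-out-of-bounds in copy_to_user arch/x86/include/asm/uaccess.h:716 [inline] at addr ffff88006bfc4054
BUG: KASAN: slab-out-of-bounds in put_cmsg+0x2c4/0x3e0 net/core/scm.c:242 at addr ffff88006bfc4054
Read of size 4553 by task syz-executor3/7169
CPU: 2 PID: 7169 Comm: syz-executor3 Not tainted 4.11.0-rc1+ #6
Object at ffff88006bfc4028, in cache kmalloc-1024 size: 1024
"""

BUG_RE = re.compile(
    r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)"  # bug class and frame name
    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"                   # optional +offset/size suffix
    r".*? at addr (?P<addr>[0-9a-f]+)")                 # faulting address
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) by task")
OBJ_RE = re.compile(
    r"^Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<osz>\d+)")


@dataclass(frozen=True)
class OobAccess:
    bug: str                  # e.g. "slab-out-of-bounds"
    kind: str                 # "Read" or "Write"
    size: int                 # bytes accessed
    addr: int                 # faulting address
    frames: Tuple[str, ...]   # frames KASAN named, innermost first
    obj_addr: int             # start of the slab object
    obj_size: int             # size of the slab object
    cache: str                # slab cache name

    @property
    def offset(self) -> int:
        """Offset of the access start inside the object (negative = underflow)."""
        return self.addr - self.obj_addr

    @property
    def overrun(self) -> int:
        """Bytes the access extends past the end of the object (0 if none)."""
        return max(0, self.offset + self.size - self.obj_size)

    @property
    def underrun(self) -> int:
        """Bytes the access starts before the object (0 if none)."""
        return max(0, -self.offset)


def parse_kasan_report(text: str) -> OobAccess:
    """Extract the access and object records from a KASAN report; raise if absent."""
    bug = kind = cache = None
    size = addr = obj_addr = obj_size = None
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BUG_RE.search(line)
        if m:
            bug, addr = m.group("bug"), int(m.group("addr"), 16)
            frames.append(m.group("func"))
            continue
        m = ACCESS_RE.match(line)
        if m:
            kind, size = m.group("kind"), int(m.group("size"))
            continue
        m = OBJ_RE.match(line)
        if m:
            obj_addr, obj_size = int(m.group("obj"), 16), int(m.group("osz"))
            cache = m.group("cache")
    if None in (bug, kind, size, addr, obj_addr, obj_size, cache):
        raise ValueError("report lacks a BUG, 'Read/Write of size' or 'Object at' line")
    return OobAccess(bug, kind, size, addr, tuple(frames), obj_addr, obj_size, cache)


def summarize(a: OobAccess) -> str:
    """One-line triage verdict: where the access starts and how far it escapes."""
    where = a.frames[-1] if a.frames else "?"
    return (f"{a.kind} of {a.size} bytes in {where} starts at offset {a.offset} of a "
            f"{a.obj_size}-byte {a.cache} object and runs {a.overrun} bytes past its end")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

For the values in this report the read starts 44 bytes into a 1024-byte kmalloc-1024 object and reaches 3573 bytes beyond it, so whatever neighbouring slab objects hold is copied to user space by copy_to_user, which is why the reporter describes it as a kernel memory disclosure rather than only a crash.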

* Re: net/udp: slab-out-of-bounds Read in udp_recvmsg
  2017-03-15 15:41   ` net/udp: slab-out-of-bounds Read in udp_recvmsg Dmitry Vyukov
@ 2017-03-15 16:01     ` Eric Dumazet
  2017-03-15 16:10       ` Eric Dumazet
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2017-03-15 16:01 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: 쪼르,
	David Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
	Patrick McHardy, netdev, LKML, syzkaller

On Wed, 2017-03-15 at 16:41 +0100, Dmitry Vyukov wrote:
> On Wed, Mar 15, 2017 at 4:25 PM, 쪼르 <zzoru007@gmail.com> wrote:
> > It seems that attacker can leak kernel memory(slab) by this vulnerability.
> > I make a PoC code, and it works well on
> > ae50dfd61665086e617cc9e554a1285d52765670.
> > but, I found that PoC wasn't work on Ubuntu16.04.02 4.4.0-64-generic
> > #85-Ubuntu SMP.
> 
> 
> Do you know why it is not working on Ubuntu16.04.02?
> Is it because the source bug is not present there? Or maybe you need a
> slightly different poc for that version?
> 

Seems to be a side effect of a recent commit

( 1c885808e45601b2b6f68b30ac1d999e10b6f606 )


> >>         "\xdb\x96\xc6\xf1\x60\x04\x58\xb5\xc5\x01\x38\x64\x82\x46\x03"
> >>         "\x65\x18\x50\x43\x34\xd9\x9d\xa6\x34\x6e\xee\x8f\x75\x29\x03"
> >>         "\x6e\x4f\xb8\xd6\xe1\xb5\x6c\xe9\x92\xbd\xaf\x57\x31\xff\x1a"
> >>         "\xe6\xc3\x9d\xae\x08\x23\xde\x6a\x19\xfa\x55\x90\x11\xf3\x23"
> >>         "\x3a\x81\xd2\x15\xc8\x9b\xb0\x86\xb8\x0f\x8a\x48\x98\x56\x58"
> >>         "\x3b\x87\x92\x2b\xe8\x68\x6a\x41\x06\x12\x02\x21\x4f\xb6\x4f"
> >>         "\xf0\x1c\x0f\x6f\xe3\x9e\x78\x65\x90\x6e\xaa\x48\x59\x23\x99"
> >>         "\xa8\xf7\x7c\x85\x26\xec\x36\x92\x50\xe0\xbc\x82\xde\xb5\x01"
> >>         "\xc8\xb1\xa4\x1b\xc1\x22\xee\x4d\x38\x6b\x1a\x53\xd1\xf4\xf4"
> >>         "\x5c\x42\x9b\xb3\x79\x6f\x23\x46\x5e\x9f\xa2\x73\x68\x4d\xa1"
> >>         "\x20\x63\xfe\x2b\x69\xb1\xa8\x0a\x27\xfc\xd3\x96\x5c\x45\xca"
> >>         "\x48\x24\xbf\x21\x87\x44\xf0\x2f\xe8\x30\xe3\x09\x9f\x71\xe7"
> >>         "\x47\x21\x58\x18\x54\x62\xfb\xcc\xda\x4c\x09\x6e\x5f\x29\xb7"
> >>         "\xc2\x61\xec\x2e\x9e\xee\x23\xab\x18\x85\x59\x71\xee\x79\x98"
> >>         "\x2f\x60\x5d\xf2\x49\x1b\xb9\xdb\x42\x47\x40\x2c\x5c\xe1\x31"
> >>         "\xc5\x33\x91\x72\x9f\x5a\x2f\x38\xb7\x48\x28\xe5\xeb\x7e\x1a"
> >>         "\x5b\x0b\xd6\xd6\x6e\x41\x3d\xd8\x59\x68\x16\x10\xa1\xb2\xc5"
> >>         "\x5c\xd7\x1f\xdd\x2b\xe5\x4e\x23\x44\xdb\x70\xa8\xcc\x81\x34"
> >>         "\x5a\x79\xf4\x7a\x8c\x57\xdc\x04\x99\xb2\x57\x90\xdf\xeb\x4e"
> >>         "\x82\x06\x9e\x54\x5b\xff\x76\xfa\x33\xbc\xa1\xd4\xef\xd3\xe1"
> >>         "\x84\x36\xf2\x3b\xb1\x7b\xd1\x8a\x53\x83\x0e\x6b\x8f\x48\x05"
> >>         "\x6a\x4d\xe9\xe4\xa9\xbd\x75\xe4\xaa\xb6\x73\x86\x17\xb6\xa9"
> >>         "\x31\x0a\x2e\xe8\x09\x8c\xd1\x9a\x0e\xa4\x2a\x85\x7e\xa8\x13"
> >>         "\x07\xc4\x80\x38\x31\x72\xb1\xbc\xdc\x0b\x47\x07\x2c\x90\x3e"
> >>         "\x57\xb3\x10\x55\x66\x6c\x8d\x36\x76\xfe\x3c\xee\x4d\x81\x63"
> >>         "\xb6\xe9\xf4\xe3\xc4\x2f\xb5\x97\x86\xc8\xbc\xb4\xd4\x26\x15"
> >>         "\xdc\x1b\x0c\x57\xb3\xef\x66\x92\x5e\x94\xc8\xb2\xc9\x4b\x9e"
> >>         "\x1e\x76\xd1\x74\x30\xa4\x7e\xc3\x4e\x8c\x6b\x4a\x05\x55\xb1"
> >>         "\x9a\xe4\x1d\x12\xd2\xe6\x19\x3d\x66\x70\x32\x94\x24\x0b\x31"
> >>         "\xab\xbb\x86\x6d\xe6\xcf\x47\x12\x26\xf7\x98\xd6\x0a\xc4\x05"
> >>         "\x3a\x82\x27\x09\x65\xda\xfb\x46\x00\x40\xcf\x90\x4c\xa2\xff"
> >>         "\x7f\x9a\xde\x86\x51\x58\x8d\x5b\x72\x75\xc1\xca\xda\xed\x4b"
> >>         "\xe7\x55\x32\xbd\xd8\x53\x04\x59\x94\x16\x9f\x50\x28\x70\x78"
> >>         "\xcf\x2b\xad\xf9\x69\x5a\xea\x98\xab\x67\xc5\xcb\x66\x37\xd9"
> >>         "\x7a\x48\x77\xbb\x96\x54\xe2\x5e\x01\x04\x52\x99\x19\x1e\x01"
> >>         "\xe7\x3c\x62\x05\xe0\xd5\xc5\x4e\x10\x3c\xe3\x52\xff\x41\xda"
> >>         "\x80\xba\x1f\x46\x49\xc6\x4f\x33\xb0\xbf\x33\x5a\xba\xe9\xb1"
> >>         "\x59\xae\x12\x93\xed\x8b\x1b\x34\x9a\x01\xd8\xcc\xf0\xef\xbe"
> >>         "\xd9\xdf\x04\x6b\xf5\x60\x02\xff\xcc\x8a\x69\xd4\x00\xc1\xc8"
> >>         "\x8b\xbf\xd5\xdb\xf6\x8d\x1b\xa8\x11\x3f\x98\x9b\x0d\xf7\x12"
> >>         "\x2e\x55\xfe\x6f\x1b\x01\x7f\xe4\x22\x97\x8c\x6e\xa8\x83\x3b"
> >>         "\x43\xa9\x4c\x6c\x47\xc6\x3b\x97\x8b\x02\x00\x10\xe4\xe5\xad"
> >>         "\x61\xfe\x2c\xe6\x28\x3a\x59\xd5\xbb\x46\x0c\x58\xb3\xa8\xd7"
> >>         "\xe0\x3e\x12\x0d\x1a\xf3\xfe\xab\xf2\x52\x45\x8f\xeb\x9a\x1f"
> >>         "\xed\x21\x6b\x6d\x2d\xff\x7a\xed\x71\x38\xa7\x27\x30\x78\x38"
> >>         "\x81\x5b\x28\x66\x0e\x28\xcc\x6b\x2c\x10\xef\x36\xf4\xd5\x8b"
> >>         "\x0c\x67\xb4\xbb\x33\xd3\x61\xc3\x03\x28\xad\x4a\x0e\xab\xf9"
> >>         "\xb4\x7a\xdc\xf3\x15\xaa\x07\x8e\xc7\xc4\x97\x4d\xe4\xcf\x69"
> >>         "\x5a\xa4\xc2\xbd\x60\xdd\x0a\x2d\x8b\xa0\x61\xc2\x62\xbd\xdd"
> >>         "\x84\x0d\x1a\xd3\x6c\xd2\x7b\xae\x9b\x29\x0f\xec\xe5\xe4\x11"
> >>         "\x39\x8d\xed\x5a\xbe\x7f\x5e\xf8\xb6\x03\x85\xfe\xc7\x48\x5b"
> >>         "\x1c\x6c\x4b\x66\x81\xf3\xc4\xb1\x7e\xaa\xba\x32\xab\xb6\xfb"
> >>         "\x4e\x67\xbc\x83\xe7\xe8\xa3\xde\x76\x3b\x76\x56\x67\x4d\x66"
> >>         "\xf4\x6b\x0b\x55\x9c\x8c\xbc\xa3\x37\xb2\x7d\xae\x2a\x07\xfd"
> >>         "\x17\xc7\x33\xf1\xa9\x99\xde\x79\x27\xac\x25\xf9\xda\xec\x36"
> >>         "\xfc\x30\xf2\x85\x0a\xf3\xc4\xb3\xbe\xad\xa6\x39\x5c\x08\x04"
> >>         "\xa7\x37\xe7\xbf\xca\x83\x86\x50\x6c\xd9\xd5\x3b\xcb\xa7\xad"
> >>         "\x59\x2a\xdf\x9c\x61\x87\xa0\x52\x65\x3a\x86\x3d\x24\xe6\xbf"
> >>         "\x51\xd2\x82\xd7\x21\x7f\xa3\x75\x7b\x74\x5f\xae\xef\x69\x72"
> >>         "\x41\x35\x92\xd4\x88\x37\xba\xc9\xcd\xd9\xeb\xe6\x01\x77\x0b"
> >>         "\x17\xa2\x4f\x36\xed\xff\xc7\xad\x70\x4b\x10\x6d\xc1\xde\xe3"
> >>         "\x07\x2b\xe6\x4b\xcd\x5a\x12\x85\x40\xe7\x8f\x9c\x0f\xbb\x74"
> >>         "\x95\x50\x93\x74\x39\x21\x16\x5f\x09\xa9\xd6\x7a\xc4\x79\xc2"
> >>         "\x3e\x1c\x63\x07\xd9\xd0\x7a\x16\xed\x4d\xa4\x5d\x83\xa0\xf3"
> >>         "\xd0\xe0\xd3\x13\x94\x45\xf9\x8a\x87\x72\x18\x6a\x95\x3b\x80"
> >>         "\x84\xa9\x35\xa2\xc7\x5d\x56\xcb\x94\xfb\x71\x8b\xf3\x4d\xe4"
> >>         "\x6b\x97\x25\x0f\x78\xe8\xd2\x3d\xf8\x16\x85\x3e\x8f\xc7\x54"
> >>         "\xc1\x52\xa5\x36\xd6\x65\x71\x8a\x48\x4c\x23\xcb\xce\x8d\xaf"
> >>         "\x33\x70\x7c\x83\x92\x42\x0c\x58\x64\x7b\x0a\x89\xea\x9e\x3b"
> >>         "\x2e\xb8\x8e\xb0\x91\x57\x97\x2c\xae\x4b\x1e\x64\x7a\x01\x45"
> >>         "\xd2\xad\x93\x25\x72\x81\x89\x21\x6a\xca\xe7\xdb\x16\x72\x9c"
> >>         "\x67\x8e\x35\x84\xb7\xad\x55\x1b\x27\x9b\x2a\x89\x0a\x0a\x0a"
> >>         "\x9d\x7c\xbe\xe2\xa2\x20\x3d\x90\xef\x11\x36\xff\x00\x2a\x53"
> >>         "\x6f\x02\xd6\x4c\x25\x62\xfd\xda\x18\x72\xad\x28\x07\x91\xd2"
> >>         "\x08\x70\xc9\x73\x9d\x1e\x98\x45\xcb\xfd\x0c\x02\x2d\xb8\x9a"
> >>         "\xcd\xac\x00\xf2\x43\xfd\x9d\x48\xc4\x03\x58\x46\x10\x4c\x8c"
> >>         "\x34\x22\xa3\xa3\xd1\xc4\xb1\xa1\x39\xc3\xbc\xc4\x3a\xae\xe2"
> >>         "\x9f\x28\xa6\x9c\xf0\x7b\x85\xe1\xe5\xcc\x5d\xbb\x65\x07\x1a"
> >>         "\x9c\x78\xe4\xe4\x92\x3e\xf4\xc7\xdf\xcc\x19\x65\xac\x13\x6c"
> >>         "\x8e\x68\x4c\xdb\x2c\xa7\x13\x59\x1a\xe8\x61\x36\x75\xab\x45"
> >>         "\xff\x03\x0d\x31\x5e\x8a\x87\x67\x77\x14\xce\x25\xaa\x56\x5f"
> >>         "\xe7\x11\x4e\xad\xc5\xe6\x42\x1d\x7a\xc6\x82\x34\x14\xdf\xf5"
> >>         "\x0e\xa2\xf3\xe1\xc4\xb9\xc1\xf6\x43\x26\x71\xb0\xac\x71\x3f"
> >>         "\x50\x81\x8d\xdd\x5d\xde\x7a\xa7\x9b\x69\xd8\xaf\xef\x6f\x37"
> >>         "\xe6\x9f\x29\xfb\x82\xc0\x2e\x66\x09\x3d\xaa\x26\x16\xff\x2c"
> >>         "\x01\x00\xfc\xe9\x83\x1e\x6f\x58\xc1\x99\xf1\x57\x75\xf0\x36"
> >>         "\xfa\x9e\x9e\x6a\x65\x52\x0f\x9f\xaa\xc0\x14\x98\x4f\x6c\x4c"
> >>         "\xed\xc6\xe9\x78\xc7\x39\xa9\x46\xd1\x74\x1f\xc3\xf5\x26\xf3"
> >>         "\x41\xc5\xdd\x1f\x92\x62\x8e\xcc\x26\x4b\xde\xcb\xa7\xf1\x09"
> >>         "\xa1\x13\xfe\x29\xf1\xf3\x61\x3c\xbb\x6f\xef\x93\x6e\xa5\x38"
> >>         "\xa5\x34\x19\x89\x62\xa3\xf4\xdb\xad\x2b\xea\xad\x91\x95\xf8"
> >>         "\xb6\x00\xd8\x6d\xca\x1f\xa7\x41\xcf\x49\x40\x99\x65\x71\xd9"
> >>         "\x86\x3c\x8c\x3a\x1c\x80\x6e\xec\x85\x55\xc8\xb3\xe6\xb0\xe0"
> >>         "\xa4\xf3\x10\x23\x13\x4e\x58\x37\x69\xa8\x9e\x60\x90\x15\xea"
> >>         "\x47\xfe\x09\xe3\x4d\xaa\xa1\xe9\x8b\xe5\x93\xe3\x5d\x9b\x3e"
> >>         "\x62\x5b\x07\x99\x03\x92\xd2\xec\xac\x77\x67\xf0\xc0\x21\x6e"
> >>         "\x24\xb5\xc1\xd6\xd4\xec\xe8\x3a\x76\xdb\x86\xaa\x4f\x9f\xb6"
> >>         "\x18\xec\x42\xc9\x34\xf4\x89\x85\xd1\xf2\xf5\x7c\x70\x01\x89"
> >>         "\xdb\xe5\xcb\x5f\x1f\xf4\xf0\xb0\x5c\x0a\x3e\x98\x93\x72\x9a"
> >>         "\x26\xca\xbe\x96\x00\xb7\x20\x07\x1c\xd4\xf1\x03\xfd\x3d\xfe"
> >>         "\xe1\xb9\xe0\xf5\xa3\x6b\xed\xdc\x5b\x11\x2c\x31\x26\x39\x5d"
> >>         "\x1c\xbc\x50\xbe\x43\x6b\xc0\x65\x0a\x61\xf2\x69\xc4\xeb\x35"
> >>         "\x2f\x57\xc7\x82\xaf\xe5\x6f\x18\x10\xc1\xdb\x42\x5f\xc1\x86"
> >>         "\x1f\xa9\x02\x7b\xc5\x75\xab\xc2\x3b\xd2\x5f\x9b\x6a\x6b\x6e"
> >>         "\x62\x3d\xdb\x57\x22\x3e\x5d\x36\x33\xe3\xb2\x3f\x05\x0d\x23"
> >>         "\xd6\xde\x64\x58\x5b\x24\xf9\x4b\xe2\xdf\xe9\x99\xd1\x76\x8f"
> >>         "\x8a\x21\x65\xcd\xb9\x2a\x04\xfe\xfa\xb3\xdc\x9f\x33\xb1\x09"
> >>         "\xa0\x08\x8e\xe0\xa3\xc6\x7e\xb2\x45\x07\x73\x92\xd5\x60\x1e"
> >>         "\xb7\xf2\x5b\x70\x02\xa7\x38\x95\x13\x71\x5f\x40\x6d\xf6\x06"
> >>         "\xf6\x11\x03\x3f\x17\x77\xa8\xf8\xd8\x35\xf2\x60\xa1\xd8\xc5"
> >>         "\x14\xbc\xf8\xea\xb6\x8e\x80\xee\x2e\x02\x11\xf7\xd6\x51\xd4"
> >>         "\x51\x7a\xc8\x80\x09\x00\x00\x00\x01\x8d\xbc\x20\x56\xf3\x7c"
> >>         "\xb7\xb0\x14\xd1\x09\x14\xed\xeb\x27\x5f\xcc\x2e\x06\xd0\x73"
> >>         "\x4c\xac\x74\x62\x5b\x32\xec\x72\x95\xa9\x38\xd1\xda\x64\xca"
> >>         "\xd9\x93\x1c\x4c\xbc\x52\xa9\xdd\x5c\xb2\xae\x14\xf9\x1e\xef"
> >>         "\x1b\x9d\xc3\x1b\x1a\xfa\x63\x01\xa0\x89\x78\x15\xe0\x93\xc5"
> >>         "\x34\x05\xe1\x21\xf6\x18\xeb\x54\x16\x93\x53\x2e\xce\xf0\x3a"
> >>         "\xcd\x35\x56\xea\x05\x6d\x78\xa0\xe0\xc6\xa3\x0c\x50\x77\xe5"
> >>         "\xe3\x0a\x5c\x9c\x1e\xe8\x0f\x40\xe3\xd1\xc0\xee\x50\x21\xf8"
> >>         "\x05\x05\x77\x82\x69\x64\x2a\xd1\xd3\x0d\x41\x36\x08\x06\xc3"
> >>         "\xdf\xd4\x96\x66\xcd\x72\xc7\xd1\xdf\x7c\x49\x6f\x4c\x63\xaa"
> >>         "\xd7\xd6\x54\x45\x53\x58\xdb\xac\x87\xfa\x6f\x00\xb9\xa1\xb8"
> >>         "\xe4\x32\xf0\x97\x51\xba\x4c\x30\xe0\x51\x18\xf7\x9c\x73\x36"
> >>         "\x49\x33\x94\x86\x8b\xd6\x98\xac\xa5\x86\x29\x40\xbd\x64\x40"
> >>         "\x6d\xdf\x68\x39\x11\xd5\x05\x9f\xca\x2d\xf9\x7c\x73\x0b\x06"
> >>         "\x3d\xef\xb4\xc7\x1e\x8e\x0c\xa4\xc6\x7a\x9c\xc9\x25\xe2\xea"
> >>         "\x96\xfa\x0f\x0f\x67\x4b\xa7\xfc\x46\xd7\xff\x79\xc3\x6f\xdf"
> >>         "\x18\xb7\x1a\x8e\x60\x6f\x8b\x05\x3e\x91\x70\x9f\x6e\x9c\xa7"
> >>         "\x73\x4c\xe5\xd8\xb2\x1f\xde\xf8\x54\x5e\x0e\xc0\x65\x9f\xc4"
> >>         "\xfd\x9c\xb3\x1d\x22\xba\x89\xab\x97\xbe\xa4\xcd\x81\x1d\x5c"
> >>         "\x11\x63\x6b\x4a\x1f\xb9\x09\xae\x49\x07\x74\x89\x02\xc0\x09"
> >>         "\xb3\xfb\x5e\xf9\x3e\x0a\x5a\x12\x5f\xc5\xdf\x5f\xc8\xe0\x13"
> >>         "\xa9\xae\x0b\x72\xf9\x8d\x26\x42\x8f\x35\x17\x78\x32\x1c\x01"
> >>         "\x7f\x73\xb7\xcf\x84\x73\xfb\xbf\xee\x74\x25\xb3\xd7\xd0\x4d"
> >>         "\x59\x3c\x63\x94\x95\xf7\x0b\x3e\x16\xf5\x37\x64\x3e\xf5\x17"
> >>         "\x5a\xd5\xcd\xb0\x92\xf2\x28\x67\xc8\x7f\x39\xe4\x59\x76\xf8"
> >>         "\xfc\xef\x4c\xd4\xca\x7d\x0b\x42\x9d\xd1\x16\xb8\xbe\xa8\x28"
> >>         "\xc6\xfd\x7f\xaf\x55\x17\x38\x81\x51\x6d\x9b\x07\x01\xca\xbc"
> >>         "\xda\xf8\xb9\x5b\x44\x97\xf0\xa8\x58\x93\x30\xff\x70\x39\x1f"
> >>         "\xa8\x6d\xe9\x70\x69\xc7\xdf\x7a\x22\x9a\x42\x88\xb2\x90\x07"
> >>         "\xd5\x76\xa9\xe8\x2f\x2d\x96\x33\x73\x2d\x25\x84\xbc\x05\xd4"
> >>         "\xf7\x84\x63\x7b\x5a\xce\xe4\xa7\x93\xe8\x6b\xe8\xf1\xe9\xa5"
> >>         "\xc8\xc5\x33\xd7\xa3\x53\x6e\x40\x2d\xcc\x21\x79\x13\x68\x94"
> >>         "\x84\xcd\xe2\x80\x4f\x75\x4d\x3e\x37\x0f\x20\x8b\xf0\x47\x8b"
> >>         "\x60\xb5\x49\x31\x65\x7b\x7d\xca\x82\x54\x68\x16\x5d\xaf\xf6"
> >>         "\x52\x92\x58\xbd\x28\xb1\x37\x4e\xf0\x5d\x9a\xb6\x69\xea\x51"
> >>         "\x7b\x90\x0c\x1e\x5b\x67\x3d\x40\x43\xc5\x0d\x89\x12\xbe\x5f"
> >>         "\x53\xa1\x9c\xd0\x64\x27\xc2\xc2\x18\x8b\x3a\x84\x22\x80\xc7"
> >>         "\x24\xd0\xa3\x38\xcc\x68\xd6\xac\x64\x1f\x4b\xaf\xad\x1e\x16"
> >>         "\x31\x69\xf4\x69\x54\x00\x34\x1b\x5d\x52\x77\x3d\x88\x57\xa0"
> >>         "\x15\x05\x0a\x4f\x08\x38\x0d\x4a\x1f\x2d\x45\xc4\x98\x67\x60"
> >>         "\x1f\x12\x77\x4a\x09\xa4\xd6\xee\xc4\x3f\xf7\xf8\xe5\x2e\xb3"
> >>         "\x5e\x09\x7a\x92\x57\x11\x4c\xa7\x1f\x0f\x1f\x0a\x25\x4f\x65"
> >>         "\x54\xe4\x88\xdb\x9e\x24\xdf\x9e\x9d\xca\x24\xb2\x26\x56\xee"
> >>         "\x1f\x31\xce\xc9\xb1\x9f\xa3\x11\x27\x8f\x5a\x23\xbf\x95\x1b"
> >>         "\x5b\xd7\xdb\xf7\x9d\x9e\x71\xb4\xfc\x9c\x6b\x67\xff\x09\xa1"
> >>         "\x53\x34\xf0\xe9\x4c\x20\x79\x9c\xd1\xc9\x4f\xab\x1c\x53\x87"
> >>         "\xcd\x73\xd7\x3b\xd9\xaa\x37\xfc\x36\x64\x27\x07\xba\x28\x92"
> >>         "\x56\xab\xe1\xc7\x20\xcd\x13\x37\xf2\xd0\x92\x16\x35\xc4\xa0"
> >>         "\xd6\x94\xe6\xd4\x84\x74\x5f\xd3\x5c\x29\xfc\x4c\x95\xba\xc5"
> >>         "\xf6\xe6\xff\xce\x39\x9b\x83\x28\x05\xa7\xfa\x3f\xe9\x4a\xf3"
> >>         "\xe5\xde\xf3\x19\x45\x2a\x26\x4b\xa1\x83\x8b\x67\xfc\x38\x77"
> >>         "\x41\xfa\x61\x6e\xea\xea\x4a\xad\x6d\x62\xdb\x3d\xa1\x99\xf7"
> >>         "\xae\xc8\xee\xee\x05\x8f\x06\x5c\x46\xbe\xd9\xc6\xf6\x46\x5b"
> >>         "\xef\x13\x92\x39\xf4\x4c\x8b\x3a\xcf\x77\x51\x18\xca\xac\x53"
> >>         "\x40\xb7\xdc\xc6\xac\xa2\x0d\x54\xdb\x8a\xe1\xa6\x98\xdf\x4b"
> >>         "\x9d\x1c\x90\x4a\xb2\x8d\xcf\xc6\x78\xe5\x13\xb0\xc7\x48\xf6"
> >>         "\x85\x1d\x8f\xf4\xd8\xd4\x82\x0c\x1a\xc2\x7b\xcd\xdd\x7d\x7b"
> >>         "\x1a\xc8\x3f\x84\xa1\xb1\xc2\x30\x1d\xe6\xfd\x3e\x0b\x3d\x18"
> >>         "\xf7\x75\x21\x85\xb2\x3c\x47\xa6\x57\xf3\x10\x7e\xc8\xa3\x8f"
> >>         "\xa3\xd3\x80\xe0\x27\xd7\xa3\xbb\x7c\x96\xc7\xd9\x18\xce\x53"
> >>         "\x2d\xc4\xee\x57\xa4\x92\x8f\x99\x82\xd8\xdc\xa7\x24\x36\x12"
> >>         "\xec\x36\x4e\xe7\x11\xe1\x73\x5f\xab\x16\x0a\xb5\xb5\x9d\xb2"
> >>         "\xf5\xad\x93\x8e\xf4\xdc\x76\x11\x56\x40\x38\x6f\x98\x2b\x55"
> >>         "\x74\x2e\x55\x2a\x05\x3d\x43\x89\x84\x0e\x32\xc8\xd4\x8d\xc1"
> >>         "\x11\x8b\xec\x0b\x68\xef\x96\xaf\x78\xe8\x8f\x28\x8d\x8f\xd0"
> >>         "\x3a\x62\x76\xb0\x22\xda\xc4\x0f\x19\xe8\x02\x70\xdb\xd5\xb3"
> >>         "\x06\xdb\x59\x95\x3d\x0e\x9b\x82\xf3\x0f\x29\x73\x62\x7d\x9d"
> >>         "\x02\x55\xcd\xf7\xb1\xbb\xa9\x32\x54\xde\x6d\x9c\x97\xa2\x98"
> >>         "\x7c\x7a\xf2\x55\x18\x12\xc2\xb2\x14\x96\xb5\x68\x63\x05\x8a"
> >>         "\x96\x7a\x00\xf3\x8b\x68\x43\x61\x93\x32\xdd\x9b\xf8\x0e\xb1"
> >>         "\xce\xbf\x7b\x6b\xcd\xc3\xe6\x8a\xf2\x82\xb6\x14\xa2\x81\x59"
> >>         "\xde\xb2\x44\xe1\xfd\x38\x01\xba\x80\x63\xde\x23\xe5\x92\x45"
> >>         "\x97\xce\xcc\x53\x20\x71\x4b\x79\x84\x8e\xa3\x51\xd7\x1f\xde"
> >>         "\xa7\xe5\xd6\x8d\x63\x1b\xab\x67\xd7\x01\x2c\xf4\x63\xdd\x39"
> >>         "\x4a\x9c\x5f\x9b\x7a\x3f\xeb\x2a\x66\xdb\xca\x43\x74\xb3\x1c"
> >>         "\xce\xdb\x15\xd0\x31\x2a\xd6\x1d\x41\xcf\x4e\x79\x4d\x3a\x7f"
> >>         "\x4f\x03\x26\x80\x88\xe0\xe4\x06\xde\xe3\x77\xbc\x1a\xd3\x41"
> >>         "\xe1\x2f\xca\x27\xf6\x00\xa7\x4c\xa7\x47\xf3\x48\xff\x9d\x85"
> >>         "\x7d\xee\x9f\xdd\x72\x0d\x6e\xd5\xfc\x84\x03\xd7\xd9\x11\xc2"
> >>         "\x82\x88\x8a\x29\xbf\xa5\x87\x27\xe7\x7d\xae\x8f\x4f\x18\x00"
> >>         "\xd4\xca\xf8\xb9\x46\xfb\xee\x13\xef\xee\x5c\x60\xe4\x0f\x5d"
> >>         "\x5c\x6a\x4d\x6d\x14\x83\xde\x64\x47\xbd\x1b\xdc\x1f\x7e\x70"
> >>         "\xf4\x9d\xe1\x1b\xb1\x3c\x70\xbd\xd3\x1f\x8b\x16\x0d\x6e\xc7"
> >>         "\x2b\x59\xf4\xec\x89\xcd\x9e\x41\x0b\x92\xd9\xca\x87\xa6\x81"
> >>         "\x03\x64\x0e\x2a\x9a\xee\xb0\x99\xe6\x76\x79\x91\xad\x9a\x27"
> >>         "\x5e\x1a\x09\x6a\x55\xd6\x99\x04\xef\x99\x1b\xa1\xfe\xe6\x39"
> >>         "\x69\x6c\xe7\x27\x96\x45\xdd\xe5\x86\x99\xee\xee\x41\xed\x65"
> >>         "\x99\x6a\xb2\x9e\x35\x28\x86\xe1\x14\x25\x28\xb4\xff\xf1\xd3"
> >>         "\xeb\xdf\x43\xe5\xf5\x40\x0b\xa4\x57\xcc\x5f\x77\xf6\x15\xe8"
> >>         "\xfe\xab\x55\x2b\x47\xfe\xa6\xf3\x1f\x01\x88\xb9\xfe\x61\x4b"
> >>         "\xea\x3a\x40\xd6\xb7\x17\x46\x05\x4f\x3e\x93\xc9\xb9\xc9\x9d"
> >>         "\x79\xa3\x6a\x0f\xfb\x0f\x05\xa5\x16\x0c\xd6\xc1\xeb\x76\xa2"
> >>         "\xd1\x40\x14\x88\x3e\xf8\x92\x29\x07\xda\x18\x6c\x6a\xd1\x9f"
> >>         "\xbb\x71\xf5\x95\xd1\x5c\x2c\x21\x3d\x68\x02\x00\x1c\xda\xb4"
> >>         "\x1d\xb1\xd1\x67\xce\xd2\xd3\xc8\x97\xc1\xcd\x8a\x86\x84\x10"
> >>         "\xf6\x5d\x22\x87\xc7\xa9\x72\x93\x1c\x37\x96\x59\xd4\xc3\x0f"
> >>         "\x77\x83\x99\x2d\xb5\xe7\xd3\xf7\x2a\xfd\xca\xd4\x58\x85\xe4"
> >>         "\xf4\xd3\x3e\x50\x66\x07\xa4\xda\x6d\xc7\xab\x89\x2f\x71\xbf"
> >>         "\x6d\xfe\xfd\x13\xd6\x36\xd2\x3d\x71\x10\x98\xa2\x2b\xa3\x07"
> >>         "\x3c\x02\x6e\xdb\x33\xf0\xfc\xb7\x57\x5f\x44\x6e\x94\xbe\x97"
> >>         "\x9c\x14\x38\xce\xb5\xaf\x6f\xdf\x00\x5f\x15\x77\xb1\x1a\xb0"
> >>         "\x8f\x47\xa4\xd2\x7e\x2b\xfe\x75\x04\xed\x29\x1c\x74\x4c\x29"
> >>         "\x32\xbc\x8c\xb8\x1a\xab\xdd\x90\x9c\x44\x27\xda\x53\xf0\xa3"
> >>         "\x04\xdb\x60\xce\xb3\x34\xbf\xc9\x05\xee\x2f\xf5\xd7\x5f\x2a"
> >>         "\x83\xf5\x6b\x32\x41\x74\xe9\xa8\xd1\xc9\xf1\xee\x88\x84\x9d"
> >>         "\xb9\xd6\xf5\xc2\xf8\x42\x6e\x70\x8b\xfd\x91\x36\xff\xec\xc4"
> >>         "\x18\xd9\xd5\x5b\xba\x18\x98\xfb\x1c\x64\x39\x95\xdb\xfb\xf9"
> >>         "\xe9\x24\x12\x71\x0e\xd3\xc9\x4a\x54\x73\xeb\xd0\xbc\x31\xec"
> >>         "\x52\x40\xb8\x87\xd2\xe2\x6e\x33\x92\x38\x5b\x68\x51\x55\x7c"
> >>         "\xcd\x60\x53\xe2\x06\x6f\x99\x92\x8a\x05\x99\xa1\x75\x19\x23"
> >>         "\x7f\xa9\x80\x6c\x38\x23\x39\x0c\xb8\x0e\x94\xd5\x9d\xff\xf7"
> >>         "\x5d\x53\x55\xd0\x13\x77\xee\xb0\x0e\x70\x03\x3b\xa1\x58\xf0"
> >>         "\x9c\x3d\x93\x41\x97\x63\xad\x65\xa1\xa0\x1c\xb8\x32\x18\x04"
> >>         "\x0b\x13\xb4\x47\x35\x42\x66\x6f\xa9\x49\x20\x80\x52\x42\xc1"
> >>         "\xab\xc4\x3c\x6b\xe7\x77\x67\x00\x84\x32\x92\xa5\x3d\xb6\xfe"
> >>         "\xbf\x60\xae\x37\x48\xf1\x6c\x34\xe3\xb9\xab\x9f\xf1\x82\xa6"
> >>         "\x71\x41\x0e\xe6\x4c\x38\x92\x25\x3a\xf8\xbd\xf9\xf0\x7d\xa8"
> >>         "\x09\x87\x7e\xf8\x1d\x42\x1c\x14\x20\xc7\xdf\x4d\x5f\xeb\xbb"
> >>         "\x3b\x06\x8b\xe5\x14\xd5\x53\x33\x9d\x0e\xbc\x72\x6c\x83\x4d"
> >>         "\xad\x9e\xb4\x66\x20\xb5\x95\x01\xb3\x89\x9f\xc3\x92\xb1\x44"
> >>         "\x5b\xca\xd8\xc1\x0c\xa5\xb8\xef\x75\xd6\x4a\xe2\x3f\x16\xed"
> >>         "\x42\xde\xff\x64\xc0\x6f\x2c\x0f\x9f\x0d\x37\x19\x72\x0d\x59"
> >>         "\x1e\x1c\x45\x5f\x14\xea\xa3\x36\x11\xca\xc4\x82\x05\x62\xab"
> >>         "\x5b\xa3\xf4\xd0\xe3\x64\x8a\x23\x9c\x63\x5d\x14\xca\x30\x78"
> >>         "\x0a\x7e\x9d\xe3\x61\x7b\xdd\xbd\x7d\xa7\x26\xb7\x53\xe9\x2e"
> >>         "\xc1\x72\x73\x7b\xd2\xad\x99\x6c\xee\xd3\xb5\xaa\x4a\x85\xd4"
> >>         "\xac\xca\x07\xf4\x3f\x9f\xc1\x3b\x4f\x55\x5b\x29\x7e\x39\x4e"
> >>         "\xd7\xee\x6a\xbb\xa2\x40\x48\xa0\xda\x4c\x30\xc0\x2e\x1f\x83"
> >>         "\x8a\x3e\x4b\x34\xa8\x71\x40\x24\x02\x7c\xf1\xad\x4f\xa0\x7a"
> >>         "\xf5\xcb\x56\xd4\x49\x6b\xb8\x12\x22\x44\xdc\x56\x6f\xa9\x2e"
> >>         "\x0a",
> >>         4096));
> >>     r[54] = execute_syscall(__NR_write, r[2], 0x209c3000ul, 0x1000ul, 0,
> >>                             0, 0, 0, 0, 0);
> >>     break;
> >>   }
> >>   return 0;
> >> }
> >>
> >> void loop()
> >> {
> >>   long i;
> >>   pthread_t th[20];
> >>
> >>   memset(r, -1, sizeof(r));
> >>   srand(getpid());
> >>   for (i = 0; i < 10; i++) {
> >>     pthread_create(&th[i], 0, thr, (void*)i);
> >>     usleep(10000);
> >>   }
> >>   usleep(100000);
> >> }
> >>
> >> int main()
> >> {
> >>   setup_main_process();
> >>   int pid = do_sandbox_setuid(0, false);
> >>   int status = 0;
> >>   while (waitpid(pid, &status, __WALL) != pid) {
> >>   }
> >>   return 0;
> >> }
> >>
> >

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: net/udp: slab-out-of-bounds Read in udp_recvmsg
  2017-03-15 16:01     ` Eric Dumazet
@ 2017-03-15 16:10       ` Eric Dumazet
  2017-03-15 22:08         ` David Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2017-03-15 16:10 UTC (permalink / raw)
  To: Dmitry Vyukov, Yuchung Cheng, Soheil Hassas Yeganeh, Cardwell
  Cc: 쪼르,
	David Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
	Patrick McHardy, netdev, LKML, syzkaller

On Wed, 2017-03-15 at 09:01 -0700, Eric Dumazet wrote:
> On Wed, 2017-03-15 at 16:41 +0100, Dmitry Vyukov wrote:
> > On Wed, Mar 15, 2017 at 4:25 PM, 쪼르 <zzoru007@gmail.com> wrote:
> > > It seems that attacker can leak kernel memory(slab) by this vulnerability.
> > > I make a PoC code, and it works well on
> > > ae50dfd61665086e617cc9e554a1285d52765670.
> > > but, I found that PoC wasn't work on Ubuntu16.04.02 4.4.0-64-generic
> > > #85-Ubuntu SMP.
> > 
> > 
> > Do you know why it is not working on Ubuntu16.04.02?
> > Is it because the source bug is not present there? Or maybe you need a
> > slightly different poc for that version?
> > 
> 
> Seems to be a side effect of a recent commit
> 
> ( 1c885808e45601b2b6f68b30ac1d999e10b6f606 )


Can you try this fix?

diff --git a/net/socket.c b/net/socket.c
index e034fe4164beec7731c68ba2bc6920627741561b..9b9a8eca81efa4d310be4376eb07c12614f7b562 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -692,12 +692,17 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
 	    ktime_to_timespec_cond(shhwtstamps->hwtstamp, tss.ts + 2))
 		empty = 0;
 	if (!empty) {
+		unsigned int hlen = skb_headlen(skb);
+
 		put_cmsg(msg, SOL_SOCKET,
 			 SCM_TIMESTAMPING, sizeof(tss), &tss);
 
-		if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
+		if (hlen &&
+		    (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
+		    sk->sk_protocol == IPPROTO_TCP &&
+		    sk->sk_type == SOCK_STREAM)
 			put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
-				 skb->len, skb->data);
+				 hlen, skb->data);
 	}
 }
 EXPORT_SYMBOL_GPL(__sock_recv_timestamp);
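Review bot: the `hlen` bound on the second put_cmsg() closes the over-read, since handing `skb->len` to put_cmsg() while copying from `skb->data` reads past the linear head whenever the skb is non-linear, but the same bound silently truncates the stats payload rather than reporting it; if the stats skb is always linear, say so in a comment (or add a `WARN_ON_ONCE(skb->len != hlen)` beside the put_cmsg()), and if it can be non-linear the copy needs skb_copy_bits() or a linearized skb rather than a shorter length. The new `sk->sk_protocol == IPPROTO_TCP && sk->sk_type == SOCK_STREAM` test in the same condition re-derives, on the receive side, the condition under which the stats skb was built, so the two sites can drift: marking the skb itself (a bit in skb->cb[]) when it is an OPT_STATS skb would let __sock_recv_timestamp() test the skb instead of the socket, and the builder side sits under `#ifdef CONFIG_INET` while this check does not.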


* Re: net/udp: slab-out-of-bounds Read in udp_recvmsg
  2017-03-15 16:10       ` Eric Dumazet
@ 2017-03-15 22:08         ` David Miller
  2017-03-15 22:45           ` Eric Dumazet
  0 siblings, 1 reply; 5+ messages in thread
From: David Miller @ 2017-03-15 22:08 UTC (permalink / raw)
  To: eric.dumazet
  Cc: dvyukov, ycheng, soheil, ncardwell, zzoru007, kuznet, jmorris,
	yoshfuji, kaber, netdev, linux-kernel, syzkaller

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 15 Mar 2017 09:10:33 -0700

> @@ -692,12 +692,17 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
>  	    ktime_to_timespec_cond(shhwtstamps->hwtstamp, tss.ts + 2))
>  		empty = 0;
>  	if (!empty) {
> +		unsigned int hlen = skb_headlen(skb);
> +
>  		put_cmsg(msg, SOL_SOCKET,
>  			 SCM_TIMESTAMPING, sizeof(tss), &tss);
>  
> -		if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
> +		if (hlen &&
> +		    (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
> +		    sk->sk_protocol == IPPROTO_TCP &&
> +		    sk->sk_type == SOCK_STREAM)
>  			put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
> -				 skb->len, skb->data);
> +				 hlen, skb->data);

Hmmm, what is the true intention of SOF_TIMESTAMPING_OPT_STATS then?  The
existing code seems to want to dump the entire SKB into the cmsg, and if
that's the case then the fix is to linearize the skb before the put_cmsg()
or have a way to put a non-linear SKB into a cmsg.


* Re: net/udp: slab-out-of-bounds Read in udp_recvmsg
  2017-03-15 22:08         ` David Miller
@ 2017-03-15 22:45           ` Eric Dumazet
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Dumazet @ 2017-03-15 22:45 UTC (permalink / raw)
  To: David Miller
  Cc: dvyukov, ycheng, soheil, ncardwell, zzoru007, kuznet, jmorris,
	yoshfuji, kaber, netdev, linux-kernel, syzkaller

On Wed, 2017-03-15 at 15:08 -0700, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Wed, 15 Mar 2017 09:10:33 -0700
> 
> > @@ -692,12 +692,17 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
> >  	    ktime_to_timespec_cond(shhwtstamps->hwtstamp, tss.ts + 2))
> >  		empty = 0;
> >  	if (!empty) {
> > +		unsigned int hlen = skb_headlen(skb);
> > +
> >  		put_cmsg(msg, SOL_SOCKET,
> >  			 SCM_TIMESTAMPING, sizeof(tss), &tss);
> >  
> > -		if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
> > +		if (hlen &&
> > +		    (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
> > +		    sk->sk_protocol == IPPROTO_TCP &&
> > +		    sk->sk_type == SOCK_STREAM)
> >  			put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
> > -				 skb->len, skb->data);
> > +				 hlen, skb->data);
> 
> Hmmm, what is the true intention of SOF_TIMESTAMPING_OPT_STATS then?  The
> existing code seems to want to dump the entire SKB into the cmsg, and if
> that's the case then the fix is to linearize the skb before the put_cmsg()
> or have a way to put a non-linear SKB into a cmsg.

I simply matched the conditions in __skb_tstamp_tx() which builds the
skb:

+       if (tsonly) {
+#ifdef CONFIG_INET
+               if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
+                   sk->sk_protocol == IPPROTO_TCP &&
+                   sk->sk_type == SOCK_STREAM)
+                       skb = tcp_get_timestamping_opt_stats(sk);
+               else
+#endif
+                       skb = alloc_skb(0, GFP_ATOMIC);
+       } else {
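Review bot: the `#ifdef CONFIG_INET` guard around the TCP-only stats builder in this fragment is what the proposed __sock_recv_timestamp() change lacks, as the reply below itself notes; since this `tsonly` branch is the one place that decides whether the skb carries OPT_STATS (everything else gets `alloc_skb(0, GFP_ATOMIC)`), setting a flag on the skb right here and testing that flag on the receive side would keep the decision in one place instead of repeating the IPPROTO_TCP/SOCK_STREAM test.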


And note that I should have also used the #ifdef


A proper fix would be to find a bit in skb->cb[] to avoid duplicating
the test...

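A userspace consumer of the cmsg under discussion, added here as an example and not taken from the thread or the kernel tree; it assumes the payload is the netlink-attribute list that tcp_get_timestamping_opt_stats() builds (TCP_NLA_* ids as in linux/tcp.h) and shows the length validation a receiver should do on the cmsg header and on each attribute before reading them, rejecting a truncated payload instead of over-reading it.

```c
/* Added example, not code from the thread: a userspace receiver of the
 * SCM_TIMESTAMPING_OPT_STATS cmsg discussed above, with the length checks a
 * consumer should apply before reading it. The control buffer is constructed;
 * the payload layout (netlink-style attributes, as tcp_get_timestamping_opt_stats()
 * emits) and the TCP_NLA_* ids are assumed from kernel uapi, not stated here. */
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#ifndef SCM_TIMESTAMPING_OPT_STATS
#define SCM_TIMESTAMPING_OPT_STATS 54 /* asm-generic/socket.h value */
#endif
struct nla_hdr { uint16_t nla_len, nla_type; }; /* local mirror of struct nlattr */
#define NLA_HDRLEN   sizeof(struct nla_hdr)
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)
enum { TCP_NLA_BUSY = 1, TCP_NLA_RWND_LIMITED = 2, TCP_NLA_SNDBUF_LIMITED = 3 };
struct opt_stats { uint64_t busy_us, rwnd_limited_us, sndbuf_limited_us; int nattrs; };

/* Parse an OPT_STATS payload of 'len' bytes. Every attribute length is checked
 * against the bytes that actually remain, so a short or corrupt payload is
 * rejected (-1) instead of being read past its end. */
int parse_opt_stats(const uint8_t *p, size_t len, struct opt_stats *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off + NLA_HDRLEN <= len) {
        struct nla_hdr h;
        uint64_t v = 0;
        memcpy(&h, p + off, sizeof h);
        if (h.nla_len < NLA_HDRLEN || off + h.nla_len > len)
            return -1;
        if (h.nla_len - NLA_HDRLEN == sizeof v) /* only u64 values are decoded */
            memcpy(&v, p + off + NLA_HDRLEN, sizeof v);
        switch (h.nla_type) {
        case TCP_NLA_BUSY:           out->busy_us = v; break;
        case TCP_NLA_RWND_LIMITED:   out->rwnd_limited_us = v; break;
        case TCP_NLA_SNDBUF_LIMITED: out->sndbuf_limited_us = v; break;
        default: break; /* unknown attribute: skip, do not fail */
        }
        out->nattrs++;
        off += NLA_ALIGN(h.nla_len);
    }
    return out->nattrs;
}

/* Walk msg_control as filled by recvmsg(fd, &msg, MSG_ERRQUEUE) and locate the
 * OPT_STATS cmsg: 1 found (payload/plen set), 0 absent, -1 malformed header. */
int find_opt_stats(struct msghdr *msg, const uint8_t **payload, size_t *plen)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_len < CMSG_LEN(0))
            return -1;
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_TIMESTAMPING_OPT_STATS) {
            *payload = CMSG_DATA(c);
            *plen = c->cmsg_len - CMSG_LEN(0);
            return 1;
        }
    }
    return 0;
}

/* Build a constructed control buffer holding one OPT_STATS cmsg with three u64
 * attributes, then run it through find/parse. 'trim' bytes are cut off the
 * advertised payload length, so trim > 0 simulates a truncated cmsg.
 * Returns parse_opt_stats()' result: 3 for the intact buffer, -1 when cut. */
int demo(size_t trim, struct opt_stats *out)
{
    static const uint16_t types[3] = { TCP_NLA_BUSY, TCP_NLA_RWND_LIMITED, TCP_NLA_SNDBUF_LIMITED };
    static const uint64_t vals[3] = { 1500, 200, 75 };
    uint8_t payload[3 * 12], ctl[128]; /* 3 x (4-byte header + 8-byte value) */
    struct msghdr msg = { .msg_control = ctl, .msg_controllen = CMSG_SPACE(sizeof payload) };
    struct cmsghdr *c;
    const uint8_t *p = NULL;
    size_t i, plen = 0;
    for (i = 0; i < 3; i++) {
        struct nla_hdr h = { 12, types[i] };
        memcpy(payload + i * 12, &h, sizeof h);
        memcpy(payload + i * 12 + NLA_HDRLEN, &vals[i], sizeof vals[i]);
    }
    memset(ctl, 0, sizeof ctl);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_TIMESTAMPING_OPT_STATS;
    c->cmsg_len = CMSG_LEN(sizeof payload);
    memcpy(CMSG_DATA(c), payload, sizeof payload);
    if (find_opt_stats(&msg, &p, &plen) != 1 || trim > plen)
        return -1;
    return parse_opt_stats(p, plen - trim, out);
}
```

Calling demo(0, &s) parses all three attributes; demo(5, &s) shortens the advertised payload so the last attribute no longer fits and the parser returns -1 rather than reading beyond the buffer.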
