// https://syzkaller.appspot.com/bug?id=5199b695d40ee67d4754c9f4c2e7c7a59256bd8d
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <arpa/inet.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <pthread.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>
#include <linux/if_addr.h>
#include <linux/if_ether.h>
#include <linux/if_link.h>
#include <linux/if_tun.h>
#include <linux/in6.h>
#include <linux/ip.h>
#include <linux/kvm.h>
#include <linux/neighbour.h>
#include <linux/net.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/tcp.h>
#include <linux/veth.h>

// Index of this reproducer process. In this part of the file it is only used
// to derive per-process device names and addresses (netdevsim%d, nr%d, rose%d).
// NOTE(review): assigned outside this section of the file; confirm its range.
unsigned long long procid;

// Per-thread state for NONFAILING(): skip_segv counts how many NONFAILING()
// sections are currently open, segv_env is the _setjmp() target that
// segv_handler() jumps back to.
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler registered by install_segv_handler().
//
// If the current thread is inside a NONFAILING() section (skip_segv != 0) and
// the faulting address lies outside the [1 MiB, 100 MiB] window, execution
// resumes at the _setjmp() point stored in segv_env. Any other fault ends the
// process with the signal number as its exit status, so a crash inside the
// window is never silently swallowed.
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  const uintptr_t window_lo = 1 << 20;
  const uintptr_t window_hi = 100 << 20;
  const uintptr_t fault = (uintptr_t)info->si_addr;
  const int recoverable = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
  const int inside_window = fault >= window_lo && fault <= window_hi;
  if (recoverable && !inside_window)
    _longjmp(segv_env, 1);
  exit(sig);
}

// Installs the process-wide fault handling used by NONFAILING().
//
// Signals 0x20 and 0x21 are set to SIG_IGN through the raw rt_sigaction
// syscall (sigsetsize 8), bypassing the libc wrapper.
// NOTE(review): these are presumably the two signals glibc reserves for its
// own threading support, which sigaction() would refuse to touch; confirm.
//
// SIGSEGV and SIGBUS are routed to segv_handler(). SA_NODEFER keeps the signal
// unblocked while the handler runs; the handler leaves through _longjmp(),
// which does not restore the signal mask, so a later fault must still be
// deliverable.
static void install_segv_handler(void)
{
  struct sigaction ignore;
  memset(&ignore, 0, sizeof(ignore));
  ignore.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &ignore, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &ignore, NULL, 8);

  struct sigaction fault;
  memset(&fault, 0, sizeof(fault));
  fault.sa_flags = SA_NODEFER | SA_SIGINFO;
  fault.sa_sigaction = segv_handler;
  sigaction(SIGSEGV, &fault, NULL);
  sigaction(SIGBUS, &fault, NULL);
}

// NONFAILING(stmt): run stmt with fault recovery armed.
//
// skip_segv is incremented, a _setjmp() point is saved in segv_env, and stmt
// runs. If stmt faults outside the window checked by segv_handler(), the
// handler _longjmp()s back here, stmt is abandoned and skip_segv is
// decremented as usual.
//
// Caveats for callers:
//  - the expansion is a bare { } block, not do { } while (0), so it does not
//    compose with an unbraced if/else;
//  - segv_env is a single per-thread buffer, so a nested NONFAILING()
//    overwrites the outer jump target;
//  - non-volatile locals modified by stmt before the fault have indeterminate
//    values after the jump.
#define NONFAILING(...)                                                        \
  {                                                                            \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    }                                                                          \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
  }

// Blocks the calling thread for roughly `ms` milliseconds via usleep().
// The return value of usleep() is ignored, so an interrupted sleep is not
// resumed.
static void sleep_ms(uint64_t ms)
{
  const uint64_t usec = ms * 1000;
  usleep(usec);
}

// Returns the CLOCK_MONOTONIC time in milliseconds.
// Exits the process with status 1 if the clock cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec now;
  if (clock_gettime(CLOCK_MONOTONIC, &now) != 0)
    exit(1);
  const uint64_t whole_ms = (uint64_t)now.tv_sec * 1000;
  const uint64_t frac_ms = (uint64_t)now.tv_nsec / 1000000;
  return whole_ms + frac_ms;
}

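// Starts a thread running fn(arg) with a 128 KiB stack.
//
// Creation is retried up to 100 times, 50 microseconds apart, while it fails
// with EAGAIN. Any other failure, or running out of retries, exits the process
// with status 1. The thread handle is not kept, so the thread is never joined
// by this function.
static void thread_start(void* (*fn)(void*), void* arg)
{
  pthread_t th;
  pthread_attr_t attr;
  pthread_attr_init(&attr);
  pthread_attr_setstacksize(&attr, 128 << 10);
  for (int attempt = 0; attempt < 100; attempt++) {
    // pthread_create() reports failure through its return value; POSIX does
    // not say it sets errno, so the retry decision must use the return code.
    const int rc = pthread_create(&th, &attr, fn, arg);
    if (rc == 0) {
      pthread_attr_destroy(&attr);
      return;
    }
    if (rc != EAGAIN)
      break;
    usleep(50);
  }
  exit(1);
}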

// One-shot event built on a futex word: state is 0 while unset and 1 once
// event_set() has fired.
typedef struct {
  int state;
} event_t;

// Puts the event into the unset state. Plain (non-atomic) store: must not run
// concurrently with waiters or setters.
static void event_init(event_t* ev)
{
  *ev = (event_t){.state = 0};
}

// Returns the event to the unset state so it can be signalled again.
// Plain (non-atomic) store, same as event_init().
static void event_reset(event_t* ev)
{
  (*ev).state = 0;
}

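// Signals the event and wakes the threads blocked on it.
//
// Setting an event that is already set is treated as a harness bug and exits
// with status 1. The release store pairs with the acquire loads in
// event_wait() / event_isset().
static void event_set(event_t* ev)
{
  if (ev->state)
    exit(1);
  __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
  // FUTEX_WAKE takes the maximum number of waiters to wake as its third
  // argument. Leaving it out makes the kernel see whatever value happens to be
  // in that argument slot, which can be 0 (nobody woken). Pass an explicit
  // "everyone" count instead.
  syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 0x7fffffff);
}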

// Blocks until the event is set, with no timeout.
// FUTEX_WAIT only sleeps while the word still reads 0, and the state is
// re-checked after every wake-up, so spurious returns are harmless.
static void event_wait(event_t* ev)
{
  for (;;) {
    if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
      return;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
  }
}

// Non-blocking check: returns the current state word (non-zero once set),
// read with acquire ordering.
static int event_isset(event_t* ev)
{
  const int snapshot = __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
  return snapshot;
}

// Waits for the event for at most `timeout` milliseconds.
//
// Returns 1 if the event was observed set, 0 once more than `timeout`
// milliseconds have elapsed. Each futex wait is given only the time still
// remaining, so early wake-ups do not extend the total wait.
static int event_timedwait(event_t* ev, uint64_t timeout)
{
  const uint64_t began = current_time_ms();
  uint64_t elapsed = 0;
  do {
    const uint64_t left = timeout - elapsed;
    struct timespec ts;
    ts.tv_sec = left / 1000;
    ts.tv_nsec = (left % 1000) * 1000 * 1000;
    syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
    if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
      return 1;
    elapsed = current_time_ms() - began;
  } while (elapsed <= timeout);
  return 0;
}

// Formats a printf-style message (at most 1023 bytes, silently truncated) and
// writes it to an existing file in a single write().
//
// The file is opened O_WRONLY | O_CLOEXEC without O_CREAT, so it must already
// exist. Returns true only if the whole message was written. On a failed or
// short write, errno is restored to the value seen right after write(), so
// close() cannot mask it.
static bool write_file(const char* file, const char* what, ...)
{
  char text[1024];
  va_list ap;
  va_start(ap, what);
  vsnprintf(text, sizeof(text), what, ap);
  va_end(ap);
  text[sizeof(text) - 1] = 0;
  const int count = strlen(text);

  const int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  const bool complete = write(fd, text, count) == count;
  const int saved_errno = errno;
  close(fd);
  if (!complete)
    errno = saved_errno;
  return complete;
}

// Single shared scratch buffer in which one rtnetlink request is assembled at
// a time (netlink_init -> netlink_attr / netlink_nest / netlink_done ->
// netlink_send). It is also reused as the receive buffer for the reply.
//
// The builder functions do not bounds-check their writes: `buf` holds 1024
// bytes and `nested` 8 open attributes, and the only overflow check is the
// one netlink_send() performs after the fact.
static struct {
  char* pos;                // next free byte in buf
  int nesting;              // number of currently open nested attributes
  struct nlattr* nested[8]; // stack of open nested attributes
  char buf[1024];           // message bytes, starting with struct nlmsghdr
} nlmsg;

// Starts a new request in the shared nlmsg buffer.
//
// The buffer is zeroed, the netlink header gets message type `typ` and flags
// NLM_F_REQUEST | NLM_F_ACK | `flags`, and `size` bytes of the family-specific
// header `data` are copied right behind it. nlmsg.pos is left at the aligned
// end of that header. `size` is not checked against the buffer capacity.
static void netlink_init(int typ, int flags, const void* data, int size)
{
  memset(&nlmsg, 0, sizeof(nlmsg));
  struct nlmsghdr* const head = (struct nlmsghdr*)nlmsg.buf;
  char* const payload = (char*)(head + 1);
  head->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  head->nlmsg_type = typ;
  memcpy(payload, data, size);
  nlmsg.pos = payload + NLMSG_ALIGN(size);
}

// Appends one attribute (type `typ`, `size` payload bytes from `data`) at
// nlmsg.pos and advances pos past it, aligned.
//
// No capacity check is made here; an oversized message is only detected by
// netlink_send(), after the bytes have already been written.
static void netlink_attr(int typ, const void* data, int size)
{
  struct nlattr* const slot = (struct nlattr*)nlmsg.pos;
  slot->nla_type = typ;
  slot->nla_len = sizeof(*slot) + size;
  memcpy(slot + 1, data, size);
  // Advance by the length as stored in the 16-bit nla_len field.
  nlmsg.pos += NLMSG_ALIGN(slot->nla_len);
}

// Opens a nested attribute of type `typ`: writes its header at nlmsg.pos,
// pushes it on the nlmsg.nested stack and moves pos past the header. Its
// length is filled in later by the matching netlink_done().
//
// The stack has 8 slots and the depth is not checked here.
static void netlink_nest(int typ)
{
  struct nlattr* const opened = (struct nlattr*)nlmsg.pos;
  opened->nla_type = typ;
  nlmsg.nested[nlmsg.nesting] = opened;
  nlmsg.nesting += 1;
  nlmsg.pos = (char*)(opened + 1);
}

// Closes the innermost open nested attribute: pops it from nlmsg.nested and
// sets its length to everything written since its header began.
// Calling this with no open attribute indexes below the stack; callers must
// pair it with netlink_nest().
static void netlink_done(void)
{
  nlmsg.nesting -= 1;
  struct nlattr* const closing = nlmsg.nested[nlmsg.nesting];
  closing->nla_len = nlmsg.pos - (char*)closing;
}

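// Sends the request assembled in nlmsg to the kernel and waits for the ACK.
//
// Returns the kernel's error code negated, i.e. 0 on success or a positive
// errno value. Exits with status 1 if the message overran the buffer, a
// nested attribute is still open, the send/receive fails or is short, or the
// reply is not an NLMSG_ERROR message.
//
// Note that the overrun check runs after the builders have already written
// the bytes, so it detects an overflow rather than preventing it.
static int netlink_send(int sock)
{
  if (nlmsg.pos > nlmsg.buf + sizeof(nlmsg.buf) || nlmsg.nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg.buf;
  hdr->nlmsg_len = nlmsg.pos - nlmsg.buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  // Keep the results signed: stored in an unsigned, a -1 from recv() would
  // compare as a huge length and slip past the minimum-size check below.
  ssize_t n = sendto(sock, nlmsg.buf, hdr->nlmsg_len, 0,
                     (struct sockaddr*)&addr, sizeof(addr));
  if (n < 0 || (size_t)n != hdr->nlmsg_len)
    exit(1);
  // The reply overwrites the request in the same buffer.
  n = recv(sock, nlmsg.buf, sizeof(nlmsg.buf), 0);
  if (n < 0 || (size_t)n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))
    exit(1);
  if (hdr->nlmsg_type != NLMSG_ERROR)
    exit(1);
  return -((struct nlmsgerr*)(hdr + 1))->error;
}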

// Begins an RTM_NEWLINK (create, exclusive) request for a link of kind `type`,
// optionally named `name` (NULL omits IFLA_IFNAME).
//
// The IFLA_LINKINFO nest is left open on return so callers can append
// IFLA_INFO_DATA; they must close it with netlink_done() before sending.
// Strings are added with strlen() bytes, i.e. without the terminating NUL.
static void netlink_add_device_impl(const char* type, const char* name)
{
  struct ifinfomsg link_hdr;
  memset(&link_hdr, 0, sizeof(link_hdr));
  netlink_init(RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &link_hdr,
               sizeof(link_hdr));
  if (name != NULL)
    netlink_attr(IFLA_IFNAME, name, strlen(name));
  netlink_nest(IFLA_LINKINFO);
  netlink_attr(IFLA_INFO_KIND, type, strlen(type));
}

// Creates a link of kind `type` named `name` (or kernel-chosen when NULL).
// Best effort: the kernel's error code is deliberately discarded.
static void netlink_add_device(int sock, const char* type, const char* name)
{
  netlink_add_device_impl(type, name);
  netlink_done(); // closes IFLA_LINKINFO
  (void)netlink_send(sock);
}

// Creates a veth pair: `name` on one end, `peer` on the other.
//
// The peer is described inside IFLA_INFO_DATA / VETH_INFO_PEER as an
// ifinfomsg followed by its own IFLA_IFNAME. The ifinfomsg is reserved by
// skipping over bytes that netlink_init() already zeroed. Best effort: the
// kernel's error code is discarded.
static void netlink_add_veth(int sock, const char* name, const char* peer)
{
  netlink_add_device_impl("veth", name);
  netlink_nest(IFLA_INFO_DATA);
  netlink_nest(VETH_INFO_PEER);
  nlmsg.pos += sizeof(struct ifinfomsg);
  netlink_attr(IFLA_IFNAME, peer, strlen(peer));
  // Close VETH_INFO_PEER, IFLA_INFO_DATA and IFLA_LINKINFO, innermost first.
  for (int depth = 0; depth < 3; depth++)
    netlink_done();
  (void)netlink_send(sock);
}

// Creates an "hsr" link `name` on top of the two existing interfaces `slave1`
// and `slave2`, passed to the kernel by interface index.
//
// if_nametoindex() returns 0 for an unknown name; that 0 is sent as-is and the
// kernel's verdict is discarded (best effort).
static void netlink_add_hsr(int sock, const char* name, const char* slave1,
                            const char* slave2)
{
  netlink_add_device_impl("hsr", name);
  netlink_nest(IFLA_INFO_DATA);
  int first_index = if_nametoindex(slave1);
  netlink_attr(IFLA_HSR_SLAVE1, &first_index, sizeof(first_index));
  int second_index = if_nametoindex(slave2);
  netlink_attr(IFLA_HSR_SLAVE2, &second_index, sizeof(second_index));
  netlink_done(); // IFLA_INFO_DATA
  netlink_done(); // IFLA_LINKINFO
  (void)netlink_send(sock);
}

// Modifies the existing link `name` with one RTM_NEWLINK request.
//
//   up      - when true, sets IFF_UP (flag and change mask)
//   master  - when non-NULL, enslaves the link to that interface (by index)
//   mac     - when macsize != 0, sets the link-layer address to macsize bytes
//             read from mac
//
// Best effort: the kernel's error code is discarded.
static void netlink_device_change(int sock, const char* name, bool up,
                                  const char* master, const void* mac,
                                  int macsize)
{
  struct ifinfomsg link_hdr;
  memset(&link_hdr, 0, sizeof(link_hdr));
  if (up) {
    link_hdr.ifi_change = IFF_UP;
    link_hdr.ifi_flags = IFF_UP;
  }
  netlink_init(RTM_NEWLINK, 0, &link_hdr, sizeof(link_hdr));
  netlink_attr(IFLA_IFNAME, name, strlen(name));
  if (master != NULL) {
    int master_index = if_nametoindex(master);
    netlink_attr(IFLA_MASTER, &master_index, sizeof(master_index));
  }
  if (macsize != 0)
    netlink_attr(IFLA_ADDRESS, mac, macsize);
  (void)netlink_send(sock);
}

// Assigns an address to interface `dev` (create-or-replace).
//
// addrsize selects the family: 4 means IPv4 with a /24 prefix, anything else
// is treated as IPv6 with a /120 prefix. `addr` must point to addrsize bytes
// in network order. Returns what netlink_send() returns: 0 or a positive
// errno value.
static int netlink_add_addr(int sock, const char* dev, const void* addr,
                            int addrsize)
{
  const bool is_v4 = addrsize == 4;
  struct ifaddrmsg addr_hdr;
  memset(&addr_hdr, 0, sizeof(addr_hdr));
  if (is_v4) {
    addr_hdr.ifa_family = AF_INET;
    addr_hdr.ifa_prefixlen = 24;
  } else {
    addr_hdr.ifa_family = AF_INET6;
    addr_hdr.ifa_prefixlen = 120;
  }
  addr_hdr.ifa_index = if_nametoindex(dev);
  addr_hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  netlink_init(RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &addr_hdr,
               sizeof(addr_hdr));
  netlink_attr(IFA_LOCAL, addr, addrsize);
  netlink_attr(IFA_ADDRESS, addr, addrsize);
  return netlink_send(sock);
}

// Parses the dotted-quad string `addr` and assigns it to `dev`.
// The inet_pton() result is not checked (callers in this file pass well-formed
// addresses) and the netlink error code is discarded.
static void netlink_add_addr4(int sock, const char* dev, const char* addr)
{
  struct in_addr parsed;
  inet_pton(AF_INET, addr, &parsed);
  (void)netlink_add_addr(sock, dev, &parsed, sizeof(parsed));
}

// Parses the IPv6 text address `addr` and assigns it to `dev`.
// The inet_pton() result is not checked (callers in this file pass well-formed
// addresses) and the netlink error code is discarded.
static void netlink_add_addr6(int sock, const char* dev, const char* addr)
{
  struct in6_addr parsed;
  inet_pton(AF_INET6, addr, &parsed);
  (void)netlink_add_addr(sock, dev, &parsed, sizeof(parsed));
}

// Adds a permanent neighbour entry on interface `name`, mapping the protocol
// address `addr` (addrsize 4 = IPv4, otherwise IPv6) to the link-layer address
// `mac` of macsize bytes. Best effort: the kernel's error code is discarded.
static void netlink_add_neigh(int sock, const char* name, const void* addr,
                              int addrsize, const void* mac, int macsize)
{
  struct ndmsg neigh_hdr;
  memset(&neigh_hdr, 0, sizeof(neigh_hdr));
  if (addrsize == 4)
    neigh_hdr.ndm_family = AF_INET;
  else
    neigh_hdr.ndm_family = AF_INET6;
  neigh_hdr.ndm_state = NUD_PERMANENT;
  neigh_hdr.ndm_ifindex = if_nametoindex(name);
  netlink_init(RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &neigh_hdr,
               sizeof(neigh_hdr));
  netlink_attr(NDA_DST, addr, addrsize);
  netlink_attr(NDA_LLADDR, mac, macsize);
  (void)netlink_send(sock);
}

// TAP device state, filled in by initialize_tun(): tunfd stays -1 when
// /dev/net/tun is unavailable; tun_frags_enabled records whether the kernel
// accepted IFF_NAPI_FRAGS.
static int tunfd = -1;
static int tun_frags_enabled;
// NOTE(review): not referenced in this section of the file.
#define SYZ_TUN_MAX_PACKET_SIZE 1000

// Name of the TAP interface created by initialize_tun().
#define TUN_IFACE "syz_tun"

// MAC addresses as integers; initialize_tun() passes the first ETH_ALEN bytes
// of a uint64_t holding them, so the byte order on the wire depends on host
// endianness.
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb

// Address assigned to the TAP interface and the static neighbour paired with
// REMOTE_MAC.
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"

#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"

// Defined locally, presumably because older <linux/if_tun.h> headers lack
// them; confirm the values against the target kernel's header.
#define IFF_NAPI 0x0010
#define IFF_NAPI_FRAGS 0x0020

// Creates and configures the TAP interface TUN_IFACE used for packet
// injection.
//
// Steps, in order:
//  1. open /dev/net/tun (non-blocking); if that fails, print a hint and return
//     with tunfd == -1 so the rest of the program can still run;
//  2. move the descriptor to the fixed number 240;
//  3. attach as a TAP device, first asking for NAPI + NAPI_FRAGS and falling
//     back to plain TAP if the kernel rejects that; record which one was
//     granted in tun_frags_enabled;
//  4. turn off IPv6 duplicate address detection and router solicitations on
//     the interface (best effort);
//  5. assign the local IPv4/IPv6 addresses, add static neighbour entries for
//     the remote addresses, set the local MAC and bring the link up.
//
// Any failure after step 1 exits the process with status 1, except the
// best-effort sysctl writes and netlink requests.
static void initialize_tun(void)
{
  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }
  const int fixed_fd = 240;
  if (dup2(tunfd, fixed_fd) < 0)
    exit(1);
  close(tunfd);
  tunfd = fixed_fd;

  struct ifreq req;
  memset(&req, 0, sizeof(req));
  strncpy(req.ifr_name, TUN_IFACE, IFNAMSIZ);
  req.ifr_flags = IFF_TAP | IFF_NO_PI | IFF_NAPI | IFF_NAPI_FRAGS;
  if (ioctl(tunfd, TUNSETIFF, (void*)&req) < 0) {
    req.ifr_flags = IFF_TAP | IFF_NO_PI;
    if (ioctl(tunfd, TUNSETIFF, (void*)&req) < 0)
      exit(1);
  }
  if (ioctl(tunfd, TUNGETIFF, (void*)&req) < 0)
    exit(1);
  tun_frags_enabled = (req.ifr_flags & IFF_NAPI_FRAGS) ? 1 : 0;

  char path[64];
  snprintf(path, sizeof(path), "/proc/sys/net/ipv6/conf/%s/accept_dad",
           TUN_IFACE);
  write_file(path, "0");
  snprintf(path, sizeof(path),
           "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
  write_file(path, "0");

  const int nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (nl == -1)
    exit(1);
  netlink_add_addr4(nl, TUN_IFACE, LOCAL_IPV4);
  netlink_add_addr6(nl, TUN_IFACE, LOCAL_IPV6);

  // Only the first ETH_ALEN bytes of this 64-bit value are sent.
  uint64_t mac = REMOTE_MAC;
  struct in_addr remote4;
  inet_pton(AF_INET, REMOTE_IPV4, &remote4);
  netlink_add_neigh(nl, TUN_IFACE, &remote4, sizeof(remote4), &mac, ETH_ALEN);
  struct in6_addr remote6;
  inet_pton(AF_INET6, REMOTE_IPV6, &remote6);
  netlink_add_neigh(nl, TUN_IFACE, &remote6, sizeof(remote6), &mac, ETH_ALEN);

  mac = LOCAL_MAC;
  netlink_device_change(nl, TUN_IFACE, true, 0, &mac, ETH_ALEN);
  close(nl);
}

// Per-device address templates used by initialize_netdevices(): the format
// argument is the device's table index + 10, and the same value is added into
// byte 5 (bits 40-47) of DEV_MAC.
#define DEV_IPV4 "172.20.20.%d"
#define DEV_IPV6 "fe80::%02hx"
#define DEV_MAC 0x00aaaaaaaaaa
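// Populates the network namespace with a fixed set of virtual devices.
//
//  1. Creates one link per entry of devtypes (the "veth" entry has no name, so
//     the kernel chooses one).
//  2. For each of bridge/bond/team: creates two veth pairs
//     (<master>_slave_N <-> vethN_to_<master>) and enslaves the slave ends to
//     <master>0. The bridge slaves are additionally brought up.
//  3. Creates hsr0 on top of two further veth pairs and brings its slaves up.
//  4. For every entry of devices: assigns 172.20.20.(index+10), the matching
//     fe80:: address unless noipv6 is set, a MAC derived from DEV_MAC, and
//     brings the link up.
//
// All netlink requests are best effort; only a failure to open the netlink
// socket exits the process.
//
// Names and addresses are formatted with snprintf() bounded by the destination
// size. With plain sprintf(), netdevsim[16] would be overrun as soon as procid
// needs seven or more digits ("netdevsim" is already nine characters).
static void initialize_netdevices(void)
{
  char netdevsim[16];
  snprintf(netdevsim, sizeof(netdevsim), "netdevsim%d", (int)procid);
  struct {
    const char* type;
    const char* dev;
  } devtypes[] = {
      {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"},
      {"vcan", "vcan0"},           {"bond", "bond0"},
      {"team", "team0"},           {"dummy", "dummy0"},
      {"nlmon", "nlmon0"},         {"caif", "caif0"},
      {"batadv", "batadv0"},       {"vxcan", "vxcan1"},
      {"netdevsim", netdevsim},    {"veth", 0},
  };
  const char* devmasters[] = {"bridge", "bond", "team"};
  struct {
    const char* name;
    int macsize; // bytes of MAC to set; 0 leaves the address untouched
    bool noipv6; // skip the IPv6 address for this device
  } devices[] = {
      {"lo", ETH_ALEN},
      {"sit0", 0},
      {"bridge0", ETH_ALEN},
      {"vcan0", 0, true},
      {"tunl0", 0},
      {"gre0", 0},
      {"gretap0", ETH_ALEN},
      {"ip_vti0", 0},
      {"ip6_vti0", 0},
      {"ip6tnl0", 0},
      {"ip6gre0", 0},
      {"ip6gretap0", ETH_ALEN},
      {"erspan0", ETH_ALEN},
      {"bond0", ETH_ALEN},
      {"veth0", ETH_ALEN},
      {"veth1", ETH_ALEN},
      {"team0", ETH_ALEN},
      {"veth0_to_bridge", ETH_ALEN},
      {"veth1_to_bridge", ETH_ALEN},
      {"veth0_to_bond", ETH_ALEN},
      {"veth1_to_bond", ETH_ALEN},
      {"veth0_to_team", ETH_ALEN},
      {"veth1_to_team", ETH_ALEN},
      {"veth0_to_hsr", ETH_ALEN},
      {"veth1_to_hsr", ETH_ALEN},
      {"hsr0", 0},
      {"dummy0", ETH_ALEN},
      {"nlmon0", 0},
      {"vxcan1", 0, true},
      {"caif0", ETH_ALEN},
      {"batadv0", ETH_ALEN},
      {netdevsim, ETH_ALEN},
  };
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1)
    exit(1);
  unsigned i;
  for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++)
    netlink_add_device(sock, devtypes[i].type, devtypes[i].dev);
  for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) {
    char master[32], slave0[32], veth0[32], slave1[32], veth1[32];
    snprintf(slave0, sizeof(slave0), "%s_slave_0", devmasters[i]);
    snprintf(veth0, sizeof(veth0), "veth0_to_%s", devmasters[i]);
    netlink_add_veth(sock, slave0, veth0);
    snprintf(slave1, sizeof(slave1), "%s_slave_1", devmasters[i]);
    snprintf(veth1, sizeof(veth1), "veth1_to_%s", devmasters[i]);
    netlink_add_veth(sock, slave1, veth1);
    snprintf(master, sizeof(master), "%s0", devmasters[i]);
    netlink_device_change(sock, slave0, false, master, 0, 0);
    netlink_device_change(sock, slave1, false, master, 0, 0);
  }
  netlink_device_change(sock, "bridge_slave_0", true, 0, 0, 0);
  netlink_device_change(sock, "bridge_slave_1", true, 0, 0, 0);
  netlink_add_veth(sock, "hsr_slave_0", "veth0_to_hsr");
  netlink_add_veth(sock, "hsr_slave_1", "veth1_to_hsr");
  netlink_add_hsr(sock, "hsr0", "hsr_slave_0", "hsr_slave_1");
  netlink_device_change(sock, "hsr_slave_0", true, 0, 0, 0);
  netlink_device_change(sock, "hsr_slave_1", true, 0, 0, 0);
  for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) {
    char addr[32];
    snprintf(addr, sizeof(addr), DEV_IPV4, i + 10);
    netlink_add_addr4(sock, devices[i].name, addr);
    if (!devices[i].noipv6) {
      snprintf(addr, sizeof(addr), DEV_IPV6, i + 10);
      netlink_add_addr6(sock, devices[i].name, addr);
    }
    // Only the first macsize bytes of this 64-bit value are sent.
    uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40);
    netlink_device_change(sock, devices[i].name, true, 0, &macaddr,
                          devices[i].macsize);
  }
  close(sock);
}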
// Configures the per-process "nr<procid>" and "rose<procid>" devices.
//
// Each device gets the IPv4 address 172.30.<index>.<procid+1>, an fe88::
// address unless noipv6 is set (it is set for both entries here), and a
// link-layer address of macsize bytes built from 0xbbbbbb plus the table index
// and procid in its two highest bytes. "rose" is left down (noup).
//
// The devices are only configured, not created, by this function. All netlink
// requests are best effort; only a failure to open the socket exits.
static void initialize_netdevices_init(void)
{
  const int nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (nl == -1)
    exit(1);
  struct {
    const char* type;
    int macsize;
    bool noipv6;
    bool noup;
  } devtypes[] = {
      {"nr", 7, true}, {"rose", 5, true, true},
  };
  const unsigned count = sizeof(devtypes) / sizeof(devtypes[0]);
  for (unsigned i = 0; i < count; i++) {
    char dev[32], addr[32];
    sprintf(dev, "%s%d", devtypes[i].type, (int)procid);
    sprintf(addr, "172.30.%d.%d", i, (int)procid + 1);
    netlink_add_addr4(nl, dev, addr);
    if (devtypes[i].noipv6 == false) {
      sprintf(addr, "fe88::%02hx:%02hx", i, (int)procid + 1);
      netlink_add_addr6(nl, dev, addr);
    }
    const int macsize = devtypes[i].macsize;
    uint64_t macaddr = 0xbbbbbb;
    macaddr += (unsigned long long)i << (8 * (macsize - 2));
    macaddr += procid << (8 * (macsize - 1));
    const bool bring_up = !devtypes[i].noup;
    netlink_device_change(nl, dev, bring_up, 0, &macaddr, macsize);
  }
  close(nl);
}

// Raw x86 machine-code snippets. The code that consumes them is outside this
// section of the file; the names suggest they are prologues copied into KVM
// guest memory ahead of the generated guest code. Confirm against the KVM
// setup code before relying on that.
//
// Several blobs embed the byte patterns 1d ba (0xba1d, see PREFIX_SIZE) and
// de c0 ad 0b (0x0badc0de, see NEXT_INSN), presumably placeholders that are
// patched with real values when the blob is installed. As written, those
// bytes are not valid targets.
//
// Review hint: these bytes run with guest privilege only inside a VM, but they
// are opaque to source review. Disassemble them (16/32/64-bit as named) rather
// than trusting the identifier.

// Appears to set CR0.PE (0f 20 c0 / or 1 / 0f 22 c0), load TR and the data
// segment registers, build a far-return frame on the stack and finish with
// retf (cb).
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0"
                              "\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e"
                              "\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba"
                              "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01"
                              "\xc7\x06\x06\x01\x2b\x00\xcb";
// Appears to OR 0x80000000 (CR0.PG) into CR0.
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
// Appears to load TR with 0xb8 and far-jump through selector 0xd0; these
// values equal SEL_TSS32 and SEL_TSS32_VM86 as defined later in this file.
const char kvm_asm32_vm86[] =
    "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
// Byte-for-byte kvm_asm32_paged followed by kvm_asm32_vm86.
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22"
                                    "\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00"
                                    "\x00\x00\x00\xd0\x00";
// Starts like kvm_asm32_paged, then far-jumps to 0x50:0x0badc0de (0x50 equals
// SEL_CS64) and appears to load TR with 0xd8 (equals SEL_TSS64).
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22"
                                     "\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7"
                                     "\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
const char kvm_asm64_init_vm[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
    "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f"
    "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22"
    "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89"
    "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3"
    "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48"
    "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2"
    "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e"
    "\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7"
    "\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48"
    "\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0"
    "\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7"
    "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0"
    "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00"
    "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48"
    "\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7"
    "\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0"
    "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00"
    "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0"
    "\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79"
    "\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48"
    "\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c"
    "\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c"
    "\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00"
    "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00"
    "\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00"
    "\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7"
    "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0"
    "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00"
    "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20"
    "\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7"
    "\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e"
    "\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40"
    "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00"
    "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00"
    "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48"
    "\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7"
    "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0"
    "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00"
    "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00"
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f"
    "\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79"
    "\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48"
    "\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12"
    "\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68"
    "\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00"
    "\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00"
    "\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48"
    "\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7"
    "\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0"
    "\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff"
    "\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff"
    "\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f"
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f"
    "\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79"
    "\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48"
    "\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c"
    "\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48"
    "\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00"
    "\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00"
    "\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7"
    "\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0"
    "\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00"
    "\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00"
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f"
    "\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0"
    "\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20"
    "\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18"
    "\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31"
    "\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44"
    "\x00\x00\x0f\x78\xd0\xf4";
// Raw x86-64 machine code; the consumer is outside this section of the file.
// Contains four 0f 78 (VMREAD) instructions and ends with hlt (f4).
// NOTE(review): presumably the handler run after a nested VM exit; confirm
// against the code that installs it.
const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48"
                                 "\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7"
                                 "\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3"
                                 "\x1e\x68\x00\x00\x0f\x78\xdb\xf4";
// Raw x86-64 machine code. The first 28 bytes are identical to
// kvm_asm64_enable_long; the remainder loads the data segment registers with
// 0x6b (equals SEL_DS64_CPL3), builds a far-return frame containing the
// 0xba1d placeholder and selector 0x63 (equals SEL_CS64_CPL3), and ends with
// retf (cb).
const char kvm_asm64_cpl3[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
    "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e"
    "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24"
    "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08"
    "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb";

// Guest-physical layout: offsets of the structures placed in guest memory.
// In this section only ADDR_STACK0, ADDR_VAR_SYSRET, ADDR_VAR_SYSEXIT,
// ADDR_VAR_IDT and ADDR_VAR_USER_CODE2 are referenced; the rest are used
// outside it.
// NOTE(review): some regions sit inside others' nominal ranges (for example
// ADDR_VAR_HLT 0x2800 lies between ADDR_PML4 0x2000 and ADDR_PDP 0x3000);
// confirm the sizes actually used before changing any offset.
#define ADDR_TEXT 0x0000
#define ADDR_GDT 0x1000
#define ADDR_LDT 0x1800
#define ADDR_PML4 0x2000
#define ADDR_PDP 0x3000
#define ADDR_PD 0x4000
#define ADDR_STACK0 0x0f80
#define ADDR_VAR_HLT 0x2800
#define ADDR_VAR_SYSRET 0x2808
#define ADDR_VAR_SYSEXIT 0x2810
#define ADDR_VAR_IDT 0x3800
#define ADDR_VAR_TSS64 0x3a00
#define ADDR_VAR_TSS64_CPL3 0x3c00
#define ADDR_VAR_TSS16 0x3d00
#define ADDR_VAR_TSS16_2 0x3e00
#define ADDR_VAR_TSS16_CPL3 0x3f00
#define ADDR_VAR_TSS32 0x4800
#define ADDR_VAR_TSS32_2 0x4a00
#define ADDR_VAR_TSS32_CPL3 0x4c00
#define ADDR_VAR_TSS32_VM86 0x4e00
#define ADDR_VAR_VMXON_PTR 0x5f00
#define ADDR_VAR_VMCS_PTR 0x5f08
#define ADDR_VAR_VMEXIT_PTR 0x5f10
#define ADDR_VAR_VMWRITE_FLD 0x5f18
#define ADDR_VAR_VMWRITE_VAL 0x5f20
#define ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100
#define ADDR_VAR_USER_CODE2 0x9120

// Segment selectors: descriptor-table index << 3, with the low bits set to 3
// (requested privilege level 3) for the *_CPL3 variants.
// fill_segment_descriptor() recovers the table index with selector >> 3.
// The *_HI entries are the second 8-byte slot of a 16-byte 64-bit descriptor.
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)
#define SEL_CGATE64_HI (19 << 3)
#define SEL_TSS16 (20 << 3)
#define SEL_TSS16_2 (21 << 3)
#define SEL_TSS16_CPL3 ((22 << 3) + 3)
#define SEL_TSS32 (23 << 3)
#define SEL_TSS32_2 (24 << 3)
#define SEL_TSS32_CPL3 ((25 << 3) + 3)
#define SEL_TSS32_VM86 (26 << 3)
#define SEL_TSS64 (27 << 3)
#define SEL_TSS64_HI (28 << 3)
#define SEL_TSS64_CPL3 ((29 << 3) + 3)
#define SEL_TSS64_CPL3_HI (30 << 3)

// Model-specific register numbers. setup_syscall_msrs() programs the three
// SYSENTER MSRs plus STAR and LSTAR; the others are used outside this section.
#define MSR_IA32_FEATURE_CONTROL 0x3a
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_SMBASE 0x9e
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_STAR 0xC0000081
#define MSR_IA32_LSTAR 0xC0000082
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

// Placeholder values that also appear as literal bytes in the kvm_asm* blobs
// (de c0 ad 0b and 1d ba). NEXT_INSN is written as an AT&T-syntax immediate,
// so it is only meaningful inside assembler text.
#define NEXT_INSN $0xbadc0de
#define PREFIX_SIZE 0xba1d

// NOTE(review): <linux/kvm.h> may already define KVM_SMI; the redefinition is
// harmless only while both expansions are identical.
#define KVM_SMI _IO(KVMIO, 0xb7)

// CR0 control-register bits.
// NOTE(review): CR0_PG is written as (1 << 31), which shifts into the sign bit
// of a 32-bit int. Compilers targeting x86 yield 0x80000000 in practice, but
// an unsigned literal (1u << 31) would avoid relying on that.
#define CR0_PE 1
#define CR0_MP (1 << 1)
#define CR0_EM (1 << 2)
#define CR0_TS (1 << 3)
#define CR0_ET (1 << 4)
#define CR0_NE (1 << 5)
#define CR0_WP (1 << 16)
#define CR0_AM (1 << 18)
#define CR0_NW (1 << 29)
#define CR0_CD (1 << 30)
#define CR0_PG (1 << 31)

// CR4 control-register bits.
// NOTE(review): CR4_PCE and CR4_OSFXSR are both defined as (1 << 8).
// Architecturally PCE is bit 8 and OSFXSR is bit 9, so any mask built with
// CR4_OSFXSR actually selects PCE and can never select OSFXSR. The value is
// left as generated because changing it would alter what this reproducer
// programs into the guest.
#define CR4_VME 1
#define CR4_PVI (1 << 1)
#define CR4_TSD (1 << 2)
#define CR4_DE (1 << 3)
#define CR4_PSE (1 << 4)
#define CR4_PAE (1 << 5)
#define CR4_MCE (1 << 6)
#define CR4_PGE (1 << 7)
#define CR4_PCE (1 << 8)
#define CR4_OSFXSR (1 << 8)
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)

// EFER (extended feature enable register) bits.
#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)
// Page-directory entry flag bits for 32-bit paging.
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)
// Paging-structure entry flag bits for 64-bit (and PAE) paging.
#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

// In-memory image of a 16-bit task-state segment: 22 packed 16-bit fields,
// 44 bytes. Field order is the layout; do not reorder.
struct tss16 {
  uint16_t prev;
  uint16_t sp0;
  uint16_t ss0;
  uint16_t sp1;
  uint16_t ss1;
  uint16_t sp2;
  uint16_t ss2;
  uint16_t ip;
  uint16_t flags;
  uint16_t ax;
  uint16_t cx;
  uint16_t dx;
  uint16_t bx;
  uint16_t sp;
  uint16_t bp;
  uint16_t si;
  uint16_t di;
  uint16_t es;
  uint16_t cs;
  uint16_t ss;
  uint16_t ds;
  uint16_t ldt;
} __attribute__((packed));

// In-memory image of a 32-bit task-state segment, 104 bytes packed. The
// "...h" members are the upper 16 bits that pad each selector to 32 bits.
// Field order is the layout; do not reorder.
struct tss32 {
  uint16_t prev, prevh;
  uint32_t sp0;
  uint16_t ss0, ss0h;
  uint32_t sp1;
  uint16_t ss1, ss1h;
  uint32_t sp2;
  uint16_t ss2, ss2h;
  uint32_t cr3;
  uint32_t ip;
  uint32_t flags;
  uint32_t ax;
  uint32_t cx;
  uint32_t dx;
  uint32_t bx;
  uint32_t sp;
  uint32_t bp;
  uint32_t si;
  uint32_t di;
  uint16_t es, esh;
  uint16_t cs, csh;
  uint16_t ss, ssh;
  uint16_t ds, dsh;
  uint16_t fs, fsh;
  uint16_t gs, gsh;
  uint16_t ldt, ldth;
  uint16_t trace;
  uint16_t io_bitmap;
} __attribute__((packed));

// In-memory image of a 64-bit task-state segment: three privilege-level stack
// pointers and seven interrupt-stack-table entries.
// NOTE(review): as declared this is 108 bytes. The architectural 64-bit TSS is
// 104 bytes and ends with a 16-bit reserved field followed by a 16-bit I/O map
// base, whereas reserved3 and io_bitmap here are 32 bits each, which puts
// io_bitmap at offset 104 instead of 102. Confirm whether that is intentional
// before relying on io_bitmap.
struct tss64 {
  uint32_t reserved0;
  uint64_t rsp[3];
  uint64_t reserved1;
  uint64_t ist[7];
  uint64_t reserved2;
  uint32_t reserved3;
  uint32_t io_bitmap;
} __attribute__((packed));

// Encodes `seg` as an 8-byte x86 segment descriptor and stores it in both
// tables `dt` and `lt` at index selector >> 3.
//
// With the granularity bit set, the limit is converted to 4 KiB units first.
// Both stores go through NONFAILING(), so a table pointer that does not map to
// writable memory is skipped instead of crashing the harness; the index is not
// range-checked against the table size.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt,
                                    struct kvm_segment* seg)
{
  uint16_t index = seg->selector >> 3;
  uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
  // NOTE(review): two terms below always evaluate to 0 because the masked
  // bits are shifted past bit 63:
  //   (limit & 0xf0000ULL) << 48        - limit bits 16..19
  //   (seg->base & 0xff000000ULL) << 56 - base bits 24..31
  // The descriptor format places those fields at bits 48..51 and 56..63, which
  // would need a shift of 32 in both cases. As written, descriptors never
  // carry the upper limit or base bits. Left unchanged because a fix would
  // alter the guest state this reproducer sets up.
  uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 |
                (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 |
                (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 |
                (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 |
                (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 |
                (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
  NONFAILING(dt[index] = sd);
  NONFAILING(lt[index] = sd);
}

// Writes a 16-byte descriptor: the 8-byte encoding produced by
// fill_segment_descriptor() at index selector >> 3, followed by an all-zero
// upper half in the next slot, in both tables. The stores are fault-tolerant
// (NONFAILING) and not range-checked.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt,
                                          struct kvm_segment* seg)
{
  const uint16_t low_slot = seg->selector >> 3;
  fill_segment_descriptor(dt, lt, seg);
  NONFAILING(dt[low_slot + 1] = 0);
  NONFAILING(lt[low_slot + 1] = 0);
}

// Programs the fast-system-call MSRs of the vCPU `cpufd` with one
// KVM_SET_MSRS call:
//   SYSENTER_CS  = sel_cs
//   SYSENTER_ESP = ADDR_STACK0
//   SYSENTER_EIP = ADDR_VAR_SYSEXIT
//   STAR         = sel_cs in bits 32..47, sel_cs_cpl3 in bits 48..63
//   LSTAR        = ADDR_VAR_SYSRET
// The ioctl result is ignored (best effort).
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
  enum { kMsrCount = 5 };
  const struct {
    uint32_t index;
    uint64_t data;
  } wanted[kMsrCount] = {
      {MSR_IA32_SYSENTER_CS, sel_cs},
      {MSR_IA32_SYSENTER_ESP, ADDR_STACK0},
      {MSR_IA32_SYSENTER_EIP, ADDR_VAR_SYSEXIT},
      {MSR_IA32_STAR,
       ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48)},
      {MSR_IA32_LSTAR, ADDR_VAR_SYSRET},
  };

  // struct kvm_msrs ends in a flexible array, so header and entries share one
  // zeroed stack buffer.
  char storage[sizeof(struct kvm_msrs) +
               kMsrCount * sizeof(struct kvm_msr_entry)];
  memset(storage, 0, sizeof(storage));
  struct kvm_msrs* list = (struct kvm_msrs*)storage;
  list->nmsrs = kMsrCount;
  for (int k = 0; k < kMsrCount; k++) {
    list->entries[k].index = wanted[k].index;
    list->entries[k].data = wanted[k].data;
  }
  ioctl(cpufd, KVM_SET_MSRS, list);
}

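// Builds a 32-entry IDT for 16/32-bit guests and points sregs->idt at it.
//
// sregs:     vCPU special registers; idt.base and idt.limit are written.
// host_mem:  host mapping of guest memory; the table is written at
//            host_mem + idt.base.
// guest_mem: guest-physical base of that mapping.
//
// Gate kinds rotate with i % 6. For every gate `base` carries the target
// selector and `limit` the handler offset, which is how
// fill_segment_descriptor() is reused to encode gates.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem,
                            uintptr_t guest_mem)
{
  sregs->idt.base = guest_mem + ADDR_VAR_IDT;
  sregs->idt.limit = 0x1ff;
  uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
  int i;
  for (i = 0; i < 32; i++) {
    struct kvm_segment gate;
    // Start from a fully defined gate so no field is read uninitialized.
    memset(&gate, 0, sizeof(gate));
    gate.selector = i << 3;
    switch (i % 6) {
    case 0:
      gate.type = 6;
      gate.base = SEL_CS16;
      break;
    case 1:
      gate.type = 7;
      gate.base = SEL_CS16;
      break;
    case 2:
      gate.type = 3;
      gate.base = SEL_TGATE16;
      break;
    case 3:
      gate.type = 14;
      gate.base = SEL_CS32;
      break;
    case 4:
      gate.type = 15;
      gate.base = SEL_CS32;
      break;
    case 5:
      // i % 6 only yields 0..5. This arm used to be labelled 6, which made it
      // unreachable and left type/base unset for every sixth gate.
      gate.type = 11;
      gate.base = SEL_TGATE32;
      break;
    }
    gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
    gate.present = 1;
    gate.dpl = 0;
    gate.s = 0;
    gate.g = 0;
    gate.db = 0;
    gate.l = 0;
    gate.avl = 0;
    fill_segment_descriptor(idt, idt, &gate);
  }
}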

// Builds a 32-entry long-mode IDT (16 bytes per gate) and points sregs->idt
// at it.
//
// sregs:     vCPU special registers; idt.base and idt.limit are written.
// host_mem:  host mapping of guest memory; the table is written at
//            host_mem + idt.base.
// guest_mem: guest-physical base of that mapping.
//
// Odd vectors get type 14, even vectors type 15; every gate targets SEL_CS64
// with the handler offset stored in `limit`.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem,
                            uintptr_t guest_mem)
{
  sregs->idt.base = guest_mem + ADDR_VAR_IDT;
  sregs->idt.limit = 0x1ff;
  uint64_t* table = (uint64_t*)(host_mem + sregs->idt.base);
  int vec;
  for (vec = 0; vec < 32; vec++) {
    struct kvm_segment gate;
    // Each gate spans two 8-byte slots, hence the doubled index.
    gate.selector = (vec * 2) << 3;
    if (vec & 1)
      gate.type = 14;
    else
      gate.type = 15;
    gate.base = SEL_CS64;
    gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
    gate.present = 1;
    gate.dpl = 0;
    gate.s = 0;
    gate.g = 0;
    gate.db = 0;
    gate.l = 0;
    gate.avl = 0;
    fill_segment_descriptor_dword(table, table, &gate);
  }
}

// One guest code blob handed to syz_kvm_setup_cpu through its a3 argument.
// Only element 0 of the array is read there.
struct kvm_text {
  uintptr_t typ;    // compared against 8, 16 and 32; any other value takes the long-mode path
  const void* text; // bytes copied into guest memory
  uintptr_t size;   // byte count; clamped to 1000 before copying
};

// One optional tweak handed to syz_kvm_setup_cpu through its a6 argument.
// At most two entries are consumed.
struct kvm_opt {
  uint64_t typ; // typ % 9 selects which piece of CPU state is modified
  uint64_t val; // masked and then XORed/stored into the selected state
};

// Bits of the `flags` argument (a5) of syz_kvm_setup_cpu. Which bits are
// honoured depends on the text type; KVM_SETUP_PAE is not tested anywhere in
// syz_kvm_setup_cpu.
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)
// Prepares a KVM vCPU to run a small guest code blob: registers guest memory,
// builds GDT/LDT/IDT/TSS and page tables inside host_mem, copies the code in,
// and loads the resulting sregs/regs into the vCPU.
//
// a0: VM fd                a1: vCPU fd
// a2: host address backing guest memory (host_mem)
// a3: struct kvm_text array (only element 0 is read)   a4: its count (unused)
// a5: KVM_SETUP_* flags
// a6: struct kvm_opt array                             a7: its count (max 2)
//
// Returns 0 on success and -1 (converted to uintptr_t) when KVM_GET_SREGS,
// KVM_SET_SREGS or KVM_SET_REGS fails. Every other ioctl result is ignored.
//
// All arguments come from the fuzzer-generated program, so the pointers may
// be invalid. Accesses through them are wrapped in NONFAILING (defined
// earlier in the file; presumably it lets a faulting access be skipped via
// the SIGSEGV handler - confirm). Offsets added to host_mem are not
// bounds-checked against the size of the mapping.
static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2,
                                   uintptr_t a3, uintptr_t a4, uintptr_t a5,
                                   uintptr_t a6, uintptr_t a7)
{
  const int vmfd = a0;
  const int cpufd = a1;
  char* const host_mem = (char*)a2;
  const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
  const uintptr_t text_count = a4;
  const uintptr_t flags = a5;
  const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
  uintptr_t opt_count = a7;
  const uintptr_t page_size = 4 << 10;
  const uintptr_t ioapic_page = 10;
  const uintptr_t guest_mem_size = 24 * page_size;
  const uintptr_t guest_mem = 0;
  (void)text_count;
  // Defaults survive if the reads below fault (e.g. a3 == 0): text_type 0
  // then selects the final, long-mode branch further down.
  int text_type = 0;
  const void* text = 0;
  uintptr_t text_size = 0;
  NONFAILING(text_type = text_array_ptr[0].typ);
  NONFAILING(text = text_array_ptr[0].text);
  NONFAILING(text_size = text_array_ptr[0].size);
  uintptr_t i;
  // One memory slot per 4 KiB page, 24 pages in total; page 10 is placed at
  // guest-physical 0xfec00000 instead of its linear position.
  for (i = 0; i < guest_mem_size / page_size; i++) {
    struct kvm_userspace_memory_region memreg;
    memreg.slot = i;
    memreg.flags = 0;
    memreg.guest_phys_addr = guest_mem + i * page_size;
    if (i == ioapic_page)
      memreg.guest_phys_addr = 0xfec00000;
    memreg.memory_size = page_size;
    memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
    ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
  }
  // Extra 64 KiB region at guest-physical 0x30000, backed by the start of
  // host_mem. NOTE(review): bit 16 of the slot number presumably selects a
  // second address space (SMM) - confirm against the KVM API documentation.
  struct kvm_userspace_memory_region memreg;
  memreg.slot = 1 + (1 << 16);
  memreg.flags = 0;
  memreg.guest_phys_addr = 0x30000;
  memreg.memory_size = 64 << 10;
  memreg.userspace_addr = (uintptr_t)host_mem;
  ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
  // Start from the vCPU's current special registers and modify them in place.
  struct kvm_sregs sregs;
  if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
    return -1;
  struct kvm_regs regs;
  memset(&regs, 0, sizeof(regs));
  regs.rip = guest_mem + ADDR_TEXT;
  regs.rsp = ADDR_STACK0;
  // GDT and LDT both hold 256 eight-byte descriptors.
  sregs.gdt.base = guest_mem + ADDR_GDT;
  sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
  uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
  // NOTE(review): .avl is never assigned for seg_ldt, seg_cs16 (and the
  // segments copied from it) or seg_tss32, yet fill_segment_descriptor()
  // reads seg->avl - the AVL bit of those descriptors is indeterminate.
  struct kvm_segment seg_ldt;
  seg_ldt.selector = SEL_LDT;
  seg_ldt.type = 2;
  seg_ldt.base = guest_mem + ADDR_LDT;
  seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
  seg_ldt.present = 1;
  seg_ldt.dpl = 0;
  seg_ldt.s = 0;
  seg_ldt.g = 0;
  seg_ldt.db = 1;
  seg_ldt.l = 0;
  sregs.ldt = seg_ldt;
  uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
  // Code/data segment templates. The 16-bit ring-0 code segment is the base
  // template; the others are copies with selector, type, dpl, db or l changed.
  struct kvm_segment seg_cs16;
  seg_cs16.selector = SEL_CS16;
  seg_cs16.type = 11;
  seg_cs16.base = 0;
  seg_cs16.limit = 0xfffff;
  seg_cs16.present = 1;
  seg_cs16.dpl = 0;
  seg_cs16.s = 1;
  seg_cs16.g = 0;
  seg_cs16.db = 0;
  seg_cs16.l = 0;
  struct kvm_segment seg_ds16 = seg_cs16;
  seg_ds16.selector = SEL_DS16;
  seg_ds16.type = 3;
  struct kvm_segment seg_cs16_cpl3 = seg_cs16;
  seg_cs16_cpl3.selector = SEL_CS16_CPL3;
  seg_cs16_cpl3.dpl = 3;
  struct kvm_segment seg_ds16_cpl3 = seg_ds16;
  seg_ds16_cpl3.selector = SEL_DS16_CPL3;
  seg_ds16_cpl3.dpl = 3;
  struct kvm_segment seg_cs32 = seg_cs16;
  seg_cs32.selector = SEL_CS32;
  seg_cs32.db = 1;
  struct kvm_segment seg_ds32 = seg_ds16;
  seg_ds32.selector = SEL_DS32;
  seg_ds32.db = 1;
  struct kvm_segment seg_cs32_cpl3 = seg_cs32;
  seg_cs32_cpl3.selector = SEL_CS32_CPL3;
  seg_cs32_cpl3.dpl = 3;
  struct kvm_segment seg_ds32_cpl3 = seg_ds32;
  seg_ds32_cpl3.selector = SEL_DS32_CPL3;
  seg_ds32_cpl3.dpl = 3;
  struct kvm_segment seg_cs64 = seg_cs16;
  seg_cs64.selector = SEL_CS64;
  seg_cs64.l = 1;
  struct kvm_segment seg_ds64 = seg_ds32;
  seg_ds64.selector = SEL_DS64;
  struct kvm_segment seg_cs64_cpl3 = seg_cs64;
  seg_cs64_cpl3.selector = SEL_CS64_CPL3;
  seg_cs64_cpl3.dpl = 3;
  struct kvm_segment seg_ds64_cpl3 = seg_ds64;
  seg_ds64_cpl3.selector = SEL_DS64_CPL3;
  seg_ds64_cpl3.dpl = 3;
  // TSS descriptors; seg_tss32 is the template for the other variants.
  struct kvm_segment seg_tss32;
  seg_tss32.selector = SEL_TSS32;
  seg_tss32.type = 9;
  seg_tss32.base = ADDR_VAR_TSS32;
  seg_tss32.limit = 0x1ff;
  seg_tss32.present = 1;
  seg_tss32.dpl = 0;
  seg_tss32.s = 0;
  seg_tss32.g = 0;
  seg_tss32.db = 0;
  seg_tss32.l = 0;
  struct kvm_segment seg_tss32_2 = seg_tss32;
  seg_tss32_2.selector = SEL_TSS32_2;
  seg_tss32_2.base = ADDR_VAR_TSS32_2;
  struct kvm_segment seg_tss32_cpl3 = seg_tss32;
  seg_tss32_cpl3.selector = SEL_TSS32_CPL3;
  seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3;
  struct kvm_segment seg_tss32_vm86 = seg_tss32;
  seg_tss32_vm86.selector = SEL_TSS32_VM86;
  seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86;
  struct kvm_segment seg_tss16 = seg_tss32;
  seg_tss16.selector = SEL_TSS16;
  seg_tss16.base = ADDR_VAR_TSS16;
  seg_tss16.limit = 0xff;
  seg_tss16.type = 1;
  struct kvm_segment seg_tss16_2 = seg_tss16;
  seg_tss16_2.selector = SEL_TSS16_2;
  seg_tss16_2.base = ADDR_VAR_TSS16_2;
  seg_tss16_2.dpl = 0;
  struct kvm_segment seg_tss16_cpl3 = seg_tss16;
  seg_tss16_cpl3.selector = SEL_TSS16_CPL3;
  seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3;
  seg_tss16_cpl3.dpl = 3;
  struct kvm_segment seg_tss64 = seg_tss32;
  seg_tss64.selector = SEL_TSS64;
  seg_tss64.base = ADDR_VAR_TSS64;
  seg_tss64.limit = 0x1ff;
  struct kvm_segment seg_tss64_cpl3 = seg_tss64;
  seg_tss64_cpl3.selector = SEL_TSS64_CPL3;
  seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3;
  seg_tss64_cpl3.dpl = 3;
  // Call and task gates. As in the IDT helpers, `base` carries the target
  // selector and `limit` the target offset.
  struct kvm_segment seg_cgate16;
  seg_cgate16.selector = SEL_CGATE16;
  seg_cgate16.type = 4;
  seg_cgate16.base = SEL_CS16 | (2 << 16);
  seg_cgate16.limit = ADDR_VAR_USER_CODE2;
  seg_cgate16.present = 1;
  seg_cgate16.dpl = 0;
  seg_cgate16.s = 0;
  seg_cgate16.g = 0;
  seg_cgate16.db = 0;
  seg_cgate16.l = 0;
  seg_cgate16.avl = 0;
  struct kvm_segment seg_tgate16 = seg_cgate16;
  seg_tgate16.selector = SEL_TGATE16;
  seg_tgate16.type = 3;
  // NOTE(review): this assigns seg_cgate16.base, not seg_tgate16.base, so
  // seg_tgate16 keeps the call-gate base copied above and seg_cgate16 now
  // points at SEL_TSS16_2. Looks like a typo for seg_tgate16 - confirm against
  // upstream before relying on these gates.
  seg_cgate16.base = SEL_TSS16_2;
  seg_tgate16.limit = 0;
  struct kvm_segment seg_cgate32 = seg_cgate16;
  seg_cgate32.selector = SEL_CGATE32;
  seg_cgate32.type = 12;
  seg_cgate32.base = SEL_CS32 | (2 << 16);
  struct kvm_segment seg_tgate32 = seg_cgate32;
  seg_tgate32.selector = SEL_TGATE32;
  seg_tgate32.type = 11;
  seg_tgate32.base = SEL_TSS32_2;
  seg_tgate32.limit = 0;
  struct kvm_segment seg_cgate64 = seg_cgate16;
  seg_cgate64.selector = SEL_CGATE64;
  seg_cgate64.type = 12;
  seg_cgate64.base = SEL_CS64;
  // Copy the host's supported CPUID leaves (up to 128 entries) to the vCPU.
  // The open() result is not checked; a failed open makes the first ioctl
  // fail and the zeroed buffer is passed on unchanged.
  int kvmfd = open("/dev/kvm", O_RDWR);
  char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
  memset(buf, 0, sizeof(buf));
  struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
  cpuid->nent = 128;
  ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
  ioctl(cpufd, KVM_SET_CPUID2, cpuid);
  close(kvmfd);
  // Select the CPU mode from text_type and flags. text_prefix, when set, is
  // a canned code stub placed in front of the user text.
  const char* text_prefix = 0;
  int text_prefix_size = 0;
  char* host_text = host_mem + ADDR_TEXT;
  if (text_type == 8) {
    if (flags & KVM_SETUP_SMM) {
      if (flags & KVM_SETUP_PROTECTED) {
        sregs.cs = seg_cs16;
        sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
        sregs.cr0 |= CR0_PE;
      } else {
        sregs.cs.selector = 0;
        sregs.cs.base = 0;
      }
      // Put a single HLT (0xf4) at the normal entry point, move the user text
      // to offset 0x8000 and inject an SMI.
      NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4);
      host_text = host_mem + 0x8000;
      ioctl(cpufd, KVM_SMI, 0);
    } else if (flags & KVM_SETUP_VIRT86) {
      sregs.cs = seg_cs32;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
      sregs.cr0 |= CR0_PE;
      sregs.efer |= EFER_SCE;
      setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3);
      setup_32bit_idt(&sregs, host_mem, guest_mem);
      if (flags & KVM_SETUP_PAGING) {
        // Single page-directory entry with the PS (large page) bit.
        uint64_t pd_addr = guest_mem + ADDR_PD;
        uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
        NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS);
        sregs.cr3 = pd_addr;
        sregs.cr4 |= CR4_PSE;
        text_prefix = kvm_asm32_paged_vm86;
        text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
      } else {
        text_prefix = kvm_asm32_vm86;
        text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
      }
    } else {
      sregs.cs.selector = 0;
      sregs.cs.base = 0;
    }
  } else if (text_type == 16) {
    if (flags & KVM_SETUP_CPL3) {
      sregs.cs = seg_cs16;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
      text_prefix = kvm_asm16_cpl3;
      text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
    } else {
      sregs.cr0 |= CR0_PE;
      sregs.cs = seg_cs16;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
    }
  } else if (text_type == 32) {
    sregs.cr0 |= CR0_PE;
    sregs.efer |= EFER_SCE;
    setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3);
    setup_32bit_idt(&sregs, host_mem, guest_mem);
    if (flags & KVM_SETUP_SMM) {
      sregs.cs = seg_cs32;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
      NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4);
      host_text = host_mem + 0x8000;
      ioctl(cpufd, KVM_SMI, 0);
    } else if (flags & KVM_SETUP_PAGING) {
      sregs.cs = seg_cs32;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
      uint64_t pd_addr = guest_mem + ADDR_PD;
      uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
      NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS);
      sregs.cr3 = pd_addr;
      sregs.cr4 |= CR4_PSE;
      text_prefix = kvm_asm32_paged;
      text_prefix_size = sizeof(kvm_asm32_paged) - 1;
    } else if (flags & KVM_SETUP_CPL3) {
      sregs.cs = seg_cs32_cpl3;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
    } else {
      sregs.cs = seg_cs32;
      sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
    }
  } else {
    // Any other text_type (including the default 0): long-mode setup. The
    // vCPU starts in 32-bit protected mode with EFER.LME set and a
    // PML4 -> PDPT -> PD chain in place; the selected prefix stub runs first.
    sregs.efer |= EFER_LME | EFER_SCE;
    sregs.cr0 |= CR0_PE;
    setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3);
    setup_64bit_idt(&sregs, host_mem, guest_mem);
    sregs.cs = seg_cs32;
    sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
    uint64_t pml4_addr = guest_mem + ADDR_PML4;
    uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4);
    uint64_t pdpt_addr = guest_mem + ADDR_PDP;
    uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP);
    uint64_t pd_addr = guest_mem + ADDR_PD;
    uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
    NONFAILING(pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr);
    NONFAILING(pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr);
    NONFAILING(pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS);
    sregs.cr3 = pml4_addr;
    sregs.cr4 |= CR4_PAE;
    if (flags & KVM_SETUP_VM) {
      // Nested-virtualization variant: store the VMXON/VMCS/VM-exit pointers
      // and the VM-exit stub where the init stub expects them.
      sregs.cr0 |= CR0_NE;
      NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) =
                     ADDR_VAR_VMXON);
      NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS);
      NONFAILING(memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit,
                        sizeof(kvm_asm64_vm_exit) - 1));
      NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) =
                     ADDR_VAR_VMEXIT_CODE);
      text_prefix = kvm_asm64_init_vm;
      text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
    } else if (flags & KVM_SETUP_CPL3) {
      text_prefix = kvm_asm64_cpl3;
      text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
    } else {
      text_prefix = kvm_asm64_enable_long;
      text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
    }
  }
  // Write the TSS images into guest memory. Each local struct is filled,
  // copied out, then reused for the next variant.
  struct tss16 tss16;
  memset(&tss16, 0, sizeof(tss16));
  tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16;
  tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0;
  tss16.ip = ADDR_VAR_USER_CODE2;
  tss16.flags = (1 << 1);
  tss16.cs = SEL_CS16;
  tss16.es = tss16.ds = tss16.ss = SEL_DS16;
  tss16.ldt = SEL_LDT;
  struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
  NONFAILING(memcpy(tss16_addr, &tss16, sizeof(tss16)));
  memset(&tss16, 0, sizeof(tss16));
  tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16;
  tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0;
  tss16.ip = ADDR_VAR_USER_CODE2;
  tss16.flags = (1 << 1);
  tss16.cs = SEL_CS16_CPL3;
  tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3;
  tss16.ldt = SEL_LDT;
  struct tss16* tss16_cpl3_addr =
      (struct tss16*)(host_mem + seg_tss16_cpl3.base);
  NONFAILING(memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)));
  // 32-bit TSS for the vm86 task: flags has bit 17 set in addition to bit 1.
  struct tss32 tss32;
  memset(&tss32, 0, sizeof(tss32));
  tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32;
  tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0;
  tss32.ip = ADDR_VAR_USER_CODE;
  tss32.flags = (1 << 1) | (1 << 17);
  tss32.ldt = SEL_LDT;
  tss32.cr3 = sregs.cr3;
  tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
  struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
  NONFAILING(memcpy(tss32_addr, &tss32, sizeof(tss32)));
  memset(&tss32, 0, sizeof(tss32));
  tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32;
  tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0;
  tss32.ip = ADDR_VAR_USER_CODE;
  tss32.flags = (1 << 1);
  tss32.cr3 = sregs.cr3;
  tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32;
  tss32.cs = SEL_CS32;
  tss32.ldt = SEL_LDT;
  tss32.cr3 = sregs.cr3;
  tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
  // NOTE(review): despite the name, this pointer targets seg_tss32_2.base,
  // not seg_tss32_cpl3.base, and the image uses ring-0 selectors.
  struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
  NONFAILING(memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)));
  struct tss64 tss64;
  memset(&tss64, 0, sizeof(tss64));
  tss64.rsp[0] = ADDR_STACK0;
  tss64.rsp[1] = ADDR_STACK0;
  tss64.rsp[2] = ADDR_STACK0;
  tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
  struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
  NONFAILING(memcpy(tss64_addr, &tss64, sizeof(tss64)));
  memset(&tss64, 0, sizeof(tss64));
  tss64.rsp[0] = ADDR_STACK0;
  tss64.rsp[1] = ADDR_STACK0;
  tss64.rsp[2] = ADDR_STACK0;
  tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
  struct tss64* tss64_cpl3_addr =
      (struct tss64*)(host_mem + seg_tss64_cpl3.base);
  NONFAILING(memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)));
  // Bound the caller-controlled copy length before any memcpy uses it.
  if (text_size > 1000)
    text_size = 1000;
  if (text_prefix) {
    NONFAILING(memcpy(host_text, text_prefix, text_prefix_size));
    // Patch placeholders inside the copied prefix: the 4-byte marker
    // de c0 ad 0b becomes the guest address 6 bytes past the marker, and the
    // 16-bit PREFIX_SIZE marker becomes the guest address of the user text.
    void* patch = 0;
    NONFAILING(patch =
                   memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4));
    if (patch)
      NONFAILING(*((uint32_t*)patch) =
                     guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6);
    uint16_t magic = PREFIX_SIZE;
    patch = 0;
    NONFAILING(patch =
                   memmem(host_text, text_prefix_size, &magic, sizeof(magic)));
    if (patch)
      NONFAILING(*((uint16_t*)patch) =
                     guest_mem + ADDR_TEXT + text_prefix_size);
  }
  // User text goes right after the prefix and again at ADDR_VAR_USER_CODE,
  // each copy followed by HLT (0xf4). The SYSRET/SYSEXIT landing pads hold
  // the respective instruction followed by HLT.
  NONFAILING(memcpy((void*)(host_text + text_prefix_size), text, text_size));
  NONFAILING(*(host_text + text_prefix_size + text_size) = 0xf4);
  NONFAILING(memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size));
  NONFAILING(*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4);
  NONFAILING(*(host_mem + ADDR_VAR_HLT) = 0xf4);
  NONFAILING(memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3));
  NONFAILING(memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3));
  NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0);
  NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0);
  // Apply at most two caller-supplied tweaks. Each value is masked to a fixed
  // set of bits before it is XORed in, so only listed bits can be flipped.
  if (opt_count > 2)
    opt_count = 2;
  for (i = 0; i < opt_count; i++) {
    uint64_t typ = 0;
    uint64_t val = 0;
    NONFAILING(typ = opt_array_ptr[i].typ);
    NONFAILING(val = opt_array_ptr[i].val);
    switch (typ % 9) {
    case 0:
      sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM |
                          CR0_NW | CR0_CD);
      break;
    case 1:
      sregs.cr4 ^=
          val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE |
                 CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE |
                 CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP |
                 CR4_SMAP | CR4_PKE);
      break;
    case 2:
      sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE |
                           EFER_FFXSR | EFER_TCE);
      break;
    case 3:
      // RFLAGS bits 8-10, 12-15 and 18-21; also mirrored into the TSS images
      // already written to guest memory.
      val &=
          ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) |
           (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
      regs.rflags ^= val;
      NONFAILING(tss16_addr->flags ^= val);
      NONFAILING(tss16_cpl3_addr->flags ^= val);
      NONFAILING(tss32_addr->flags ^= val);
      NONFAILING(tss32_cpl3_addr->flags ^= val);
      break;
    case 4:
      seg_cs16.type = val & 0xf;
      seg_cs32.type = val & 0xf;
      seg_cs64.type = val & 0xf;
      break;
    case 5:
      seg_cs16_cpl3.type = val & 0xf;
      seg_cs32_cpl3.type = val & 0xf;
      seg_cs64_cpl3.type = val & 0xf;
      break;
    case 6:
      seg_ds16.type = val & 0xf;
      seg_ds32.type = val & 0xf;
      seg_ds64.type = val & 0xf;
      break;
    case 7:
      seg_ds16_cpl3.type = val & 0xf;
      seg_ds32_cpl3.type = val & 0xf;
      seg_ds64_cpl3.type = val & 0xf;
      break;
    case 8:
      NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) =
                     (val & 0xffff));
      NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16));
      break;
    default:
      // Not reachable: typ % 9 is always 0..8.
      exit(1);
    }
  }
  regs.rflags |= 2;
  // Emit every descriptor into both the GDT and the LDT. This happens after
  // the option loop so type overrides from cases 4-7 are reflected in the
  // tables; sregs.cs/ds and friends were copied earlier and are not updated.
  fill_segment_descriptor(gdt, ldt, &seg_ldt);
  fill_segment_descriptor(gdt, ldt, &seg_cs16);
  fill_segment_descriptor(gdt, ldt, &seg_ds16);
  fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_cs32);
  fill_segment_descriptor(gdt, ldt, &seg_ds32);
  fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_cs64);
  fill_segment_descriptor(gdt, ldt, &seg_ds64);
  fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_tss32);
  fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
  fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
  fill_segment_descriptor(gdt, ldt, &seg_tss16);
  fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
  fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
  fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
  fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_cgate16);
  fill_segment_descriptor(gdt, ldt, &seg_tgate16);
  fill_segment_descriptor(gdt, ldt, &seg_cgate32);
  fill_segment_descriptor(gdt, ldt, &seg_tgate32);
  fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
  // Load the assembled state into the vCPU; these two results are checked.
  if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
    return -1;
  if (ioctl(cpufd, KVM_SET_REGS, &regs))
    return -1;
  return 0;
}

// Mounts fusectl at /sys/fs/fuse/connections. Best effort: the result is
// deliberately discarded.
static void setup_common()
{
  const int rc = mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0);
  (void)rc;
}

static void loop();

// Confines the test process before any fuzzed syscall runs: it dies with its
// parent, gets its own process group and session, has resource limits
// applied, is moved into fresh namespaces, and has the SysV IPC sysctls set
// to fixed values. Every step is best effort; failures are ignored.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  setsid();

  // Hard and soft limit are set to the same value, in this order.
  static const struct {
    int resource;
    rlim_t value;
  } limits[] = {
      {RLIMIT_AS, (200 << 20)}, {RLIMIT_MEMLOCK, 32 << 20},
      {RLIMIT_FSIZE, 136 << 20}, {RLIMIT_STACK, 1 << 20},
      {RLIMIT_CORE, 0},          {RLIMIT_NOFILE, 256},
  };
  unsigned n;
  for (n = 0; n < sizeof(limits) / sizeof(limits[0]); n++) {
    struct rlimit rlim;
    rlim.rlim_cur = rlim.rlim_max = limits[n].value;
    setrlimit(limits[n].resource, &rlim);
  }

  // 0x02000000 is passed as a raw flag value, exactly as in the generated
  // code.
  static const int unshare_flags[] = {
      CLONE_NEWNS, CLONE_NEWIPC, 0x02000000, CLONE_NEWUTS, CLONE_SYSVSEM,
  };
  for (n = 0; n < sizeof(unshare_flags) / sizeof(unshare_flags[0]); n++) {
    if (unshare(unshare_flags[n])) {
    }
  }

  static const struct {
    const char* path;
    const char* setting;
  } ipc_sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  for (n = 0; n < sizeof(ipc_sysctls) / sizeof(ipc_sysctls[0]); n++)
    write_file(ipc_sysctls[n].path, ipc_sysctls[n].setting);
}

// Reaps children until `pid` itself has been collected and returns its exit
// status. A negative pid (failed fork) terminates the process with status 1.
//
// NOTE(review): a waitpid() error return (-1) never equals a non-negative
// pid, so the loop simply retries; it does not give up if the child cannot be
// waited for.
int wait_for_loop(int pid)
{
  int wstatus = 0;
  if (pid < 0)
    exit(1);
  for (;;) {
    // __WALL: wait for children of any type, including clone()d ones.
    if (waitpid(-1, &wstatus, __WALL) == pid)
      break;
  }
  return WEXITSTATUS(wstatus);
}

// Runs the test loop in a forked child that has been moved into fresh PID and
// network namespaces and confined by sandbox_common().
//
// Returns, in the parent, the child's exit status as reported by
// wait_for_loop(). The child never returns: it exits with status 1 after
// loop() finishes.
static int do_sandbox_none(void)
{
  // Best effort; the new PID namespace applies to the child forked below.
  if (unshare(CLONE_NEWPID)) {
  }
  const int child = fork();
  if (child == 0) {
    setup_common();
    sandbox_common();
    initialize_netdevices_init();
    // Network devices are initialised once before and once after entering the
    // new network namespace.
    if (unshare(CLONE_NEWNET)) {
    }
    initialize_tun();
    initialize_netdevices();
    loop();
    exit(1);
  }
  // Parent, or fork failure (child < 0, which wait_for_loop turns into exit).
  return wait_for_loop(child);
}

// Per-worker state shared between loop() (the dispatcher) and thr() (the
// worker thread).
struct thread_t {
  int created, call;   // created: worker thread started; call: index passed to execute_call
  event_t ready, done; // ready: dispatcher -> worker; done: worker -> dispatcher
};

// Fixed pool of 16 worker slots; threads are started lazily by loop().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of dispatched calls that have not finished yet; updated with relaxed
// atomics by loop() and thr().
static int running;

// Worker thread body: waits for its `ready` event, runs the assigned call,
// decrements `running` and signals `done`, forever.
//
// arg: the struct thread_t slot owned by this worker.
static void* thr(void* arg)
{
  struct thread_t* const self = (struct thread_t*)arg;
  while (1) {
    event_wait(&self->ready);
    event_reset(&self->ready);
    execute_call(self->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&self->done);
  }
  return 0;
}

// Dispatches calls 0..5 to worker threads, twice. In the first pass each call
// is waited for (up to 45 ms) before the next one is issued. In the second
// ("collide") pass even-numbered calls are not waited for, so they can
// overlap with the call that follows.
static void loop(void)
{
  const int nthreads = (int)(sizeof(threads) / sizeof(threads[0]));
  int pass;
  for (pass = 0; pass < 2; pass++) {
    const int collide = pass;
    int call;
    for (call = 0; call < 6; call++) {
      int slot;
      // Hand the call to the first worker that is idle.
      for (slot = 0; slot < nthreads; slot++) {
        struct thread_t* th = &threads[slot];
        if (!th->created) {
          // Lazily start the worker; `done` starts out set so it is idle.
          th->created = 1;
          event_init(&th->ready);
          event_init(&th->done);
          event_set(&th->done);
          thread_start(thr, th);
        }
        if (!event_isset(&th->done))
          continue;
        event_reset(&th->done);
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->ready);
        if (!collide || (call % 2) != 0)
          event_timedwait(&th->done, 45);
        break;
      }
    }
    // Give outstanding calls up to ~100 ms to drain before the next pass.
    int spins;
    for (spins = 0;
         spins < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); spins++)
      sleep_ms(1);
  }
}

// Results carried between calls in execute_call: r[0] is the fd from opening
// /dev/kvm, r[1] the result of ioctl 0xae01 on r[0], r[2] the result of ioctl
// 0xae41 on r[1]. All-ones means "not produced yet".
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
  long res;
  switch (call) {
  case 0:
    NONFAILING(memcpy((void*)0x20000040, "/dev/kvm\000", 9));
    res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
    if (res != -1)
      r[0] = res;
    break;
  case 1:
    res = syscall(__NR_ioctl, r[0], 0xae01, 0);
    if (res != -1)
      r[1] = res;
    break;
  case 2:
    res = syscall(__NR_ioctl, r[1], 0xae41, 0);
    if (res != -1)
      r[2] = res;
    break;
  case 3:
    syz_kvm_setup_cpu(-1, r[2], 0x20fe8000, 0, 0, 0, 0, 0);
    break;
  case 4:
    NONFAILING(*(uint16_t*)0x20008400 = 0);
    NONFAILING(*(uint16_t*)0x20008402 = 0);
    NONFAILING(*(uint32_t*)0x20008404 = 0x2409);
    NONFAILING(*(uint64_t*)0x20008408 = 0);
    NONFAILING(*(uint64_t*)0x20008410 = 0x2000000);
    NONFAILING(*(uint16_t*)0x20008418 = 0);
    NONFAILING(*(uint8_t*)0x20008420 = 0);
    NONFAILING(*(uint8_t*)0x20008421 = 0);
    NONFAILING(*(uint8_t*)0x20008422 = 0);
    NONFAILING(*(uint8_t*)0x20008423 = 0);
    NONFAILING(*(uint8_t*)0x20008424 = 0);
    NONFAILING(*(uint8_t*)0x20008425 = 0);
    NONFAILING(*(uint8_t*)0x20008426 = 0);
    NONFAILING(*(uint8_t*)0x20008427 = 0);
    NONFAILING(*(uint8_t*)0x20008428 = 0);
    NONFAILING(*(uint8_t*)0x20008429 = 0);
    NONFAILING(*(uint8_t*)0x2000842a = 0);
    NONFAILING(*(uint8_t*)0x2000842b = 0);
    NONFAILING(*(uint8_t*)0x2000842c = 0);
    NONFAILING(*(uint8_t*)0x2000842d = 0);
    NONFAILING(*(uint8_t*)0x2000842e = 0);
    NONFAILING(*(uint8_t*)0x2000842f = 0);
    NONFAILING(*(uint8_t*)0x20008430 = 0);
    NONFAILING(*(uint8_t*)0x20008431 = 0);
    NONFAILING(*(uint8_t*)0x20008432 = 0);
    NONFAILING(*(uint8_t*)0x20008433 = 0);
    NONFAILING(*(uint8_t*)0x20008434 = 0);
    NONFAILING(*(uint8_t*)0x20008435 = 0);
    NONFAILING(*(uint8_t*)0x20008436 = 0);
    NONFAILING(*(uint8_t*)0x20008437 = 0);
    NONFAILING(*(uint8_t*)0x20008438 = 0);
    NONFAILING(*(uint8_t*)0x20008439 = 0);
    NONFAILING(*(uint8_t*)0x2000843a = 0);
    NONFAILING(*(uint8_t*)0x2000843b = 0);
    NONFAILING(*(uint8_t*)0x2000843c = 0);
    NONFAILING(*(uint8_t*)0x2000843d = 0);
    NONFAILING(*(uint8_t*)0x2000843e = 0);
    NONFAILING(*(uint8_t*)0x2000843f = 0);
    NONFAILING(*(uint8_t*)0x20008440 = 0);
    NONFAILING(*(uint8_t*)0x20008441 = 0);
    NONFAILING(*(uint8_t*)0x20008442 = 0);
    NONFAILING(*(uint8_t*)0x20008443 = 0);
    NONFAILING(*(uint8_t*)0x20008444 = 0);
    NONFAILING(*(uint8_t*)0x20008445 = 0);
    NONFAILING(*(uint8_t*)0x20008446 = 0);
    NONFAILING(*(uint8_t*)0x20008447 = 0);
    NONFAILING(*(uint8_t*)0x20008448 = 0);
    NONFAILING(*(uint8_t*)0x20008449 = 0);
    NONFAILING(*(uint8_t*)0x2000844a = 0);
    NONFAILING(*(uint8_t*)0x2000844b = 0);
    NONFAILING(*(uint8_t*)0x2000844c = 0);
    NONFAILING(*(uint8_t*)0x2000844d = 0);
    NONFAILING(*(uint8_t*)0x2000844e = 0);
    NONFAILING(*(uint8_t*)0x2000844f = 0);
    NONFAILING(*(uint8_t*)0x20008450 = 0);
    NONFAILING(*(uint8_t*)0x20008451 = 0);
    NONFAILING(*(uint8_t*)0x20008452 = 0);
    NONFAILING(*(uint8_t*)0x20008453 = 0);
    NONFAILING(*(uint8_t*)0x20008454 = 0);
    NONFAILING(*(uint8_t*)0x20008455 = 0);
    NONFAILING(*(uint8_t*)0x20008456 = 0);
    NONFAILING(*(uint8_t*)0x20008457 = 0);
    NONFAILING(*(uint8_t*)0x20008458 = 0);
    NONFAILING(*(uint8_t*)0x20008459 = 0);
    NONFAILING(*(uint8_t*)0x2000845a = 0);
    NONFAILING(*(uint8_t*)0x2000845b = 0);
    NONFAILING(*(uint8_t*)0x2000845c = 0);
    NONFAILING(*(uint8_t*)0x2000845d = 0);
    NONFAILING(*(uint8_t*)0x2000845e = 0);
    NONFAILING(*(uint8_t*)0x2000845f = 0);
    NONFAILING(*(uint8_t*)0x20008460 = 0);
    NONFAILING(*(uint8_t*)0x20008461 = 0);
    NONFAILING(*(uint8_t*)0x20008462 = 0);
    NONFAILING(*(uint8_t*)0x20008463 = 0);
    NONFAILING(*(uint8_t*)0x20008464 = 0);
    NONFAILING(*(uint8_t*)0x20008465 = 0);
    NONFAILING(*(uint8_t*)0x20008466 = 0);
    NONFAILING(*(uint8_t*)0x20008467 = 0);
    NONFAILING(*(uint8_t*)0x20008468 = 0);
    NONFAILING(*(uint8_t*)0x20008469 = 0);
    NONFAILING(*(uint8_t*)0x2000846a = 0);
    NONFAILING(*(uint8_t*)0x2000846b = 0);
    NONFAILING(*(uint8_t*)0x2000846c = 0);
    NONFAILING(*(uint8_t*)0x2000846d = 0);
    NONFAILING(*(uint8_t*)0x2000846e = 0);
    NONFAILING(*(uint8_t*)0x2000846f = 0);
    NONFAILING(*(uint8_t*)0x20008470 = 0);
    NONFAILING(*(uint8_t*)0x20008471 = 0);
    NONFAILING(*(uint8_t*)0x20008472 = 0);
    NONFAILING(*(uint8_t*)0x20008473 = 0);
    NONFAILING(*(uint8_t*)0x20008474 = 0);
    NONFAILING(*(uint8_t*)0x20008475 = 0);
    NONFAILING(*(uint8_t*)0x20008476 = 0);
    NONFAILING(*(uint8_t*)0x20008477 = 0);
    NONFAILING(*(uint8_t*)0x20008478 = 0);
    NONFAILING(*(uint8_t*)0x20008479 = 0);
    NONFAILING(*(uint8_t*)0x2000847a = 0);
    NONFAILING(*(uint8_t*)0x2000847b = 0);
    NONFAILING(*(uint8_t*)0x2000847c = 0);
    NONFAILING(*(uint8_t*)0x2000847d = 0);
    NONFAILING(*(uint8_t*)0x2000847e = 0);
    NONFAILING(*(uint8_t*)0x2000847f = 0);
    NONFAILING(memcpy(
        (void*)0x20008480,
        "\x4b\xa4\x22\x97\xc6\x6f\xd3\x5e\xa9\x7f\x89\x63\xa9\x19\xb0\x0d\xd1"
        "\x08\x99\x16\x3a\xe2\x12\xb4\x68\xc2\xd4\x8d\x07\x5d\x43\x63\x17\x34"
        "\xc9\x3b\x72\xf1\xc7\xc2\xb7\x34\x5c\x8e\xf5\x0a\xde\x2e\x0b\x65\x95"
        "\x31\x30\x07\x3c\x0d\x31\xb9\xc1\xb8\xab\x2f\xb2\xb2\xb6\xa1\xa0\x64"
        "\x50\x88\xdc\x16\xc7\xfa\xc1\x21\x86\xb4\xb6\x35\xb0\xac\x83\x30\x50"
        "\xa3\x58\xb6\x89\x57\xcd\xaf\xb4\xc9\xae\xa5\xbc\x76\x08\x26\x6a\xca"
        "\x2f\xb3\x8e\x57\x67\x36\x91\x02\x18\x67\x1d\x4f\xda\x08\x97\xe1\x8f"
        "\x0c\x70\xec\x97\x37\x75\xe6\xde\xe8\x20\x4f\xb1\x55\x80\x54\x74\x39"
        "\xb7\x75\xc4\x31\x54\x15\x64\x12\xb8\xd7\x5f\x9f\xde\x4c\xcf\x7d\x2b"
        "\xbe\xb2\x8d\x8c\xab\x59\x2b\xe8\x98\x00\x09\xaf\x40\xe3\xdd\x84\xf8"
        "\xb8\xfa\xcd\x6d\xfa\x70\x6c\xf7\xc1\xb6\x45\x5e\xe2\xbb\xf2\x47\xae"
        "\x4b\x4b\x7f\x40\x3f\x63\x8d\xf0\x1e\x7b\x4c\x67\x03\xd8\x42\x46\xeb"
        "\xbd\x78\xe5\x8d\x46\x17\x0b\x38\xa3\xb7\x1b\x5e\xbf\x7a\xc8\x31\xe0"
        "\xe1\xaa\xff\x1a\x0c\xf8\xdd\x3a\xfb\xdc\x42\x3f\xde\x82\xe3\xd1\x25"
        "\xc3\xc1\xa2\x2e\x32\x59\x32\x09\xe4\x67\xc7\xf5\xcc\xdf\xa6\x3c\x33"
        "\x44\xec\x02\xac\x43\x44\x03\x28\xb8\x3c\x1d\x75\x04\xa5\x44\x61\x72"
        "\x19\xe2\x78\x46\xd7\x9c\x45\x2e\xfc\x03\x6f\xfc\xf7\xec\xdd\x0b\xb2"
        "\x85\xbc\xc4\x04\x2f\xef\xaa\x7e\xc6\x4f\x39\x4d\x2a\x5e\xd0\x1c\xb3"
        "\xac\x27\x4a\xa0\x63\x80\xbf\x03\xe2\x2b\x41\x2d\x0a\x39\xc0\xd4\x9b"
        "\x89\x0a\x24\xaa\x22\x4e\xab\xba\x5d\x84\x7f\xea\x10\x28\x40\xdc\xfd"
        "\xd7\x35\x8a\xf5\xe8\xec\xf3\x78\x74\xb1\x87\x11\x8c\xc5\x72\x6d\xee"
        "\x50\x8e\x98\xea\x4f\x7f\xe2\x66\xb3\x2b\x01\xb1\xa0\xcc\x4e\xb2\x08"
        "\x2b\xa9\xde\x78\x3d\xbc\xf1\x8b\x8b\x60\x1d\x7f\x67\xe8\x45\x0c\x6c"
        "\xac\x9b\x73\x69\x3b\x05\x60\x8e\xc7\xc1\x43\xc7\xdf\x7b\x57\xd4\xe9"
        "\x51\x1e\x8b\xa7\xb2\xa8\x46\x89\xe3\xcc\x48\xed\xfc\xad\x1a\x22\x24"
        "\x22\xa6\x04\xa2\x49\xe7\x3e\x33\x62\x9e\xf3\xa0\x0f\xea\x1f\xa3\xc7"
        "\xdc\x36\xdc\xa4\x44\x6f\x52\x62\xf9\xb8\x7c\x91\x23\xe9\x3b\xfc\xcd"
        "\xb8\x9f\x66\x37\x0c\x69\x48\x2d\xbd\x70\xa0\x99\x5f\x07\xff\x29\xa8"
        "\xfd\x7a\xe1\x56\x9a\x10\xae\x15\x85\x17\x9e\xdf\xdb\xe8\xc7\x27\xee"
        "\x91\x4b\x96\x50\xed\x6d\x5f\x4c\x57\xd3\x63\x59\xbb\x14\x02\x46\xa0"
        "\xc7\xee\x91\xb7\x70\xcc\xe5\xd5\xd4\x1b\x9b\xb7\x86\x93\x57\x51\x5f"
        "\x3e\xc2\x89\x76\x6b\xfd\xf8\x83\xa5\xda\x35\xe4\x50\x15\xea\x40\xc5"
        "\xee\xeb\x0d\x98\x93\xc9\x88\x19\x32\x68\x6f\x9f\x69\x42\x42\x9e\xa7"
        "\x00\xc5\x48\x92\x53\x13\xc7\xf3\x30\x63\xfc\x3a\xcf\x49\xf9\x07\xaf"
        "\x83\x23\x2c\x4c\x57\xdc\x53\x92\xc1\x33\x90\xb4\x77\xa4\x6f\xd1\xf9"
        "\xcf\x01\x6f\x52\x2c\xbb\xfa\x77\x93\x3f\x1c\x43\x35\xb4\x4a\xd8\xa2"
        "\x6d\xab\x93\x33\x75\x72\x50\x9d\x91\x24\xbf\x58\x1a\x26\xdb\xac\x50"
        "\x00\x05\xf6\x5b\xbe\xdd\x87\x3f\xa9\x16\x42\x35\x7b\xdc\x3e\x3f\x7a"
        "\xca\xe2\xde\x3b\x07\x32\xc6\xcf\xb9\x96\xc6\xb3\xb0\x98\xef\x82\x1a"
        "\x9d\x66\x5c\x2b\x15\x6a\xb7\x12\x44\x69\x61\xa7\x18\x67\x58\x6d\x9b"
        "\xe3\x12\x40\x12\x5c\x68\xdd\xf7\x35\x67\xfd\x98\x91\x54\x64\xa4\x7a"
        "\xf1\xd2\x5b\xcd\x50\xee\xa3\xb4\x3c\x88\x08\xbd\xd0\xc2\x78\x77\x0a"
        "\xfe\x6d\x38\xf5\x0c\x62\xbe\x2d\x6a\x90\x99\x0b\x9e\x94\xd6\xd2\x33"
        "\x42\x9f\x7d\x4e\x58\x5b\x1a\x9e\xae\x12\xe5\xda\x51\xd5\xcc\x31\x7d"
        "\xbe\x62\x8c\x9a\x2e\xfa\xaf\x8d\x62\x54\x95\xc9\x9e\x8d\x75\x54\xd2"
        "\x48\xbd\x34\x2f\x51\xf7\x1d\xa0\x2f\x34\x58\x5b\x11\xb5\xe2\x70\x40"
        "\x11\x33\xe6\x53\x6d\xb5\x2b\xc7\x91\xc7\x63\x49\x03\xd1\x12\x98\x91"
        "\xc3\xcb\xb2\xa8\xf1\xb7\x65\xfc\x5b\xe7\x21\x20\xa2\xc8\xfb\x78\x87"
        "\xdd\xf9\x23\xb0\x50\xaf\x27\x47\x93\xfa\x99\x50\x81\x13\x42\x5d\xab"
        "\x9f\xdd\xff\x43\x6e\x96\x53\xa5\x76\x13\x34\x21\xfd\x90\xeb\x27\x39"
        "\x08\xb6\x2c\x10\xb3\x1f\xd2\x20\x71\x67\x70\xc4\xf8\x63\xa6\x1b\x15"
        "\x3d\xd2\x2a\x1f\x8e\x4a\x30\xff\x1d\xd8\xa1\x8f\x5d\x18\x2d\x91\xaf"
        "\x3f\xb2\xd9\x90\x36\xe5\x6e\x47\x89\x6e\x30\x72\xdd\xd6\xeb\xe0\xdb"
        "\x3f\xaa\x83\xbc\xaa\xf8\x2b\xb1\x9d\x7a\x33\xf5\xe2\xa2\x26\xdf\xa3"
        "\xfa\x8a\xe5\xc0\x66\x49\x5f\xd0\x08\x79\x6a\x62\x3c\xba\xbc\x9a\xa4"
        "\x68\x49\x20\xb9\xaf\x94\x54\xc7\x3b\x85\x45\x5e\x7f\x4d\xf1\x4e\x55"
        "\x88\xd7\x8a\xb4\xc4\xe4\x79\x6a\xbc\xa7\xd5\xeb\xe9\x1f\xec\x4e\xf3"
        "\xfa\xd3\x38\x0e\xf9\x51\xa0\x44\x81\x8a\x3a\x10\xe9\x7a\xa0\xf1\xb4"
        "\xc7\xef\xf8\xc3\x56\x29\xe1\x26\x15\xb0\x9d\x06\xb8\x39\x07\x3f\x0d"
        "\x39\xa3\x2d\x45\x0f\x9b\x23\xfa\x1a\x05\xe7\xce\x2b\x6f\x60\x74\xe3"
        "\x25\x04\xeb\x70\x66\x77\xe8\xab\x3a\x7c\x77\xb9\xec\x45\x92\x18\x9e"
        "\xba\x86\xf0\x96\xcd\x44\x98\x2c\x8b\x4f\xd8\x20\x37\x47\x92\x86\xb4"
        "\xaf\x64\x96\xdf\x0b\xe9\x47\x4f\xb1\xcd\xc3\x30\x02\xa2\x38\x4a\xa4"
        "\xfa\x0c\xf9\x6f\x19\x92\x51\xc4\x03\x5b\x10\xca\x1e\x1d\xaa\x52\x13"
        "\x97\x8b\x0f\xa9\xc7\xee\x8f\x03\x30\x5b\x22\x87\xe1\xcd\xaa\x92\x4a"
        "\x19\xff\x29\x57\x17\xd2\xef\x0e\xba\x78\x59\xd5\xe9\xec\x21\xa3\x97"
        "\x05\xee\x8b\x00\x2b\x4e\xd6\x58\xb4\xc9\xb9\xd0\x02\xba\xed\x1c\x86"
        "\x13\x36\x55\xcf\xfa\xc3\x2f\x81\x14\x08\x19\x66\x7d\x49\x25\xc6\x24"
        "\x79\xc7\xcb\x0c\xf8\xa6\x84\xd8\x8a\xcc\x0d\xd8\x72\xa3\x1f\x7e\x34"
        "\xee\x07\x9e\xb4\x20\xa7\x32\xfa\xfb\x96\x81\xe2\x79\x05\xcf\x72\x36"
        "\x80\x4e\x1d\xa6\xf4\xf7\xfd\xd6\x74\x78\x4b\x63\x31\x3e\x2a\x0e\xc7"
        "\x60\x62\xc1\xb3\xf9\xcc\xd7\x8a\x7c\x85\x5d\xe7\xcb\x2b\xe1\x25\xc3"
        "\xc8\xd8\x74\x1c\xd9\x83\x3c\x94\x91\x98\x53\x25\xeb\xee\x15\x47\x0c"
        "\xd1\x81\x12\xe2\x25\x3c\x87\x1b\x20\xc0\xca\xb4\xdb\xcb\x58\xdc\xf9"
        "\xe6\x8d\xbf\xb2\x5a\x1d\xdd\x92\xbf\x04\x32\xb7\xa4\x1e\x96\x33\x54"
        "\x78\xf0\xb6\x72\xae\x70\x43\x3c\x61\x72\x73\x83\xb2\x3e\xb0\x73\xd0"
        "\x4c\x03\xfb\x20\xd8\x64\x10\x79\xff\x9e\x20\xf2\xaa\xbe\xa0\x60\x68"
        "\x8d\x5e\x3b\x2c\x1e\xd6\x01\x68\xee\x03\xc6\xe3\x1e\xa5\x80\x87\x92"
        "\x17\x6e\x92\x00\x70\xa5\xf5\xe6\xe3\x88\xa0\xf7\x73\xa1\x20\x87\xa2"
        "\x00\x15\xab\xa7\x82\xfe\x6d\xa3\x99\xd0\x8d\x8e\x88\x80\xaa\x44\x80"
        "\x0e\x46\x19\x71\xfe\x5c\xb8\x2d\x91\xa6\xb0\xf4\xd0\x9e\x01\xd9\xe3"
        "\x42\x36\x9f\x59\x8c\x70\x2d\x01\xc4\x9c\xe9\x99\xe7\x1d\xd3\x75\x11"
        "\x4d\x31\xb6\x1d\xc8\x8e\x98\xd9\x2a\xc7\x61\x4a\x94\xce\x6c\x96\x0e"
        "\x3e\x78\x32\xb1\xb7\x1b\xe4\xd2\x49\x0f\x81\xa0\x44\x77\x6d\xd5\x16"
        "\xd4\xa0\x0f\x5e\x07\x91\xf6\x06\xec\xcc\x29\xb9\x77\x50\xa3\x62\xed"
        "\xca\x41\xac\x14\xc7\x55\xc9\x30\x8b\xe7\xbe\xbb\xeb\x2f\x32\xdf\x26"
        "\x55\x53\x6f\x8f\x0e\x64\xbb\xf5\x3a\x1a\x93\x60\xa1\x03\x68\x49\x9d"
        "\x11\x91\x62\xde\x8c\x9a\x5b\x35\xa2\xaa\x16\x0d\x27\x7d\x05\x71\x5c"
        "\xa8\x36\x20\xfe\x8b\x09\xf6\x1a\x6a\x7c\x79\x2e\x65\x96\x72\xd2\xf2"
        "\x05\xfc\x33\xb0\x5c\x58\x31\x6a\xbe\x47\xa0\x6d\xaf\x66\xb1\x19\x43"
        "\x42\x46\x5d\xc8\x2c\xc4\x7f\x19\x4d\x7c\x9f\xd7\x20\xed\x3e\x50\xe3"
        "\xe9\xcd\xb8\xf1\xf7\xf4\xcf\xc3\x8a\x53\xc0\xc9\x0b\x8a\xc9\x64\x37"
        "\xb4\xc5\x6e\xb8\xc7\xae\x4f\xf9\x98\xec\xed\x14\xec\x7d\xf6\xae\x59"
        "\xba\x2d\xa2\xbc\xb7\x59\xe6\xea\xe3\x8f\xf5\x7b\xaa\x0d\x9e\x44\xde"
        "\xbc\xf8\x95\xa7\xb0\x0e\xac\xad\x1f\xeb\xc8\xae\x30\x16\xce\x65\x97"
        "\x3e\x24\x0f\xc6\xac\x69\xcd\x99\x12\xfa\x44\x70\xb4\x8c\x6b\x1b\xab"
        "\xf7\xf6\xf1\x53\xee\x75\x16\xa5\x73\x23\xbe\x4e\xaf\x56\x8f\x97\xa6"
        "\x27\xdb\x62\x2a\xa8\x64\x90\x65\x49\x56\x22\x9d\x49\x4b\xb3\xb2\x80"
        "\xfb\x95\x80\x67\xea\x8b\xbf\x9a\x7c\x62\x11\x06\x45\xa0\xc7\xdc\xaf"
        "\xa0\x90\x3d\x36\x0d\xc7\xe5\x02\xef\xf3\x61\x94\x37\xcf\x86\x16\x9d"
        "\x05\x63\xa4\x3f\xba\x29\x19\xd8\xd3\x96\x5e\x74\xd2\x77\x7a\xfb\x7a"
        "\xbf\xba\x4f\x67\x8d\x21\x2b\xb2\x1d\xac\x8a\x55\xc0\xd9\xbb\x33\x0b"
        "\x74\x2c\xab\x23\x58\xc7\x34\xbe\xaf\x28\x36\x1a\x74\xd7\x59\x38\x43"
        "\x61\x41\x12\x76\xe7\xa5\x01\xd8\x7e\xc8\x70\x3b\x86\xee\x49\x11\x6a"
        "\x02\x2d\x0e\xab\xca\x99\xe2\x69\xbd\x89\xfa\xad\x1c\x6c\x34\x26\xf3"
        "\x9a\x38\xf6\x2f\x47\xde\x3a\xab\x6f\x8d\xba\xd6\xee\xfe\x83\x58\x0d"
        "\x3a\x3f\x1d\xd2\x40\x77\x28\xb0\x57\x77\x8a\x66\x38\x83\xae\xf2\x49"
        "\xaf\xc1\x58\x35\x77\x55\xdc\x9a\xee\x6b\x78\x84\x91\xe4\xfe\xe5\x3e"
        "\xbb\xf1\x59\xff\x51\x1b\xd4\x3b\xe7\xae\x33\xfa\xe5\x6e\x90\xd8\xd4"
        "\x95\x42\x48\xc2\x7d\x81\x0e\xc2\xb6\x3b\x6c\xee\x62\x37\xcd\x50\x9f"
        "\xfb\x99\x8b\x54\xac\xe3\xc6\x50\xcb\xb5\x1f\x1d\x26\x21\xcd\x41\x14"
        "\x07\x82\x60\x70\x39\x20\xec\x80\xd7\xc3\x6e\x15\xbc\xb8\x88\x8b\xf3"
        "\x0f\x07\x6f\xf0\xf2\x0e\x68\xc0\x63\x13\x84\x26\xdc\x0d\x92\xbc\xb6"
        "\x7d\x29\x44\x51\x2e\x6f\x48\xae\x0b\xca\xde\xb5\xb5\xb7\xdd\xb3\x23"
        "\x26\xf0\x7b\x64\xf0\x8a\x83\x33\x3b\x9c\xe9\xb4\x06\x5a\x4c\x6e\x5e"
        "\xae\x0e\x33\xd6\x06\x9a\x55\x6e\x82\x99\x38\xe2\xa3\x7d\xe9\xf8\x14"
        "\xfa\xbe\x91\x35\xe5\x6a\x1e\xe9\x77\xd5\x6f\x42\xb6\x09\x17\xd4\x87"
        "\xea\xed\xbc\x13\x03\x76\xbb\x12\xd0\xf0\x22\x9c\xa3\xf2\x8f\xd8\xfb"
        "\x9a\x0d\x06\xd5\xea\xb9\x12\xc8\x8c\x1c\xbe\x45\x58\xec\x09\x0b\xef"
        "\x5f\x45\x13\x5c\x86\x68\x45\x45\x50\xeb\x9d\x86\x0f\x27\xfe\xa8\x18"
        "\xfb\xf9\x33\xfa\x77\xf3\x52\x59\xb9\x61\xec\xe8\x78\x5e\x19\x48\xee"
        "\x48\x63\x69\x82\x16\x05\x99\x25\xdb\xa2\x6c\xe0\x2c\x41\x6e\x12\x67"
        "\x72\xf6\x35\x57\xec\xd3\xd8\xc9\xb4\xc0\xc0\x28\x78\xc9\xe5\x8d\x7e"
        "\xe4\x0b\xf6\xfa\xdf\x8d\x63\x03\x18\xf3\xdd\xd4\x2c\xc7\x05\xfd\x71"
        "\x48\xb1\x0b\xc4\x7c\xca\x49\x39\xd1\x5a\x81\x26\xff\xe2\xa2\x41\x35"
        "\x2c\xc7\xac\x06\x0a\x1d\xef\xbe\x28\x68\x54\xaf\x31\xa8\x95\x95\x7c"
        "\x63\x7a\xb2\xd8\xd0\x4b\xba\xe6\x3e\x0a\x05\x03\x06\xf4\xd9\xbe\x39"
        "\xce\x9f\x65\x81\xc3\xf9\xe9\xf8\x0a\xa0\x27\xa5\xc9\x82\x26\x41\x53"
        "\xa1\x5f\x01\x07\xdc\xe0\x23\x55\x3e\x5a\xc2\xde\xe1\x0a\xaf\x4e\x73"
        "\x10\x63\x14\x27\xe1\x24\xea\xf2\xbc\xa9\x0e\xbc\x71\xae\x4c\x85\x64"
        "\x32\xd3\x9e\x9a\x4f\xb8\x38\xb3\x4a\x0a\x02\x80\xf2\x2a\x6a\x12\x1b"
        "\xc8\x7b\xa7\x46\xd1\x4a\x0b\x0a\xfa\xed\xb4\xe3\xd9\x99\x6f\x3c\xe6"
        "\x89\x10\x63\x04\x59\xa3\xb9\xcd\x40\x06\x6d\x16\x6a\x92\x6c\x42\x7c"
        "\xec\x7a\x53\x05\x6a\x26\x14\x04\x5e\x83\xa3\xa3\x97\x38\x72\xf7\xc3"
        "\x87\x59\xa7\x82\x38\xfc\xbf\x58\x69\x53\xf9\x6e\xe5\xe9\x29\x40\x19"
        "\xb7\x45\x47\x03\x50\xe8\xfc\x7d\x15\xd6\x02\x3a\x8c\x73\xcc\x3d\x62"
        "\x41\x14\xd2\x07\x91\xd6\x67\x25\xd1\x34\x5c\x67\xa7\x33\xae\x80\xd6"
        "\x0f\x73\x16\x86\x2e\xa1\x5b\x5a\xff\x97\xd5\x78\x55\x59\xec\x91\x6a"
        "\x2e\xa6\xb4\xe5\x80\x23\xed\x4c\xa1\x0d\xf8\x04\x8a\xb9\xdc\x5c\x74"
        "\x24\xe5\xe3\x75\xc3\x50\xc9\xea\xf2\x61\x05\x47\xd7\x59\xd6\xb0\xc7"
        "\x0a\x2a\x1a\xc9\x4e\x77\x78\x66\xa5\x06\x80\x74\xc0\x37\xd9\xd1\x88"
        "\x13\x67\x73\x1c\x94\xc4\xf3\xdd\xbd\xac\xc1\x62\xea\x71\xc6\x67\xd5"
        "\xf4\x8c\x2b\x0a\x50\x5b\xb1\xf3\x69\xed\xfc\x4f\xb2\xc7\x4c\x0f\x35"
        "\x8f\xe6\x71\x34\x56\x3c\x7e\x7a\xdc\x09\x86\x65\x61\xbb\xdc\x26\x92"
        "\x6e\x76\x9a\xe9\xb6\x10\xda\x09\xc3\xce\x32\x97\x74\x23\x53\x72\xcb"
        "\xf4\x1f\x26\xcb\x62\x4d\x13\x4c\x2a\x89\xfa\xad\xb8\x0a\x39\xa1\x32"
        "\x47\xf8\x24\x6a\x50\x6f\xd5\x5f\xd4\x17\x4c\x17\x88\x74\x8b\xdb\x4c"
        "\x3b\xb4\xfb\x7e\x09\x3f\x60\xc8\xc2\x83\x79\xa8\xf2\xe1\x09\x5f\x2f"
        "\xf5\xf2\xd0\xc6\x18\xde\xca\x95\xda\xd2\xc3\x23\x93\x93\xd6\xbd\x71"
        "\xec\x34\x29\x5e\xcf\x48\xdb\xc9\xbc\x3c\x37\xc7\xc9\x88\xb3\xd6\xe7"
        "\x4e\x0a\x8c\xe3\x1f\x22\xb0\xc6\xb3\xb6\xc2\x58\x1c\xf3\x1c\x00\x46"
        "\xb4\x0d\xb3\xca\x9c\x88\xca\x9f\xfb\xfe\xcf\x16\x34\x4a\x04\x02\x23"
        "\xcc\x60\xfe\x49\xdc\x00\x18\x1e\x2e\xe8\x08\xe4\x51\x95\xef\xc1\x83"
        "\x4c\xca\x86\xe6\x77\x50\x3d\xfe\x4c\x8f\x6f\xd1\x12\x62\x60\xc2\x7c"
        "\x24\x41\x6f\x41\x01\x3e\x68\x46\x39\xab\x19\xe8\x63\xd0\xcd\x39\xe2"
        "\xdc\x6a\x2b\x34\x61\x60\xd7\xd9\x11\xf0\x09\x1d\x43\xd0\x8d\xd0\x27"
        "\xbb\x5d\x84\xd4\x2a\x3b\x5f\xf0\xc4\xbe\x4f\x6e\xbd\x24\xa0\x5b\xe8"
        "\x8e\xad\x8d\x4e\xbe\x00\xa4\x20\x1f\x2b\xbe\x28\xd4\xe0\xa6\x1e\x54"
        "\xa8\xcc\x55\xdf\xca\x10\x83\x2a\xbc\x4f\x7a\x7a\x34\xbd\xbd\x47\xee"
        "\xc3\xf2\xe9\x8a\x28\x34\x10\xaa\x42\xe2\x06\xf8\xad\x12\xc6\xa1\xa3"
        "\x5d\xb8\xaf\x6b\x43\x37\x36\xda\xeb\x65\x10\x68\xc3\x3b\xcf\x5a\x7c"
        "\xe8\xe4\xdd\x4e\x34\xb7\xfd\x44\xf5\xbf\x1e\x77\x11\x33\xbd\x12\x71"
        "\x7e\x02\xdf\x62\x74\x56\x72\xdb\x54\xae\xd5\x85\x20\x60\xba\x76\x9f"
        "\x46\x25\xac\x06\x1f\x31\xe5\x2a\x4b\xe9\xc4\xcd\x4a\x51\xe2\x11\x3c"
        "\x10\x18\x47\x0e\x20\xdb\xbc\xac\x9f\x8a\x21\x37\x34\xf7\xa8\xfd\x9f"
        "\x95\xd6\x27\xe6\x08\xde\x05\x4c\x77\x09\xc2\x9c\xf9\x9d\x26\x4e\x26"
        "\xa0\x87\xbe\xd6\xee\x21\xa3\xa2\xf1\x1d\xc9\xde\x20\x98\x9b\x62\xd2"
        "\x91\xbf\x17\xae\xb8\x51\x6c\xa4\x39\x6a\x3b\xb5\xa0\x45\xad\x09\x5b"
        "\xc7\x85\x2d\x3e\x50\x49\x17\x82\xb0\x9a\x2a\x85\xd0\xcc\xe8\xf5\x2c"
        "\xa9\x60\xcf\xe4\x6a\x1a\xf3\xd4\x37\xbe\x87\x33\x58\x6b\x09\xe2\xfa"
        "\x78\xe4\x99\xd9\x94\xfa\xac\x4e\x2f\x63\xeb\x32\x9f\xa9\x18\xd0\x89"
        "\xca\xd9\xe7\x40\x0b\x63\x9b\x63\x4c\xde\x2e\x6c\x5f\x58\xa3\x94\x61"
        "\xfd\x23\x82\x55\x08\x87\xa2\x06\x23\x72\x3f\x25\x7e\x31\x3b\x27\x8a"
        "\x89\xe9\x07\x8d\xe5\x94\x79\xf9\x7a\x0c\xbd\x29\x57\x7b\x95\x8b\x9e"
        "\x78\x96\x19\xf7\xed\xc3\x15\x0d\xe3\x99\xab\xef\x9e\x19\xa1\x33\x0a"
        "\x3f\x8d\xdc\xdc\xec\x2d\x7c\xe8\x03\x18\x92\xcd\x02\xd8\x2d\x90\xef"
        "\x1a\xd5\x1f\x54\x72\xc4\xab\xf7\x11\xc4\x37\x98\x7b\x2b\xae\xeb\xee"
        "\x41\xdc\xc1\x9a\xfa\xf5\x19\xe8\xb5\xbb\x27\xf4\x6b\x9d\x5e\xc8\x62"
        "\xcc\x30\xf5\x49\x4f\x70\xa6\x25\xa2\xa0\xbd\x0b\x14\x06\xd1\xee\xcc"
        "\xdb\xc4\x9f\x89\x0f\xa6\x96\x47\xe5\x28\x0f\x57\x3c\xc0\xec\xcb\xc7"
        "\x4d\xea\x22\x0a\xdd\x53\x72\x30\xcf\xf2\xfc\xec\x2b\x53\x1d\x73\x5f"
        "\xed\xa8\x23\x51\x70\x02\x8c\xbd\x57\xb0\xaa\xf4\xe4\xf2\xc1\x90\x9f"
        "\x95\x75\xe6\x92\xed\x3a\x39\x2b\x16\x7c\xf8\x15\x19\xd4\x93\x19\x6b"
        "\x12\xf1\x88\xd9\x31\x31\xfa\x5e\x85\x42\xca\x6b\xaa\x92\x15\x74\x21"
        "\x3a\x91\x1b\x08\x10\x13\x6d\xaa\x15\x87\x58\x9b\x71\x05\xf6\x47\xc5"
        "\x74\x85\x29\x8c\x21\xa2\xe2\xbd\x5c\xeb\x95\x6f\x81\x62\xf8\xed\x02"
        "\x1c\x28\xaa\x4d\x8f\x57\x52\xc8\x42\x4c\x63\x31\xe6\xad\x5c\xe2\x6d"
        "\x12\x94\x79\xe2\x3e\xda\x7a\xd0\xad\x51\xe0\x52\x38\xbf\x56\xec\x70"
        "\x62\x16\x41\xb0\x3d\x11\x6b\xf4\x9b\x13\x34\xc2\x71\x49\xb7\x21\x9e"
        "\xdb\xc6\xe8\x53\x1c\x55\x65\x8b\x5c\xda\xce\x3a\x4e\x98\xea\xd6\x8d"
        "\xdc\xe0\xdd\x52\xa2\x06\xac\x79\xdd\xb1\xd2\x8d\xcc\x08\x45\xd5\x94"
        "\x6b\x16\x66\xee\xcd\xf5\x4b\xbf\xb9\x90\xe8\xba\x88\x60\x5c\x01\xbb"
        "\x2a\x79\xc6\xe3\x13\xc1\x33\x69\x1c\xb2\x1f\x1f\x27\x28\xb8\xfd\xaa"
        "\xef\xe6\xfd\xe1\xc6\xb9\x1d\xed\xc8\x5c\xda\x7b\x9d\x38\xf3\x3e\x93"
        "\x73\x50\x5a\xb2\x98\xca\xeb\xda\xe3\x60\xe8\xac\xcf\x06\xf0\x5c\x17"
        "\x01\xec\x6e\xe1\x6b\x15\x9e\x44\x5a\xac\xc9\xb3\xb5\xf4\x6f\x58\x0f"
        "\xfe\x84\xc4\x0d\x70\xed\xbb\x35\x6c\x9f\x4c\x78\xd5\x10\x31\x6c\xa7"
        "\x16\xeb\xec\x19\x10\x8f\x7a\x9e\xf1\x15\xc2\x1c\x73\xe6\xd1\x23\x04"
        "\xf5\x08\x50\x3a\x41\xc3\xbf\x59\x8c\xd1\xf2\x97\x5b\x3f\x81\x9a\x39"
        "\x9c\xf8\x1b\xd3\xc2\xf6\xff\x44\xb0\x68\x53\x06\x7b\xc3\xd9\x24\x95"
        "\xfc\xf6\x3d\xba\x92\x31\x4a\xa1\xa2\xbe\x84\xf7\x31\x48\x2c\xdd\x4f"
        "\xa4\x79\xd2\xa1\x96\xe3\x3e\xdb\x5a\x83\x3a\xbc\x0f\x08\x21\xce\xdb"
        "\x24\xbf\xcb\x9c\x6a\x58\x35\x73\x60\xdd\xae\x36\xc3\xa6\xc4\x0b\x9a"
        "\xbf\x7e\x39\xb2\x4d\x79\x8f\x1a\x15\x5b\x5a\x3c\x19\xbe\xed\x95\x3c"
        "\xba\x79\x98\xf2\x4a\x68\x97\x3b\xc0\x84\x08\x60\x6c\xd2\x19\x9c\x8c"
        "\xb9\xcf\x9b\x20\x12\xa4\x88\xbd\xf6\x65\xbd\xc9\xb2\x32\x32\xc3\x6b"
        "\x88\x88\x2f\x0c\xb5\x8e\x39\x4c\x22\xf5\x82\x5b\x58\xa5\xf0\x85\xe1"
        "\xf8\x06\x79\xb3\xcd\xfc\x62\xab\x17\x5c\x24\x4a\xb8\xab\xe2\xb1\x0a"
        "\x42\xcd\x80\xea\x56\x52\xe7\xb1\x9a\x57\xda\xa9\xa8\x11\x30\x45\xe2"
        "\x3e\x68\xe0\x77\xed\x83\xe3\x74\x68\x5e\xe8\x78\xf3\x33\x52\xea\x2b"
        "\x57\x88\x5e\x3e\x4b\x44\xba\x8a\xf4\x84\x93\xf3\xeb\x5c\xe3\xcd\x48"
        "\x44\x7d\xd4\x71\xf9\xfe\xe2\xa1\x1c\x87\x3c\xb8\xce\x8a\x13\xc4\xca"
        "\xd3\xaa\x7b\xd6\xd1\xa8\x86\x37\x61\x1b\x8b\x3a\xba\xb2\xd2\xcb\x66"
        "\x9d\x2f\xd3\xa2\xd5\x37\x83\xe6\x3b\x4f\xdd\x25\xe8\xa3\xdc\x1b\x73"
        "\x75\x9c\x2d\xf2\xdb\xfe\xcf\xd3\x60\x5d\xbf\xbf\x73\x1f\xde\x0b\xa9"
        "\xdf\x33\x3f\x00\xfb\xd2\x4d\x3b\x05\x9c\x34\x1a\x53\x65\xe5\xe4\x01"
        "\xe9\x6e\x26\x0d\xad\x8e\x1e\x76\xf5\xbf\x32\xe4\xe5\xd9\x6b\x7d\x4d"
        "\x52\x30\x37\x29\x51\x40\xd8\x22\xcd\x1c\x13\xd9\x52\x84\xef\xb3\xbc"
        "\x15\x5d\xeb\xe2\x19\x63\x6e\x4f\x47\xf4\xf7\x1a\x48\xb4\x2f\x9d\x3c"
        "\xcc\xb9\xdd\xbe\xf5\x17\xe5\x3a\xad\x2b\xd0\x7c\x76\xaa\xd9\xf5\xa6"
        "\x50\x27\x24\xae\x7a\xa2\x04\x08\x40\xb7\xcb\xce\xd5\xf2\xfc\xa5\xbd"
        "\x2e\x9b\x8c\xf7\x0b\xa7\x14\x0a\x20\xef\x52\xbf\xe6\xdb\xdd\x7f\x53"
        "\xc2\xdb\x51\x72\x59\x19\xbf\x20\xf9\x7f\xd8\xef\x6d\xed\x1f\xd3\xc4"
        "\xbb\x72\xd6\x27\x05\xad\x4e\x9b\x6a\x6e\x48\x95\xad\xce\xed\x92\xef"
        "\x1c\xad\xc1\x1c\xfd\x8b\x15\x59\xfa\x52\x79\x78\x84\x6f\xfa\x83\x62"
        "\x38\xa3\xf3\x3c\x51\xbc\xbd\x31\x0d\x52\x34\x75\x54\xd4\x10\xa5\x8d"
        "\x32\x03\x01\x3c\xef\x1e\xd2\x86\x93\x39\x5a\x28\x5e\x01\xc3\xd2\x9a"
        "\x3e\x90\x3d\x8d\x02\xe2\xb9\x6b\x01\x79\x89\xf7\xe3\x47\x51\xf7\xd8"
        "\x8c\x06\x14\x98\x89\xf1\xc7\xad\x60\x19\x18\x35\x29\xa0\xb0\xb3\x91"
        "\x20\xbb\x1d\x9c\xfe\xaf\xb3\x20\x1e\x2f\x8e\x70\x98\x38\xfd\x8f\xb3"
        "\x3e\x61\x76\x10\x53\xc4\xab\x9e\xda\x51\xba\xd7\xc0\x5f\x8d\xc0\x77"
        "\xbe\x7e\x78\x99\xac\xc5\x85\x03\x30\x74\xf5\x43\x19\xd7\x2a\xf3\x55"
        "\xee\xa5\xa4\x93\xac\xf9\x07\xf4\x86\x26\x2b\xda\xfa\xd0\xc6\x85\x8d"
        "\xdc\xcc\xce\x28\x3e\x14\x5d\x4b\x09\x9f\x3f\x18\xcf\x5a\xd5\x2a\xf5"
        "\x80\xd5\xb7\x77\xb3\x0c\xfb\xc9\x8e\xc9\x8f\x30\xb7\x40\xd0\x03\x60"
        "\x33\xcb\xfe\x8d\x27\x48\x1d\x60\xfe\x86\x4f\x65\x78\x6c\xe8\x94\x87"
        "\xd7\x9b\xc9\xc6\x6c\xfe\x9a\x36\x50\x6d\x94\x1a\x72\x4f\xc4\x9d\x3b"
        "\xa1\x6c\x76\xe7\x7a\x45\x64\x23\x12\x41\xbd\x2e\xe3\xa6\xa7\x79\xea"
        "\xac\xf7\x4e\xb2\x4f\x07\x4f\x83\xc7\xbe\x8a\x72\xaf\xec\x26\xd1\x20"
        "\x3e\x4b\x8d\xec\x82\x5f\xe9\x67\x59\x58\x03\x85\x4f\x26\x67\xe0\xdd"
        "\x58\xb3\xe8\x82\xa1\x06\xec\x82\x2b\x14\xee\x05\x31\x53\x0a\x1a",
        4096));
    NONFAILING(memcpy(
        (void*)0x20009480,
        "\x61\xea\xa2\x0e\x86\x70\x63\x40\x16\xa0\xfd\xdd\x04\x1d\x5b\x1b\x6b"
        "\x50\x23\x32\x71\x79\x2a\x2c\x83\xbe\x3c\x20\x64\x7b\x76\x9f\x96\xa0"
        "\x3b\x55\xea\x27\x2d\x72\x17\xe4\x2a\x94\x39\xb0\xc8\x3b\x4e\x2a\x73"
        "\xb8\xae\xef\x63\x9b\x70\xbf\x90\x5f\xfb\x73\x92\x80\x28\xa1\x15\x03"
        "\x2f\x85\xfa\xe7\x27\xa6\x54\x71\x1a\xb9\xc7\x20\x96\x3c\xdb\xf7\xf9"
        "\xeb\x6b\x95\xe6\xb7\x96\xfa\xbe\x1e\x02\x1c\x3e\x34\xff\xba\x75\xa1"
        "\x1f\x95\x21\xe9\x7d\x53\x8d\x44\x39\xbf\x17\xc4\x53\x01\xc5\xfd\x75"
        "\xdc\x05\xae\x37\x34\xc1\xa7\x58\xf2\x92\x77\x2a\xa4\x69\x5a\xc5\x60"
        "\xb2\x0a\x78\x1c\x39\x45\xee\xe5\xba\xb3\x8d\x6b\x87\xc7\x06\xf3\x4f"
        "\xa9\x18\xd5\x73\xcb\x6e\xe9\x6d\xd4\x38\x10\xeb\x7f\xd1\xff\x32\x81"
        "\x07\x03\x2a\x5c\x63\x71\xc6\xe4\x6b\x50\x4f\xe7\x93\xf5\x41\x15\xf6"
        "\x11\xbe\x86\x9e\xe2\x80\x0f\xbc\xea\xe2\x6c\xa2\x87\xed\xef\x7c\x79"
        "\x8e\x44\x03\x8e\x1f\xb6\xa8\x02\xf5\x7a\x44\x41\x92\x89\x92\x4e\x1a"
        "\x46\x96\xa7\x47\x22\x98\x38\xf6\x5c\xc7\x3f\x69\xc9\xe5\xc6\x37\x23"
        "\x85\x3a\x17\x52\xdc\x5f\x11\x33\x4d\xa9\xd6\x77\x4a\x15\x5a\x80\x5c"
        "\xbc\x29\x3a\x6c\xd5\xc2\x74\x28\xb9\xac\x33\xcd\xe0\x01\x26\x3e\x1b"
        "\xcb\x81\xd9\xf5\xce\x6c\x4c\x40\xc0\x69\x62\xd8\x2f\x76\x76\x74\xdb"
        "\x8c\x4a\xa2\x0a\x61\xe7\x18\x4b\x57\x83\xf7\x92\x3b\xa2\x7c\x4c\xe5"
        "\x3b\xa6\xc3\x33\xbc\xda\x40\x05\x77\x19\xb1\xe6\x72\xe5\x39\xda\x40"
        "\xcc\xb3\x01\x68\xdc\x1f\xdf\xb9\x14\xc2\x33\x17\x85\xbc\x7a\x5d\xd2"
        "\x34\x3d\xd8\x2f\x5c\x7b\x7b\x64\x16\xa7\xec\xcb\x21\xd2\x2b\xf9\xca"
        "\x80\x7f\xa4\xf0\x0e\x15\x98\xbe\x91\xb9\x40\xac\x7b\xc2\x02\x9d\x2f"
        "\x0d\x21\x0e\xab\xe1\x61\x9b\xde\x3c\x11\x4c\x1d\xd8\xeb\x8b\xb7\xc5"
        "\x22\x3d\x1f\xc6\x6d\x5e\x62\x58\x0c\x84\xb3\x32\x47\x40\x68\x09\x79"
        "\x80\xd1\x39\x07\x8c\xd1\x7e\xec\x83\x6e\xf2\xef\xe2\x98\x1a\xca\x9f"
        "\xee\x84\x69\x8f\x4a\x8c\xce\x77\x2d\x4b\xf7\x8e\x64\x19\x7e\xc4\xb8"
        "\x84\x38\x78\x1f\x9f\x7c\x49\xf1\xd7\xc0\x3f\xf4\x8b\x26\xa2\x3b\x1d"
        "\xeb\x98\xe5\xb2\x79\xdd\x50\xd6\x41\x78\xbe\x38\x71\xb0\x2c\x04\xd9"
        "\xc4\x97\xe4\x43\xa6\xef\x10\x7d\x2c\xea\xfa\x19\xf9\x0a\x3d\x9e\x49"
        "\xe4\xd4\x5f\x36\x78\xda\xd8\x08\xf9\xbc\xfa\x0b\x67\x57\x0d\x0f\x55"
        "\x83\x84\xc1\x66\xb8\x54\xcb\xfa\xc7\xd4\x81\x71\x40\x11\x82\x59\x1b"
        "\x92\x0c\x97\xce\x87\x47\x11\x38\xc6\xf5\x4e\xa0\x44\xc8\x7c\x6c\xa2"
        "\x3e\xde\xc2\x97\x23\xb2\x13\xf3\xba\xab\x16\x5a\x26\xe1\xc6\x7e\xc4"
        "\x5f\x53\x08\x2d\x7d\x10\xd3\x3e\x1d\x77\xc1\x42\x1f\x27\x25\xdb\x36"
        "\x4c\x95\xfe\xc7\xb9\x0c\x01\xa8\xe5\x54\x72\x64\xcf\xf5\x86\x3f\xc6"
        "\xc2\xf8\xc7\xf0\x6e\x0e\x73\xe9\xd4\xab\xc9\xf4\x78\x6f\x5f\x89\xe4"
        "\x43\x98\x7d\xef\xcf\x5a\x59\x7f\x82\x71\xc3\x57\x1b\x45\x04\x9d\x73"
        "\xf4\xac\x03\x63\x2c\x2f\x7a\x13\x35\x31\x50\xe0\xe7\xd0\xac\x29\xca"
        "\xa1\x24\x05\x39\x3f\x1a\x12\x64\x1a\x8b\x3c\xbf\xd6\x86\xdb\xef\x52"
        "\x35\xe2\xce\x7f\xc1\xe0\xf0\xe2\x80\xad\x99\xb6\x62\xcd\x3a\x4f\x31"
        "\x1f\xd4\x42\x53\xc0\x54\xf2\x15\x29\x50\x66\xeb\xdb\x4d\x2e\x01\x81"
        "\x35\xe9\x42\x88\x91\x66\xca\x02\x76\xe8\xc1\x98\xae\xf9\x3b\x67\x42"
        "\x0c\x12\x7d\xb1\xdf\xb7\x40\x9d\xf3\x9d\xbe\xb4\xd1\x91\xd4\xd9\x6f"
        "\xdf\x93\xf1\xd7\x44\xf0\x08\xf4\x3f\x9b\x3e\x1f\xeb\x7c\x29\x48\x3e"
        "\x1f\xb3\x7d\x9e\xf7\x34\x5a\x98\x45\x32\xde\x4a\xc2\x11\xdf\xb1\x6a"
        "\xb8\xcd\x41\x34\x6f\x88\xc5\x58\xda\xf8\xef\x7c\x12\x6a\x81\x69\x72"
        "\xc7\x49\x68\x2c\xb7\x07\x3c\x5f\xf0\x09\xea\x78\x83\xff\x97\x21\x3b"
        "\x9b\xa2\xc9\x81\xb0\xf3\xea\x98\x26\xb6\x72\xc7\x2f\x89\xcc\x0a\x8b"
        "\x58\xe7\xe0\xb8\x12\x67\xf3\xa5\x7d\x4d\xf9\x30\xa0\xbd\x89\x0d\xa1"
        "\x5c\x97\x49\x64\xf4\xbc\x7a\x9d\x24\xe4\xae\xe4\xc8\x5a\x3f\x77\xb7"
        "\x95\x5e\xc9\x4b\x71\x8f\x83\x4b\xbd\x40\xd5\xcf\x20\xf9\x2f\xf3\x15"
        "\x89\x36\x21\x80\x9c\xa2\xdb\x54\xeb\xfa\xe9\xe5\xc0\xf9\x49\x54\x57"
        "\x51\x8f\xd9\x3d\x59\x32\x32\x88\xf5\xf8\xe6\x9f\xe4\x65\xe7\x0f\xfe"
        "\x5a\x0c\xf8\x5a\xe6\x23\xc2\xb5\xb6\xb1\x7d\x35\x1c\x8e\x94\xdf\xe6"
        "\xa5\xe2\x29\x7c\x53\xf0\x01\x85\x4a\x53\x65\x7c\x8c\x89\x87\x43\xcb"
        "\x72\x15\x9b\xe2\x41\xf5\xf8\x75\x9f\xfa\x0b\x6c\xeb\x9f\xa5\x6a\xab"
        "\x07\x9b\x39\x58\xfb\xad\x1f\x13\xe8\x54\x49\x30\x6c\x5a\xf1\x1e\x10"
        "\x96\xce\xa7\xd4\x41\xd2\x13\x46\xc4\x79\x85\xf0\xa5\xcf\x08\xe6\x48"
        "\xa3\xa8\xf1\xb9\xc3\x2b\xd4\x18\x89\x7e\x54\x83\xd7\x0e\xb0\x9b\x46"
        "\xcd\x41\xec\xfd\x5c\xf8\x23\x4f\x35\xa7\xa5\xb7\x9f\xbc\xb5\x30\xd5"
        "\x10\x9e\xa0\xf2\x0d\xea\x23\x3d\x31\x5f\xfc\x7d\x38\x46\x7b\x6f\xfb"
        "\xf7\x86\x44\x6f\x7f\x66\x17\x29\x72\x58\xbc\xa8\x00\x4b\xe3\xa1\x09"
        "\xef\x10\x3b\x09\x00\x00\x00\x00\x00\x00\x00\x08\x64\x1b\xe5\x49\x9a"
        "\x19\xeb\x79\x0a\xfa\x6f\x2c\x5c\x48\x52\xbb\x4c\x8c\xc7\x6d\x10\xb1"
        "\x7a\x69\x64\x0c\xa2\x0d\x80\xec\xaf\xbb\xeb\x43\x14\x75\x1c\xc0\x85"
        "\x7b\x35\xa0\x43\x21\xef\xc7\xe1\xf4\x31\xf3\x04\x68\x4c\x1b\xa5\x30"
        "\x0c\x61\x58\x91\x20\xf2\x00\xc4\x5d\x3f\x99\xf0\x62\x2d\x90\xfd\x7a"
        "\x5c\x9a\x6e\xe7\x76\xea\x42\x1f\x1c\x68\x66\x8b\x24\x9e\xbc\xe1\x77"
        "\x09\x64\x83\x93\xe8\x6f\x8c\x59\x6a\xbb\x77\xaa\xfe\x37\x6e\x15\x8c"
        "\x0f\x2e\x4b\x16\xd1\xa7\x66\xe2\xdd\xdb\x8c\xb4\x81\xb2\x8c\x5c\x98"
        "\xf2\xa6\x8a\x0f\xd1\xc5\x55\xd1\x7a\xd0\x93\x2c\x3e\x85\x50\x78\xb2"
        "\xd9\xe5\xff\x6f\x8d\x0b\xea\x70\xe5\xfe\x83\xf0\xb0\x83\x1d\x95\x3a"
        "\x05\x06\x1a\xbb\xca\xbe\x04\x3b\x59\xed\xf1\xbc\x25\x19\x5d\x55\x4b"
        "\x3f\x11\xe2\xdc\x05\x91\xb2\xfb\x17\x71\xa2\x50\x92\xca\xd4\x42\x26"
        "\x63\xb6\x0d\x0b\x45\xff\xeb\xaa\x9f\x64\x6d\xa6\xb9\xb9\xdc\x2f\x5d"
        "\x27\xbd\x23\x6c\xab\xf6\xae\x85\x1d\x70\xf7\xd6\xd7\x74\xfe\x09\xf1"
        "\x2a\x02\xb3\xc9\x42\x73\xd6\xfe\x8b\x5f\x61\x7e\xb3\x22\x89\x03\x01"
        "\x62\xc2\x89\xbb\x57\x40\xfe\xc5\x23\xad\xc0\xfe\xb5\x12\xc8\x94\x81"
        "\xc0\x30\xae\x2e\xde\xab\xab\xcc\x59\x5a\x6b\xb3\xe7\xf8\x0d\xbd\x8e"
        "\x8a\x21\xe0\xb8\xa6\x38\x8e\x18\xd8\x71\x9b\xf9\x6c\x40\x44\x0c\x07"
        "\xe5\xd5\x01\xa9\x3f\x81\x57\x43\xfe\x8f\x6c\x56\xfb\xe1\xb7\x50\x2f"
        "\x0e\x41\x8e\x7a\x3b\x11\x6b\xda\x4c\x75\x9a\x65\xcb\xb2\xb5\x47\x5c"
        "\x37\x48\xc0\x48\x9a\x0b\x6b\x84\xc3\xf4\x61\xd5\x8b\x04\xf6\x12\xae"
        "\x6e\x46\x33\x94\x9e\xe8\xb2\x71\xa8\xe8\x73\xf2\xe4\x0b\x7f\x75\xf3"
        "\xdf\xfd\x09\x00\xe0\xe2\x9f\x2d\x16\xf3\xc9\x19\x07\x95\x81\xd2\x09"
        "\x49\x89\xcb\x6f\xfa\x80\x8c\x2e\x3c\x1c\x53\x44\x49\xe0\x7b\xd8\xcd"
        "\x28\x76\xf2\x48\x50\xa6\x94\x75\xcb\xa9\xc4\xa8\xb5\x74\xa7\xd1\x14"
        "\x54\xb4\x39\xeb\x6a\x77\xf0\xaa\x6a\x2f\x52\xdb\x41\x3f\x5d\x5a\xee"
        "\x6c\x38\x8e\x10\xb4\xb0\x5e\xe9\xa1\x41\xfc\xf0\x17\x32\x11\xb8\x3b"
        "\x6f\x01\xc6\x98\x8d\x83\xc7\xcf\x89\xac\x51\x88\xf5\x75\xf4\x51\x95"
        "\x17\x65\x3b\x57\x5e\xab\x7b\x78\x34\x27\xa8\x39\x18\xcf\x55\xbf\x71"
        "\x52\x1f\x33\xc3\x67\xb7\x63\x9a\x25\xc3\xda\xa2\x83\x72\xad\x57\x05"
        "\x9e\x4a\x16\x9c\x1e\x8c\xa3\x42\x59\x7d\x7e\x71\x14\x82\xc9\x5d\x45"
        "\xd3\x75\x08\x4d\x34\xdd\x31\xa4\x94\x2c\x93\x09\xa2\x5d\x03\x82\x58"
        "\xad\x95\x48\x37\xac\x32\x2e\x83\xdb\x09\xf6\xb2\x81\x28\xe4\x0a\x19"
        "\x86\xae\x71\x16\x60\x4c\xef\x2e\xd4\x8d\xa1\x71\x0a\x0a\xe0\x37\x19"
        "\xf2\x09\x13\x32\x09\x3c\xff\x90\x89\x79\xff\x68\x4d\x82\x26\x26\xd0"
        "\x95\x25\x6a\x00\xd3\xf8\xb9\x6c\x26\x2f\x17\xa3\x55\xdb\xed\xf6\x34"
        "\x53\x33\x10\x46\xdb\xde\x13\xcf\x9f\xa9\x3e\xfb\xef\x77\x7e\x01\x0c"
        "\x1e\x9b\xa2\x7b\xe7\x59\x34\x3e\x38\x16\xf9\x24\x6d\x4d\x70\x8c\x17"
        "\x00\x5f\xea\xb9\xbb\xcc\x25\xb4\xa3\x33\xb4\x4f\x94\x3d\x35\xc5\xf4"
        "\xf9\x11\x6b\xbf\xa1\xed\x84\xf4\x7b\x57\xc2\x83\x51\xaa\x38\x0c\xf8"
        "\xc0\x29\x3a\x4f\x88\xea\x96\xf6\xa3\x5c\xa7\x3e\x04\x50\xe3\x8f\x47"
        "\xff\x96\xd4\x56\x53\xd1\x03\x15\x49\x27\x10\xca\xe5\xa5\xc2\xf1\x43"
        "\x5d\xf9\x92\xf9\xcb\x2c\x5b\x5c\x21\x0f\x56\x89\x00\x46\x7d\x27\x8a"
        "\xe3\xd5\xe3\xa4\x74\x1a\x37\x48\x81\x16\x08\xe9\x7b\x9b\xff\x03\x22"
        "\x5a\x6c\x37\xb5\x28\xf2\xd7\xb9\xfe\x84\x9f\x5a\x12\xfe\xce\xc5\x4c"
        "\x7c\x3d\x90\x19\xc2\xeb\xa7\x13\x1d\x42\x58\x14\xa8\x8a\x8c\x69\x21"
        "\xc4\xa3\x85\x6f\x89\x10\x48\xc9\x5b\xb6\xd2\xc9\xb1\x25\x64\xa5\x63"
        "\xd7\x86\x70\x20\xbf\xd6\x2d\xc4\x6e\x69\x6e\xba\x6c\x58\x6b\x0f\xc7"
        "\x57\x99\x40\xe8\x9b\x1a\xd9\xe8\x3c\xb7\x39\x53\xda\x3f\x4c\x50\xb6"
        "\x0f\x35\x33\x8e\x86\x57\x23\xc7\xa3\xd3\x97\x92\x9b\x0c\xbe\xaa\x7a"
        "\x8d\xc8\x08\x9e\x92\x6a\xba\xb2\xb2\x13\x7d\x00\xca\x10\x0b\xe1\x7e"
        "\x11\x94\xea\x8e\xae\x93\xf7\x6e\x7e\xee\xc4\x99\x63\x85\x8a\x1b\xd4"
        "\xe0\xff\x00\x6a\xa1\x46\x92\xfa\xc8\xad\x66\xcc\x86\x10\x58\x36\xa7"
        "\x45\xad\xb3\x7a\xed\x83\x52\xa0\x7e\x7d\x22\x01\x0a\x43\x4f\x19\xcb"
        "\x99\x58\xa3\xe9\x48\x28\x23\x21\x95\x5a\x84\xe3\x5d\xd5\xcb\xb0\x00"
        "\x05\x64\xeb\xb7\x35\x3b\x53\x50\xa6\x30\x9f\x1f\xbb\x9a\x6b\x81\xa6"
        "\x04\x2b\xad\xfe\x44\xe9\xc0\x22\xfb\x99\x6e\x55\xad\x4b\x83\x78\x2d"
        "\x30\xb2\x08\x7d\x3e\xc6\xc3\xe7\x20\xc8\x9c\x03\xa9\xe3\xaf\xc3\xd2"
        "\x25\xfd\x27\xa9\xed\x95\x45\x62\xf1\xa2\xe2\x5f\xd2\x89\x11\xed\x22"
        "\x0a\x70\x04\x20\xc1\xc7\x5f\x80\x28\xfc\xee\xd5\x12\xf1\x8e\x48\x54"
        "\xc9\xef\xe2\x02\x5e\xec\x9a\x8d\x2e\xa5\x55\xb4\xae\xc7\x38\xba\x2f"
        "\xc4\x6d\xe8\xfa\x48\x15\xc6\xe8\x53\x7b\x9c\x46\x81\xe1\x19\x9c\x1d"
        "\xd1\x22\x8c\x27\xb0\x86\x00\x60\xfb\x6d\x6e\x0e\x38\xb3\xec\xfd\x33"
        "\xe6\x9e\x55\xfa\xcc\x10\x5f\x23\x39\x62\xba\x03\xd1\xd2\x94\xc2\x6d"
        "\x73\xd2\x12\x74\x0f\x44\x53\xf2\xb7\x92\x77\xaa\xa6\xfa\x72\x0f\xb8"
        "\x6d\x73\xcf\x58\x52\x60\xfa\xa7\x39\x50\x2a\x9c\x31\xe6\x23\x5a\xc8"
        "\x06\x31\x0b\x61\x1b\x10\xdc\xcf\x34\x7c\x71\xc2\xd4\x40\x18\x59\x15"
        "\x5c\x42\x38\x7f\xba\x41\x9c\x99\xcc\x82\x71\x1c\x47\xf8\xce\xc1\xc8"
        "\x07\x0f\x82\xdc\x73\x97\xf9\x13\x22\xac\xb7\x7f\x52\x34\x82\x6e\x97"
        "\xf4\x35\xdc\x87\x08\x8f\xf5\x5c\xab\x5f\xb4\x3c\xf3\x13\x56\x82\x23"
        "\x07\x98\xe8\x2d\x62\x47\x90\x71\xa3\xbb\x81\x54\x79\x83\x40\xcc\x83"
        "\xf9\xbf\xd0\x11\xe7\x4d\xdf\xa8\x2c\x93\x26\xd3\x72\xee\xab\xb2\x5c"
        "\x85\x17\xfb\x4c\xa7\x82\xe4\xaf\x99\x79\x9a\x7b\x74\x48\xee\xfe\x60"
        "\x86\x64\xf1\x40\x93\x37\xeb\x31\x35\x90\x54\xb4\x04\x09\xcd\x68\x7f"
        "\x9e\x4b\xb1\xca\xdd\xa1\xe4\xda\xa0\x27\x67\xd7\x58\xe3\xf4\xd1\x8e"
        "\x0f\x8f\x65\x7f\x77\x83\x4a\xb0\x2b\x61\x08\xe7\x96\x3b\x2c\xdd\xd0"
        "\x3e\x60\xe6\x85\x5e\x05\x2b\x9f\xde\x11\x35\x9d\xb4\x44\x9b\x8e\x0d"
        "\x00\xc7\x82\x31\x22\x58\xe0\xab\x8d\x16\x6c\xe0\xa4\x7a\x73\x12\x68"
        "\x4a\x2c\x7e\xad\x37\x07\x10\x00\xa6\x78\x95\xf9\xf2\x0d\x97\x91\x71"
        "\x4d\x1e\xe7\xd6\x10\xd4\xfa\xda\xbf\x39\x66\xdd\x5e\x3d\x09\x49\xeb"
        "\x60\x4b\x8b\x10\xf8\xaf\x9e\x66\xf1\x86\x57\xc3\x26\xe3\x8a\x8b\xd2"
        "\xa3\x14\x86\xed\x9b\xaa\x75\xa3\x31\xc6\xba\x4b\x60\xd4\x6b\x93\xe4"
        "\xd8\x4f\xfa\x66\x18\xed\xd9\x8e\xf5\x99\x21\xd4\x99\x5a\xb1\x39\x18"
        "\xec\x8a\x06\xa7\xe8\x29\xfb\x09\xf2\x37\x91\x39\x73\xe0\x38\xb6\x5d"
        "\xe2\xe0\xf7\xbf\x94\xac\xeb\xd3\x53\x6e\xfd\x6e\x8f\x88\x68\x11\xf4"
        "\xee\x17\xfc\x7f\x5a\xa0\x22\x91\x69\x69\x09\x2e\xc9\xbc\x1b\xf4\x14"
        "\x8d\xc1\x4b\x9b\x40\xdf\x48\x5b\x81\xaf\x9d\x00\x65\x0d\x6e\xcf\x7a"
        "\x16\xf0\x2e\x4f\x00\xac\xe7\x42\x2e\xb6\xaf\xfb\xb4\x72\xef\x15\x54"
        "\xa3\x17\x11\xc3\xfa\x0d\x4f\x6a\xc0\xf1\xb0\x42\xc0\x22\xfb\x69\xec"
        "\xe4\xd9\x05\x70\xbd\xb5\x38\xf5\x75\x84\xaa\x20\x4d\x5c\xac\xb7\xb1"
        "\xa7\xc2\x6c\x47\x25\x61\x85\x42\xaf\x6c\xd8\x68\xdc\xbd\xcf\xac\x07"
        "\xca\x63\xdf\x0b\xb0\x16\xa2\x05\x4b\x97\xe3\xaf\xeb\xc1\xe8\x2a\x22"
        "\xb9\xff\x82\xe2\x1f\xcd\x5b\xd8\xeb\x61\x89\x62\xcd\x66\x4d\x18\xcc"
        "\xd4\xc4\xae\xa3\xf9\xbe\x5c\x89\x8e\x3d\xd9\x3e\x05\xa1\xa2\x1d\x00"
        "\xfd\x8f\x8f\x70\x50\x1a\x66\xe2\x8a\xb8\x66\xb7\x03\x62\x12\xb7\x52"
        "\x38\xac\x9f\x0f\xd3\xfe\xaa\x0c\xcc\x4d\x81\xba\xa7\x4e\x20\x0b\xa8"
        "\xd7\xfa\xd8\xb9\xb6\x4e\x64\x4d\x2d\x29\x40\x86\x88\x94\xcb\x85\xd4"
        "\xe8\x69\xfd\xd9\x68\x38\xf1\xf6\x84\x4a\x63\xd8\x1d\x82\x60\x93\x44"
        "\x6b\xd9\xb0\xf5\xd4\x86\xfb\x12\x41\xe1\x96\x54\xbb\x37\xb0\xab\x05"
        "\x28\x4b\xad\x40\x0a\xa3\x2c\xcd\xdb\x86\xfa\xff\xac\x46\xf2\xac\xc6"
        "\xa1\x36\xd3\xae\x51\x0b\x57\x91\xcd\xc6\x7e\xb5\xdc\x02\x57\xc0\x63"
        "\x54\xe9\xbe\x36\xd0\x85\x3d\x53\x77\x8d\xc4\xd1\x35\xfa\xc7\x7c\x10"
        "\x24\x6a\x91\x7f\x17\xb1\xa2\x1c\x9b\x9a\x08\xb2\x5c\xa8\x46\xed\x8a"
        "\xbc\xb3\x8a\xfa\xd2\x71\xc8\x2e\x3b\xfc\x77\x77\x02\xc3\xf4\xcb\x89"
        "\xec\x9d\x2b\x33\x6f\xb1\x8d\xa2\x9f\x43\x60\x47\x37\xf5\xfe\x83\x71"
        "\x7b\xd9\x36\xb0\xcf\x72\xf1\x2c\x08\xcb\x06\xcd\x28\xe5\x45\xd9\x19"
        "\xf9\x37\x33\x10\x03\xa7\xb6\xfe\xc6\xf0\x38\x5b\x62\x9b\x8e\xe1\x94"
        "\x55\xa9\x0c\x0b\x9f\xd7\xea\x15\xf4\xf6\x4a\x40\x34\x03\xbd\x35\xd2"
        "\xa4\x9d\xae\x1c\x5c\xb9\x49\xd0\x20\xd9\x60\xe9\xe9\x31\x57\x8d\xab"
        "\x04\xbf\xf6\xe4\x34\x4e\x72\x61\x93\x5c\xa6\x58\xdd\x50\x52\x6c\xfa"
        "\xa1\xe2\x69\x2f\x97\xb7\xf1\xbf\xc6\x7f\x8a\xf4\xc7\x93\xc7\x92\x2f"
        "\xd5\x83\x5d\xcb\x71\xdc\xe6\x40\x47\xf8\x2b\x51\xf9\x07\x34\xa5\x6a"
        "\xad\x03\x9a\xb6\xcb\xeb\xeb\x18\x91\xc9\xb7\x4e\x87\x4f\x17\xfd\xa7"
        "\x2d\xc8\x14\x8a\xef\xd4\x18\x95\x71\xf8\x5d\xcc\x22\x49\x01\x0d\xca"
        "\x4b\x7b\xd9\x56\x6e\x69\x7f\xee\x20\xd8\x73\x1c\xa2\xd9\x1f\x87\xbb"
        "\xda\x22\x26\x6c\x79\x70\x80\x8b\x0a\xe4\xd0\xe5\x5f\xf7\xd2\x03\xa5"
        "\x76\x40\x9c\xc4\x34\xa8\xcf\x7d\x75\x58\x52\x51\x58\xf0\x88\x44\x5c"
        "\x0e\xc9\x8c\xf0\xfc\x8a\xd0\x9d\x27\xe3\x20\xa8\xaa\x85\xf5\x2e\x94"
        "\xfd\xfe\xf8\x86\x18\x39\x86\x3c\x77\x4c\xd3\x21\x9e\xe6\xaf\xee\xd6"
        "\xb3\xb8\xbc\x7d\x32\x63\xab\x3c\x0e\x73\xb3\xd5\x5a\xe3\xcb\xb3\x5f"
        "\x35\xd7\x71\x7f\xa2\x6c\x20\x1c\x2a\x07\x54\x54\x36\x4e\xf2\x7d\xde"
        "\x12\x9d\x6b\xa0\x1a\xd9\xa1\xbb\xe8\x24\xc0\x1a\x5b\xea\x31\xe0\x1a"
        "\xf9\x42\x92\xb5\xbf\xa0\xa7\x1c\x0c\x34\xc0\xb3\x72\x53\xc9\xde\xe1"
        "\x40\x3c\xeb\x3a\xc1\x4e\xd2\x9e\x87\xe4\x0c\x9e\xe4\x4c\x14\x80\x2f"
        "\xe0\xf3\x08\x6f\x0e\x0c\xfc\x09\xf2\x1c\x42\x4c\xcd\xc2\x37\xc8\x4b"
        "\x61\x3d\xb4\x6b\x68\xde\x6e\xbf\xbd\x3f\x13\x57\xff\x9f\xbd\x9a\x91"
        "\x5c\x26\x24\x19\x9c\x6f\x20\xce\x7d\x95\x2c\x92\xbf\x2a\x72\xd3\x42"
        "\x45\x78\x88\xa8\x62\x54\x8b\xd2\x02\x30\x23\x4d\x0a\xf8\x8a\x17\xc4"
        "\x38\x09\xdb\x85\x18\x54\x4e\xb8\x7f\xde\xe1\x84\x23\x4c\xfe\xbb\xf6"
        "\x65\x8a\x51\xa3\xc8\xc9\x12\x1e\x36\x13\x15\x5d\xca\xb1\xd9\x71\x5e"
        "\xe5\xb2\x5e\x64\x0f\xd4\x21\x83\x50\x32\x90\xc5\x3f\x4e\x78\x2e\x5a"
        "\xba\x85\x2f\xf2\xba\xfa\x2b\x27\xd9\x2a\xf0\x78\xbd\x5a\xd0\x8b\xb9"
        "\xf3\xda\x8d\xca\xed\x75\x2f\x57\x12\x41\xdd\x26\x39\xc2\xed\x62\xac"
        "\x94\xff\xc0\x11\x3a\x60\x62\xed\x1f\x87\x77\x65\x13\x83\x35\xea\x02"
        "\x1b\xf9\x10\x3a\x68\xaf\x8e\x41\x74\x28\xf7\xd9\x49\xe9\x94\xef\xf8"
        "\x79\xdf\x85\x97\x04\x2d\x63\x57\x83\x01\x20\x7a\x77\x90\xb6\x69\x05"
        "\x6a\x8c\x69\x3e\x45\x21\x22\xfc\x1e\x81\xc8\xb7\xa9\x20\x0d\x28\x4d"
        "\x63\x4f\xf1\xe2\x2d\xde\xaa\xd7\xb6\xaf\xa0\xd1\x3f\xc6\x7b\xb0\xf7"
        "\xcb\x9c\x5e\x2e\x4f\xc8\x52\x04\xc4\x53\x22\x4a\x70\x25\xdd\xc4\xb0"
        "\x53\x09\x6b\x27\x37\x39\xc6\xd4\x62\x7b\xaf\x95\x8a\x81\x78\x48\xf0"
        "\xe1\x6d\x95\xa7\xb2\x6e\x54\x33\xff\xf0\xa0\xb4\xc8\xa7\xf9\xe8\x97"
        "\xbe\x53\x69\xbd\x37\x6e\xac\x96\xa5\x02\x19\x2d\x51\x37\xd3\xcd\x9d"
        "\x39\x12\x25\xea\x0a\xd5\xcb\x83\x69\x0c\x77\xc0\xe7\x68\x37\x7e\x73"
        "\x19\x30\x8e\x7d\x9f\xac\x95\xc0\xd5\xbf\x65\xf6\xf1\xa8\xa7\xa7\x73"
        "\x7e\x81\xd9\xfc\x5e\x78\x3e\x37\xea\xd7\x6c\x8d\x89\xe2\x42\xe2\xef"
        "\x45\xd8\xeb\xe4\xff\x6e\x21\xef\x6e\x89\x7f\x10\xfe\xac\x1b\x09\x08"
        "\x16\xd6\x72\x24\xe4\x99\xc9\xe8\x16\x18\xc4\xbf\x9b\xc2\xac\x43\xa0"
        "\x37\xa0\xc6\x76\xeb\xe5\x4b\x24\x2f\x0e\xd0\x5b\x26\xc0\xf5\x87\x57"
        "\xa5\xde\xf2\x1f\x93\xa5\xc3\xb7\xa6\x29\x3e\x85\x53\x01\xd7\x78\x52"
        "\x81\xac\x94\x31\x09\x98\x2c\x84\x37\x21\x95\x41\xb0\x8f\x5d\x8c\x59"
        "\x6c\x9b\xe8\x30\x12\xdb\xb6\x30\x1b\x93\xaf\xb3\xb3\x6c\x0f\x01\x68"
        "\x69\xf9\x6b\x90\x7c\xd4\x12\xc3\x4f\x55\x04\xc6\xf0\xb7\x2d\x7b\x9d"
        "\xad\x39\x0a\xdf\x97\x97\x72\x7b\xed\xa7\xc5\x24\xc6\x73\xac\xfd\x25"
        "\xd8\x34\xed\x18\xc6\x4e\x87\x54\x5c\xab\xdd\x35\xcf\x3d\xbe\x01\xc9"
        "\x31\x52\xd8\xd6\x7b\x23\xe9\xf1\xeb\x73\x41\xf9\xfd\x28\xe2\x5b\xf7"
        "\x14\xfe\x45\x79\x9b\xea\x0f\x20\xb7\x1c\x2f\x0f\xcb\x62\xf2\xf7\xea"
        "\x5d\x01\x89\xbf\xae\x06\xc3\x8b\x82\xf2\x6e\x7e\xc6\x66\x12\x99\x02"
        "\x70\x5f\x0e\x52\xe1\xf7\x89\x07\x81\xd6\xe3\x33\x27\x93\xca\x88\x8d"
        "\x3d\xe0\x2e\x32\x1f\xca\x88\x3e\xd6\x33\xea\x58\x00\x24\x54\x71\x40"
        "\xc2\xec\xcf\x15\x62\xac\x4b\x79\x0d\xe9\x40\x94\xd6\xe5\xb0\x16\xb5"
        "\x80\x7a\x8b\xcb\x19\xa1\xc5\x0c\xfa\x21\x9f\xb8\xef\xc6\x97\xae\x4b"
        "\xce\xb4\x98\xa8\x24\x13\xc6\x21\x8f\x2c\x23\x11\x6c\x25\xd1\x35\xa5"
        "\x78\x36\xa4\xef\xba\x10\x2b\x88\x13\x89\xeb\x07\x04\x14\x4b\x54\xa6"
        "\xf5\xc3\x72\xc8\xa6\x0f\x33\x55\x1d\xb9\x25\x94\x93\x2f\x9c\x7a\x9f"
        "\xab\xf3\x96\x72\xfe\x75\x29\xe6\x04\xa4\xe5\x35\xeb\xdd\x52\x7a\x41"
        "\x1b\x93\xca\xcb\x44\x1f\xf5\xf6\x36\x11\x92\xf4\x27\x62\xed\xc1\x9b"
        "\x2e\x8d\x1f\x38\x63\xa2\xa0\xf5\x7f\x93\xc1\x0a\x6d\x39\x9b\x02\xbb"
        "\x62\x94\x21\x44\xbb\x6c\x4d\xd0\x1e\x1f\xe1\xbe\xb9\xcb\x45\xf7\x69"
        "\x12\xdd\x90\x1d\x20\x75\xbd\xab\x3d\xdb\x0a\x72\xb8\xc5\x33\xbe\x38"
        "\x85\x3a\x22\x0d\xa0\x3d\xb3\x9a\xd8\x92\x96\xe0\x51\xc9\x4e\xf9\x69"
        "\x79\xbf\x93\x4c\xfe\x72\xfc\x33\xdb\x7f\x63\x39\x72\xdd\xae\x79\x5f"
        "\x24\x78\x56\xc9\x7a\xbb\x65\x86\xb1\x6e\x85\x34\x7a\x58\xcb\x31\x3d"
        "\x0c\x7f\xfe\xa8\x41\x77\xbe\x6c\xab\x90\x1a\xbc\xe2\x16\x57\xf5\xc7"
        "\xe1\x1b\x36\xc4\x01\x82\xc8\xc9\xcd\xfc\x87\xda\xff\xc3\xf2\xf9\xd8"
        "\x56\x90\xe4\xf2\x85\x42\x15\xf9\x63\xb4\xf8\x9a\xac\x09\x8f\x7b\xa9"
        "\x79\x88\xc1\x31\x91\x12\x41\xd6\xfa\x86\x32\x30\x76\x44\x7b\x58\xc8"
        "\x24\xd4\xae\x8a\xbc\xb9\x55\x8d\xb3\xf3\x09\x36\x76\x42\x30\x55\xe5"
        "\xba\x7a\x4b\x3d\xaa\x3e\x41\x17\x59\x62\xfa\xc1\x4a\x7e\x4b\xbc\x3f"
        "\x7a\x44\xb9\x0e\xfb\x31\xd0\x13\xf1\x4a\x08\x5f\x21\x35\xa2\xc9",
        4096));
    syscall(__NR_ioctl, r[2], 0x4080aebf, 0x20008400);
    break;
  case 5:
    syscall(__NR_ioctl, r[2], 0xc080aebe, 0x20002280);
    break;
  }
}
/*
 * Reproducer entry point.
 *
 * Maps the fixed scratch window that the generated calls address by absolute
 * pointer (0x20002280, 0x20008400 and 0x20009480 in the ioctl/memcpy calls
 * above all fall inside it), installs the fault handler, then hands control
 * to do_sandbox_none().
 */
int main(void)
{
  /*
   * Enumeration constants have type int, so the variadic syscall() receives
   * exactly the argument types it would get from the bare literals.
   */
  enum {
    DATA_BASE = 0x20000000, /* start of the scratch window */
    DATA_SIZE = 0x1000000,  /* 16 MiB */
    DATA_PROT = 3,          /* PROT_READ | PROT_WRITE */
    DATA_FLAGS = 0x32,      /* MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS (asm-generic values) */
    DATA_FD = -1            /* anonymous mapping, no backing file */
  };

  /*
   * The return value is not checked. MAP_FIXED replaces anything already
   * mapped in [DATA_BASE, DATA_BASE + DATA_SIZE).
   */
  syscall(__NR_mmap, DATA_BASE, DATA_SIZE, DATA_PROT, DATA_FLAGS, DATA_FD, 0);

  /* Must precede the generated calls: their NONFAILING() copies depend on it. */
  install_segv_handler();

  /* NOTE(review): defined outside this view; presumably runs the call sequence — confirm. */
  do_sandbox_none();
  return 0;
}