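// https://syzkaller.appspot.com/bug?id=e345e7990adf39a628c60cf7cc31326dde8cba66
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

// NOTE(review): this copy of the file had lost the header names (only bare
// "#include" tokens were left). The list below is restored from the symbols
// the file uses, plus <endian.h> from syzkaller's usual preamble; confirm it
// against the original reproducer.
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#include <linux/loop.h>

// Fallback syscall number for toolchains whose headers do not define it.
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Index used to pick this process's loop device ("/dev/loop<procid>").
static unsigned long long procid;

// Per-thread state consulted by segv_handler(). clone_ongoing is only read in
// the visible part of the file; skip_segv and segv_env are driven by
// NONFAILING().
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;

// SIGSEGV/SIGBUS handler.
//
// A fault is recovered from (by jumping back into the NONFAILING() that armed
// segv_env) only when skip_segv is non-zero and the faulting address lies
// outside [1 MiB, 100 MiB]. Every other fault terminates the process with the
// signal number as exit status, as does any fault taken while clone_ongoing is
// set.
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
  if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
    exit(sig);
  }
  uintptr_t addr = (uintptr_t)info->si_addr;
  // NOTE(review): judging by the names, this is the range the program image
  // itself occupies, so a fault inside it is treated as a real crash; confirm.
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
  int valid = addr < prog_start || addr > prog_end;
  if (skip && valid) {
    _longjmp(segv_env, 1);
  }
  exit(sig);
}

// Installs the signal dispositions the reproducer relies on.
//
// Signals 0x20 and 0x21 are set to SIG_IGN through the raw rt_sigaction
// syscall (sigset size 8) rather than sigaction(). SIGSEGV and SIGBUS are
// routed to segv_handler() with SA_SIGINFO, and with SA_NODEFER so that the
// signal is not left blocked after the handler leaves through _longjmp().
static void install_segv_handler(void)
{
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  // NOTE(review): 0x20/0x21 look like the signals libc keeps for its own use,
  // which would explain the raw syscall; confirm.
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

// Evaluates the given statement(s) with fault recovery armed: skip_segv is
// raised for the duration, and a fault that segv_handler() accepts unwinds to
// the _setjmp() here. The expression yields 1 if the statements ran to
// completion and 0 if they were abandoned after a fault.
#define NONFAILING(...)                                                        \
  ({                                                                           \
    int ok = 1;                                                                \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    if (_setjmp(segv_env) == 0) {                                              \
      __VA_ARGS__;                                                             \
    } else                                                                     \
      ok = 0;                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);                       \
    ok;                                                                        \
  })

// Sleeps for ms milliseconds.
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// Returns CLOCK_MONOTONIC time in milliseconds; exits with status 1 if the
// clock cannot be read.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Writes a printf-style formatted string to an existing file.
//
// The text is formatted into a 1024-byte buffer (longer output is truncated)
// and written with a single write(). The file is opened O_WRONLY | O_CLOEXEC
// without O_CREAT, so it must already exist.
//
// Returns true on success. Returns false if the file cannot be opened or the
// write is short or fails; errno from the write is preserved across close().
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    // close() may overwrite errno; keep the value from the failed write.
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.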
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

// Limits used by the decoder below: longest code length, number of
// literal/length and distance codes in a dynamic block, and the number of
// literal/length codes in the fixed table.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state: output buffer with its capacity and fill level, input buffer
// with its length and read position, the pending bit buffer, and the jump
// target used when the input runs out in the middle of a read.
struct puff_state {
  unsigned char* out;
  unsigned long outlen;
  unsigned long outcnt;
  const unsigned char* in;
  unsigned long inlen;
  unsigned long incnt;
  int bitbuf;
  int bitcnt;
  jmp_buf env;
};

// Returns the next `need` bits of input, least-significant bit first,
// refilling the bit buffer one byte at a time. If the input is exhausted this
// does not return: it longjmp()s to s->env, which puff() reports as error 2.
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}

// Copies one stored (uncompressed) block from input to output.
//
// Returns 0 on success, 2 if the 4-byte length header or the payload runs
// past the end of the input, -2 if the length and its one's complement do not
// match, and 1 if the payload does not fit in the output buffer.
static int puff_stored(struct puff_state* s)
{
  // Discard any bits left over from the block header.
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) ||
      s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  // Both bounds are checked before any byte is copied.
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  for (; len--; s->outcnt++, s->incnt++) {
    // Zero bytes are skipped rather than stored, so the result is only correct
    // if the output buffer starts out zero-filled (puff_zlib_to_file() passes a
    // fresh anonymous mapping).
    // NOTE(review): presumably this keeps untouched pages unpopulated; confirm.
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}

// Huffman table: count[len] is the number of codes of each bit length and
// symbol[] lists the symbols ordered by code.
struct puff_huffman {
  short* count;
  short* symbol;
};

// Decodes one symbol from the input using table h, reading the code one bit
// at a time. Returns the symbol, or -10 if no code of up to MAXBITS bits
// matches. Like puff_bits(), it longjmp()s to s->env when the input ends.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        // Found a code of this length: save the unused bits and return.
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    // Bit buffer drained: stop once MAXBITS lengths have been tried, otherwise
    // pull in another input byte.
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}

// Builds table h from the n code lengths in length[].
//
// Returns 0 if every length is zero or the code is complete, a negative value
// if the lengths over-subscribe the code space, and a positive value if the
// code is incomplete. h->count must have room for MAXBITS + 1 entries and
// h->symbol for n entries; the callers in this file size them accordingly.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  if (h->count[0] == n)
    return 0;
  // `left` tracks how many codes of the current length are still unassigned.
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  // offs[len] is the index in symbol[] of the first symbol with that length.
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}

// Decodes literal/length and distance codes until the end-of-block symbol
// (256) is seen.
//
// Returns 0 at end of block, 1 if the output buffer is full, -10 for an
// invalid length symbol, -11 if a distance reaches back before the start of
// the output, or a negative code passed through from puff_decode().
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
                      const struct puff_huffman* distcode)
{
  // Base value and number of extra bits for each length symbol (257..285) ...
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
                                 15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
                                 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1,
                                 1, 1, 2, 2, 2, 2, 3, 3, 3, 3,
                                 4, 4, 4, 4, 5, 5, 5, 5, 0};
  // ... and for each distance symbol (0..29).
  static const short dists[30] = {
      1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
      33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
      1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
                                 4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
                                 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte. A zero literal only advances the output position; see
      // the note in puff_stored().
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair: copy `len` bytes from `dist` bytes back.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      // Reject back-references before the start of the output, and copies
      // that would run past its end, before touching the buffer.
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}

// Decodes a block that uses the fixed code tables. The tables live in static
// storage and are built on the first call only (guarded by `virgin`).
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    // Fixed literal/length code lengths: 8, 9, 7, 8 bits over four ranges.
    short lengths[FIXLCODES];
    int symbol;
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    // Every fixed distance code is 5 bits long.
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}

// Decodes a block whose code tables are transmitted in the block itself.
//
// Returns the result of puff_codes() on success, or:
//   -3  more literal/length or distance codes than the limits allow
//   -4  the code-length code is not complete
//   -5  "repeat previous length" with no previous length
//   -6  a repeat runs past the declared number of lengths
//   -7  invalid literal/length code lengths
//   -8  invalid distance code lengths
//   -9  no end-of-block code (length of symbol 256 is zero)
// Negative results from puff_decode() are passed through unchanged.
static int puff_dynamic(struct puff_state* s)
{
  // Order in which the code-length code lengths are transmitted.
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
                                  11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  // Bounds the writes into lengths[] below (nlen + ndist <= MAXCODES).
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  // Read the literal/length and distance code lengths with the code-length
  // code just built. Symbols 0..15 are literal lengths; 16 repeats the
  // previous length, 17 and 18 repeat zero.
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      // `symbol` now holds the repeat count; check it before writing.
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  // An incomplete code is accepted only when all of its used codes are one
  // bit long (count[0] + count[1] accounts for every symbol).
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}

// Decompresses `source` (sourcelen bytes) into `dest`.
//
// On entry *destlen is the capacity of dest; on return it is the number of
// bytes produced, including when an error is returned. Returns 0 on success,
// 2 if the input ended early (the longjmp path from puff_bits() and
// puff_decode()), -1 for block type 3, or the code from the block decoder.
static int puff(unsigned char* dest, unsigned long* destlen,
                const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      // Block header: 1-bit "last block" flag, then a 2-bit block type.
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s)
                      : (type == 1 ? puff_fixed(&s)
                                   : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}
//% END CODE DERIVED FROM puff.{c,h}

// Number of leading bytes skipped before the compressed data is decoded.
#define ZLIB_HEADER_WIDTH 2

// Decompresses a zlib-wrapped buffer and writes the result to dest_fd.
//
// The two header bytes are skipped without being inspected, and nothing here
// verifies a trailing checksum. Output is capped at 132 MiB, the size of the
// scratch mapping. An input shorter than the header is treated as success
// with nothing written.
//
// Returns 0 on success and -1 on failure. After a decode failure errno is set
// to -err, so puff()'s positive codes (1, 2) show up as negative errno
// values. After a failed or short write errno is whatever write()/munmap()
// left behind.
static int puff_zlib_to_file(const unsigned char* source,
                             unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  const unsigned long max_destlen = 132 << 20;
  // Anonymous private mapping, so the buffer starts zero-filled; the decoder
  // depends on that because it skips zero bytes.
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    errno = -err;
    return -1;
  }
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  return munmap(dest, max_destlen);
}

// Backs the loop device `loopname` with the decompressed image.
//
// The image is inflated into a memfd named "syzkaller", which is then attached
// to the loop device with LOOP_SET_FD. If the device is busy it is detached
// (LOOP_CLR_FD) and the attach is retried once after 1 ms.
//
// Returns 0 and stores the open loop device descriptor in *loopfd_p (the
// caller closes it), or -1 with errno set to the first failure. The memfd is
// closed before returning in either case.
static int setup_loop_device(unsigned char* data, unsigned long size,
                             const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // Device still bound to something else: detach it and try once more.
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  close(memfd);
  *loopfd_p = loopfd;
  return 0;
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

// Detaches whatever backs the loop device `loopname`; all failures are
// ignored.
static void reset_loop_device(const char* loopname)
{
  int loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    return;
  }
  if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  }
  close(loopfd);
}

// Mounts a filesystem image at `dir`.
//
// Arguments arrive as integers and are cast to pointers: fsarg is the
// filesystem type string, dir the mount point, optsarg the mount option
// string, image the compressed image of `size` bytes. When size is non-zero
// the image is attached to /dev/loop<procid> and that device is the mount
// source; otherwise the source is NULL. The loop device is detached again
// before returning, whether or not the mount succeeded.
//
// Returns -1 with errno set on failure. On success the return value is the
// descriptor of the opened mount point when change_dir is zero.
// NOTE(review): when change_dir is non-zero, `res` is overwritten with the
// result of chdir(), so the directory descriptor is neither returned nor
// closed; confirm whether callers depend on that.
static long syz_mount_image(volatile long fsarg, volatile long dir,
                            volatile long flags, volatile long optsarg,
                            volatile long change_dir,
                            volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    close(loopfd);
    source = loopname;
  }
  // Result ignored: the mount point may already exist.
  mkdir(target, 0777);
  // Copy at most sizeof(opts) - 32 bytes of the caller's options. The buffer
  // is zeroed first, so the copy is always NUL-terminated, and the 32 spare
  // bytes leave room for the longest suffix appended below.
  char opts[256];
  memset(opts, 0, sizeof(opts));
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  // Per-filesystem adjustments to the flags and options.
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Accept "errors=remount-ro" only as a whole comma-separated option.
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') &&
                        (after == '\0' || after == ','));
    }
    // Appended last, so it comes after any "errors=panic" in the options.
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  } else if (strncmp(fs, "gfs2", 4) == 0 &&
             (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
    strcat(opts, ",errors=withdraw");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }
error_clear_loop:
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}

// Kills the child `pid` and its process group with SIGKILL and reaps it.
//
// The child is polled for up to 100 times at 1 ms intervals. If it still has
// not exited, one byte is written to the "abort" file of every entry under
// /sys/fs/fuse/connections, and the function then blocks until the child is
// reaped.
// NOTE(review): presumably the abort writes release a child stuck on a FUSE
// request; confirm.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      // Note: this local shadows the libc function abort().
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // The byte written is simply the first character of the path buffer.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Detaches this process's loop device (/dev/loop<procid>) if it can be
// opened.
static void reset_loop()
{
  char buf[64];
  snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
  int loopfd = open(buf, O_RDWR);
  if (loopfd != -1) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
}

// Per-iteration setup run in the forked child: request SIGKILL when the
// parent dies, move into a new process group (kill_and_wait() signals the
// whole group), and write 1000 to oom_score_adj, making this process the
// preferred victim of the kernel's OOM killer.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main driver: each iteration detaches the loop device and forks a child that
// runs setup_test() and then execute_one().
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // syz_mount_image$exfat arguments: [ // fs: ptr[in, buffer] { // buffer: {65 78 66 61 74 00} (length 0x6) // } // dir: ptr[in, buffer] { // buffer: {e9 1f 71 89 59 1e 92 33 61 4b 00} (length 0xb) // } // flags: mount_flags = 0xa18088 (8 bytes) // opts: ptr[inout, array[ANYUNION]] { // array[ANYUNION] { // } // } // chdir: int8 = 0x21 (1 bytes) // size: len = 0x1517 (8 bytes) // img: ptr[in, buffer] { // buffer: (compressed buffer with length 0x1517) // } // ] // returns fd_dir NONFAILING(memcpy((void*)0x200000000080, "exfat\000", 6)); NONFAILING( memcpy((void*)0x200000000240, "\351\037q\211Y\036\2223aK\000", 11)); NONFAILING(memcpy( (void*)0x2000000019c0, "\x78\x9c\xec\xdc\x0b\x98\x4e\x55\xfb\x30\xf0\xfb\x5e\x6b\x6d\xc6\x34\xf1" "\x34\xc9\x61\x58\x6b\xdd\x9b\x27\x0d\x96\x43\x92\x1c\x92\xe4\x90\x24\xc9" "\x2b\x49\x4e\x09\xa1\x49\x92\x84\xc4\x38\x4b\x1a\x92\x24\xc7\x49\x72\x18" "\x42\x72\x98\xc6\xa4\x71\x3e\x1f\x72\x4e\x92\xa4\x49\x92\x90\x90\xb0\xbe" "\x4b\x7f\x7d\xde\xb7\xf7\xd0\xf7\xfe\xff\x7d\x9f\xeb\x7b\xe7\xfe\x5d\xd7" "\xbe\xac\xfb\xd9\xcf\xbd\xf6\xbd\x9f\x7b\x3f\xf6\xb3\xf7\x73\x3d\xf3\x5d" "\x8f\x51\x75\x9a\xd5\xad\xd9\x84\x88\xe0\x7f\x04\xff\xeb\x9f\x64\x00\x88" "\x01\x80\x61\x00\x90\x0f\x00\x02\x00\xa8\x18\x5f\x31\xfe\xf2\xfa\x3c\x12" "\x93\xff\x67\x1b\x61\x7f\xae\x87\xd3\xae\x75\x05\xec\x5a\xe2\xfe\xe7\x6c" "\xdc\xff\x9c\x8d\xfb\x9f\xb3\x71\xff\x73\x36\xee\x7f\xce\xc6\xfd\xcf\xd9" "\xb8\xff\x39\x1b\xf7\x9f\xb1\x9c\x6c\xdb\xec\xc2\x37\xf0\x92\x73\x17\xbe" "\xff\x9f\x93\xf1\xf9\xff\x3f\x48\x76\x99\x49\x5f\x6d\x28\x73\x53\xcf\x7f" 
"\x23\x85\xfb\x9f\xb3\x71\xff\x73\x36\xee\x7f\xce\xc6\xfd\xcf\xd9\xb8\xff" "\x39\x1b\xf7\x3f\x67\xe3\xfe\xe7\x6c\xdc\x7f\xc6\x72\xb2\xff\xfe\xbd\x63" "\xfe\xee\xe0\x3f\x61\xb9\xd6\xc7\x1f\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63" "\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\xb1\x9c\xe1\x9c\xbf\x4a\x01\xc0" "\x6f\xe3\x6b\x5d\x17\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\xfe\x3c\x3e\xf7" "\xb5\xae\x80\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\xff\xf7\x21\x08\x90\x80" "\x08\x90\x0b\x72\x43\x0c\xe4\x81\x58\xb8\x0e\xe2\xe0\x7a\xc8\x0b\xf9\x20" "\x02\x37\x40\x3c\xdc\x08\xf9\xe1\x26\x28\x00\x05\xa1\x10\x14\x86\x04\x28" "\x02\x45\x41\x83\x01\x0b\x04\x21\x14\x83\xe2\x10\x85\x9b\xa1\x04\xdc\x02" "\x89\x50\x12\x4a\x41\x69\x70\x50\x06\xca\x42\x39\x28\x0f\xb7\x42\x05\xb8" "\x0d\x2a\xc2\xed\x50\x09\xee\x80\xca\x50\x05\xaa\x42\x35\xb8\x13\xaa\xc3" "\x5d\x50\x03\xee\x86\x9a\x70\x0f\xd4\x82\xda\x50\x07\xea\xc2\xbd\x50\x0f" "\xee\x83\xfa\x70\x3f\x34\x80\x07\xa0\x21\x3c\x08\x8d\xe0\x21\x68\x0c\x7f" "\x81\x26\xf0\x30\x34\x85\x47\xa0\x19\x3c\x0a\xcd\xe1\x31\x68\x01\x2d\xa1" "\x15\xb4\x86\x36\xff\xad\xfc\x17\xa1\x0f\xbc\x04\x7d\xa1\x1f\x24\x43\x7f" "\x18\x00\x03\x61\x10\x0c\x86\x21\x30\x14\x86\xc1\xcb\x30\x1c\x5e\x81\x11" "\xf0\x2a\xa4\xc0\x48\x18\x05\xaf\xc1\x68\x78\x1d\xc6\xc0\x1b\x30\x16\xde" "\x84\x71\xf0\x16\x8c\x87\x09\x30\x11\x26\xc1\x64\x98\x02\xa9\xf0\x36\x4c" "\x85\x77\x60\x1a\xbc\x0b\xd3\x61\x06\xcc\x84\x59\x90\x06\xb3\x61\x0e\xbc" "\x07\x73\x61\x1e\xcc\x87\xf7\x61\x01\x7c\x00\x0b\x61\x11\x2c\x86\x25\x90" 
"\x0e\x1f\x42\x06\x2c\x85\x4c\xf8\x08\x96\xc1\xc7\x90\x05\xcb\x61\x05\xac" "\x84\x55\xb0\x1a\xd6\xc0\x5a\x58\x07\xeb\x61\x03\x6c\x84\x4d\xb0\x19\xb6" "\xc0\x56\xd8\x06\x9f\xc0\x76\xd8\x01\x3b\x61\x17\xec\x86\x3d\xb0\x17\x3e" "\x85\x7d\xf0\x19\xec\x87\xcf\xe1\x00\x7c\xf1\x6f\xe6\x9f\xfd\x5d\x7e\x4f" "\x04\x04\x14\x28\x50\xa1\xc2\x5c\x98\x0b\x63\x30\x06\x63\x31\x16\xe3\x30" "\x0e\xf3\x62\x5e\x8c\x60\x04\xe3\x31\x1e\xf3\x63\x7e\x2c\x80\x05\xb0\x10" "\x16\xc2\x04\x4c\xc0\xa2\x58\x14\x0d\x1a\x24\x24\x54\x57\x8e\xa4\x12\x58" "\x02\x13\x31\x11\x4b\x61\x29\x74\xe8\xb0\x2c\x96\xc5\xf2\x78\x2b\x56\xc0" "\x0a\x58\x11\x2b\x62\x25\xac\x84\x95\xb1\x0a\x56\xc1\x6a\x58\x0d\xab\x63" "\x75\xac\x81\x35\xb0\x26\xd6\xc4\x5a\x58\x0b\xeb\x60\x1d\xbc\x17\xef\xc5" "\xfb\xb0\x3e\xd6\xc7\x06\xd8\x00\x1b\x62\x43\x6c\x84\x8d\xb0\x31\x36\xc6" "\x26\xd8\x04\x9b\x62\x53\x6c\x86\xcd\xb0\x39\x36\xc7\x16\xd8\x02\x5b\x61" "\x2b\x6c\x83\x6d\xb0\x2d\xb6\xc5\x76\xd8\x0e\x3b\x60\x07\xec\x88\x1d\xb1" "\x33\x76\xc6\x24\x4c\xc2\x2e\xd8\x05\xbb\x62\x57\xec\x86\xdd\xb0\x3b\x76" "\xc7\x1e\xd8\x03\x7b\x62\x2f\xec\x85\x2f\xe2\x8b\xf8\x12\xbe\x84\xfd\xb0" "\x96\xe8\x8f\x03\x70\x00\x0e\xc2\x41\x38\x04\x87\xe2\x50\x7c\x19\x87\xe3" "\x2b\xf8\x0a\xbe\x8a\x29\x38\x12\x47\xe1\x6b\xf8\x1a\xbe\x8e\x63\xf0\x0c" "\x8e\xc5\x37\x71\x1c\x8e\xc3\xea\x62\x02\x4e\xc4\x49\x48\x62\x0a\xa6\x62" "\x2a\x4e\xc5\xa9\x38\x0d\xa7\xe1\x74\x9c\x81\x33\x70\x16\xa6\xe1\x6c\x9c" "\x83\x73\x70\x2e\xce\xc3\x79\xf8\x3e\x2e\xc0\x0f\xf0\x03\x5c\x84\x8b\x70" "\x09\xa6\x63\x3a\x66\xe0\x52\xcc\xc4\x4c\x5c\x86\x67\x31\x0b\x97\xe3\x0a" "\x5c\x89\xab\x70\x35\xae\xc2\xb5\xb8\x0e\xd7\xe2\x06\xdc\x88\x1b\x70\x33" "\x6e\xc6\xad\xb8\x15\x3f\xc1\x4f\x70\x07\xee\xc0\x5d\xb8\x0b\xf7\x5c\x7e" "\xad\xf1\x53\xfc\x0c\x3f\xc3\x14\x3c\x80\x07\xf0\x20\x1e\xc4\x43\x78\x08" "\x0f\xe3\x61\xcc\xc6\x6c\x3c\x82\x47\xf0\x28\x1e\xc5\x63\x78\x0c\x8f\xe3" "\x71\x3c\x81\x27\xf1\x14\x9e\xc4\xd3\x78\x1a\xcf\xe0\x59\x3c\x87\xe7\xf0" 
"\x3c\x9e\xc7\x0b\xf8\x7c\xc2\x37\x4d\xf7\x94\x5c\x9f\x02\xe2\x32\x25\x94" "\xc8\x25\x72\x89\x18\x11\x23\x62\x45\xac\x88\x13\x71\x22\xaf\xc8\x2b\x22" "\x22\x22\xe2\x45\xbc\xc8\x2f\xf2\x8b\x02\xa2\x80\x28\x24\x0a\x89\x04\x91" "\x20\x8a\x8a\xa2\xc2\x08\x23\x48\x84\xa2\x98\x28\x26\xa2\x22\x2a\x4a\x88" "\x12\x22\x51\x24\x8a\x52\xa2\x94\x70\xc2\x89\xb2\xa2\xac\x28\x2f\xca\x8b" "\x0a\xa2\x82\xa8\x28\x6e\x17\x95\xc4\x1d\xa2\xb2\xa8\x22\xda\xbb\x6a\xa2" "\x9a\xa8\x2e\x3a\xb8\x1a\xe2\x6e\x51\x53\xd4\x14\xb5\x44\x6d\x51\x47\xd4" "\x15\x75\x45\x3d\x51\x4f\xd4\x17\xf5\x45\x03\xd1\x40\x34\x14\x0d\x45\x23" "\xf1\x90\x68\x2c\xfa\xe3\x10\x7c\x58\x5c\xee\x4c\x33\x31\x12\x9b\x8b\x51" "\xd8\x42\xb4\x14\xad\x44\x6b\xf1\x3a\x3e\x2e\xda\x8a\x31\xd8\x4e\xb4\x17" "\x1d\xc4\x93\xe2\x4d\x1c\x8b\x9d\x45\x5b\x97\x24\x9e\x16\x5d\xc4\x44\xec" "\x2a\x9e\x15\x93\xf0\x39\xd1\x5d\x4c\xc1\x1e\xe2\x05\xd1\x53\xf4\x12\xbd" "\xc5\x8b\xa2\x8f\x68\xe7\xfa\x8a\x7e\x62\x3a\xf6\x17\x03\xc4\x2c\x1c\x24" "\x06\x8b\x21\x62\xa8\x98\x8b\xb5\xc5\xe5\x8e\xd5\x11\xaf\x8a\x14\x31\x52" "\x8c\x12\xaf\x89\x25\xf8\xba\xf8\xed\x18\x1f\x27\xde\x12\xe3\xc5\x04\x31" "\x51\x4c\x12\x93\xc5\x14\x91\x2a\xde\x16\x53\xc5\x3b\x62\x9a\x78\x57\x4c" "\x17\x33\xc4\x4c\x31\x4b\xa4\x89\xd9\x62\x8e\x78\x4f\xcc\x15\xf3\xc4\x7c" "\xf1\xbe\x58\x20\x3e\x10\x0b\xc5\x22\xb1\x58\x2c\x11\xe9\xe2\x43\x91\x21" "\x96\x8a\x4c\xf1\x91\x58\x26\x3e\x16\x59\x62\xb9\x58\x21\x56\x8a\x55\x62" "\xb5\x58\x23\xd6\x8a\x75\x62\xbd\xd8\x20\x36\x8a\x4d\x62\xb3\xd8\x22\xb6" "\x8a\x6d\xe2\x13\xb1\x5d\xec\x10\x3b\xc5\x2e\xb1\x5b\xec\x11\x7b\xc5\xa7" "\x62\x9f\xf8\x4c\xec\x17\x9f\x8b\x03\xe2\x0b\x71\x50\x7c\x29\x0e\x89\xaf" "\xc4\x61\xf1\xb5\xc8\x16\xdf\x88\x23\xe2\x5b\x71\x54\x7c\x27\x8e\x89\xef" "\xc5\x71\xf1\x83\x38\x21\x4e\x8a\x53\xe2\x47\x71\x5a\xfc\x24\xce\x88\xb3" "\xe2\x9c\xf8\x59\x9c\x17\xbf\x88\x0b\xe2\xa2\xb8\x24\xbc\x00\x89\x52\x48" "\x29\x95\x0c\x64\x2e\x99\x5b\xc6\xc8\x3c\x32\x56\x5e\x27\xe3\xe4\xf5\x32" 
"\xaf\xcc\x27\x23\xf2\x06\x19\x2f\x6f\x94\xf9\xe5\x4d\xb2\x80\x2c\x28\x0b" "\xc9\xc2\x32\x41\x16\x91\x45\xa5\x96\x46\x5a\x49\x32\x94\xc5\x64\x71\x19" "\x95\x37\xcb\x12\xf2\x16\x99\x28\x4b\xca\x52\xb2\xb4\x74\xb2\x8c\x2c\x2b" "\xcb\xc9\xf2\xf2\x56\x59\x41\xde\x26\x2b\xca\xdb\x65\x25\x79\x87\xac\x2c" "\xab\xc8\xaa\xb2\x9a\xbc\x53\x56\x97\x77\xc9\x1a\xf2\x6e\x59\x53\xde\x23" "\x6b\xc9\xda\xb2\x8e\xac\x2b\xef\x95\xf5\xe4\x7d\xb2\xbe\xbc\x5f\x36\x90" "\x0f\xc8\x86\xf2\x41\xd9\x48\x3e\x24\x1b\xcb\xbf\xc8\x26\xf2\x61\xd9\x54" "\x3e\x22\x9b\xc9\x47\x65\x73\xf9\x98\x6c\x21\x5b\xca\x56\xb2\xb5\x6c\x23" "\x1f\x97\x6d\xe5\x13\xb2\x9d\x6c\x2f\x3b\xc8\x27\x65\x47\xd9\x49\x76\x96" "\x4f\xc9\x24\xf9\xb4\xec\x22\x9f\x91\x5d\xe5\xb3\xb2\x9b\x7c\x4e\x76\x97" "\xcf\xcb\x1e\xf2\x05\xd9\x53\xf6\x92\xbd\xe5\x45\x79\x49\x7a\xd9\x57\xf6" "\x93\xc9\xb2\xbf\x1c\x20\x07\xca\x41\x72\xb0\x1c\x22\x87\xca\x61\xf2\x65" "\x39\x5c\xbe\x22\x47\xc8\x57\x65\x4a\x0c\x00\xc8\xd7\xe4\x68\xf9\xba\x1c" "\x23\xdf\x90\x63\xe5\x9b\x72\x9c\x7c\x4b\x8e\x97\x13\xe4\x44\x39\x49\x4e" "\x96\x53\x64\xaa\x7c\x5b\x4e\x95\xef\xc8\x69\xf2\x5d\x39\x5d\xce\x90\x33" "\xe5\x2c\x99\x26\x67\xcb\x21\x57\x66\x9a\xff\x7f\x90\xff\xce\x3f\xc8\x1f" "\x21\x53\xe4\x48\xb9\x55\x6e\x93\x9f\xc8\xed\x72\x87\xdc\x29\x77\xc9\xdd" "\x72\x8f\xdc\x2b\xf7\xca\x7d\x72\x9f\xdc\x2f\xf7\xcb\x03\xf2\x80\x3c\x28" "\x0f\xca\x43\xf2\x90\x3c\x2c\x0f\xcb\x6c\x99\x2d\x8f\xc8\x23\xf2\xa8\x3c" "\x2a\x8f\xc9\x63\xf2\xb8\x3c\x2e\x4f\xc8\x93\xf2\x67\xf9\xa3\x3c\x2d\x7f" "\x92\x67\xe4\x59\x79\x56\xfe\x2c\xcf\xcb\xf3\xf2\xc2\x95\xd7\x00\x14\x2a" "\xa1\xa4\x52\x2a\x50\xb9\x54\x6e\x15\xa3\xf2\xa8\x58\x75\x9d\x8a\x53\xd7" "\xab\xbc\x2a\x9f\x8a\xa8\x1b\x54\xbc\xba\x51\xe5\x57\x37\xa9\x02\xaa\xa0" "\x2a\xa4\x0a\xab\x04\x55\x44\x15\x55\x5a\x19\x65\x15\xa9\x50\x15\x53\xc5" "\x55\x54\xdd\x8c\x57\xde\x22\xaa\x94\x2a\xad\x9c\x2a\xa3\xca\xaa\x72\xff" "\x4e\xbe\x2a\xa1\x6e\x51\x89\xaa\xe4\xdf\xe4\xff\x51\x7d\x6d\x54\x1b\xd5" 
"\x56\xb5\x55\xed\x54\x3b\xd5\x41\x75\x50\x1d\x55\x47\xd5\x59\x75\x56\x49" "\x2a\x49\x75\x51\x5d\x54\x57\xd5\x55\x75\x53\xdd\x54\x77\xd5\x5d\xf5\x50" "\x3d\x54\x4f\xd5\x53\xf5\x56\xbd\x55\x1f\xd5\x47\xf5\x55\x7d\x55\xb2\x4a" "\x56\x03\xd4\x40\x35\x48\x0d\x56\x43\xd4\x50\x35\xac\x3f\xa8\xe1\x6a\xb8" "\x1a\xa1\x46\xa8\x14\x95\xa2\x46\xa9\x51\x6a\xb4\x1a\xad\xc6\xa8\x31\x6a" "\xac\x1a\xab\xc6\xa9\x71\x6a\xbc\x1a\xaf\x26\xaa\x89\x6a\xb2\x9a\xac\x52" "\x55\xaa\x9a\xaa\xa6\xaa\x69\x6a\x9a\x9a\xae\xa6\xab\x99\x6a\xa6\x4a\x53" "\x69\x6a\x8e\x9a\xa3\xe6\xaa\xb9\x6a\xbe\x9a\xaf\x16\xa8\x05\x6a\xa1\x5a" "\xa8\x16\xab\xc5\x2a\x5d\xa5\xab\x0c\x95\xa1\x32\x55\xa6\x5a\xa6\x96\xa9" "\x2c\xb5\x5c\x2d\x57\x2b\xd5\x4a\xb5\x5a\xad\x56\x6b\xd5\x5a\xb5\x5e\xad" "\x57\x1b\xd5\x46\xb5\x59\x6d\x56\x59\x6a\x9b\xda\xa6\xb6\xab\xed\x6a\xa7" "\xda\xa9\x76\xab\xdd\x6a\xaf\xda\xab\xf6\xa9\x7d\x6a\xbf\xda\xaf\x0e\xa8" "\x03\xea\xa0\x3a\xa8\x0e\xa9\x43\xea\xb0\x3a\xac\xb2\x55\xb6\x3a\xa2\x8e" "\xa8\xa3\xea\xa8\x3a\xa6\x8e\xa9\xe3\xea\xb8\x3a\xa1\x4e\xa8\x53\xea\x94" "\x3a\xad\x4e\xab\x33\xea\x8c\x3a\xa7\xce\xa9\xf3\xea\xbc\xba\xa0\x2e\xa8" "\x4b\xea\x92\x82\x00\x02\x11\x88\x40\x05\x2a\xc8\x15\xe4\x0a\x62\x82\x98" "\x20\x36\x88\x0d\xe2\x82\xb8\x20\x6f\x90\x37\x88\x04\x91\x20\x3e\x88\x0f" "\xf2\x07\x37\x05\x05\x82\x82\x41\xa1\xa0\x70\x90\x10\x14\x09\x8a\x06\x3a" "\x30\x81\x0d\x28\x08\x83\x62\x41\xf1\x20\x1a\xdc\x1c\x94\x08\x6e\x09\x12" "\x83\x92\x41\xa9\xa0\x74\xe0\x82\x32\x41\xd9\xa0\x5c\x50\x3e\xb8\x35\xa8" "\x10\xdc\x16\x54\x0c\x6e\x0f\x2a\x05\x77\x04\x95\x83\x2a\x41\xd5\xa0\x5a" "\x70\x67\x50\x3d\xb8\x2b\xa8\x11\xdc\x1d\xd4\x0c\xee\x09\x6a\x05\xb5\x83" "\x3a\x41\xdd\xe0\xde\xa0\x5e\x70\x5f\x50\x3f\xb8\x3f\x68\x10\x3c\x10\x34" "\x0c\x1e\x0c\x1a\x05\x0f\x05\x8d\x83\xbf\x04\x4d\x82\x87\x83\xa6\xc1\x23" "\x41\xb3\xe0\xd1\xa0\x79\xf0\x58\xd0\x22\x68\x19\xb4\x0a\x5a\x07\x6d\xfe" "\xac\xf9\x15\x04\x4d\x03\xef\xcf\x14\x7c\xc2\xf5\xd5\xfd\x74\xb2\xee\xaf" 
"\x07\xe8\x81\x7a\x90\x1e\xac\x87\xe8\xa1\x7a\x98\x7e\x59\x0f\xd7\xaf\xe8" "\x11\xfa\x55\x9d\xa2\x47\xea\x51\xfa\x35\x3d\x5a\xbf\xae\xc7\xe8\x37\xf4" "\x58\xfd\xa6\x1e\xa7\xdf\xd2\xe3\xf5\x04\x3d\x51\x4f\xd2\x93\xf5\x14\x9d" "\xaa\xdf\xd6\x53\xf5\x3b\x7a\x9a\x7e\x57\x4f\xd7\x33\xf4\x4c\x3d\x4b\xa7" "\xe9\xd9\x7a\x8e\x7e\x4f\xcf\xd5\xf3\xf4\x7c\xfd\xbe\x5e\xa0\x3f\xd0\x0b" "\xf5\x22\xbd\x58\x2f\xd1\xe9\xfa\x43\x9d\xa1\x97\xea\x4c\xfd\x91\x5e\xa6" "\x3f\xd6\x59\x7a\xb9\x5e\xa1\x57\xea\x55\x7a\xb5\x5e\xa3\xd7\xea\x75\x7a" "\xbd\xde\xa0\x37\xea\x4d\x7a\xb3\xde\xa2\xb7\xea\x6d\xfa\x13\xbd\x5d\xef" "\xd0\x3b\xf5\x2e\xbd\x5b\xef\xd1\x7b\xf5\xa7\x7a\x9f\xfe\x4c\xef\xd7\x9f" "\xeb\x03\xfa\x0b\x7d\x50\x7f\xa9\x0f\xe9\xaf\xf4\x61\xfd\xb5\xce\xd6\xdf" "\xe8\x23\xfa\x5b\x7d\x54\x7f\xa7\x8f\xe9\xef\xf5\x71\xfd\x83\x3e\xa1\x4f" "\xea\x53\xfa\x47\x7d\x5a\xff\xa4\xcf\xe8\xb3\xfa\x9c\xfe\x59\x9f\xd7\xbf" "\xe8\x0b\xfa\xa2\xbe\xa4\xfd\xe5\x0f\xf7\x97\x4f\xef\x46\x19\x65\x72\x99" "\x5c\x26\xc6\xc4\x98\x58\x13\x6b\xe2\x4c\x9c\xc9\x6b\xf2\x9a\x88\x89\x98" "\x78\x13\x6f\xf2\x9b\xfc\xa6\x80\x29\x60\x0a\x99\x42\x26\xc1\x24\x98\xa2" "\xa6\xa8\xb9\x8c\x0c\x99\x62\xa6\x98\x89\x9a\xa8\x29\x61\x4a\x98\x44\x93" "\x68\x4a\x99\x52\xc6\x19\x67\xca\x9a\xb2\xa6\xbc\x29\x6f\x2a\x98\x0a\xa6" "\xa2\xa9\x68\x2a\x99\x4a\xa6\xb2\xa9\x6c\xaa\x9a\xaa\xe6\x4e\x73\xa7\xb9" "\xcb\xdc\x65\xee\x36\x77\x9b\x7b\xcc\x3d\xa6\xb6\xa9\x6d\xea\x9a\xba\xa6" "\x9e\xa9\x67\xea\x9b\xfa\xa6\x81\x69\x60\x1a\x9a\x86\xa6\x91\x69\x64\x1a" "\x9b\xc6\xa6\x89\x69\x62\x9a\x9a\xa6\xa6\x99\x69\x66\x9a\x9b\xe6\xa6\x85" "\x69\x61\x5a\x99\x56\xa6\x8d\x69\x63\xda\x9a\xb6\xa6\x9d\x69\x67\x3a\x98" "\x0e\xa6\xa3\xe9\x68\x3a\x9b\xce\x26\xc9\x24\x99\x2e\xa6\x8b\xe9\x6a\xba" "\x9a\x6e\xa6\x9b\xe9\x6e\xba\x9b\x1e\xa6\x87\xe9\x69\x7a\x9a\xde\xa6\xb7" "\xe9\x63\xfa\x98\xbe\xa6\xaf\x49\x36\xc9\x66\x80\x19\x60\x06\x99\x41\x66" "\x88\x19\x62\x86\x99\x61\x66\xb8\x19\x6e\x46\x98\x11\x26\xc5\xa4\x98\x51" 
"\x66\x94\x19\x6d\x46\x9b\x31\x66\x8c\x19\x6b\xde\x34\xe3\xcc\x5b\x66\xbc" "\x99\x60\x26\x9a\x49\x66\xb2\x99\x62\x52\x4d\xaa\x99\x6a\xa6\x9a\x69\x66" "\x9a\x99\x6e\xa6\x9b\x99\x66\xa6\x49\x33\x69\x66\x8e\x99\x63\xe6\x9a\xb9" "\x66\xbe\x99\x6f\x16\x98\x05\x66\xa1\x59\x68\x16\x9b\xc5\x26\xdd\xa4\x9b" "\x0c\x93\x61\x32\x4d\xa6\x59\x66\x96\x99\x2c\x93\x65\x56\x98\x15\x66\x95" "\x59\x65\xd6\x98\x35\x66\x9d\x59\x67\x36\x98\x0d\x66\x93\xd9\x64\xb6\x98" "\x2d\x66\x9b\xd9\x66\xb6\x9b\xed\x66\xa7\xd9\x69\x76\x9b\xdd\x66\xaf\xd9" "\x6b\xf6\x99\x7d\x66\xbf\xd9\x6f\x0e\x98\x03\xe6\xa0\x39\xe8\x11\xc0\x1c" "\x36\x87\x4d\xb6\xc9\x36\x47\xcc\x11\x73\xd4\x1c\x35\xc7\xcc\x31\x73\xdc" "\x1c\x37\x27\xcc\x09\x73\xca\x9c\x32\xa7\xcd\x69\x73\xc6\x9c\x31\xe7\xcc" "\x39\x73\xde\xfc\x62\x2e\x98\x8b\xe6\x92\xf1\x26\xc6\xe6\xb1\xb1\xf6\x3a" "\x1b\x67\xaf\xb7\x79\x6d\x3e\xfb\xfb\xb8\x90\x2d\x6c\x13\x6c\x11\x5b\xd4" "\x6a\x5b\xc0\x16\xfc\x9b\xd8\x58\x6b\x13\x6d\x49\x5b\xea\xb7\x4b\x4c\x5b" "\xce\x26\x5e\x3e\x97\xda\xd2\xd6\xd9\x32\xb6\xac\x2d\x67\x2b\xdb\x2a\xb6" "\xaa\xad\x66\xef\xb4\xd5\xed\x5d\xb6\xc6\xef\xe3\x7c\x60\xef\xb3\xf5\xed" "\xfd\xb6\x81\x7d\xc0\xd6\xb5\xf7\xda\x7a\x7f\x15\x37\xb4\x0f\xda\x46\xf6" "\x51\xdb\xd8\x3e\x66\x9b\xd8\x96\xb6\xa9\x6d\x6d\x9b\xd9\x47\x6d\x73\xfb" "\x98\x6d\x61\x5b\xda\x56\xb6\xb5\xed\x68\x3b\xd9\xce\xf6\x29\x9b\x64\x9f" "\xb6\x5d\xec\x33\x7f\x17\x67\xd8\xa5\x76\x9d\x5d\x6f\x37\xd8\x8d\x76\x9f" "\xfd\xcc\x9e\xb3\x3f\xdb\xa3\xf6\x3b\x7b\xde\xfe\x62\xfb\xda\x7e\x76\x98" "\x7d\xd9\x0e\xb7\xaf\xd8\x11\xf6\x55\x9b\x62\x47\xfe\x5d\x3c\xce\xbe\x65" "\xc7\xdb\x09\x76\xa2\x9d\x64\x27\xdb\x29\x7f\x17\xcf\xb4\xb3\x6c\x9a\x9d" "\x6d\xe7\xd8\xf7\xec\x5c\x3b\xef\xef\xe2\x74\xfb\xa1\x5d\x60\x33\xed\x42" "\xbb\xc8\x2e\xb6\x4b\x7e\x8d\x2f\xd7\x94\x69\x3f\xb2\xcb\xec\xc7\x36\xcb" "\x2e\xb7\x2b\xec\x4a\xbb\xca\xae\xb6\x6b\xec\xda\xff\x5d\xeb\x4a\xbb\xd9" "\x6e\xb1\x5b\xed\x5e\xfb\xa9\xdd\x6e\x77\xd8\x9d\x76\x97\xdd\x6d\xf7\xfc" 
"\x1a\x5f\xde\x8f\xfd\xf6\x73\x7b\xc0\x7e\x61\x8f\xd8\x6f\xed\x21\xfb\x95" "\x3d\x6c\x8f\xd9\x6c\xfb\xcd\xaf\xf1\xe5\xfd\x3b\x66\xbf\xb7\xc7\xed\x0f" "\xf6\x84\x3d\x69\x4f\xd9\x1f\xed\x69\xfb\x93\x3d\x63\xcf\x5e\xde\x7f\x7f" "\x79\xdf\x7f\xb4\x17\xed\x25\xeb\x2d\x10\x92\x20\x49\x8a\x02\xca\x45\xb9" "\x29\x86\xf2\x50\x2c\x5d\x47\x71\x74\x3d\xe5\xa5\x7c\x14\xa1\x1b\x28\x9e" "\x6e\xa4\xfc\x74\x13\x15\xa0\x82\x54\x88\x0a\x53\x02\x15\xa1\xa2\xa4\xc9" "\x90\x25\xa2\x90\x8a\x51\x71\x8a\xd2\xcd\x54\x82\x6e\xa1\x44\x2a\x49\xa5" "\xa8\x34\x39\x2a\x43\x65\xa9\x1c\x95\xa7\x5b\xa9\x02\xdd\x46\x15\xe9\x76" "\xaa\x44\x77\x50\x65\xaa\x42\x55\xa9\x1a\xdd\x49\xd5\xe9\x2e\xaa\x41\x77" "\x53\x4d\xba\x87\x6a\x51\x6d\xaa\x43\x75\xe9\x5e\xaa\x47\xf7\x51\x7d\xba" "\x9f\x1a\xd0\x03\xd4\x90\x1e\xa4\x46\xf4\x10\x35\xa6\xbf\x50\x13\x7a\x98" "\x9a\xd2\x23\xd4\x8c\x1e\xa5\xe6\xf4\x18\xb5\xa0\x96\xd4\x8a\x5a\x53\x1b" "\x7a\x9c\xda\xd2\x13\xd4\x8e\xda\x53\x07\x7a\x92\x3a\x52\x27\xea\x4c\x4f" "\x51\x12\x3d\x4d\x5d\xe8\x19\xea\x4a\xcf\x52\x37\x7a\x8e\xba\xd3\xf3\xd4" "\x83\x5e\xa0\x9e\xd4\x8b\x7a\xd3\x8b\xd4\x87\x5e\xa2\xbe\xd4\x8f\x92\xa9" "\x3f\x0d\xa0\x81\x34\x88\x06\xd3\x10\x1a\x4a\xc3\xe8\x65\x1a\x4e\xaf\xd0" "\x08\x7a\x95\x52\x68\x24\x8d\xa2\xd7\x68\x34\xbd\x4e\x63\xe8\x0d\x1a\x4b" "\x6f\xd2\x38\x7a\x8b\xc6\xd3\x04\x9a\x48\x93\x68\x32\x4d\xa1\x54\x7a\x9b" "\xa6\xd2\x3b\x34\x8d\xde\xa5\xe9\x34\x83\x66\xd2\x2c\x4a\xa3\xd9\x34\x87" "\xde\xa3\xb9\x34\x8f\xe6\xd3\xfb\xb4\x80\x3e\xa0\x85\xb4\x88\x16\xd3\x12" "\x4a\xa7\x0f\x29\x83\x96\x52\x26\x7d\x44\xcb\xe8\x63\xca\xa2\xe5\xb4\x82" "\x56\xd2\x2a\x5a\x4d\x6b\x68\x2d\xad\xa3\xf5\xb4\x81\x36\xd2\x26\xda\x4c" "\x5b\x68\x2b\x6d\xa3\x4f\x68\x3b\xed\xa0\x9d\xb4\x8b\x76\xd3\x1e\xda\x4b" "\x9f\xd2\x3e\xca\x73\xe5\x0d\xf7\x05\x1d\xa4\x2f\xe9\x10\x7d\x45\x87\xe9" "\x6b\xca\xa6\x6f\xe8\x08\x7d\x4b\x47\xe9\x3b\x3a\x46\xdf\xd3\x71\xfa\x81" "\x4e\xd0\x49\x3a\x45\x3f\xd2\x69\xfa\x89\xce\xd0\x59\x3a\x47\x3f\xd3\x79" 
"\xfa\x85\x2e\xd0\x45\xba\x44\x9e\x20\xc4\x50\x84\x32\x54\x61\x10\xe6\x0a" "\x73\x87\x31\x61\x9e\x30\x36\xbc\x2e\x8c\x0b\xaf\x0f\xf3\x86\xf9\xc2\x48" "\x78\x43\x18\x1f\xde\x18\xe6\x0f\x6f\x0a\x0b\x84\x05\xc3\x42\x61\xe1\x30" "\x21\x2c\x12\x16\x0d\x75\x68\x42\x1b\x52\x18\x86\xc5\xc2\xe2\x61\x34\xbc" "\x39\x2c\x11\xde\x12\x26\x86\x25\xc3\x52\x61\xe9\xd0\x85\x65\xc2\xb2\x61" "\xb9\xb0\x7c\x78\x6b\x58\x21\xbc\x2d\xac\x18\xde\x1e\x56\x0a\xef\x08\x2b" "\x87\x55\xc2\x47\x1f\xa8\x16\xde\x19\x56\x0f\xef\x0a\x6b\x84\x77\x87\x35" "\xc3\x7b\xc2\x5a\x61\xed\xb0\x4e\x58\x37\xbc\x37\xac\x17\xde\x17\xd6\x0f" "\xef\x0f\x1b\x84\x0f\x84\x15\xc2\x07\xc3\x46\xe1\x43\x21\x5c\xf9\xbd\x4a" "\xd3\xf0\x91\xb0\x59\xf8\x68\xd8\x3c\x7c\x2c\x6c\x11\xb6\x0c\x5b\x85\xad" "\xc3\x36\xe1\xe3\x61\xdb\xf0\x89\xb0\x5d\xd8\x3e\xec\x10\x3e\x19\x76\x0c" "\x3b\x85\x9d\xc3\xa7\xc2\xa4\xf0\xe9\xb0\x4b\xf8\xcc\x1f\xae\x4f\x0e\xfb" "\x87\x03\xc2\x81\xe1\xc0\xd0\xfb\xfb\xe5\xe2\xe8\x92\x68\x7a\xf4\xc3\x68" "\x46\x74\x69\x34\x33\xfa\x51\x74\x59\xf4\xe3\x68\x56\x74\x79\x74\x45\x74" "\x65\x74\x55\x74\x75\x74\x4d\x74\x6d\x74\x5d\x74\x7d\x74\x43\x74\x63\x74" "\x53\x74\x73\x74\x4b\x74\x6b\xd4\xfb\xba\xb9\xc1\xa1\x13\x4e\x3a\xe5\x02" "\x97\xcb\xe5\x76\x31\x2e\x8f\x8b\x75\xd7\xb9\x38\x77\xbd\xcb\xeb\xf2\xb9" "\x88\xbb\xc1\xc5\xbb\x1b\x5d\x7e\x77\x93\x2b\xe0\x0a\xba\x42\xae\xb0\x4b" "\x70\x45\x5c\x51\xa7\x9d\x71\xd6\x91\x0b\x5d\x31\x57\xdc\x45\xdd\xcd\xae" "\x84\xbb\xc5\x25\xba\x92\xae\x94\x2b\xed\x9c\x2b\xe3\xca\xba\xd6\xae\x8d" "\x6b\xe3\xda\xba\x27\x5c\x3b\xd7\xde\x75\x70\x4f\xba\x27\x5d\x27\xd7\xc9" "\x3d\xe5\x9e\x72\x4f\xbb\x2e\xee\x19\xd7\xd5\x3d\xeb\xba\xb9\xe7\x5c\x77" "\xf7\xbc\x7b\xde\xbd\xe0\x7a\xba\x5e\xae\xb7\x7b\xd1\xf5\x71\x2f\xb9\xbe" "\xae\x9f\x4b\x76\xc9\x6e\x80\x1b\xe0\x06\xb9\x41\x6e\x88\x1b\xe2\x86\xb9" "\x61\x6e\xb8\x1b\xee\x46\xb8\x11\x2e\xc5\xa5\xb8\x51\x6e\x94\x1b\xed\x46" "\xbb\x31\x6e\x8c\x1b\xeb\xc6\xba\x71\x6e\x9c\x1b\xef\xc6\xbb\x89\x6e\xa2" 
"\x9b\xec\x26\xbb\x54\x97\xea\xa6\xba\xa9\x6e\x9a\x9b\xe6\x02\x00\x98\xe9" "\x66\xba\x34\x97\xe6\xe6\xb8\x39\x6e\xae\x9b\xeb\xe6\xbb\xf9\x6e\x41\xe2" "\x02\xb7\xd0\x2d\x74\x8b\xdd\x62\x97\xee\xd2\x5d\x86\xcb\x70\x99\x2e\xd3" "\x2d\x73\xcb\x5c\x96\xcb\x72\x2b\xdc\x0a\xb7\xca\xad\x72\x6b\xdc\x1a\xb7" "\xce\xad\x73\x1b\xdc\x06\xb7\xc9\x6d\x72\x5b\xdc\x16\xb7\xcd\x6d\x73\xdb" "\xdd\x76\xb7\xd3\xed\x74\xbb\xdd\x6e\xb7\xd7\xed\x75\xfb\xdc\x3e\xb7\xdf" "\xed\x77\x07\xdc\x01\x77\xd0\x1d\x74\x87\xdc\x21\x77\xd8\x7d\xed\xb2\xdd" "\x37\xee\x88\xfb\xd6\x1d\x75\xdf\xb9\x63\xee\x7b\x77\xdc\xfd\xe0\x4e\xb8" "\x93\xee\x94\xfb\xd1\x9d\x76\x3f\xb9\x33\xee\xac\x3b\xe7\x7e\x76\xe7\xdd" "\x2f\xee\x82\xbb\xe8\x2e\x39\xef\x52\x23\x6f\x47\xa6\x46\xde\x89\x4c\x8b" "\xbc\x1b\x99\x1e\x99\x11\x99\x19\x99\x15\x49\x8b\xcc\x8e\xcc\x89\xbc\x17" "\x99\x1b\x99\x17\x99\x1f\x79\x3f\xb2\x20\xf2\x41\x64\x61\x64\x51\x64\x71" "\x64\x49\x24\x3d\xf2\x61\x24\x23\xb2\x34\x92\x19\xf9\x28\xb2\x2c\xf2\x71" "\x24\x2b\xb2\x3c\xb2\x22\xb2\x32\xb2\x2a\xb2\x5a\x81\x2f\xb2\x3d\xf4\xc5" "\x7c\x71\x1f\xf5\x37\xfb\x12\xfe\x16\x9f\xe8\x4b\xfa\x52\xbe\xb4\x77\xbe" "\x8c\xcf\xed\xcb\xf9\xf2\xfe\x56\x5f\xc1\xdf\xe6\x2b\xfa\xdb\x7d\x25\x7f" "\x87\xaf\xec\xab\xf8\xaa\xfe\x31\xdf\xc2\xb7\xf4\xad\x7c\x6b\xdf\xc6\x3f" "\xee\xdb\xfa\x27\x7c\x3b\xdf\xde\x77\xf0\x4f\xfa\x8e\xbe\x93\xef\xec\x9f" "\xf2\x49\xfe\x69\xdf\xc5\x3f\xe3\xbb\xfa\x67\x7d\x37\xff\x9c\xef\xee\x9f" "\xf7\x3d\xfc\x0b\xbe\xa7\xef\xe5\x7b\xfb\x17\x7d\x1f\xff\x92\xef\xeb\xfb" "\xf9\x64\xdf\xdf\x0f\xf0\x03\xfd\x20\x3f\xd8\x0f\xf1\x43\xfd\x30\xff\xb2" "\x1f\xee\x5f\xf1\x23\xfc\xab\x3e\xc5\x8f\xf4\xa3\xfc\x6b\x7e\xb4\x7f\xdd" "\x8f\xf1\x6f\xf8\xb1\xfe\x4d\x3f\xce\xbf\xe5\xc7\xfb\x09\x7e\xa2\x9f\xe4" "\x27\xfb\x29\x3e\xd5\xbf\xed\xa7\xfa\x77\xfc\x34\xff\xae\x9f\xee\x67\xf8" "\x99\x7e\x96\x4f\xf3\xb3\xfd\x1c\xff\x9e\x9f\xeb\xe7\xf9\xf9\xfe\x7d\xbf" "\xc0\x7f\xe0\x17\xfa\x45\x7e\xb1\x5f\xe2\xd3\xfd\x87\x3e\xc3\x2f\xf5\x99" 
"\xfe\x23\xbf\xcc\x7f\xec\xb3\xfc\x72\xbf\xc2\xaf\xf4\xab\xfc\x6a\xbf\xc6" "\xaf\xf5\xeb\xfc\x7a\xbf\xc1\x6f\xf4\x9b\xfc\x66\xbf\xc5\x6f\xf5\xdb\xfc" "\x27\x7e\xbb\xdf\xe1\x77\xfa\x5d\x7e\xb7\xdf\xe3\xf7\xfa\x4f\xfd\x3e\xff" "\x99\xdf\xef\x3f\xf7\x07\xfc\x17\xfe\xa0\xff\xd2\x1f\xf2\x5f\xf9\xc3\xfe" "\x6b\x9f\xed\xbf\xf1\x47\xb2\xbe\xf5\x47\xfd\x77\xfe\x98\xff\xde\x1f\xf7" "\x3f\xf8\x13\xfe\xa4\x3f\xe5\x7f\xf4\xa7\xfd\x4f\xfe\x8c\x3f\xeb\xcf\xf9" "\x9f\xfd\x79\xff\x8b\xbf\xe0\x2f\xfa\x4b\xff\xe6\x6f\xd6\x6a\xff\x19\xb7" "\xce\x19\x63\x8c\x31\xc6\xfe\x3f\x34\xf0\x0f\xd6\xf7\xff\x07\x8f\x29\x00" "\x10\x57\xc6\xbf\x78\xef\xaf\xdf\x51\x38\xfb\xaf\xd7\x4b\x00\xd8\x54\xe0" "\xbf\xc6\x83\x45\x42\xc7\x08\x00\x3c\xdd\xaf\xc7\xc3\xbf\x2d\xb5\x6a\x25" "\x27\x27\x5f\x79\x6e\x96\x84\xa0\xf8\x22\x00\x88\xfc\x6e\x03\x57\xe2\xe5" "\xd0\x01\x3a\x41\x12\xb4\x87\xf2\xff\xb0\xbe\xc1\xa2\xd7\x79\xfa\x17\xf3" "\x67\x8c\xa1\xc9\xd1\xdb\x01\x62\xff\x2a\x27\x06\xae\xc6\x57\xe7\xff\xf2" "\x9f\xcc\xff\xf8\x93\xe3\x32\x2a\x85\xe7\xe2\xff\x79\xfd\xd1\x45\x00\x89" "\xc5\xaf\xe6\x5c\xbe\x0a\xff\x2d\x5e\x0e\x1d\x7e\xfd\xea\xb0\x3d\x54\xf8" "\x27\xf3\x17\x6c\xfb\xaf\xea\xcf\x92\x90\xe7\xab\x54\x80\x76\x7f\x95\x13" "\x07\x00\xed\xf2\xfc\xbe\xfe\xb2\xf0\x04\x3c\x03\x49\x7f\xf3\xcc\x06\xff" "\x70\x9b\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x72\x9e\xc1\xa2\x6a\xb7\x3f\xb8" "\xfe\xfc\xf5\xfa\x3c\x41\x5d\xcd\xc9\x0d\x57\xe3\x3f\xba\x3e\x67\x8c\x31" "\xc6\x18\x63\x8c\x31\xc6\xd8\xb5\xf7\x5c\xaf\xde\x4f\x3d\x9e\x94\xd4\xbe" "\x1b\x0f\x78\xc0\x83\x1c\x36\xe8\xf4\x2f\x9e\x73\xad\xff\x67\x62\x8c\x31" "\xc6\x18\x63\x8c\xfd\xd9\xae\x7e\xe8\xbf\xfa\x58\x9e\x6b\x59\x10\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\x96\x03\xfd\xbf\xf8\x4b\x63\xd7\x7a\x1f\x19\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" 
"\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\x63\x8c\xb1\x6b\xed\x7f\x05\x00\x00\xff\xff\xc1\xda\x33\xe3", 5399)); NONFAILING(syz_mount_image( /*fs=*/0x200000000080, /*dir=*/0x200000000240, /*flags=MS_I_VERSION|MS_POSIXACL|MS_SILENT|MS_RELATIME|MS_NOEXEC|0x80*/ 0xa18088, /*opts=*/0x200000000140, /*chdir=*/0x21, /*size=*/0x1517, /*img=*/0x2000000019c0)); // syz_mount_image$exfat arguments: [ // fs: nil // dir: ptr[in, buffer] { // buffer: {2e 2f 62 75 73 00} (length 0x6) // } // flags: mount_flags = 0x4800 (8 bytes) // opts: nil // chdir: int8 = 0x0 (1 bytes) // size: len = 0x0 (8 bytes) // img: ptr[in, buffer] { // buffer: (compressed buffer with length 0x0) // } // ] // returns fd_dir NONFAILING(memcpy((void*)0x200000000500, "./bus\000", 6)); NONFAILING(syz_mount_image(/*fs=*/0, /*dir=*/0x200000000500, /*flags=MS_REC|MS_NODIRATIME*/ 0x4800, /*opts=*/0, /*chdir=*/0, /*size=*/0, /*img=*/0x200000000240)); // creat arguments: [ // file: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 32 00} (length 0x8) // } // mode: open_mode = 0x71283578ac7c5cd (8 bytes) // ] // returns fd NONFAILING(memcpy((void*)0x200000000180, "./file2\000", 8)); syscall( __NR_creat, /*file=*/0x200000000180ul, /*mode=S_IXOTH|S_IROTH|S_IXGRP|S_IXUSR|S_IWUSR|S_IRUSR|0x71283578ac7c400*/ 0x71283578ac7c5cdul); // truncate arguments: [ // file: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 32 00} (length 0x8) // } // len: intptr = 0xf (8 bytes) // ] NONFAILING(memcpy((void*)0x200000000040, "./file2\000", 8)); syscall(__NR_truncate, /*file=*/0x200000000040ul, /*len=*/0xful); // chdir arguments: [ // dir: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8) // } // ] NONFAILING(memcpy((void*)0x200000000140, "./file0\000", 8)); syscall(__NR_chdir, /*dir=*/0x200000000140ul); // openat$cgroup_ro arguments: [ // fd: fd_cgroup (resource) // file: ptr[in, buffer] { // buffer: {70 69 64 73 2e 63 75 72 72 65 6e 74 00} (length 0xd) // } // flags: const = 
0x275a (4 bytes) // mode: const = 0x0 (2 bytes) // ] // returns fd NONFAILING(memcpy((void*)0x2000000000c0, "pids.current\000", 13)); syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x2000000000c0ul, /*flags=*/0x275a, /*mode=*/0); // openat arguments: [ // fd: fd_dir (resource) // file: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8) // } // flags: open_flags = 0x42 (4 bytes) // mode: open_mode = 0x147 (2 bytes) // ] // returns fd NONFAILING(memcpy((void*)0x200000000880, "./file1\000", 8)); syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000880ul, /*flags=O_CREAT|O_RDWR*/ 0x42, /*mode=S_IXOTH|S_IWOTH|S_IROTH|S_IXUSR|S_IRUSR*/ 0x147); // openat$dir arguments: [ // fd: const = 0xffffffffffffff9c (8 bytes) // file: ptr[in, buffer] { // buffer: {2e 00} (length 0x2) // } // flags: open_flags = 0x0 (4 bytes) // mode: open_mode = 0x0 (2 bytes) // ] // returns fd_dir NONFAILING(memcpy((void*)0x200000000000, ".\000", 2)); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul, /*flags=*/0, /*mode=*/0); if (res != -1) r[0] = res; // unlinkat arguments: [ // fd: fd_dir (resource) // path: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8) // } // flags: unlinkat_flags = 0x200 (8 bytes) // ] NONFAILING(memcpy((void*)0x200000000040, "./file1\000", 8)); syscall(__NR_unlinkat, /*fd=*/r[0], /*path=*/0x200000000040ul, /*flags=AT_REMOVEDIR*/ 0x200ul); // quotactl$Q_SETINFO arguments: [ // cmd: quota_cmd_setinfo = 0xffffffff80000602 (8 bytes) // special: nil // id: uid (resource) // addr: nil // ] syscall(__NR_quotactl, /*cmd=Q_SETINFO_PRJ*/ 0xffffffff80000602ul, /*special=*/0ul, /*id=*/0, /*addr=*/0ul); }

/*
 * Entry point of the reproducer.
 *
 * Builds the fixed address-space layout that the generated program's
 * hard-coded pointers (0x2000000000xx...) refer to, installs the
 * SIGSEGV/SIGBUS handler, and then calls loop().
 *
 * Layout, every mapping made with MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE (0x32):
 *   0x1ffffffff000  0x1000 bytes     prot 0 (no access)  page just below the data area
 *   0x200000000000  0x1000000 bytes  prot 7 (R|W|X)      data area for syscall arguments
 *   0x200001000000  0x1000 bytes     prot 0 (no access)  page just above the data area
 *
 * NOTE(review): the mmap results are not checked. If the data-area mapping
 * failed, the NONFAILING-wrapped memcpy calls that stage arguments would
 * fault and be skipped by segv_handler, so the later syscalls would run
 * against unmapped pointers. When using this program to confirm a kernel
 * fix, a quiet run is therefore only meaningful if the mappings succeeded
 * (e.g. verify with strace or /proc/<pid>/maps).
 */
int main(void)
{
  /* One row per fixed mapping, in the order they are created. */
  static const struct {
    unsigned long addr;
    unsigned long len;
    unsigned long prot;
  } regions[] = {
      {0x1ffffffff000ul, 0x1000ul, 0ul},    /* inaccessible page below */
      {0x200000000000ul, 0x1000000ul, 7ul}, /* PROT_WRITE|PROT_READ|PROT_EXEC */
      {0x200001000000ul, 0x1000ul, 0ul},    /* inaccessible page above */
  };
  unsigned idx;

  for (idx = 0; idx < sizeof(regions) / sizeof(regions[0]); idx++) {
    syscall(__NR_mmap, /*addr=*/regions[idx].addr, /*len=*/regions[idx].len,
            /*prot=*/regions[idx].prot,
            /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
            /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  }

  /* Not used in this function; the cast only silences the unused warning. */
  const char* reason;
  (void)reason;

  /* Faults inside NONFAILING(...) sections are recovered by this handler. */
  install_segv_handler();

  /* loop() is defined elsewhere in this file (outside the visible part);
   * presumably it runs the generated syscall sequence - confirm there. */
  loop();
  return 0;
}