// https://syzkaller.appspot.com/bug?id=be6e90ce70987950e6deb3bac8418344ca8b96cd // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static unsigned long long procid; static __thread int clone_ongoing; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { exit(sig); } uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static void netlink_nest(struct nlmsg* nlmsg, int typ) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_type = typ; nlmsg->pos += sizeof(*attr); nlmsg->nested[nlmsg->nesting++] = attr; } static void netlink_done(struct nlmsg* nlmsg) { struct nlattr* attr = nlmsg->nested[--nlmsg->nesting]; attr->nla_len = nlmsg->pos - (char*)attr; } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static int netlink_next_msg(struct nlmsg* nlmsg, unsigned int offset, unsigned int total_len) { struct nlmsghdr* hdr = (struct nlmsghdr*)(nlmsg->buf + offset); if (offset == total_len || offset + hdr->nlmsg_len > total_len) return -1; return hdr->nlmsg_len; } static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name, bool up) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name)); netlink_nest(nlmsg, IFLA_LINKINFO); netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type)); } static void netlink_add_device(struct nlmsg* nlmsg, int sock, const char* type, const char* name) { netlink_add_device_impl(nlmsg, type, name, false); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_veth(struct nlmsg* nlmsg, int sock, const char* name, const char* peer) { netlink_add_device_impl(nlmsg, "veth", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_nest(nlmsg, VETH_INFO_PEER); nlmsg->pos += sizeof(struct ifinfomsg); netlink_attr(nlmsg, IFLA_IFNAME, peer, strlen(peer)); netlink_done(nlmsg); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_xfrm(struct nlmsg* nlmsg, int sock, const char* name) { netlink_add_device_impl(nlmsg, "xfrm", name, true); netlink_nest(nlmsg, IFLA_INFO_DATA); int if_id = 1; netlink_attr(nlmsg, 2, &if_id, sizeof(if_id)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_hsr(struct nlmsg* nlmsg, int sock, const char* name, const char* slave1, const char* slave2) { netlink_add_device_impl(nlmsg, "hsr", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); int ifindex1 = if_nametoindex(slave1); netlink_attr(nlmsg, IFLA_HSR_SLAVE1, &ifindex1, sizeof(ifindex1)); int ifindex2 = if_nametoindex(slave2); netlink_attr(nlmsg, IFLA_HSR_SLAVE2, &ifindex2, sizeof(ifindex2)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_linked(struct nlmsg* nlmsg, int sock, const char* type, const char* name, const char* link) { netlink_add_device_impl(nlmsg, type, name, false); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_vlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t id, uint16_t proto) { netlink_add_device_impl(nlmsg, "vlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_VLAN_ID, &id, sizeof(id)); netlink_attr(nlmsg, IFLA_VLAN_PROTOCOL, &proto, sizeof(proto)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_macvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link) { netlink_add_device_impl(nlmsg, "macvlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); uint32_t mode = MACVLAN_MODE_BRIDGE; netlink_attr(nlmsg, IFLA_MACVLAN_MODE, &mode, sizeof(mode)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_add_geneve(struct nlmsg* nlmsg, int sock, const char* name, uint32_t vni, struct in_addr* addr4, struct in6_addr* addr6) { netlink_add_device_impl(nlmsg, "geneve", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_GENEVE_ID, &vni, sizeof(vni)); if (addr4) netlink_attr(nlmsg, IFLA_GENEVE_REMOTE, addr4, sizeof(*addr4)); if (addr6) netlink_attr(nlmsg, IFLA_GENEVE_REMOTE6, addr6, sizeof(*addr6)); netlink_done(nlmsg); netlink_done(nlmsg); int err = netlink_send(nlmsg, sock); if (err < 0) { } } #define IFLA_IPVLAN_FLAGS 2 #define IPVLAN_MODE_L3S 2 #undef IPVLAN_F_VEPA #define IPVLAN_F_VEPA 2 static void netlink_add_ipvlan(struct nlmsg* nlmsg, int sock, const char* name, const char* link, uint16_t mode, uint16_t flags) { netlink_add_device_impl(nlmsg, "ipvlan", name, false); netlink_nest(nlmsg, IFLA_INFO_DATA); netlink_attr(nlmsg, IFLA_IPVLAN_MODE, &mode, sizeof(mode)); netlink_attr(nlmsg, IFLA_IPVLAN_FLAGS, &flags, sizeof(flags)); netlink_done(nlmsg); netlink_done(nlmsg); int ifindex = if_nametoindex(link); netlink_attr(nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); } static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); if (err < 0) { } } static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); if (err < 0) { } } static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, NDA_DST, addr, addrsize); netlink_attr(nlmsg, NDA_LLADDR, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static struct nlmsg nlmsg; static int tunfd = -1; #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 200; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { exit(1); } char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL); close(sock); } #define DEVLINK_FAMILY_NAME "devlink" #define DEVLINK_CMD_PORT_GET 5 #define DEVLINK_ATTR_BUS_NAME 1 #define DEVLINK_ATTR_DEV_NAME 2 #define DEVLINK_ATTR_NETDEV_NAME 7 static struct nlmsg nlmsg2; static void initialize_devlink_ports(const char* bus_name, const char* dev_name, const char* netdev_prefix) { struct genlmsghdr genlhdr; int len, total_len, id, err, offset; uint16_t netdev_index; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) exit(1); int rtsock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (rtsock == -1) exit(1); id = netlink_query_family_id(&nlmsg, sock, DEVLINK_FAMILY_NAME, true); if (id == -1) goto error; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = DEVLINK_CMD_PORT_GET; netlink_init(&nlmsg, id, NLM_F_DUMP, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, DEVLINK_ATTR_BUS_NAME, bus_name, strlen(bus_name) + 1); netlink_attr(&nlmsg, DEVLINK_ATTR_DEV_NAME, dev_name, strlen(dev_name) + 1); err = netlink_send_ext(&nlmsg, sock, id, &total_len, true); if (err < 0) { goto error; } offset = 0; netdev_index = 0; while ((len = netlink_next_msg(&nlmsg, offset, total_len)) != -1) { struct nlattr* attr = (struct nlattr*)(nlmsg.buf + offset + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg.buf + offset + len; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == DEVLINK_ATTR_NETDEV_NAME) { char* port_name; char netdev_name[IFNAMSIZ]; port_name = (char*)(attr + 1); snprintf(netdev_name, sizeof(netdev_name), "%s%d", netdev_prefix, netdev_index); netlink_device_change(&nlmsg2, rtsock, port_name, true, 0, 0, 0, netdev_name); break; } } offset += len; netdev_index++; } error: close(rtsock); close(sock); } static int runcmdline(char* cmdline) { int ret = system(cmdline); if (ret) { } return ret; } #define DEV_IPV4 "172.20.20.%d" #define DEV_IPV6 "fe80::%02x" #define DEV_MAC 0x00aaaaaaaaaa static void netdevsim_add(unsigned int addr, unsigned int port_count) { write_file("/sys/bus/netdevsim/del_device", "%u", addr); if (write_file("/sys/bus/netdevsim/new_device", "%u %u", addr, port_count)) { char buf[32]; snprintf(buf, sizeof(buf), "netdevsim%d", addr); initialize_devlink_ports("netdevsim", buf, "netdevsim"); } } #define WG_GENL_NAME "wireguard" enum wg_cmd { WG_CMD_GET_DEVICE, WG_CMD_SET_DEVICE, }; enum wgdevice_attribute { WGDEVICE_A_UNSPEC, WGDEVICE_A_IFINDEX, WGDEVICE_A_IFNAME, WGDEVICE_A_PRIVATE_KEY, WGDEVICE_A_PUBLIC_KEY, WGDEVICE_A_FLAGS, WGDEVICE_A_LISTEN_PORT, WGDEVICE_A_FWMARK, WGDEVICE_A_PEERS, }; enum wgpeer_attribute { WGPEER_A_UNSPEC, WGPEER_A_PUBLIC_KEY, WGPEER_A_PRESHARED_KEY, WGPEER_A_FLAGS, WGPEER_A_ENDPOINT, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, WGPEER_A_LAST_HANDSHAKE_TIME, WGPEER_A_RX_BYTES, WGPEER_A_TX_BYTES, WGPEER_A_ALLOWEDIPS, WGPEER_A_PROTOCOL_VERSION, }; enum wgallowedip_attribute { WGALLOWEDIP_A_UNSPEC, WGALLOWEDIP_A_FAMILY, WGALLOWEDIP_A_IPADDR, WGALLOWEDIP_A_CIDR_MASK, }; static void netlink_wireguard_setup(void) { const char ifname_a[] = "wg0"; const char ifname_b[] = "wg1"; const char ifname_c[] = "wg2"; const char private_a[] = "\xa0\x5c\xa8\x4f\x6c\x9c\x8e\x38\x53\xe2\xfd\x7a\x70\xae\x0f\xb2\x0f\xa1" "\x52\x60\x0c\xb0\x08\x45\x17\x4f\x08\x07\x6f\x8d\x78\x43"; const char private_b[] = "\xb0\x80\x73\xe8\xd4\x4e\x91\xe3\xda\x92\x2c\x22\x43\x82\x44\xbb\x88\x5c" "\x69\xe2\x69\xc8\xe9\xd8\x35\xb1\x14\x29\x3a\x4d\xdc\x6e"; const char private_c[] = "\xa0\xcb\x87\x9a\x47\xf5\xbc\x64\x4c\x0e\x69\x3f\xa6\xd0\x31\xc7\x4a\x15" "\x53\xb6\xe9\x01\xb9\xff\x2f\x51\x8c\x78\x04\x2f\xb5\x42"; const char public_a[] = "\x97\x5c\x9d\x81\xc9\x83\xc8\x20\x9e\xe7\x81\x25\x4b\x89\x9f\x8e\xd9\x25" "\xae\x9f\x09\x23\xc2\x3c\x62\xf5\x3c\x57\xcd\xbf\x69\x1c"; const char public_b[] = "\xd1\x73\x28\x99\xf6\x11\xcd\x89\x94\x03\x4d\x7f\x41\x3d\xc9\x57\x63\x0e" "\x54\x93\xc2\x85\xac\xa4\x00\x65\xcb\x63\x11\xbe\x69\x6b"; const char public_c[] = "\xf4\x4d\xa3\x67\xa8\x8e\xe6\x56\x4f\x02\x02\x11\x45\x67\x27\x08\x2f\x5c" "\xeb\xee\x8b\x1b\xf5\xeb\x73\x37\x34\x1b\x45\x9b\x39\x22"; const uint16_t listen_a = 20001; const uint16_t listen_b = 20002; const uint16_t listen_c = 20003; const uint16_t af_inet = AF_INET; const uint16_t af_inet6 = AF_INET6; const struct sockaddr_in endpoint_b_v4 = { .sin_family = AF_INET, .sin_port = htons(listen_b), .sin_addr = {htonl(INADDR_LOOPBACK)}}; const struct sockaddr_in endpoint_c_v4 = { .sin_family = AF_INET, .sin_port = htons(listen_c), .sin_addr = {htonl(INADDR_LOOPBACK)}}; struct sockaddr_in6 endpoint_a_v6 = {.sin6_family = AF_INET6, .sin6_port = htons(listen_a)}; endpoint_a_v6.sin6_addr = in6addr_loopback; struct sockaddr_in6 endpoint_c_v6 = {.sin6_family = AF_INET6, .sin6_port = htons(listen_c)}; endpoint_c_v6.sin6_addr = in6addr_loopback; const struct in_addr first_half_v4 = {0}; const struct in_addr second_half_v4 = {(uint32_t)htonl(128 << 24)}; const struct in6_addr first_half_v6 = {{{0}}}; const struct in6_addr second_half_v6 = {{{0x80}}}; const uint8_t half_cidr = 1; const uint16_t persistent_keepalives[] = {1, 3, 7, 9, 14, 19}; struct genlmsghdr genlhdr = {.cmd = WG_CMD_SET_DEVICE, .version = 1}; int sock; int id, err; sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock == -1) { return; } id = netlink_query_family_id(&nlmsg, sock, WG_GENL_NAME, true); if (id == -1) goto error; netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_a, strlen(ifname_a) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_a, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_a, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[0], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v6, sizeof(endpoint_c_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[1], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_b, strlen(ifname_b) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_b, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_b, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[2], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_c, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_c_v4, sizeof(endpoint_c_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[3], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } netlink_init(&nlmsg, id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, WGDEVICE_A_IFNAME, ifname_c, strlen(ifname_c) + 1); netlink_attr(&nlmsg, WGDEVICE_A_PRIVATE_KEY, private_c, 32); netlink_attr(&nlmsg, WGDEVICE_A_LISTEN_PORT, &listen_c, 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGDEVICE_A_PEERS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_a, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_a_v6, sizeof(endpoint_a_v6)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[4], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v4, sizeof(first_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &first_half_v6, sizeof(first_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGPEER_A_PUBLIC_KEY, public_b, 32); netlink_attr(&nlmsg, WGPEER_A_ENDPOINT, &endpoint_b_v4, sizeof(endpoint_b_v4)); netlink_attr(&nlmsg, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, &persistent_keepalives[5], 2); netlink_nest(&nlmsg, NLA_F_NESTED | WGPEER_A_ALLOWEDIPS); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v4, sizeof(second_half_v4)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_nest(&nlmsg, NLA_F_NESTED | 0); netlink_attr(&nlmsg, WGALLOWEDIP_A_FAMILY, &af_inet6, 2); netlink_attr(&nlmsg, WGALLOWEDIP_A_IPADDR, &second_half_v6, sizeof(second_half_v6)); netlink_attr(&nlmsg, WGALLOWEDIP_A_CIDR_MASK, &half_cidr, 1); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); netlink_done(&nlmsg); err = netlink_send(&nlmsg, sock); if (err < 0) { } error: close(sock); } static void initialize_netdevices(void) { char netdevsim[16]; sprintf(netdevsim, "netdevsim%d", (int)procid); struct { const char* type; const char* dev; } devtypes[] = { {"ip6gretap", "ip6gretap0"}, {"bridge", "bridge0"}, {"vcan", "vcan0"}, {"bond", "bond0"}, {"team", "team0"}, {"dummy", "dummy0"}, {"nlmon", "nlmon0"}, {"caif", "caif0"}, {"batadv", "batadv0"}, {"vxcan", "vxcan1"}, {"veth", 0}, {"wireguard", "wg0"}, {"wireguard", "wg1"}, {"wireguard", "wg2"}, }; const char* devmasters[] = {"bridge", "bond", "team", "batadv"}; struct { const char* name; int macsize; bool noipv6; } devices[] = { {"lo", ETH_ALEN}, {"sit0", 0}, {"bridge0", ETH_ALEN}, {"vcan0", 0, true}, {"tunl0", 0}, {"gre0", 0}, {"gretap0", ETH_ALEN}, {"ip_vti0", 0}, {"ip6_vti0", 0}, {"ip6tnl0", 0}, {"ip6gre0", 0}, {"ip6gretap0", ETH_ALEN}, {"erspan0", ETH_ALEN}, {"bond0", ETH_ALEN}, {"veth0", ETH_ALEN}, {"veth1", ETH_ALEN}, {"team0", ETH_ALEN}, {"veth0_to_bridge", ETH_ALEN}, {"veth1_to_bridge", ETH_ALEN}, {"veth0_to_bond", ETH_ALEN}, {"veth1_to_bond", ETH_ALEN}, {"veth0_to_team", ETH_ALEN}, {"veth1_to_team", ETH_ALEN}, {"veth0_to_hsr", ETH_ALEN}, {"veth1_to_hsr", ETH_ALEN}, {"hsr0", 0}, {"dummy0", ETH_ALEN}, {"nlmon0", 0}, {"vxcan0", 0, true}, {"vxcan1", 0, true}, {"caif0", ETH_ALEN}, {"batadv0", ETH_ALEN}, {netdevsim, ETH_ALEN}, {"xfrm0", ETH_ALEN}, {"veth0_virt_wifi", ETH_ALEN}, {"veth1_virt_wifi", ETH_ALEN}, {"virt_wifi0", ETH_ALEN}, {"veth0_vlan", ETH_ALEN}, {"veth1_vlan", ETH_ALEN}, {"vlan0", ETH_ALEN}, {"vlan1", ETH_ALEN}, {"macvlan0", ETH_ALEN}, {"macvlan1", ETH_ALEN}, {"ipvlan0", ETH_ALEN}, {"ipvlan1", ETH_ALEN}, {"veth0_macvtap", ETH_ALEN}, {"veth1_macvtap", ETH_ALEN}, {"macvtap0", ETH_ALEN}, {"macsec0", ETH_ALEN}, {"veth0_to_batadv", ETH_ALEN}, {"veth1_to_batadv", ETH_ALEN}, {"batadv_slave_0", ETH_ALEN}, {"batadv_slave_1", ETH_ALEN}, {"geneve0", ETH_ALEN}, {"geneve1", ETH_ALEN}, {"wg0", 0}, {"wg1", 0}, {"wg2", 0}, }; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) netlink_add_device(&nlmsg, sock, devtypes[i].type, devtypes[i].dev); for (i = 0; i < sizeof(devmasters) / (sizeof(devmasters[0])); i++) { char master[32], slave0[32], veth0[32], slave1[32], veth1[32]; sprintf(slave0, "%s_slave_0", devmasters[i]); sprintf(veth0, "veth0_to_%s", devmasters[i]); netlink_add_veth(&nlmsg, sock, slave0, veth0); sprintf(slave1, "%s_slave_1", devmasters[i]); sprintf(veth1, "veth1_to_%s", devmasters[i]); netlink_add_veth(&nlmsg, sock, slave1, veth1); sprintf(master, "%s0", devmasters[i]); netlink_device_change(&nlmsg, sock, slave0, false, master, 0, 0, NULL); netlink_device_change(&nlmsg, sock, slave1, false, master, 0, 0, NULL); } netlink_add_xfrm(&nlmsg, sock, "xfrm0"); netlink_device_change(&nlmsg, sock, "bridge_slave_0", true, 0, 0, 0, NULL); netlink_device_change(&nlmsg, sock, "bridge_slave_1", true, 0, 0, 0, NULL); netlink_add_veth(&nlmsg, sock, "hsr_slave_0", "veth0_to_hsr"); netlink_add_veth(&nlmsg, sock, "hsr_slave_1", "veth1_to_hsr"); netlink_add_hsr(&nlmsg, sock, "hsr0", "hsr_slave_0", "hsr_slave_1"); netlink_device_change(&nlmsg, sock, "hsr_slave_0", true, 0, 0, 0, NULL); netlink_device_change(&nlmsg, sock, "hsr_slave_1", true, 0, 0, 0, NULL); netlink_add_veth(&nlmsg, sock, "veth0_virt_wifi", "veth1_virt_wifi"); netlink_add_linked(&nlmsg, sock, "virt_wifi", "virt_wifi0", "veth1_virt_wifi"); netlink_add_veth(&nlmsg, sock, "veth0_vlan", "veth1_vlan"); netlink_add_vlan(&nlmsg, sock, "vlan0", "veth0_vlan", 0, htons(ETH_P_8021Q)); netlink_add_vlan(&nlmsg, sock, "vlan1", "veth0_vlan", 1, htons(ETH_P_8021AD)); netlink_add_macvlan(&nlmsg, sock, "macvlan0", "veth1_vlan"); netlink_add_macvlan(&nlmsg, sock, "macvlan1", "veth1_vlan"); netlink_add_ipvlan(&nlmsg, sock, "ipvlan0", "veth0_vlan", IPVLAN_MODE_L2, 0); netlink_add_ipvlan(&nlmsg, sock, "ipvlan1", "veth0_vlan", IPVLAN_MODE_L3S, IPVLAN_F_VEPA); netlink_add_veth(&nlmsg, sock, "veth0_macvtap", "veth1_macvtap"); netlink_add_linked(&nlmsg, sock, "macvtap", "macvtap0", "veth0_macvtap"); netlink_add_linked(&nlmsg, sock, "macsec", "macsec0", "veth1_macvtap"); char addr[32]; sprintf(addr, DEV_IPV4, 14 + 10); struct in_addr geneve_addr4; if (inet_pton(AF_INET, addr, &geneve_addr4) <= 0) exit(1); struct in6_addr geneve_addr6; if (inet_pton(AF_INET6, "fc00::01", &geneve_addr6) <= 0) exit(1); netlink_add_geneve(&nlmsg, sock, "geneve0", 0, &geneve_addr4, 0); netlink_add_geneve(&nlmsg, sock, "geneve1", 1, 0, &geneve_addr6); netdevsim_add((int)procid, 4); netlink_wireguard_setup(); for (i = 0; i < sizeof(devices) / (sizeof(devices[0])); i++) { char addr[32]; sprintf(addr, DEV_IPV4, i + 10); netlink_add_addr4(&nlmsg, sock, devices[i].name, addr); if (!devices[i].noipv6) { sprintf(addr, DEV_IPV6, i + 10); netlink_add_addr6(&nlmsg, sock, devices[i].name, addr); } uint64_t macaddr = DEV_MAC + ((i + 10ull) << 40); netlink_device_change(&nlmsg, sock, devices[i].name, true, 0, &macaddr, devices[i].macsize, NULL); } close(sock); } static void initialize_netdevices_init(void) { int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); struct { const char* type; int macsize; bool noipv6; bool noup; } devtypes[] = { {"nr", 7, true}, {"rose", 5, true, true}, }; unsigned i; for (i = 0; i < sizeof(devtypes) / sizeof(devtypes[0]); i++) { char dev[32], addr[32]; sprintf(dev, "%s%d", devtypes[i].type, (int)procid); sprintf(addr, "172.30.%d.%d", i, (int)procid + 1); netlink_add_addr4(&nlmsg, sock, dev, addr); if (!devtypes[i].noipv6) { sprintf(addr, "fe88::%02x:%02x", i, (int)procid + 1); netlink_add_addr6(&nlmsg, sock, dev, addr); } int macsize = devtypes[i].macsize; uint64_t macaddr = 0xbbbbbb + ((unsigned long long)i << (8 * (macsize - 2))) + (procid << (8 * (macsize - 1))); netlink_device_change(&nlmsg, sock, dev, !devtypes[i].noup, 0, &macaddr, macsize, NULL); } close(sock); } static int read_tun(char* data, int size) { if (tunfd < 0) return -1; int rv = read(tunfd, data, size); if (rv < 0) { if (errno == EAGAIN || errno == EBADF || errno == EBADFD) return -1; exit(1); } return rv; } static void flush_tun() { char data[1000]; while (read_tun(&data[0], sizeof(data)) != -1) { } } #define MAX_FDS 30 //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define XT_TABLE_SIZE 1536 #define XT_MAX_ENTRIES 10 struct xt_counters { uint64_t pcnt, bcnt; }; struct ipt_getinfo { char name[32]; unsigned int valid_hooks; unsigned int hook_entry[5]; unsigned int underflow[5]; unsigned int num_entries; unsigned int size; }; struct ipt_get_entries { char name[32]; unsigned int size; uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)]; }; struct ipt_replace { char name[32]; unsigned int valid_hooks; unsigned int num_entries; unsigned int size; unsigned int hook_entry[5]; unsigned int underflow[5]; unsigned int num_counters; struct xt_counters* counters; uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)]; }; struct ipt_table_desc { const char* name; struct ipt_getinfo info; struct ipt_replace replace; }; static struct ipt_table_desc ipv4_tables[] = { {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"}, }; static struct ipt_table_desc ipv6_tables[] = { {.name = "filter"}, {.name = "nat"}, {.name = "mangle"}, {.name = "raw"}, {.name = "security"}, }; #define IPT_BASE_CTL 64 #define IPT_SO_SET_REPLACE (IPT_BASE_CTL) #define IPT_SO_GET_INFO (IPT_BASE_CTL) #define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1) struct arpt_getinfo { char name[32]; unsigned int valid_hooks; unsigned int hook_entry[3]; unsigned int underflow[3]; unsigned int num_entries; unsigned int size; }; struct arpt_get_entries { char name[32]; unsigned int size; uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)]; }; struct arpt_replace { char name[32]; unsigned int valid_hooks; unsigned int num_entries; unsigned int size; unsigned int hook_entry[3]; unsigned int underflow[3]; unsigned int num_counters; struct xt_counters* counters; uint64_t entrytable[XT_TABLE_SIZE / sizeof(uint64_t)]; }; struct arpt_table_desc { const char* name; struct arpt_getinfo info; struct arpt_replace replace; }; static struct arpt_table_desc arpt_tables[] = { {.name = "filter"}, }; #define ARPT_BASE_CTL 96 #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) static void checkpoint_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level) { int fd = socket(family, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: case ENOENT: return; } exit(1); } for (int i = 0; i < num_tables; i++) { struct ipt_table_desc* table = &tables[i]; strcpy(table->info.name, table->name); strcpy(table->replace.name, table->name); socklen_t optlen = sizeof(table->info); if (getsockopt(fd, level, IPT_SO_GET_INFO, &table->info, &optlen)) { switch (errno) { case EPERM: case ENOENT: case ENOPROTOOPT: continue; } exit(1); } if (table->info.size > sizeof(table->replace.entrytable)) exit(1); if (table->info.num_entries > XT_MAX_ENTRIES) exit(1); struct ipt_get_entries entries; memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) exit(1); table->replace.valid_hooks = table->info.valid_hooks; table->replace.num_entries = table->info.num_entries; table->replace.size = table->info.size; memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry)); memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow)); memcpy(table->replace.entrytable, entries.entrytable, table->info.size); } close(fd); } static void reset_iptables(struct ipt_table_desc* tables, int num_tables, int family, int level) { int fd = socket(family, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: case ENOENT: return; } exit(1); } for (int i = 0; i < num_tables; i++) { struct ipt_table_desc* table = &tables[i]; if (table->info.valid_hooks == 0) continue; struct ipt_getinfo info; memset(&info, 0, sizeof(info)); strcpy(info.name, table->name); socklen_t optlen = sizeof(info); if (getsockopt(fd, level, IPT_SO_GET_INFO, &info, &optlen)) exit(1); if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { struct ipt_get_entries entries; memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; if (getsockopt(fd, level, IPT_SO_GET_ENTRIES, &entries, &optlen)) exit(1); if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0) continue; } struct xt_counters counters[XT_MAX_ENTRIES]; table->replace.num_counters = info.num_entries; table->replace.counters = counters; optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size; if (setsockopt(fd, level, IPT_SO_SET_REPLACE, &table->replace, optlen)) exit(1); } close(fd); } static void checkpoint_arptables(void) { int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: case ENOENT: return; } exit(1); } for (unsigned i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { struct arpt_table_desc* table = &arpt_tables[i]; strcpy(table->info.name, table->name); strcpy(table->replace.name, table->name); socklen_t optlen = sizeof(table->info); if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &table->info, &optlen)) { switch (errno) { case EPERM: case ENOENT: case ENOPROTOOPT: continue; } exit(1); } if (table->info.size > sizeof(table->replace.entrytable)) exit(1); if (table->info.num_entries > XT_MAX_ENTRIES) exit(1); struct arpt_get_entries entries; memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + table->info.size; if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) exit(1); table->replace.valid_hooks = table->info.valid_hooks; table->replace.num_entries = table->info.num_entries; table->replace.size = table->info.size; memcpy(table->replace.hook_entry, table->info.hook_entry, sizeof(table->replace.hook_entry)); memcpy(table->replace.underflow, table->info.underflow, sizeof(table->replace.underflow)); memcpy(table->replace.entrytable, entries.entrytable, table->info.size); } close(fd); } static void reset_arptables() { int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: case ENOENT: return; } exit(1); } for (unsigned i = 0; i < sizeof(arpt_tables) / sizeof(arpt_tables[0]); i++) { struct arpt_table_desc* table = &arpt_tables[i]; if (table->info.valid_hooks == 0) continue; struct arpt_getinfo info; memset(&info, 0, sizeof(info)); strcpy(info.name, table->name); socklen_t optlen = sizeof(info); if (getsockopt(fd, SOL_IP, ARPT_SO_GET_INFO, &info, &optlen)) exit(1); if (memcmp(&table->info, &info, sizeof(table->info)) == 0) { struct arpt_get_entries entries; memset(&entries, 0, sizeof(entries)); strcpy(entries.name, table->name); entries.size = table->info.size; optlen = sizeof(entries) - sizeof(entries.entrytable) + entries.size; if (getsockopt(fd, SOL_IP, ARPT_SO_GET_ENTRIES, &entries, &optlen)) exit(1); if (memcmp(table->replace.entrytable, entries.entrytable, table->info.size) == 0) continue; } else { } struct xt_counters counters[XT_MAX_ENTRIES]; table->replace.num_counters = info.num_entries; table->replace.counters = counters; optlen = sizeof(table->replace) - sizeof(table->replace.entrytable) + table->replace.size; if (setsockopt(fd, SOL_IP, ARPT_SO_SET_REPLACE, &table->replace, optlen)) exit(1); } close(fd); } #define NF_BR_NUMHOOKS 6 #define EBT_TABLE_MAXNAMELEN 32 #define EBT_CHAIN_MAXNAMELEN 32 #define EBT_BASE_CTL 128 #define EBT_SO_SET_ENTRIES (EBT_BASE_CTL) #define EBT_SO_GET_INFO (EBT_BASE_CTL) #define EBT_SO_GET_ENTRIES (EBT_SO_GET_INFO + 1) #define EBT_SO_GET_INIT_INFO (EBT_SO_GET_ENTRIES + 1) #define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO + 1) struct ebt_replace { char name[EBT_TABLE_MAXNAMELEN]; unsigned int valid_hooks; unsigned int nentries; unsigned int entries_size; struct ebt_entries* hook_entry[NF_BR_NUMHOOKS]; unsigned int num_counters; struct ebt_counter* counters; char* entries; }; struct ebt_entries { unsigned int distinguisher; char name[EBT_CHAIN_MAXNAMELEN]; unsigned int counter_offset; int policy; unsigned int nentries; char data[0] __attribute__((aligned(__alignof__(struct ebt_replace)))); }; struct ebt_table_desc { const char* name; struct ebt_replace replace; char entrytable[XT_TABLE_SIZE]; }; static struct ebt_table_desc ebt_tables[] = { {.name = "filter"}, {.name = "nat"}, {.name = "broute"}, }; static void checkpoint_ebtables(void) { int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: case ENOENT: return; } exit(1); } for (size_t i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { struct ebt_table_desc* table = &ebt_tables[i]; strcpy(table->replace.name, table->name); socklen_t optlen = sizeof(table->replace); if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_INFO, &table->replace, &optlen)) { switch (errno) { case EPERM: case ENOENT: case ENOPROTOOPT: continue; } exit(1); } if (table->replace.entries_size > sizeof(table->entrytable)) exit(1); table->replace.num_counters = 0; table->replace.entries = table->entrytable; optlen = sizeof(table->replace) + table->replace.entries_size; if (getsockopt(fd, SOL_IP, EBT_SO_GET_INIT_ENTRIES, &table->replace, &optlen)) exit(1); } close(fd); } static void reset_ebtables() { int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { switch (errno) { case EAFNOSUPPORT: case ENOPROTOOPT: case ENOENT: return; } exit(1); } for (unsigned i = 0; i < sizeof(ebt_tables) / sizeof(ebt_tables[0]); i++) { struct ebt_table_desc* table = &ebt_tables[i]; if (table->replace.valid_hooks == 0) continue; struct ebt_replace replace; memset(&replace, 0, sizeof(replace)); strcpy(replace.name, table->name); socklen_t optlen = sizeof(replace); if (getsockopt(fd, SOL_IP, EBT_SO_GET_INFO, &replace, &optlen)) exit(1); replace.num_counters = 0; table->replace.entries = 0; for (unsigned h = 0; h < NF_BR_NUMHOOKS; h++) table->replace.hook_entry[h] = 0; if (memcmp(&table->replace, &replace, sizeof(table->replace)) == 0) { char entrytable[XT_TABLE_SIZE]; memset(&entrytable, 0, sizeof(entrytable)); replace.entries = entrytable; optlen = sizeof(replace) + replace.entries_size; if (getsockopt(fd, SOL_IP, EBT_SO_GET_ENTRIES, &replace, &optlen)) exit(1); if (memcmp(table->entrytable, entrytable, replace.entries_size) == 0) continue; } for (unsigned j = 0, h = 0; h < NF_BR_NUMHOOKS; h++) { if (table->replace.valid_hooks & (1 << h)) { table->replace.hook_entry[h] = (struct ebt_entries*)table->entrytable + j; j++; } } table->replace.entries = table->entrytable; optlen = sizeof(table->replace) + table->replace.entries_size; if (setsockopt(fd, SOL_IP, EBT_SO_SET_ENTRIES, &table->replace, optlen)) exit(1); } close(fd); } static void checkpoint_net_namespace(void) { checkpoint_ebtables(); checkpoint_arptables(); checkpoint_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP); checkpoint_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6); } static void reset_net_namespace(void) { reset_ebtables(); reset_arptables(); reset_iptables(ipv4_tables, sizeof(ipv4_tables) / sizeof(ipv4_tables[0]), AF_INET, SOL_IP); reset_iptables(ipv6_tables, sizeof(ipv6_tables) / sizeof(ipv6_tables[0]), AF_INET6, SOL_IPV6); } static void mount_cgroups(const char* dir, const char** controllers, int count) { if (mkdir(dir, 0777)) { return; } char enabled[128] = {0}; int i = 0; for (; i < count; i++) { if (mount("none", dir, "cgroup", 0, controllers[i])) { continue; } umount(dir); strcat(enabled, ","); strcat(enabled, controllers[i]); } if (enabled[0] == 0) { if (rmdir(dir) && errno != EBUSY) exit(1); return; } if (mount("none", dir, "cgroup", 0, enabled + 1)) { if (rmdir(dir) && errno != EBUSY) exit(1); } if (chmod(dir, 0777)) { } } static void mount_cgroups2(const char** controllers, int count) { if (mkdir("/syzcgroup/unified", 0777)) { return; } if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { if (rmdir("/syzcgroup/unified") && errno != EBUSY) exit(1); return; } if (chmod("/syzcgroup/unified", 0777)) { } int control = open("/syzcgroup/unified/cgroup.subtree_control", O_WRONLY); if (control == -1) return; int i; for (i = 0; i < count; i++) if (write(control, controllers[i], strlen(controllers[i])) < 0) { } close(control); } static void setup_cgroups() { const char* unified_controllers[] = {"+cpu", "+io", "+pids"}; const char* net_controllers[] = {"net", "net_prio", "devices", "blkio", "freezer"}; const char* cpu_controllers[] = {"cpuset", "cpuacct", "hugetlb", "rlimit", "memory"}; if (mkdir("/syzcgroup", 0777)) { return; } mount_cgroups2(unified_controllers, sizeof(unified_controllers) / sizeof(unified_controllers[0])); mount_cgroups("/syzcgroup/net", net_controllers, sizeof(net_controllers) / sizeof(net_controllers[0])); mount_cgroups("/syzcgroup/cpu", cpu_controllers, sizeof(cpu_controllers) / sizeof(cpu_controllers[0])); write_file("/syzcgroup/cpu/cgroup.clone_children", "1"); write_file("/syzcgroup/cpu/cpuset.memory_pressure_enabled", "1"); } static void setup_cgroups_loop() { int pid = getpid(); char file[128]; char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/pids.max", cgroupdir); write_file(file, "32"); snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(file, sizeof(file), "%s/memory.soft_limit_in_bytes", cgroupdir); write_file(file, "%d", 299 << 20); snprintf(file, sizeof(file), "%s/memory.limit_in_bytes", cgroupdir); write_file(file, "%d", 300 << 20); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); } static void setup_cgroups_test() { char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (symlink(cgroupdir, "./cgroup")) { } snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (symlink(cgroupdir, "./cgroup.cpu")) { } snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (symlink(cgroupdir, "./cgroup.net")) { } } static void initialize_cgroups() { if (mkdir("./syz-tmp/newroot/syzcgroup", 0700)) exit(1); if (mkdir("./syz-tmp/newroot/syzcgroup/unified", 0700)) exit(1); if (mkdir("./syz-tmp/newroot/syzcgroup/cpu", 0700)) exit(1); if (mkdir("./syz-tmp/newroot/syzcgroup/net", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/syzcgroup/unified", "./syz-tmp/newroot/syzcgroup/unified", NULL, bind_mount_flags, NULL)) { } if (mount("/syzcgroup/cpu", "./syz-tmp/newroot/syzcgroup/cpu", NULL, bind_mount_flags, NULL)) { } if (mount("/syzcgroup/net", "./syz-tmp/newroot/syzcgroup/net", NULL, bind_mount_flags, NULL)) { } } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); initialize_cgroups(); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); initialize_netdevices_init(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); initialize_tun(); initialize_netdevices(); sandbox_common_mount_tmpfs(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_loop() { setup_cgroups_loop(); checkpoint_net_namespace(); } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } reset_net_namespace(); } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setup_cgroups_test(); write_file("/proc/self/oom_score_adj", "1000"); flush_tun(); if (symlink("/dev/binderfs", "./binderfs")) { } } static void close_fds() { for (int fd = 3; fd < MAX_FDS; fd++) close(fd); } static const char* setup_binfmt_misc() { if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0) && errno != EBUSY) { return NULL; } if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:") || !write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC")) return "write(/proc/sys/fs/binfmt_misc/register) failed"; return NULL; } static const char* setup_usb() { if (chmod("/dev/raw-gadget", 0666)) return "failed to chmod /dev/raw-gadget"; return NULL; } static void setup_sysctl() { int cad_pid = fork(); if (cad_pid < 0) exit(1); if (cad_pid == 0) { for (;;) sleep(100); } char tmppid[32]; snprintf(tmppid, sizeof(tmppid), "%d", cad_pid); struct { const char* name; const char* data; } files[] = { {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"}, {"/proc/sys/kernel/hung_task_check_interval_secs", "20"}, {"/proc/sys/net/core/bpf_jit_kallsyms", "1"}, {"/proc/sys/net/core/bpf_jit_harden", "0"}, {"/proc/sys/kernel/kptr_restrict", "0"}, {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"}, {"/proc/sys/fs/mount-max", "100"}, {"/proc/sys/vm/oom_dump_tasks", "0"}, {"/proc/sys/debug/exception-trace", "0"}, {"/proc/sys/kernel/printk", "7 4 1 3"}, {"/proc/sys/kernel/keys/gc_delay", "1"}, {"/proc/sys/vm/oom_kill_allocating_task", "1"}, {"/proc/sys/kernel/ctrl-alt-del", "0"}, {"/proc/sys/kernel/cad_pid", tmppid}, }; for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].name, files[i].data)) { } } kill(cad_pid, SIGKILL); while (waitpid(cad_pid, NULL, 0) != cad_pid) ; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } #define SWAP_FILE "./swap-file" #define SWAP_FILE_SIZE (128 * 1000 * 1000) static const char* setup_swap() { swapoff(SWAP_FILE); unlink(SWAP_FILE); int fd = open(SWAP_FILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600); if (fd == -1) return "swap file open failed"; fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE); close(fd); char cmdline[64]; sprintf(cmdline, "mkswap %s", SWAP_FILE); if (runcmdline(cmdline)) return "mkswap failed"; if (swapon(SWAP_FILE, SWAP_FLAG_PREFER) == 1) return "swapon failed"; return NULL; } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { setup_loop(); int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); close_fds(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // syz_mount_image$ext4 arguments: [ // fs: ptr[in, buffer] { // buffer: {65 78 74 34 00} (length 0x5) // } // dir: ptr[in, buffer] { // buffer: {2e 2f 62 75 73 00} (length 0x6) // } // flags: mount_flags = 0x2000040 (8 bytes) // opts: ptr[in, fs_options[ext4_options]] { // fs_options[ext4_options] { // elems: array[fs_opt_elem[ext4_options]] { // fs_opt_elem[ext4_options] { // elem: union ext4_options { // auto_da_alloc: buffer: {61 75 74 6f 5f 64 61 5f 61 6c 6c 6f // 63} (length 0xd) // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // jqfmt_vfsold: buffer: {6a 71 66 6d 74 3d 76 66 73 6f 6c 64} // (length 0xc) // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // noquota: buffer: {6e 6f 71 75 6f 74 61} (length 0x7) // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // init_itable: buffer: {69 6e 69 74 5f 69 74 61 62 6c 65} // (length 0xb) // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // stripe: fs_opt["stripe", fmt[hex, int32]] { // name: buffer: {73 74 72 69 70 65} (length 0x6) // eq: const = 0x3d (1 bytes) // val: int32 = 0x79 (18 bytes) // } // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // resgid: fs_opt["resgid", fmt[hex, gid]] { // name: buffer: {72 65 73 67 69 64} (length 0x6) // eq: const = 0x3d (1 bytes) // val: gid (resource) // } // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // data_err_ignore: buffer: {64 61 74 61 5f 65 72 72 3d 69 67 6e // 6f 72 65} (length 0xf) // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // init_itable: buffer: {69 6e 69 74 5f 69 74 61 62 6c 65} // (length 0xb) // } // comma: const = 0x2c (1 bytes) // } // fs_opt_elem[ext4_options] { // elem: union ext4_options { // errors_continue: buffer: {65 72 72 6f 72 73 3d 63 6f 6e 74 69 // 6e 75 65} (length 0xf) // } // comma: const = 0x2c (1 bytes) // } // } // common: array[fs_opt_elem[fs_options_common]] { // } // null: const = 0x0 (1 bytes) // } // } // chdir: int8 = 0x1 (1 bytes) // size: len = 0x4e7 (8 bytes) // img: ptr[in, buffer] { // buffer: (compressed buffer with length 0x4e7) // } // ] // returns fd_dir NONFAILING(memcpy((void*)0x200000000080, "ext4\000", 5)); NONFAILING(memcpy((void*)0x200000000140, "./bus\000", 6)); NONFAILING(memcpy((void*)0x200000000480, "auto_da_alloc", 13)); NONFAILING(*(uint8_t*)0x20000000048d = 0x2c); NONFAILING(memcpy((void*)0x20000000048e, "jqfmt=vfsold", 12)); NONFAILING(*(uint8_t*)0x20000000049a = 0x2c); NONFAILING(memcpy((void*)0x20000000049b, "noquota", 7)); NONFAILING(*(uint8_t*)0x2000000004a2 = 0x2c); NONFAILING(memcpy((void*)0x2000000004a3, "init_itable", 11)); NONFAILING(*(uint8_t*)0x2000000004ae = 0x2c); NONFAILING(memcpy((void*)0x2000000004af, "stripe", 6)); NONFAILING(*(uint8_t*)0x2000000004b5 = 0x3d); NONFAILING(sprintf((char*)0x2000000004b6, "0x%016llx", (long long)0x79)); NONFAILING(*(uint8_t*)0x2000000004c8 = 0x2c); NONFAILING(memcpy((void*)0x2000000004c9, "resgid", 6)); NONFAILING(*(uint8_t*)0x2000000004cf = 0x3d); NONFAILING(sprintf((char*)0x2000000004d0, "0x%016llx", (long long)0)); NONFAILING(*(uint8_t*)0x2000000004e2 = 0x2c); NONFAILING(memcpy((void*)0x2000000004e3, "data_err=ignore", 15)); NONFAILING(*(uint8_t*)0x2000000004f2 = 0x2c); NONFAILING(memcpy((void*)0x2000000004f3, "init_itable", 11)); NONFAILING(*(uint8_t*)0x2000000004fe = 0x2c); NONFAILING(memcpy((void*)0x2000000004ff, "errors=continue", 15)); NONFAILING(*(uint8_t*)0x20000000050e = 0x2c); NONFAILING(*(uint8_t*)0x20000000050f = 0); NONFAILING(memcpy( (void*)0x200000000540, "\x78\x9c\xec\xdd\xcf\x6b\x5c\x5b\x1d\x00\xf0\xef\xbd\xc9\xbc\xfe\xca\x33" "\xf3\xd4\xc5\xf3\x81\xef\x15\xad\xa4\x45\x3b\x93\x34\xb6\x0d\x2e\x6a\x05" "\xb1\xab\x82\xb5\xee\x6b\x4c\x26\x21\x64\x92\x09\x99\x49\xdb\x84\xa2\x29" "\xee\x15\x44\x54\x70\xe5\xca\x8d\xe0\x1f\x20\x48\xff\x04\x11\x0a\xba\x97" "\x2a\x8a\x68\xab\x0b\x17\xea\xc8\xcc\xdc\xa9\xcd\x38\x93\x04\x3a\x99\xdb" "\x97\x7c\x3e\x70\x7b\xcf\x3d\x67\x66\xbe\xdf\xd3\x32\xf7\xc7\xb9\xa7\x73" "\x03\x38\xb1\xce\x47\xc4\xcd\x88\x18\x8b\x88\x4b\x11\x31\x99\xd5\xa7\xd9" "\x72\xab\xd5\x7e\xa7\xf3\xba\x17\xcf\x1f\x2d\xb4\x96\x24\x9a\xcd\xbb\x7f" "\x4d\x22\xc9\xea\x22\x4e\xef\xf9\xcc\x73\x11\xb1\x1b\x9d\xda\xaf\xdd\x8a" "\xf8\x66\xf2\xff\x71\xeb\xdb\x3b\xab\xf3\xd5\x6a\x65\x33\xdb\x2e\x37\xd6" "\x36\xca\xf5\xed\x9d\xcb\x2b\x6b\xf3\xcb\x95\xe5\xca\xfa\xec\xec\xcc\xb5" "\xb9\xeb\x73\x57\xe7\xa6\x87\xd2\xcf\x62\x44\xdc\xf8\xf2\x1f\x7f\xf8\xbd" "\x9f\x7d\xe5\xc6\xaf\x3e\xf7\xe0\xf7\xf7\xfe\x7c\xf1\x5b\xad\xb4\x26\xb2" "\xf6\x4e\x3f\x86\xaf\xd3\xf5\xc2\x9e\xbf\xa1\xf1\x88\xd8\x3c\x8a\x60\x39" "\x18\xcb\xd6\x85\x01\xed\xdf\x1d\x1b\x61\x32\x00\x00\x1c\xa8\x75\x8e\xff" "\xd1\x88\xf8\x54\xfb\xfc\x7f\x32\xc6\xda\x67\xa7\x00\x00\x00\xc0\x71\xd2" "\xfc\xe2\x44\xfc\x2b\x89\x68\x02\x00\x00\x00\xc7\x56\xda\x9e\x03\x9b\xa4" "\xa5\x6c\x2e\xc0\x44\xa4\x69\xa9\xd4\x99\xc3\xfb\xf1\x38\x9b\x56\x6b\xf5" "\xc6\x67\x97\x6a\x5b\xeb\x8b\x9d\xb9\xb2\xc5\x28\xa4\x4b\x2b\xd5\xca\x74" "\x36\x57\xb8\x18\x85\xa4\xb5\x3d\x93\xcd\xb1\xed\x6e\x5f\xe9\xd9\x9e\x8d" "\x88\x77\x22\xe2\x07\x93\x67\xda\xdb\xa5\x85\x5a\x75\x31\xef\xc1\x0f\x00" "\x00\x00\x38\x21\xce\xf5\x5c\xff\xff\x63\xb2\x7d\xfd\x7f\x2a\xef\xbc\x00" "\x00\x00\x80\x21\x2b\xe6\x9d\x00\x00\x00\x00\x70\xe4\xf6\xbb\xfe\xff\xc8" "\x08\xf3\x00\x00\x00\x00\x8e\x8e\xfb\xff\x00\x00\x00\x70\xac\x7d\xf5\xf6" "\xed\xd6\xd2\xec\x3e\xff\x7a\xf1\xfe\xf6\xd6\x6a\xed\xfe\xe5\xc5\x4a\x7d" "\xb5\xb4\xb6\xb5\x50\x5a\xa8\x6d\x6e\x94\x96\x6b\xb5\xe5\xf6\x6f\xf6\xad" "\x1d\xf4\x79\xd5\x5a\x6d\xe3\xf3\xb1\xbe\xf5\xb0\xdc\xa8\xd4\x1b\xe5\xfa" "\xf6\xce\xbd\xb5\xda\xd6\x7a\xe3\xde\x4a\xcf\x43\xc2\x01\x00\x00\x80\x91" "\x79\xe7\x83\x27\xbf\x4b\x22\x62\xf7\x0b\x67\xda\x4b\xcb\x5b\x87\x7f\xfb" "\xdb\x47\x97\x19\x70\xd4\x92\x03\xda\xdb\x0f\x09\x79\x96\x6d\xfc\x61\x04" "\x09\x01\x23\x33\x96\x77\x02\x40\x6e\xc6\xf3\x4e\x00\xc8\x4d\x21\xef\x04" "\x80\xdc\x1d\x34\x0e\x30\x70\xf2\xce\xaf\x87\x9f\x0b\x00\x00\x70\x34\xa6" "\x3e\x31\xf8\xfe\xbf\xb1\x01\x38\xde\xd2\x81\x2d\xcd\x91\xe6\x01\x00\x8c" "\x8e\xfb\xff\x70\x72\x15\xf6\xce\x00\xbc\x9a\x5f\x26\x40\x5e\x0e\x7a\xcc" "\xc7\xeb\xdc\xff\xef\x8c\x24\x34\x0d\x28\x00\x00\x40\xce\x26\xda\x4b\x92" "\x96\xb2\x7b\x81\x13\x91\xa6\xa5\x52\xe7\x3f\xf6\x17\xa3\x90\x2c\xad\x54" "\x2b\xd3\xd9\xf5\xc1\x6f\x27\x0b\xa7\x5a\xdb\x33\xed\x77\x26\x07\xce\x19" "\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x3a\x9a\xcd\x24\x9a\x00\x00\x00\xc0\xb1\x16\x91\xfe\x29\x69\xff" "\x9a\x7f\xc4\xd4\xe4\x85\x89\xde\xf1\x81\xb7\x92\x7f\x4e\xb6\xd7\x11\xf1" "\xe0\x27\x77\x7f\xf4\x70\xbe\xd1\xd8\x9c\x69\xd5\xff\xed\x65\x7d\xe3\xc7" "\x59\xfd\x95\x3c\x46\x30\x00\x00\x00\x80\x5e\xdd\xeb\xf4\xee\x75\x3c\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x0c\xd3\x8b\xe7\x8f\x16\xba\xcb\x28\xe3\xfe\xe5\x4b\x11\x51\xec\x1b\xff" "\x83\xd3\xed\xd5\xe9\x28\x44\xc4\xd9\xbf\x27\x31\xfe\xca\xfb\x92\x88\x18" "\x1b\x42\xfc\xdd\xc7\x11\xf1\x6e\xbf\xf8\x49\x2b\xad\x28\x46\x27\x8b\x7e" "\xf1\xcf\xe4\x18\x3f\x8d\x88\x73\x43\x88\x0f\x27\xd9\x93\xd6\xfe\xe7\x66" "\xbf\xef\x5f\x1a\xe7\xdb\xeb\xfe\xdf\xbf\xf1\x6c\x79\x5d\x83\xf7\x7f\x69" "\x74\xf7\x7f\x63\x03\xf6\x3f\x6f\x1f\x32\xc6\x7b\x4f\x7f\x51\x1e\x18\xff" "\x71\xc4\x7b\xe3\xfd\xf7\x3f\xdd\xf8\xc9\x80\xf8\x9f\x3e\x64\xfc\x6f\x7c" "\x7d\x67\xa7\xa7\xea\xdb\xdd\x42\xf3\xa7\x11\x53\x7d\x8f\x3f\xc9\x9e\x58" "\xe5\xc6\xda\x46\xb9\xbe\xbd\x73\x79\x65\x6d\x7e\xb9\xb2\x5c\x59\x9f\x9d" "\x9d\xb9\x36\x77\x7d\xee\xea\xdc\x74\x79\x69\xa5\x5a\xc9\xfe\xec\x1b\xff" "\xfb\x9f\xfc\xe5\x7f\xf6\xeb\xff\xd9\x01\xf1\x8b\x07\xf4\xff\xc2\x21\xfb" "\xff\xef\xa7\x0f\x9f\x7f\xac\x53\x2c\xf4\xb6\x75\x2b\xfa\x1d\x7f\xdf\x1d" "\x10\x3f\xcd\x8e\x7d\x9f\xc9\xca\xad\xf6\xa9\x6e\x79\xb7\x53\x7e\xd5\xfb" "\x3f\xff\xcd\xfb\xfb\xf5\x7f\x71\x40\xff\x5f\xfe\xfb\xf7\x39\xd0\xb6\x62" "\x5e\x3c\x64\xff\x2f\xdd\xf9\xce\xb3\x43\xbe\x14\x00\x18\x81\xfa\xf6\xce" "\xea\x7c\xb5\x5a\xd9\xfc\x30\x16\xd2\x78\x23\xd2\x50\x18\x4a\xe1\xd4\x9b" "\x91\xc6\x3e\x85\x42\xbc\x11\x69\x8c\xa6\x90\xf7\x9e\x09\x00\x00\x18\xb6" "\xff\x9d\xf4\xe7\x9d\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x9c\x5c\xa3\xf8\x39\xb1\xde\x98\xbb\xf9\x74\x15\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x60\x5f\xff\x0d\x00\x00\xff\xff\x27\x2d\xd9\x9e", 1255)); NONFAILING(syz_mount_image(/*fs=*/0x200000000080, /*dir=*/0x200000000140, /*flags=MS_LAZYTIME|MS_MANDLOCK*/ 0x2000040, /*opts=*/0x200000000480, /*chdir=*/1, /*size=*/0x4e7, /*img=*/0x200000000540)); // open arguments: [ // file: ptr[in, buffer] { // buffer: {2e 2f 62 75 73 00} (length 0x6) // } // flags: open_flags = 0x14927e (8 bytes) // mode: open_mode = 0x0 (8 bytes) // ] // returns fd NONFAILING(memcpy((void*)0x200000000180, "./bus\000", 6)); res = syscall(__NR_open, /*file=*/0x200000000180ul, /*flags=O_TRUNC|O_SYNC|O_NOATIME|O_LARGEFILE|O_CREAT|O_RDWR|0x3c*/ 0x14927eul, /*mode=*/0ul); if (res != -1) r[0] = res; // fallocate arguments: [ // fd: fd (resource) // mode: fallocate_mode = 0x0 (8 bytes) // off: intptr = 0x0 (8 bytes) // len: intptr = 0x1000f4 (8 bytes) // ] syscall(__NR_fallocate, /*fd=*/r[0], /*mode=*/0ul, /*off=*/0ul, /*len=*/0x1000f4ul); // open arguments: [ // file: ptr[in, buffer] { // buffer: {2e 2f 62 75 73 00} (length 0x6) // } // flags: open_flags = 0x14507e (8 bytes) // mode: open_mode = 0x0 (8 bytes) // ] // returns fd NONFAILING(memcpy((void*)0x200000000780, "./bus\000", 6)); res = syscall( __NR_open, /*file=*/0x200000000780ul, /*flags=O_SYNC|O_NOATIME|O_DIRECT|O_CREAT|O_RDWR|0x3c*/ 0x14507eul, /*mode=*/0ul); if (res != -1) r[1] = res; // mmap arguments: [ // addr: VMA[0x600000] // len: len = 0x600000 (8 bytes) // prot: mmap_prot = 0x90e976db910956fe (8 bytes) // flags: mmap_flags = 0x4002011 (8 bytes) // fd: fd (resource) // offset: intptr = 0x0 (8 bytes) // ] syscall( __NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x600000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_WRITE|PROT_EXEC|0x90e976db900956f0*/ 0x90e976db910956feul, /*flags=MAP_UNINITIALIZED|MAP_LOCKED|MAP_FIXED|MAP_SHARED*/ 0x4002011ul, /*fd=*/r[1], /*offset=*/0ul); // mount arguments: [ // src: ptr[in, blockdev_filename] { // union blockdev_filename { // loop: loop_filename { // prefix: buffer: {2f 64 65 76 2f 6c 6f 6f 70} (length 0x9) // id: proc = 0x0 (1 bytes) // z: const = 0x0 (1 bytes) // } // } // } // dst: ptr[in, buffer] { // buffer: {2e 2f 62 75 73 00} (length 0x6) // } // type: nil // flags: mount_flags = 0x1000 (8 bytes) // data: nil // ] NONFAILING(memcpy((void*)0x200000000380, "/dev/loop", 9)); NONFAILING(*(uint8_t*)0x200000000389 = 0x30); NONFAILING(*(uint8_t*)0x20000000038a = 0); NONFAILING(memcpy((void*)0x200000000140, "./bus\000", 6)); syscall(__NR_mount, /*src=*/0x200000000380ul, /*dst=*/0x200000000140ul, /*type=*/0ul, /*flags=MS_BIND*/ 0x1000ul, /*data=*/0ul); // syz_fuse_handle_req arguments: [ // fd: fd_fuse (resource) // buf: ptr[in, buffer] { // buffer: {22 f8 ea 77 e0 c8 70 aa ee 3b de 9b e8 4b ff fa 3e ab e4 0a // 0d 0f 24 3a e4 4c 67 07 a1 24 b1 90 7b f3 ec 0e 19 1a 6c 2e c0 5d 77 // f6 54 08 31 4b 75 16 c3 74 e9 8d c1 03 55 5f 98 e6 9e 16 ec 70 99 c9 // b0 7d bd e1 94 4d 85 79 bd b3 72 25 0b bd 3b 97 d3 70 82 a2 b8 d8 7b // f8 f1 7d 51 fc 4f e3 7b eb 31 e7 11 9a 0e 28 f7 3e 10 15 61 2e ea 09 // 69 50 86 13 b1 c1 94 fc 6d bf ba 55 c8 4e 52 99 f9 f5 a2 8b 57 b6 a7 // cc 90 60 08 4a 40 6d a2 78 b6 f8 75 8d 22 b9 1c e1 76 26 f6 5a 36 13 // d7 8b f6 35 53 3b 96 8d 24 9f 4a d0 ef 1e 94 44 03 5e 5a cf 8f d2 48 // 33 9e 6e a6 b4 ae f3 18 65 20 9f f4 a6 4a f4 7c 42 88 79 7e 43 03 f1 // 4e dc 61 b1 e3 ef 07 ad 84 28 cf bb 44 53 bb 29 db b2 cf 34 3c 8b 0e // 0b ca f1 8c b1 ff 71 57 41 8a 90 6b e6 a0 e7 b2 7a 59 82 e3 d2 7f 4c // 15 db 81 95 66 f9 46 07 97 b2 b1 64 c5 e0 0c 94 22 f8 30 4c b7 5c 44 // a9 13 50 69 dc 57 37 6a 4b cf c5 48 09 6c 4e 00 04 09 cd b9 4f c6 bd // 6b 33 fa 9a c8 e4 8f 13 57 96 a9 6f 11 11 1a fe 1e e9 9e b6 70 4a 49 // 32 65 3d fb 1e 13 a4 0b 76 18 71 fb 26 0f 1f cf 88 15 d3 79 12 45 5c // c3 a9 7d a9 59 de c3 a7 f9 3b d2 82 94 d2 fe aa 74 cf 48 08 3c 85 e6 // 1c 30 64 8f 5b 7c 80 4e 3c 77 6b 9a 49 b9 50 28 75 43 e1 16 e9 13 b5 // 39 2b 91 db 78 45 ab 4f d9 91 d6 06 10 f7 05 c8 2c 47 37 d7 04 8e 6b // d4 4f 47 f5 6d 07 55 40 6a 51 b4 6e d1 cd 51 b3 6a 39 a7 d1 f1 da 14 // 1d 5b 9a bf ca 02 06 76 85 61 5f 5b 44 c7 80 ef 68 55 76 f0 92 72 82 // 04 b8 85 f8 ba d0 5c 89 87 64 4d 18 a5 4a 0d aa db 3f 5f 4f 54 d6 1a // 57 71 9e dc b4 ed 4c c2 c3 9c 9a 66 1e 62 e2 d3 5a 5b 47 11 63 69 0c // 65 a2 d1 5a d5 47 ad 31 d4 5b 8a c8 4c cc df bf 99 b1 31 46 e6 42 d4 // c8 40 f4 25 0e 88 24 86 f3 38 2c 5d 37 4a f1 26 26 82 9d 42 3d 5e c6 // 9a e1 80 a4 11 4e d4 f5 89 97 4c 7c 64 28 96 6c 3f fb e7 85 d4 52 c9 // 30 0a 5d 61 4e da 84 98 34 0f eb e5 20 73 2a a1 57 e3 97 18 bb 98 40 // 34 14 9d 11 78 7d 8e bf 68 59 62 5e f1 80 ff 4b 5a da b6 07 b1 e5 5c // 44 41 2a c2 a2 38 e6 b6 8d a1 e2 22 e4 58 1c b0 0f dd aa 97 ad ab 57 // 7b 69 96 9a ba 6b 38 c9 12 40 0d 59 59 c1 b9 f8 d9 5e fd 43 fa 2f e6 // 3a 11 2b 49 65 c5 02 70 d0 c1 74 c2 aa c0 94 bd 51 c1 42 de fa 5b 04 // 31 04 db c5 c2 0d 09 8c e9 c9 bf cf 04 67 88 8a 4c dc 0c fc 2e f6 a8 // e8 c2 41 17 8b e7 90 49 64 ad 18 07 02 19 16 0b ec 00 32 3c 59 81 d4 // 4a 53 ca 52 2c 13 bb 03 bf 72 db 6e b2 26 7f cd f2 cc 8d 13 cc ff c0 // 95 d1 ce c3 e8 b9 f6 d1 7a f5 ee d8 09 ad 96 de 9e 88 08 56 35 92 f0 // ef 19 4b 0c 8c a4 eb 5d 11 7f 6b 4d 66 4d 5f 25 5f 4b 62 73 bc e7 3e // 1a 8b cb ad 00 71 7c 2f 4f 85 27 53 d7 0a 72 a4 f0 c1 86 96 55 25 d4 // 60 3b 29 87 c4 bd d3 d7 8a 6f f3 87 f9 f1 fb 58 dd 16 dc 5a 9b f0 fe // 49 00 55 de 1b 17 e2 6a 31 35 4f ac 37 be dc de 20 53 4b f2 98 d9 7d // 1e 0d a0 86 f0 b5 10 bf a2 9a 94 50 b4 36 32 ed 71 fd b4 21 8d 4b 96 // 11 a2 3c ef 84 46 f0 a8 df 50 8b 16 4b d8 c2 39 ab 04 42 00 eb 7a a7 // b5 b9 89 22 67 c8 b0 58 a2 8c 26 f6 f4 f8 71 a2 4e 70 47 57 35 37 3a // 68 35 4d 17 43 4a d3 ba 1f 6d 6a 11 67 ab 9f 06 85 f3 96 d7 b4 98 ad // c4 6d 81 d8 d5 f2 06 45 b5 20 97 ed 1a a8 59 8c 4a 6b 6e 14 83 0b fb // 67 b3 5c d4 2b 7a 96 2c bc 3b 44 a8 e6 65 45 dd 8c 32 13 ab 50 63 c1 // 58 f5 40 02 3b 97 76 6a da 87 75 c6 c3 5f d4 e3 53 37 50 75 03 a2 9c // 15 9b 24 30 79 4b e7 c9 ed 26 09 31 9e 69 8b 0f cd bb f4 4f 4a 5d 12 // 8c 7b 0c 41 d4 01 12 de cf 6a 06 e5 1d 19 1c bf fd 44 4b 8b 32 31 15 // bb ab 4d bc 8f 9f da fd 6d 2f 7b 10 80 a4 ae d3 58 18 c2 6f c7 5a 8c // 6a 98 18 2e 1f 9b d3 5c 94 5e 94 cd b3 b2 5d 89 8b 70 4c 89 11 4d 22 // bd da b1 94 9c 78 1b 91 80 ff fe d0 04 2e db 70 78 8c 12 a9 7c 44 ea // 78 16 db 92 5c e4 d7 f2 17 4e 18 b3 92 83 4c 89 17 16 e2 e2 8d 07 64 // 86 f1 86 eb 8f 65 24 de e0 7c e2 20 9b f9 df c6 98 1f 8a 93 9a d9 fd // 4c 09 20 94 f0 bb 48 bf 37 28 0c 0e b3 c7 ee d5 17 9e 90 9c c6 26 ce // 17 8f a4 ad 70 26 1f 50 6e ac ec ca c8 27 2b 7c 8e 41 39 8f e6 52 d9 // f4 86 02 e4 ef 4d ce 43 44 96 11 ef 27 05 d6 a6 dd 95 4c 09 c0 0d 1e // 8d 24 54 f4 29 ff 36 73 8f 20 76 70 27 f1 f7 15 1b 21 24 35 1a 9f 01 // 96 f8 e8 38 ad b8 82 d0 cb f4 63 af a9 15 44 5a 02 ed 6c 5b e4 a0 8c // b8 03 98 c4 d5 e9 55 00 da 86 2b cc 26 58 a2 85 99 af 0a 2b 93 7e 26 // 58 df ee 12 10 0c c4 88 ba 67 6c e6 12 29 57 07 8f f2 a3 f1 2a 5d 74 // 3b 5c 91 a6 8b 80 fc 7a d1 16 75 7d 97 40 d2 b9 40 41 4f 7a 43 a1 c5 // c5 fe 3a 5b 65 eb 94 26 bd a3 cc a9 95 17 15 37 e6 23 cc 8d 0a 41 ff // f3 c1 d8 67 f4 f4 bc e5 0f 1e ba a7 1e 79 fd 8e d9 cb ca 12 cb ed e5 // 04 01 d5 98 79 ad a3 3d 87 f2 bf 76 11 dc d4 b5 b9 18 76 57 0d ea 77 // e6 e8 43 3a ba 3a 18 d3 1e e4 fa 35 a4 b3 37 6c fe cc 0e 4c f9 40 de // 70 cf db 9b 0b 29 c1 e6 8b d2 d5 8e 5b 07 53 a1 5b 69 c1 63 68 43 db // e0 5e 98 1d 05 8f 39 37 60 da ca 68 6c 12 88 2a 38 c5 a2 65 0b d1 da // a6 29 f8 d2 85 44 81 8c 97 dc be 60 c8 45 5e fd 62 62 9a 44 84 18 4c // 65 cb 4e a6 bb e7 56 ad ab 8f 27 45 2d 5f 6b f7 ef 39 0d 6b a8 60 93 // d8 b3 3d 75 67 a3 a8 fb 5d 6d 82 c6 33 d7 df 72 a0 99 c1 24 a5 1e 40 // 1d 62 34 c0 6e ee 0a 37 c8 8e 0c ff 59 c5 29 a0 57 50 b9 6a 00 c5 53 // 57 ee 98 f6 9b 65 b8 d0 a7 6a 1e 98 0a ca 89 19 5b 04 e5 e9 02 1f f0 // 7a 6e d3 33 cb 46 19 18 19 ac dc f6 e9 b9 8c 36 43 30 c8 cf f6 9c a3 // e7 75 b8 4f 1b 0d ee 29 bc 22 93 21 79 ba 25 de 6b da ac 05 d9 df f2 // 84 b3 f1 00 31 9b 51 eb bd d9 24 4b 4b 68 6b a4 10 39 1d 61 15 81 7a // 47 4d 05 bc 00 f7 b9 19 02 7b 74 ec e4 d8 b3 4a b4 a2 49 0c b3 9b f6 // 98 44 c6 88 1f a7 f6 47 57 62 8e e8 00 9a 44 2a de 79 3f dd 41 d3 09 // 76 7b a2 4d f8 35 4e 19 79 d4 1e 2f 34 b8 4e 99 55 7f 91 f4 93 f0 1c // 69 8e a7 4f 1a 42 67 d1 cc f2 03 0e 15 c8 2b c7 43 eb 4e bd c6 c4 f1 // b2 4c dd a0 16 2a 76 98 5d 15 4e 7f 91 52 1d e2 04 bc 41 59 74 7f 16 // 95 90 fe f4 3e 48 56 4e 14 45 ee 10 a5 60 60 2c bc 16 0c 80 a2 7c 65 // a1 e3 31 e9 34 ed 53 d4 a0 28 5e e1 56 90 e6 8f 67 ea b4 51 0d 89 3a // 96 15 cc a0 83 d1 4e 1a 1d e7 e9 7d 95 80 50 f0 de 8f e6 c9 c8 15 8a // ee b1 80 da f5 dd 84 be 99 a1 c3 71 51 08 bc 67 ba cd 14 54 2a 17 e9 // 78 26 48 07 84 75 90 7d 82 a2 bd 25 fb 18 1a 1d cf d1 23 cf b4 9b 11 // f2 a0 a6 9d 33 e7 b5 11 47 d1 99 14 f1 7c e6 70 8e 93 47 5f 6a c5 1b // 58 39 2a 43 8e ae 03 82 bf 86 c5 fc 4b 9b b9 19 dc e6 98 ef c5 e4 46 // 8e b9 38 fa 69 7c be 16 b2 aa d7 ee a6 19 8d de 32 71 3f c2 41 da de // 9d 57 8d 19 14 e4 6d d0 e7 f4 5c 1d 92 d2 6e fc c3 50 f2 c4 1d 99 1c // 4b 87 0e 1a e4 8b 9f 0c 15 39 b9 23 31 cf 2d 35 32 1b e3 db df a0 83 // 24 d0 fc 7f 48 24 00 ee 86 fc b0 6e 02 fe 25 66 90 e5 a9 ec e7 f0 91 // d8 82 28 43 a6 aa 0e 8f 5d 01 21 f9 7d 0f e5 02 3f 00 52 eb 24 ec 06 // 48 df a4 c0 0f 77 ad 31 ec 85 be f9 49 c1 a6 45 b8 02 56 2f 09 50 43 // 71 5f 25 19 77 05 33 30 bc fd ba df 62 ed 2f 35 dd a4 66 f8 f7 de 12 // fe 80 33 b1 b4 62 6b 01 ca fb 4c 9e 97 9a 76 3d 77 73 a5 b1 33 df e0 // 45 ed cd be cb 05 49 23 05 29 bc fa dd 21 70 bc 4f 87 84 6b 3e 59 20 // e6 f7 15 2a 3e a6 48 db 65 18 7b 4f de 3e bf 2d 06 7c 29 1d f1 fa 6c // c7 d4 3e 06 cb b2 d2 5f 67 48 6b 7f 66 29 f9 00 2f 12 2f 3a f0 43 f5 // cc a8 0a 07 68 a9 89 e5 ed c5 09 8d 4c a8 2c b1 08 df 90 23 84 a3 f1 // 87 a0 c0 ef df 82 a1 73 91 8d 8e 45 2e 4e 7e 2d eb fd fc 71 bf d0 47 // 3f f2 50 47 7c ed ce 3b 0f 16 85 60 fd f4 eb 43 af da 72 41 97 d2 77 // 85 89 9b d8 29 76 4e 3b 9d 79 1c 32 f1 32 12 9c f5 e1 1c f8 11 b5 d4 // 33 93 d8 a2 38 92 b0 4c 64 9b 42 ec ee af 8c 9f 33 3e 53 20 c1 83 c2 // 88 d1 88 88 ce 3a 43 f5 03 f3 8a 88 50 37 35 a0 05 9d c0 24 77 14 5c // 0e a8 cd 2d c3 e0 19 ae 15 b3 50 4d 95 d2 44 bd 01 d6 42 47 80 74 ed // 44 3e 49 1e 7e 79 c4 7f d0 14 39 0c d5 f4 ce dd 91 54 f3 60 7e 12 86 // cf 96 66 28 42 23 6f cc b5 2c 2a 75 32 b5 bc fc ff 48 24 ce 56 92 2d // 1f f8 c1 60 2f 86 cc 38 5f 7f 05 a2 a6 84 74 d8 40 de 81 7e c8 4e a6 // 11 cd 0e 32 90 b7 25 05 89 74 53 8c cd 8a 4e 78 38 0f e1 55 44 6a bf // 56 bb 91 61 46 31 11 81 09 55 db 7a da 24 f0 b4 f8 8a e5 b8 3e fa 12 // c4 cf 64 57 f9 41 ef 21 76 c5 ce 75 b9 8d 54 21 a0 07 45 af ac 9b d9 // 09 fc 51 72 97 60 41 2a 57 20 ee 24 cb 1f e4 b2 83 07 a1 e1 53 e4 cd // 2e ec 7b 62 82 6e 81 4b 7b 56 2e 16 86 3e 89 76 c3 56 59 3d 82 d4 37 // 92 42 53 35 d3 8d 3e 00 79 7f ec 4a 97 5e 5e db 0e c4 5f ac 21 39 f1 // 2f 16 c5 21 8c 26 dc 1c ca 8c 07 1a b9 47 23 c0 f0 a8 77 1f a5 64 5a // f6 cb fd 94 e7 c7 11 24 a5 9b be 44 bb ea 29 60 30 8c 4d 15 31 da 9c // 5a f9 12 35 92 f1 92 f1 d0 ba a2 40 3d 49 fa 43 36 07 71 9e b3 41 47 // 43 e4 0a a9 28 bd fc 2a 9e ae 76 f6 20 38 fe 02 f0 db 13 a8 c8 13 75 // 0e 45 62 6f 1e a1 50 17 7c 7a 95 60 bc 0f bf d1 00 42 18 ec 18 42 83 // 07 75 3e ce 8e 8e 89 55 e6 18 e3 99 f2 b8 e4 b4 ae 85 4c 60 f0 2f fc // 61 c5 95 ca 6b 82 6c 31 9e cc 0b 82 29 ec 71 4d 57 0f 65 0b f4 52 2b // d8 83 a8 85 26 bb 88 ba 5a 20 11 be 73 c4 8f 2f dc 44 24 cf be ad 86 // c8 b6 91 76 a6 e2 03 27 95 a0 84 6a 4c de ae 8d 8b 12 b3 54 58 da 90 // 32 c4 67 be 54 75 12 e8 91 92 f4 23 b8 4e ba 74 41 bb 2d 38 ad 53 a5 // 5b 83 9e 94 7b b6 47 71 0b 53 e6 93 7e 2b 00 e2 23 6f 99 41 1f 8f fb // 61 85 95 1d 91 9c 04 8f 3c 1f fe 1f ca ee 46 01 1f b2 c7 80 75 44 13 // 9f b9 12 da 19 3c 4c d7 62 f9 3a 74 08 6d 96 45 5a b5 7a e0 57 c8 f2 // 80 2a 76 eb 97 e6 32 91 bc 40 73 c5 39 5a 03 9c 50 cf 53 b8 8d ea 44 // 48 2e e7 74 0d c9 cb 57 15 70 dc d3 e5 6e 9a 21 eb 17 dc 89 2f d3 ba // 36 c7 f0 3b 7d be 6f fa b9 a8 09 87 8a be 16 57 9d cb 06 ff 96 95 99 // a5 bf a7 ee d8 a1 f1 aa bc cb b7 8c fe c3 23 32 9b 2e f5 d4 54 0b 11 // 13 4c 90 5f 98 2d 99 58 87 37 f7 2d d2 2d ff 10 df c1 44 35 6e 9b 89 // 98 49 13 c0 25 ff 4a 1d 08 f8 82 d7 75 9a 32 d5 d8 aa 7f 56 4e b5 5e // 41 23 ba d1 df 29 76 a4 ec 92 bc 51 8f 0c ca f0 07 1d 2c 8b 6a 5d 15 // eb 7f 23 e2 a9 13 68 d3 10 5e ac bd c0 1b c9 d9 5a e2 4f e3 be 92 f1 // 0c cc ad 21 ca e6 d7 5e e2 0e 0a 4b d5 87 ed 3e b9 b7 a8 81 d5 5d c3 // 84 30 ae d1 57 c4 91 e0 a6 42 fb 64 39 1d b0 89 62 96 54 c9 d6 3e 23 // 72 b2 3c 0c d5 ec cc 99 f8 d4 ea 98 73 b6 13 09 aa cc 64 02 c4 84 31 // bf cb bf 53 79 44 4c 1f 41 36 5a 12 a7 dd 23 fc 2c d3 1e 20 96 b1 b4 // 75 0d aa 89 ea f9 c2 47 fc cc 9c 56 d1 23 5c 92 b9 06 6a 31 93 c6 45 // d3 e8 d8 8f b7 c1 92 16 c5 15 84 60 43 77 3e b9 a6 fa 60 c1 50 81 38 // 5f 3e af 18 72 d8 4e 6d e2 81 8a 14 eb 84 92 18 23 3b 30 58 e9 7a 91 // 17 38 d2 7e f7 d1 fd 91 29 59 bd 35 67 2d 20 88 c5 25 c5 b4 53 8a d9 // 5a db 64 a0 c9 26 ea 38 74 16 11 09 b9 08 7e 41 60 0c 49 00 8f 69 4b // bf 27 ef 26 31 b0 c0 95 4c 83 df 95 44 f7 4b cf 6d cb 2f f4 a1 e0 ca // 90 b0 29 b9 bd d8 ab fe d4 96 81 09 be 96 ac b5 e1 50 76 f9 85 71 db // c6 5d c2 ee 1f 71 4e dc b9 21 e1 5e a3 c5 64 bb 15 5c 5e fd 8e f5 99 // 92 17 3d e6 c3 ee 03 5d 77 ae 0a 96 c3 e0 72 31 3b 30 7d d5 42 a3 72 // 60 86 a0 d6 04 75 01 a9 ea 01 d4 41 00 09 78 57 f1 6c de a7 dc ff 1b // bb 63 78 de 4d 4d 2d c5 28 a5 7b 7b c7 fe 41 77 ea 55 17 25 e2 84 0e // 0d ed 85 08 4c 7a e4 ad b8 03 60 c2 90 a7 89 65 92 a1 05 9a 08 8b d5 // 89 cc 1c 32 e1 3d eb 2b 52 33 a8 f2 af 4a a2 6f c1 d0 e5 44 f3 b3 c6 // d6 b8 e1 44 dd 45 8b c8 74 e3 31 50 93 bf 36 ac 99 b3 7a 73 d3 46 1c // ae b8 33 03 e8 c2 d9 52 07 6b af 09 04 ba 22 63 e9 a5 bb 04 dc 72 2c // 82 94 21 cc e5 e1 e6 a7 7a af 5c 07 fd d2 ee 90 0c 69 fa b6 2d c0 d2 // 3a eb 12 01 14 fe 46 e4 c3 ef cf 6f 7d dd ca b8 fa 48 12 55 46 b2 ae // 3c 88 4e 8c 9c 4c 1a 74 2f e9 b6 f2 bd 46 6c 21 9e 5e ab 81 1d af ed // dc ef 73 da f3 a8 eb 8c 1b d1 e2 3d 15 79 7e 0f 52 0d a8 d2 f3 30 ef // ed 2f 51 10 21 ef 8f 7c e7 3c 0f 77 7c 3a 5b a9 1a 97 ee 1c 6a 8d d7 // 19 98 c6 ae dc ce fd c0 f4 05 04 2d 02 1b 59 f4 79 2e 36 2e b1 15 ad // a0 f4 7c 1f d6 76 6b 31 57 eb 88 9b 3a 9b 7f 47 7b ed 5d c7 78 23 94 // a8 27 a7 0f 14 0c 64 0d 6c d3 ca ee 98 b5 3c ee 83 c5 93 18 59 c3 0c // f5 8a 34 9c 56 39 d9 be 85 15 d7 37 36 e9 66 97 7b ae ce d1 ee 05 3a // e2 6b 9f 82 7f 1c 0a e6 15 22 fc df 7b 96 bc b1 de ec 87 b0 6e 2c 98 // 58 e6 ef 57 2d 76 a7 b5 82 53 8b f5 ff 12 f7 c7 92 14 7d 76 c1 60 10 // 27 e4 ee ac 71 28 01 61 bd 79 c8 cc ed d3 9f 7e 4c d8 3e c8 d9 65 45 // 29 77 9a ec 12 ab 42 22 4d d1 bb c6 20 c4 2b 8c cd f3 d6 56 9b 2f 89 // 3f ce a5 40 44 84 40 51 a8 dc 1b 7a d0 6c 21 61 c2 28 34 38 51 73 d2 // 1e b5 70 56 a5 87 d3 31 83 d5 7e 3e a0 96 2f a8 13 46 09 aa 11 56 a1 // fa 7c 6d 10 51 d0 25 6d 17 70 54 e2 b0 1c 33 92 0b 68 47 00 f6 e9 59 // 8f 62 4f 9b c5 e8 cb 79 c3 3b 62 4a cf 4b 48 ae b2 b6 11 b7 ae dd bd // f9 ac 3c c8 f0 e9 a7 e4 f7 93 cb 83 ad 36 07 e1 2d 86 ac 2e aa b3 12 // cc 8b 57 bc a7 50 70 fa 77 00 f9 42 35 9b 5f ac a4 32 44 75 06 cb 6d // 74 d0 21 c0 6c 6a 62 bf 88 2b cd 7a d4 47 b3 97 76 d1 72 17 8b 4e 14 // 0f 87 75 09 3c 5a 57 7b aa 97 70 06 6d 80 23 cf 7a d9 07 0e 24 6b a9 // fa d7 0e 76 c5 bd ff fb fa 36 f9 35 90 2b 3a b5 75 97 d2 13 d3 ae ed // 99 a4 61 fd cc a7 36 10 04 0d 00 7c cf de 8e 62 24 79 63 71 e9 75 96 // 35 d6 bb a3 66 58 81 54 a2 77 a0 bc b0 2e 16 2a f4 2b 98 ed 1b 27 e4 // 8f 81 6d 12 08 91 c4 6f 8c f6 7c 0d d1 ab 38 61 1f 0f 12 ba 90 61 65 // 77 f1 1d f3 cb 1c af 61 97 7f 24 54 64 ab eb 0e 8b 58 de 82 28 b9 2b // 78 09 71 78 ed 88 b2 f1 6a 22 2a 51 75 f8 28 ef 52 8c 06 fd 01 79 40 // ff e2 dc 8f 68 cd 9d 15 b5 eb 07 46 94 1f 67 8d e5 b9 d8 29 ff df 2c // 66 7e e2 14 8c 18 82 15 f8 0b d4 96 3b 4f 02 2b 2b dd c7 74 ec 6a 82 // 35 12 88 05 90 79 b1 7b 70 8a 25 7b bb 21 2e 98 bb c5 84 f5 09 a1 d1 // 3a b7 a2 7e a2 49 f4 29 31 23 ca b0 bc c5 21 d4 f1 ee 07 7d eb 4c 5b // 1c 15 84 fa ad a4 95 5a 52 ed e0 7a 45 52 a0 70 d7 80 53 19 3c 8a 90 // 63 31 d3 86 b1 d8 49 85 b3 0e 74 a0 ef 50 4f 73 3f 7b 57 31 96 11 a9 // f6 0c 38 ed 59 c2 af 1d c9 38 53 e2 c4 8a a3 36 21 40 81 b7 88 3d 16 // 39 bb 2b fb a4 1c 67 c4 89 c5 69 c2 fe 7a b2 3c 30 6e 8a 6e 6d 0d a4 // 09 fe d4 30 22 73 65 a5 f6 93 99 b6 ac 73 48 a3 d4 31 49 e1 6e fd 03 // cf b9 6f b0 f7 3d 65 a8 a5 2a 91 27 b8 4c 85 b9 70 12 b5 f1 6d f0 30 // ea 92 ae c3 df 0e 40 84 65 8c 8f da ba fc 80 e0 e3 e6 32 f3 44 f6 45 // 17 6c d5 8b 30 33 fc 90 96 9e 70 c3 dc 64 37 49 1f 4e 4b fc c5 02 a0 // bb f5 9b 90 eb 0b 86 36 cf d4 ed 0c ce 2a 3e 19 7a a7 bc 48 e1 4f 4f // 35 ed db ab 49 31 5d 47 69 5a 04 72 81 d1 65 9a a6 70 3f 01 73 b2 1e // 35 39 8c f8 85 1b 9c 7c 1c b6 9d 9c a8 0d 95 aa 63 20 11 25 1d 67 bf // b1 35 54 5c 70 32 19 b4 09 4c 28 70 6f b7 d7 d2 f6 af 87 be 67 e4 d0 // 42 5c 56 4c 6b 09 9c be 38 3f fe dc 39 c8 69 fb fd 34 1d 5c e7 df 0a // 8e 93 05 cf 32 e2 b8 28 b3 bb dc a7 2f e7 cc c7 2b 0d 12 a2 38 42 d3 // 4c 05 66 e1 61 3f 3f 1e 50 38 5a c5 f7 8d aa e4 77 10 69 e3 b3 8f 73 // af 3c 93 38 36 a0 50 b7 d7 0d 02 27 46 6c c8 e2 e9 17 a5 15 10 6b 54 // 54 f2 ee 3e ad 04 b7 04 5f a7 4b 56 19 99 ee 48 dd 68 34 fd 04 4a 9b // eb ac b3 fd 7b b9 fd 40 15 52 f1 e6 b7 3d ba eb 01 71 fe 30 67 62 8d // 52 41 32 b9 e8 d7 75 04 71 ef d3 3b 83 4a 3f b4 47 e6 6d e5 d4 1c 03 // a1 5b 27 27 28 84 b9 97 a8 6b e6 a4 5b 28 e0 0f 6b 52 f9 1d c8 c6 46 // c9 4c 2b 95 49 8a 64 4f 72 45 1c 5c 0d 46 c3 6b aa 78 ce 74 89 52 86 // 96 57 bc b5 26 eb 82 bd 9e fa da d6 13 93 f9 f1 f2 de d5 49 87 ae 85 // 20 74 6d 28 83 19 b8 17 dd a8 f0 72 39 cb ee af 3b d2 52 c6 f7 c9 74 // c4 fe 18 d3 8d 33 4b 08 9c d6 36 b9 e6 82 c7 0a d3 5f f0 a4 d9 97 a6 // 4e 97 35 79 85 ac 2c 68 5e 6e da f2 00 8e ad cf d8 58 69 30 09 4f 27 // fe ca 9e 7e ad a9 c4 7e 79 6a 9e 6f 45 ce 56 06 cc 69 65 9e fc c2 2c // 02 36 31 2e 25 cd 24 a7 20 13 a2 2f de 25 b5 fe 3e 06 7d 53 29 82 e5 // d8 a7 78 d1 0b f0 4a 8c b8 aa 9e 9c 68 9b f0 ee 9a c4 79 c9 f4 e2 3f // 8e 20 43 33 5b 90 3d 5d ff 0f a6 27 36 36 2b e3 1b ce 82 ee cd 71 3d // a1 b1 db 3e c1 cd da 2e fd f0 f8 e5 e7 a6 8e 65 f5 f0 27 f7 15 3f ad // 6c 24 07 e3 8e df 5d e0 e0 8d 48 13 e5 6a 5a d3 8b ca b0 9c 57 08 9b // 6f cc 58 ea e1 8a d9 e3 a8 2b e2 4f c0 62 8f 5f c6 6e f1 d8 f0 05 77 // 1b 02 fa 77 05 63 b3 0c 8c f8 d8 72 2f 89 86 0f f8 ee de 15 71 12 b8 // 36 06 cf 68 f0 91 3e d1 1b 2b ff ce 7d 23 11 d1 d9 1e 4c f6 e4 50 d2 // 60 cc 39 06 62 d9 6d f2 13 f4 c0 89 40 26 de d9 fd c7 9d 62 d1 cd 43 // 12 a6 ad f3 c4 e5 b7 85 09 1c 6f a3 b5 1c 91 4d eb 42 f1 aa c1 19 06 // df 20 53 9c a8 60 e2 8d 10 36 c7 3a c7 5d 73 05 ad 25 05 c4 9a 73 ab // 14 57 0c e5 90 9e 88 06 2e f7 03 ab 62 3c 9b 7f 52 06 0e 54 73 a5 e8 // 05 f8 c3 d4 2e de 7a 87 ff 21 82 0c 4a a9 0f 19 11 62 c1 e4 b5 e0 41 // 3b 06 ee 7e aa 14 91 7d a7 f6 2e f6 bd cd a7 32 f1 a8 9d 1c 36 4f 2b // 00 23 bc 4b 6f a2 47 e9 fb 82 3c 91 c5 7c 0d c1 0c 1d aa 98 66 a8 68 // e9 a6 45 eb 97 e0 a4 88 58 96 e2 21 9e 2b 91 78 af ed 4d af 94 6b 74 // ac 70 c9 74 85 f5 9d b4 67 39 5d 49 11 38 ce 68 a1 b6 af e6 c6 e5 f2 // d9 2a 68 42 17 a6 30 2c ea ab 0f 43 5c 41 27 ef 18 05 57 69 01 ba 38 // 31 f0 64 24 0b bd 5f 3b 00 81 ca b9 c9 e1 c6 54 1a e2 02 8b 71 8a 19 // a7 a5 d9 24 3e 01 ff 1c d1 1e 7e 38 f9 02 a2 06 8e 8d bc b8 05 27 62 // e7 72 45 c0 ec 31 bd 87 cf 09 73 09 6e 47 51 02 b2 43 13 5f 6e b3 f3 // b6 2f 8f 30 54 7d a5 c2 29 4b 74 4d 02 12 2d 74 68 60 13 e1 b5 33 e7 // 95 9a 52 c1 62 5a be 75 c0 e8 d1 e1 2d 30 3f bd dc 78 1b 9b 86 91 d7 // d3 3f da 5a 59 f5 ef cd 20 27 3b b3 53 df 39 59 5c 0f 7c 1f be df 46 // 9c 39 b1 da 77 a3 fa 1a b2 99 41 44 92 97 0f ed 4d 13 4f 1b 2d 07 7d // 2c 79 ec ea e6 d8 00 7d 1d bc 98 45 b0 9e 51 62 9b af b9 c9 6f 69 8a // a1 75 6e b1 4f 99 7f fe be c8 b2 3e f0 32 ea cf 3f 86 bb 0b 18 85 6a // a1 96 1e ab 05 ac c0 64 07 76 d3 0a 49 bb dd 97 3c 4c 16 12 49 d9 64 // 64 74 90 62 2d 31 2e 3f 88 a0 58 12 9b fc 47 ed 44 c5 f5 99 00 60 9e // 6e fb c1 fe af d9 79 81 80 fd f3 03 2d da d3 32 97 ff ab 31 16 d7 0a // b2 70 b2 50 63 f8 97 09 66 35 06 cd 37 a9 c2 5f 6c 52 18 62 bb 8a 44 // 7f 12 8c c9 cc 6e 76 86 d3 69 ce fb f0 70 17 96 9b ad 53 44 36 33 a8 // 50 4b f7 2b 78 a8 fa 78 81 89 4a 4c 79 b7 a6 c6 6b fb ab cc 29 5e 18 // b6 64 76 94 a0 3f bc 87 06 39 19 fd dc 58 f1 52 b2 d1 5f e6 63 17 76 // d2 34 33 dc c1 b7 cc 22 b3 8d fc 79 c4 3e 52 89 8e 9a 86 97 5d 7f 00 // 39 32 f3 b7 6b 83 f8 08 f6 65 86 e7 4d 21 f5 34 a4 c8 fb b6 3f ee ce // 6b c4 8f 3d 0c 5d 5b 5b 4b 71 b8 62 8a f5 73 31 a8 3e 3e 44 67 40 4a // 5d eb 85 26 83 e1 56 0b f1 c5 f6 5d 47 2b 4e 41 d0 9e 60 8e 4d d8 aa // 4c ce ec 86 0c 12 3b 58 27 f5 2a ae a3 6e 65 36 92 17 a6 ed ad e1 c8 // ba 1e bd 22 25 eb 2b b3 4b 85 c2 cc 16 e6 61 a8 8f f1 d0 93 5a 31 5e // 09 60 22 d6 dd a5 d7 a7 3d 9b 20 03 38 b4 67 3c 82 fb e3 db 00 c0 3e // 0b 70 e5 96 2b 19 63 9b 6b 17 80 18 1d 2f df 50 b9 6f 6e ec d4 0e de // e1 db a7 84 57 15 c9 71 42 e4 19 8b d3 f2 48 b6 16 22 c3 a2 c8 24 c4 // 98 35 0f 2c 36 ba 2f b3 ee ca 9a 7f d9 b3 54 83 70 21 df b8 93 a8 39 // 53 67 c0 00 d0 ea 8b 04 85 aa a8 0a ea 77 b8 0b 07 2a e0 e2 70 2d 57 // 5a f4 59 9f 89 91 aa a4 16 84 fd cb 77 f1 d2 5e 03 35 36 f4 0b 2e 35 // 7f c7 45 59 df 6c 92 24 db ab b1 97 4a 7b cb 44 1e 2c 89 73 43 a0 3a // 08 6d 35 3b 1b 56 d4 3a da 04 50 84 65 f9 45 a1 78 68 39 43 b9 c7 a1 // 6a 80 c5 bb 6f 2c 27 ec 49 1f 90 c6 f2 0b 98 fc b9 28 29 1b 3f 19 b6 // 65 40 bd cf 27 8d 4c 88 35 1b 6a 28 9c 29 93 50 5b 6e ff e6 00 22 cc // c0 66 6f 4b d5 46 b4 0a f4 3f a7 17 11 09 bb a1 07 60 7a 0a ff b1 55 // 31 13 39 3f 02 67 b2 c9 49 43 60 4d 92 76 c9 d0 11 77 ed f6 4e 11 c1 // 28 3f 40 87 61 07 0b 89 8e da 2a d6 ed d1 95 62 d9 be 89 f1 4a 61 17 // 80 fa 59 ea 57 77 2f 06 82 be c6 fe fb bf 1b 2f 51 db 85 b1 ec 25 62 // 62 ee 51 16 87 55 2e f3 f0 37 66 d8 18 44 54 f1 e1 51 c4 1c aa d0 0c // 74 23 ff f5 a8 87 ca fb 1e 47 ae 16 81 1f fb 58 39 14 a6 2c 56 95 9a // d3 02 82 8b af b6 c1 80 15 9d e7 6b 5b 6a 22 77 ec d6 63 5d 28 2c 02 // 61 e8 fe fd bc 78 3f 87 10 f6 03 5e 28 d0 a4 ac 7b df 97 03 7a b8 b5 // 71 75 08 40 77 1f e2 e5 40 9a c6 c3 6f 97 d4 83 ec c5 2a 84 55 e7 ed // e1 e1 c2 cf e5 a7 2d af 9d 1b 5d bb 36 19 a7 f6 cb bf 00 bb 68 5d 1d // ad c1 df f9 4b 30 83 a8 3c c5 40 cb d8 7b df f5 3e f3 a6 b2 df 04 fc // 21 b1 1c e6 0f cd 78 ea 29 d6 5b 87 07 c6 f1 f8 ee f7 88 53 a7 b3 90 // 40 0a eb 7c 05 aa 7f 95 e6 7c ce 4a de 14 bd d6 65 4a 23 0d 94 9d 2f // b3 33 0f f0 08 8e aa a1 97 ef 61 4f f6 94 59 44 02 40 d6 b8 85 87 6c // d5 a3 d7 a9 ea 1c 28 02 81 3a a0 82 e8 e5 d1 c4 4a 71 56 42 2f 9e c7 // 50 8e 09 46 ac 70 6c a7 c7 b5 dd d9 51 76 c6 b1 65 37 aa 24 2e 05 38 // 77 30 e4 1f c3 83 92 98 37 21 a4 76 c7 bf f7 9c c3 e7 6c 2c 77 5c b3 // 5c e5 09 c6 de f9 47 6f 54 8d 90 e0 ee 64 2d 0a c8 c2 ac 1b eb 20 b2 // 6a ff 70 30 ee 02 71 f6 49 3d 46 c9 fb 44 ec 2d cf 6b 11 1c ec bc f0 // 45 72 8f 62 4b b2 bf 27 23 c0 05 b4 d9 b1 9a c7 b7 69 82 50 f0 4e bc // 94 fa 90 04 c4 f8 2e 6f fc c3 ff 95 84 bc af b6 88 da 91 95 ec cc 39 // 87 f0 af 58 90 80 8b 8b 13 91 0e 01 95 54 50 ab 5f 7e e2 1b 79 38 d1 // cc aa 33 b9 de 31 d0 6e 01 58 42 25 4f 1d 5f 39 d6 bb b0 ae b9 fb 97 // b1 53 eb a5 74 9d 19 fc c1 10 34 27 33 09 4d 5c 8d 82 b7 e1 c4 6f e5 // c1 a7 23 e7 cf 2a 35 96 ec 49 94 82 91 d4 77 4b f9 dd bd bf 7a 26 1b // 88 04 47 d3 ca b3 2f 7b 05 5c d4 17 14 2a cd 22 40 bb a2 d7 fe 3f 00 // 3d 3a 78 96 02 67 3b c3 4f a8 4c 40 10 1f b8 0a 4c 23 de 6f 68 9f 13 // 01 4e 78 cc 21 d1 b5 8f 2e 83 8a 00 f1 67 9e 5c ee 78 48 98 c5 c2 5b // e9 94 95 09 86 2d 70 b5 38 f0 fe 38 23 25 ef 77 b5 05 37 dd 32 d3 da // 5c 41 d2 06 f9 46 d7 f1 f8 6f 5f 86 f4 1f 39 dc 21 6e df 78 69 fa 2f // 4b 1d 53 4c 7c fb 29 6b 2c 5d 32 3e 43 57 c0 40 0f dd f4 57 1e 8a d3 // b6 3c 94 10 ec 3f 6a d6 c0 4e d5 99 bc 60 f0 4d 4c 0e 95 6b ab 7c b0 // ff 1c 32 42 15 29 19 95 2f 57 bf 32 41 38 91 52 15 02 69 21 f3 4c 19 // 7a 07 6c 62 ee 70 ba 3b 04 f7 3d 4f a9 1b f7 21 a3 89 2f d5 2a d2 04 // 5d 8b ac b0 06 04 d2 fb da c0 92 68 79 4e db 92 93 f9 96 5e 74 c2 83 // 7a f8 89 de 27 46 66 1b 14 15 eb 0f 2c 72 29 e5 91 62 8b 42 7d dd 3c // 8f c6 f5 f5 97 a7 b1 f2 a0 3f 96 57 44 45 0d 40 67 b7 eb 5b 54 dd c2 // b2 bf f2 22 21 b7 3b d9 14 35 db e9 08 4f 88 1b c1 27 16 5b c4 42 3e // 88 fb 55 33 4b a2 50 ff d1 50 2a a4 86 52 ce 5d 05 4e 1c e1 4c 2c 8c // 8a f8 37 ff b2 3c 17 28 2f a5 9b ae 4d f6 06 f3 3a 5d b2 bc 38 8a 2a // 62 cb 30 b0 8c f0 75 86 a4 f8 c8 c6 20 9f 22 5f e0 b3 0d 7b de 2a b8 // d7 be 90 49 47 3b 9e fe 4e 45 ad 43 22 ce de 4b 1f 31 b0 0c 24 6f ca // 13 2e 60 61 16 51 8c 37 76 bb 87 a4 60 d3 61 86 ef 55 ac 77 2d 04 54 // 07 89 03 52 42 ec c5 32 4d 18 45 f9 13 2a 08 dd da ff 09 40 e0 0b 97 // 70 1f f1 dc 42 4b 42 df e4 ac 37 01 82 04 04 db 18 3c 89 60 44 03 b1 // 4e 1b 3f 25 4c 20 e3 fa 40 ee 8d 86 84 ee 3c ee fc 4e 92 09 11 65 5e // 4a cd bc 3b 7d 2b b0 e1 24 0e 49 6b 96 57 f2 c4 cd 71 85 82 0f 7c 46 // 8e dd cf 40 ad aa 02 b7 49 b4 63 d8 3d 21 e2 17 cd 90 6f 4a 91 5b 4a // 46 42 06 30 d4 bc b8 cf 28 10 ef 41 f9 46 e8 bc c9 55 35 05 d7 0f 10 // 82 5a 8e f7 89 c2 ee d7 80 ba a2 74 c0 36 c4 2f 58 86 52 73 af 2e 5f // 81 a8 2f d2 b7 b3 15 99 89 48 fa f1 45 d4 79 52 77 38 76 21 0c 89 0c // 77 fe 36 f4 e5 ee 1f c2 c9 d6 fb 4e c6 04 11 e1 37 3d e7 ff 7a df 5a // 7d af 30 31 29 7b f7 08 c7 5e da 9a f6 e3 1b 49 3e 2e d3 04 17 ce b0 // 02 52 88 c2 dd bd ad 4c 56 24 1d 57 18 41 03 65 9c 53 f3 55 13 20 c8 // 00 73 3f 05 80 0f 80 49 00 49 67 f6 90 76 83 1c 2d 65 f4 52 3f ac 28 // 42 b9 a2 cb 69 2b 4b 18 d4 6f 6c da e3 d4 45 e1 32 d8 7b f7 f7 14 11 // 16 1e 6d b1 be 5d 16 32 30 ce 22 58 27 94 38 b2 cb 71 61 e3 8c 5e 96 // e5 8d 30 c1 ee 97 0d 18 59 3a 2b d1 ff e9 8d fd e0 d2 b3 34 e4 89 1c // 2c ca 77 bf 77 8f b9 c5 1b 96 74 24 06 e2 9a 9f 17 3f d4 05 c1 1f 07 // d2 ff c0 04 21 6a a7 af f2 b8 28 4f 79 bc 01 29 86 95 53 87 95 eb 22 // 27 f5 5f 42 fe fd 3b c1 45 57 d2 95 6c cf 5a 08 00 b2 cf a3 eb d4 dd // d2 1b 55 e8 6d de 2f 65 f7 3b 2e 4e 0e 7f cc b8 8e c4 44 4b 90 d4 a2 // fc 9c 44 77 24 cc c6 d7 2d d5 9a 6e 47 0e df 27 13 ad c9 a3 ce 42 7b // 02 26 56 d6 ad 25 2a d8 11 78 c4 03 04 59 f5 22 d8 8e 14 35 67 b8 80 // b9 44 3d 1e 1e 23 22 1c d9 7e de 71 7c 8a d0 23 04 e9 1e da a6 d9 da // 90 3a c3 fc 69 38 70 49 e3 a2 39 3a 65 4f 90 0a 7d 42 c5 63 ae c0 36 // 0c 73 49 de fb bc 81 f2 20 f2 41 b3 cd ba 55 6a d9 e4 a5 f1 08 da 42 // ee c9 0b ff 26 4f 4e 96 93 ba 92 d6 2a 7a 13 1a f5 45 5a be 59 41 3b // 90 0a 7c 47 e2 3d f2 92 23 3b c3 99 14 e2 c2 ee 1b 03 19 1e 8a ed 03 // 22 74 87 62 c5 d1 67 2f 25 06 72 90 4f 22 bf 79 66 31 a2 62 25 de a2 // c8 55 6a b9 ce 5c 76 80 bc 77 02 8c 7b 59 8a 17 e5 a6 cb 3f d3 82 c5 // 09 fc 82 e4 39 52 fc 2c 00 c7 d7 41 4e d3 b5 37 81 d5 da b0 ae 7a 4e // 7e ed fa 89 54 4f 69 37 f3 b7 9c 16 44 7e de 80 84 0f e2 26 3e b2 ad // db 32 ab a1 ea 7a 4a ab 94 9c 5c 9b f9 3b 6e 46 03 da 89 06 d5 d9 65 // 59 3b 9a 57 47 78 66 f6 b9 8d 51 e6 57 e8 6a 81 72 f6 53 6b 44 1f 9c // bf 6a ee 80 0d 16 50 d3 13 86 b4 84 1a 62 50 03 0d e7 72 22 2d 05 73 // e3 4e 7b a8 6f 4c 2d 0d d0 fd 32 00 f6 bb 9c 34 74 2f 21 d4 81 80 97 // 76 bb b0 a9 bf 04 af c3 47 dc 4d c6 ff 63 31 e4 25 78 96 31 5a 39 4e // ef dc f4 bf d9 1f 6c 21 0d 4a 69 86 9b 02 5f 9c f9 d0 38 1c 88 bf ef // 1a 6f 8e 7c 69 97 d2 60 86 2d cc 9c dc d2 03 07 0b b0 65 58 e7 22 be // 4a 47 da 45 85 78 4f e3 61 14 55 01 f3 9c 12 9a 67 8a 36 6b 18 05 fd // e5 e1 ff cc 24 78 46 1f b9 91 dc 62 45 d0 5c ed 7a fa 4d 0e a2 38 3e // ff b0 8e 4e fc b3 6e 17 9d 91 78 f7 c8 a4 03 e2 71 04 50 e8 62 24 17 // 1c ec 1e 6d 8d e3 54 35 d7 33 60 e5 f8 70 6d e7 c8 08 b4 79 50 ec e4 // 17 51 30 3b eb 28 9b 26 33 70 49 55 40 fc 9e 9c eb 59 48 22 00 39 8e // 3b 8a 92 89 7f 9a 5e 7c a3 cc 3b 2f 4b 24 44 30 b6 c7 91 8e a8 b5 56 // 58 70 fe fb 49 40 22 3d 08 7f de c9 c3 71 f3 8e 2d 8a 77 6e 54 d7 be // db 16 17 03 a3 b6 71 88 61 ec 7e a6 ec 7b c6 a2 88 25 40 a2 31 5c fa // 75 27 da f1 52 1c 8e 07 a3 f2 57 e0 ac 98 fc e8 ac af 55 32 e5 02 bf // 89 e7 18 5d 8c ea aa 90 42 02 89 87 bb d3 9d c1 0a 6c b2 12 f3 e0 4e // b5 fc f8 fb 36 43 b1 21 06 55 47 9c bb 17 f4 5b 38 61 3d ce 8c eb 18 // 4c 8c 9c bc 7f 61 d3 a5 76 6c 0d c6 04 74 e8 d6 a2 ca c5 f7 85 ad 29 // d6 8f f5 92 a8 c4 c2 15 38 ff 0f 5c 78 62 47 b8 5d 39 f7 3f 99 ae b9 // 22 8f 51 2a c4 aa 9a b7 a4 33 99 68 ed a1 4a 9b a4 36 f3 d1 d5 db 08 // 62 16 a8 b4 71 5c eb b9 33 58 ae 80 29 53 42 43 7a 85 5f db b5 00 00 // 2f 7b ff 57 4f f6 bd 4d e9 1a e5 f4 4a 8d d9 1c a9 75 f3 57 a7 a1 52 // fb 65 8e cd c8 95 96} (length 0x2000) // } // len: bytesize = 0x2000 (8 bytes) // res: nil // ] NONFAILING(memcpy( (void*)0x200000010440, "\x22\xf8\xea\x77\xe0\xc8\x70\xaa\xee\x3b\xde\x9b\xe8\x4b\xff\xfa\x3e\xab" "\xe4\x0a\x0d\x0f\x24\x3a\xe4\x4c\x67\x07\xa1\x24\xb1\x90\x7b\xf3\xec\x0e" "\x19\x1a\x6c\x2e\xc0\x5d\x77\xf6\x54\x08\x31\x4b\x75\x16\xc3\x74\xe9\x8d" "\xc1\x03\x55\x5f\x98\xe6\x9e\x16\xec\x70\x99\xc9\xb0\x7d\xbd\xe1\x94\x4d" "\x85\x79\xbd\xb3\x72\x25\x0b\xbd\x3b\x97\xd3\x70\x82\xa2\xb8\xd8\x7b\xf8" "\xf1\x7d\x51\xfc\x4f\xe3\x7b\xeb\x31\xe7\x11\x9a\x0e\x28\xf7\x3e\x10\x15" "\x61\x2e\xea\x09\x69\x50\x86\x13\xb1\xc1\x94\xfc\x6d\xbf\xba\x55\xc8\x4e" "\x52\x99\xf9\xf5\xa2\x8b\x57\xb6\xa7\xcc\x90\x60\x08\x4a\x40\x6d\xa2\x78" "\xb6\xf8\x75\x8d\x22\xb9\x1c\xe1\x76\x26\xf6\x5a\x36\x13\xd7\x8b\xf6\x35" "\x53\x3b\x96\x8d\x24\x9f\x4a\xd0\xef\x1e\x94\x44\x03\x5e\x5a\xcf\x8f\xd2" "\x48\x33\x9e\x6e\xa6\xb4\xae\xf3\x18\x65\x20\x9f\xf4\xa6\x4a\xf4\x7c\x42" "\x88\x79\x7e\x43\x03\xf1\x4e\xdc\x61\xb1\xe3\xef\x07\xad\x84\x28\xcf\xbb" "\x44\x53\xbb\x29\xdb\xb2\xcf\x34\x3c\x8b\x0e\x0b\xca\xf1\x8c\xb1\xff\x71" "\x57\x41\x8a\x90\x6b\xe6\xa0\xe7\xb2\x7a\x59\x82\xe3\xd2\x7f\x4c\x15\xdb" "\x81\x95\x66\xf9\x46\x07\x97\xb2\xb1\x64\xc5\xe0\x0c\x94\x22\xf8\x30\x4c" "\xb7\x5c\x44\xa9\x13\x50\x69\xdc\x57\x37\x6a\x4b\xcf\xc5\x48\x09\x6c\x4e" "\x00\x04\x09\xcd\xb9\x4f\xc6\xbd\x6b\x33\xfa\x9a\xc8\xe4\x8f\x13\x57\x96" "\xa9\x6f\x11\x11\x1a\xfe\x1e\xe9\x9e\xb6\x70\x4a\x49\x32\x65\x3d\xfb\x1e" "\x13\xa4\x0b\x76\x18\x71\xfb\x26\x0f\x1f\xcf\x88\x15\xd3\x79\x12\x45\x5c" "\xc3\xa9\x7d\xa9\x59\xde\xc3\xa7\xf9\x3b\xd2\x82\x94\xd2\xfe\xaa\x74\xcf" "\x48\x08\x3c\x85\xe6\x1c\x30\x64\x8f\x5b\x7c\x80\x4e\x3c\x77\x6b\x9a\x49" "\xb9\x50\x28\x75\x43\xe1\x16\xe9\x13\xb5\x39\x2b\x91\xdb\x78\x45\xab\x4f" "\xd9\x91\xd6\x06\x10\xf7\x05\xc8\x2c\x47\x37\xd7\x04\x8e\x6b\xd4\x4f\x47" "\xf5\x6d\x07\x55\x40\x6a\x51\xb4\x6e\xd1\xcd\x51\xb3\x6a\x39\xa7\xd1\xf1" "\xda\x14\x1d\x5b\x9a\xbf\xca\x02\x06\x76\x85\x61\x5f\x5b\x44\xc7\x80\xef" "\x68\x55\x76\xf0\x92\x72\x82\x04\xb8\x85\xf8\xba\xd0\x5c\x89\x87\x64\x4d" "\x18\xa5\x4a\x0d\xaa\xdb\x3f\x5f\x4f\x54\xd6\x1a\x57\x71\x9e\xdc\xb4\xed" "\x4c\xc2\xc3\x9c\x9a\x66\x1e\x62\xe2\xd3\x5a\x5b\x47\x11\x63\x69\x0c\x65" "\xa2\xd1\x5a\xd5\x47\xad\x31\xd4\x5b\x8a\xc8\x4c\xcc\xdf\xbf\x99\xb1\x31" "\x46\xe6\x42\xd4\xc8\x40\xf4\x25\x0e\x88\x24\x86\xf3\x38\x2c\x5d\x37\x4a" "\xf1\x26\x26\x82\x9d\x42\x3d\x5e\xc6\x9a\xe1\x80\xa4\x11\x4e\xd4\xf5\x89" "\x97\x4c\x7c\x64\x28\x96\x6c\x3f\xfb\xe7\x85\xd4\x52\xc9\x30\x0a\x5d\x61" "\x4e\xda\x84\x98\x34\x0f\xeb\xe5\x20\x73\x2a\xa1\x57\xe3\x97\x18\xbb\x98" "\x40\x34\x14\x9d\x11\x78\x7d\x8e\xbf\x68\x59\x62\x5e\xf1\x80\xff\x4b\x5a" "\xda\xb6\x07\xb1\xe5\x5c\x44\x41\x2a\xc2\xa2\x38\xe6\xb6\x8d\xa1\xe2\x22" "\xe4\x58\x1c\xb0\x0f\xdd\xaa\x97\xad\xab\x57\x7b\x69\x96\x9a\xba\x6b\x38" "\xc9\x12\x40\x0d\x59\x59\xc1\xb9\xf8\xd9\x5e\xfd\x43\xfa\x2f\xe6\x3a\x11" "\x2b\x49\x65\xc5\x02\x70\xd0\xc1\x74\xc2\xaa\xc0\x94\xbd\x51\xc1\x42\xde" "\xfa\x5b\x04\x31\x04\xdb\xc5\xc2\x0d\x09\x8c\xe9\xc9\xbf\xcf\x04\x67\x88" "\x8a\x4c\xdc\x0c\xfc\x2e\xf6\xa8\xe8\xc2\x41\x17\x8b\xe7\x90\x49\x64\xad" "\x18\x07\x02\x19\x16\x0b\xec\x00\x32\x3c\x59\x81\xd4\x4a\x53\xca\x52\x2c" "\x13\xbb\x03\xbf\x72\xdb\x6e\xb2\x26\x7f\xcd\xf2\xcc\x8d\x13\xcc\xff\xc0" "\x95\xd1\xce\xc3\xe8\xb9\xf6\xd1\x7a\xf5\xee\xd8\x09\xad\x96\xde\x9e\x88" "\x08\x56\x35\x92\xf0\xef\x19\x4b\x0c\x8c\xa4\xeb\x5d\x11\x7f\x6b\x4d\x66" "\x4d\x5f\x25\x5f\x4b\x62\x73\xbc\xe7\x3e\x1a\x8b\xcb\xad\x00\x71\x7c\x2f" "\x4f\x85\x27\x53\xd7\x0a\x72\xa4\xf0\xc1\x86\x96\x55\x25\xd4\x60\x3b\x29" "\x87\xc4\xbd\xd3\xd7\x8a\x6f\xf3\x87\xf9\xf1\xfb\x58\xdd\x16\xdc\x5a\x9b" "\xf0\xfe\x49\x00\x55\xde\x1b\x17\xe2\x6a\x31\x35\x4f\xac\x37\xbe\xdc\xde" "\x20\x53\x4b\xf2\x98\xd9\x7d\x1e\x0d\xa0\x86\xf0\xb5\x10\xbf\xa2\x9a\x94" "\x50\xb4\x36\x32\xed\x71\xfd\xb4\x21\x8d\x4b\x96\x11\xa2\x3c\xef\x84\x46" "\xf0\xa8\xdf\x50\x8b\x16\x4b\xd8\xc2\x39\xab\x04\x42\x00\xeb\x7a\xa7\xb5" "\xb9\x89\x22\x67\xc8\xb0\x58\xa2\x8c\x26\xf6\xf4\xf8\x71\xa2\x4e\x70\x47" "\x57\x35\x37\x3a\x68\x35\x4d\x17\x43\x4a\xd3\xba\x1f\x6d\x6a\x11\x67\xab" "\x9f\x06\x85\xf3\x96\xd7\xb4\x98\xad\xc4\x6d\x81\xd8\xd5\xf2\x06\x45\xb5" "\x20\x97\xed\x1a\xa8\x59\x8c\x4a\x6b\x6e\x14\x83\x0b\xfb\x67\xb3\x5c\xd4" "\x2b\x7a\x96\x2c\xbc\x3b\x44\xa8\xe6\x65\x45\xdd\x8c\x32\x13\xab\x50\x63" "\xc1\x58\xf5\x40\x02\x3b\x97\x76\x6a\xda\x87\x75\xc6\xc3\x5f\xd4\xe3\x53" "\x37\x50\x75\x03\xa2\x9c\x15\x9b\x24\x30\x79\x4b\xe7\xc9\xed\x26\x09\x31" "\x9e\x69\x8b\x0f\xcd\xbb\xf4\x4f\x4a\x5d\x12\x8c\x7b\x0c\x41\xd4\x01\x12" "\xde\xcf\x6a\x06\xe5\x1d\x19\x1c\xbf\xfd\x44\x4b\x8b\x32\x31\x15\xbb\xab" "\x4d\xbc\x8f\x9f\xda\xfd\x6d\x2f\x7b\x10\x80\xa4\xae\xd3\x58\x18\xc2\x6f" "\xc7\x5a\x8c\x6a\x98\x18\x2e\x1f\x9b\xd3\x5c\x94\x5e\x94\xcd\xb3\xb2\x5d" "\x89\x8b\x70\x4c\x89\x11\x4d\x22\xbd\xda\xb1\x94\x9c\x78\x1b\x91\x80\xff" "\xfe\xd0\x04\x2e\xdb\x70\x78\x8c\x12\xa9\x7c\x44\xea\x78\x16\xdb\x92\x5c" "\xe4\xd7\xf2\x17\x4e\x18\xb3\x92\x83\x4c\x89\x17\x16\xe2\xe2\x8d\x07\x64" "\x86\xf1\x86\xeb\x8f\x65\x24\xde\xe0\x7c\xe2\x20\x9b\xf9\xdf\xc6\x98\x1f" "\x8a\x93\x9a\xd9\xfd\x4c\x09\x20\x94\xf0\xbb\x48\xbf\x37\x28\x0c\x0e\xb3" "\xc7\xee\xd5\x17\x9e\x90\x9c\xc6\x26\xce\x17\x8f\xa4\xad\x70\x26\x1f\x50" "\x6e\xac\xec\xca\xc8\x27\x2b\x7c\x8e\x41\x39\x8f\xe6\x52\xd9\xf4\x86\x02" "\xe4\xef\x4d\xce\x43\x44\x96\x11\xef\x27\x05\xd6\xa6\xdd\x95\x4c\x09\xc0" "\x0d\x1e\x8d\x24\x54\xf4\x29\xff\x36\x73\x8f\x20\x76\x70\x27\xf1\xf7\x15" "\x1b\x21\x24\x35\x1a\x9f\x01\x96\xf8\xe8\x38\xad\xb8\x82\xd0\xcb\xf4\x63" "\xaf\xa9\x15\x44\x5a\x02\xed\x6c\x5b\xe4\xa0\x8c\xb8\x03\x98\xc4\xd5\xe9" "\x55\x00\xda\x86\x2b\xcc\x26\x58\xa2\x85\x99\xaf\x0a\x2b\x93\x7e\x26\x58" "\xdf\xee\x12\x10\x0c\xc4\x88\xba\x67\x6c\xe6\x12\x29\x57\x07\x8f\xf2\xa3" "\xf1\x2a\x5d\x74\x3b\x5c\x91\xa6\x8b\x80\xfc\x7a\xd1\x16\x75\x7d\x97\x40" "\xd2\xb9\x40\x41\x4f\x7a\x43\xa1\xc5\xc5\xfe\x3a\x5b\x65\xeb\x94\x26\xbd" "\xa3\xcc\xa9\x95\x17\x15\x37\xe6\x23\xcc\x8d\x0a\x41\xff\xf3\xc1\xd8\x67" "\xf4\xf4\xbc\xe5\x0f\x1e\xba\xa7\x1e\x79\xfd\x8e\xd9\xcb\xca\x12\xcb\xed" "\xe5\x04\x01\xd5\x98\x79\xad\xa3\x3d\x87\xf2\xbf\x76\x11\xdc\xd4\xb5\xb9" "\x18\x76\x57\x0d\xea\x77\xe6\xe8\x43\x3a\xba\x3a\x18\xd3\x1e\xe4\xfa\x35" "\xa4\xb3\x37\x6c\xfe\xcc\x0e\x4c\xf9\x40\xde\x70\xcf\xdb\x9b\x0b\x29\xc1" "\xe6\x8b\xd2\xd5\x8e\x5b\x07\x53\xa1\x5b\x69\xc1\x63\x68\x43\xdb\xe0\x5e" "\x98\x1d\x05\x8f\x39\x37\x60\xda\xca\x68\x6c\x12\x88\x2a\x38\xc5\xa2\x65" "\x0b\xd1\xda\xa6\x29\xf8\xd2\x85\x44\x81\x8c\x97\xdc\xbe\x60\xc8\x45\x5e" "\xfd\x62\x62\x9a\x44\x84\x18\x4c\x65\xcb\x4e\xa6\xbb\xe7\x56\xad\xab\x8f" "\x27\x45\x2d\x5f\x6b\xf7\xef\x39\x0d\x6b\xa8\x60\x93\xd8\xb3\x3d\x75\x67" "\xa3\xa8\xfb\x5d\x6d\x82\xc6\x33\xd7\xdf\x72\xa0\x99\xc1\x24\xa5\x1e\x40" "\x1d\x62\x34\xc0\x6e\xee\x0a\x37\xc8\x8e\x0c\xff\x59\xc5\x29\xa0\x57\x50" "\xb9\x6a\x00\xc5\x53\x57\xee\x98\xf6\x9b\x65\xb8\xd0\xa7\x6a\x1e\x98\x0a" "\xca\x89\x19\x5b\x04\xe5\xe9\x02\x1f\xf0\x7a\x6e\xd3\x33\xcb\x46\x19\x18" "\x19\xac\xdc\xf6\xe9\xb9\x8c\x36\x43\x30\xc8\xcf\xf6\x9c\xa3\xe7\x75\xb8" "\x4f\x1b\x0d\xee\x29\xbc\x22\x93\x21\x79\xba\x25\xde\x6b\xda\xac\x05\xd9" "\xdf\xf2\x84\xb3\xf1\x00\x31\x9b\x51\xeb\xbd\xd9\x24\x4b\x4b\x68\x6b\xa4" "\x10\x39\x1d\x61\x15\x81\x7a\x47\x4d\x05\xbc\x00\xf7\xb9\x19\x02\x7b\x74" "\xec\xe4\xd8\xb3\x4a\xb4\xa2\x49\x0c\xb3\x9b\xf6\x98\x44\xc6\x88\x1f\xa7" "\xf6\x47\x57\x62\x8e\xe8\x00\x9a\x44\x2a\xde\x79\x3f\xdd\x41\xd3\x09\x76" "\x7b\xa2\x4d\xf8\x35\x4e\x19\x79\xd4\x1e\x2f\x34\xb8\x4e\x99\x55\x7f\x91" "\xf4\x93\xf0\x1c\x69\x8e\xa7\x4f\x1a\x42\x67\xd1\xcc\xf2\x03\x0e\x15\xc8" "\x2b\xc7\x43\xeb\x4e\xbd\xc6\xc4\xf1\xb2\x4c\xdd\xa0\x16\x2a\x76\x98\x5d" "\x15\x4e\x7f\x91\x52\x1d\xe2\x04\xbc\x41\x59\x74\x7f\x16\x95\x90\xfe\xf4" "\x3e\x48\x56\x4e\x14\x45\xee\x10\xa5\x60\x60\x2c\xbc\x16\x0c\x80\xa2\x7c" "\x65\xa1\xe3\x31\xe9\x34\xed\x53\xd4\xa0\x28\x5e\xe1\x56\x90\xe6\x8f\x67" "\xea\xb4\x51\x0d\x89\x3a\x96\x15\xcc\xa0\x83\xd1\x4e\x1a\x1d\xe7\xe9\x7d" "\x95\x80\x50\xf0\xde\x8f\xe6\xc9\xc8\x15\x8a\xee\xb1\x80\xda\xf5\xdd\x84" "\xbe\x99\xa1\xc3\x71\x51\x08\xbc\x67\xba\xcd\x14\x54\x2a\x17\xe9\x78\x26" "\x48\x07\x84\x75\x90\x7d\x82\xa2\xbd\x25\xfb\x18\x1a\x1d\xcf\xd1\x23\xcf" "\xb4\x9b\x11\xf2\xa0\xa6\x9d\x33\xe7\xb5\x11\x47\xd1\x99\x14\xf1\x7c\xe6" "\x70\x8e\x93\x47\x5f\x6a\xc5\x1b\x58\x39\x2a\x43\x8e\xae\x03\x82\xbf\x86" "\xc5\xfc\x4b\x9b\xb9\x19\xdc\xe6\x98\xef\xc5\xe4\x46\x8e\xb9\x38\xfa\x69" "\x7c\xbe\x16\xb2\xaa\xd7\xee\xa6\x19\x8d\xde\x32\x71\x3f\xc2\x41\xda\xde" "\x9d\x57\x8d\x19\x14\xe4\x6d\xd0\xe7\xf4\x5c\x1d\x92\xd2\x6e\xfc\xc3\x50" "\xf2\xc4\x1d\x99\x1c\x4b\x87\x0e\x1a\xe4\x8b\x9f\x0c\x15\x39\xb9\x23\x31" "\xcf\x2d\x35\x32\x1b\xe3\xdb\xdf\xa0\x83\x24\xd0\xfc\x7f\x48\x24\x00\xee" "\x86\xfc\xb0\x6e\x02\xfe\x25\x66\x90\xe5\xa9\xec\xe7\xf0\x91\xd8\x82\x28" "\x43\xa6\xaa\x0e\x8f\x5d\x01\x21\xf9\x7d\x0f\xe5\x02\x3f\x00\x52\xeb\x24" "\xec\x06\x48\xdf\xa4\xc0\x0f\x77\xad\x31\xec\x85\xbe\xf9\x49\xc1\xa6\x45" "\xb8\x02\x56\x2f\x09\x50\x43\x71\x5f\x25\x19\x77\x05\x33\x30\xbc\xfd\xba" "\xdf\x62\xed\x2f\x35\xdd\xa4\x66\xf8\xf7\xde\x12\xfe\x80\x33\xb1\xb4\x62" "\x6b\x01\xca\xfb\x4c\x9e\x97\x9a\x76\x3d\x77\x73\xa5\xb1\x33\xdf\xe0\x45" "\xed\xcd\xbe\xcb\x05\x49\x23\x05\x29\xbc\xfa\xdd\x21\x70\xbc\x4f\x87\x84" "\x6b\x3e\x59\x20\xe6\xf7\x15\x2a\x3e\xa6\x48\xdb\x65\x18\x7b\x4f\xde\x3e" "\xbf\x2d\x06\x7c\x29\x1d\xf1\xfa\x6c\xc7\xd4\x3e\x06\xcb\xb2\xd2\x5f\x67" "\x48\x6b\x7f\x66\x29\xf9\x00\x2f\x12\x2f\x3a\xf0\x43\xf5\xcc\xa8\x0a\x07" "\x68\xa9\x89\xe5\xed\xc5\x09\x8d\x4c\xa8\x2c\xb1\x08\xdf\x90\x23\x84\xa3" "\xf1\x87\xa0\xc0\xef\xdf\x82\xa1\x73\x91\x8d\x8e\x45\x2e\x4e\x7e\x2d\xeb" "\xfd\xfc\x71\xbf\xd0\x47\x3f\xf2\x50\x47\x7c\xed\xce\x3b\x0f\x16\x85\x60" "\xfd\xf4\xeb\x43\xaf\xda\x72\x41\x97\xd2\x77\x85\x89\x9b\xd8\x29\x76\x4e" "\x3b\x9d\x79\x1c\x32\xf1\x32\x12\x9c\xf5\xe1\x1c\xf8\x11\xb5\xd4\x33\x93" "\xd8\xa2\x38\x92\xb0\x4c\x64\x9b\x42\xec\xee\xaf\x8c\x9f\x33\x3e\x53\x20" "\xc1\x83\xc2\x88\xd1\x88\x88\xce\x3a\x43\xf5\x03\xf3\x8a\x88\x50\x37\x35" "\xa0\x05\x9d\xc0\x24\x77\x14\x5c\x0e\xa8\xcd\x2d\xc3\xe0\x19\xae\x15\xb3" "\x50\x4d\x95\xd2\x44\xbd\x01\xd6\x42\x47\x80\x74\xed\x44\x3e\x49\x1e\x7e" "\x79\xc4\x7f\xd0\x14\x39\x0c\xd5\xf4\xce\xdd\x91\x54\xf3\x60\x7e\x12\x86" "\xcf\x96\x66\x28\x42\x23\x6f\xcc\xb5\x2c\x2a\x75\x32\xb5\xbc\xfc\xff\x48" "\x24\xce\x56\x92\x2d\x1f\xf8\xc1\x60\x2f\x86\xcc\x38\x5f\x7f\x05\xa2\xa6" "\x84\x74\xd8\x40\xde\x81\x7e\xc8\x4e\xa6\x11\xcd\x0e\x32\x90\xb7\x25\x05" "\x89\x74\x53\x8c\xcd\x8a\x4e\x78\x38\x0f\xe1\x55\x44\x6a\xbf\x56\xbb\x91" "\x61\x46\x31\x11\x81\x09\x55\xdb\x7a\xda\x24\xf0\xb4\xf8\x8a\xe5\xb8\x3e" "\xfa\x12\xc4\xcf\x64\x57\xf9\x41\xef\x21\x76\xc5\xce\x75\xb9\x8d\x54\x21" "\xa0\x07\x45\xaf\xac\x9b\xd9\x09\xfc\x51\x72\x97\x60\x41\x2a\x57\x20\xee" "\x24\xcb\x1f\xe4\xb2\x83\x07\xa1\xe1\x53\xe4\xcd\x2e\xec\x7b\x62\x82\x6e" "\x81\x4b\x7b\x56\x2e\x16\x86\x3e\x89\x76\xc3\x56\x59\x3d\x82\xd4\x37\x92" "\x42\x53\x35\xd3\x8d\x3e\x00\x79\x7f\xec\x4a\x97\x5e\x5e\xdb\x0e\xc4\x5f" "\xac\x21\x39\xf1\x2f\x16\xc5\x21\x8c\x26\xdc\x1c\xca\x8c\x07\x1a\xb9\x47" "\x23\xc0\xf0\xa8\x77\x1f\xa5\x64\x5a\xf6\xcb\xfd\x94\xe7\xc7\x11\x24\xa5" "\x9b\xbe\x44\xbb\xea\x29\x60\x30\x8c\x4d\x15\x31\xda\x9c\x5a\xf9\x12\x35" "\x92\xf1\x92\xf1\xd0\xba\xa2\x40\x3d\x49\xfa\x43\x36\x07\x71\x9e\xb3\x41" "\x47\x43\xe4\x0a\xa9\x28\xbd\xfc\x2a\x9e\xae\x76\xf6\x20\x38\xfe\x02\xf0" "\xdb\x13\xa8\xc8\x13\x75\x0e\x45\x62\x6f\x1e\xa1\x50\x17\x7c\x7a\x95\x60" "\xbc\x0f\xbf\xd1\x00\x42\x18\xec\x18\x42\x83\x07\x75\x3e\xce\x8e\x8e\x89" "\x55\xe6\x18\xe3\x99\xf2\xb8\xe4\xb4\xae\x85\x4c\x60\xf0\x2f\xfc\x61\xc5" "\x95\xca\x6b\x82\x6c\x31\x9e\xcc\x0b\x82\x29\xec\x71\x4d\x57\x0f\x65\x0b" "\xf4\x52\x2b\xd8\x83\xa8\x85\x26\xbb\x88\xba\x5a\x20\x11\xbe\x73\xc4\x8f" "\x2f\xdc\x44\x24\xcf\xbe\xad\x86\xc8\xb6\x91\x76\xa6\xe2\x03\x27\x95\xa0" "\x84\x6a\x4c\xde\xae\x8d\x8b\x12\xb3\x54\x58\xda\x90\x32\xc4\x67\xbe\x54" "\x75\x12\xe8\x91\x92\xf4\x23\xb8\x4e\xba\x74\x41\xbb\x2d\x38\xad\x53\xa5" "\x5b\x83\x9e\x94\x7b\xb6\x47\x71\x0b\x53\xe6\x93\x7e\x2b\x00\xe2\x23\x6f" "\x99\x41\x1f\x8f\xfb\x61\x85\x95\x1d\x91\x9c\x04\x8f\x3c\x1f\xfe\x1f\xca" "\xee\x46\x01\x1f\xb2\xc7\x80\x75\x44\x13\x9f\xb9\x12\xda\x19\x3c\x4c\xd7" "\x62\xf9\x3a\x74\x08\x6d\x96\x45\x5a\xb5\x7a\xe0\x57\xc8\xf2\x80\x2a\x76" "\xeb\x97\xe6\x32\x91\xbc\x40\x73\xc5\x39\x5a\x03\x9c\x50\xcf\x53\xb8\x8d" "\xea\x44\x48\x2e\xe7\x74\x0d\xc9\xcb\x57\x15\x70\xdc\xd3\xe5\x6e\x9a\x21" "\xeb\x17\xdc\x89\x2f\xd3\xba\x36\xc7\xf0\x3b\x7d\xbe\x6f\xfa\xb9\xa8\x09" "\x87\x8a\xbe\x16\x57\x9d\xcb\x06\xff\x96\x95\x99\xa5\xbf\xa7\xee\xd8\xa1" "\xf1\xaa\xbc\xcb\xb7\x8c\xfe\xc3\x23\x32\x9b\x2e\xf5\xd4\x54\x0b\x11\x13" "\x4c\x90\x5f\x98\x2d\x99\x58\x87\x37\xf7\x2d\xd2\x2d\xff\x10\xdf\xc1\x44" "\x35\x6e\x9b\x89\x98\x49\x13\xc0\x25\xff\x4a\x1d\x08\xf8\x82\xd7\x75\x9a" "\x32\xd5\xd8\xaa\x7f\x56\x4e\xb5\x5e\x41\x23\xba\xd1\xdf\x29\x76\xa4\xec" "\x92\xbc\x51\x8f\x0c\xca\xf0\x07\x1d\x2c\x8b\x6a\x5d\x15\xeb\x7f\x23\xe2" "\xa9\x13\x68\xd3\x10\x5e\xac\xbd\xc0\x1b\xc9\xd9\x5a\xe2\x4f\xe3\xbe\x92" "\xf1\x0c\xcc\xad\x21\xca\xe6\xd7\x5e\xe2\x0e\x0a\x4b\xd5\x87\xed\x3e\xb9" "\xb7\xa8\x81\xd5\x5d\xc3\x84\x30\xae\xd1\x57\xc4\x91\xe0\xa6\x42\xfb\x64" "\x39\x1d\xb0\x89\x62\x96\x54\xc9\xd6\x3e\x23\x72\xb2\x3c\x0c\xd5\xec\xcc" "\x99\xf8\xd4\xea\x98\x73\xb6\x13\x09\xaa\xcc\x64\x02\xc4\x84\x31\xbf\xcb" "\xbf\x53\x79\x44\x4c\x1f\x41\x36\x5a\x12\xa7\xdd\x23\xfc\x2c\xd3\x1e\x20" "\x96\xb1\xb4\x75\x0d\xaa\x89\xea\xf9\xc2\x47\xfc\xcc\x9c\x56\xd1\x23\x5c" "\x92\xb9\x06\x6a\x31\x93\xc6\x45\xd3\xe8\xd8\x8f\xb7\xc1\x92\x16\xc5\x15" "\x84\x60\x43\x77\x3e\xb9\xa6\xfa\x60\xc1\x50\x81\x38\x5f\x3e\xaf\x18\x72" "\xd8\x4e\x6d\xe2\x81\x8a\x14\xeb\x84\x92\x18\x23\x3b\x30\x58\xe9\x7a\x91" "\x17\x38\xd2\x7e\xf7\xd1\xfd\x91\x29\x59\xbd\x35\x67\x2d\x20\x88\xc5\x25" "\xc5\xb4\x53\x8a\xd9\x5a\xdb\x64\xa0\xc9\x26\xea\x38\x74\x16\x11\x09\xb9" "\x08\x7e\x41\x60\x0c\x49\x00\x8f\x69\x4b\xbf\x27\xef\x26\x31\xb0\xc0\x95" "\x4c\x83\xdf\x95\x44\xf7\x4b\xcf\x6d\xcb\x2f\xf4\xa1\xe0\xca\x90\xb0\x29" "\xb9\xbd\xd8\xab\xfe\xd4\x96\x81\x09\xbe\x96\xac\xb5\xe1\x50\x76\xf9\x85" "\x71\xdb\xc6\x5d\xc2\xee\x1f\x71\x4e\xdc\xb9\x21\xe1\x5e\xa3\xc5\x64\xbb" "\x15\x5c\x5e\xfd\x8e\xf5\x99\x92\x17\x3d\xe6\xc3\xee\x03\x5d\x77\xae\x0a" "\x96\xc3\xe0\x72\x31\x3b\x30\x7d\xd5\x42\xa3\x72\x60\x86\xa0\xd6\x04\x75" "\x01\xa9\xea\x01\xd4\x41\x00\x09\x78\x57\xf1\x6c\xde\xa7\xdc\xff\x1b\xbb" "\x63\x78\xde\x4d\x4d\x2d\xc5\x28\xa5\x7b\x7b\xc7\xfe\x41\x77\xea\x55\x17" "\x25\xe2\x84\x0e\x0d\xed\x85\x08\x4c\x7a\xe4\xad\xb8\x03\x60\xc2\x90\xa7" "\x89\x65\x92\xa1\x05\x9a\x08\x8b\xd5\x89\xcc\x1c\x32\xe1\x3d\xeb\x2b\x52" "\x33\xa8\xf2\xaf\x4a\xa2\x6f\xc1\xd0\xe5\x44\xf3\xb3\xc6\xd6\xb8\xe1\x44" "\xdd\x45\x8b\xc8\x74\xe3\x31\x50\x93\xbf\x36\xac\x99\xb3\x7a\x73\xd3\x46" "\x1c\xae\xb8\x33\x03\xe8\xc2\xd9\x52\x07\x6b\xaf\x09\x04\xba\x22\x63\xe9" "\xa5\xbb\x04\xdc\x72\x2c\x82\x94\x21\xcc\xe5\xe1\xe6\xa7\x7a\xaf\x5c\x07" "\xfd\xd2\xee\x90\x0c\x69\xfa\xb6\x2d\xc0\xd2\x3a\xeb\x12\x01\x14\xfe\x46" "\xe4\xc3\xef\xcf\x6f\x7d\xdd\xca\xb8\xfa\x48\x12\x55\x46\xb2\xae\x3c\x88" "\x4e\x8c\x9c\x4c\x1a\x74\x2f\xe9\xb6\xf2\xbd\x46\x6c\x21\x9e\x5e\xab\x81" "\x1d\xaf\xed\xdc\xef\x73\xda\xf3\xa8\xeb\x8c\x1b\xd1\xe2\x3d\x15\x79\x7e" "\x0f\x52\x0d\xa8\xd2\xf3\x30\xef\xed\x2f\x51\x10\x21\xef\x8f\x7c\xe7\x3c" "\x0f\x77\x7c\x3a\x5b\xa9\x1a\x97\xee\x1c\x6a\x8d\xd7\x19\x98\xc6\xae\xdc" "\xce\xfd\xc0\xf4\x05\x04\x2d\x02\x1b\x59\xf4\x79\x2e\x36\x2e\xb1\x15\xad" "\xa0\xf4\x7c\x1f\xd6\x76\x6b\x31\x57\xeb\x88\x9b\x3a\x9b\x7f\x47\x7b\xed" "\x5d\xc7\x78\x23\x94\xa8\x27\xa7\x0f\x14\x0c\x64\x0d\x6c\xd3\xca\xee\x98" "\xb5\x3c\xee\x83\xc5\x93\x18\x59\xc3\x0c\xf5\x8a\x34\x9c\x56\x39\xd9\xbe" "\x85\x15\xd7\x37\x36\xe9\x66\x97\x7b\xae\xce\xd1\xee\x05\x3a\xe2\x6b\x9f" "\x82\x7f\x1c\x0a\xe6\x15\x22\xfc\xdf\x7b\x96\xbc\xb1\xde\xec\x87\xb0\x6e" "\x2c\x98\x58\xe6\xef\x57\x2d\x76\xa7\xb5\x82\x53\x8b\xf5\xff\x12\xf7\xc7" "\x92\x14\x7d\x76\xc1\x60\x10\x27\xe4\xee\xac\x71\x28\x01\x61\xbd\x79\xc8" "\xcc\xed\xd3\x9f\x7e\x4c\xd8\x3e\xc8\xd9\x65\x45\x29\x77\x9a\xec\x12\xab" "\x42\x22\x4d\xd1\xbb\xc6\x20\xc4\x2b\x8c\xcd\xf3\xd6\x56\x9b\x2f\x89\x3f" "\xce\xa5\x40\x44\x84\x40\x51\xa8\xdc\x1b\x7a\xd0\x6c\x21\x61\xc2\x28\x34" "\x38\x51\x73\xd2\x1e\xb5\x70\x56\xa5\x87\xd3\x31\x83\xd5\x7e\x3e\xa0\x96" "\x2f\xa8\x13\x46\x09\xaa\x11\x56\xa1\xfa\x7c\x6d\x10\x51\xd0\x25\x6d\x17" "\x70\x54\xe2\xb0\x1c\x33\x92\x0b\x68\x47\x00\xf6\xe9\x59\x8f\x62\x4f\x9b" "\xc5\xe8\xcb\x79\xc3\x3b\x62\x4a\xcf\x4b\x48\xae\xb2\xb6\x11\xb7\xae\xdd" "\xbd\xf9\xac\x3c\xc8\xf0\xe9\xa7\xe4\xf7\x93\xcb\x83\xad\x36\x07\xe1\x2d" "\x86\xac\x2e\xaa\xb3\x12\xcc\x8b\x57\xbc\xa7\x50\x70\xfa\x77\x00\xf9\x42" "\x35\x9b\x5f\xac\xa4\x32\x44\x75\x06\xcb\x6d\x74\xd0\x21\xc0\x6c\x6a\x62" "\xbf\x88\x2b\xcd\x7a\xd4\x47\xb3\x97\x76\xd1\x72\x17\x8b\x4e\x14\x0f\x87" "\x75\x09\x3c\x5a\x57\x7b\xaa\x97\x70\x06\x6d\x80\x23\xcf\x7a\xd9\x07\x0e" "\x24\x6b\xa9\xfa\xd7\x0e\x76\xc5\xbd\xff\xfb\xfa\x36\xf9\x35\x90\x2b\x3a" "\xb5\x75\x97\xd2\x13\xd3\xae\xed\x99\xa4\x61\xfd\xcc\xa7\x36\x10\x04\x0d" "\x00\x7c\xcf\xde\x8e\x62\x24\x79\x63\x71\xe9\x75\x96\x35\xd6\xbb\xa3\x66" "\x58\x81\x54\xa2\x77\xa0\xbc\xb0\x2e\x16\x2a\xf4\x2b\x98\xed\x1b\x27\xe4" "\x8f\x81\x6d\x12\x08\x91\xc4\x6f\x8c\xf6\x7c\x0d\xd1\xab\x38\x61\x1f\x0f" "\x12\xba\x90\x61\x65\x77\xf1\x1d\xf3\xcb\x1c\xaf\x61\x97\x7f\x24\x54\x64" "\xab\xeb\x0e\x8b\x58\xde\x82\x28\xb9\x2b\x78\x09\x71\x78\xed\x88\xb2\xf1" "\x6a\x22\x2a\x51\x75\xf8\x28\xef\x52\x8c\x06\xfd\x01\x79\x40\xff\xe2\xdc" "\x8f\x68\xcd\x9d\x15\xb5\xeb\x07\x46\x94\x1f\x67\x8d\xe5\xb9\xd8\x29\xff" "\xdf\x2c\x66\x7e\xe2\x14\x8c\x18\x82\x15\xf8\x0b\xd4\x96\x3b\x4f\x02\x2b" "\x2b\xdd\xc7\x74\xec\x6a\x82\x35\x12\x88\x05\x90\x79\xb1\x7b\x70\x8a\x25" "\x7b\xbb\x21\x2e\x98\xbb\xc5\x84\xf5\x09\xa1\xd1\x3a\xb7\xa2\x7e\xa2\x49" "\xf4\x29\x31\x23\xca\xb0\xbc\xc5\x21\xd4\xf1\xee\x07\x7d\xeb\x4c\x5b\x1c" "\x15\x84\xfa\xad\xa4\x95\x5a\x52\xed\xe0\x7a\x45\x52\xa0\x70\xd7\x80\x53" "\x19\x3c\x8a\x90\x63\x31\xd3\x86\xb1\xd8\x49\x85\xb3\x0e\x74\xa0\xef\x50" "\x4f\x73\x3f\x7b\x57\x31\x96\x11\xa9\xf6\x0c\x38\xed\x59\xc2\xaf\x1d\xc9" "\x38\x53\xe2\xc4\x8a\xa3\x36\x21\x40\x81\xb7\x88\x3d\x16\x39\xbb\x2b\xfb" "\xa4\x1c\x67\xc4\x89\xc5\x69\xc2\xfe\x7a\xb2\x3c\x30\x6e\x8a\x6e\x6d\x0d" "\xa4\x09\xfe\xd4\x30\x22\x73\x65\xa5\xf6\x93\x99\xb6\xac\x73\x48\xa3\xd4" "\x31\x49\xe1\x6e\xfd\x03\xcf\xb9\x6f\xb0\xf7\x3d\x65\xa8\xa5\x2a\x91\x27" "\xb8\x4c\x85\xb9\x70\x12\xb5\xf1\x6d\xf0\x30\xea\x92\xae\xc3\xdf\x0e\x40" "\x84\x65\x8c\x8f\xda\xba\xfc\x80\xe0\xe3\xe6\x32\xf3\x44\xf6\x45\x17\x6c" "\xd5\x8b\x30\x33\xfc\x90\x96\x9e\x70\xc3\xdc\x64\x37\x49\x1f\x4e\x4b\xfc" "\xc5\x02\xa0\xbb\xf5\x9b\x90\xeb\x0b\x86\x36\xcf\xd4\xed\x0c\xce\x2a\x3e" "\x19\x7a\xa7\xbc\x48\xe1\x4f\x4f\x35\xed\xdb\xab\x49\x31\x5d\x47\x69\x5a" "\x04\x72\x81\xd1\x65\x9a\xa6\x70\x3f\x01\x73\xb2\x1e\x35\x39\x8c\xf8\x85" "\x1b\x9c\x7c\x1c\xb6\x9d\x9c\xa8\x0d\x95\xaa\x63\x20\x11\x25\x1d\x67\xbf" "\xb1\x35\x54\x5c\x70\x32\x19\xb4\x09\x4c\x28\x70\x6f\xb7\xd7\xd2\xf6\xaf" "\x87\xbe\x67\xe4\xd0\x42\x5c\x56\x4c\x6b\x09\x9c\xbe\x38\x3f\xfe\xdc\x39" "\xc8\x69\xfb\xfd\x34\x1d\x5c\xe7\xdf\x0a\x8e\x93\x05\xcf\x32\xe2\xb8\x28" "\xb3\xbb\xdc\xa7\x2f\xe7\xcc\xc7\x2b\x0d\x12\xa2\x38\x42\xd3\x4c\x05\x66" "\xe1\x61\x3f\x3f\x1e\x50\x38\x5a\xc5\xf7\x8d\xaa\xe4\x77\x10\x69\xe3\xb3" "\x8f\x73\xaf\x3c\x93\x38\x36\xa0\x50\xb7\xd7\x0d\x02\x27\x46\x6c\xc8\xe2" "\xe9\x17\xa5\x15\x10\x6b\x54\x54\xf2\xee\x3e\xad\x04\xb7\x04\x5f\xa7\x4b" "\x56\x19\x99\xee\x48\xdd\x68\x34\xfd\x04\x4a\x9b\xeb\xac\xb3\xfd\x7b\xb9" "\xfd\x40\x15\x52\xf1\xe6\xb7\x3d\xba\xeb\x01\x71\xfe\x30\x67\x62\x8d\x52" "\x41\x32\xb9\xe8\xd7\x75\x04\x71\xef\xd3\x3b\x83\x4a\x3f\xb4\x47\xe6\x6d" "\xe5\xd4\x1c\x03\xa1\x5b\x27\x27\x28\x84\xb9\x97\xa8\x6b\xe6\xa4\x5b\x28" "\xe0\x0f\x6b\x52\xf9\x1d\xc8\xc6\x46\xc9\x4c\x2b\x95\x49\x8a\x64\x4f\x72" "\x45\x1c\x5c\x0d\x46\xc3\x6b\xaa\x78\xce\x74\x89\x52\x86\x96\x57\xbc\xb5" "\x26\xeb\x82\xbd\x9e\xfa\xda\xd6\x13\x93\xf9\xf1\xf2\xde\xd5\x49\x87\xae" "\x85\x20\x74\x6d\x28\x83\x19\xb8\x17\xdd\xa8\xf0\x72\x39\xcb\xee\xaf\x3b" "\xd2\x52\xc6\xf7\xc9\x74\xc4\xfe\x18\xd3\x8d\x33\x4b\x08\x9c\xd6\x36\xb9" "\xe6\x82\xc7\x0a\xd3\x5f\xf0\xa4\xd9\x97\xa6\x4e\x97\x35\x79\x85\xac\x2c" "\x68\x5e\x6e\xda\xf2\x00\x8e\xad\xcf\xd8\x58\x69\x30\x09\x4f\x27\xfe\xca" "\x9e\x7e\xad\xa9\xc4\x7e\x79\x6a\x9e\x6f\x45\xce\x56\x06\xcc\x69\x65\x9e" "\xfc\xc2\x2c\x02\x36\x31\x2e\x25\xcd\x24\xa7\x20\x13\xa2\x2f\xde\x25\xb5" "\xfe\x3e\x06\x7d\x53\x29\x82\xe5\xd8\xa7\x78\xd1\x0b\xf0\x4a\x8c\xb8\xaa" "\x9e\x9c\x68\x9b\xf0\xee\x9a\xc4\x79\xc9\xf4\xe2\x3f\x8e\x20\x43\x33\x5b" "\x90\x3d\x5d\xff\x0f\xa6\x27\x36\x36\x2b\xe3\x1b\xce\x82\xee\xcd\x71\x3d" "\xa1\xb1\xdb\x3e\xc1\xcd\xda\x2e\xfd\xf0\xf8\xe5\xe7\xa6\x8e\x65\xf5\xf0" "\x27\xf7\x15\x3f\xad\x6c\x24\x07\xe3\x8e\xdf\x5d\xe0\xe0\x8d\x48\x13\xe5" "\x6a\x5a\xd3\x8b\xca\xb0\x9c\x57\x08\x9b\x6f\xcc\x58\xea\xe1\x8a\xd9\xe3" "\xa8\x2b\xe2\x4f\xc0\x62\x8f\x5f\xc6\x6e\xf1\xd8\xf0\x05\x77\x1b\x02\xfa" "\x77\x05\x63\xb3\x0c\x8c\xf8\xd8\x72\x2f\x89\x86\x0f\xf8\xee\xde\x15\x71" "\x12\xb8\x36\x06\xcf\x68\xf0\x91\x3e\xd1\x1b\x2b\xff\xce\x7d\x23\x11\xd1" "\xd9\x1e\x4c\xf6\xe4\x50\xd2\x60\xcc\x39\x06\x62\xd9\x6d\xf2\x13\xf4\xc0" "\x89\x40\x26\xde\xd9\xfd\xc7\x9d\x62\xd1\xcd\x43\x12\xa6\xad\xf3\xc4\xe5" "\xb7\x85\x09\x1c\x6f\xa3\xb5\x1c\x91\x4d\xeb\x42\xf1\xaa\xc1\x19\x06\xdf" "\x20\x53\x9c\xa8\x60\xe2\x8d\x10\x36\xc7\x3a\xc7\x5d\x73\x05\xad\x25\x05" "\xc4\x9a\x73\xab\x14\x57\x0c\xe5\x90\x9e\x88\x06\x2e\xf7\x03\xab\x62\x3c" "\x9b\x7f\x52\x06\x0e\x54\x73\xa5\xe8\x05\xf8\xc3\xd4\x2e\xde\x7a\x87\xff" "\x21\x82\x0c\x4a\xa9\x0f\x19\x11\x62\xc1\xe4\xb5\xe0\x41\x3b\x06\xee\x7e" "\xaa\x14\x91\x7d\xa7\xf6\x2e\xf6\xbd\xcd\xa7\x32\xf1\xa8\x9d\x1c\x36\x4f" "\x2b\x00\x23\xbc\x4b\x6f\xa2\x47\xe9\xfb\x82\x3c\x91\xc5\x7c\x0d\xc1\x0c" "\x1d\xaa\x98\x66\xa8\x68\xe9\xa6\x45\xeb\x97\xe0\xa4\x88\x58\x96\xe2\x21" "\x9e\x2b\x91\x78\xaf\xed\x4d\xaf\x94\x6b\x74\xac\x70\xc9\x74\x85\xf5\x9d" "\xb4\x67\x39\x5d\x49\x11\x38\xce\x68\xa1\xb6\xaf\xe6\xc6\xe5\xf2\xd9\x2a" "\x68\x42\x17\xa6\x30\x2c\xea\xab\x0f\x43\x5c\x41\x27\xef\x18\x05\x57\x69" "\x01\xba\x38\x31\xf0\x64\x24\x0b\xbd\x5f\x3b\x00\x81\xca\xb9\xc9\xe1\xc6" "\x54\x1a\xe2\x02\x8b\x71\x8a\x19\xa7\xa5\xd9\x24\x3e\x01\xff\x1c\xd1\x1e" "\x7e\x38\xf9\x02\xa2\x06\x8e\x8d\xbc\xb8\x05\x27\x62\xe7\x72\x45\xc0\xec" "\x31\xbd\x87\xcf\x09\x73\x09\x6e\x47\x51\x02\xb2\x43\x13\x5f\x6e\xb3\xf3" "\xb6\x2f\x8f\x30\x54\x7d\xa5\xc2\x29\x4b\x74\x4d\x02\x12\x2d\x74\x68\x60" "\x13\xe1\xb5\x33\xe7\x95\x9a\x52\xc1\x62\x5a\xbe\x75\xc0\xe8\xd1\xe1\x2d" "\x30\x3f\xbd\xdc\x78\x1b\x9b\x86\x91\xd7\xd3\x3f\xda\x5a\x59\xf5\xef\xcd" "\x20\x27\x3b\xb3\x53\xdf\x39\x59\x5c\x0f\x7c\x1f\xbe\xdf\x46\x9c\x39\xb1" "\xda\x77\xa3\xfa\x1a\xb2\x99\x41\x44\x92\x97\x0f\xed\x4d\x13\x4f\x1b\x2d" "\x07\x7d\x2c\x79\xec\xea\xe6\xd8\x00\x7d\x1d\xbc\x98\x45\xb0\x9e\x51\x62" "\x9b\xaf\xb9\xc9\x6f\x69\x8a\xa1\x75\x6e\xb1\x4f\x99\x7f\xfe\xbe\xc8\xb2" "\x3e\xf0\x32\xea\xcf\x3f\x86\xbb\x0b\x18\x85\x6a\xa1\x96\x1e\xab\x05\xac" "\xc0\x64\x07\x76\xd3\x0a\x49\xbb\xdd\x97\x3c\x4c\x16\x12\x49\xd9\x64\x64" "\x74\x90\x62\x2d\x31\x2e\x3f\x88\xa0\x58\x12\x9b\xfc\x47\xed\x44\xc5\xf5" "\x99\x00\x60\x9e\x6e\xfb\xc1\xfe\xaf\xd9\x79\x81\x80\xfd\xf3\x03\x2d\xda" "\xd3\x32\x97\xff\xab\x31\x16\xd7\x0a\xb2\x70\xb2\x50\x63\xf8\x97\x09\x66" "\x35\x06\xcd\x37\xa9\xc2\x5f\x6c\x52\x18\x62\xbb\x8a\x44\x7f\x12\x8c\xc9" "\xcc\x6e\x76\x86\xd3\x69\xce\xfb\xf0\x70\x17\x96\x9b\xad\x53\x44\x36\x33" "\xa8\x50\x4b\xf7\x2b\x78\xa8\xfa\x78\x81\x89\x4a\x4c\x79\xb7\xa6\xc6\x6b" "\xfb\xab\xcc\x29\x5e\x18\xb6\x64\x76\x94\xa0\x3f\xbc\x87\x06\x39\x19\xfd" "\xdc\x58\xf1\x52\xb2\xd1\x5f\xe6\x63\x17\x76\xd2\x34\x33\xdc\xc1\xb7\xcc" "\x22\xb3\x8d\xfc\x79\xc4\x3e\x52\x89\x8e\x9a\x86\x97\x5d\x7f\x00\x39\x32" "\xf3\xb7\x6b\x83\xf8\x08\xf6\x65\x86\xe7\x4d\x21\xf5\x34\xa4\xc8\xfb\xb6" "\x3f\xee\xce\x6b\xc4\x8f\x3d\x0c\x5d\x5b\x5b\x4b\x71\xb8\x62\x8a\xf5\x73" "\x31\xa8\x3e\x3e\x44\x67\x40\x4a\x5d\xeb\x85\x26\x83\xe1\x56\x0b\xf1\xc5" "\xf6\x5d\x47\x2b\x4e\x41\xd0\x9e\x60\x8e\x4d\xd8\xaa\x4c\xce\xec\x86\x0c" "\x12\x3b\x58\x27\xf5\x2a\xae\xa3\x6e\x65\x36\x92\x17\xa6\xed\xad\xe1\xc8" "\xba\x1e\xbd\x22\x25\xeb\x2b\xb3\x4b\x85\xc2\xcc\x16\xe6\x61\xa8\x8f\xf1" "\xd0\x93\x5a\x31\x5e\x09\x60\x22\xd6\xdd\xa5\xd7\xa7\x3d\x9b\x20\x03\x38" "\xb4\x67\x3c\x82\xfb\xe3\xdb\x00\xc0\x3e\x0b\x70\xe5\x96\x2b\x19\x63\x9b" "\x6b\x17\x80\x18\x1d\x2f\xdf\x50\xb9\x6f\x6e\xec\xd4\x0e\xde\xe1\xdb\xa7" "\x84\x57\x15\xc9\x71\x42\xe4\x19\x8b\xd3\xf2\x48\xb6\x16\x22\xc3\xa2\xc8" "\x24\xc4\x98\x35\x0f\x2c\x36\xba\x2f\xb3\xee\xca\x9a\x7f\xd9\xb3\x54\x83" "\x70\x21\xdf\xb8\x93\xa8\x39\x53\x67\xc0\x00\xd0\xea\x8b\x04\x85\xaa\xa8" "\x0a\xea\x77\xb8\x0b\x07\x2a\xe0\xe2\x70\x2d\x57\x5a\xf4\x59\x9f\x89\x91" "\xaa\xa4\x16\x84\xfd\xcb\x77\xf1\xd2\x5e\x03\x35\x36\xf4\x0b\x2e\x35\x7f" "\xc7\x45\x59\xdf\x6c\x92\x24\xdb\xab\xb1\x97\x4a\x7b\xcb\x44\x1e\x2c\x89" "\x73\x43\xa0\x3a\x08\x6d\x35\x3b\x1b\x56\xd4\x3a\xda\x04\x50\x84\x65\xf9" "\x45\xa1\x78\x68\x39\x43\xb9\xc7\xa1\x6a\x80\xc5\xbb\x6f\x2c\x27\xec\x49" "\x1f\x90\xc6\xf2\x0b\x98\xfc\xb9\x28\x29\x1b\x3f\x19\xb6\x65\x40\xbd\xcf" "\x27\x8d\x4c\x88\x35\x1b\x6a\x28\x9c\x29\x93\x50\x5b\x6e\xff\xe6\x00\x22" "\xcc\xc0\x66\x6f\x4b\xd5\x46\xb4\x0a\xf4\x3f\xa7\x17\x11\x09\xbb\xa1\x07" "\x60\x7a\x0a\xff\xb1\x55\x31\x13\x39\x3f\x02\x67\xb2\xc9\x49\x43\x60\x4d" "\x92\x76\xc9\xd0\x11\x77\xed\xf6\x4e\x11\xc1\x28\x3f\x40\x87\x61\x07\x0b" "\x89\x8e\xda\x2a\xd6\xed\xd1\x95\x62\xd9\xbe\x89\xf1\x4a\x61\x17\x80\xfa" "\x59\xea\x57\x77\x2f\x06\x82\xbe\xc6\xfe\xfb\xbf\x1b\x2f\x51\xdb\x85\xb1" "\xec\x25\x62\x62\xee\x51\x16\x87\x55\x2e\xf3\xf0\x37\x66\xd8\x18\x44\x54" "\xf1\xe1\x51\xc4\x1c\xaa\xd0\x0c\x74\x23\xff\xf5\xa8\x87\xca\xfb\x1e\x47" "\xae\x16\x81\x1f\xfb\x58\x39\x14\xa6\x2c\x56\x95\x9a\xd3\x02\x82\x8b\xaf" "\xb6\xc1\x80\x15\x9d\xe7\x6b\x5b\x6a\x22\x77\xec\xd6\x63\x5d\x28\x2c\x02" "\x61\xe8\xfe\xfd\xbc\x78\x3f\x87\x10\xf6\x03\x5e\x28\xd0\xa4\xac\x7b\xdf" "\x97\x03\x7a\xb8\xb5\x71\x75\x08\x40\x77\x1f\xe2\xe5\x40\x9a\xc6\xc3\x6f" "\x97\xd4\x83\xec\xc5\x2a\x84\x55\xe7\xed\xe1\xe1\xc2\xcf\xe5\xa7\x2d\xaf" "\x9d\x1b\x5d\xbb\x36\x19\xa7\xf6\xcb\xbf\x00\xbb\x68\x5d\x1d\xad\xc1\xdf" "\xf9\x4b\x30\x83\xa8\x3c\xc5\x40\xcb\xd8\x7b\xdf\xf5\x3e\xf3\xa6\xb2\xdf" "\x04\xfc\x21\xb1\x1c\xe6\x0f\xcd\x78\xea\x29\xd6\x5b\x87\x07\xc6\xf1\xf8" "\xee\xf7\x88\x53\xa7\xb3\x90\x40\x0a\xeb\x7c\x05\xaa\x7f\x95\xe6\x7c\xce" "\x4a\xde\x14\xbd\xd6\x65\x4a\x23\x0d\x94\x9d\x2f\xb3\x33\x0f\xf0\x08\x8e" "\xaa\xa1\x97\xef\x61\x4f\xf6\x94\x59\x44\x02\x40\xd6\xb8\x85\x87\x6c\xd5" "\xa3\xd7\xa9\xea\x1c\x28\x02\x81\x3a\xa0\x82\xe8\xe5\xd1\xc4\x4a\x71\x56" "\x42\x2f\x9e\xc7\x50\x8e\x09\x46\xac\x70\x6c\xa7\xc7\xb5\xdd\xd9\x51\x76" "\xc6\xb1\x65\x37\xaa\x24\x2e\x05\x38\x77\x30\xe4\x1f\xc3\x83\x92\x98\x37" "\x21\xa4\x76\xc7\xbf\xf7\x9c\xc3\xe7\x6c\x2c\x77\x5c\xb3\x5c\xe5\x09\xc6" "\xde\xf9\x47\x6f\x54\x8d\x90\xe0\xee\x64\x2d\x0a\xc8\xc2\xac\x1b\xeb\x20" "\xb2\x6a\xff\x70\x30\xee\x02\x71\xf6\x49\x3d\x46\xc9\xfb\x44\xec\x2d\xcf" "\x6b\x11\x1c\xec\xbc\xf0\x45\x72\x8f\x62\x4b\xb2\xbf\x27\x23\xc0\x05\xb4" "\xd9\xb1\x9a\xc7\xb7\x69\x82\x50\xf0\x4e\xbc\x94\xfa\x90\x04\xc4\xf8\x2e" "\x6f\xfc\xc3\xff\x95\x84\xbc\xaf\xb6\x88\xda\x91\x95\xec\xcc\x39\x87\xf0" "\xaf\x58\x90\x80\x8b\x8b\x13\x91\x0e\x01\x95\x54\x50\xab\x5f\x7e\xe2\x1b" "\x79\x38\xd1\xcc\xaa\x33\xb9\xde\x31\xd0\x6e\x01\x58\x42\x25\x4f\x1d\x5f" "\x39\xd6\xbb\xb0\xae\xb9\xfb\x97\xb1\x53\xeb\xa5\x74\x9d\x19\xfc\xc1\x10" "\x34\x27\x33\x09\x4d\x5c\x8d\x82\xb7\xe1\xc4\x6f\xe5\xc1\xa7\x23\xe7\xcf" "\x2a\x35\x96\xec\x49\x94\x82\x91\xd4\x77\x4b\xf9\xdd\xbd\xbf\x7a\x26\x1b" "\x88\x04\x47\xd3\xca\xb3\x2f\x7b\x05\x5c\xd4\x17\x14\x2a\xcd\x22\x40\xbb" "\xa2\xd7\xfe\x3f\x00\x3d\x3a\x78\x96\x02\x67\x3b\xc3\x4f\xa8\x4c\x40\x10" "\x1f\xb8\x0a\x4c\x23\xde\x6f\x68\x9f\x13\x01\x4e\x78\xcc\x21\xd1\xb5\x8f" "\x2e\x83\x8a\x00\xf1\x67\x9e\x5c\xee\x78\x48\x98\xc5\xc2\x5b\xe9\x94\x95" "\x09\x86\x2d\x70\xb5\x38\xf0\xfe\x38\x23\x25\xef\x77\xb5\x05\x37\xdd\x32" "\xd3\xda\x5c\x41\xd2\x06\xf9\x46\xd7\xf1\xf8\x6f\x5f\x86\xf4\x1f\x39\xdc" "\x21\x6e\xdf\x78\x69\xfa\x2f\x4b\x1d\x53\x4c\x7c\xfb\x29\x6b\x2c\x5d\x32" "\x3e\x43\x57\xc0\x40\x0f\xdd\xf4\x57\x1e\x8a\xd3\xb6\x3c\x94\x10\xec\x3f" "\x6a\xd6\xc0\x4e\xd5\x99\xbc\x60\xf0\x4d\x4c\x0e\x95\x6b\xab\x7c\xb0\xff" "\x1c\x32\x42\x15\x29\x19\x95\x2f\x57\xbf\x32\x41\x38\x91\x52\x15\x02\x69" "\x21\xf3\x4c\x19\x7a\x07\x6c\x62\xee\x70\xba\x3b\x04\xf7\x3d\x4f\xa9\x1b" "\xf7\x21\xa3\x89\x2f\xd5\x2a\xd2\x04\x5d\x8b\xac\xb0\x06\x04\xd2\xfb\xda" "\xc0\x92\x68\x79\x4e\xdb\x92\x93\xf9\x96\x5e\x74\xc2\x83\x7a\xf8\x89\xde" "\x27\x46\x66\x1b\x14\x15\xeb\x0f\x2c\x72\x29\xe5\x91\x62\x8b\x42\x7d\xdd" "\x3c\x8f\xc6\xf5\xf5\x97\xa7\xb1\xf2\xa0\x3f\x96\x57\x44\x45\x0d\x40\x67" "\xb7\xeb\x5b\x54\xdd\xc2\xb2\xbf\xf2\x22\x21\xb7\x3b\xd9\x14\x35\xdb\xe9" "\x08\x4f\x88\x1b\xc1\x27\x16\x5b\xc4\x42\x3e\x88\xfb\x55\x33\x4b\xa2\x50" "\xff\xd1\x50\x2a\xa4\x86\x52\xce\x5d\x05\x4e\x1c\xe1\x4c\x2c\x8c\x8a\xf8" "\x37\xff\xb2\x3c\x17\x28\x2f\xa5\x9b\xae\x4d\xf6\x06\xf3\x3a\x5d\xb2\xbc" "\x38\x8a\x2a\x62\xcb\x30\xb0\x8c\xf0\x75\x86\xa4\xf8\xc8\xc6\x20\x9f\x22" "\x5f\xe0\xb3\x0d\x7b\xde\x2a\xb8\xd7\xbe\x90\x49\x47\x3b\x9e\xfe\x4e\x45" "\xad\x43\x22\xce\xde\x4b\x1f\x31\xb0\x0c\x24\x6f\xca\x13\x2e\x60\x61\x16" "\x51\x8c\x37\x76\xbb\x87\xa4\x60\xd3\x61\x86\xef\x55\xac\x77\x2d\x04\x54" "\x07\x89\x03\x52\x42\xec\xc5\x32\x4d\x18\x45\xf9\x13\x2a\x08\xdd\xda\xff" "\x09\x40\xe0\x0b\x97\x70\x1f\xf1\xdc\x42\x4b\x42\xdf\xe4\xac\x37\x01\x82" "\x04\x04\xdb\x18\x3c\x89\x60\x44\x03\xb1\x4e\x1b\x3f\x25\x4c\x20\xe3\xfa" "\x40\xee\x8d\x86\x84\xee\x3c\xee\xfc\x4e\x92\x09\x11\x65\x5e\x4a\xcd\xbc" "\x3b\x7d\x2b\xb0\xe1\x24\x0e\x49\x6b\x96\x57\xf2\xc4\xcd\x71\x85\x82\x0f" "\x7c\x46\x8e\xdd\xcf\x40\xad\xaa\x02\xb7\x49\xb4\x63\xd8\x3d\x21\xe2\x17" "\xcd\x90\x6f\x4a\x91\x5b\x4a\x46\x42\x06\x30\xd4\xbc\xb8\xcf\x28\x10\xef" "\x41\xf9\x46\xe8\xbc\xc9\x55\x35\x05\xd7\x0f\x10\x82\x5a\x8e\xf7\x89\xc2" "\xee\xd7\x80\xba\xa2\x74\xc0\x36\xc4\x2f\x58\x86\x52\x73\xaf\x2e\x5f\x81" "\xa8\x2f\xd2\xb7\xb3\x15\x99\x89\x48\xfa\xf1\x45\xd4\x79\x52\x77\x38\x76" "\x21\x0c\x89\x0c\x77\xfe\x36\xf4\xe5\xee\x1f\xc2\xc9\xd6\xfb\x4e\xc6\x04" "\x11\xe1\x37\x3d\xe7\xff\x7a\xdf\x5a\x7d\xaf\x30\x31\x29\x7b\xf7\x08\xc7" "\x5e\xda\x9a\xf6\xe3\x1b\x49\x3e\x2e\xd3\x04\x17\xce\xb0\x02\x52\x88\xc2" "\xdd\xbd\xad\x4c\x56\x24\x1d\x57\x18\x41\x03\x65\x9c\x53\xf3\x55\x13\x20" "\xc8\x00\x73\x3f\x05\x80\x0f\x80\x49\x00\x49\x67\xf6\x90\x76\x83\x1c\x2d" "\x65\xf4\x52\x3f\xac\x28\x42\xb9\xa2\xcb\x69\x2b\x4b\x18\xd4\x6f\x6c\xda" "\xe3\xd4\x45\xe1\x32\xd8\x7b\xf7\xf7\x14\x11\x16\x1e\x6d\xb1\xbe\x5d\x16" "\x32\x30\xce\x22\x58\x27\x94\x38\xb2\xcb\x71\x61\xe3\x8c\x5e\x96\xe5\x8d" "\x30\xc1\xee\x97\x0d\x18\x59\x3a\x2b\xd1\xff\xe9\x8d\xfd\xe0\xd2\xb3\x34" "\xe4\x89\x1c\x2c\xca\x77\xbf\x77\x8f\xb9\xc5\x1b\x96\x74\x24\x06\xe2\x9a" "\x9f\x17\x3f\xd4\x05\xc1\x1f\x07\xd2\xff\xc0\x04\x21\x6a\xa7\xaf\xf2\xb8" "\x28\x4f\x79\xbc\x01\x29\x86\x95\x53\x87\x95\xeb\x22\x27\xf5\x5f\x42\xfe" "\xfd\x3b\xc1\x45\x57\xd2\x95\x6c\xcf\x5a\x08\x00\xb2\xcf\xa3\xeb\xd4\xdd" "\xd2\x1b\x55\xe8\x6d\xde\x2f\x65\xf7\x3b\x2e\x4e\x0e\x7f\xcc\xb8\x8e\xc4" "\x44\x4b\x90\xd4\xa2\xfc\x9c\x44\x77\x24\xcc\xc6\xd7\x2d\xd5\x9a\x6e\x47" "\x0e\xdf\x27\x13\xad\xc9\xa3\xce\x42\x7b\x02\x26\x56\xd6\xad\x25\x2a\xd8" "\x11\x78\xc4\x03\x04\x59\xf5\x22\xd8\x8e\x14\x35\x67\xb8\x80\xb9\x44\x3d" "\x1e\x1e\x23\x22\x1c\xd9\x7e\xde\x71\x7c\x8a\xd0\x23\x04\xe9\x1e\xda\xa6" "\xd9\xda\x90\x3a\xc3\xfc\x69\x38\x70\x49\xe3\xa2\x39\x3a\x65\x4f\x90\x0a" "\x7d\x42\xc5\x63\xae\xc0\x36\x0c\x73\x49\xde\xfb\xbc\x81\xf2\x20\xf2\x41" "\xb3\xcd\xba\x55\x6a\xd9\xe4\xa5\xf1\x08\xda\x42\xee\xc9\x0b\xff\x26\x4f" "\x4e\x96\x93\xba\x92\xd6\x2a\x7a\x13\x1a\xf5\x45\x5a\xbe\x59\x41\x3b\x90" "\x0a\x7c\x47\xe2\x3d\xf2\x92\x23\x3b\xc3\x99\x14\xe2\xc2\xee\x1b\x03\x19" "\x1e\x8a\xed\x03\x22\x74\x87\x62\xc5\xd1\x67\x2f\x25\x06\x72\x90\x4f\x22" "\xbf\x79\x66\x31\xa2\x62\x25\xde\xa2\xc8\x55\x6a\xb9\xce\x5c\x76\x80\xbc" "\x77\x02\x8c\x7b\x59\x8a\x17\xe5\xa6\xcb\x3f\xd3\x82\xc5\x09\xfc\x82\xe4" "\x39\x52\xfc\x2c\x00\xc7\xd7\x41\x4e\xd3\xb5\x37\x81\xd5\xda\xb0\xae\x7a" "\x4e\x7e\xed\xfa\x89\x54\x4f\x69\x37\xf3\xb7\x9c\x16\x44\x7e\xde\x80\x84" "\x0f\xe2\x26\x3e\xb2\xad\xdb\x32\xab\xa1\xea\x7a\x4a\xab\x94\x9c\x5c\x9b" "\xf9\x3b\x6e\x46\x03\xda\x89\x06\xd5\xd9\x65\x59\x3b\x9a\x57\x47\x78\x66" "\xf6\xb9\x8d\x51\xe6\x57\xe8\x6a\x81\x72\xf6\x53\x6b\x44\x1f\x9c\xbf\x6a" "\xee\x80\x0d\x16\x50\xd3\x13\x86\xb4\x84\x1a\x62\x50\x03\x0d\xe7\x72\x22" "\x2d\x05\x73\xe3\x4e\x7b\xa8\x6f\x4c\x2d\x0d\xd0\xfd\x32\x00\xf6\xbb\x9c" "\x34\x74\x2f\x21\xd4\x81\x80\x97\x76\xbb\xb0\xa9\xbf\x04\xaf\xc3\x47\xdc" "\x4d\xc6\xff\x63\x31\xe4\x25\x78\x96\x31\x5a\x39\x4e\xef\xdc\xf4\xbf\xd9" "\x1f\x6c\x21\x0d\x4a\x69\x86\x9b\x02\x5f\x9c\xf9\xd0\x38\x1c\x88\xbf\xef" "\x1a\x6f\x8e\x7c\x69\x97\xd2\x60\x86\x2d\xcc\x9c\xdc\xd2\x03\x07\x0b\xb0" "\x65\x58\xe7\x22\xbe\x4a\x47\xda\x45\x85\x78\x4f\xe3\x61\x14\x55\x01\xf3" "\x9c\x12\x9a\x67\x8a\x36\x6b\x18\x05\xfd\xe5\xe1\xff\xcc\x24\x78\x46\x1f" "\xb9\x91\xdc\x62\x45\xd0\x5c\xed\x7a\xfa\x4d\x0e\xa2\x38\x3e\xff\xb0\x8e" "\x4e\xfc\xb3\x6e\x17\x9d\x91\x78\xf7\xc8\xa4\x03\xe2\x71\x04\x50\xe8\x62" "\x24\x17\x1c\xec\x1e\x6d\x8d\xe3\x54\x35\xd7\x33\x60\xe5\xf8\x70\x6d\xe7" "\xc8\x08\xb4\x79\x50\xec\xe4\x17\x51\x30\x3b\xeb\x28\x9b\x26\x33\x70\x49" "\x55\x40\xfc\x9e\x9c\xeb\x59\x48\x22\x00\x39\x8e\x3b\x8a\x92\x89\x7f\x9a" "\x5e\x7c\xa3\xcc\x3b\x2f\x4b\x24\x44\x30\xb6\xc7\x91\x8e\xa8\xb5\x56\x58" "\x70\xfe\xfb\x49\x40\x22\x3d\x08\x7f\xde\xc9\xc3\x71\xf3\x8e\x2d\x8a\x77" "\x6e\x54\xd7\xbe\xdb\x16\x17\x03\xa3\xb6\x71\x88\x61\xec\x7e\xa6\xec\x7b" "\xc6\xa2\x88\x25\x40\xa2\x31\x5c\xfa\x75\x27\xda\xf1\x52\x1c\x8e\x07\xa3" "\xf2\x57\xe0\xac\x98\xfc\xe8\xac\xaf\x55\x32\xe5\x02\xbf\x89\xe7\x18\x5d" "\x8c\xea\xaa\x90\x42\x02\x89\x87\xbb\xd3\x9d\xc1\x0a\x6c\xb2\x12\xf3\xe0" "\x4e\xb5\xfc\xf8\xfb\x36\x43\xb1\x21\x06\x55\x47\x9c\xbb\x17\xf4\x5b\x38" "\x61\x3d\xce\x8c\xeb\x18\x4c\x8c\x9c\xbc\x7f\x61\xd3\xa5\x76\x6c\x0d\xc6" "\x04\x74\xe8\xd6\xa2\xca\xc5\xf7\x85\xad\x29\xd6\x8f\xf5\x92\xa8\xc4\xc2" "\x15\x38\xff\x0f\x5c\x78\x62\x47\xb8\x5d\x39\xf7\x3f\x99\xae\xb9\x22\x8f" "\x51\x2a\xc4\xaa\x9a\xb7\xa4\x33\x99\x68\xed\xa1\x4a\x9b\xa4\x36\xf3\xd1" "\xd5\xdb\x08\x62\x16\xa8\xb4\x71\x5c\xeb\xb9\x33\x58\xae\x80\x29\x53\x42" "\x43\x7a\x85\x5f\xdb\xb5\x00\x00\x2f\x7b\xff\x57\x4f\xf6\xbd\x4d\xe9\x1a" "\xe5\xf4\x4a\x8d\xd9\x1c\xa9\x75\xf3\x57\xa7\xa1\x52\xfb\x65\x8e\xcd\xc8" "\x95\x96", 8192)); NONFAILING(syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000010440, /*len=*/0x2000, /*res=*/0)); // open arguments: [ // file: ptr[in, buffer] { // buffer: {2e 2f 62 75 73 00} (length 0x6) // } // flags: open_flags = 0x14113e (8 bytes) // mode: open_mode = 0x0 (8 bytes) // ] // returns fd NONFAILING(memcpy((void*)0x200000000100, "./bus\000", 6)); res = syscall(__NR_open, /*file=*/0x200000000100ul, /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_RDWR|0x3c*/ 0x14113eul, /*mode=*/0ul); if (res != -1) r[2] = res; // write$binfmt_script arguments: [ // fd: fd_binfmt (resource) // data: ptr[in, binfmt_script] { // binfmt_script { // hdr: buffer: {23 21 20} (length 0x3) // bin: buffer: {} (length 0x0) // args: array[binfmt_script_arg] { // } // nl: const = 0xa (1 bytes) // data: buffer: {} (length 0x0) // } // } // len: bytesize = 0x208e24b (8 bytes) // ] NONFAILING(memcpy((void*)0x200000000080, "#! ", 3)); NONFAILING(*(uint8_t*)0x200000000083 = 0xa); syscall(__NR_write, /*fd=*/r[2], /*data=*/0x200000000080ul, /*len=*/0x208e24bul); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); setup_sysctl(); setup_cgroups(); const char* reason; (void)reason; if ((reason = setup_binfmt_misc())) printf("the reproducer may not work as expected: binfmt_misc setup failed: " "%s\n", reason); if ((reason = setup_usb())) printf("the reproducer may not work as expected: USB injection setup " "failed: %s\n", reason); if ((reason = setup_swap())) printf("the reproducer may not work as expected: swap setup failed: %s\n", reason); install_segv_handler(); use_temporary_dir(); do_sandbox_none(); return 0; }