// https://syzkaller.appspot.com/bug?id=28c4a71ecc4b55c2bbc7d921f0972df1a1a701b9 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static unsigned long long procid; static __thread int clone_ongoing; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { exit(sig); } uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct 
ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); } static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); if (err < 0) { } } static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); if (err < 0) { } } static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? 
AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, NDA_DST, addr, addrsize); netlink_attr(nlmsg, NDA_LLADDR, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static struct nlmsg nlmsg; static int tunfd = -1; #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 200; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { exit(1); } char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, 
&macaddr, ETH_ALEN, NULL); close(sock); } #define MAX_FDS 30 //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. 
//% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; 
len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], 
lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short 
distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto 
error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? 
'\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } static void setup_gadgetfs(); static void setup_binderfs(); static void setup_fusectl(); static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/selinux", 0700)) exit(1); const char* selinux_path = "./syz-tmp/newroot/selinux"; if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) { if (errno != ENOENT) exit(1); if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); } if (mkdir("./syz-tmp/newroot/sys", 0700)) exit(1); if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL)) exit(1); if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if 
(mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/newroot/syz-inputs", 0700)) exit(1); if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT) exit(1); if (mkdir("./syz-tmp/pivot", 0777)) exit(1); if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) { if (chdir("./syz-tmp")) exit(1); } else { if (chdir("/")) exit(1); if (umount2("./pivot", MNT_DETACH)) exit(1); } if (chroot("./newroot")) exit(1); if (chdir("/")) exit(1); setup_gadgetfs(); setup_binderfs(); setup_fusectl(); } static void setup_gadgetfs() { if (mkdir("/dev/gadgetfs", 0777)) { } if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) { } } static void setup_fusectl() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void setup_binderfs() { if (mkdir("/dev/binderfs", 0777)) { } if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) { } if (symlink("/dev/binderfs", "./binderfs")) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); if (getppid() == 1) exit(1); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 128 << 20; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", 
"16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535"); initialize_tun(); sandbox_common_mount_tmpfs(); loop(); exit(1); } static void close_fds() { for (int fd = 3; fd < MAX_FDS; fd++) close(fd); } static const char* setup_usb() { if (chmod("/dev/raw-gadget", 0666)) return "failed to chmod /dev/raw-gadget"; return NULL; } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, 
FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; struct fuse_out_header* statx; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { 
return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; case FUSE_STATX: out_hdr = req_out->statx; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void loop(void) { intptr_t res = 0; if (write(1, "executing program\n", 
sizeof("executing program\n") - 1)) { } NONFAILING(memcpy((void*)0x200000000080, "ext4\000", 5)); NONFAILING(memcpy((void*)0x200000000140, "./bus\000", 6)); NONFAILING(memcpy((void*)0x200000000480, "auto_da_alloc", 13)); NONFAILING(*(uint8_t*)0x20000000048d = 0x2c); NONFAILING(memcpy((void*)0x20000000048e, "jqfmt=vfsold", 12)); NONFAILING(*(uint8_t*)0x20000000049a = 0x2c); NONFAILING(memcpy((void*)0x20000000049b, "noquota", 7)); NONFAILING(*(uint8_t*)0x2000000004a2 = 0x2c); NONFAILING(memcpy((void*)0x2000000004a3, "init_itable", 11)); NONFAILING(*(uint8_t*)0x2000000004ae = 0x2c); NONFAILING(memcpy((void*)0x2000000004af, "stripe", 6)); NONFAILING(*(uint8_t*)0x2000000004b5 = 0x3d); NONFAILING(sprintf((char*)0x2000000004b6, "0x%016llx", (long long)0x79)); NONFAILING(*(uint8_t*)0x2000000004c8 = 0x2c); NONFAILING(memcpy((void*)0x2000000004c9, "resgid", 6)); NONFAILING(*(uint8_t*)0x2000000004cf = 0x3d); NONFAILING(sprintf((char*)0x2000000004d0, "0x%016llx", (long long)0)); NONFAILING(*(uint8_t*)0x2000000004e2 = 0x2c); NONFAILING(memcpy((void*)0x2000000004e3, "data_err=ignore", 15)); NONFAILING(*(uint8_t*)0x2000000004f2 = 0x2c); NONFAILING(memcpy((void*)0x2000000004f3, "init_itable", 11)); NONFAILING(*(uint8_t*)0x2000000004fe = 0x2c); NONFAILING(memcpy((void*)0x2000000004ff, "errors=continue", 15)); NONFAILING(*(uint8_t*)0x20000000050e = 0x2c); NONFAILING(*(uint8_t*)0x20000000050f = 0); NONFAILING(memcpy( (void*)0x200000000540, "\x78\x9c\xec\xdd\xcf\x6b\x5c\x5b\x1d\x00\xf0\xef\xbd\xc9\xbc\xfe\xca\x33" "\xf3\xd4\xc5\xf3\x81\xef\x15\xad\xa4\x45\x3b\x93\x34\xb6\x0d\x2e\x6a\x05" "\xb1\xab\x82\xb5\xee\x6b\x4c\x26\x21\x64\x92\x09\x99\x49\xdb\x84\xa2\x29" "\xee\x15\x44\x54\x70\xe5\xca\x8d\xe0\x1f\x20\x48\xff\x04\x11\x0a\xba\x97" "\x2a\x8a\x68\xab\x0b\x17\xea\xc8\xcc\xdc\xa9\xcd\x38\x93\x04\x3a\x99\xdb" "\x97\x7c\x3e\x70\x7b\xcf\x3d\x67\x66\xbe\xdf\xd3\x32\xf7\xc7\xb9\xa7\x73" "\x03\x38\xb1\xce\x47\xc4\xcd\x88\x18\x8b\x88\x4b\x11\x31\x99\xd5\xa7\xd9" 
"\x72\xab\xd5\x7e\xa7\xf3\xba\x17\xcf\x1f\x2d\xb4\x96\x24\x9a\xcd\xbb\x7f" "\x4d\x22\xc9\xea\x22\x4e\xef\xf9\xcc\x73\x11\xb1\x1b\x9d\xda\xaf\xdd\x8a" "\xf8\x66\xf2\xff\x71\xeb\xdb\x3b\xab\xf3\xd5\x6a\x65\x33\xdb\x2e\x37\xd6" "\x36\xca\xf5\xed\x9d\xcb\x2b\x6b\xf3\xcb\x95\xe5\xca\xfa\xec\xec\xcc\xb5" "\xb9\xeb\x73\x57\xe7\xa6\x87\xd2\xcf\x62\x44\xdc\xf8\xf2\x1f\x7f\xf8\xbd" "\x9f\x7d\xe5\xc6\xaf\x3e\xf7\xe0\xf7\xf7\xfe\x7c\xf1\x5b\xad\xb4\x26\xb2" "\xf6\x4e\x3f\x86\xaf\xd3\xf5\xc2\x9e\xbf\xa1\xf1\x88\xd8\x3c\x8a\x60\x39" "\x18\xcb\xd6\x85\x01\xed\xdf\x1d\x1b\x61\x32\x00\x00\x1c\xa8\x75\x8e\xff" "\xd1\x88\xf8\x54\xfb\xfc\x7f\x32\xc6\xda\x67\xa7\x00\x00\x00\xc0\x71\xd2" "\xfc\xe2\x44\xfc\x2b\x89\x68\x02\x00\x00\x00\xc7\x56\xda\x9e\x03\x9b\xa4" "\xa5\x6c\x2e\xc0\x44\xa4\x69\xa9\xd4\x99\xc3\xfb\xf1\x38\x9b\x56\x6b\xf5" "\xc6\x67\x97\x6a\x5b\xeb\x8b\x9d\xb9\xb2\xc5\x28\xa4\x4b\x2b\xd5\xca\x74" "\x36\x57\xb8\x18\x85\xa4\xb5\x3d\x93\xcd\xb1\xed\x6e\x5f\xe9\xd9\x9e\x8d" "\x88\x77\x22\xe2\x07\x93\x67\xda\xdb\xa5\x85\x5a\x75\x31\xef\xc1\x0f\x00" "\x00\x00\x38\x21\xce\xf5\x5c\xff\xff\x63\xb2\x7d\xfd\x7f\x2a\xef\xbc\x00" "\x00\x00\x80\x21\x2b\xe6\x9d\x00\x00\x00\x00\x70\xe4\xf6\xbb\xfe\xff\xc8" "\x08\xf3\x00\x00\x00\x00\x8e\x8e\xfb\xff\x00\x00\x00\x70\xac\x7d\xf5\xf6" "\xed\xd6\xd2\xec\x3e\xff\x7a\xf1\xfe\xf6\xd6\x6a\xed\xfe\xe5\xc5\x4a\x7d" "\xb5\xb4\xb6\xb5\x50\x5a\xa8\x6d\x6e\x94\x96\x6b\xb5\xe5\xf6\x6f\xf6\xad" "\x1d\xf4\x79\xd5\x5a\x6d\xe3\xf3\xb1\xbe\xf5\xb0\xdc\xa8\xd4\x1b\xe5\xfa" "\xf6\xce\xbd\xb5\xda\xd6\x7a\xe3\xde\x4a\xcf\x43\xc2\x01\x00\x00\x80\x91" "\x79\xe7\x83\x27\xbf\x4b\x22\x62\xf7\x0b\x67\xda\x4b\xcb\x5b\x87\x7f\xfb" "\xdb\x47\x97\x19\x70\xd4\x92\x03\xda\xdb\x0f\x09\x79\x96\x6d\xfc\x61\x04" "\x09\x01\x23\x33\x96\x77\x02\x40\x6e\xc6\xf3\x4e\x00\xc8\x4d\x21\xef\x04" "\x80\xdc\x1d\x34\x0e\x30\x70\xf2\xce\xaf\x87\x9f\x0b\x00\x00\x70\x34\xa6" "\x3e\x31\xf8\xfe\xbf\xb1\x01\x38\xde\xd2\x81\x2d\xcd\x91\xe6\x01\x00\x8c" 
"\x8e\xfb\xff\x70\x72\x15\xf6\xce\x00\xbc\x9a\x5f\x26\x40\x5e\x0e\x7a\xcc" "\xc7\xeb\xdc\xff\xef\x8c\x24\x34\x0d\x28\x00\x00\x40\xce\x26\xda\x4b\x92" "\x96\xb2\x7b\x81\x13\x91\xa6\xa5\x52\xe7\x3f\xf6\x17\xa3\x90\x2c\xad\x54" "\x2b\xd3\xd9\xf5\xc1\x6f\x27\x0b\xa7\x5a\xdb\x33\xed\x77\x26\x07\xce\x19" "\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x3a\x9a\xcd\x24\x9a\x00\x00\x00\xc0\xb1\x16\x91\xfe\x29\x69\xff" "\x9a\x7f\xc4\xd4\xe4\x85\x89\xde\xf1\x81\xb7\x92\x7f\x4e\xb6\xd7\x11\xf1" "\xe0\x27\x77\x7f\xf4\x70\xbe\xd1\xd8\x9c\x69\xd5\xff\xed\x65\x7d\xe3\xc7" "\x59\xfd\x95\x3c\x46\x30\x00\x00\x00\x80\x5e\xdd\xeb\xf4\xee\x75\x3c\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x0c\xd3\x8b\xe7\x8f\x16\xba\xcb\x28\xe3\xfe\xe5\x4b\x11\x51\xec\x1b\xff" "\x83\xd3\xed\xd5\xe9\x28\x44\xc4\xd9\xbf\x27\x31\xfe\xca\xfb\x92\x88\x18" "\x1b\x42\xfc\xdd\xc7\x11\xf1\x6e\xbf\xf8\x49\x2b\xad\x28\x46\x27\x8b\x7e" "\xf1\xcf\xe4\x18\x3f\x8d\x88\x73\x43\x88\x0f\x27\xd9\x93\xd6\xfe\xe7\x66" "\xbf\xef\x5f\x1a\xe7\xdb\xeb\xfe\xdf\xbf\xf1\x6c\x79\x5d\x83\xf7\x7f\x69" "\x74\xf7\x7f\x63\x03\xf6\x3f\x6f\x1f\x32\xc6\x7b\x4f\x7f\x51\x1e\x18\xff" "\x71\xc4\x7b\xe3\xfd\xf7\x3f\xdd\xf8\xc9\x80\xf8\x9f\x3e\x64\xfc\x6f\x7c" "\x7d\x67\xa7\xa7\xea\xdb\xdd\x42\xf3\xa7\x11\x53\x7d\x8f\x3f\xc9\x9e\x58" "\xe5\xc6\xda\x46\xb9\xbe\xbd\x73\x79\x65\x6d\x7e\xb9\xb2\x5c\x59\x9f\x9d" "\x9d\xb9\x36\x77\x7d\xee\xea\xdc\x74\x79\x69\xa5\x5a\xc9\xfe\xec\x1b\xff" "\xfb\x9f\xfc\xe5\x7f\xf6\xeb\xff\xd9\x01\xf1\x8b\x07\xf4\xff\xc2\x21\xfb" "\xff\xef\xa7\x0f\x9f\x7f\xac\x53\x2c\xf4\xb6\x75\x2b\xfa\x1d\x7f\xdf\x1d" "\x10\x3f\xcd\x8e\x7d\x9f\xc9\xca\xad\xf6\xa9\x6e\x79\xb7\x53\x7e\xd5\xfb" "\x3f\xff\xcd\xfb\xfb\xf5\x7f\x71\x40\xff\x5f\xfe\xfb\xf7\x39\xd0\xb6\x62" 
"\x5e\x3c\x64\xff\x2f\xdd\xf9\xce\xb3\x43\xbe\x14\x00\x18\x81\xfa\xf6\xce" "\xea\x7c\xb5\x5a\xd9\xfc\x30\x16\xd2\x78\x23\xd2\x50\x18\x4a\xe1\xd4\x9b" "\x91\xc6\x3e\x85\x42\xbc\x11\x69\x8c\xa6\x90\xf7\x9e\x09\x00\x00\x18\xb6" "\xff\x9d\xf4\xe7\x9d\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x9c\x5c\xa3\xf8\x39\xb1\xde\x98\xbb\xf9\x74\x15\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x60\x5f\xff\x0d\x00\x00\xff\xff\x27\x2d\xd9\x9e", 1255)); NONFAILING(syz_mount_image(/*fs=*/0x200000000080, /*dir=*/0x200000000140, /*flags=MS_LAZYTIME|MS_MANDLOCK*/ 0x2000040, /*opts=*/0x200000000480, /*chdir=*/1, /*size=*/0x4e7, /*img=*/0x200000000540)); NONFAILING(memcpy((void*)0x200000000180, "./bus\000", 6)); res = syscall(__NR_open, /*file=*/0x200000000180ul, /*flags=O_TRUNC|O_SYNC|O_NOATIME|O_LARGEFILE|O_CREAT|O_RDWR|0x3c*/ 0x14927eul, /*mode=*/0ul); if (res != -1) r[0] = res; syscall(__NR_fallocate, /*fd=*/r[0], /*mode=*/0ul, /*off=*/0ul, /*len=*/0x1000f4ul); NONFAILING(memcpy((void*)0x200000000780, "./bus\000", 6)); res = syscall( __NR_open, /*file=*/0x200000000780ul, /*flags=O_SYNC|O_NOATIME|O_DIRECT|O_CREAT|O_RDWR|0x3c*/ 0x14507eul, /*mode=*/0ul); if (res != -1) r[1] = res; syscall( __NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x600000ul, /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_WRITE|PROT_EXEC|0x90e976db900956f0*/ 0x90e976db910956feul, /*flags=MAP_UNINITIALIZED|MAP_LOCKED|MAP_FIXED|MAP_SHARED*/ 0x4002011ul, /*fd=*/r[1], /*offset=*/0ul); NONFAILING(memcpy((void*)0x200000000380, "/dev/loop", 9)); NONFAILING(*(uint8_t*)0x200000000389 = 0x30); NONFAILING(*(uint8_t*)0x20000000038a = 0); 
NONFAILING(memcpy((void*)0x200000000140, "./bus\000", 6)); syscall(__NR_mount, /*src=*/0x200000000380ul, /*dst=*/0x200000000140ul, /*type=*/0ul, /*flags=MS_BIND*/ 0x1000ul, /*data=*/0ul); NONFAILING(memcpy( (void*)0x200000010440, "\x22\xf8\xea\x77\xe0\xc8\x70\xaa\xee\x3b\xde\x9b\xe8\x4b\xff\xfa\x3e\xab" "\xe4\x0a\x0d\x0f\x24\x3a\xe4\x4c\x67\x07\xa1\x24\xb1\x90\x7b\xf3\xec\x0e" "\x19\x1a\x6c\x2e\xc0\x5d\x77\xf6\x54\x08\x31\x4b\x75\x16\xc3\x74\xe9\x8d" "\xc1\x03\x55\x5f\x98\xe6\x9e\x16\xec\x70\x99\xc9\xb0\x7d\xbd\xe1\x94\x4d" "\x85\x79\xbd\xb3\x72\x25\x0b\xbd\x3b\x97\xd3\x70\x82\xa2\xb8\xd8\x7b\xf8" "\xf1\x7d\x51\xfc\x4f\xe3\x7b\xeb\x31\xe7\x11\x9a\x0e\x28\xf7\x3e\x10\x15" "\x61\x2e\xea\x09\x69\x50\x86\x13\xb1\xc1\x94\xfc\x6d\xbf\xba\x55\xc8\x4e" "\x52\x99\xf9\xf5\xa2\x8b\x57\xb6\xa7\xcc\x90\x60\x08\x4a\x40\x6d\xa2\x78" "\xb6\xf8\x75\x8d\x22\xb9\x1c\xe1\x76\x26\xf6\x5a\x36\x13\xd7\x8b\xf6\x35" "\x53\x3b\x96\x8d\x24\x9f\x4a\xd0\xef\x1e\x94\x44\x03\x5e\x5a\xcf\x8f\xd2" "\x48\x33\x9e\x6e\xa6\xb4\xae\xf3\x18\x65\x20\x9f\xf4\xa6\x4a\xf4\x7c\x42" "\x88\x79\x7e\x43\x03\xf1\x4e\xdc\x61\xb1\xe3\xef\x07\xad\x84\x28\xcf\xbb" "\x44\x53\xbb\x29\xdb\xb2\xcf\x34\x3c\x8b\x0e\x0b\xca\xf1\x8c\xb1\xff\x71" "\x57\x41\x8a\x90\x6b\xe6\xa0\xe7\xb2\x7a\x59\x82\xe3\xd2\x7f\x4c\x15\xdb" "\x81\x95\x66\xf9\x46\x07\x97\xb2\xb1\x64\xc5\xe0\x0c\x94\x22\xf8\x30\x4c" "\xb7\x5c\x44\xa9\x13\x50\x69\xdc\x57\x37\x6a\x4b\xcf\xc5\x48\x09\x6c\x4e" "\x00\x04\x09\xcd\xb9\x4f\xc6\xbd\x6b\x33\xfa\x9a\xc8\xe4\x8f\x13\x57\x96" "\xa9\x6f\x11\x11\x1a\xfe\x1e\xe9\x9e\xb6\x70\x4a\x49\x32\x65\x3d\xfb\x1e" "\x13\xa4\x0b\x76\x18\x71\xfb\x26\x0f\x1f\xcf\x88\x15\xd3\x79\x12\x45\x5c" "\xc3\xa9\x7d\xa9\x59\xde\xc3\xa7\xf9\x3b\xd2\x82\x94\xd2\xfe\xaa\x74\xcf" "\x48\x08\x3c\x85\xe6\x1c\x30\x64\x8f\x5b\x7c\x80\x4e\x3c\x77\x6b\x9a\x49" "\xb9\x50\x28\x75\x43\xe1\x16\xe9\x13\xb5\x39\x2b\x91\xdb\x78\x45\xab\x4f" "\xd9\x91\xd6\x06\x10\xf7\x05\xc8\x2c\x47\x37\xd7\x04\x8e\x6b\xd4\x4f\x47" 
"\xf5\x6d\x07\x55\x40\x6a\x51\xb4\x6e\xd1\xcd\x51\xb3\x6a\x39\xa7\xd1\xf1" "\xda\x14\x1d\x5b\x9a\xbf\xca\x02\x06\x76\x85\x61\x5f\x5b\x44\xc7\x80\xef" "\x68\x55\x76\xf0\x92\x72\x82\x04\xb8\x85\xf8\xba\xd0\x5c\x89\x87\x64\x4d" "\x18\xa5\x4a\x0d\xaa\xdb\x3f\x5f\x4f\x54\xd6\x1a\x57\x71\x9e\xdc\xb4\xed" "\x4c\xc2\xc3\x9c\x9a\x66\x1e\x62\xe2\xd3\x5a\x5b\x47\x11\x63\x69\x0c\x65" "\xa2\xd1\x5a\xd5\x47\xad\x31\xd4\x5b\x8a\xc8\x4c\xcc\xdf\xbf\x99\xb1\x31" "\x46\xe6\x42\xd4\xc8\x40\xf4\x25\x0e\x88\x24\x86\xf3\x38\x2c\x5d\x37\x4a" "\xf1\x26\x26\x82\x9d\x42\x3d\x5e\xc6\x9a\xe1\x80\xa4\x11\x4e\xd4\xf5\x89" "\x97\x4c\x7c\x64\x28\x96\x6c\x3f\xfb\xe7\x85\xd4\x52\xc9\x30\x0a\x5d\x61" "\x4e\xda\x84\x98\x34\x0f\xeb\xe5\x20\x73\x2a\xa1\x57\xe3\x97\x18\xbb\x98" "\x40\x34\x14\x9d\x11\x78\x7d\x8e\xbf\x68\x59\x62\x5e\xf1\x80\xff\x4b\x5a" "\xda\xb6\x07\xb1\xe5\x5c\x44\x41\x2a\xc2\xa2\x38\xe6\xb6\x8d\xa1\xe2\x22" "\xe4\x58\x1c\xb0\x0f\xdd\xaa\x97\xad\xab\x57\x7b\x69\x96\x9a\xba\x6b\x38" "\xc9\x12\x40\x0d\x59\x59\xc1\xb9\xf8\xd9\x5e\xfd\x43\xfa\x2f\xe6\x3a\x11" "\x2b\x49\x65\xc5\x02\x70\xd0\xc1\x74\xc2\xaa\xc0\x94\xbd\x51\xc1\x42\xde" "\xfa\x5b\x04\x31\x04\xdb\xc5\xc2\x0d\x09\x8c\xe9\xc9\xbf\xcf\x04\x67\x88" "\x8a\x4c\xdc\x0c\xfc\x2e\xf6\xa8\xe8\xc2\x41\x17\x8b\xe7\x90\x49\x64\xad" "\x18\x07\x02\x19\x16\x0b\xec\x00\x32\x3c\x59\x81\xd4\x4a\x53\xca\x52\x2c" "\x13\xbb\x03\xbf\x72\xdb\x6e\xb2\x26\x7f\xcd\xf2\xcc\x8d\x13\xcc\xff\xc0" "\x95\xd1\xce\xc3\xe8\xb9\xf6\xd1\x7a\xf5\xee\xd8\x09\xad\x96\xde\x9e\x88" "\x08\x56\x35\x92\xf0\xef\x19\x4b\x0c\x8c\xa4\xeb\x5d\x11\x7f\x6b\x4d\x66" "\x4d\x5f\x25\x5f\x4b\x62\x73\xbc\xe7\x3e\x1a\x8b\xcb\xad\x00\x71\x7c\x2f" "\x4f\x85\x27\x53\xd7\x0a\x72\xa4\xf0\xc1\x86\x96\x55\x25\xd4\x60\x3b\x29" "\x87\xc4\xbd\xd3\xd7\x8a\x6f\xf3\x87\xf9\xf1\xfb\x58\xdd\x16\xdc\x5a\x9b" "\xf0\xfe\x49\x00\x55\xde\x1b\x17\xe2\x6a\x31\x35\x4f\xac\x37\xbe\xdc\xde" "\x20\x53\x4b\xf2\x98\xd9\x7d\x1e\x0d\xa0\x86\xf0\xb5\x10\xbf\xa2\x9a\x94" 
"\x50\xb4\x36\x32\xed\x71\xfd\xb4\x21\x8d\x4b\x96\x11\xa2\x3c\xef\x84\x46" "\xf0\xa8\xdf\x50\x8b\x16\x4b\xd8\xc2\x39\xab\x04\x42\x00\xeb\x7a\xa7\xb5" "\xb9\x89\x22\x67\xc8\xb0\x58\xa2\x8c\x26\xf6\xf4\xf8\x71\xa2\x4e\x70\x47" "\x57\x35\x37\x3a\x68\x35\x4d\x17\x43\x4a\xd3\xba\x1f\x6d\x6a\x11\x67\xab" "\x9f\x06\x85\xf3\x96\xd7\xb4\x98\xad\xc4\x6d\x81\xd8\xd5\xf2\x06\x45\xb5" "\x20\x97\xed\x1a\xa8\x59\x8c\x4a\x6b\x6e\x14\x83\x0b\xfb\x67\xb3\x5c\xd4" "\x2b\x7a\x96\x2c\xbc\x3b\x44\xa8\xe6\x65\x45\xdd\x8c\x32\x13\xab\x50\x63" "\xc1\x58\xf5\x40\x02\x3b\x97\x76\x6a\xda\x87\x75\xc6\xc3\x5f\xd4\xe3\x53" "\x37\x50\x75\x03\xa2\x9c\x15\x9b\x24\x30\x79\x4b\xe7\xc9\xed\x26\x09\x31" "\x9e\x69\x8b\x0f\xcd\xbb\xf4\x4f\x4a\x5d\x12\x8c\x7b\x0c\x41\xd4\x01\x12" "\xde\xcf\x6a\x06\xe5\x1d\x19\x1c\xbf\xfd\x44\x4b\x8b\x32\x31\x15\xbb\xab" "\x4d\xbc\x8f\x9f\xda\xfd\x6d\x2f\x7b\x10\x80\xa4\xae\xd3\x58\x18\xc2\x6f" "\xc7\x5a\x8c\x6a\x98\x18\x2e\x1f\x9b\xd3\x5c\x94\x5e\x94\xcd\xb3\xb2\x5d" "\x89\x8b\x70\x4c\x89\x11\x4d\x22\xbd\xda\xb1\x94\x9c\x78\x1b\x91\x80\xff" "\xfe\xd0\x04\x2e\xdb\x70\x78\x8c\x12\xa9\x7c\x44\xea\x78\x16\xdb\x92\x5c" "\xe4\xd7\xf2\x17\x4e\x18\xb3\x92\x83\x4c\x89\x17\x16\xe2\xe2\x8d\x07\x64" "\x86\xf1\x86\xeb\x8f\x65\x24\xde\xe0\x7c\xe2\x20\x9b\xf9\xdf\xc6\x98\x1f" "\x8a\x93\x9a\xd9\xfd\x4c\x09\x20\x94\xf0\xbb\x48\xbf\x37\x28\x0c\x0e\xb3" "\xc7\xee\xd5\x17\x9e\x90\x9c\xc6\x26\xce\x17\x8f\xa4\xad\x70\x26\x1f\x50" "\x6e\xac\xec\xca\xc8\x27\x2b\x7c\x8e\x41\x39\x8f\xe6\x52\xd9\xf4\x86\x02" "\xe4\xef\x4d\xce\x43\x44\x96\x11\xef\x27\x05\xd6\xa6\xdd\x95\x4c\x09\xc0" "\x0d\x1e\x8d\x24\x54\xf4\x29\xff\x36\x73\x8f\x20\x76\x70\x27\xf1\xf7\x15" "\x1b\x21\x24\x35\x1a\x9f\x01\x96\xf8\xe8\x38\xad\xb8\x82\xd0\xcb\xf4\x63" "\xaf\xa9\x15\x44\x5a\x02\xed\x6c\x5b\xe4\xa0\x8c\xb8\x03\x98\xc4\xd5\xe9" "\x55\x00\xda\x86\x2b\xcc\x26\x58\xa2\x85\x99\xaf\x0a\x2b\x93\x7e\x26\x58" "\xdf\xee\x12\x10\x0c\xc4\x88\xba\x67\x6c\xe6\x12\x29\x57\x07\x8f\xf2\xa3" 
"\xf1\x2a\x5d\x74\x3b\x5c\x91\xa6\x8b\x80\xfc\x7a\xd1\x16\x75\x7d\x97\x40" "\xd2\xb9\x40\x41\x4f\x7a\x43\xa1\xc5\xc5\xfe\x3a\x5b\x65\xeb\x94\x26\xbd" "\xa3\xcc\xa9\x95\x17\x15\x37\xe6\x23\xcc\x8d\x0a\x41\xff\xf3\xc1\xd8\x67" "\xf4\xf4\xbc\xe5\x0f\x1e\xba\xa7\x1e\x79\xfd\x8e\xd9\xcb\xca\x12\xcb\xed" "\xe5\x04\x01\xd5\x98\x79\xad\xa3\x3d\x87\xf2\xbf\x76\x11\xdc\xd4\xb5\xb9" "\x18\x76\x57\x0d\xea\x77\xe6\xe8\x43\x3a\xba\x3a\x18\xd3\x1e\xe4\xfa\x35" "\xa4\xb3\x37\x6c\xfe\xcc\x0e\x4c\xf9\x40\xde\x70\xcf\xdb\x9b\x0b\x29\xc1" "\xe6\x8b\xd2\xd5\x8e\x5b\x07\x53\xa1\x5b\x69\xc1\x63\x68\x43\xdb\xe0\x5e" "\x98\x1d\x05\x8f\x39\x37\x60\xda\xca\x68\x6c\x12\x88\x2a\x38\xc5\xa2\x65" "\x0b\xd1\xda\xa6\x29\xf8\xd2\x85\x44\x81\x8c\x97\xdc\xbe\x60\xc8\x45\x5e" "\xfd\x62\x62\x9a\x44\x84\x18\x4c\x65\xcb\x4e\xa6\xbb\xe7\x56\xad\xab\x8f" "\x27\x45\x2d\x5f\x6b\xf7\xef\x39\x0d\x6b\xa8\x60\x93\xd8\xb3\x3d\x75\x67" "\xa3\xa8\xfb\x5d\x6d\x82\xc6\x33\xd7\xdf\x72\xa0\x99\xc1\x24\xa5\x1e\x40" "\x1d\x62\x34\xc0\x6e\xee\x0a\x37\xc8\x8e\x0c\xff\x59\xc5\x29\xa0\x57\x50" "\xb9\x6a\x00\xc5\x53\x57\xee\x98\xf6\x9b\x65\xb8\xd0\xa7\x6a\x1e\x98\x0a" "\xca\x89\x19\x5b\x04\xe5\xe9\x02\x1f\xf0\x7a\x6e\xd3\x33\xcb\x46\x19\x18" "\x19\xac\xdc\xf6\xe9\xb9\x8c\x36\x43\x30\xc8\xcf\xf6\x9c\xa3\xe7\x75\xb8" "\x4f\x1b\x0d\xee\x29\xbc\x22\x93\x21\x79\xba\x25\xde\x6b\xda\xac\x05\xd9" "\xdf\xf2\x84\xb3\xf1\x00\x31\x9b\x51\xeb\xbd\xd9\x24\x4b\x4b\x68\x6b\xa4" "\x10\x39\x1d\x61\x15\x81\x7a\x47\x4d\x05\xbc\x00\xf7\xb9\x19\x02\x7b\x74" "\xec\xe4\xd8\xb3\x4a\xb4\xa2\x49\x0c\xb3\x9b\xf6\x98\x44\xc6\x88\x1f\xa7" "\xf6\x47\x57\x62\x8e\xe8\x00\x9a\x44\x2a\xde\x79\x3f\xdd\x41\xd3\x09\x76" "\x7b\xa2\x4d\xf8\x35\x4e\x19\x79\xd4\x1e\x2f\x34\xb8\x4e\x99\x55\x7f\x91" "\xf4\x93\xf0\x1c\x69\x8e\xa7\x4f\x1a\x42\x67\xd1\xcc\xf2\x03\x0e\x15\xc8" "\x2b\xc7\x43\xeb\x4e\xbd\xc6\xc4\xf1\xb2\x4c\xdd\xa0\x16\x2a\x76\x98\x5d" "\x15\x4e\x7f\x91\x52\x1d\xe2\x04\xbc\x41\x59\x74\x7f\x16\x95\x90\xfe\xf4" 
"\x3e\x48\x56\x4e\x14\x45\xee\x10\xa5\x60\x60\x2c\xbc\x16\x0c\x80\xa2\x7c" "\x65\xa1\xe3\x31\xe9\x34\xed\x53\xd4\xa0\x28\x5e\xe1\x56\x90\xe6\x8f\x67" "\xea\xb4\x51\x0d\x89\x3a\x96\x15\xcc\xa0\x83\xd1\x4e\x1a\x1d\xe7\xe9\x7d" "\x95\x80\x50\xf0\xde\x8f\xe6\xc9\xc8\x15\x8a\xee\xb1\x80\xda\xf5\xdd\x84" "\xbe\x99\xa1\xc3\x71\x51\x08\xbc\x67\xba\xcd\x14\x54\x2a\x17\xe9\x78\x26" "\x48\x07\x84\x75\x90\x7d\x82\xa2\xbd\x25\xfb\x18\x1a\x1d\xcf\xd1\x23\xcf" "\xb4\x9b\x11\xf2\xa0\xa6\x9d\x33\xe7\xb5\x11\x47\xd1\x99\x14\xf1\x7c\xe6" "\x70\x8e\x93\x47\x5f\x6a\xc5\x1b\x58\x39\x2a\x43\x8e\xae\x03\x82\xbf\x86" "\xc5\xfc\x4b\x9b\xb9\x19\xdc\xe6\x98\xef\xc5\xe4\x46\x8e\xb9\x38\xfa\x69" "\x7c\xbe\x16\xb2\xaa\xd7\xee\xa6\x19\x8d\xde\x32\x71\x3f\xc2\x41\xda\xde" "\x9d\x57\x8d\x19\x14\xe4\x6d\xd0\xe7\xf4\x5c\x1d\x92\xd2\x6e\xfc\xc3\x50" "\xf2\xc4\x1d\x99\x1c\x4b\x87\x0e\x1a\xe4\x8b\x9f\x0c\x15\x39\xb9\x23\x31" "\xcf\x2d\x35\x32\x1b\xe3\xdb\xdf\xa0\x83\x24\xd0\xfc\x7f\x48\x24\x00\xee" "\x86\xfc\xb0\x6e\x02\xfe\x25\x66\x90\xe5\xa9\xec\xe7\xf0\x91\xd8\x82\x28" "\x43\xa6\xaa\x0e\x8f\x5d\x01\x21\xf9\x7d\x0f\xe5\x02\x3f\x00\x52\xeb\x24" "\xec\x06\x48\xdf\xa4\xc0\x0f\x77\xad\x31\xec\x85\xbe\xf9\x49\xc1\xa6\x45" "\xb8\x02\x56\x2f\x09\x50\x43\x71\x5f\x25\x19\x77\x05\x33\x30\xbc\xfd\xba" "\xdf\x62\xed\x2f\x35\xdd\xa4\x66\xf8\xf7\xde\x12\xfe\x80\x33\xb1\xb4\x62" "\x6b\x01\xca\xfb\x4c\x9e\x97\x9a\x76\x3d\x77\x73\xa5\xb1\x33\xdf\xe0\x45" "\xed\xcd\xbe\xcb\x05\x49\x23\x05\x29\xbc\xfa\xdd\x21\x70\xbc\x4f\x87\x84" "\x6b\x3e\x59\x20\xe6\xf7\x15\x2a\x3e\xa6\x48\xdb\x65\x18\x7b\x4f\xde\x3e" "\xbf\x2d\x06\x7c\x29\x1d\xf1\xfa\x6c\xc7\xd4\x3e\x06\xcb\xb2\xd2\x5f\x67" "\x48\x6b\x7f\x66\x29\xf9\x00\x2f\x12\x2f\x3a\xf0\x43\xf5\xcc\xa8\x0a\x07" "\x68\xa9\x89\xe5\xed\xc5\x09\x8d\x4c\xa8\x2c\xb1\x08\xdf\x90\x23\x84\xa3" "\xf1\x87\xa0\xc0\xef\xdf\x82\xa1\x73\x91\x8d\x8e\x45\x2e\x4e\x7e\x2d\xeb" "\xfd\xfc\x71\xbf\xd0\x47\x3f\xf2\x50\x47\x7c\xed\xce\x3b\x0f\x16\x85\x60" 
"\xfd\xf4\xeb\x43\xaf\xda\x72\x41\x97\xd2\x77\x85\x89\x9b\xd8\x29\x76\x4e" "\x3b\x9d\x79\x1c\x32\xf1\x32\x12\x9c\xf5\xe1\x1c\xf8\x11\xb5\xd4\x33\x93" "\xd8\xa2\x38\x92\xb0\x4c\x64\x9b\x42\xec\xee\xaf\x8c\x9f\x33\x3e\x53\x20" "\xc1\x83\xc2\x88\xd1\x88\x88\xce\x3a\x43\xf5\x03\xf3\x8a\x88\x50\x37\x35" "\xa0\x05\x9d\xc0\x24\x77\x14\x5c\x0e\xa8\xcd\x2d\xc3\xe0\x19\xae\x15\xb3" "\x50\x4d\x95\xd2\x44\xbd\x01\xd6\x42\x47\x80\x74\xed\x44\x3e\x49\x1e\x7e" "\x79\xc4\x7f\xd0\x14\x39\x0c\xd5\xf4\xce\xdd\x91\x54\xf3\x60\x7e\x12\x86" "\xcf\x96\x66\x28\x42\x23\x6f\xcc\xb5\x2c\x2a\x75\x32\xb5\xbc\xfc\xff\x48" "\x24\xce\x56\x92\x2d\x1f\xf8\xc1\x60\x2f\x86\xcc\x38\x5f\x7f\x05\xa2\xa6" "\x84\x74\xd8\x40\xde\x81\x7e\xc8\x4e\xa6\x11\xcd\x0e\x32\x90\xb7\x25\x05" "\x89\x74\x53\x8c\xcd\x8a\x4e\x78\x38\x0f\xe1\x55\x44\x6a\xbf\x56\xbb\x91" "\x61\x46\x31\x11\x81\x09\x55\xdb\x7a\xda\x24\xf0\xb4\xf8\x8a\xe5\xb8\x3e" "\xfa\x12\xc4\xcf\x64\x57\xf9\x41\xef\x21\x76\xc5\xce\x75\xb9\x8d\x54\x21" "\xa0\x07\x45\xaf\xac\x9b\xd9\x09\xfc\x51\x72\x97\x60\x41\x2a\x57\x20\xee" "\x24\xcb\x1f\xe4\xb2\x83\x07\xa1\xe1\x53\xe4\xcd\x2e\xec\x7b\x62\x82\x6e" "\x81\x4b\x7b\x56\x2e\x16\x86\x3e\x89\x76\xc3\x56\x59\x3d\x82\xd4\x37\x92" "\x42\x53\x35\xd3\x8d\x3e\x00\x79\x7f\xec\x4a\x97\x5e\x5e\xdb\x0e\xc4\x5f" "\xac\x21\x39\xf1\x2f\x16\xc5\x21\x8c\x26\xdc\x1c\xca\x8c\x07\x1a\xb9\x47" "\x23\xc0\xf0\xa8\x77\x1f\xa5\x64\x5a\xf6\xcb\xfd\x94\xe7\xc7\x11\x24\xa5" "\x9b\xbe\x44\xbb\xea\x29\x60\x30\x8c\x4d\x15\x31\xda\x9c\x5a\xf9\x12\x35" "\x92\xf1\x92\xf1\xd0\xba\xa2\x40\x3d\x49\xfa\x43\x36\x07\x71\x9e\xb3\x41" "\x47\x43\xe4\x0a\xa9\x28\xbd\xfc\x2a\x9e\xae\x76\xf6\x20\x38\xfe\x02\xf0" "\xdb\x13\xa8\xc8\x13\x75\x0e\x45\x62\x6f\x1e\xa1\x50\x17\x7c\x7a\x95\x60" "\xbc\x0f\xbf\xd1\x00\x42\x18\xec\x18\x42\x83\x07\x75\x3e\xce\x8e\x8e\x89" "\x55\xe6\x18\xe3\x99\xf2\xb8\xe4\xb4\xae\x85\x4c\x60\xf0\x2f\xfc\x61\xc5" "\x95\xca\x6b\x82\x6c\x31\x9e\xcc\x0b\x82\x29\xec\x71\x4d\x57\x0f\x65\x0b" 
"\xf4\x52\x2b\xd8\x83\xa8\x85\x26\xbb\x88\xba\x5a\x20\x11\xbe\x73\xc4\x8f" "\x2f\xdc\x44\x24\xcf\xbe\xad\x86\xc8\xb6\x91\x76\xa6\xe2\x03\x27\x95\xa0" "\x84\x6a\x4c\xde\xae\x8d\x8b\x12\xb3\x54\x58\xda\x90\x32\xc4\x67\xbe\x54" "\x75\x12\xe8\x91\x92\xf4\x23\xb8\x4e\xba\x74\x41\xbb\x2d\x38\xad\x53\xa5" "\x5b\x83\x9e\x94\x7b\xb6\x47\x71\x0b\x53\xe6\x93\x7e\x2b\x00\xe2\x23\x6f" "\x99\x41\x1f\x8f\xfb\x61\x85\x95\x1d\x91\x9c\x04\x8f\x3c\x1f\xfe\x1f\xca" "\xee\x46\x01\x1f\xb2\xc7\x80\x75\x44\x13\x9f\xb9\x12\xda\x19\x3c\x4c\xd7" "\x62\xf9\x3a\x74\x08\x6d\x96\x45\x5a\xb5\x7a\xe0\x57\xc8\xf2\x80\x2a\x76" "\xeb\x97\xe6\x32\x91\xbc\x40\x73\xc5\x39\x5a\x03\x9c\x50\xcf\x53\xb8\x8d" "\xea\x44\x48\x2e\xe7\x74\x0d\xc9\xcb\x57\x15\x70\xdc\xd3\xe5\x6e\x9a\x21" "\xeb\x17\xdc\x89\x2f\xd3\xba\x36\xc7\xf0\x3b\x7d\xbe\x6f\xfa\xb9\xa8\x09" "\x87\x8a\xbe\x16\x57\x9d\xcb\x06\xff\x96\x95\x99\xa5\xbf\xa7\xee\xd8\xa1" "\xf1\xaa\xbc\xcb\xb7\x8c\xfe\xc3\x23\x32\x9b\x2e\xf5\xd4\x54\x0b\x11\x13" "\x4c\x90\x5f\x98\x2d\x99\x58\x87\x37\xf7\x2d\xd2\x2d\xff\x10\xdf\xc1\x44" "\x35\x6e\x9b\x89\x98\x49\x13\xc0\x25\xff\x4a\x1d\x08\xf8\x82\xd7\x75\x9a" "\x32\xd5\xd8\xaa\x7f\x56\x4e\xb5\x5e\x41\x23\xba\xd1\xdf\x29\x76\xa4\xec" "\x92\xbc\x51\x8f\x0c\xca\xf0\x07\x1d\x2c\x8b\x6a\x5d\x15\xeb\x7f\x23\xe2" "\xa9\x13\x68\xd3\x10\x5e\xac\xbd\xc0\x1b\xc9\xd9\x5a\xe2\x4f\xe3\xbe\x92" "\xf1\x0c\xcc\xad\x21\xca\xe6\xd7\x5e\xe2\x0e\x0a\x4b\xd5\x87\xed\x3e\xb9" "\xb7\xa8\x81\xd5\x5d\xc3\x84\x30\xae\xd1\x57\xc4\x91\xe0\xa6\x42\xfb\x64" "\x39\x1d\xb0\x89\x62\x96\x54\xc9\xd6\x3e\x23\x72\xb2\x3c\x0c\xd5\xec\xcc" "\x99\xf8\xd4\xea\x98\x73\xb6\x13\x09\xaa\xcc\x64\x02\xc4\x84\x31\xbf\xcb" "\xbf\x53\x79\x44\x4c\x1f\x41\x36\x5a\x12\xa7\xdd\x23\xfc\x2c\xd3\x1e\x20" "\x96\xb1\xb4\x75\x0d\xaa\x89\xea\xf9\xc2\x47\xfc\xcc\x9c\x56\xd1\x23\x5c" "\x92\xb9\x06\x6a\x31\x93\xc6\x45\xd3\xe8\xd8\x8f\xb7\xc1\x92\x16\xc5\x15" "\x84\x60\x43\x77\x3e\xb9\xa6\xfa\x60\xc1\x50\x81\x38\x5f\x3e\xaf\x18\x72" 
"\xd8\x4e\x6d\xe2\x81\x8a\x14\xeb\x84\x92\x18\x23\x3b\x30\x58\xe9\x7a\x91" "\x17\x38\xd2\x7e\xf7\xd1\xfd\x91\x29\x59\xbd\x35\x67\x2d\x20\x88\xc5\x25" "\xc5\xb4\x53\x8a\xd9\x5a\xdb\x64\xa0\xc9\x26\xea\x38\x74\x16\x11\x09\xb9" "\x08\x7e\x41\x60\x0c\x49\x00\x8f\x69\x4b\xbf\x27\xef\x26\x31\xb0\xc0\x95" "\x4c\x83\xdf\x95\x44\xf7\x4b\xcf\x6d\xcb\x2f\xf4\xa1\xe0\xca\x90\xb0\x29" "\xb9\xbd\xd8\xab\xfe\xd4\x96\x81\x09\xbe\x96\xac\xb5\xe1\x50\x76\xf9\x85" "\x71\xdb\xc6\x5d\xc2\xee\x1f\x71\x4e\xdc\xb9\x21\xe1\x5e\xa3\xc5\x64\xbb" "\x15\x5c\x5e\xfd\x8e\xf5\x99\x92\x17\x3d\xe6\xc3\xee\x03\x5d\x77\xae\x0a" "\x96\xc3\xe0\x72\x31\x3b\x30\x7d\xd5\x42\xa3\x72\x60\x86\xa0\xd6\x04\x75" "\x01\xa9\xea\x01\xd4\x41\x00\x09\x78\x57\xf1\x6c\xde\xa7\xdc\xff\x1b\xbb" "\x63\x78\xde\x4d\x4d\x2d\xc5\x28\xa5\x7b\x7b\xc7\xfe\x41\x77\xea\x55\x17" "\x25\xe2\x84\x0e\x0d\xed\x85\x08\x4c\x7a\xe4\xad\xb8\x03\x60\xc2\x90\xa7" "\x89\x65\x92\xa1\x05\x9a\x08\x8b\xd5\x89\xcc\x1c\x32\xe1\x3d\xeb\x2b\x52" "\x33\xa8\xf2\xaf\x4a\xa2\x6f\xc1\xd0\xe5\x44\xf3\xb3\xc6\xd6\xb8\xe1\x44" "\xdd\x45\x8b\xc8\x74\xe3\x31\x50\x93\xbf\x36\xac\x99\xb3\x7a\x73\xd3\x46" "\x1c\xae\xb8\x33\x03\xe8\xc2\xd9\x52\x07\x6b\xaf\x09\x04\xba\x22\x63\xe9" "\xa5\xbb\x04\xdc\x72\x2c\x82\x94\x21\xcc\xe5\xe1\xe6\xa7\x7a\xaf\x5c\x07" "\xfd\xd2\xee\x90\x0c\x69\xfa\xb6\x2d\xc0\xd2\x3a\xeb\x12\x01\x14\xfe\x46" "\xe4\xc3\xef\xcf\x6f\x7d\xdd\xca\xb8\xfa\x48\x12\x55\x46\xb2\xae\x3c\x88" "\x4e\x8c\x9c\x4c\x1a\x74\x2f\xe9\xb6\xf2\xbd\x46\x6c\x21\x9e\x5e\xab\x81" "\x1d\xaf\xed\xdc\xef\x73\xda\xf3\xa8\xeb\x8c\x1b\xd1\xe2\x3d\x15\x79\x7e" "\x0f\x52\x0d\xa8\xd2\xf3\x30\xef\xed\x2f\x51\x10\x21\xef\x8f\x7c\xe7\x3c" "\x0f\x77\x7c\x3a\x5b\xa9\x1a\x97\xee\x1c\x6a\x8d\xd7\x19\x98\xc6\xae\xdc" "\xce\xfd\xc0\xf4\x05\x04\x2d\x02\x1b\x59\xf4\x79\x2e\x36\x2e\xb1\x15\xad" "\xa0\xf4\x7c\x1f\xd6\x76\x6b\x31\x57\xeb\x88\x9b\x3a\x9b\x7f\x47\x7b\xed" "\x5d\xc7\x78\x23\x94\xa8\x27\xa7\x0f\x14\x0c\x64\x0d\x6c\xd3\xca\xee\x98" 
"\xb5\x3c\xee\x83\xc5\x93\x18\x59\xc3\x0c\xf5\x8a\x34\x9c\x56\x39\xd9\xbe" "\x85\x15\xd7\x37\x36\xe9\x66\x97\x7b\xae\xce\xd1\xee\x05\x3a\xe2\x6b\x9f" "\x82\x7f\x1c\x0a\xe6\x15\x22\xfc\xdf\x7b\x96\xbc\xb1\xde\xec\x87\xb0\x6e" "\x2c\x98\x58\xe6\xef\x57\x2d\x76\xa7\xb5\x82\x53\x8b\xf5\xff\x12\xf7\xc7" "\x92\x14\x7d\x76\xc1\x60\x10\x27\xe4\xee\xac\x71\x28\x01\x61\xbd\x79\xc8" "\xcc\xed\xd3\x9f\x7e\x4c\xd8\x3e\xc8\xd9\x65\x45\x29\x77\x9a\xec\x12\xab" "\x42\x22\x4d\xd1\xbb\xc6\x20\xc4\x2b\x8c\xcd\xf3\xd6\x56\x9b\x2f\x89\x3f" "\xce\xa5\x40\x44\x84\x40\x51\xa8\xdc\x1b\x7a\xd0\x6c\x21\x61\xc2\x28\x34" "\x38\x51\x73\xd2\x1e\xb5\x70\x56\xa5\x87\xd3\x31\x83\xd5\x7e\x3e\xa0\x96" "\x2f\xa8\x13\x46\x09\xaa\x11\x56\xa1\xfa\x7c\x6d\x10\x51\xd0\x25\x6d\x17" "\x70\x54\xe2\xb0\x1c\x33\x92\x0b\x68\x47\x00\xf6\xe9\x59\x8f\x62\x4f\x9b" "\xc5\xe8\xcb\x79\xc3\x3b\x62\x4a\xcf\x4b\x48\xae\xb2\xb6\x11\xb7\xae\xdd" "\xbd\xf9\xac\x3c\xc8\xf0\xe9\xa7\xe4\xf7\x93\xcb\x83\xad\x36\x07\xe1\x2d" "\x86\xac\x2e\xaa\xb3\x12\xcc\x8b\x57\xbc\xa7\x50\x70\xfa\x77\x00\xf9\x42" "\x35\x9b\x5f\xac\xa4\x32\x44\x75\x06\xcb\x6d\x74\xd0\x21\xc0\x6c\x6a\x62" "\xbf\x88\x2b\xcd\x7a\xd4\x47\xb3\x97\x76\xd1\x72\x17\x8b\x4e\x14\x0f\x87" "\x75\x09\x3c\x5a\x57\x7b\xaa\x97\x70\x06\x6d\x80\x23\xcf\x7a\xd9\x07\x0e" "\x24\x6b\xa9\xfa\xd7\x0e\x76\xc5\xbd\xff\xfb\xfa\x36\xf9\x35\x90\x2b\x3a" "\xb5\x75\x97\xd2\x13\xd3\xae\xed\x99\xa4\x61\xfd\xcc\xa7\x36\x10\x04\x0d" "\x00\x7c\xcf\xde\x8e\x62\x24\x79\x63\x71\xe9\x75\x96\x35\xd6\xbb\xa3\x66" "\x58\x81\x54\xa2\x77\xa0\xbc\xb0\x2e\x16\x2a\xf4\x2b\x98\xed\x1b\x27\xe4" "\x8f\x81\x6d\x12\x08\x91\xc4\x6f\x8c\xf6\x7c\x0d\xd1\xab\x38\x61\x1f\x0f" "\x12\xba\x90\x61\x65\x77\xf1\x1d\xf3\xcb\x1c\xaf\x61\x97\x7f\x24\x54\x64" "\xab\xeb\x0e\x8b\x58\xde\x82\x28\xb9\x2b\x78\x09\x71\x78\xed\x88\xb2\xf1" "\x6a\x22\x2a\x51\x75\xf8\x28\xef\x52\x8c\x06\xfd\x01\x79\x40\xff\xe2\xdc" "\x8f\x68\xcd\x9d\x15\xb5\xeb\x07\x46\x94\x1f\x67\x8d\xe5\xb9\xd8\x29\xff" 
"\xdf\x2c\x66\x7e\xe2\x14\x8c\x18\x82\x15\xf8\x0b\xd4\x96\x3b\x4f\x02\x2b" "\x2b\xdd\xc7\x74\xec\x6a\x82\x35\x12\x88\x05\x90\x79\xb1\x7b\x70\x8a\x25" "\x7b\xbb\x21\x2e\x98\xbb\xc5\x84\xf5\x09\xa1\xd1\x3a\xb7\xa2\x7e\xa2\x49" "\xf4\x29\x31\x23\xca\xb0\xbc\xc5\x21\xd4\xf1\xee\x07\x7d\xeb\x4c\x5b\x1c" "\x15\x84\xfa\xad\xa4\x95\x5a\x52\xed\xe0\x7a\x45\x52\xa0\x70\xd7\x80\x53" "\x19\x3c\x8a\x90\x63\x31\xd3\x86\xb1\xd8\x49\x85\xb3\x0e\x74\xa0\xef\x50" "\x4f\x73\x3f\x7b\x57\x31\x96\x11\xa9\xf6\x0c\x38\xed\x59\xc2\xaf\x1d\xc9" "\x38\x53\xe2\xc4\x8a\xa3\x36\x21\x40\x81\xb7\x88\x3d\x16\x39\xbb\x2b\xfb" "\xa4\x1c\x67\xc4\x89\xc5\x69\xc2\xfe\x7a\xb2\x3c\x30\x6e\x8a\x6e\x6d\x0d" "\xa4\x09\xfe\xd4\x30\x22\x73\x65\xa5\xf6\x93\x99\xb6\xac\x73\x48\xa3\xd4" "\x31\x49\xe1\x6e\xfd\x03\xcf\xb9\x6f\xb0\xf7\x3d\x65\xa8\xa5\x2a\x91\x27" "\xb8\x4c\x85\xb9\x70\x12\xb5\xf1\x6d\xf0\x30\xea\x92\xae\xc3\xdf\x0e\x40" "\x84\x65\x8c\x8f\xda\xba\xfc\x80\xe0\xe3\xe6\x32\xf3\x44\xf6\x45\x17\x6c" "\xd5\x8b\x30\x33\xfc\x90\x96\x9e\x70\xc3\xdc\x64\x37\x49\x1f\x4e\x4b\xfc" "\xc5\x02\xa0\xbb\xf5\x9b\x90\xeb\x0b\x86\x36\xcf\xd4\xed\x0c\xce\x2a\x3e" "\x19\x7a\xa7\xbc\x48\xe1\x4f\x4f\x35\xed\xdb\xab\x49\x31\x5d\x47\x69\x5a" "\x04\x72\x81\xd1\x65\x9a\xa6\x70\x3f\x01\x73\xb2\x1e\x35\x39\x8c\xf8\x85" "\x1b\x9c\x7c\x1c\xb6\x9d\x9c\xa8\x0d\x95\xaa\x63\x20\x11\x25\x1d\x67\xbf" "\xb1\x35\x54\x5c\x70\x32\x19\xb4\x09\x4c\x28\x70\x6f\xb7\xd7\xd2\xf6\xaf" "\x87\xbe\x67\xe4\xd0\x42\x5c\x56\x4c\x6b\x09\x9c\xbe\x38\x3f\xfe\xdc\x39" "\xc8\x69\xfb\xfd\x34\x1d\x5c\xe7\xdf\x0a\x8e\x93\x05\xcf\x32\xe2\xb8\x28" "\xb3\xbb\xdc\xa7\x2f\xe7\xcc\xc7\x2b\x0d\x12\xa2\x38\x42\xd3\x4c\x05\x66" "\xe1\x61\x3f\x3f\x1e\x50\x38\x5a\xc5\xf7\x8d\xaa\xe4\x77\x10\x69\xe3\xb3" "\x8f\x73\xaf\x3c\x93\x38\x36\xa0\x50\xb7\xd7\x0d\x02\x27\x46\x6c\xc8\xe2" "\xe9\x17\xa5\x15\x10\x6b\x54\x54\xf2\xee\x3e\xad\x04\xb7\x04\x5f\xa7\x4b" "\x56\x19\x99\xee\x48\xdd\x68\x34\xfd\x04\x4a\x9b\xeb\xac\xb3\xfd\x7b\xb9" 
"\xfd\x40\x15\x52\xf1\xe6\xb7\x3d\xba\xeb\x01\x71\xfe\x30\x67\x62\x8d\x52" "\x41\x32\xb9\xe8\xd7\x75\x04\x71\xef\xd3\x3b\x83\x4a\x3f\xb4\x47\xe6\x6d" "\xe5\xd4\x1c\x03\xa1\x5b\x27\x27\x28\x84\xb9\x97\xa8\x6b\xe6\xa4\x5b\x28" "\xe0\x0f\x6b\x52\xf9\x1d\xc8\xc6\x46\xc9\x4c\x2b\x95\x49\x8a\x64\x4f\x72" "\x45\x1c\x5c\x0d\x46\xc3\x6b\xaa\x78\xce\x74\x89\x52\x86\x96\x57\xbc\xb5" "\x26\xeb\x82\xbd\x9e\xfa\xda\xd6\x13\x93\xf9\xf1\xf2\xde\xd5\x49\x87\xae" "\x85\x20\x74\x6d\x28\x83\x19\xb8\x17\xdd\xa8\xf0\x72\x39\xcb\xee\xaf\x3b" "\xd2\x52\xc6\xf7\xc9\x74\xc4\xfe\x18\xd3\x8d\x33\x4b\x08\x9c\xd6\x36\xb9" "\xe6\x82\xc7\x0a\xd3\x5f\xf0\xa4\xd9\x97\xa6\x4e\x97\x35\x79\x85\xac\x2c" "\x68\x5e\x6e\xda\xf2\x00\x8e\xad\xcf\xd8\x58\x69\x30\x09\x4f\x27\xfe\xca" "\x9e\x7e\xad\xa9\xc4\x7e\x79\x6a\x9e\x6f\x45\xce\x56\x06\xcc\x69\x65\x9e" "\xfc\xc2\x2c\x02\x36\x31\x2e\x25\xcd\x24\xa7\x20\x13\xa2\x2f\xde\x25\xb5" "\xfe\x3e\x06\x7d\x53\x29\x82\xe5\xd8\xa7\x78\xd1\x0b\xf0\x4a\x8c\xb8\xaa" "\x9e\x9c\x68\x9b\xf0\xee\x9a\xc4\x79\xc9\xf4\xe2\x3f\x8e\x20\x43\x33\x5b" "\x90\x3d\x5d\xff\x0f\xa6\x27\x36\x36\x2b\xe3\x1b\xce\x82\xee\xcd\x71\x3d" "\xa1\xb1\xdb\x3e\xc1\xcd\xda\x2e\xfd\xf0\xf8\xe5\xe7\xa6\x8e\x65\xf5\xf0" "\x27\xf7\x15\x3f\xad\x6c\x24\x07\xe3\x8e\xdf\x5d\xe0\xe0\x8d\x48\x13\xe5" "\x6a\x5a\xd3\x8b\xca\xb0\x9c\x57\x08\x9b\x6f\xcc\x58\xea\xe1\x8a\xd9\xe3" "\xa8\x2b\xe2\x4f\xc0\x62\x8f\x5f\xc6\x6e\xf1\xd8\xf0\x05\x77\x1b\x02\xfa" "\x77\x05\x63\xb3\x0c\x8c\xf8\xd8\x72\x2f\x89\x86\x0f\xf8\xee\xde\x15\x71" "\x12\xb8\x36\x06\xcf\x68\xf0\x91\x3e\xd1\x1b\x2b\xff\xce\x7d\x23\x11\xd1" "\xd9\x1e\x4c\xf6\xe4\x50\xd2\x60\xcc\x39\x06\x62\xd9\x6d\xf2\x13\xf4\xc0" "\x89\x40\x26\xde\xd9\xfd\xc7\x9d\x62\xd1\xcd\x43\x12\xa6\xad\xf3\xc4\xe5" "\xb7\x85\x09\x1c\x6f\xa3\xb5\x1c\x91\x4d\xeb\x42\xf1\xaa\xc1\x19\x06\xdf" "\x20\x53\x9c\xa8\x60\xe2\x8d\x10\x36\xc7\x3a\xc7\x5d\x73\x05\xad\x25\x05" "\xc4\x9a\x73\xab\x14\x57\x0c\xe5\x90\x9e\x88\x06\x2e\xf7\x03\xab\x62\x3c" 
"\x9b\x7f\x52\x06\x0e\x54\x73\xa5\xe8\x05\xf8\xc3\xd4\x2e\xde\x7a\x87\xff" "\x21\x82\x0c\x4a\xa9\x0f\x19\x11\x62\xc1\xe4\xb5\xe0\x41\x3b\x06\xee\x7e" "\xaa\x14\x91\x7d\xa7\xf6\x2e\xf6\xbd\xcd\xa7\x32\xf1\xa8\x9d\x1c\x36\x4f" "\x2b\x00\x23\xbc\x4b\x6f\xa2\x47\xe9\xfb\x82\x3c\x91\xc5\x7c\x0d\xc1\x0c" "\x1d\xaa\x98\x66\xa8\x68\xe9\xa6\x45\xeb\x97\xe0\xa4\x88\x58\x96\xe2\x21" "\x9e\x2b\x91\x78\xaf\xed\x4d\xaf\x94\x6b\x74\xac\x70\xc9\x74\x85\xf5\x9d" "\xb4\x67\x39\x5d\x49\x11\x38\xce\x68\xa1\xb6\xaf\xe6\xc6\xe5\xf2\xd9\x2a" "\x68\x42\x17\xa6\x30\x2c\xea\xab\x0f\x43\x5c\x41\x27\xef\x18\x05\x57\x69" "\x01\xba\x38\x31\xf0\x64\x24\x0b\xbd\x5f\x3b\x00\x81\xca\xb9\xc9\xe1\xc6" "\x54\x1a\xe2\x02\x8b\x71\x8a\x19\xa7\xa5\xd9\x24\x3e\x01\xff\x1c\xd1\x1e" "\x7e\x38\xf9\x02\xa2\x06\x8e\x8d\xbc\xb8\x05\x27\x62\xe7\x72\x45\xc0\xec" "\x31\xbd\x87\xcf\x09\x73\x09\x6e\x47\x51\x02\xb2\x43\x13\x5f\x6e\xb3\xf3" "\xb6\x2f\x8f\x30\x54\x7d\xa5\xc2\x29\x4b\x74\x4d\x02\x12\x2d\x74\x68\x60" "\x13\xe1\xb5\x33\xe7\x95\x9a\x52\xc1\x62\x5a\xbe\x75\xc0\xe8\xd1\xe1\x2d" "\x30\x3f\xbd\xdc\x78\x1b\x9b\x86\x91\xd7\xd3\x3f\xda\x5a\x59\xf5\xef\xcd" "\x20\x27\x3b\xb3\x53\xdf\x39\x59\x5c\x0f\x7c\x1f\xbe\xdf\x46\x9c\x39\xb1" "\xda\x77\xa3\xfa\x1a\xb2\x99\x41\x44\x92\x97\x0f\xed\x4d\x13\x4f\x1b\x2d" "\x07\x7d\x2c\x79\xec\xea\xe6\xd8\x00\x7d\x1d\xbc\x98\x45\xb0\x9e\x51\x62" "\x9b\xaf\xb9\xc9\x6f\x69\x8a\xa1\x75\x6e\xb1\x4f\x99\x7f\xfe\xbe\xc8\xb2" "\x3e\xf0\x32\xea\xcf\x3f\x86\xbb\x0b\x18\x85\x6a\xa1\x96\x1e\xab\x05\xac" "\xc0\x64\x07\x76\xd3\x0a\x49\xbb\xdd\x97\x3c\x4c\x16\x12\x49\xd9\x64\x64" "\x74\x90\x62\x2d\x31\x2e\x3f\x88\xa0\x58\x12\x9b\xfc\x47\xed\x44\xc5\xf5" "\x99\x00\x60\x9e\x6e\xfb\xc1\xfe\xaf\xd9\x79\x81\x80\xfd\xf3\x03\x2d\xda" "\xd3\x32\x97\xff\xab\x31\x16\xd7\x0a\xb2\x70\xb2\x50\x63\xf8\x97\x09\x66" "\x35\x06\xcd\x37\xa9\xc2\x5f\x6c\x52\x18\x62\xbb\x8a\x44\x7f\x12\x8c\xc9" "\xcc\x6e\x76\x86\xd3\x69\xce\xfb\xf0\x70\x17\x96\x9b\xad\x53\x44\x36\x33" 
"\xa8\x50\x4b\xf7\x2b\x78\xa8\xfa\x78\x81\x89\x4a\x4c\x79\xb7\xa6\xc6\x6b" "\xfb\xab\xcc\x29\x5e\x18\xb6\x64\x76\x94\xa0\x3f\xbc\x87\x06\x39\x19\xfd" "\xdc\x58\xf1\x52\xb2\xd1\x5f\xe6\x63\x17\x76\xd2\x34\x33\xdc\xc1\xb7\xcc" "\x22\xb3\x8d\xfc\x79\xc4\x3e\x52\x89\x8e\x9a\x86\x97\x5d\x7f\x00\x39\x32" "\xf3\xb7\x6b\x83\xf8\x08\xf6\x65\x86\xe7\x4d\x21\xf5\x34\xa4\xc8\xfb\xb6" "\x3f\xee\xce\x6b\xc4\x8f\x3d\x0c\x5d\x5b\x5b\x4b\x71\xb8\x62\x8a\xf5\x73" "\x31\xa8\x3e\x3e\x44\x67\x40\x4a\x5d\xeb\x85\x26\x83\xe1\x56\x0b\xf1\xc5" "\xf6\x5d\x47\x2b\x4e\x41\xd0\x9e\x60\x8e\x4d\xd8\xaa\x4c\xce\xec\x86\x0c" "\x12\x3b\x58\x27\xf5\x2a\xae\xa3\x6e\x65\x36\x92\x17\xa6\xed\xad\xe1\xc8" "\xba\x1e\xbd\x22\x25\xeb\x2b\xb3\x4b\x85\xc2\xcc\x16\xe6\x61\xa8\x8f\xf1" "\xd0\x93\x5a\x31\x5e\x09\x60\x22\xd6\xdd\xa5\xd7\xa7\x3d\x9b\x20\x03\x38" "\xb4\x67\x3c\x82\xfb\xe3\xdb\x00\xc0\x3e\x0b\x70\xe5\x96\x2b\x19\x63\x9b" "\x6b\x17\x80\x18\x1d\x2f\xdf\x50\xb9\x6f\x6e\xec\xd4\x0e\xde\xe1\xdb\xa7" "\x84\x57\x15\xc9\x71\x42\xe4\x19\x8b\xd3\xf2\x48\xb6\x16\x22\xc3\xa2\xc8" "\x24\xc4\x98\x35\x0f\x2c\x36\xba\x2f\xb3\xee\xca\x9a\x7f\xd9\xb3\x54\x83" "\x70\x21\xdf\xb8\x93\xa8\x39\x53\x67\xc0\x00\xd0\xea\x8b\x04\x85\xaa\xa8" "\x0a\xea\x77\xb8\x0b\x07\x2a\xe0\xe2\x70\x2d\x57\x5a\xf4\x59\x9f\x89\x91" "\xaa\xa4\x16\x84\xfd\xcb\x77\xf1\xd2\x5e\x03\x35\x36\xf4\x0b\x2e\x35\x7f" "\xc7\x45\x59\xdf\x6c\x92\x24\xdb\xab\xb1\x97\x4a\x7b\xcb\x44\x1e\x2c\x89" "\x73\x43\xa0\x3a\x08\x6d\x35\x3b\x1b\x56\xd4\x3a\xda\x04\x50\x84\x65\xf9" "\x45\xa1\x78\x68\x39\x43\xb9\xc7\xa1\x6a\x80\xc5\xbb\x6f\x2c\x27\xec\x49" "\x1f\x90\xc6\xf2\x0b\x98\xfc\xb9\x28\x29\x1b\x3f\x19\xb6\x65\x40\xbd\xcf" "\x27\x8d\x4c\x88\x35\x1b\x6a\x28\x9c\x29\x93\x50\x5b\x6e\xff\xe6\x00\x22" "\xcc\xc0\x66\x6f\x4b\xd5\x46\xb4\x0a\xf4\x3f\xa7\x17\x11\x09\xbb\xa1\x07" "\x60\x7a\x0a\xff\xb1\x55\x31\x13\x39\x3f\x02\x67\xb2\xc9\x49\x43\x60\x4d" "\x92\x76\xc9\xd0\x11\x77\xed\xf6\x4e\x11\xc1\x28\x3f\x40\x87\x61\x07\x0b" 
"\x89\x8e\xda\x2a\xd6\xed\xd1\x95\x62\xd9\xbe\x89\xf1\x4a\x61\x17\x80\xfa" "\x59\xea\x57\x77\x2f\x06\x82\xbe\xc6\xfe\xfb\xbf\x1b\x2f\x51\xdb\x85\xb1" "\xec\x25\x62\x62\xee\x51\x16\x87\x55\x2e\xf3\xf0\x37\x66\xd8\x18\x44\x54" "\xf1\xe1\x51\xc4\x1c\xaa\xd0\x0c\x74\x23\xff\xf5\xa8\x87\xca\xfb\x1e\x47" "\xae\x16\x81\x1f\xfb\x58\x39\x14\xa6\x2c\x56\x95\x9a\xd3\x02\x82\x8b\xaf" "\xb6\xc1\x80\x15\x9d\xe7\x6b\x5b\x6a\x22\x77\xec\xd6\x63\x5d\x28\x2c\x02" "\x61\xe8\xfe\xfd\xbc\x78\x3f\x87\x10\xf6\x03\x5e\x28\xd0\xa4\xac\x7b\xdf" "\x97\x03\x7a\xb8\xb5\x71\x75\x08\x40\x77\x1f\xe2\xe5\x40\x9a\xc6\xc3\x6f" "\x97\xd4\x83\xec\xc5\x2a\x84\x55\xe7\xed\xe1\xe1\xc2\xcf\xe5\xa7\x2d\xaf" "\x9d\x1b\x5d\xbb\x36\x19\xa7\xf6\xcb\xbf\x00\xbb\x68\x5d\x1d\xad\xc1\xdf" "\xf9\x4b\x30\x83\xa8\x3c\xc5\x40\xcb\xd8\x7b\xdf\xf5\x3e\xf3\xa6\xb2\xdf" "\x04\xfc\x21\xb1\x1c\xe6\x0f\xcd\x78\xea\x29\xd6\x5b\x87\x07\xc6\xf1\xf8" "\xee\xf7\x88\x53\xa7\xb3\x90\x40\x0a\xeb\x7c\x05\xaa\x7f\x95\xe6\x7c\xce" "\x4a\xde\x14\xbd\xd6\x65\x4a\x23\x0d\x94\x9d\x2f\xb3\x33\x0f\xf0\x08\x8e" "\xaa\xa1\x97\xef\x61\x4f\xf6\x94\x59\x44\x02\x40\xd6\xb8\x85\x87\x6c\xd5" "\xa3\xd7\xa9\xea\x1c\x28\x02\x81\x3a\xa0\x82\xe8\xe5\xd1\xc4\x4a\x71\x56" "\x42\x2f\x9e\xc7\x50\x8e\x09\x46\xac\x70\x6c\xa7\xc7\xb5\xdd\xd9\x51\x76" "\xc6\xb1\x65\x37\xaa\x24\x2e\x05\x38\x77\x30\xe4\x1f\xc3\x83\x92\x98\x37" "\x21\xa4\x76\xc7\xbf\xf7\x9c\xc3\xe7\x6c\x2c\x77\x5c\xb3\x5c\xe5\x09\xc6" "\xde\xf9\x47\x6f\x54\x8d\x90\xe0\xee\x64\x2d\x0a\xc8\xc2\xac\x1b\xeb\x20" "\xb2\x6a\xff\x70\x30\xee\x02\x71\xf6\x49\x3d\x46\xc9\xfb\x44\xec\x2d\xcf" "\x6b\x11\x1c\xec\xbc\xf0\x45\x72\x8f\x62\x4b\xb2\xbf\x27\x23\xc0\x05\xb4" "\xd9\xb1\x9a\xc7\xb7\x69\x82\x50\xf0\x4e\xbc\x94\xfa\x90\x04\xc4\xf8\x2e" "\x6f\xfc\xc3\xff\x95\x84\xbc\xaf\xb6\x88\xda\x91\x95\xec\xcc\x39\x87\xf0" "\xaf\x58\x90\x80\x8b\x8b\x13\x91\x0e\x01\x95\x54\x50\xab\x5f\x7e\xe2\x1b" "\x79\x38\xd1\xcc\xaa\x33\xb9\xde\x31\xd0\x6e\x01\x58\x42\x25\x4f\x1d\x5f" 
"\x39\xd6\xbb\xb0\xae\xb9\xfb\x97\xb1\x53\xeb\xa5\x74\x9d\x19\xfc\xc1\x10" "\x34\x27\x33\x09\x4d\x5c\x8d\x82\xb7\xe1\xc4\x6f\xe5\xc1\xa7\x23\xe7\xcf" "\x2a\x35\x96\xec\x49\x94\x82\x91\xd4\x77\x4b\xf9\xdd\xbd\xbf\x7a\x26\x1b" "\x88\x04\x47\xd3\xca\xb3\x2f\x7b\x05\x5c\xd4\x17\x14\x2a\xcd\x22\x40\xbb" "\xa2\xd7\xfe\x3f\x00\x3d\x3a\x78\x96\x02\x67\x3b\xc3\x4f\xa8\x4c\x40\x10" "\x1f\xb8\x0a\x4c\x23\xde\x6f\x68\x9f\x13\x01\x4e\x78\xcc\x21\xd1\xb5\x8f" "\x2e\x83\x8a\x00\xf1\x67\x9e\x5c\xee\x78\x48\x98\xc5\xc2\x5b\xe9\x94\x95" "\x09\x86\x2d\x70\xb5\x38\xf0\xfe\x38\x23\x25\xef\x77\xb5\x05\x37\xdd\x32" "\xd3\xda\x5c\x41\xd2\x06\xf9\x46\xd7\xf1\xf8\x6f\x5f\x86\xf4\x1f\x39\xdc" "\x21\x6e\xdf\x78\x69\xfa\x2f\x4b\x1d\x53\x4c\x7c\xfb\x29\x6b\x2c\x5d\x32" "\x3e\x43\x57\xc0\x40\x0f\xdd\xf4\x57\x1e\x8a\xd3\xb6\x3c\x94\x10\xec\x3f" "\x6a\xd6\xc0\x4e\xd5\x99\xbc\x60\xf0\x4d\x4c\x0e\x95\x6b\xab\x7c\xb0\xff" "\x1c\x32\x42\x15\x29\x19\x95\x2f\x57\xbf\x32\x41\x38\x91\x52\x15\x02\x69" "\x21\xf3\x4c\x19\x7a\x07\x6c\x62\xee\x70\xba\x3b\x04\xf7\x3d\x4f\xa9\x1b" "\xf7\x21\xa3\x89\x2f\xd5\x2a\xd2\x04\x5d\x8b\xac\xb0\x06\x04\xd2\xfb\xda" "\xc0\x92\x68\x79\x4e\xdb\x92\x93\xf9\x96\x5e\x74\xc2\x83\x7a\xf8\x89\xde" "\x27\x46\x66\x1b\x14\x15\xeb\x0f\x2c\x72\x29\xe5\x91\x62\x8b\x42\x7d\xdd" "\x3c\x8f\xc6\xf5\xf5\x97\xa7\xb1\xf2\xa0\x3f\x96\x57\x44\x45\x0d\x40\x67" "\xb7\xeb\x5b\x54\xdd\xc2\xb2\xbf\xf2\x22\x21\xb7\x3b\xd9\x14\x35\xdb\xe9" "\x08\x4f\x88\x1b\xc1\x27\x16\x5b\xc4\x42\x3e\x88\xfb\x55\x33\x4b\xa2\x50" "\xff\xd1\x50\x2a\xa4\x86\x52\xce\x5d\x05\x4e\x1c\xe1\x4c\x2c\x8c\x8a\xf8" "\x37\xff\xb2\x3c\x17\x28\x2f\xa5\x9b\xae\x4d\xf6\x06\xf3\x3a\x5d\xb2\xbc" "\x38\x8a\x2a\x62\xcb\x30\xb0\x8c\xf0\x75\x86\xa4\xf8\xc8\xc6\x20\x9f\x22" "\x5f\xe0\xb3\x0d\x7b\xde\x2a\xb8\xd7\xbe\x90\x49\x47\x3b\x9e\xfe\x4e\x45" "\xad\x43\x22\xce\xde\x4b\x1f\x31\xb0\x0c\x24\x6f\xca\x13\x2e\x60\x61\x16" "\x51\x8c\x37\x76\xbb\x87\xa4\x60\xd3\x61\x86\xef\x55\xac\x77\x2d\x04\x54" 
"\x07\x89\x03\x52\x42\xec\xc5\x32\x4d\x18\x45\xf9\x13\x2a\x08\xdd\xda\xff" "\x09\x40\xe0\x0b\x97\x70\x1f\xf1\xdc\x42\x4b\x42\xdf\xe4\xac\x37\x01\x82" "\x04\x04\xdb\x18\x3c\x89\x60\x44\x03\xb1\x4e\x1b\x3f\x25\x4c\x20\xe3\xfa" "\x40\xee\x8d\x86\x84\xee\x3c\xee\xfc\x4e\x92\x09\x11\x65\x5e\x4a\xcd\xbc" "\x3b\x7d\x2b\xb0\xe1\x24\x0e\x49\x6b\x96\x57\xf2\xc4\xcd\x71\x85\x82\x0f" "\x7c\x46\x8e\xdd\xcf\x40\xad\xaa\x02\xb7\x49\xb4\x63\xd8\x3d\x21\xe2\x17" "\xcd\x90\x6f\x4a\x91\x5b\x4a\x46\x42\x06\x30\xd4\xbc\xb8\xcf\x28\x10\xef" "\x41\xf9\x46\xe8\xbc\xc9\x55\x35\x05\xd7\x0f\x10\x82\x5a\x8e\xf7\x89\xc2" "\xee\xd7\x80\xba\xa2\x74\xc0\x36\xc4\x2f\x58\x86\x52\x73\xaf\x2e\x5f\x81" "\xa8\x2f\xd2\xb7\xb3\x15\x99\x89\x48\xfa\xf1\x45\xd4\x79\x52\x77\x38\x76" "\x21\x0c\x89\x0c\x77\xfe\x36\xf4\xe5\xee\x1f\xc2\xc9\xd6\xfb\x4e\xc6\x04" "\x11\xe1\x37\x3d\xe7\xff\x7a\xdf\x5a\x7d\xaf\x30\x31\x29\x7b\xf7\x08\xc7" "\x5e\xda\x9a\xf6\xe3\x1b\x49\x3e\x2e\xd3\x04\x17\xce\xb0\x02\x52\x88\xc2" "\xdd\xbd\xad\x4c\x56\x24\x1d\x57\x18\x41\x03\x65\x9c\x53\xf3\x55\x13\x20" "\xc8\x00\x73\x3f\x05\x80\x0f\x80\x49\x00\x49\x67\xf6\x90\x76\x83\x1c\x2d" "\x65\xf4\x52\x3f\xac\x28\x42\xb9\xa2\xcb\x69\x2b\x4b\x18\xd4\x6f\x6c\xda" "\xe3\xd4\x45\xe1\x32\xd8\x7b\xf7\xf7\x14\x11\x16\x1e\x6d\xb1\xbe\x5d\x16" "\x32\x30\xce\x22\x58\x27\x94\x38\xb2\xcb\x71\x61\xe3\x8c\x5e\x96\xe5\x8d" "\x30\xc1\xee\x97\x0d\x18\x59\x3a\x2b\xd1\xff\xe9\x8d\xfd\xe0\xd2\xb3\x34" "\xe4\x89\x1c\x2c\xca\x77\xbf\x77\x8f\xb9\xc5\x1b\x96\x74\x24\x06\xe2\x9a" "\x9f\x17\x3f\xd4\x05\xc1\x1f\x07\xd2\xff\xc0\x04\x21\x6a\xa7\xaf\xf2\xb8" "\x28\x4f\x79\xbc\x01\x29\x86\x95\x53\x87\x95\xeb\x22\x27\xf5\x5f\x42\xfe" "\xfd\x3b\xc1\x45\x57\xd2\x95\x6c\xcf\x5a\x08\x00\xb2\xcf\xa3\xeb\xd4\xdd" "\xd2\x1b\x55\xe8\x6d\xde\x2f\x65\xf7\x3b\x2e\x4e\x0e\x7f\xcc\xb8\x8e\xc4" "\x44\x4b\x90\xd4\xa2\xfc\x9c\x44\x77\x24\xcc\xc6\xd7\x2d\xd5\x9a\x6e\x47" "\x0e\xdf\x27\x13\xad\xc9\xa3\xce\x42\x7b\x02\x26\x56\xd6\xad\x25\x2a\xd8" 
"\x11\x78\xc4\x03\x04\x59\xf5\x22\xd8\x8e\x14\x35\x67\xb8\x80\xb9\x44\x3d" "\x1e\x1e\x23\x22\x1c\xd9\x7e\xde\x71\x7c\x8a\xd0\x23\x04\xe9\x1e\xda\xa6" "\xd9\xda\x90\x3a\xc3\xfc\x69\x38\x70\x49\xe3\xa2\x39\x3a\x65\x4f\x90\x0a" "\x7d\x42\xc5\x63\xae\xc0\x36\x0c\x73\x49\xde\xfb\xbc\x81\xf2\x20\xf2\x41" "\xb3\xcd\xba\x55\x6a\xd9\xe4\xa5\xf1\x08\xda\x42\xee\xc9\x0b\xff\x26\x4f" "\x4e\x96\x93\xba\x92\xd6\x2a\x7a\x13\x1a\xf5\x45\x5a\xbe\x59\x41\x3b\x90" "\x0a\x7c\x47\xe2\x3d\xf2\x92\x23\x3b\xc3\x99\x14\xe2\xc2\xee\x1b\x03\x19" "\x1e\x8a\xed\x03\x22\x74\x87\x62\xc5\xd1\x67\x2f\x25\x06\x72\x90\x4f\x22" "\xbf\x79\x66\x31\xa2\x62\x25\xde\xa2\xc8\x55\x6a\xb9\xce\x5c\x76\x80\xbc" "\x77\x02\x8c\x7b\x59\x8a\x17\xe5\xa6\xcb\x3f\xd3\x82\xc5\x09\xfc\x82\xe4" "\x39\x52\xfc\x2c\x00\xc7\xd7\x41\x4e\xd3\xb5\x37\x81\xd5\xda\xb0\xae\x7a" "\x4e\x7e\xed\xfa\x89\x54\x4f\x69\x37\xf3\xb7\x9c\x16\x44\x7e\xde\x80\x84" "\x0f\xe2\x26\x3e\xb2\xad\xdb\x32\xab\xa1\xea\x7a\x4a\xab\x94\x9c\x5c\x9b" "\xf9\x3b\x6e\x46\x03\xda\x89\x06\xd5\xd9\x65\x59\x3b\x9a\x57\x47\x78\x66" "\xf6\xb9\x8d\x51\xe6\x57\xe8\x6a\x81\x72\xf6\x53\x6b\x44\x1f\x9c\xbf\x6a" "\xee\x80\x0d\x16\x50\xd3\x13\x86\xb4\x84\x1a\x62\x50\x03\x0d\xe7\x72\x22" "\x2d\x05\x73\xe3\x4e\x7b\xa8\x6f\x4c\x2d\x0d\xd0\xfd\x32\x00\xf6\xbb\x9c" "\x34\x74\x2f\x21\xd4\x81\x80\x97\x76\xbb\xb0\xa9\xbf\x04\xaf\xc3\x47\xdc" "\x4d\xc6\xff\x63\x31\xe4\x25\x78\x96\x31\x5a\x39\x4e\xef\xdc\xf4\xbf\xd9" "\x1f\x6c\x21\x0d\x4a\x69\x86\x9b\x02\x5f\x9c\xf9\xd0\x38\x1c\x88\xbf\xef" "\x1a\x6f\x8e\x7c\x69\x97\xd2\x60\x86\x2d\xcc\x9c\xdc\xd2\x03\x07\x0b\xb0" "\x65\x58\xe7\x22\xbe\x4a\x47\xda\x45\x85\x78\x4f\xe3\x61\x14\x55\x01\xf3" "\x9c\x12\x9a\x67\x8a\x36\x6b\x18\x05\xfd\xe5\xe1\xff\xcc\x24\x78\x46\x1f" "\xb9\x91\xdc\x62\x45\xd0\x5c\xed\x7a\xfa\x4d\x0e\xa2\x38\x3e\xff\xb0\x8e" "\x4e\xfc\xb3\x6e\x17\x9d\x91\x78\xf7\xc8\xa4\x03\xe2\x71\x04\x50\xe8\x62" "\x24\x17\x1c\xec\x1e\x6d\x8d\xe3\x54\x35\xd7\x33\x60\xe5\xf8\x70\x6d\xe7" 
"\xc8\x08\xb4\x79\x50\xec\xe4\x17\x51\x30\x3b\xeb\x28\x9b\x26\x33\x70\x49" "\x55\x40\xfc\x9e\x9c\xeb\x59\x48\x22\x00\x39\x8e\x3b\x8a\x92\x89\x7f\x9a" "\x5e\x7c\xa3\xcc\x3b\x2f\x4b\x24\x44\x30\xb6\xc7\x91\x8e\xa8\xb5\x56\x58" "\x70\xfe\xfb\x49\x40\x22\x3d\x08\x7f\xde\xc9\xc3\x71\xf3\x8e\x2d\x8a\x77" "\x6e\x54\xd7\xbe\xdb\x16\x17\x03\xa3\xb6\x71\x88\x61\xec\x7e\xa6\xec\x7b" "\xc6\xa2\x88\x25\x40\xa2\x31\x5c\xfa\x75\x27\xda\xf1\x52\x1c\x8e\x07\xa3" "\xf2\x57\xe0\xac\x98\xfc\xe8\xac\xaf\x55\x32\xe5\x02\xbf\x89\xe7\x18\x5d" "\x8c\xea\xaa\x90\x42\x02\x89\x87\xbb\xd3\x9d\xc1\x0a\x6c\xb2\x12\xf3\xe0" "\x4e\xb5\xfc\xf8\xfb\x36\x43\xb1\x21\x06\x55\x47\x9c\xbb\x17\xf4\x5b\x38" "\x61\x3d\xce\x8c\xeb\x18\x4c\x8c\x9c\xbc\x7f\x61\xd3\xa5\x76\x6c\x0d\xc6" "\x04\x74\xe8\xd6\xa2\xca\xc5\xf7\x85\xad\x29\xd6\x8f\xf5\x92\xa8\xc4\xc2" "\x15\x38\xff\x0f\x5c\x78\x62\x47\xb8\x5d\x39\xf7\x3f\x99\xae\xb9\x22\x8f" "\x51\x2a\xc4\xaa\x9a\xb7\xa4\x33\x99\x68\xed\xa1\x4a\x9b\xa4\x36\xf3\xd1" "\xd5\xdb\x08\x62\x16\xa8\xb4\x71\x5c\xeb\xb9\x33\x58\xae\x80\x29\x53\x42" "\x43\x7a\x85\x5f\xdb\xb5\x00\x00\x2f\x7b\xff\x57\x4f\xf6\xbd\x4d\xe9\x1a" "\xe5\xf4\x4a\x8d\xd9\x1c\xa9\x75\xf3\x57\xa7\xa1\x52\xfb\x65\x8e\xcd\xc8" "\x95\x96", 8192)); NONFAILING(syz_fuse_handle_req(/*fd=*/-1, /*buf=*/0x200000010440, /*len=*/0x2000, /*res=*/0)); NONFAILING(memcpy((void*)0x200000000100, "./bus\000", 6)); res = syscall(__NR_open, /*file=*/0x200000000100ul, /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_RDWR|0x3c*/ 0x14113eul, /*mode=*/0ul); if (res != -1) r[2] = res; NONFAILING(memcpy((void*)0x200000000080, "#! 
", 3)); NONFAILING(*(uint8_t*)0x200000000083 = 0xa); syscall(__NR_write, /*fd=*/r[2], /*data=*/0x200000000080ul, /*len=*/0x208e24bul); close_fds(); }

// Entry point of the reproducer.
//
// Maps the fixed-address region that the generated calls read and write
// (0x200000000000, 0x1000000 bytes, read/write/exec) with one inaccessible
// page directly below and one directly above it, then runs the USB injection
// setup, installs the fault handler and calls do_sandbox_none().
//
// Always returns 0; no setup step below changes the exit status from here.
//
// NOTE(review): none of the three mmap results is checked. If the data-region
// mapping fails, stores wrapped in NONFAILING fault and are absorbed by
// segv_handler, so the run can finish without reaching the intended kernel
// path. A clean exit alone is therefore not evidence that the kernel under
// test is unaffected; confirm the mappings (e.g. via strace) when triaging.
int main(void)
{
  // One page with prot=0 that ends exactly where the data region starts, so
  // an access that underruns the region faults instead of touching other
  // memory.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // The data region itself: every 0x2000000xxxxx address used by the
  // generated calls lies inside this mapping. It is mapped with all three
  // protection bits set (prot=7).
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // One page with prot=0 starting at 0x200000000000 + 0x1000000, i.e.
  // immediately after the data region, catching overruns the same way.
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  // Presumably a generator artifact that keeps `reason` referenced in
  // variants with no setup checks; it has no effect here.
  (void)reason;
  // setup_usb() is defined outside this excerpt; a non-NULL return is treated
  // as a failure description. The failure is reported but not fatal: the
  // program continues with the remaining steps.
  if ((reason = setup_usb()))
    printf("the reproducer may not work as expected: USB injection setup " "failed: %s\n", reason);
  // Routes SIGSEGV/SIGBUS to segv_handler, which lets NONFAILING(...) blocks
  // recover from faults on addresses outside the 1 MiB..100 MiB range it
  // treats as the program's own image.
  install_segv_handler();
  // Defined outside this excerpt; presumably runs the generated call sequence
  // without an additional sandbox. TODO confirm against its definition.
  do_sandbox_none();
  return 0;
}