if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } }

// Prepares the current process for running one test program:
//  - PR_SET_PDEATHSIG/SIGKILL: the process receives SIGKILL when its parent
//    dies, so a test does not outlive the process that spawned it;
//  - setpgrp(): moves it into its own process group;
//  - writes "1000" to /proc/self/oom_score_adj, the highest value, which makes
//    this process the preferred OOM-killer victim;
//  - symlinks /dev/binderfs to ./binderfs; a failure is deliberately ignored.
// write_file() is not defined in this part of the file.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

// Checks that kernel fault injection is usable and writes its debugfs knobs.
//
// Returns NULL on success, or a static string saying why fault injection
// cannot be used. Only the first files[] entry is marked fatal; a failed
// write to any other entry is ignored.
static const char* setup_fault()
{
	// Both opens only probe that the file exists and is writable; nothing is
	// written through these descriptors.
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	// Path to write, value to write, and whether a failed write aborts setup.
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

// Smallest request buffer syz_fuse_handle_req() accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as dispatched by syz_fuse_handle_req().
// The numbering has gaps (7 and 19 are not assigned here).
// NOTE(review): presumably mirrors the kernel's FUSE UAPI header; confirm
// against the kernel version under test.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51,
	FUSE_STATX = 52,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Fixed-size header at the start of every request read in
// syz_fuse_handle_req(). len is compared there against the byte count
// actually read; unique is echoed back in the reply.
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header at the start of every reply. fuse_send_response() writes len bytes
// starting at this header.
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

// Table of prepared replies, one slot per reply kind. syz_fuse_handle_req()
// picks a slot from the request opcode; a NULL slot makes the call fail
// without replying.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

// Sends a prepared reply for the request described by in_hdr.
//
// Copies the request's unique id into the reply, then writes out_hdr->len
// bytes starting at out_hdr to fd. Returns 0 on success, -1 if out_hdr is
// NULL or write() returns -1.
//
// NOTE(review): out_hdr->len comes from the caller-supplied reply and is not
// checked against the size of the memory behind out_hdr; a short write is
// also treated as success, since only -1 is tested.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	// The reply must carry the id of the request it answers.
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Reads one FUSE request and answers it with a pre-built reply.
//
//   a0: descriptor the request is read from and the reply is written to
//   a1: buffer the request is read into
//   a2: size of that buffer; must be at least FUSE_MIN_READ_BUFFER
//   a3: struct syz_fuse_req_out* holding the candidate replies
//
// Returns 0 when a reply was written or the request needs none
// (FUSE_FORGET, FUSE_BATCH_FORGET); -1 on any failure, including a NULL reply
// slot or an opcode with no case below (for example FUSE_READLINK or
// FUSE_INTERRUPT).
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// A read shorter than the fixed header cannot be interpreted.
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// The length claimed in the header must not exceed what was actually read.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These are answered with a bare header: the init slot is reused and
		// its len is overwritten in place, so the change stays visible in the
		// caller's structure after this call returns.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// No reply is sent for these two opcodes.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Attribute ids used when building mac80211_hwsim generic-netlink messages,
// and the largest frame syz_80211_inject_frame() accepts.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
#define WIFI_MAX_INJECT_LEN 2048

// Sends an HWSIM_CMD_REGISTER generic-netlink message on sock for the given
// family id. Returns the result of netlink_send_ext(); a negative value means
// failure. The empty if-body leaves the error to the caller.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

static int
hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	// Builds and sends one HWSIM_CMD_FRAME message carrying the default rx
	// rate and signal, ETH_ALEN bytes of receiver address from mac_addr, and
	// len bytes of frame data. Returns the result of netlink_send_ext().
	// len is not validated here; the only caller in view,
	// syz_80211_inject_frame(), bounds it to [0, WIFI_MAX_INJECT_LEN].
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

// Injects one frame through mac80211_hwsim.
//
//   a0: pointer to the receiver address (ETH_ALEN bytes are read)
//   a1: pointer to the frame data
//   a2: frame length; rejected unless 0 <= a2 <= WIFI_MAX_INJECT_LEN
//
// Opens a NETLINK_GENERIC socket, resolves the "MAC80211_HWSIM" family,
// registers the socket and sends the frame. The socket is closed on every
// path after it has been opened. Returns 0 on success, -1 on any failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	// Length is checked before any resource is acquired.
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

// Limits and join modes accepted by syz_80211_join_ibss().
#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Puts a wireless interface into an IBSS network via nl80211.
//
//   a0: interface name (C string)
//   a1: pointer to the SSID bytes
//   a2: SSID length; rejected unless 0 <= a2 <= WIFI_MAX_SSID_LEN
//   a3: join mode; rejected unless it is one of the WIFI_JOIN_IBSS_* values
//
// Returns 0 on success, -1 on any failure. Only WIFI_JOIN_IBSS_NO_SCAN waits
// for the interface to reach IF_OPER_UP before returning.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	// The frequency is marked fixed for the two *_NO_SCAN modes only.
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	// The socket is not needed past this point, whether setup succeeded or not.
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

// How long a cloned child sleeps before exiting, in microseconds (150 ms).
#define USLEEP_FORKED_CHILD (3 * 50 *1000)

// Common tail for syz_clone() and syz_clone3().
// A non-zero ret (the parent's view, or a failed clone) is returned as is.
// ret == 0 means this is the new child: it sleeps, then leaves through the raw
// exit syscall and never returns to the caller, so it does not go on to run
// the rest of the test program. The trailing loop only covers the case of the
// syscall returning.
static long handle_clone_ret(long ret)
{
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	while (1) {
	}
}

// Wrapper around the raw clone syscall.
// The stack pointer is the end of the supplied region, rounded down to a
// 16-byte boundary. CLONE_VM is always cleared from flags, so the child never
// shares this process's address space (presumably to keep it from corrupting
// the runner's memory).
// NOTE(review): the argument order of the raw clone syscall differs between
// architectures; the order used here matches x86-64 - confirm for other targets.
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

// Upper bound on the clone_args size syz_clone3() will copy.
#define MAX_CLONE_ARGS_BYTES 256

// Wrapper around clone3.
//
//   a0: pointer to the caller's clone_args
//   a1: size of that structure in bytes
//
// The size must cover at least the leading 64-bit word and at most
// MAX_CLONE_ARGS_BYTES, otherwise -1 is returned. The arguments are copied to
// a local buffer so CLONE_VM can be cleared without modifying the caller's
// memory, and clone3 is called on the copy.
// NOTE(review): the first 8 bytes are treated as the flags field, and the char
// array is accessed through a uint64_t pointer; alignment of the local array
// is not requested explicitly.
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);
	uint64_t* flags = (uint64_t*)&clone_args;
	*flags &= ~CLONE_VM;
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

// Protection key this wrapper refuses to modify.
#define RESERVED_PKEY 15

// Sets the two access-rights bits for one protection key in the PKRU register.
// pkey == RESERVED_PKEY fails with errno = EINVAL. Otherwise PKRU is read with
// rdpkru, the 2-bit field at bit offset (pkey % 16) * 2 is replaced with
// val & 3, and the result is written back with wrpkru. Always returns 0 on
// that path. x86-only: the instructions are emitted unconditionally.
// NOTE(review): `3 << ...` is a signed int shift. For pkey % 16 == 15 (e.g.
// pkey 31, which passes the RESERVED_PKEY check) the result does not fit in
// int, and a negative pkey yields a negative shift count; both are undefined
// in ISO C. Unsigned operands would avoid that.
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	if (pkey == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	uint32_t eax = 0;
	uint32_t ecx = 0;
	// rdpkru takes ecx = 0 and returns PKRU in eax; edx is clobbered.
	asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	eax &= ~(3 << ((pkey % 16) * 2));
	eax |= (val & 3) << ((pkey % 16) * 2);
	uint32_t edx = 0;
	// wrpkru is given ecx = 0 and edx = 0 along with the new value in eax.
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

// Wrapper around pidfd_open that rewrites pid 1 to 0 before the call
// (presumably so the program never obtains a pidfd for init; confirm).
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

// Writes one input to a kfuzztest target through debugfs.
//
//   test_name_ptr:   C string naming the target
//   input_data:      not referenced in this function
//   input_data_size: number of bytes to write
//   buffer:          pointer to the bytes that are written
//
// Builds "/sys/kernel/debug/kfuzztest/<name>/input" in a 256-byte buffer
// (a truncated path is rejected), opens it write-only and writes
// input_data_size bytes from buffer. Returns 0 on success; -1 for a NULL name
// or buffer, a path that does not fit, or a failed open, short write or close.
// NOTE(review): test_name is placed into the path as is; a name containing
// '/' or ".." would resolve outside the kfuzztest directory.
static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer)
{
	const char* test_name = (const char*)test_name_ptr;
	if (!test_name) {
		return -1;
	}
	if (!buffer) {
		return -1;
	}
	char buf[256];
	int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name);
	// ret >= sizeof(buf) means snprintf had to truncate the path.
	if (ret < 0 || (unsigned long)ret >= sizeof(buf)) {
		return -1;
	}
	int fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
	if (fd < 0) {
		return -1;
	}
	ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
	// Anything other than a complete write counts as failure.
	if (bytes_written != input_data_size) {
		close(fd);
		return -1;
	}
	if (close(fd) != 0) {
		return -1;
	}
	return 0;
}

// State of one worker thread: whether it has been started, the call index it
// was last handed, and the events used to hand work over (ready) and to
// report completion (done).
struct thread_t {
	int created, call;
	event_t ready, done;
};

// Fixed pool of workers; threads are started on first use in execute_one().
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls dispatched but not yet finished; updated atomically.
static int running;

// Worker thread body: waits for the ready event, runs the assigned call,
// decrements running and signals done, forever. The return is never reached.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs the 57 calls of the program once, in order, on the worker pool.
// Each call goes to the first worker whose done event is set; if no worker is
// free the call is not dispatched at all. After dispatch the caller waits on
// that worker with a timeout (50 plus a per-call extra; presumably
// milliseconds - confirm against event_timedwait()), then moves on whether or
// not the call finished. Call 1 is the exception: it is dispatched without
// waiting, so call 2 can start while call 1 may still be running.
// Finally it polls up to 100 times, 1 ms apart, for running to drop to zero.
static void execute_one(void)
{
	// Result deliberately ignored; the empty body only consumes the return value.
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	fprintf(stderr, "### start\n");
	int i, call, thread;
	for (call = 0; call < 57; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			// Lazily start the worker; done starts out set so it counts as idle.
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Worker still busy with an earlier call: try the next one.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (call == 1)
				break;
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 41 ? 4000 : 0) + (call == 48 ? 200 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 300 : 0) + (call == 53 ? 300 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

// waitpid() option added to WNOHANG in loop().
#define WAIT_FLAGS __WALL

// Runs the program repeatedly, each time in a fresh child process and a fresh
// working directory "./<iter>". The child changes into the directory, calls
// setup_test() and execute_one(), then exits. The parent polls waitpid() every
// 10 ms; once 5000 ms have passed without the child being reaped it calls
// kill_and_wait(). The directory is removed afterwards. Never returns; exits
// with status 1 if mkdir or fork fails.
// NOTE(review): sprintf into cwdbuf is unbounded, although "./" plus any int
// fits in 32 bytes; the directory is created with mode 0777 (before umask).
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			// -1 reaps any child; only the exit of the test process ends the wait.
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Values captured from earlier calls for use by later ones. execute_call()
// stores into a slot only when the producing call did not return -1, so a
// slot otherwise keeps the initial value given here.
uint64_t r[29] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x200000000000, "/dev/admmidi#\000", 14); inject_fault(1); res = -1; errno = EFAULT; res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0x302d694, /*flags=O_NOFOLLOW|O_DIRECTORY|FASYNC|O_APPEND*/0x32400); fprintf(stderr, "### call=0 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[0] = res; break; case 1: res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80045700, /*arg=*/0x200000000040ul); fprintf(stderr, "### call=1 errno=%u\n", res == -1 ? errno : 0); break; case 2: memcpy((void*)0x200000000080, "/dev/hpet\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); fprintf(stderr, "### call=2 errno=%u\n", res == -1 ?
errno : 0); for (int i = 0; i < 4; i++) { syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); } if (res != -1) r[1] = res; break; case 3: res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40045436, /*arg=*/0x17ul); fprintf(stderr, "### call=3 errno=%u\n", res == -1 ? errno : 0); break; case 4: *(uint32_t*)0x200000000100 = 0x14; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/6, /*optname=*/0x1d, /*optval=*/0x2000000000c0ul, /*optlen=*/0x200000000100ul); fprintf(stderr, "### call=4 errno=%u\n", res == -1 ? errno : 0); break; case 5: *(uint64_t*)0x200000000340 = 0x8800000; *(uint64_t*)0x200000000348 = 0x200000000140; *(uint64_t*)0x200000000350 = 0x200000000180; *(uint64_t*)0x200000000358 = 0x2000000001c0; *(uint32_t*)0x200000000360 = 0; *(uint64_t*)0x200000000368 = 0x200000000200; *(uint64_t*)0x200000000370 = 0x72; *(uint64_t*)0x200000000378 = 0x200000000280; *(uint64_t*)0x200000000380 = 0x200000000300; *(uint32_t*)0x200000000300 = 0; *(uint32_t*)0x200000000304 = -1; *(uint32_t*)0x200000000308 = 0; *(uint32_t*)0x20000000030c = -1; *(uint32_t*)0x200000000310 = 0; *(uint32_t*)0x200000000314 = 0; *(uint32_t*)0x200000000318 = -1; *(uint32_t*)0x20000000031c = 0; *(uint64_t*)0x200000000388 = 8; *(uint32_t*)0x200000000390 = r[1]; res = -1; errno = EFAULT; res = syz_clone3(/*args=*/0x200000000340, /*size=*/0x58); fprintf(stderr, "### call=5 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[2] = *(uint32_t*)0x200000000180; break; case 6: res = syscall(__NR_kcmp, /*pid1=*/r[2], /*pid2=*/0, /*type=KCMP_FILES*/2ul, /*fd1=*/r[0], /*fd2=*/(intptr_t)-1); fprintf(stderr, "### call=6 errno=%u\n", res == -1 ? 
errno : 0); break; case 7: *(uint32_t*)0x2000000003c0 = 0; *(uint32_t*)0x2000000003c4 = 4; *(uint32_t*)0x2000000003c8 = 0; *(uint32_t*)0x2000000003cc = 8; *(uint32_t*)0x200000000400 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0, /*val=*/0x2000000003c0ul, /*len=*/0x200000000400ul); fprintf(stderr, "### call=7 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[3] = *(uint32_t*)0x2000000003c0; break; case 8: *(uint16_t*)0x200000000440 = 6; *(uint16_t*)0x200000000442 = 0x8207; *(uint32_t*)0x200000000444 = 0x96d; *(uint32_t*)0x200000000448 = 0x10; *(uint32_t*)0x20000000044c = r[3]; *(uint32_t*)0x200000000480 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0x22, /*val=*/0x200000000440ul, /*len=*/0x200000000480ul); fprintf(stderr, "### call=8 errno=%u\n", res == -1 ? errno : 0); break; case 9: res = syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc04c6100, /*arg=*/0x200000000500ul); fprintf(stderr, "### call=9 errno=%u\n", res == -1 ? errno : 0); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); *(uint16_t*)0x200000000042 = 0x8000; memcpy((void*)0x200000000044, "\x63\x44\x8e\xdb\x2f\xb0", 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 0; res = -1; errno = EFAULT; res = syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x10); fprintf(stderr, "### call=10 errno=%u\n", res == -1 ? 
errno : 0); break; case 11: memcpy((void*)0x200000000080, "wlan0\000", 6); memset((void*)0x2000000000c0, 2, 6); res = -1; errno = EFAULT; res = syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=JOIN_IBSS_BG_NO_SCAN*/2); fprintf(stderr, "### call=11 errno=%u\n", res == -1 ? errno : 0); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_kernel_create_files_as\000", 31); res = -1; errno = EFAULT; res = syz_btf_id_by_name(/*name=*/0x200000000100); fprintf(stderr, "### call=12 errno=%u\n", res == -1 ? errno : 0); break; case 13: memcpy((void*)0x200000000140, "\x28\x03\x83\x7c\xbc\xf3\x7b\xce\x72\xc1\xa7\x3b\x90\x9c\x68\xfe\x5b\xf7\xa6\x36\x3c\xdc\x90\xc0\x0d\xc6\x01\x3b\x35\xda\x02\xa6\x6a\x05\x91\x66\x71\x54\xa5\x56\x7c\x0e\x5e\xe6\x93\x3d\x6d\xa8\xbf\xed\xac\x5d\x27\x8a\x29\x1e\xfa\x30\x20\xba\x15\xe3\x90\xeb\x38\xda\x76\x26\x1c\x3a\xef\xf9\xee\xa8\xab\xea\xce", 77); memcpy((void*)0x200000000240, "\x6a\x0b\x56\xff\x4b\x8f\xac\x28\x77\x3c\xa1\x37\x65\x2b\x5b\x0f\xd8\x03\xa0\x41\x3c\x28\x20\x37\xf7\x21\xcb\x96\xec\xf2\xbb\x1a\x61\x6d\xc3\xd5\x6e\xee\xa2\x6f\x6b\x16\xf4\x56\x2d\x17\xc6\xd8\xb8\x83\x8f\x18\x44\xb5\x85\xeb\xcc\x0b\x56\x2f\x05\x57\xb2\xc7\xe9\xf0\xdd\xa1\xce\x4c\xc6\x1d", 72); res = -1; errno = EFAULT; res = syz_clone(/*flags=CLONE_NEWCGROUP|CLONE_SETTLS*/0x2080000, /*stack=*/0x200000000140, /*stack_len=*/0x4d, /*parentid=*/0x2000000001c0, /*childtid=*/0x200000000200, /*tls=*/0x200000000240); fprintf(stderr, "### call=13 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[4] = res; break; case 14: *(uint64_t*)0x200000000480 = 0xc2e0; res = syscall(__NR_socketcall, /*call=*/8ul, /*args=*/0x200000000480ul); fprintf(stderr, "### call=14 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[5] = res; break; case 15: *(uint64_t*)0x2000000004c0 = 0x18000000; *(uint64_t*)0x2000000004c8 = 0x2000000002c0; *(uint64_t*)0x2000000004d0 = 0x200000000300; *(uint64_t*)0x2000000004d8 = 0x200000000340; *(uint32_t*)0x2000000004e0 = 9; *(uint64_t*)0x2000000004e8 = 0x200000000380; *(uint64_t*)0x2000000004f0 = 0x29; *(uint64_t*)0x2000000004f8 = 0x2000000003c0; *(uint64_t*)0x200000000500 = 0x200000000440; *(uint32_t*)0x200000000440 = r[4]; *(uint32_t*)0x200000000444 = r[4]; *(uint32_t*)0x200000000448 = r[4]; *(uint64_t*)0x200000000508 = 3; *(uint32_t*)0x200000000510 = r[5]; res = -1; errno = EFAULT; res = syz_clone3(/*args=*/0x2000000004c0, /*size=*/0x58); fprintf(stderr, "### call=15 errno=%u\n", res == -1 ? errno : 0); if (res != -1) { r[6] = *(uint32_t*)0x2000000002c0; r[7] = *(uint32_t*)0x200000000300; r[8] = *(uint32_t*)0x200000000340; } break; case 16: memcpy((void*)0x200000000540, "./file0\000", 8); res = -1; errno = EFAULT; res = syz_create_resource(/*file=*/0x200000000540); fprintf(stderr, "### call=16 errno=%u\n", res == -1 ? errno : 0); break; case 17: memcpy((void*)0x2000000006c0, "/dev/fuse\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000006c0ul, /*flags=*/2, /*mode=*/0); fprintf(stderr, "### call=17 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000002b00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0, /*optname=*/0x11, /*optval=*/0x200000002a00ul, /*optlen=*/0x200000002b00ul); fprintf(stderr, "### call=18 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[10] = *(uint32_t*)0x200000002a34; break; case 19: *(uint32_t*)0x200000002b40 = 5; *(uint32_t*)0x200000002b44 = 0xee00; *(uint64_t*)0x200000002b48 = 1; *(uint64_t*)0x200000002b50 = 5; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x4018aee3, /*arg=*/0x200000002b40ul); fprintf(stderr, "### call=19 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[11] = *(uint32_t*)0x200000002b44; break; case 20: *(uint32_t*)0x200000002c00 = 0xee00; *(uint64_t*)0x200000002c08 = 0; *(uint64_t*)0x200000002c10 = 8; *(uint64_t*)0x200000002c18 = 1; *(uint32_t*)0x200000002c20 = 6; *(uint16_t*)0x200000002c24 = 5; *(uint16_t*)0x200000002c26 = 0; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x40286608, /*arg=*/0x200000002c00ul); fprintf(stderr, "### call=20 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[12] = *(uint32_t*)0x200000002c00; break; case 21: *(uint32_t*)0x200000002f00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000002e00ul, /*optlen=*/0x200000002f00ul); fprintf(stderr, "### call=21 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[13] = *(uint32_t*)0x200000002e34; break; case 22: *(uint32_t*)0x200000004040 = 8; *(uint32_t*)0x200000004044 = 0; *(uint32_t*)0x200000004048 = -1; *(uint32_t*)0x20000000404c = 2; *(uint32_t*)0x200000004050 = 0x10; *(uint32_t*)0x200000004054 = 4; *(uint16_t*)0x200000004058 = 7; *(uint32_t*)0x20000000405c = 0x7f; *(uint64_t*)0x200000004060 = 0xbb; *(uint64_t*)0x200000004068 = 0xf; *(uint64_t*)0x200000004070 = 4; *(uint32_t*)0x200000004078 = 0x800; *(uint32_t*)0x20000000407c = 2; *(uint16_t*)0x200000004080 = 5; *(uint16_t*)0x200000004082 = 0; *(uint64_t*)0x200000004088 = 0x200000002f40; memcpy((void*)0x200000002f40, 
"\xa0\xfc\x03\x37\xfa\xea\x63\x1f\x70\x4d\x04\xb5\xa5\x94\xdd\x3a\x87\xe2\x74\x7c\x38\x74\x0f\x43\x57\xe5\xcb\x22\x1b\xf4\x40\x57\x95\xc2\x99\x06\x22\x7d\x36\x4e\x04\x46\xeb\xf7\x7d\x11\x1a\xb6\x66\x81\x06\xa0\x02\x14\x0a\x81\x07\x1b\x6d\x28\xcf\xab\xb3\x7a\xea\x4e\x26\xc4\x65\x7d\xb3\x19\x16\xf1\x71\x81\xef\x2f\xbb\xa8\xcf\x19\x4a\x98\xc4\x35\xa1\x00\x7c\x27\x0c\xd6\xef\xf5\xc6\x42\x45\x37\x19\x7a\x13\x02\x02\xf2\x8c\xe2\x58\x6b\xe0\xce\xff\x0d\xb4\x7a\x35\x35\x12\x18\xf4\x9a\x45\x99\xa9\x8e\x93\xfd\x6f\xa6\xbe\x92\x17\x67\x82\xd2\x9c\xcf\xc9\x00\xc7\x67\xf4\xde\x10\x2c\x3a\x77\x79\x57\x7f\xf3\x6f\x42\x7d\xca\xed\x1e\x8d\xd3\x89\x65\x0f\xbe\x9c\xc0\xca\xb5\xb4\x39\x0e\x80\x5e\xc3\x0a\xd6\x41\x1c\xff\x60\x65\xa8\xa5\x76\x10\xab\x7c\x61\x01\x32\xa2\xa1\xbf\x37\xc8\x71\xd0\x6a\x9d\x78\xcc\x27\x68\x8f\x4b\xef\xa7\xbd\x11\x2a\x69\xdf\x64\xb5\x51\xe3", 214); *(uint64_t*)0x200000004090 = 0x200000003040; memcpy((void*)0x200000003040, "\x64\xb9\x52\x0e\xb1\x74\x93\x9e\xc8\x76\x43\xa2\xfd\xaf\xfe\xa4\x52\x7b\xbf\xd5\x1b\x07\xac\x94\x67\x16\x9d\x3c\x7b\xaa\x5d\xc6\x5b\x8a\x38\xd9\x50\xc8\x58\xff\x99\x23\x7e\x6e\xc0\x6b\x46\x56\xa5\x2a\xcb\x76\xc7\x55\xc1\xcf\xf1\xc0\xa6\x5e\x3d\x16\x32\xfa\xbd\x9e\x1b\x38\x18\x52\xb6\xfc\xfc\x05\x87\x44\x85\x6a\x80\xa2\x9f\xb4\xdb\xdd\x71\x5b\x3c\xd0\x8e\x15\xa5\x34\x05\xd0\xfd\x2f\xf7\xea\xc8\x36\x33\x8c\x4e\xca\x04\x56\xff\x78\xcc\x57\x12\x33\x21\x46\xb6\x71\xbc\x42\x86\x1c\xd8\xbb\x43\x20\x09\x85\xa3\x62\xf3\x9f\x15\xbd\x43\x7f\x06\x45\x8b\x86\x7d\x4b\xea\x22\x27\x49\x32\x50\xd8\x3f\xb4\x6f\x72\x97\xb8\xf8\xc2\x73\x51\xcc\xbe\xc4\xff\xd0\x71\x75\xa7\xc5\xe2\x31\x9e\x94\x21\x0d\x4a\xf5\x06\x1e\x74\x3f\x05\x0f\x2e\xa5\x38\xa3\xed\x9d\x03\x59\xf5\xa7\x54\x6c\x3d\x01\x13\xe2\x55\x26\x8c\xd0\x48\x3a\xb1\x86\xf9\xc5\x55\x02\x02\xa9\xfa\x3f\xa0\xc4\xa2\xa5\x80\x52\x41\x81\x9c\xf9\xc3\x45\xce\xcc\x6b\x77\xdd\x7c\x29\x97\x50\xb6\x7f\xf8\xcb\x5d\x9a\x6b\x0d\x3d\x98\x16\xdb\xeb\x6f\xdb\xc5\xea\x9f\xae\x4a\x25\xe1\x9b\x48\xe5\x10\xdd\xb5\xd4\xd1\x27\x
1b\xa0\xc4\xa0\x83\xd0\x4c\xc5\x09\xb4\x0f\x1a\x84\x91\x95\xf3\xbc\x3e\x9f\x63\xb7\xcc\x74\x73\xff\xc7\x40\xcf\x1a\x97\x9b\xd1\xd7\xe9\x31\x7f\x6f\xc7\x7a\x62\xe5\xac\xab\x36\xc4\xa0\x63\x06\x9c\xfb\x20\x7d\xcc\x7a\xf7\x0b\x77\xa7\x43\xb3\x62\xd9\xd9\xfa\xe0\xdb\xc6\x80\x92\x3a\x0e\x34\x54\x02\x6b\x6d\xa9\x57\x9f\x35\x2a\xfe\xf7\xab\xbc\xa7\xbf\xc1\x4a\xef\x0f\xb3\xd1\x30\x55\x06\xb9\x79\x40\xea\x12\x7f\xfe\xd1\x3e\xee\xa6\xca\xe0\xbe\x96\xf5\xbe\x73\x85\xe8\xe9\xba\x4f\x00\xfd\xc5\x18\x59\xd8\x25\x19\x27\x18\xdc\xf2\x3e\x0b\x6d\xa4\x13\xaf\xf8\x54\xba\x52\x21\xba\x8d\x27\xff\x02\xb6\xc0\xf9\x66\x7f\x2f\xfe\x72\xf4\x34\xf4\xc7\x08\x5a\x52\xfe\xe5\xf0\x87\x1b\xc2\x0a\xeb\xc8\xef\x87\xc1\x7c\x49\xb2\xa4\x34\x24\x21\x54\x77\x0e\x3a\xe2\x68\xd5\xba\xe1\x1f\x22\xf2\x14\x61\x69\xd7\xa9\xc1\x6b\x5d\xaf\x83\x03\x11\x11\xce\x5c\xe9\x92\xd2\x75\xbb\x9b\xc5\xd1\x29\x0f\x7f\xea\x35\x66\x07\xe8\xdd\x9a\xcc\x55\x84\x9e\xeb\x50\x28\x27\x37\x4c\x45\xdc\x89\xdd\x11\x86\xec\x92\x10\xbf\xf8\xe0\x05\xb7\xcb\x2c\x13\x4a\x92\x2d\x6d\xdc\x51\x22\x81\xe6\xf5\xaa\x9b\x10\x4d\x04\xbc\xc6\x00\x0b\x9f\x95\xf7\x43\x93\xf3\x12\xc9\x90\xf7\xd2\x9d\xee\x0e\xf7\xa4\xb1\x58\xfe\x69\x19\x6b\x06\x83\xf3\x5e\x8b\x4b\xa6\x5b\xb4\x9b\x31\x3d\x92\xd6\xf6\x7f\x72\xf7\xc3\xe7\xde\x4d\xd8\x84\xd7\x2c\x78\x6d\x66\xbd\xf5\x98\xa1\x5f\x9a\xc2\x96\xea\x70\x74\x03\x43\xd9\x45\x91\x18\x64\x48\xae\x73\xee\xa6\x10\x1d\xe1\x3d\xf6\x67\xab\x6e\xa1\xf5\x5a\xba\x4c\x11\x3d\x0a\xc4\x2b\xba\x7e\xc5\xbd\x1d\x56\xb6\xbc\x94\x70\x45\x59\x5c\x76\xc8\xf6\x93\x39\xbd\x2f\x19\x3d\xe2\x46\x53\x30\x10\xf4\x2a\xc9\x3c\xe0\xaf\x99\xf4\x0a\xe8\xbf\x3a\x30\x54\x3d\x68\x61\xb2\xca\x30\x6c\x0c\x08\x1d\xb7\x92\xaf\x44\x88\x20\x40\x9c\x05\x33\x0b\xdb\xe4\x4f\x70\xc5\x56\x1d\xff\x87\x04\xb5\xee\xb7\x12\xac\xd3\x21\xfb\x7b\xd5\x8c\x80\x9f\xb1\x1d\x01\x7c\x34\x87\x98\x54\xf1\x53\x24\x17\x41\xfd\xf8\xde\x35\x35\x6b\xee\x7a\x0c\xb4\x0a\x72\x6c\xc7\x83\x17\x57\x59\xe2\x66\xdd\xbc\x98\xe3\xe5\xf8\x22\x02\x4e\x33\x59\xa7\xfe\xc0\xe0\x9f\x0d\x1e\x
21\x42\x62\xea\x20\x9a\x9d\xdf\x12\x28\x0e\x28\x72\x33\x93\x36\x88\x17\xde\x6d\x20\x0a\xc6\xf9\xd1\x4c\xee\x80\xcb\x71\x35\x47\xca\xd5\x53\x33\xac\xaf\xf3\xa3\x2b\x48\x96\x48\x45\x50\x1b\xf1\x08\xe8\xf5\x15\x72\x8b\x36\x72\x62\x90\xb4\x78\xf7\xf3\xda\x9a\x62\xdd\xb1\xd4\x4f\x5e\xd5\x69\xc7\xcf\xf3\x04\x51\xb1\x35\x5d\x34\x91\xeb\x80\x34\x5c\xfd\xb9\x38\x47\x5f\x9d\x16\x18\x1c\xb1\xe3\xd7\x33\xea\x45\xab\xa0\x4c\xbe\x41\x9b\x1f\xe3\x9d\xe5\x14\xe8\xb0\x0d\xb8\x27\xfe\xc1\x95\xae\x77\x31\xb2\xa6\x4a\xd2\x58\xc1\xcf\x2d\x4c\xd9\x7d\xd9\xde\xc3\x56\x4f\x9c\xa7\x4e\xd6\x25\x83\x0e\xd3\x2b\x05\x07\xad\x8c\x97\xf6\x3f\x5a\x2b\x39\xbb\xae\xc0\x4b\x3b\x88\x9b\x6d\x7c\x9f\xb9\x89\x93\xd5\xe5\xae\x40\xcd\x6b\x63\x72\xbc\x63\x1d\x37\xda\xc4\xab\x3d\x48\xb5\x89\x5b\x00\x30\xe0\x02\xe7\xf4\x43\xbe\xad\x14\xa5\x77\x7e\xcf\x5e\xe9\x99\x83\xb3\xc0\xf5\x00\x53\x9d\x02\xba\x11\xcb\x4b\xf3\x25\x99\x06\xbb\xcc\x34\x85\x5e\x6d\x4b\x2c\x49\x31\x68\x16\xd4\xd1\x73\x40\xd8\x93\x8d\xbb\xad\x5f\x2c\xbf\xe8\x3d\xa5\x7f\x59\xe5\x1c\x9e\xb6\xff\x62\x15\xf7\x94\xf6\x82\x28\x20\xb0\x59\x12\xdf\x85\xfe\xa5\x3c\x04\x6d\xd6\xe8\x89\x24\xa1\x8e\x71\xc0\xcd\xa6\x58\xb5\x8a\xff\x26\x19\x4f\x88\xdf\x81\xda\xf0\x6e\xe0\x94\x2c\xda\x0d\xf1\x8b\x41\xb0\xe2\x30\xb3\x05\xb4\xf9\xa4\x7f\xdb\x18\xc6\xd6\x8c\xce\xba\x1f\x24\xf2\x75\x6b\xd9\x6a\x79\x91\x12\xc3\x48\x5e\x39\x4d\x2d\xd9\xfc\x87\xab\x1b\x46\x51\xad\x05\x8a\x3e\x44\x46\x1d\x2c\x72\xf0\x38\xff\x88\x11\x04\xcb\x75\xcc\x79\x68\x3a\x9d\x97\xd8\x81\xcf\xfb\x92\xb0\x5c\x12\xbf\x4d\x3a\xb4\xdb\xe1\x79\x08\xfb\x79\x9e\xaf\xfa\x9c\xaf\xa4\xa6\x1c\xe2\x0a\xa4\xb3\xeb\xc3\xc7\x52\x20\xaa\x65\xc9\x80\x3a\x77\xf1\x81\xda\x39\x24\xcc\xa5\xf6\x05\x96\x12\xe4\x54\x86\x10\x6f\x22\xb8\xc8\x91\xf7\xb1\x46\x62\xab\xd6\x4b\x32\x58\xed\x13\xbd\xcd\x6d\x1a\x77\xc6\xa4\x15\x19\xd6\x60\x63\x74\x3a\x19\x18\xbb\x13\xe9\xb7\x57\x7f\xb6\xbb\x7d\xf2\x3f\xf1\xb9\x6e\x78\x2b\xda\x63\x94\xd4\x86\x1a\x7e\x0a\xc8\x0d\x1c\x6c\xc8\x4a\x30\x3b\x78\x41\xe5\x89\xd6\x6b\xed\x37\xcc\xc0\x5f\x
4e\x9b\x4d\xfb\xc5\x3d\x3b\x50\xd5\x0e\x02\xc8\x7d\x41\xf5\x3f\x86\xde\xcb\x39\xc7\x06\xf5\x37\x2e\x9d\x6e\x3d\xde\x53\x05\x96\x20\xd2\x78\x45\xf3\xed\x77\xcd\x58\x99\xe3\x3a\xed\x5c\x4f\xb1\x40\xf8\xe4\x05\xfa\x2e\x0e\x11\x72\xea\xa7\xd4\xe9\x12\x98\x7a\x0a\xa3\xac\xf7\xc2\xd8\xe9\x4d\x16\xc9\x98\xc9\x87\xfd\x40\x4b\x23\x4e\xf7\x36\x1d\x0c\x53\x87\xe6\xb9\xd5\x5f\xb9\x72\xc7\xdc\x21\x72\x26\xce\x13\xd8\x2a\x59\x31\x1f\xe2\x69\xa0\x9c\x38\x4e\x73\x9a\x66\xbe\x43\x54\x79\x1f\x38\x1e\x74\xcc\x5d\xfb\x9a\x92\xfb\xff\xf8\x59\x5d\xf2\x4b\x40\x3e\xaf\xb0\x04\x73\xeb\x0b\x2e\x7f\xee\x36\xdb\xa4\xa9\x08\x93\x8b\xcf\xcc\xe9\x61\xfd\x10\xec\x29\xe5\x6d\xfe\x40\x59\x1e\x13\xd5\xe5\x3f\x16\xc8\x75\x9c\xa2\x7f\x80\xce\x90\x4f\x2d\x7c\x43\x32\x10\x97\x59\x5e\x90\x76\x39\xf2\x0f\x9e\x8d\xce\x70\x0c\x39\xd0\xe4\x42\xda\x88\x7a\x4d\xf0\x82\xeb\x7e\x17\x2f\xaf\xdc\xb0\x0b\x00\x8c\xaf\x55\x23\xd1\xfe\x5f\x24\x0a\xe9\x91\x49\x6d\xb9\x33\x89\xaf\x41\x85\xe9\xc9\xcc\xbd\xcb\x97\x31\xce\x7a\x77\x0a\xe2\xab\xac\x9d\x8c\xdd\xf3\x13\x23\x1a\x55\xe1\x27\x7b\xd3\x6c\x1e\x44\x84\x2b\x38\x72\x55\x5c\xcd\xcb\x3a\x06\x84\x59\x13\x21\xff\x15\xdc\x6d\x2c\xef\xfd\x58\x5d\xbe\xb9\x90\xe4\x05\x4f\xab\xc1\x8a\x9e\x9f\x1d\xe1\x3b\xfa\xd9\xde\x7f\x8d\xeb\x6b\x6c\x47\x2c\x42\x33\x67\xee\xad\x52\x50\x04\xde\xfa\x9e\x17\xc6\x79\x02\x36\x0b\xf1\x63\xa0\x1e\x98\xf6\xe7\x55\xcf\xf6\x28\x2a\xee\xbd\x1e\x8a\x09\x71\x5c\x15\xb9\xed\xaa\x50\x0d\xe0\x74\xc2\x8b\xad\x6d\x03\x57\x8c\x5e\x1c\x87\xbe\x71\x17\xf5\x4e\xef\xc3\x31\x3c\x38\xb6\x1d\x88\xa6\xa5\x0a\x0f\x36\xfd\xbf\x08\x4c\xb4\x14\x47\xc6\x90\xd3\xff\xcc\x83\x14\xe9\x1a\xda\x81\xd3\x4a\xcc\xd3\xe0\x6d\x19\xbc\xa2\x8f\xb4\x9b\xed\x5e\x32\xf4\xeb\xd5\x49\x29\xe4\xab\x51\xa6\x59\xb8\x1c\x1c\x35\xdf\x9e\x51\x47\x69\xb9\xeb\x31\xd7\x1d\x43\x78\x64\xf5\x4e\x99\x2a\x2b\x9b\x15\xe2\xfd\x32\x07\x81\x77\x56\xb4\x86\xd0\x81\xaf\x39\x7b\x21\xa2\x58\x44\x3d\x86\xa2\x0a\x82\xda\xb3\x09\x4a\x48\x83\x32\x47\x91\xd6\x7c\xea\x91\x8b\xec\x79\x94\xab\xce\xc1\x80\xf8\xfb\xd4\xae\x
90\xad\x2c\x78\x5d\xe7\x74\x73\x08\xd8\x0a\x73\x31\x86\x4b\xd1\xa9\xbf\xfb\x51\x44\x07\x78\x51\x93\x92\x74\x05\xf7\x78\xa1\x66\x51\x4a\x33\x9b\xfe\x16\xf5\xcb\x8e\xe3\x49\xa0\x8e\x25\xb9\x4d\xc3\x51\xc7\x2e\x98\xc6\xba\xf1\x86\x02\x50\x60\xcd\x98\xd7\xd1\x4b\xf8\xee\x06\x02\x40\x40\x5a\x1c\x10\x20\x2c\xb3\x48\x57\xab\x67\x4e\xff\x41\xcd\x46\xc0\x3d\x2f\xfc\xca\xbf\x19\x4e\x0f\x35\x16\x58\xab\x02\xd9\xa1\xf9\x28\x30\x61\x7d\xe6\x91\x35\x50\x95\x34\x64\x7b\xc4\xcc\x20\x52\x87\xb2\x51\x55\x3f\xcc\x76\x89\xd5\xe6\x69\xf9\xba\x4b\xdb\x40\x36\xe0\x64\xb2\xa7\x91\xea\x5d\xe9\x3c\x66\x91\x8a\xd6\x1c\xf1\x0b\xe4\xf5\x56\x4a\x07\x1b\x02\xb9\x36\x5b\xc5\x87\x31\x6e\x65\xbd\x12\x64\xfe\x1f\x8d\xc7\xd2\x44\xab\x33\x19\xe9\xa9\x05\xe2\x44\xa0\xd0\x00\xbf\x3c\x56\x68\x11\xf7\x29\xd1\x0f\x9d\x81\xb0\x60\xcb\x7f\xf9\x3d\xa8\x05\x6d\x64\x1f\x93\x12\x1c\x50\xb9\x87\xe4\x14\x9d\x44\xc2\x34\x91\xe9\xde\x6a\x5c\x1d\x6b\x26\xf6\x44\xb3\xb0\x20\x62\x7c\xaf\x32\xd4\x7f\x95\xa4\x85\x7b\x36\x53\x0f\xf5\xc5\xbe\x38\xca\x37\xb9\x0d\xec\x3b\xde\x10\x75\x61\x58\xd6\xdb\x91\xbc\xbb\xea\x66\x65\xfa\x14\x08\xae\xc0\x02\x5d\x9d\xfe\x3d\xe8\xa5\x7b\x8a\xf3\x00\x17\x9b\xff\x26\x03\x2e\x61\xdb\x60\xd6\xe2\x0a\xcb\x67\x15\x95\x05\x6f\xd6\x5e\x84\x03\x80\x40\xf0\x7d\x46\xdb\xd4\xcb\x8c\x0d\x3c\xe9\xfd\xa0\x02\xd2\x2e\x24\x75\x0f\x14\x58\x01\xaf\x85\xd7\x82\x68\x1b\xb9\xb1\x22\x8f\xb2\x81\xc5\x43\xe5\xdc\xde\xf8\x4b\x7a\x26\x26\xde\x59\xe1\xec\x79\xe4\x4d\x1a\x23\x0f\xed\xda\x6e\x30\x37\xb0\xe9\xc4\xca\x47\x5d\xcd\x31\x9b\x86\xbd\x4a\xb2\xcc\x3c\xd5\xee\x47\x85\x7a\xda\xa8\x8e\x7e\x77\xaf\xaa\xb3\xfd\x85\x07\x6e\xdb\x36\x15\xba\x44\xe9\x7b\x5e\x18\x1b\x5e\x8c\x86\x11\x78\x48\x54\xa8\xae\xbd\xcc\x09\x83\xe0\xb8\x37\x45\x5a\x29\x01\xb9\x19\x80\xb0\x5e\xfc\x92\x23\xd2\x06\xdc\xaa\x5b\xe6\x74\x5c\xbd\xfb\x6f\x9a\xf1\x38\x73\xb3\x77\x3f\x5a\x59\xbe\xaa\x0f\x4a\x36\xdd\xd3\x83\xd6\x3e\x12\xf5\x0e\x0f\x7c\x53\x3e\x6a\x55\x9e\x54\x5d\x28\x51\xd0\x4b\xd3\x6e\x41\x2d\x89\x1e\xac\x7b\xbf\xf3\x99\x36\x93\x7f\xa3\xe4\x
fb\xfa\xf5\x10\x37\xc5\x0a\x7d\x57\x30\x05\x1e\x4c\x69\x84\xf3\x94\xf3\xf5\x9f\xaa\x61\xac\x96\xfc\x2b\xa4\xe3\x35\x64\xc2\xbb\xc6\x07\xb1\x8e\xf8\xae\xf1\x9b\x88\xb7\xac\x63\xce\xf3\xe0\x97\x1f\xa1\x15\x62\x33\x37\x3f\xa5\xb5\x8f\x16\xfa\x99\x31\x2d\x84\xa6\xb7\x90\xe7\xa6\x63\xba\x05\xe2\x37\x38\x5e\xb4\x13\xe4\x26\x0e\x02\x1b\xa3\x87\x91\x23\x57\xfe\xd3\x9f\x13\x66\xe7\x31\x8e\xbe\xa7\xb9\x21\xde\xd5\xd9\xf9\xab\x5a\x86\x12\x16\x48\x31\x0f\x09\x04\x25\x8a\x9e\x4d\x59\x0d\x65\x43\x1d\x23\xe6\x22\x30\x9d\xe9\x64\xcb\x77\xdf\x8f\x28\x07\x66\x7b\xd5\x81\x81\xe4\x85\xc2\xe0\x3c\x29\x5c\x15\xe5\x27\x4c\x70\x6c\x1a\x00\x27\xb6\x75\x1e\x40\x95\x9a\x15\x81\xc7\x10\x77\x4b\xd5\x57\x53\x67\xc9\x3c\x17\xfb\x84\x44\x97\x6e\x38\x47\x11\xd4\xde\xbc\xe0\x97\x54\xe9\x7b\x04\x8d\x47\xb3\xdd\x82\xf7\x5f\xa9\x39\x37\xd0\x72\x2c\xb2\x37\x9e\x8b\x4b\x02\x67\x59\x91\xed\x1b\xc5\xf1\xf1\x5f\xea\x5f\xbe\x59\xc6\x3a\x29\x91\xaf\x99\x8a\x21\x99\x1f\x1d\x46\xcd\x3d\x21\x1a\x53\x2c\xee\x73\x2f\xfb\xcf\x55\xb2\x87\x90\xc4\xba\xdb\xa7\x68\xc5\x7a\x26\x23\xdf\x69\xb3\x96\xc2\xac\xcf\x92\x58\x06\xd5\x52\x61\xb7\x08\x74\x35\xe4\x97\x45\x29\x75\xb1\x52\x66\x52\x2e\xf9\x76\x37\x95\x6f\xaa\x20\xe8\xec\x65\x3c\x9c\x0c\x07\x73\x60\x3d\x77\x67\x7d\x0e\xf1\xec\x99\xa0\xf6\x1c\xcc\xf7\xe1\x10\x30\x51\xa7\x85\x2a\x00\x77\xf9\x73\x36\x9f\x6d\x80\x56\xb7\x9c\x53\x7a\xea\x6b\x41\x07\x09\xdf\x69\x37\xb6\xb7\xce\x03\x39\x8e\x1a\x7a\x1e\xf8\xe0\x62\xbf\x5b\x5a\x11\x0b\xc0\xda\xf2\x76\x5c\x92\xe6\x95\x83\x4a\xdd\x9a\xc0\x3f\x5e\xa5\x6f\x8e\xc1\xd6\x4a\x8f\xad\x07\x41\x0e\x30\x19\xd8\x4c\x0e\x7c\xdf\x1c\x49\xe9\x50\x91\x79\x4a\x3a\xad\x82\xab\xf6\x3e\x9c\x6c\xeb\xab\xdf\x05\xe8\x05\x03\xd1\xba\x70\x37\xe9\xb0\xb3\x5a\xad\x55\x17\xa0\x29\x88\xa3\x43\xb6\xa4\xaf\x6d\x82\x77\x96\x4f\xcd\x3e\x72\x0c\x19\xeb\xcb\xca\x7c\x4a\x87\x7c\x4b\x17\x40\x5d\x4e\x04\xe2\xbf\xf0\x36\xd6\xf5\xe8\xda\x62\xd6\xec\x70\xd1\xcd\xd9\x70\xe8\xba\x36\xf7\xfa\x95\x6c\xbd\xe7\x89\x25\xa4\x43\xb9\x57\x9b\xe0\x39\xe5\x65\x39\x66\xe7\x45\xb1\x
d9\x3c\x62\x97\x0f\x29\x07\xfb\x53\x5c\x88\x82\x0b\x95\xb2\x44\x09\xd1\xbb\x81\xe0\xcd\xfb\xdc\x39\x72\x78\xa8\xb1\xeb\xa6\x32\x5e\x69\x3a\x93\xb5\x50\xdc\x2d\x7f\xf0\x55\x98\xf8\x24\x67\x94\xb2\xd0\x1b\x58\xf3\x03\x24\xe4\x4c\x43\x9e\xc6\xe1\x70\xb6\x92\xef\x2d\x55\x2f\x33\x22\x42\x10\x1f\xe2\x45\x86\x56\x4b\x87\xe4\xd0\x4c\x5c\x41\x37\xf4\x53\x45\x1d\xc8\x2c\xe4\x9f\x93\xd5\x0e\x49\xac\xf2\xb9\x66\xd0\xd5\x00\xff\xf9\x9b\x98\x4d\x70\xfa\xa2\x06\x11\x87\x36\x9a\x3d\xd5\x03\x37\x87\x2c\x23\x0e\x6f\xbd\xa2\x42\x0e\x56\x58\x86\xb6\xee\xf5\x3e\xb5\x32\x23\x9a\x98\x23\x7b\xf8\xcf\x35\x49\xf6\x0b\x08\x3d\x81\xa1\x6e\x6a\x30\xc2\x6a\x74\x45\x6f\xbf\x8d\xdc\x24\x76\x78\x4e\x77\x6d\xf7\x49\x0a\x31\xe1\x11\x3c\xb0\xd8\x76\xd5\xca\x9f\xbf\xc3\x2c\xf6\x08\x1f\x75\x42\x01\x5b\x41\xae\x86\xf9\xc0\xbb\xfe\xd2\xb8\x47\x4b\xfc\xd7\x82\x84\x46\x7c\x22\xf1\xd6\xdf\x54\xbb\x3e\x28\xf5\xcf\xf0\x07\xe9\xd5\xd5\x59\x7c\x83\x7a\x72\xeb\x04\xef\x8d\x1f\x3a\xc0\x60\xb9\xf1\xff\xf3\xd7\x4d\xa3\x5b\xf1\xcc\x3f\xf9\xd8\x36\xbf\xc8\xd2\xcc\xb0\x72\x14\xaf\xd3\x57\xc2\x96\xae\x04\xa5\xce\x01\xfd\xc7\x79\xe9\xb4\xae\x6d\x67\x7c\x6f\xc4\x8f\x73\x83\x06\x4f\x2d\x21\x7d\x51\xe3\x90\x60\x9d\xad\x93\x30\x22\xed\x7c\x35\xf8\x9e\x83\xb5\x55\xc8\xe3\xcc\xec\x20\x4e\x59\x32\x28\xf3\x24\x44\x27\xcf\xed\x43\xbd\x37\x1e\xe5\xf5\x84\xce\xab\x01\xf8\x8d\x1c\x99\x47\x41\x89\xb8\x76\xc9\x53\x40\x89\xdd\x5d\x04\x60\xda\x83\x3a\xfb\x14\xcb\x1c\xb1\xf4\xbf\x85\x17\xff\xf8\x6f\x94\xa9\x19\xb9\xf8\xee\xb3\x60\x88\x7b\x13\x9f\x67\x59\x05\xce\xee\xfa\x05\x78\x6f\xd7\xea\xa8\xcc\x60\x10\xee\x28\x69\x89\xb6\x26\x9a\x45\x05\x2d\x4c\x62\xf7\x42\xbd\xc2\x52\xfb\xfd\xb2\x16\x6f\x9b\x02\x15\x31\x6c\xe5\x69\xd5\x3f\x12\xd7\xff\x1e\x92\xd2\xbf\x11\xb6\xed\x6a\xec\x3f\xe3\xf6\x2c\x49\xa4\xcd\x2f\xeb\xca\xe8\xe1\xb4\x4b\x38\xea\xf1\xa6\xe7\x8f\x2d\xa3\xcd\xd9\x4e\xde\xa7\x15\x00\x00\xd7\x01\x5c\xb6\x52\xba\x46\xd3\xb2\x31\x5b\x64\x9e\xdc\xcf\x47\xb5\x1d\x45\x85\xdb\xc7\x60\x64\xa1\x2b\x05\xce\xd6\xfd\x11\xfe\x37\x03\xad\x22\x67\x
f9\x62\x97\xbc\xd4\x55\x81\x07\x69\x74\x6e\xe2\x64\xe7\x3d\x90\x43\x38\x4e\x3a\xf7\xb4\x45\xfd\xa9\xf1\x2f\xff\xbc\x7d\x63\xcd\xc1\x05\xeb\xf8\xec\x1f\x52\x47\x5c\x73\xb0\x6b\x4a\xf0\x80\x03\x7b\xab\xda\x88\x88\xb0\x5b\x3d\x00\x51\xd7\xaa\x6c\x94\x91\x40\xdf\x65\x80\x6c\x83\x66\xf8\xe3\x64\x0f\x5a\x74\x70\x26\x26\x96\xbd\x3c\xd4\xdb\x85\x50\x2c\xbd\x5f\xe2\x2b\xb0\xf5\x92\x87\x76\x8f\xb9\xc5\x2e\x69\x33\xe5\x68\xe0\xd3\xce\x72\x83\xa4\x20\xc8\x9f\xd0\x4e\x93\xe5\x65\xdf\x0f\xf6\x8c\xc7\x43\xcd\xcf\x4d\xfc\x7f\xf0\x9c\xbe\x8a\x77\xa0\x20\x80\x4f\x4c\x17\x61\x28\x46\x16\xd9\x58\x40\x1f\x57\xaf\x9d\xc7\x13\x62\x99\x2b\x3f\xf3\x43\x9c\xcf\x85\xf4\x3b\x6c\x08\x50\x98\x96\x50\xd8\xf5\x5b\xa1\x92\x2a\x65\x00\xd2\x72\xdd\x42\x38\x6c\xbb\x23\xe6\xe6\x7e\xc9\x26\xa1\xca\x93\x57\xf4\xc8\x4b\x76\x71\x52\xe6\xc4\x36\x17\xde\xf9\x4a\xc6\x01\x4a\xa3\xc6\xca\x84\x18\x59\xdc\x57\x52\x4a\x72\x27\x41\x24\x65\x30\xda\x55\x06\x71\xec\x17\xd2\xa3\x42\xe5\x57\xb4\x3c\x08\xa9\x3c\x12\x67\x63\x7f\xff\x37\xff\x4a\x40\x85\x52\x8e\x7c\xe6\xd0\x9d\xe6\x42\x99\x6f\xff\x98\x68\x85\x44\xa7\xc2\x3b\xff\x8b\x6f\xdb\xe5\x33\x42\x4c\xcb\x11\x9a\x56\x7f\x1f\x15\xc0\xb4\x65\x0e\xd8\x0e\xfe\x24\xab\x4d\x1c\x1e\x33\x30\x5a\xfd\x2c\xea\xc6\x82\xc0\xea\xca\xa5\x66\x9e\x44\x34\xf6\x34\xb1\xc6\x12\x71\xd9\x5b\x00\x95\xc7\xb1\xa6\x2a\x2d\x07\x3a\xad\x80\xc5\x10\x15\xbb\x51\x50\x84\x5c\x11\x86\x33\xa3\xc4\xc9\x4b\x74\x63\xfe\x73\x39\x18\x2e\xa0\x1a\x7e\x28\x63\x7c\x27\xb5\xf8\x60\x68\xa7\x37\x4a\xe7\x7c\x5c\xdd\x6d\xd9\xb4\x69\xdd\x9a\x47\x5c\x37\x52\x8e\x2f\x1c\x40\x13\x23\x59\xe9\xe6\x5e\x23\xad\x45\x95\xb1\x60\xad\x9a\x2d\x83\xcc\xe0\x78\xf4\xd6\x18\x1f\xd3\x02\x6c\x2a\x0b\x13\x02\xfa\xa6\x9a\x51\x80\xa2\xc2\x0b\x3a\x32\x87\x6e\xfc\x2a\x62\x81\xc4\x09\xc2\xe6\x6e\x00\xde\xb5\x30\x98\x19\x7f\x13\x18\x5b\x7d\xa5\x89\xb0\xcf\xe2\xa3\x12\xf0\xf6\x1e\xfa\xb2\x9a\x7b\x1b\x61\x4f\xaa\x57\xed\x37\xe0\x1f\x8b\x0c\xdf\xb2\xea\x78\x67\x74\x5d\x66\x69\xa4\xa8\x95\xb9\x7e\x1e\xd2\x4c\x2f\x3c\xf2\x3e\x88\x51\x13\x8d\x9a\x
64\x0c\x2c\x0b\x32\x1d\x00\xf0\xa4\xdd\x9a\x72\xfe\x5b\xa4\x3a\xc4\x7d\xd3\x1a\x01\x4d\x31\xb7\x25\xee\x28\xcd\x8f\xbe\xd0\xbc\x78\x14\x59\x80\xb5\x86\xd3\x71\x84\x8b\xb9\x67\x48\x30\x3d\x0a\xd1\xfe\x2a\x2e\x7f\x5d\xd3\x40\x70\xc6\xfc\x50\xe1\x09\xdb\xb1\x5c\xdd\xcb\xc0\x4e\x1c\xf6\x35\x8d\x10\x50\xe6\x31\x9a\x34\xf1\x45\x2f\x44\x43\x6d\x8c\xea\x13\x7a\x37\xa1\xda\xd1\x3e\xfc\x2b\x9a\x95\x87\xa4\x3c\x2c\x3f\x3d\x5a\xa3\x2c\x09\x78\x52\x0d\x24\xda\xdd\x18\xef\xa8\x12\xa7\x2d\x33\xb2\xf4\x41\xac\x88\x52\x26\x55\x5f\x7c\xd2\x54\xab\x27\x71\x75\xc4\x35\x68\x3c\x36\xdf\x69\x7c\x2f\xb5\x36\x27\x19\x48\xe5\x38\xdd\x3b\xce\x39\x09\xa5\xc8\xc3\x7e\x97\xea\x37\x36\xcd\x1a\xda\x26\xf1\x3f\x12\x1a\x99\x06\x33\xd9\x5b\x59\xe6\x73\x93\x43\x29\x93\xc0\xc8\x4f\xd6\xd5\x2b\xeb\x7e\x3d\x02\xa4\x37\xeb\x28\x1a\xf5\x73\xba\x1c\x47\xf3\x73\xf6\xcc\xd6\xe0\xb1\x83\xa2\x1c\xbe\x9f\xdb\xb8\x2c\xcc\x39\x6f\x16\xaf\xf1\x99\x9f\xb8\x39\xeb\xca\xff\x97\xfa\x0b\xfd\x0d\x34\xcf\x8e\x57\x60\x6f\xd8\x23\x41\xdb\x31\x8e\x40\xcd\x9e\x85\xc1\x54\x46\x5d\xcc\xe1\xb7\xfd\x8b\x22\x80\x8f\x0e\x0d\x45\x4e\xf9\xa2\xb5\xa4\xc3\x5c\x0a\x12\x5b\x92\x37\x07\x00\x72\xd1\xcd\x82\x7c\xfd\xea\x8e\x3d\xe8\x33\xb0\x81\x4c\x8f\xf2\x60\xe6\xb3\x98\x07\xef\x86\xac\x67\x7a\xbd\xeb\x50\x7d\xd5\x7f\x69\x93\xd3\x03\xd5\x55\x17\x84\x0b\xd7\xaf\x1d\xb3\x98\x08\x21", 4096); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/6, /*buf=*/0x200000004040ul); fprintf(stderr, "### call=22 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[14] = *(uint32_t*)0x200000004048; break; case 23: *(uint32_t*)0x2000000042c0 = 2; *(uint32_t*)0x2000000042c4 = 0; *(uint32_t*)0x2000000042c8 = 0; *(uint32_t*)0x2000000042cc = 3; *(uint32_t*)0x2000000042d0 = 0x44; *(uint32_t*)0x2000000042d4 = 7; *(uint16_t*)0x2000000042d8 = 0xff00; *(uint32_t*)0x2000000042dc = 0x80; *(uint64_t*)0x2000000042e0 = 0xe5; *(uint64_t*)0x2000000042e8 = 0; *(uint64_t*)0x2000000042f0 = 8; *(uint32_t*)0x2000000042f8 = r[7]; *(uint32_t*)0x2000000042fc = r[4]; *(uint16_t*)0x200000004300 = 0x800; *(uint16_t*)0x200000004302 = 0; *(uint64_t*)0x200000004308 = 0x200000004180; memcpy((void*)0x200000004180, "\xb8\x47\x2d\xa7\x63\xb7\xf2\x33\xe5\xd2\x38\x7c\x99\x8e\xd4\x35\x56\x57", 18); *(uint64_t*)0x200000004310 = 0x2000000041c0; memcpy((void*)0x2000000041c0, "\x10\xf1\x21\x59\x35\x43\xac\x48\x3e\xe5\xd9\xfc\x00\x93\xe2\x03\xb9\x27\xb4\x4b\xb5\x34\xa8\x71\x1a\x28\xdf\x30\xc8\x75\x70\xf2\x5d\x8d\xd6\x43\x46\x7a\x2c\x9e\x53\x1e\x8a\x4a\xa6\xe0\x33\xf5\x71\xb9\xfe\xea\xe8\xb6\x5d\x09\x3f\x91\x56\x28\x88\x5d\x3f\x02\x8c\x3f\x44\x47\x63\x2b\x36\xf2\x2e\x16\xc1\xfc\xb5\xe7\xbd\x69\x92\xc0\x89\xdf\x96\x1f\xee\x65\xda\x52\x26\x3c\x86\x54\x31\xc8\x32\x4d\x25\x20\x54\x27\x65\x39\x02\x00\x0e\xe5\xf2\x31\xb0\x3d\xf0\x0c\xf5\xb4\xff\x9f\x87\x79\xd3\x31\xa8\xb5\x11\xc4\xdd\xf3\xba\x9b\x68\xb4\x81\x33\xa4\xcd\x4f\x26\xe7\x37\x66\x50\xcb\xa6\x10\xc6\x2a\x68\xf4\x81\x02\x20\x00\x97\x06\xa8\x5a\x06\x31\x03\xdc\x90\xdf\x67\x13\x7a\x34\xa2\xdc\x60\xea\xcd\x86\x8a\x66\xd7\xf6\x8e\x69\xc0\x4c\xc1\x95\xfd\xc8\x08\x1c\x4b\xe4\x14\x86\x03\x24\x2c\xaf\x94\x67\x0f\x9e\x25\x55\x7e\xf9\xad\xa0\xf2\x3c\x59\x61\xfc\x07\xfe\x58\xc7\x8b\xff\x01\x3f\x83\x44\xdd\x96\x11\xe2\x31\x49\x63\xbf\x51\xdf\x6c\x98\x4c\x56\xb9\xaf", 236); res = syscall(__NR_shmctl, /*shmid=*/0x10000, /*cmd=*/2ul, /*buf=*/0x2000000042c0ul); fprintf(stderr, "### call=23 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) { r[15] = *(uint32_t*)0x2000000042c4; r[16] = *(uint32_t*)0x2000000042c8; } break; case 24: *(uint32_t*)0x200000004540 = 0x9732; *(uint32_t*)0x200000004544 = 0xee01; *(uint32_t*)0x200000004548 = 0xee01; *(uint32_t*)0x20000000454c = 5; *(uint32_t*)0x200000004550 = 4; *(uint32_t*)0x200000004554 = -1; *(uint16_t*)0x200000004558 = 5; *(uint32_t*)0x20000000455c = 0x80000000; *(uint64_t*)0x200000004560 = 9; *(uint64_t*)0x200000004568 = 5; *(uint64_t*)0x200000004570 = 0x8001; *(uint32_t*)0x200000004578 = r[7]; *(uint32_t*)0x20000000457c = 2; *(uint16_t*)0x200000004580 = 0xffc; *(uint16_t*)0x200000004582 = 0; *(uint64_t*)0x200000004588 = 0x200000004440; memcpy((void*)0x200000004440, "\xae\xb6\xd5\x07\x3a\xfa\xa3\x1c\x2e\x2b\x2c\x26\x91\x12\xdf\xff\x49\x39\x37\x39\x22\x07\xd1\x3f\xcd\x1a\x8e\xba\xa9\x97\xfd\x97\x6c\xcf\x81\x7f\x42\x90\xa8\x95\x65\xf4\x5f\x54\x38\x2b\x31\x3d\x34\x98\xe2\xa6\x76\xfb\x90\x8e\xe4\xd8\x92\x13\x1f\x01\xb8\x3d\xed\xd0\x94\x98\xc8\xc2\xc5\x6d\xf4\xef\x1c\x82\x32\x32\x0b\x42\xd5\x83\xcc\x60\x61\xc9\x2c\xc0\x6c\x76\x4f\xb0\xd4\x46\xa8\xb9\xa5\xf1\x90\x3c\x9b\x2b\x2b\xa4\x5c\x1e\xce\x47\xcd\x24\x9f\x20\x1b\x45\x7e\xe0\x3c\x79\xfb\xe2\x6f\xee\xa6\xde\xc1\x42\x68\x9a\xe2\x1b\x9c\xed\x84\x39\xf1\x0a\x2e\x3b\x65\x7a\x1e\x3a\xb7\x38\x54\xc1\x33\x8b\x6d\xb9\x05\x24\x8a\xe4\xbc\xee\x97\x3d\x06\x8e\x9b\xd4\x9b\xf4\xf9\xe8\xd0\x17\x7c\x72\x61\x2b\xce\x4e\xf6\xb4\xd7\x6c\x09\x39\x96\xde\x65", 183); *(uint64_t*)0x200000004590 = 0x200000004500; memcpy((void*)0x200000004500, "\x24\xa7\x29\x1c\x4a\xbc\x17\xba\x4a\xcd\xe1\xc6\xfb\xdb\x58\x89\x6a\xd2\x7d\xad\x25\x64\x40\x20\x7f\xf6\xa5\xe4\x8f\xf2\xa6\x18\x5f\x2c", 34); res = syscall(__NR_shmctl, /*shmid=*/0xfa95, /*cmd=*/0xbul, /*buf=*/0x200000004540ul); fprintf(stderr, "### call=24 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) { r[17] = *(uint32_t*)0x200000004544; r[18] = *(uint32_t*)0x200000004578; } break; case 25: memcpy((void*)0x200000000700, "\x2b\xce\x17\x78\xfe\xc9\xa1\x28\x6b\xf6\xab\xa5\x3c\x3a\xc4\x02\x86\xad\x6a\xa7\x11\x2d\x6f\x2f\xca\xbf\xd2\xba\x71\x3e\xaa\xdc\x81\x39\xe1\x4f\x61\x80\x70\x12\x6a\xc3\xa3\x8a\xd9\xcd\x7b\x5c\x94\xb1\x78\x3b\x26\x11\x52\x07\x29\x35\x3d\x56\xfc\x5b\xd5\xcb\xd4\xf1\x1d\x01\x35\x9c\xa9\xeb\x2e\x0c\x4c\xc6\x60\x95\x84\x6c\x2b\x10\xd4\x1e\xb8\x46\x77\xf1\xc3\x52\xbd\x90\xeb\xfa\x66\x12\x3a\x7a\x19\xf4\x5c\xae\xa8\x4f\x12\xe7\x76\x57\x93\x32\x46\xc4\x4a\x20\x9a\x4b\x9f\x15\x56\x87\xe2\xa4\xfd\x90\x2f\x57\xea\x49\x08\x5f\xaa\x76\x01\x19\x40\x68\x27\xdb\x2e\x6a\xde\x20\x29\xf8\x20\x1d\xe4\x7e\x97\xb1\x33\x85\x3a\xe7\x32\x14\xa7\x96\xe4\x81\x8d\x39\xcf\x10\xa8\xe6\xa6\xf1\x1a\x88\xe0\x82\xc9\xaa\x25\x85\x7a\x67\xa3\x2f\x35\xbc\x8f\x86\x7f\x04\x4d\x0f\x32\x99\x53\xdc\x06\x02\x24\x9d\x83\x19\x7e\x0e\xf5\xc9\x83\xb9\xd5\x56\xbd\x52\x7a\x6a\x59\x9f\x52\xa2\x11\xf9\xc7\x11\x3e\xdc\xc0\xe9\x3f\xc1\x8e\x79\xed\x69\xfb\x2a\x7f\xde\x97\xc9\xc3\x5e\x31\xe3\x5f\x07\x71\x37\xc8\xfd\x8b\xec\x40\x18\x14\xfb\x99\x81\x6d\x1e\xe5\xa5\xe7\xed\xc2\x10\xc6\x10\x97\x0d\xaf\x8a\xea\x89\xac\xbb\x75\x40\x82\xd8\xf6\x8e\xb4\xa0\x01\x06\x53\xc7\x06\x84\xa8\xdd\x7c\x00\x2b\xa7\xe4\x61\xc8\xdc\xc4\x5c\x22\x86\xda\x34\x27\x35\x14\x18\xcb\x24\xa9\x4d\x65\x56\xd6\x9e\x2a\x31\x9b\x5c\x0e\x69\xe6\xbf\x11\x1a\x9c\x45\x46\x7c\x41\x57\x5f\xdb\xfc\x26\x46\xda\xfd\xa3\x17\x9b\x0f\xca\xcc\x14\x9b\x45\xef\x10\xdc\x13\xf5\xfc\xe2\xe4\xa2\xc2\x2c\x2a\xe9\x92\xbc\x6b\xd5\x13\x23\xe7\x24\xe4\x66\xc7\x36\xdb\x1d\x34\x57\xee\x0f\x7d\xe1\x47\x66\x1d\xba\xdc\x94\x2b\xf0\xdf\x2f\x08\x9e\x98\x03\x81\xae\x88\x8a\xb0\x22\xfb\x54\x5c\x03\x43\xc4\x08\x7f\x2c\x1b\x6a\xe0\xcd\x21\xd0\xfd\x65\x65\x79\x09\x58\xc9\x3a\x67\x59\xa5\x75\x4b\x70\x0a\x6f\x53\xab\xbc\xa7\xd2\x2c\xdd\xcd\xd7\x09\xb2\x79\xd1\x11\xd6\xce\x1f\xd7\x91\xeb\xca\xf2\x60\x48\x09\x86\xb3\x21\xce\xcc\xf9\x55\x61\x8b\x
be\xa2\x78\x1d\x33\x14\x90\xcd\xe5\x73\x47\x93\xab\x07\x5f\x5a\x72\x93\x21\xae\xe1\x77\xfc\x3c\x20\xef\xd0\x79\x74\x46\xe5\x12\xc6\x25\xa3\xbc\x1a\x56\xf4\xc0\x18\x89\xf5\x74\x93\x3b\x72\x6f\x74\x37\xee\x04\x94\x91\xbc\xb9\x1f\x1c\x63\xa0\xb1\x75\xe2\xce\x56\x75\x07\xdd\x35\x4b\xf2\x6b\x08\x05\x9a\xc2\x29\x04\x6a\x6e\x75\xd3\xd3\x21\xee\x63\xc5\xab\xc1\xa7\x40\x9e\x20\x7e\x6f\xc5\x16\x79\xdf\x37\xbc\x7b\xa3\x39\xcb\xce\x32\xd4\x5a\x96\x09\x06\x88\x51\xb0\xa7\xf5\x81\xaa\xed\x7e\x99\x5c\x36\x77\x9d\x07\xc3\x57\xe5\xd9\x76\xf6\xde\xee\x4f\x36\x84\xf9\x7e\x7c\x61\x9d\x3c\xcc\x28\x72\x2f\x13\x0d\x93\x6d\x3c\x07\x3b\x9b\xb5\x19\x4e\xb9\xff\x69\x91\x0c\x6a\x3d\x58\x58\xc2\x86\x2b\xa8\xce\x94\x25\xce\xc1\xe8\x01\x18\x2a\x7f\xb5\xc7\x01\x7a\x41\x85\xd1\x3f\xeb\x35\x38\x29\xdc\x68\x1a\x56\x19\xf0\xa0\x2d\xb6\xeb\xde\x86\x0c\xf7\xc6\x29\x4d\x21\x45\xf9\xa5\x29\x18\x49\x76\x2d\x93\x81\x66\x82\xd1\x91\x89\xdd\x76\x82\x80\xdf\x4a\x68\xc8\x08\x01\xf6\x6a\xba\xbd\xf7\x22\xec\x21\x3a\x7b\x7f\x58\xc4\x61\x48\x68\x69\x00\x66\x9b\xdb\x0c\x64\x3d\x00\x5d\x60\x0d\x95\xc5\xcb\x5d\x28\xac\x4c\xd4\xc7\x02\x22\x94\x35\x2e\xd1\x35\x0c\x4e\x75\xfe\x89\x27\x89\x53\x92\xb0\x06\x2c\x78\x29\x2f\xc1\x5a\xd7\x03\x8d\x1b\xdd\xc9\x94\x53\x5e\x73\xcc\xc3\x3c\x9a\xb2\x33\x11\xd6\xf6\x5d\xe5\x98\xf5\xee\x9f\x91\x34\xca\x4e\x4b\x40\x9f\x21\xb0\xb0\xe4\x0f\x36\xaa\x5c\x78\x2b\x7b\xb8\x64\x70\x7a\xfd\xce\x1e\x7c\xfe\x5a\x27\xc1\xef\x3d\x2d\xc1\x41\x05\xd6\xa4\x89\xb8\x7e\x7a\xe1\x67\xae\x87\xa5\xf3\xcd\xa0\xb8\xa6\x22\x17\x62\x97\xf5\x32\x8b\x79\x69\x0d\xf9\x89\x79\xa4\x80\x6d\xea\x06\x93\x95\xf5\xb8\xe5\xbc\xec\x68\x3f\xd3\x9b\x86\xbc\xef\x86\x5d\xe6\x0f\xe4\x07\x29\x1d\x12\x7c\x4f\x00\x68\xbe\xc8\xae\x95\x73\x8f\xce\x42\x20\x5e\xf7\xcb\xba\x2a\x10\x76\x6e\x32\x19\x1c\xb4\xe5\x0c\x06\xdc\xf6\xca\x3a\xe7\x8c\x0c\xaa\x65\x8f\xd5\x8b\x65\x2c\xab\xdd\xe1\xdf\xa9\xd1\xf5\x4a\x44\x79\xad\x61\xd2\x5a\x47\xff\x08\xb3\x12\x25\x60\x09\x9b\xde\xc5\x5d\xeb\x11\x0e\x40\x6e\x08\x59\x53\x40\x88\x7e\x49\x67\x74\x54\xb6\x
08\x60\x15\x3c\x4b\x1f\x7c\xeb\xef\x25\xda\xd0\x82\xf4\xd3\x40\x20\x78\x29\x8b\xfd\x39\x0b\xc7\x66\x23\x45\x95\x91\x8c\xbb\x3b\x6c\xdb\x99\x61\xe1\xbb\x1d\x4f\x7c\x7f\x24\x01\xa8\xd8\x0a\xc6\x2b\x14\x62\x4a\x3b\x16\xd9\x70\x46\xfc\xef\x8d\x02\x5d\xeb\x79\x40\x94\xd2\xce\xa5\x0c\xcb\xe2\x72\xe1\xc7\x9a\x71\x67\x80\x3c\x40\xa4\xcc\xee\x13\x84\x44\xe7\xa4\x15\x34\x77\x83\xbf\xe0\xff\xda\x3d\x50\x01\x6d\x0f\x6b\x1b\x06\x12\x6f\xcd\xd9\x23\x7a\xac\x40\x0b\x85\x49\xe4\xc1\x91\x7a\x25\xdb\x59\xcd\xba\xe2\x9d\x1e\xa5\xbd\x7d\x25\xc5\x75\x02\x2d\xc5\x5f\xf3\x2e\xd4\x2a\x61\x0e\x23\x94\x79\xbe\xab\x0d\xd6\x2a\x30\xa4\xfb\xed\xa0\xfc\xfe\x1d\x0b\x61\x3a\x8d\x06\x69\x33\x46\x6a\x9a\xb3\x12\x62\x70\x1d\x08\xe7\x79\x28\xf8\x8c\xf8\xa8\x38\xe9\x72\x98\x93\xe5\x50\x70\xef\xcc\x83\x73\x6f\x3c\xb3\x2e\xef\xc0\x8f\x24\x0d\x44\x9a\x61\xcd\xf2\x11\x6c\xe4\xea\xe7\xb9\x66\x9c\xe6\xfc\x52\x8b\x98\x34\x01\x2b\x0f\x7c\x54\x25\xc2\x62\x23\x7a\xe8\xa3\x01\xb6\xcf\xc0\x3a\x57\x9c\xb1\x09\xdf\x41\x7d\x85\x14\xaf\x61\x2d\x32\x0d\x0e\xd9\x6b\x7f\x7e\x4a\x48\xaa\xa3\x0f\x6c\x8f\x42\x7d\xb2\xf9\x81\xbe\xf3\x60\xb9\xd8\xc2\x77\xc8\x4a\x80\x15\xf4\x9b\xb8\x84\x0d\xfd\xbf\xd5\x40\x2a\x05\x3f\xbe\xdc\x07\x51\x58\x7e\xbf\x6d\xf4\xd6\x92\x85\xcc\x39\x8e\x98\xa7\xfc\xd6\x88\x76\xeb\x2b\xf6\xf9\x4f\xc0\xd0\x3d\x7a\x93\xb1\x44\x6c\xf2\xac\x7e\xc1\x1f\x8c\x3b\x62\xfc\xc0\x74\x1c\x37\x6d\x15\xcc\xd8\xdc\x9c\x85\x92\x94\x53\xa1\x77\xbc\x24\x24\xb3\x74\xcc\xad\x51\xa5\x7b\xd0\x52\x90\x24\x1e\x00\x38\x9e\x5d\x97\x33\xda\xc8\x43\xb2\x5f\x43\x94\xdb\x45\x0f\xe1\x6f\xdc\xbb\x56\x33\x37\x90\x04\x4d\x65\xad\x60\x6a\xe8\xca\x97\xce\xec\x3f\x80\x9d\x78\x90\x49\xa3\x29\x88\x81\x33\x9d\x2e\xd1\x60\x2f\x2b\xf2\xbd\xe3\xcc\x87\x16\x3c\xf1\xdc\x3f\x8e\x32\xe8\x59\xac\x7b\x2d\x27\x1a\xe4\x2a\x7a\xd0\x5e\x6f\xda\x9b\x98\xc1\x4b\xe9\xa3\xf6\x5b\x16\x25\x37\x43\x99\x59\x82\x23\x7d\x31\x30\xd1\x5a\x18\xf8\xf5\x32\xa8\xd0\x27\x3e\xab\xb3\x38\x67\x02\x85\x98\x33\x84\x47\x81\xdc\xeb\xf2\x16\x4f\x0a\x4b\x14\x11\xd8\x82\x99\xfa\x82\x
e7\xba\xb7\x1a\x08\x36\xd5\x0b\x41\x8a\x6a\x47\xf7\x47\x22\x0f\xef\xee\x26\x85\xaf\x32\xc2\xde\x7c\x33\x75\xcc\xa1\x19\x14\xf2\xda\x17\xec\xc4\x6e\x63\x5a\xfd\xa8\xc3\x6f\xef\xf1\x0c\x7d\x6e\xbd\xcf\x7d\xa4\x41\x4b\x4f\xdb\x28\xc4\x2f\x73\x8c\x95\x61\xa6\x56\xb0\x1c\xa0\xbc\xb0\x22\x4e\xc8\x03\xe6\xa2\x38\x64\xe0\x14\x38\x97\x4b\xba\x22\x36\x92\x12\xca\xf0\x53\xe5\x60\xcf\x11\xac\x83\xec\x04\x85\xf5\x70\xf6\xe5\x36\x74\x42\x43\xc2\x11\xfd\xc0\x3c\xb3\x59\x04\xf1\xb3\xad\x1e\x79\x65\xd4\x73\x1a\xa0\x48\x21\x5d\xbe\x3b\x33\xd0\x96\x3b\x0d\x5c\x0e\xcc\x90\xfa\x99\x99\x7f\x19\xb5\x83\x57\x48\x68\xb4\x08\x1c\x9e\xa2\x71\x23\x43\xb9\x18\xd2\x2f\xa3\x7e\x8d\xf4\xdb\x67\x0a\x4b\xe4\x29\x5f\x69\x9c\x92\x4c\x4b\x7f\xeb\x71\x10\x3d\x9a\xef\x02\x70\xde\xd2\x9d\x4f\x42\xaf\x37\xa4\x87\xe2\xbc\x8d\xc0\xb0\xbd\x3f\x68\x70\x38\x5a\x1a\x8a\x98\x42\x20\xf7\x9a\x47\xa9\x81\xe9\x87\xdc\xa4\x46\x95\xce\x64\x87\xd5\x3c\x01\x90\x10\x54\x3b\x20\x42\x22\xef\xae\xf7\x20\x8d\xfa\x23\xf8\x08\xc4\x56\x13\xd5\x14\x46\x8b\x97\xfe\x57\xdf\x91\x1e\xac\x0c\x90\xed\x04\xf0\x06\x49\x32\x1c\x3a\xbd\x27\x01\xec\x1a\x01\x22\xb4\xbb\x48\x37\x7b\x5e\x92\x51\xc0\x20\x3f\xaf\x08\x98\x26\x0f\xf7\x47\xc5\xa8\x2e\xed\x23\x42\x50\x15\x88\x51\xa5\x09\x06\xac\x54\x92\x71\x9f\x97\x0a\x90\x62\x00\x5e\xf1\x67\x55\x76\x35\x1a\x8b\x3d\x9d\xda\x73\x5c\xc6\x5b\x82\x09\xe9\x86\x68\xb8\xd4\x97\x88\x5f\xb1\xd9\x1d\x89\x3e\x3e\x3f\xe9\x6d\xbf\x56\xb6\x1c\x60\x6a\x84\x63\xc4\x1f\xd8\xc9\xbe\x64\xdf\x1a\x59\x56\x27\xfc\x71\x14\x38\xee\xa8\xdf\xb7\x32\x35\xa4\x7b\xe9\xc0\x37\x04\xfe\xda\x19\xe5\x4f\x65\xa2\x87\x62\x94\x49\x5a\xca\x4d\x61\x1c\x9b\x43\x84\x29\x15\xfa\x7a\x51\xe4\x5e\x16\xc7\xd2\x28\x17\xc1\xb1\x59\xe0\xbf\x53\xdf\xfe\x16\xed\x63\x41\x61\xbe\x4c\xc9\x16\x9c\x95\x2b\x0b\xb5\xfb\xf4\x45\xae\xe0\xe9\xd3\x86\xd3\x00\x61\x18\x57\xc7\x0e\x95\xcf\x2e\x42\xa3\xe7\x9b\xf7\xc2\x02\xb7\x7c\xe4\xf5\x2d\x5e\x8d\xdf\x50\xd5\xdb\x3f\xa1\x0e\x95\xf2\x4d\x65\x61\x86\xd3\x56\xde\xdc\x85\xc6\xf8\x68\x4b\x81\x02\xeb\x01\x9c\x18\xda\x
8a\x66\x3d\x70\xbe\x24\xea\xd9\xf1\xdc\xed\x78\xbd\x06\x8a\x6c\x9b\x32\x4d\xd7\x47\x73\x43\x18\xeb\xc6\x2a\x4a\x9c\x74\xeb\x34\x22\xcc\xde\xe0\x2f\x94\x7c\x1a\x76\xe7\x38\x54\x28\x06\xff\x2c\x9c\x85\x1a\xb7\x12\x17\xf7\x53\x9d\xa9\xc3\x35\x0a\x1f\xbd\x5e\x53\x90\xa0\x48\xcc\xac\x1f\x54\x13\xab\x2d\x81\x47\xd7\xb2\xd7\xd4\x93\x3e\x24\xd7\xff\x0d\x16\xfa\x34\xe2\x38\xe9\x31\x62\x27\x30\xda\x47\xe8\xee\x85\x35\x49\xf5\x7d\x8c\xd0\x41\x1f\xd3\xdd\xcd\x5d\x6b\xf3\x63\x88\xd0\x36\x86\x62\xf9\x5d\xae\x7d\x3b\xcb\x93\x2d\x62\xe0\xf8\x95\xa5\x6b\xd8\x79\xd1\xf5\x70\x43\xeb\x6a\xd4\x6e\x35\x97\x6c\x4f\xa6\x24\x42\x21\xe9\xa6\x8f\xb5\xa9\x3f\x25\x68\xc1\x77\x2a\xd1\xfa\xef\x2a\xab\x00\x21\xfe\x7d\xbc\x57\xf3\xa7\x77\xdd\xfe\x61\xf4\x1c\xc3\xf7\xdb\x0b\xbf\x63\x7b\xd4\x8f\x72\xd1\x1d\xd0\x52\xfb\x4e\x32\x52\x0d\x41\x39\xce\x9b\x92\x06\x21\xf1\xeb\x6f\x37\x88\x71\xf1\xe7\x94\xc3\x87\x59\x65\x0a\x0a\x74\x2c\x0e\x34\x03\xb6\xbe\x88\xe3\x19\x20\xc0\xf3\xaf\xb5\x8c\x68\x6b\xea\xee\x1d\x65\xd6\xd8\x3b\x8e\xaf\xa7\xd0\xbc\xaa\xef\x87\x5e\xfa\x7a\x27\x37\x1c\xac\x05\x99\xd4\x1b\xa5\x1a\xa5\xce\x65\xce\x48\xbc\xa2\x4d\x4a\x43\x8e\x6e\x3a\xc3\x3c\xf1\xfc\x7c\xd8\xcc\x3c\xd9\xb7\x51\x16\xb5\x3a\x09\xd9\x81\x41\xfc\xcd\xf0\xb0\x8d\x8f\x9d\x6e\xfd\xed\x52\xd1\x01\xc3\xed\x6b\x27\xf6\xc6\xe4\x2f\x9b\xa1\x99\xf3\x9c\x9a\x33\x77\x28\xbd\xe0\x5b\xbe\xee\x63\xe4\xdc\x68\x0e\xcf\x0f\x02\x0b\xcb\xbb\x7b\x6a\xd0\xba\x9b\x2a\xa6\x14\x39\x1e\x8a\xa4\x15\x52\x13\x73\x56\x95\x3e\xf2\x15\x35\xca\x4e\x32\x20\xa2\x6f\x06\x1c\x7e\x78\xeb\x42\x42\x88\x98\x16\x95\xe6\x51\xf6\xda\x90\x57\xc6\x11\x02\xf5\xd5\x8d\x33\x13\x58\xd6\x91\xce\x1b\xd7\xf6\x81\x60\xcb\x76\xfe\x77\xf0\x3f\xfd\x46\x0e\xcd\xa1\xfd\xb1\xa7\x83\x33\x89\x3f\x1d\xc5\xd0\x35\x7d\xc2\x43\x35\xd3\xf1\x2d\x7d\xf9\x13\x31\x69\xd9\xd2\x14\x45\xb6\xa5\x81\x95\x66\x3d\xa0\x33\x06\x31\xb7\x32\xc1\xdc\xc3\xe6\x58\xf2\x37\xf0\xf6\x9a\x11\x60\x2d\x4c\xac\x64\x68\x35\x3f\xaf\xcb\xf4\xca\xd1\xa3\xa2\x6d\x2d\xed\xdb\xa7\xcc\xc8\x86\x34\x7f\xf0\x59\xda\xcf\x
96\x96\x98\x00\x18\x53\x30\x7a\x3c\x5b\x36\x34\xde\xa1\x62\xe6\x3b\xd2\x7b\x7c\x9d\xab\x63\xa6\x70\x59\x29\x9d\x69\x42\x67\x5d\x10\x68\x8a\x79\x7d\x6b\x51\x63\xea\xb8\x3b\x45\xb1\x84\x60\xc2\x8d\x6a\x83\x37\x1e\xca\x62\x6e\x9b\xdb\x94\xb9\x0a\x11\xa7\xfb\x7f\x7d\x9f\xec\x0d\x77\x3c\xc0\x56\x66\x36\x29\x2c\x7d\x90\xde\x64\x79\xae\x9f\xfc\xe8\xc3\x4e\x28\x4f\xf2\xfb\x4d\xa4\xc0\xb4\x62\x9a\x02\x3f\x1e\x9c\x1e\x79\xc5\xd6\xba\xe6\x25\x2c\xd4\xa3\x01\x53\xe8\xc1\xeb\xf0\x83\x89\xc2\x06\xd6\x6b\xec\xe9\x02\xed\x87\x7c\x36\x75\x6b\x3f\x9c\xaf\xe8\x41\xca\x61\xbf\xf3\x15\xfa\xe3\xaf\x3a\x18\x56\x3f\x71\xa7\x7e\xeb\x6f\xde\x0d\xb2\xce\xa7\xfe\x49\x4a\x78\x39\x1a\xfc\x1b\x21\xb2\x33\xe0\xc4\xb4\xa1\xa2\x3e\xee\x6f\xeb\xa1\xae\xe1\x12\x4e\xb0\x4e\xc4\xd2\x3b\x6a\xe5\xcc\xaf\x13\xac\xdb\x65\x6c\x72\x70\x7f\xed\x01\x0f\xc4\xab\x31\xba\x09\x3a\x22\xfa\x85\xe4\x73\x89\xac\xaf\xe2\xa2\x22\x98\xe5\x1d\x36\x73\x26\x95\x00\x8e\x65\xaf\xfd\xa7\x56\x13\xbb\xd2\x2f\x86\x9b\x05\xe9\xda\xfe\x41\x1d\xa8\x54\x9f\x14\x1e\x01\x8b\x36\x20\x49\xc6\xaf\x4e\xd7\x82\x37\x81\x72\xc5\x5a\xe7\xb1\xd0\x05\xa1\x90\x86\xc2\xab\x19\x74\x2f\xf7\xf9\xb3\x29\xdc\x56\x7f\x61\x47\x30\xef\x3e\x74\x78\xb6\x22\x09\xec\x2d\xb9\x0f\x3a\x60\x37\xaf\x0c\xb7\xbd\xcc\x8b\xad\x8b\x32\x86\x4a\x41\x67\xa3\x70\xd0\xf9\x16\xdc\x75\x1f\xb2\x8e\xe9\xc8\x00\xe5\x9e\x2e\x37\x20\xdb\xff\x36\x3b\x28\xcf\x26\x98\xfd\xb3\x06\x1b\xc3\x91\x97\x67\x7e\xfb\xca\x4f\x86\xda\x8a\x97\x6a\x1f\xe5\xf9\xe1\x83\xab\x9f\x3b\xdc\x9a\xb6\xae\x44\xb8\x71\x3a\x1e\xe0\x7b\x89\x4b\xf3\x74\x90\x46\x4f\x9d\x2c\x4f\x5a\x2a\x46\xc6\xb3\x03\x53\x43\xb9\x26\xdc\xa5\xd9\x93\xec\xb0\x74\x19\x1d\xf0\xe5\x0f\xbb\x11\x4c\x82\xb3\x69\xe1\x9d\x8c\xe9\x58\x02\x5e\x12\xa6\xe1\x35\xc3\x3c\x4e\x70\x40\xf2\xe5\xe4\xab\xb1\x43\xba\xfb\x7c\x71\x21\x44\xa9\x91\x09\xb0\x0d\xfd\x72\xf6\x6d\x6a\x5d\x7d\x1e\x6a\xea\xef\x79\x4f\xa4\x04\x57\x53\x28\xfe\xef\xd9\xc2\x08\xae\x71\x02\x36\xda\x12\xde\x52\x5c\x78\x40\x3e\x78\xfd\xcf\xb5\xcb\x34\x48\xf9\x38\x09\xea\xdb\xf8\xc6\xca\x
ec\xa7\x02\x83\x3a\x3d\x30\xbb\xaf\xe9\x4c\xa1\x4b\x5e\x91\x86\x4a\xa5\x75\x40\x94\x98\x93\x9c\x5b\x2c\xce\x2d\x33\xd1\xf1\x4a\xe3\xd7\x16\x9f\xfd\x51\xa7\x42\x1d\x2b\xe6\xa4\xf6\xce\x0d\x7f\xd5\xdd\x83\x4e\x02\x0c\x3e\x69\xcf\x5d\xeb\xe6\x9e\xe8\x63\xf5\x70\x2b\xab\x78\xfe\xcc\xd2\x85\xab\x47\x2b\x56\xd1\xc0\x6c\xe4\x0a\x79\xef\x15\xc0\x72\x36\x16\x36\x31\x74\x13\x72\x66\x43\xc9\x50\xc6\x7e\x57\x6f\xfd\x80\xd5\xf8\x08\x07\xb6\x72\x97\x36\x54\x7b\x00\xa0\xd4\x58\xe9\x3b\xf9\x64\xf4\x7d\xa3\x50\x77\x47\xec\x32\x3d\x31\x08\xc4\x49\x82\x62\x24\xea\x09\xaf\xa3\x66\x13\x33\x1a\x96\x1c\x5c\xf2\x59\x25\x2d\x0d\xac\xb5\x02\xfb\xc9\x87\xbb\xf6\xb1\xc8\xc6\x22\x5a\x6c\x0e\x65\xeb\xb5\xa5\x59\x45\xc5\xa0\x64\xec\x34\x6f\x84\x27\x0e\x3b\x38\xa1\x2a\xe7\x2c\x17\x80\x99\x75\xad\xa7\x2b\xad\x05\xa1\x2f\xda\x83\xf1\xb0\x0a\x42\x31\x04\x81\xca\x2a\x09\x90\xb6\x63\x96\x4e\x19\x4c\x92\x5c\x99\xce\xe8\x62\x79\xf6\x2c\x64\x54\x8a\x57\xd3\xf1\x67\xd6\x21\x3a\xcc\xbe\x67\x9a\x9f\xc2\x04\xd2\x10\x31\xf6\x4b\xd5\xf6\x8e\x8c\x75\xcf\x80\xaf\x20\x7c\xba\x25\xaa\x42\xfb\xc7\xdf\x07\x34\x25\x70\x00\xe5\xe9\xc2\x23\x36\x6d\x1d\xf4\x6f\x50\x8b\x8a\x8f\xba\x49\x33\x35\x2c\xb7\xc3\xf0\xe2\x5d\x66\xd8\xc5\x12\x9b\xdc\x46\x7d\xcd\xaf\x4f\x4a\x87\x1f\xea\x52\xb7\x07\xc8\x5c\xa1\xad\x30\xf0\x08\x04\xba\x50\x0c\xfb\xb2\xee\xe1\x8c\x68\x42\x09\x1c\x12\x0f\xf9\xf5\xfe\x91\x5a\x75\xa6\x23\xe5\x40\x7e\x77\xb2\xf2\xd7\xaa\x46\xe2\x4c\x96\x98\x6a\x60\x86\x55\x17\xc2\x67\x94\x5d\x39\x16\x92\xa1\xd3\xfe\xff\xc9\x35\x57\x67\x87\xc9\x0d\xa8\x46\xf9\x59\xe2\x6e\xef\x2f\x98\xce\x0b\x13\x17\x4f\xe4\x56\xc5\xd3\x3f\xb6\xbb\x65\xe8\x60\x3a\xf4\xf1\x02\x92\x9d\x84\x22\xb8\xbb\x5a\x24\xe0\xbe\xc7\x21\x4e\xe2\x3d\x9b\x8d\xd0\x7e\x7d\xaf\x18\xd8\x3f\xa6\x6d\x84\x9b\x91\xc7\x08\xf9\x9b\x46\x85\xc7\xb5\xdc\x95\x6d\x95\xc7\xfc\xea\xe7\x75\x9f\xea\xa0\xd2\xa0\x1f\x26\xb1\x7b\x9e\x5a\x23\x0c\x18\xc6\x10\xa7\xe7\x24\xdb\x79\xbe\xcd\x4a\xc0\xf1\x76\xbc\xf2\x04\x49\xe9\x0c\x3f\xae\x89\xc3\xa9\x93\xe2\xf9\xc5\x1e\x42\x8d\xc0\xbd\x
df\x67\xa7\xcd\x11\xf9\xce\x0d\xaf\xb4\x27\x7c\x32\x81\xb8\x8f\xa7\x13\x8d\x21\x7d\x79\xfe\x3e\xd7\x2b\x19\x5f\x27\x82\x0e\x33\x22\x9c\x5a\x6d\x7f\x49\x37\x20\xf9\x19\x0a\x1c\xb2\x29\xa3\xbe\xa0\xa7\x8f\x62\x9d\x00\x59\x3c\x98\x8c\x2d\x3f\xa0\x9f\x89\x35\xe2\x5b\xcd\x4c\xe0\x27\x6a\x16\xf2\x30\x6f\x7c\xbc\x89\x12\x52\x35\x91\xed\x88\x92\x1a\xa7\xae\xfe\x26\x71\x2f\x81\x02\x89\x06\xd7\x30\xfb\xe8\x19\x95\x52\x1e\x02\xe3\xdd\xfc\xa0\xf8\x81\xcb\x98\xa6\x61\xd2\xcf\x8d\x1f\xc3\x10\x84\x5d\xf4\xec\x58\x8c\x2b\x30\xfd\xfc\xe1\x81\xe6\xef\x9a\x65\x4e\x83\xfa\x69\xb7\x73\xfb\x51\x71\x77\x74\x93\x6e\x6d\x03\x77\x54\x78\x2f\xbf\xf1\x3d\x32\xa5\x0c\x75\xe2\x75\x3b\xca\xf4\xae\x37\x35\x26\xe6\x10\x60\x5f\x07\xc6\x77\xae\xda\xc8\xda\xf3\x79\x28\x3f\x2e\x59\xae\xdd\xe2\xc0\x19\x53\xd1\xbe\x45\x91\xef\x16\x5c\xa1\x90\x6d\xeb\xdc\x0b\x8e\x47\xde\xf1\xa3\x4d\x3c\x3a\x4c\x12\xea\xe8\x96\x68\xd1\x43\xd1\xb0\x98\x4f\x94\x50\x44\x70\x9d\xf8\x68\xd0\x97\x55\x14\xdc\x10\x93\x09\x0b\x0f\xe4\x29\x62\x34\x5e\xf4\x0b\x0d\xd8\x4f\xf7\xa2\x0f\x39\x4d\x5b\x3f\xc5\xa5\x5d\x69\xb4\xbb\xd0\x0b\x53\xe3\x17\x4c\x76\x0c\xb9\xc7\x9f\x27\x52\x75\x55\x8c\x69\x67\xf0\x3c\xb7\xb5\x4e\xc6\xc2\xa8\x60\x2a\x55\x57\xc4\x8e\x0c\xce\xae\xbc\x38\xc4\xcb\x35\xf1\x71\xfa\x42\x62\x2b\x1e\x8b\xe6\xdd\x32\x33\x75\x03\x3e\xde\x7b\xea\x93\xb6\xd6\x67\x75\x8f\xb9\x97\xcc\xee\x89\x6c\xb3\xa0\x3e\x47\xfe\x8b\x51\xbf\xef\xd7\x16\x5b\x4b\x16\x25\x46\xc2\xe4\xd4\x67\x10\x35\x3b\x73\xf6\xf1\xde\xa1\x7e\x44\x2b\x82\x72\xf6\xaf\xf9\x9c\x86\x43\x72\xe4\xc3\xe5\x63\x1b\xb7\x39\xb5\x9a\xd1\x23\x5a\x18\xaf\x7d\x59\xb7\x93\x20\xa4\x1b\x7c\x0e\x8d\x64\xd5\xa7\x94\x81\xcc\xe1\xe3\x1b\x33\x4a\xb3\x3e\x92\xe6\xa4\x29\x7f\x3d\xef\x0f\x1b\x34\x67\x5c\x7d\xe9\x10\xfe\x38\xe4\x94\xee\x01\x4b\xb8\x44\xe7\x07\xbd\x30\x2b\x24\x78\x6b\xd6\x06\x2b\xac\xb8\x2d\x52\x7a\xcd\xca\x23\x6f\x21\x7b\xf0\x47\x47\x42\x47\x6e\x6a\x93\x25\xd9\xee\x28\x2d\xee\x43\x63\x6b\xeb\xa5\x41\xe6\xaf\x65\xba\xb1\xf5\x82\x33\xa6\xf5\x58\xd8\xc6\x01\x9f\x4e\xe4\xc8\xe8\x
33\xea\x16\x18\xb0\x53\xb3\xcd\xb8\xf8\x8f\x09\xce\x12\x25\xa6\x8f\x31\x9d\xe5\xbc\x58\x3e\xb3\xd2\x2f\x27\x32\x34\x3e\x9c\x0a\xcb\xd8\xef\xde\x7d\x9c\x0f\x22\x40\x6b\x9d\x1b\xeb\x10\xe7\xbc\x92\x80\x7c\x7b\xbd\xc0\x0b\x1d\x88\x53\x4e\x65\xdb\xa2\x56\x21\x67\xe2\xcf\x12\xa6\xf4\xb1\xe8\x9b\x24\x95\xbe\x63\x1f\xe9\xa7\xaf\xaf\x3e\x44\x02\x54\xa2\xda\x7e\xeb\x26\x1b\x40\xb4\xb2\xc8\xa2\x25\x7d\x75\xb0\x9b\x85\xb8\x1d\x79\x54\xac\x55\x31\x3a\xc4\x99\x0c\x54\xae\x40\x79\x3c\x21\x58\xcf\xeb\xf3\x29\xb2\x67\x40\x5d\xd2\xa5\xe7\x61\x54\xd2\x1d\x74\xed\xd4\xa1\xe0\x86\xf0\xf2\x40\xe7\x19\x96\xa0\x4e\x8f\x96\xec\x88\x22\xbc\x5f\xc9\x18\x38\xd1\x7d\x97\xb0\x3c\xab\x99\x58\x33\xaa\xd9\xfe\xd8\xdb\xd9\x44\xfc\x11\xab\x74\xfc\x51\x5f\xd8\xbc\x5c\x06\x74\x24\xd3\x2d\xbb\x99\xe4\x9e\x0d\x42\xa5\x97\xdd\x80\x73\x17\xd6\x69\xdf\x7c\x08\x97\x9d\xd6\x47\xca\xe4\xb9\xd1\x23\xa6\x44\x03\x7c\x68\xfd\x7b\x45\x4d\x15\x8b\x51\x28\x18\x5b\x7a\x07\x1b\x77\x45\x3e\x29\xef\x51\x83\xc0\x3f\x3d\xac\x27\x58\xfa\xd6\x67\x3d\x17\xb9\x5a\x42\xd4\x28\xb5\x6d\xd7\xac\xd6\xb4\x4a\x15\xf8\xa6\xac\xc4\xc7\x3d\x23\xfd\xdf\xc4\x4f\xe5\x7a\x9a\xdd\x19\x57\x96\xcf\x45\xc0\x00\x6f\x6a\x24\x16\x0d\xfb\x87\x98\x62\xb0\x11\xe7\x4b\x88\x0f\x5a\x4f\x5d\xc8\x05\x3a\x1f\x2c\x7d\x0e\x1d\x77\x2c\x62\xca\x02\x8b\x09\xce\xba\xc8\x8e\xa7\xa8\xa1\x85\x59\x96\x20\x16\x74\xf2\xeb\x71\xac\x52\x6c\x0a\x0e\xc4\x49\x3d\xaf\x01\xa5\x51\x6d\x2b\xf8\x8b\xd8\x11\x72\xa2\xf7\x5f\xaf\xb3\xcd\xe2\xc9\x2b\x7a\x02\x0e\x07\x67\xcb\xda\xdf\x65\x57\x55\xc3\x71\x5c\x6b\xf9\xcc\x3d\xf3\x8c\x38\x34\xa7\x24\x95\x05\xa6\x89\x48\x0c\xa3\xa9\x78\x79\x2a\xe9\xbe\xfd\xfb\x3f\x25\xe3\xdf\xec\x22\xa9\x0d\x66\xac\xbc\xe1\x63\x3a\x29\x7c\xc2\xbe\xd9\x75\x73\x1f\xbc\x97\xc0\x9d\xa8\x94\x22\x65\x33\x6d\x17\xb1\x3a\x52\xef\xff\x98\x62\x6a\x8b\x7b\x18\x8c\xfb\x9d\xfd\x33\xeb\x28\x76\x34\x08\x73\x2b\xba\xe7\xb8\x01\x22\xa9\x1a\xd9\x81\x38\x97\x75\x7e\xff\xb8\x43\x58\xdb\xd6\x2b\x01\x33\x24\x1a\xb9\xaf\xa7\x9e\x35\x3f\x5e\x7d\xb9\x16\x39\x21\xd6\x5e\xfc\x93\x
e4\x08\xbc\x38\xff\x95\x84\x29\x05\xa9\x13\xd0\x84\xd2\x4f\xa2\x23\x59\xdf\x71\x0b\x39\x69\x4d\xe2\x40\x38\x98\x31\xe3\x44\xe9\xd5\x33\x2a\xc0\xc5\x48\x4e\xdc\x3a\x9a\xc6\x12\xf6\x68\xe4\xe7\x81\x80\x10\x9e\x12\x49\xef\x5d\xc2\x7c\xfd\xed\x52\xea\x37\xef\x3a\x7d\x1d\x02\x88\xa9\xf7\x53\x2f\xb9\xf3\xa3\x80\x29\x4c\xf0\x33\x29\x62\x8f\xe8\xfa\xc3\xb8\x12\x11\x30\xbc\x3d\xff\x51\xed\x6f\x83\x00\x80\x67\x86\xf9\xe5\x05\xde\x5d\x25\xd6\x87\xc4\x02\xc0\xbe\xdb\x7d\x41\xcd\xb9\xcf\xb8\x77\x14\xba\x29\x28\xbe\xce\xcb\xe1\xaa\x32\xdf\xda\x00\x17\x07\xc7\x84\xce\xe7\xf6\x46\x48\x77\xef\x87\x98\xc1\x60\x8c\x48\x7c\xe0\x88\xd0\x73\x08\xb4\xf1\x67\x2f\xb2\x8e\xfa\xd8\xae\xe8\x45\xff\x99\xe0\x0d\xb8\xd0\xa4\xef\xf1\x0e\x7e\x04\x82\xe1\x0d\x2d\x4f\x53\x6b\x90\xa1\x7f\x2c\xd0\x64\x99\x58\x61\x9a\x3b\xfc\x4c\x72\x65\x4a\xb9\xa0\xda\xe3\x09\x9d\x69\x58\xcc\x43\xac\xee\x94\xa4\x50\x15\x24\xe0\xa9\xdd\x76\x70\x0d\x81\x46\x1f\xfc\x9c\xde\x22\x27\x15\xd4\xc8\x91\x7c\x2e\x53\x56\x0b\x63\x53\xa0\x98\xc9\x48\xce\x16\x13\x1b\xca\xc5\x69\x48\x46\x94\x26\x57\xfb\xbd\x47\xd1\x4f\x0b\x9e\x6e\x0e\x38\x3e\x7d\x60\xef\xe2\xd9\x93\x5c\x04\xdf\xee\x10\xe2\x2f\x47\x4c\xf3\x82\x32\x9c\xce\x12\xae\x8d\x21\x0f\xfb\xd1\x7d\xd0\xf1\x86\x8f\x6c\x10\xaa\x34\xdc\x1f\xb7\xbb\xb7\xa2\x5d\xb0\xcd\xb0\xaf\xcb\x3a\x52\x34\x45\x56\x4c\x6b\xc6\xc0\xf8\x43\x3a\x67\x75\x88\x18\x52\xd9\x97\x0a\xa4\x20\x3c\x92\x58\xa9\x44\x27\x41\x68\x89\x9d\x5a\x81\x5d\x66\x50\x37\xda\x71\x6d\x53\x04\xe4\xf2\x6c\x28\x9a\x46\x38\x4b\x96\x5f\x2c\xa5\xaa\xcc\x1c\x81\x23\xb5\x4c\x14\xe8\x3a\x59\xb9\x97\x99\x64\x88\x14\x79\x77\x84\x25\x4e\x3f\xcc\xca\x53\x79\x0c\xe3\xf0\xc2\x4b\xa0\x17\x22\xd4\x2b\xaf\xfc\x81\x68\xa3\x6c\x95\xb5\x38\x8d\xef\x13\x7e\x6c\x92\x9e\x2e\xd1\x42\x99\x10\xd1\x38\xe7\x91\xf8\xc4\x5c\x37\xea\x0b\x8d\x5f\x25\xdb\xb2\xb4\x3a\x4c\x2e\x05\x27\x32\x7a\x58\x47\xdf\x44\xa2\x14\x22\x23\x30\x14\x4d\x26\x44\x63\x66\x76\x4f\x81\x6d\xb2\x84\x7b\xba\x48\x60\xf2\x2d\xca\x28\xae\xa5\xba\xd2\x98\xdc\x4e\x58\x88\xce\x73\x7b\x16\x96\x
c9\x52\xc2\xa5\x15\x57\x4d\x10\xd4\xd2\xc3\xd0\xa2\x12\x32\x42\x2d\x0d\x60\x07\x45\x86\x2a\x31\x51\x3c\x97\x8c\x84\x42\xbe\xba\xb3\xe3\xef\xbc\x5b\xf0\x65\x72\x70\xd1\xdb\x26\xe9\x79\xcf\x50\xef\x7a\x3c\xfe\xe8\x80\xf7\x7a\x0b\x80\x2c\x7b\x37\x1b\xf9\x66\xa5\x41\x3d\x68\x74\xd9\x11\x1e\x7b\x98\xa9\x72\xbe\x26\xe2\x8f\xa9\xec\x1f\x77\x93\x91\xe3\xa4\x91\xd5\xe8\x69\x5f\x73\xd8\x87\x73\xa3\xd4\x06\x82\xff\xe1\xce\xa2\x37\xfa\x5a\x91\xd4\x8b\xd8\x2d\x8e\xcd\x25\xe6\xa6\x29\x2d\x17\x77\xe3\x8b\xe3\x7c\xcc\x8d\x96\xcf\x9d\x19\x1b\xa9\x05\x85\xe7\x28\xdc\x41\x5b\xc4\x06\xfd\x94\xe5\x3c\x67\x40\x71\xdf\x12\xea\x08\x9d\xcd\x94\xf9\xd9\x6b\x03\x86\xf7\x26\x05\x12\x67\xc9\x6e\x5c\x3d\x79\x49\xe8\x55\x02\xb5\xda\x43\xf1\x04\x93\xba\xa2\xfd\x77\xa0\x2f\xaa\xca\x33\x55\x8f\x78\xf0\x9f\x00\x43\x3b\xa9\x91\xef\x1b\x40\xc5\x99\x90\x39\xbe\xe1\x77\xfd\xa3\xba\x5d\xc0\x92\x51\x62\xe5\x9a\x8e\x32\x7c\x19\xe7\xd4\xe0\xaa\x8f\x13\x71\x07\x02\x71\xe0\x03\xce\x63\xf4\x27\x26\x5b\x6a\x2d\xfb\x1d\x68\x64\xf8\xcd\xf2\xa9\xd0\xf8\xb3\x8e\x57\x71\x2b\x85\x43\xa2\x0b\xe5\x02\x4a\xef\xfd\x25\x0a\x10\x6e\x78\x3a\x08\xa5\xae\x38\x5a\xc9\xa5\x76\xb3\xc1\xb0\x90\x36\xc5\x0f\x1a\x8d\x56\x99\xf1\xba\xd3\xd1\x69\x68\xf1\x1e\x9b\x1f\x54\xef\xdf\x3c\x2e\xc0\x3a\x1f\x12\x4a\xb5\xe5\xc4\x53\xd1\x9b\x93\x9b\x68\xd0\xa3\x39\x95\x1b\x5b\xb5\x5d\xa3\xeb\x45\x9c\x3f\x86\xa1\xde\x1b\x8b\x9c\xef\xe6\xe6\x0d\x14\xd8\xc6\x14\x31\x45\xe2\x4a\x85\xe9\xc0\x62\xa8\xf6\xbf\x5c\x9a\x51\xb2\xa5\x07\xff\xdf\x6f\x60\x1c\xd7\xd1\x0a\x7f\x3c\xb1\x6f\x38\xd7\xf2\xc4\x6e\xb2\xc1\xeb\xd2\x05\xd5\xb6\x0c\x5d\x5e\xc3\xd6\x0e\x15\x18\x9b\x9f\x44\x5c\xbf\x29\x17\x7b\x83\x55\xd8\xaf\x6b\xad\x6c\x6e\x3a\xda\xb3\x9d\xf7\x1e\xe2\xcf\x90\xdf\x9a\xb8\x68\x08\xe6\x2d\x1e\xc2\x4f\xf2\xbd\xe6\xfd\x56\xa2\x31\xe4\xe5\x56\xcc\x22\x7f\x5f\xa6\xd6\x17\xd5\x49\xae\xd8\xe2\xe3\x66\x01\x3d\x8a\x2c\x28\x99\xa5\xc7\x52\x62\x0d\x54\x47\x1f\x9c\xfe\x17\xb6\x87\xfe\xe4\x27\x99\xeb\x86\x21\xca\xbf\x3b\x81\x76\xdf\x65\x4b\x20\xf3\x48\xc9\x16\x7d\x70\xe9\x
59\x22\x13\x38\xbf\x47\xcf\x3b\x34\x7d\xdb\x46\xe4\xea\x71\xfc\x82\x50\xcf\x48\x18\x60\x7a\x35\x95\x16\x65\xae\xec\x1b\x46\x84\xa9\xf2\xd5\x40\x39\xb6\x44\xe3\xff\xcf\x5e\xf2\xa2\x67\x3d\x97\x40\x8f\xb9\xc5\xb9\xee\x80\x28\x67\xfc\xfc\xbf\x3c\xed\x42\x95\xe5\x9e\x78\x36\x5d\xe8\xf3\x8d\x98\x06\x6b\xc1\x63\xb7\x55\x56\x8b\xb0\x2e\xec\xa3\x8e\x04\xfe\x45\xb7\x80\x9c\xc4\x42\x40\x23\xa2\x3b\x15\xe3\x74\xe3\x83\xd0\x1e\x02\xdc\x66\x92\x48\x47\xf3\x72\xd8\xad\xc3\xb8\xaa\xdd\xb6\xea\xf9\x57\x5f\x52\x42\x51\xca\x6f\xea\x93\xfa\x33\x57\xe8\x1e\x94\x71\x5f\xbb\xe3\xce\x2b\xbc\x0c\x3d\x44\x7a\x51\x18\xd8\x59\xb1\xa7\x43\xb3\xe8\xee\xbf\xd3\x52\xfc\x50\xc2\x8c\x89\xd9\xfb\xf2\x08\x7c\xbe\xdc\xdd\xad\xd1\x99\x3a\x35\xf7\x1b\xff\x4b\x6e\x91\x90\xfb\x18\x26\xfa\x2b\x30\x89\x01\x87\x61\x65\xc7\x04\x17\xdc\xe1\x6e\xa0\xc1\x97\x55\x74\xbd\xc7\xcc\xf8\xd9\x2b\x3e\x77\x2b\x57\xfb\xad\xee\x74\xfc\xfe\x7b\x73\xdb\xef\x59\xc7\xf2\xe5\xba\x57\xb9\xbe\x68\x43\xe0\x6d\x0c\x13\xda\x2f\x48\x78\x40\x73\x7a\x8d\xfc\x79\x0c\xd5\x53\xc6\x93\xa9\xd1\x26\x8a\x13\xac\xfa\x44\xfa\x5e\x4b\x4f\x0d\xa3\x76\xfc\xc0\xec\x82\x94\xfd\xc0\x18\x23\x89\x7f\x91\x21\x27\xdb\x76\x90\x3d\xf2\xcd\xbf\xb9\x90\x24\x00\xc8\x6b\xf5\x26\xdd\xbb\x47\xc8\xe4\x9b\x67\x30\x55\xf7\x0a\x7d\x90\x08\x1c\xd3\x19\x64\xe0\x51\x9d\x50\x4c\x17\x1c\xd4\x1a\xb7\x99\x79\x16\xa7\x11\xcd\xec\x24\xf8\x0f\x80\x39\xce\xc9\xf6\x5b\xfb\xfa\x93\xe7\xbf\x22\x83\x51\xa8\x18\x92\xe5\x71\x80\xae\xce\x3e\x6b\x0f\xf3\x36\x6d\xc6\x66\x44\x47\xfa\xe5\xbe\xd3\x81\xf6\x29\x13\x4a\xdf\xcc\x51\xec\xa2\xab\x32\x76\x68\x2e\x5d\x9f\x67\x7b\x30\x1d\x6e\x6d\xcf\xa8\x64\x61\xa5\x67\xcb\x9c\xbf\xda\x3d\x2f\x91\xb3\xab\xc2\x0a\x5a\x7d\x46\x5d\x57\xc5\x07\xfe\x9c\xad\x83\x43\xd6\x4f\x51\xbe\x63\x0c\xe8\x18\xab\x78\xe9\x2c\xc5\x40\x8f\x48\x02\x5f\xbb\xf8\x39\x6d\x88\x20\x1c\x04\x2f\xd7\x11\x82\xc3\xd5\xdd\x62\xac\xe3\xec\x92\x31\xf8\x47\xbd\xff\x19\xb7\xbc\xe4\xe0\x4d\x10\x22\xb3\x2d\x46\xc7\x47\x09\xaa\x49\x63\x16\x6a\xef\xc5\xad\x6e\xd9\x47\x01\xd4\x32\x7f\x39\x
4e\x1c\x9d\x01\xfb\xd3\xf2\x59\x03\xc5\x02\x0a\x84\x87\x96\x30\x08\xf8\xe4\xee\xdf\xe9\xc8\xd6\x2c\xa9\xcd\x72\xa9\x62\x39\xb1\xc0\x42\x7c\xb4\xe1\x71\x18\x21\x9b\x42\xcb\x89\x73\x53\x62\x1d\x66\x7a\x53\x8d\x3b\xa3\xe9\x26\x67\x38\xfd\x25\x24\x68\x1f\xd6\x33\xc1\xf7\x1a\x51\x28\x62\x10\xbc\x79\x3f\xc8\x9c\x0f\x04\x38\x66\x48\x0b\x7e\x08\x62\xb7\xa1\x08\x59\x3b\x2e\x9f\x8d\x1f\xc6\x2b\x7c\x67\xf5\x0d\xff\x63\x8f\x93\x18\xfa\x26\x0f\x37\x30\xce\xc7\x08\x0a\xfd\x74\x36\x41\xde\x7d\x59\xbc\xa4\xd3\x21\xf0\x31\xf3\x5f\xa6\x16\xc4\x33\xed\x57\x2a\x39\xbb\x17\xb9\x3c\x85\x81\xb1\x2a\xa1\xd2\x51\x54\x1b\xb5\xb2\x1c\x63\x91\x7c\x5b\x70\xec\x65\xe9\x57\xc5\x9c\x64\x3a\x6c\x0a\xb0\x02\xb5\x46\xdd\x97\x03\x50\xbe\x2a\x57\xe1\xa8\xf0\xf4\x6b\x01\x19\x95\x0a\xab\x33\x01\xe5\xca\x05\x43\x53\x2e\x1f\x08\x19\x90\x75\x60\x9f\x22\xcb\x8c\x8f\xfc\xba\x4b\xc8\x1d\xf5\xda\x4b\xa7\xae\x6b\x11\x1b\x4c\xd9\xc6\xe2\xe6\xc2\x0a\xda\x23\x28\x20\xb4\x77\x53\xd6\x26\x2c\x2b\x9e\xa6\x1e\xad\x28\x1b\xa0\xc3\x1c\x3b\xdf\xc0\x6b\x8a\x42\x98\x22\x82\xa2\x15\xbe\xad\xa3\xae\x9b\x2e\xad\x9a\xfd\x24\xf5\x0b\xc2\x28\x18\x90\x09\x77\x91\xcf\x37\xb1\x96\x9b\x45\xba\x7e\xb1\x30\x53\x66\x76\x7e\xda\x01\xef\xd0\x57\xda\x56\x74\x31\xc4\x9e\x79\xc5\x5a\x58\x95\x4f\x12\xda\xb8\xf1\xb6\x88\x51\x3f\x4c\x3c\x49\xa5\xf2\x7e\xe5\x37\x50\xd8\x9b\x63\x37\x79\x98\x00\x58\x78\x9d\x26\xa6\xb1\x72\x0b\xe7\xca\x54\x9d\xe7\x4b\xdb\x76\x3f\x4d\xb1\xa6\xbb\x86\x0b\x05\xdb\xc4\x77\x5b\x20\xce\xd8\x71\xb4\xa9\xd9\xd8\x77\xab\xef\x6c\x4b\xb3\x9d\x36\x8e\xf7\xe7\xfb\xba\xc5\xcb\x88\x21\x2d\x87\xf3\xc7\x62\x06\x59\xcf\x4c\xe1\xc6\xee\xb0\xea\x83\x84\xa6\xdf\x2f\x29\x13\x34\xe5\x80\x84\xfc\x55\xa3\xb6\xd7\xa8\x35\x1f\x62\x5a\x71\xee\xce\x16\xfc\xb5\x2f\xcc\xa8\x88\x09\x3a\x04\x0f\x5f\x15\x7a\xe2\x7d\xd7\x9d\x26\xae\x55\x5d\xd0\xd2\x19\xb5\x85\x53\xdb\x3b\xd8\xb4\x8d\x85\x6b\x3e\x23\x3d\x19\x72\x65\x78\xd3\x82\xbe\x3d\x12\x3f\x86\x56\xdb\xa5\xe6\x1d\xb1\x4b\x62\x7e\xb0\x74\xdb\x68\xd5\xa6\x9c\x93\x51\x17\x44\x92\xb5\x08\x24\x82\x4d\x
3d\x3a\xf7\x92\x95\xf0\x5c\xdb\xb4\x7c\x8e\xf7\xc8\x5d\x81\x5b\xdc\xba\xcf\x4b\x86\x27\x96\x5c\x07\xc8\xe1\x07\x9f\x20\x1e\x50\x98\x02\x84\xf2\x00\x5a\x92\xba\x82\x15\xd0\x6e\xf5\xef\xed\x59\x1f\x52\x79\xf1\x8a\x2f\xea\x04\x24\x66\xd7\x83\xe1\x08\x64\xe9\x3a\x54\xb8\x64\x9b\xb4\x43\x6d\x88\x6c\x78\x81\x9e\x92\x7c\x16\x3c\x76\x9c\x22\xfd\x6c\x1f\xfc\x50\x98\x49\xf6\x85\xac\xbc\x5c\x6e\xab\xe4\xbf\xb2\xe2\x65\x0b\xab\x17\x39\xa6\x95\x3b\x27\xa1\x84\x64\x64\xea\x8f\x56\xa7\x6c\xd3\x71\xa7\x47\x45\x95\x94\x9b\x6f\xd4\xdb\x07\x6d\x44\xce\xca\x31\x12\x22\x74\xec\x56\x8c\x58\x1d\x08\x8e\xe7\xf5\x68\xc0\x02\x4a\x49\x19\x20\x40\x1f\x16\x5d\xd1\x71\x1a\x2f\x9b\x03\x7e\xf4\xb4\x01\x9d\x22\x72\xe1\x9e\xd5\xcf\x41\x40\xe5\x8d\x74\xae\x1d\x93\x01\x8d\x09\xfe\xe3\x26\x3e\x81\x19\xfc\x7a\x48\x09\x45\x9c\x43\x4e\x93\xd3\x04\x70\x2f\x11\x0f\xc3\xa4\x0d\xfa\x78\xfd\xac\x5e\xdf\x24\x25\xd8\xdc\x16\x29\xbc\x95\xba\xb9\x32\x70\x32\x59\x8c\x2f\x55\x30\x78\x18\x7c\x3d\x07\x6f\x15\x67\x4c\xfb\x9e\x0f\x18\x2b\x68\xce\xdc\xec\x34\xcf\x04\x90\x90\x1a\xf1\x0a\x2d\x10\xac\x87\x31\xf7\x9e\x60\xea\x1e\xb1\x78\xa6\x01\x42\x97\xa5\xa3\xb8\x4b\x80\xde\xb5\xf3\xb5\x62\x04\xcd\xaf\x3a\x4c\xa0\xbc\xa0\x08\x3a\xca\xc6\xd2\xa5\x63\x71\x7e\xb7\x0b\x9d\x82\x75\xbb\x31\xdd\x4d\xa2\x5f\x6a\xaf\x3b\xb5\x76\x15\x2c\xc5\x98\x39\x9b\xfc\x1f\x70\x3f\x9d\x65\xc7\xca\x6f\xc4\x5d\x7c\xd8\x19\x12\x07\x1a\x94\xb4\x98\x17\x28\xbd\x3f\xa5\x32\xdd\x3a\xb9\x5e\xdc\x2c\x8a\x87\x92\x31\x6b\x78\x28\xc1\x7a\x0a\x11\x5a\x80\xee\x5f\x7c\x63\x2f\xa1\x23\xfc\xce\xae\xcb\x31\x19\x15\x34\x9c\x9b\x26\xf2\xed\x27\x52\x23\xd7\x9b\xac\x0c\x13\x76\x71\xc3\xac\x5f\x48\x9b\x42\xfb\xf5\xb1\x9b\x3a\x46\xae\x22\xa7\x2f\xe3\x47\xd8\xab\xf1\x11\x42\x96\x85\x62\xc6\x32\x9d\xfb\x94\x22\x49\xb5\x93\xd3\x7d\x17\xf4\x0d\x79\x3a\x48\x18\x92\x10\xe0\xb6\x0b\x95\x83\x75\xc0\x89\x93\xd3\x4e\x3e\xb0\xba\x69\x32\x43\x5c\xde\x73\xd5\x68\xd8\x1e\x0d\xf7\xf7\x6d\xab\x7c\x1c\x1f\x7e\x5b\x76\x41\x44\x89\x6f\xe5\xa8\x19\xa4\xf0\xae\xfa\x09\x9e\x1d\x84\xf8\xc1\x
12\x02\xbc\x14\x1f\x7a\xe0\x3f\xb4\xfd\xbf\x5b\x6c\x30\x83\x4a\x4d\xcc\x7f\x9a\x64\xbb\xe1\x40\x76\x11\x0b\x97\x29\x76\x7e\x5f\x31\xed\xbf\x5d\xdc\x54\x0f\x3a\x31\xa3\x6f\x4a\x33\x2b\x5a\x24\xd9\xe0\xbe\x54\xf8\x16\x1b\x52\xf7\x6b\x78\x08\x3e\x40\xa6\x63\xc8\xd2\x0b\xfb\xc4\x46\x53\x3c\x2c\x4b\x78\xe6\x30\xbb\xc9\x4a\x24\xd9\x51\x60\x18\xfa\xff\xed\xc2\xe8\x5f\xb0\x91\xde\xea\xd3\x61\x2c\x8a\xb2\x41\xb1\x26\x47\xc2\xe7\x14\x07\xa9\xbb\xef\x11\xc9\x75\xed\xbb\x97\x22\xab\x61\x74\xa9\x19\x1c\x5f\x01\x28\xc1\xe0\xf4\x39\x33\x53\x68\x9a\xd1\x8b\x96\x78\x5a\x7d\x8e\x04\x5a\xdb\x80\x1a\xfe\x79\x00\x0f\x18\xec\xbc\x07\xea\x83\x93\x06\xbe\xcb\x86\x2b\x17\x53\xfe\xd5\x04\xdf\x00\x95\x46\x67\x2f\xd6\x5e\x60\xa2\xb5\x23\xae\x74\x77\x50\x2d\xb7\x5d\xeb\x99\x44\x52\xe0\xb3\xf7\xa8\x41\xa9\x8b\x8c\x0b\x0e\x82\x8f\x0c\xa6\x79\xe1\xfb\x97\xf8\xdf\x29\x2e\x2d\xb3\x0f\x75\x6f\xba\x17\x75\x45\xa0\x9b\xeb\x2b\xe1\x93\xfb\x3a\x1a\x94\xd3\x44\x56\xd9\x07\x1e\x63\x4b\xb8\xa4\x33\x09\x30\x2f\x6c\xe4\xc3\x38\xd4\x39\x27\x0c\x42\x6b\xaa\x04\x8b\xb9\x2e\xc1\x39\xe5\x0f\xc4\x57\xdb\x0f\x37\xb4\x94\xc5\x91\xf6\x71\x15\xbc\x9c\x52\x21\x52\xd2\x8f\x9c\xad\x16\x10\xbf\xfc\xea\x13\x9b\xf2\xc5\xe0\x23\x9d\x4f\x8d\xb1\x25\xf0\xc6\x68\x76\x8a\x02\xab\x70\x28\x14\xab\x61\xb5\x7e\x0d\xd8\x39\x54\x9c\xd7\x8c\x1d\x33\x1d\x3c\xf4\x2e\x0e\x94\x35\x9d\xf9\xf9\xd8\xd4\xfa\x2b\x98\x2a\x19\x77\xcc\x55\xa8\x88\x80\x56\x46\x23\x15\x45\xc2\xe9\x6a\x8b\x80\xc9\xdb\xda\xf7\xb7\x64\x40\x21\xf8\xdb\xdd\x8f\x3c\x37\x3a\x72\xa9\xc5\xa8\xad\x05\xc6\x7f\x50\xbd\x32\xa9\x6e\x19\xa6\x06\x17\x00\x61\x54\x2a\x0b\x1e\xe9\x0e\x3c\x75\x61\x9d\x95\x41\x6e\x1d\x2f\x6c\x76\xef\x08\xf6\x11\x88\x2c\x87\xd0\x96\xb2\xf8\x4c\x1b\x5f\x79\xc7\x28\x72\x7e\x00\xb0\x58\x9f\xf8\x67\x82\x4b\x88\x93\x9c\x3a\xcb\xa9\x6f\x59\xa3\xe3\x08\xef\x70\x68\xbd\x4a\xd8\x47\x8b\x9f\x0d\x6d\x5c\x90\xc8\xd3\xfd\xb1\xbc\xe0\x82\x2f\xd4\xdb\xf6\x04\x33\xd0\xfd\x9a\x1d\x00\xfa\xd0\x5b\x13\x5b\x0f\xca\x52\x29\x82\xbd\x41\xa1\xd3\x2c\xa9\xe1\x3c\xc2\xde\x18\x09\x
e5\x1e\x12\xb5\x40\xdf\x58\xcc\x4b\xca\xcb\xc3\x94\x53\xe6\x2e\xff\xe1\xcb\xa6\x2a\x72\x5b\x7b\x69\x0a\x53\x1a\x16\x9b\x16\xcd\x4f\xb4\x23\x00\x18\xad\xbf\xeb\xfd\x58\xec\x47\x67\x42\xa8\xea\x7e\x8f\xf7\xe5\x6a\xb4\x63\xb3\x45\xa8\x42\x99\x86\x7f\x85\x7d\xe6\xea\x30\x75\x9a\x8d\xd0\x93\xe9\x8f\x99\xc6\x2f\x40\x95\x97\xf9\xa3\xdd\xd4\x90\xc8\x81\x33\xd9\x83\x1a\x7d\xdd\x0b\xbc\x35\x36\xd8\x0d\xea\xee\x38\xac\xb1\xba\x95\xba\x0c\xda\x91\x0f\x4b\x12\x0a\x59\x2b\xc9\x15\x04\xf4\xb0\xd9\x91\x71\xe2\xc4\x5d\x4e\x25\x6d\xc0\x3f\xed\xe6\x8e\xe1\xda\xbf\x80\x29\xc9\x9d\xec\x19\x8c\x4a\xad\xdb\x68\x17\xf8\x39\xf1\xda\x74\x97\x12\x67\xc2\x12\xbd\x22\x69\xf8\xcc\xcd\x32\x49\x5e\x8f\x72\x04\x48\x6d\x98\x59\x87\xc2\x5a\x5c\xb7\xef\xd6\x39\xb1\xdb\xd2\x50\x60\x22\xf6\xca\xf2\x4b\x09\x22\x62\x27\xd8\x03\x5c\xea\x83\xb9\xcb\x82\x1a\xc3\xfd\xae\xda\x5f\x22\xdf\xb1\x19\x15\x93\xf4\xd1\x65\x5e\x23\x54\x6c\x84\xa8\xff\x48\x27\x89\xbc\x92\xf1\x94\xdd\xa5\xf6\x14\xd6\x98\x6e\xac\x82\x9b\xab\x2b\x7a\x29\x22\x5b\xd5\x51\x76\x12\xd4\x0f\xda\x6a\x15\x3f\xc5\x2b\x24\x66\x33\x68\xad\xc2\xed\xf5\x6b\x07\xbb\x22\xf1\xb5\xd5\x26\xbf\xfb\x21\x28\x2c\x65\x4a\x77\x95\xa2\x76\x31\xf9\x5d\x88\x5d\xf4\xc0\xbc\xeb\x07\x12\xbf\xdd\xc0\x58\xdc\xbf\x32\x83\xa8\xb9\x66\x64\xdf\x54\x83\x40\x46\x6b\xd7\x17\x32\x9e\x6d\x54\x25\xcb\xd8\xf9\xe6\x44\x2e\xc4\x67\x13\x81\xb8\x01\x7e\x04\xba\xf1\x66\xd7\xb1\x4d\xdb\x51\x6a\x62\x4a\xc5\xc7\x65\x87\xa0\x0c\x65\x02\xa9\x40\x1c\xee\xc4\x82\x69\xc4\xeb\xf6\x70\xbd\x1c\xaf\x46\x13\xbc\xe8\x6e\x29\x7f\x9d\xd0\x02\x24\x08\xaf\x5c\x7a\x7e\x9c\xa4\xa1\xa2\xc7\xea\x50\x6d\xcc\xd7\xf8\x40\xeb\x4d\xe4\xdd\x3c\x73\x40\x06\xcb\x85\xe9\xa0\x53\x9f\x98\x8a\xb4\x5f\x59\x3d\x1d\x96\x06\x12\x2a\x2f\x10\x6e\x9f\x84\xf5\x2f\xf9\x17\x97\x07\x61\x03\xd0\x42\x58\x68\x46\xff\x73\x05\xc2\x73\xfe\x8e\xaf\x05\x3f\x6f\x2c\x7f\xd4\xf1\x18\x13\x4a\x8c\x82\x4b\xbb\x27\xe3\x19\x1a\x8b\x19\x25\x55\xc6\x61\x49\x08\xba\x54\x36\xa6\x73\x83\x0c\x27\xa6\x31\x69\xd3\xc6\x9d\x3f\x7e\x05\x2a\x6b\x6d\xe6\xfd\x
2a\x54\x45\x72\xcb\xce\x67\xf6\x7a\x3b\x37\x83\xf4\xc8\xdb\x22\x71\xa4\xa1\x3c\x03\x55\xa9\x2c\x6b\x03\x6e\x5e\xf0\x6f\x53\x32\x3d\xb1\x43\x2b\xd5\xbe\xd2\x60\x15\x44\x38\x7d\xfe\xa3\xf5\xed\x9b\x25\x2f\xc9\xa2\x04\x11\x99\x94\x23\x94\x4f\xdc\x2d\x16\x3f\x66\xba\x18\x26\xc7\xbd\x6d\xa8\xe8\x95\xef\xb1\x9b\x4f\xe0\xf2\x03\x81\x42\xd7\x66\x5f\xaf\xaf\x97\x9c\x56\x35\x29\x40\xb5\x5c\xae\xf5\xf8\xf8\x81\xdb\x23\x06\x0d\xdd\x71\xf9\x9f\xca\xb6\xbf\xe4\x12\xbe\xb2\xa1\x7d\x10\x6f\xa4\x50\x91\x4a\xa7\x92\x0c\xb2\x12\x67\xe1\x6c\xb4\x94\x36\x05\x60\x98\x36\x14\x9f\x19\x70\xd5\xca\x6f\x31\x10\x14\xd5\xb6\x91\xc1\x45\xba\x81\xb4\xff\x94\xc7\x2f\xe1\x50\xea\x49\xe5\x60\x70\xcf\xf3\x4a\xbe\xe3\x70\x61\xe8\x71\xae\xcf\x5d\xcf\x9f\x91\xb5\x2a\x36\xeb\x99\x3c\x67\x89\xf0\x21\xbe\x51\x70\x89\x2c\xa8\x0d\x1c\x2a\xd5\xbb\xce\x3c\xe4\x06\xcf\xb4\x12\xbd\x66\xfd\x64\x42\xd7\x0e\xbe\x18\xcd\xcc\x29\x58\xc5\x09\x34\x1f\x05\x10", 8192); *(uint64_t*)0x200000004700 = 0x200000002700; *(uint32_t*)0x200000002700 = 0x50; *(uint32_t*)0x200000002704 = 0xfffffff5; *(uint64_t*)0x200000002708 = 6; *(uint32_t*)0x200000002710 = 7; *(uint32_t*)0x200000002714 = 0x2d; *(uint32_t*)0x200000002718 = 2; *(uint32_t*)0x20000000271c = 0x400000c; *(uint16_t*)0x200000002720 = 7; *(uint16_t*)0x200000002722 = 0x6b; *(uint32_t*)0x200000002724 = 0x80; *(uint32_t*)0x200000002728 = 3; *(uint16_t*)0x20000000272c = 0; *(uint16_t*)0x20000000272e = 0; *(uint32_t*)0x200000002730 = 1; *(uint32_t*)0x200000002734 = 4; memset((void*)0x200000002738, 0, 24); *(uint64_t*)0x200000004708 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x18; *(uint32_t*)0x200000002784 = 0xfffffffe; *(uint64_t*)0x200000002788 = 4; *(uint64_t*)0x200000002790 = 5; *(uint64_t*)0x200000004710 = 0x2000000027c0; *(uint32_t*)0x2000000027c0 = 0x18; *(uint32_t*)0x2000000027c4 = 0; *(uint64_t*)0x2000000027c8 = 8; *(uint64_t*)0x2000000027d0 = 0x101; *(uint64_t*)0x200000004718 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 
0xfffffffe; *(uint64_t*)0x200000002808 = 4; *(uint32_t*)0x200000002810 = 0x50bf; *(uint32_t*)0x200000002814 = 0; *(uint64_t*)0x200000004720 = 0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 3; *(uint32_t*)0x200000002850 = 0xffff; *(uint32_t*)0x200000002854 = 0; *(uint64_t*)0x200000004728 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x28; *(uint32_t*)0x200000002884 = 0; *(uint64_t*)0x200000002888 = 6; *(uint64_t*)0x200000002890 = 0xfffffffffffffff7; *(uint64_t*)0x200000002898 = 0; *(uint32_t*)0x2000000028a0 = 0; *(uint32_t*)0x2000000028a4 = r[4]; *(uint64_t*)0x200000004730 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x60; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 0xa2; *(uint64_t*)0x2000000028d0 = 0xfffffffffffffffb; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0x2867; *(uint64_t*)0x2000000028e8 = 0xd7f; *(uint64_t*)0x2000000028f0 = 2; *(uint32_t*)0x2000000028f8 = 0x28; *(uint32_t*)0x2000000028fc = 0xafb; *(uint32_t*)0x200000002900 = 7; *(uint32_t*)0x200000002904 = 0; memset((void*)0x200000002908, 0, 24); *(uint64_t*)0x200000004738 = 0x200000002940; *(uint32_t*)0x200000002940 = 0x18; *(uint32_t*)0x200000002944 = 0; *(uint64_t*)0x200000002948 = 0; *(uint32_t*)0x200000002950 = 0xb; *(uint32_t*)0x200000002954 = 0; *(uint64_t*)0x200000004740 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x13; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0x80000000; memcpy((void*)0x200000002990, "&,\000", 3); *(uint64_t*)0x200000004748 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x20; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0x41f; *(uint64_t*)0x2000000029d0 = 0; *(uint32_t*)0x2000000029d8 = 0; *(uint32_t*)0x2000000029dc = 0; *(uint64_t*)0x200000004750 = 0x200000002b80; *(uint32_t*)0x200000002b80 = 0x78; *(uint32_t*)0x200000002b84 = 0xfffffff5; *(uint64_t*)0x200000002b88 = 5; *(uint64_t*)0x200000002b90 = 0; *(uint32_t*)0x200000002b98 = 0x30; 
*(uint32_t*)0x200000002b9c = 0; *(uint64_t*)0x200000002ba0 = 0; *(uint64_t*)0x200000002ba8 = 0; *(uint64_t*)0x200000002bb0 = 0x9cb; *(uint64_t*)0x200000002bb8 = 6; *(uint64_t*)0x200000002bc0 = 0x45ff; *(uint64_t*)0x200000002bc8 = 8; *(uint32_t*)0x200000002bd0 = 0x7fffffff; *(uint32_t*)0x200000002bd4 = -1; *(uint32_t*)0x200000002bd8 = 2; *(uint32_t*)0x200000002bdc = 0x8000; *(uint32_t*)0x200000002be0 = 0xffff0001; *(uint32_t*)0x200000002be4 = r[10]; *(uint32_t*)0x200000002be8 = r[11]; *(uint32_t*)0x200000002bec = 0xb; *(uint32_t*)0x200000002bf0 = 7; *(uint32_t*)0x200000002bf4 = 0; *(uint64_t*)0x200000004758 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x90; *(uint32_t*)0x200000002c44 = 0xffffffda; *(uint64_t*)0x200000002c48 = 0xfffffffffffffc00; *(uint64_t*)0x200000002c50 = 3; *(uint64_t*)0x200000002c58 = 0; *(uint64_t*)0x200000002c60 = 6; *(uint64_t*)0x200000002c68 = 4; *(uint32_t*)0x200000002c70 = 7; *(uint32_t*)0x200000002c74 = 6; *(uint64_t*)0x200000002c78 = 6; *(uint64_t*)0x200000002c80 = 0x5d; *(uint64_t*)0x200000002c88 = 8; *(uint64_t*)0x200000002c90 = 0; *(uint64_t*)0x200000002c98 = 0xfffffffffffffffc; *(uint64_t*)0x200000002ca0 = 1; *(uint32_t*)0x200000002ca8 = 3; *(uint32_t*)0x200000002cac = 8; *(uint32_t*)0x200000002cb0 = 8; *(uint32_t*)0x200000002cb4 = 0xa000; *(uint32_t*)0x200000002cb8 = 2; *(uint32_t*)0x200000002cbc = 0xee01; *(uint32_t*)0x200000002cc0 = r[12]; *(uint32_t*)0x200000002cc4 = 6; *(uint32_t*)0x200000002cc8 = 7; *(uint32_t*)0x200000002ccc = 0; *(uint64_t*)0x200000004760 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0xc8; *(uint32_t*)0x200000002d04 = 0xfffffffe; *(uint64_t*)0x200000002d08 = 1; *(uint64_t*)0x200000002d10 = 6; *(uint64_t*)0x200000002d18 = 5; *(uint32_t*)0x200000002d20 = 5; *(uint32_t*)0x200000002d24 = -1; memset((void*)0x200000002d28, 170, 5); *(uint64_t*)0x200000002d30 = 2; *(uint64_t*)0x200000002d38 = -1; *(uint32_t*)0x200000002d40 = 6; *(uint32_t*)0x200000002d44 = 7; memset((void*)0x200000002d48, 255, 6); 
*(uint64_t*)0x200000002d50 = 5; *(uint64_t*)0x200000002d58 = 5; *(uint32_t*)0x200000002d60 = 6; *(uint32_t*)0x200000002d64 = 0xc828; memset((void*)0x200000002d68, 2, 6); *(uint64_t*)0x200000002d70 = 3; *(uint64_t*)0x200000002d78 = 0xa; *(uint32_t*)0x200000002d80 = 0x1f; *(uint32_t*)0x200000002d84 = 2; memcpy((void*)0x200000002d88, "bpf_lsm_kernel_create_files_as\000", 31); *(uint64_t*)0x200000002da8 = 5; *(uint64_t*)0x200000002db0 = 0x100; *(uint32_t*)0x200000002db8 = 5; *(uint32_t*)0x200000002dbc = 9; memset((void*)0x200000002dc0, 170, 5); *(uint64_t*)0x200000004768 = 0x2000000040c0; *(uint32_t*)0x2000000040c0 = 0xb0; *(uint32_t*)0x2000000040c4 = 0; *(uint64_t*)0x2000000040c8 = 0xffffffffffff51c6; *(uint64_t*)0x2000000040d0 = 0; *(uint64_t*)0x2000000040d8 = 1; *(uint64_t*)0x2000000040e0 = 0x7fffffff; *(uint64_t*)0x2000000040e8 = 4; *(uint32_t*)0x2000000040f0 = 0x80; *(uint32_t*)0x2000000040f4 = 0xe; *(uint64_t*)0x2000000040f8 = 5; *(uint64_t*)0x200000004100 = 6; *(uint64_t*)0x200000004108 = 9; *(uint64_t*)0x200000004110 = 0; *(uint64_t*)0x200000004118 = 0x80; *(uint64_t*)0x200000004120 = 3; *(uint32_t*)0x200000004128 = 7; *(uint32_t*)0x20000000412c = 0xffffff01; *(uint32_t*)0x200000004130 = 5; *(uint32_t*)0x200000004134 = 0x6000; *(uint32_t*)0x200000004138 = 5; *(uint32_t*)0x20000000413c = r[13]; *(uint32_t*)0x200000004140 = r[14]; *(uint32_t*)0x200000004144 = 9; *(uint32_t*)0x200000004148 = 4; *(uint32_t*)0x20000000414c = 0; *(uint64_t*)0x200000004150 = 1; *(uint64_t*)0x200000004158 = 0x7fffffff; *(uint32_t*)0x200000004160 = 6; *(uint32_t*)0x200000004164 = 7; memset((void*)0x200000004168, 2, 6); *(uint64_t*)0x200000004770 = 0x200000004340; *(uint32_t*)0x200000004340 = 0xa0; *(uint32_t*)0x200000004344 = 0xfffffffe; *(uint64_t*)0x200000004348 = 0x4f4; *(uint64_t*)0x200000004350 = 0; *(uint64_t*)0x200000004358 = 3; *(uint64_t*)0x200000004360 = 0x58be8e49; *(uint64_t*)0x200000004368 = 0x88; *(uint32_t*)0x200000004370 = 0x80; *(uint32_t*)0x200000004374 = 2; 
*(uint64_t*)0x200000004378 = 0; *(uint64_t*)0x200000004380 = 7; *(uint64_t*)0x200000004388 = 0x8000000000000000; *(uint64_t*)0x200000004390 = 6; *(uint64_t*)0x200000004398 = 2; *(uint64_t*)0x2000000043a0 = 0; *(uint32_t*)0x2000000043a8 = 0x81; *(uint32_t*)0x2000000043ac = 0xb; *(uint32_t*)0x2000000043b0 = 0xfff; *(uint32_t*)0x2000000043b4 = 0x8000; *(uint32_t*)0x2000000043b8 = 0xc093; *(uint32_t*)0x2000000043bc = r[15]; *(uint32_t*)0x2000000043c0 = 0; *(uint32_t*)0x2000000043c4 = -1; *(uint32_t*)0x2000000043c8 = 0x9e9; *(uint32_t*)0x2000000043cc = 0; *(uint64_t*)0x2000000043d0 = 0; *(uint32_t*)0x2000000043d8 = 4; *(uint32_t*)0x2000000043dc = 0; *(uint64_t*)0x200000004778 = 0x200000004400; *(uint32_t*)0x200000004400 = 0x20; *(uint32_t*)0x200000004404 = 0xfffffffe; *(uint64_t*)0x200000004408 = 4; *(uint32_t*)0x200000004410 = 0x1000; *(uint32_t*)0x200000004414 = 4; *(uint32_t*)0x200000004418 = 7; *(uint32_t*)0x20000000441c = 3; *(uint64_t*)0x200000004780 = 0x2000000045c0; *(uint32_t*)0x2000000045c0 = 0x130; *(uint32_t*)0x2000000045c4 = 0; *(uint64_t*)0x2000000045c8 = 6; *(uint64_t*)0x2000000045d0 = 7; *(uint32_t*)0x2000000045d8 = 0xf; *(uint32_t*)0x2000000045dc = 0; memset((void*)0x2000000045e0, 0, 16); *(uint32_t*)0x2000000045f0 = 4; *(uint32_t*)0x2000000045f4 = 0xfffffffb; *(uint64_t*)0x2000000045f8 = 0xc3f; *(uint32_t*)0x200000004600 = 0xc6; *(uint32_t*)0x200000004604 = r[17]; *(uint32_t*)0x200000004608 = 0xee01; *(uint16_t*)0x20000000460c = 0x1000; memset((void*)0x20000000460e, 0, 2); *(uint64_t*)0x200000004610 = 0xc42b; *(uint64_t*)0x200000004618 = 0xfffffffffffffffb; *(uint64_t*)0x200000004620 = 8; *(uint64_t*)0x200000004628 = 0xfffffffffffff3f4; *(uint64_t*)0x200000004630 = 7; *(uint32_t*)0x200000004638 = 9; *(uint32_t*)0x20000000463c = 0; *(uint64_t*)0x200000004640 = 0x893b; *(uint32_t*)0x200000004648 = 0xc160; *(uint32_t*)0x20000000464c = 0; *(uint64_t*)0x200000004650 = 3; *(uint32_t*)0x200000004658 = 0x6a48; *(uint32_t*)0x20000000465c = 0; 
*(uint64_t*)0x200000004660 = 0x40; *(uint32_t*)0x200000004668 = 6; *(uint32_t*)0x20000000466c = 0; *(uint32_t*)0x200000004670 = 5; *(uint32_t*)0x200000004674 = 0; *(uint32_t*)0x200000004678 = 9; *(uint32_t*)0x20000000467c = 3; memset((void*)0x200000004680, 0, 112); res = -1; errno = EFAULT; res = syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x200000000700, /*len=*/0x2000, /*res=*/0x200000004700); fprintf(stderr, "### call=25 errno=%u\n", res == -1 ? errno : 0); break; case 26: res = syscall(__NR_pidfd_getfd, /*pidfd=*/r[6], /*fd=*/r[9], /*flags=*/0ul); fprintf(stderr, "### call=26 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[19] = res; break; case 27: memcpy((void*)0x2000000047c0, "SEG6\000", 5); res = -1; errno = EFAULT; res = syz_genetlink_get_family_id(/*name=*/0x2000000047c0, /*fd=*/r[19]); fprintf(stderr, "### call=27 errno=%u\n", res == -1 ? errno : 0); break; case 28: res = -1; errno = EFAULT; res = syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); fprintf(stderr, "### call=28 errno=%u\n", res == -1 ? errno : 0); break; case 29: res = -1; errno = EFAULT; res = syz_io_uring_complete(/*ring_ptr=*/0); fprintf(stderr, "### call=29 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[20] = res; break; case 30: *(uint32_t*)0x200000004804 = 0x87d1; *(uint32_t*)0x200000004808 = 0x200; *(uint32_t*)0x20000000480c = 3; *(uint32_t*)0x200000004810 = 0x92; *(uint32_t*)0x200000004818 = r[19]; memset((void*)0x20000000481c, 0, 12); res = -1; errno = EFAULT; res = syz_io_uring_setup(/*entries=*/0x70d3, /*params=*/0x200000004800, /*ring_ptr=*/0x200000004880, /*sqes_ptr=*/0x2000000048c0); fprintf(stderr, "### call=30 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) { r[21] = *(uint64_t*)0x200000004880; r[22] = *(uint64_t*)0x2000000048c0; } break; case 31: *(uint8_t*)0x200000004980 = 0x1c; *(uint8_t*)0x200000004981 = 0x40; *(uint16_t*)0x200000004982 = 0; *(uint32_t*)0x200000004984 = r[20]; *(uint64_t*)0x200000004988 = 0x200000004900; *(uint64_t*)0x200000004900 = 0x8000; *(uint64_t*)0x200000004908 = 0x190; *(uint64_t*)0x200000004910 = 0x10; *(uint64_t*)0x200000004990 = 0x200000004940; memcpy((void*)0x200000004940, "./file0\000", 8); *(uint32_t*)0x200000004998 = 0x18; *(uint32_t*)0x20000000499c = 0; *(uint64_t*)0x2000000049a0 = 0x23456; *(uint16_t*)0x2000000049a8 = 0; *(uint16_t*)0x2000000049aa = 0; memset((void*)0x2000000049ac, 0, 20); res = -1; errno = EFAULT; res = syz_io_uring_submit(/*ring_ptr=*/r[21], /*sqes_ptr=*/r[22], /*sqe=*/0x200000004980); fprintf(stderr, "### call=31 errno=%u\n", res == -1 ? errno : 0); break; case 32: memcpy((void*)0x2000000049c0, "*(z,\000", 5); memcpy((void*)0x200000004ac0, "\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x7e\xf6\xbf\x4c\x19\xc0\x4a\xa5\x7c\x4c\x2f\xf9\x2e\xe1\x46\x0e\xbf\x0e\x57\x59\x5c\xc3\x55\xaa\x22\x67\x95\x47\xef\x84\x49\x9e\xf9\x9d\x9b\xdd\x69\x1a\x9a\x0e\xe1\x9f\xba\x5f\xee\x97\xd9\xa9\x2b\xb7\xae\x3d\x75\x4a\x98\x45\x6c\xdb\xfd\x27\xda\x20\xf9\x77\xf4\xbf\x46\x30\xc3\xca\x42\x1a\x6a\xcf\x8d\x9f\x81\xd2\x93\xd3\xa0\xb0\x23\x27\xe4\x06\x32\x3e\x77\x3c\x64\xb8\x65\xc2\xc7\xa1\x02\x36\xfb\xbb\xb9\xc9\xea\xc5\xd1\x4f\x18\x75\x2a\x03\x89\xa5\x81\x59\x64\x04\x1b\x84\x4f\x71\x45\x5e\xa1\x2d\xdc\x9d\xcf\xb6\xe9\x00\xa3\x66\x57\x58\xcb\xa3\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 192); res = -1; errno = EFAULT; res = syz_kfuzztest_run(/*name=*/0x2000000049c0, /*data=*/0x200000004a00, /*len=*/0xc0, /*buf=*/0x200000004ac0); fprintf(stderr, "### call=32 errno=%u\n", res == -1 ? 
errno : 0); break; case 33: *(uint64_t*)0x200000014f40 = 0; *(uint64_t*)0x200000014f48 = 0x200000014ac0; *(uint64_t*)0x200000014ac0 = 0x17d; *(uint64_t*)0x200000014ac8 = 0x20; *(uint64_t*)0x200000014ad0 = 0x25000; *(uint64_t*)0x200000014ad8 = 0x5591; *(uint64_t*)0x200000014ae0 = 0x64; *(uint64_t*)0x200000014ae8 = 0x18; *(uint32_t*)0x200000014af0 = 8; *(uint32_t*)0x200000014af4 = 0x57; *(uint64_t*)0x200000014af8 = 0x12d; *(uint64_t*)0x200000014b00 = 0x18; *(uint64_t*)0x200000014b08 = 3; *(uint64_t*)0x200000014b10 = 0x64; *(uint64_t*)0x200000014b18 = 0x18; *(uint32_t*)0x200000014b20 = 0; *(uint32_t*)0x200000014b24 = 2; *(uint64_t*)0x200000014b28 = 0x69; *(uint64_t*)0x200000014b30 = 0x20; *(uint64_t*)0x200000014b38 = 0xc003; *(uint64_t*)0x200000014b40 = 1; *(uint64_t*)0x200000014b48 = 0x64; *(uint64_t*)0x200000014b50 = 0x18; *(uint32_t*)0x200000014b58 = 0x10; *(uint32_t*)0x200000014b5c = 0xc; *(uint64_t*)0x200000014b60 = 0x12d; *(uint64_t*)0x200000014b68 = 0x18; *(uint64_t*)0x200000014b70 = 0; *(uint64_t*)0x200000014b78 = 0x12e; *(uint64_t*)0x200000014b80 = 0x7e; *(uint64_t*)0x200000014b88 = 1; memcpy((void*)0x200000014b90, "\x36\x2e\x36\x3e\x66\x43\x0f\x57\xa9\x00\x98\x00\x00\x66\xba\xf8\x0c\xb8\x28\x8f\xc6\x86\xef\x66\xba\xfc\x0c\xed\xb9\x71\x03\x00\x00\xb8\xc7\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\x42\x0f\x01\xc8\x66\xb8\x78\x00\x0f\x00\xd0\x40\x0f\x01\xc5\x66\xba\x43\x00\x66\xed\x40\x1d\x03\x00\x00\x00\xc7\x44\x24\x00\x00\x00\x00\x00\xc7\x44\x24\x02\x49\x3a\x56\x64\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x32", 102); *(uint64_t*)0x200000014bf6 = 0x64; *(uint64_t*)0x200000014bfe = 0x18; *(uint32_t*)0x200000014c06 = 0xf; *(uint32_t*)0x200000014c0a = 4; *(uint64_t*)0x200000014c0e = 0x12e; *(uint64_t*)0x200000014c16 = 0x60; *(uint64_t*)0x200000014c1e = 0; memcpy((void*)0x200000014c26, 
"\xc4\x21\xf8\x10\x7a\xf0\x0f\xe7\x64\x9a\x4f\x47\xfb\x0f\x01\xca\x46\x0f\x08\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x80\x00\x00\x0f\x30\x0f\x01\xcb\x40\x0f\x01\xcb\xc7\x44\x24\x00\x8d\x00\x00\x00\xc7\x44\x24\x02\x07\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x52\x4b\x00", 72); *(uint64_t*)0x200000014c6e = 0; *(uint64_t*)0x200000014c76 = 0x18; *(uint64_t*)0x200000014c7e = 2; *(uint64_t*)0x200000014c86 = 0x12d; *(uint64_t*)0x200000014c8e = 0x18; *(uint64_t*)0x200000014c96 = 3; *(uint64_t*)0x200000014c9e = 0x17f; *(uint64_t*)0x200000014ca6 = 0x10; *(uint64_t*)0x200000014cae = 0; *(uint64_t*)0x200000014cb6 = 0x18; *(uint64_t*)0x200000014cbe = 4; *(uint64_t*)0x200000014cc6 = 0x12f; *(uint64_t*)0x200000014cce = 0x18; *(uint64_t*)0x200000014cd6 = 2; *(uint64_t*)0x200000014cde = 0x12e; *(uint64_t*)0x200000014ce6 = 0x56; *(uint64_t*)0x200000014cee = 3; memcpy((void*)0x200000014cf6, "\x0f\x01\xdf\x0f\xa8\x66\xba\xf8\x0c\xb8\x82\xca\xa9\x8f\xef\x66\xba\xfc\x0c\x66\xed\x67\x0f\x01\xca\x0f\xfd\xca\x46\x0f\x01\xb3\x90\x4e\x00\x00\x66\xba\x20\x00\x66\xb8\xb7\xea\x66\xef\x0f\x01\x32\xc4\xe1\x61\xeb\x58\x00\xb9\x81\x05\x00\x00\x0f\x32", 62); *(uint64_t*)0x200000014d34 = 0x180; *(uint64_t*)0x200000014d3c = 0x38; *(uint64_t*)0x200000014d44 = 1; *(uint64_t*)0x200000014d4c = 0x17; *(uint64_t*)0x200000014d54 = 4; *(uint64_t*)0x200000014d5c = 4; *(uint64_t*)0x200000014d64 = 0; *(uint64_t*)0x200000014d6c = 0x183; *(uint64_t*)0x200000014d74 = 0x18; *(uint64_t*)0x200000014d7c = 3; *(uint64_t*)0x200000014d84 = 0x65; *(uint64_t*)0x200000014d8c = 0x20; *(uint64_t*)0x200000014d94 = 0x32c; *(uint64_t*)0x200000014d9c = 0x10; *(uint64_t*)0x200000014da4 = 0x68; *(uint64_t*)0x200000014dac = 0x20; *(uint64_t*)0x200000014db4 = 7; *(uint64_t*)0x200000014dbc = 2; *(uint64_t*)0x200000014dc4 = 0xa; *(uint64_t*)0x200000014dcc = 0x56; memcpy((void*)0x200000014dd4, 
"\xf3\x41\xaf\x66\xb8\x3e\x00\x8e\xd0\xc4\xe1\x35\x73\xfa\xe7\x66\x0f\x74\xa6\x00\x00\x00\x00\x47\xdb\xc1\x45\x0f\x08\x66\x41\x0f\x38\x82\x94\x1f\x0e\x58\x39\xba\x47\x0f\x79\x55\x00\xc4\x01\x56\x51\xaf\x41\x04\x00\x00\x66\xba\xf8\x0c\xb8\xe2\x7f\xf4\x8d\xef\x66\xba\xfc\x0c\xec", 69); *(uint8_t*)0x200000014e19 = 0xc3; *(uint64_t*)0x200000014e1a = 0x12d; *(uint64_t*)0x200000014e22 = 0x18; *(uint64_t*)0x200000014e2a = 3; *(uint64_t*)0x200000014e32 = 0x12c; *(uint64_t*)0x200000014e3a = 0x18; *(uint64_t*)0x200000014e42 = 0; *(uint64_t*)0x200000014e4a = 0x12e; *(uint64_t*)0x200000014e52 = 0x6f; *(uint64_t*)0x200000014e5a = 3; memcpy((void*)0x200000014e62, "\xf3\x41\x0f\x22\x17\x66\xba\xf8\x0c\xb8\x61\x8e\xa1\x84\xef\x66\xba\xfc\x0c\xb0\x00\xee\x36\x64\x0f\x21\x39\xc4\x62\x41\x40\x32\x66\xba\x43\x00\x66\xb8\x0b\x00\x66\xef\x66\xba\x43\x00\xec\x40\x0f\x23\x38\x3e\x0f\xc7\x32\xc7\x44\x24\x00\xac\x00\x00\x00\xc7\x44\x24\x02\x90\x7c\x03\xe6\xff\x2c\x24\xb8\x05\x00\x00\x00\xb9\x97\x00\x00\x00\x0f\x01\xd9", 87); *(uint64_t*)0x200000014eb9 = 0x69; *(uint64_t*)0x200000014ec1 = 0x20; *(uint64_t*)0x200000014ec9 = 0xc3e5; *(uint64_t*)0x200000014ed1 = 2; *(uint64_t*)0x200000014ed9 = 0xc8; *(uint64_t*)0x200000014ee1 = 0x20; *(uint64_t*)0x200000014ee9 = 0xa1; *(uint64_t*)0x200000014ef1 = 2; *(uint64_t*)0x200000014ef9 = 0x65; *(uint64_t*)0x200000014f01 = 0x20; *(uint64_t*)0x200000014f09 = 0x12f; *(uint64_t*)0x200000014f11 = 2; *(uint64_t*)0x200000014f19 = 0x12c; *(uint64_t*)0x200000014f21 = 0x18; *(uint64_t*)0x200000014f29 = 0; *(uint64_t*)0x200000014f50 = 0x471; res = -1; errno = EFAULT; res = syz_kvm_add_vcpu(/*vm=*/0, /*text=*/0x200000014f40); fprintf(stderr, "### call=33 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[23] = res; break; case 34: res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0ul, /*prot=PROT_GROWSDOWN|PROT_SEM*/0x1000008ul, /*flags=MAP_PRIVATE*/2ul, /*cpufd=*/r[23], /*offset=*/0ul); fprintf(stderr, "### call=34 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[24] = res; break; case 35: res = -1; errno = EFAULT; res = syz_kvm_assert_syzos_kvm_exit(/*run=*/r[24], /*exitcode=*/2); fprintf(stderr, "### call=35 errno=%u\n", res == -1 ? errno : 0); break; case 36: res = -1; errno = EFAULT; res = syz_kvm_assert_syzos_uexit(/*cpufd=*/r[20], /*run=*/r[24], /*exitcode=*/0x10); fprintf(stderr, "### call=36 errno=%u\n", res == -1 ? errno : 0); break; case 37: *(uint64_t*)0x200000015140 = 0; *(uint64_t*)0x200000015148 = 0x200000014f80; memcpy((void*)0x200000014f80, "\x04\xea\xa0\xef\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x01\x63\x60\x14\xc2\x80\x3c\xd1\xc0\x84\x60\x04\x00\x84\x78\x83\x0a\x84\x64\xbe\x01\x84\x60\x27\x3b\xa0\x3c\x00\x3c\xa5\x60\x04\x00\xa5\x78\x27\x72\xa5\x64\x9d\x4f\xa5\x60\x7c\x62\xc0\x3c\xdf\xa5\xc6\x60\x04\x00\xc6\x78\x78\x11\xc6\x64\x30\xb5\xc6\x60\xf2\xd6\xe0\x3c\xac\xca\xe7\x60\x04\x00\xe7\x78\x51\x98\xe7\x64\xfb\x3b\xe7\x60\x02\x00\x00\x44\x00\x00\xe0\x3f\x00\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x48\xff\x63\x60\x7b\xff\x1b\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xfc\xf4\x63\x60\x76\x09\x80\x3c\x6c\xdf\x84\x60\x04\x00\x84\x78\x7c\xb5\x84\x64\x5d\x85\x84\x60\xf3\xc8\xa0\x3c\x84\x98\xa5\x60\x04\x00\xa5\x78\xa1\x6b\xa5\x64\x7c\x44\xa5\x60\x02\x00\x00\x44\x00\x00\x20\x3e\x00\x00\x31\x62\x04\x00\x31\x7a\x00\x00\x31\x66\x98\x00\x31\x62\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\xe5\x13\x5a\x63\xaa\xfe\xf9\x7d\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x00\x80\x84\x60\xdc\x39\x00\x7c\x00\x00\x40\x3d\x00\x00\x4a\x61\x04\x00\x4a\x79\x00\x00\x4a\x65\x71\x99\x4a\x61\xa7\x5f\xc0\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x08\xef\x63\x60\x09\xc6\x80\x3c\x1c\x64\x84\x60\x04\x00\x84\x78\xb4\xf7\x84\x64\x66\xcc\x84\x60\x03\x80\xa0\x3c\x45\x8f\xa5\x60\x04\x00\xa5\x78\xcf\x35\xa5\x64\x75\x97\xa5\x60\xae\x5a\xc0\x3c\x19\x31\xc6\x60\x04\x00\xc6\x78\xa9\x6d\xc6\x64\x6f\x30\xc
6\x60\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x12\x00\x00\x60\x24\x01\x00\x7c\x00\x00\xe0\x3f\x01\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x00\xff\x63\xa7\xff\xa0\x7e", 420); *(uint64_t*)0x200000015150 = 0x1a4; *(uint64_t*)0x200000015180 = 1; *(uint64_t*)0x200000015188 = 1; res = -1; errno = EFAULT; res = syz_kvm_setup_cpu(/*fd=*/r[20], /*cpufd=*/r[5], /*usermem=*/0x200000fe8000, /*text=*/0x200000015140, /*ntext=*/1, /*flags=*/0, /*opts=*/0x200000015180, /*nopt=*/1); fprintf(stderr, "### call=37 errno=%u\n", res == -1 ? errno : 0); break; case 38: res = -1; errno = EFAULT; res = syz_kvm_setup_syzos_vm(/*fd=*/r[5], /*usermem=*/0x200000c00000); fprintf(stderr, "### call=38 errno=%u\n", res == -1 ? errno : 0); break; case 39: *(uint32_t*)0x2000000151c0 = 1; res = -1; errno = EFAULT; res = syz_memcpy_off(/*ring_ptr=*/r[21], /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x2000000151c0, /*src_off=*/0, /*nbytes=*/4); fprintf(stderr, "### call=39 errno=%u\n", res == -1 ? errno : 0); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0xb704, /*arg=*/0x200000015280ul); fprintf(stderr, "### call=40 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[25] = *(uint32_t*)0x200000015280; break; case 41: memcpy((void*)0x200000015200, "adfs\000", 5); memcpy((void*)0x200000015240, "./file0\000", 8); memcpy((void*)0x2000000152c0, "gid", 3); *(uint8_t*)0x2000000152c3 = 0x3d; sprintf((char*)0x2000000152c4, "0x%016llx", (long long)r[16]); *(uint8_t*)0x2000000152d6 = 0x2c; memcpy((void*)0x2000000152d7, "uid", 3); *(uint8_t*)0x2000000152da = 0x3d; sprintf((char*)0x2000000152db, "0x%016llx", (long long)r[17]); *(uint8_t*)0x2000000152ed = 0x2c; memcpy((void*)0x2000000152ee, "uid", 3); *(uint8_t*)0x2000000152f1 = 0x3d; sprintf((char*)0x2000000152f2, "0x%016llx", (long long)r[13]); *(uint8_t*)0x200000015304 = 0x2c; memcpy((void*)0x200000015305, "othmask", 7); *(uint8_t*)0x20000001530c = 0x3d; sprintf((char*)0x20000001530d, "%023llo", (long long)7); *(uint8_t*)0x200000015324 = 0x2c; memcpy((void*)0x200000015325, "ftsuffix", 8); *(uint8_t*)0x20000001532d = 0x3d; sprintf((char*)0x20000001532e, "%020llu", (long long)0x100); *(uint8_t*)0x200000015342 = 0x2c; memcpy((void*)0x200000015343, "othmask", 7); *(uint8_t*)0x20000001534a = 0x3d; sprintf((char*)0x20000001534b, "%023llo", (long long)8); *(uint8_t*)0x200000015362 = 0x2c; memcpy((void*)0x200000015363, "fowner<", 7); sprintf((char*)0x20000001536a, "%020llu", (long long)r[25]); *(uint8_t*)0x20000001537e = 0x2c; memcpy((void*)0x20000001537f, "func", 4); *(uint8_t*)0x200000015383 = 0x3d; memcpy((void*)0x200000015384, "FIRMWARE_CHECK", 14); *(uint8_t*)0x200000015392 = 0x2c; memcpy((void*)0x200000015393, "smackfsdef", 10); *(uint8_t*)0x20000001539d = 0x3d; memset((void*)0x20000001539e, 0, 1); *(uint8_t*)0x20000001539f = 0x2c; memcpy((void*)0x2000000153a0, "hash", 4); *(uint8_t*)0x2000000153a4 = 0x2c; *(uint8_t*)0x2000000153a5 = 0; memcpy((void*)0x2000000153c0, "\x78\x9c\x6a\x9b\xe0\xf0\xd7\x80\xc9\x48\xed\x7f\x7b\xc9\xbd\xed\xdf\xf6\x00\x02\x00\x00\xff\xff\x38\xa7\x08\x1f", 28); res = -1; errno = EFAULT; res = syz_mount_image(/*fs=*/0x200000015200, 
/*dir=*/0x200000015240, /*flags=MS_PRIVATE|MS_NODIRATIME|MS_NODEV|MS_DIRSYNC*/0x40884, /*opts=*/0x2000000152c0, /*chdir=*/0, /*size=*/0x1c, /*img=*/0x2000000153c0); fprintf(stderr, "### call=41 errno=%u\n", res == -1 ? errno : 0); break; case 42: memcpy((void*)0x200000015400, "/dev/i2c-#\000", 11); res = -1; errno = EFAULT; res = syz_open_dev(/*dev=*/0x200000015400, /*id=*/0xe, /*flags=__O_TMPFILE|O_TRUNC|O_NOFOLLOW*/0x420200); fprintf(stderr, "### call=42 errno=%u\n", res == -1 ? errno : 0); break; case 43: memcpy((void*)0x200000015440, "net/mcfilter6\000", 14); res = -1; errno = EFAULT; res = syz_open_procfs(/*pid=*/r[18], /*file=*/0x200000015440); fprintf(stderr, "### call=43 errno=%u\n", res == -1 ? errno : 0); break; case 44: res = -1; errno = EFAULT; res = syz_open_pts(/*fd=*/-1, /*flags=*/0); fprintf(stderr, "### call=44 errno=%u\n", res == -1 ? errno : 0); break; case 45: res = -1; errno = EFAULT; res = syz_pidfd_open(/*pid=*/r[8], /*flags=*/0); fprintf(stderr, "### call=45 errno=%u\n", res == -1 ? errno : 0); break; case 46: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); fprintf(stderr, "### call=46 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[26] = res; break; case 47: res = -1; errno = EFAULT; res = syz_pkey_set(/*key=*/r[26], /*val=PKEY_DISABLE_WRITE*/2); fprintf(stderr, "### call=47 errno=%u\n", res == -1 ? errno : 0); break; case 48: memcpy((void*)0x200000015480, "\x78\x9c\x00\x43\x00\xbc\xff\x1a\xa5\x3b\x2d\x97\x22\x56\x58\x64\x62\x48\x11\x35\x5b\x94\xa0\xd2\xd7\x8d\x09\xd2\x09\x51\xdf\x3c\x2c\x1a\x49\x88\xca\x48\xd4\x52\x61\xcc\x47\x3e\x4f\x65\xf6\x76\xe4\xe9\xb3\x8c\xde\x4a\xab\xa0\x5c\x20\xea\x6f\x37\xa5\x29\x42\x97\xe2\xc2\xa7\x6d\x7e\x55\x2d\xca\xd8\x01\x00\x00\xff\xff\xd6\x63\x1f\xa5", 83); res = -1; errno = EFAULT; res = syz_read_part_table(/*size=*/0x53, /*img=*/0x200000015480); fprintf(stderr, "### call=48 errno=%u\n", res == -1 ? 
errno : 0); break; case 49: res = -1; errno = EFAULT; res = syz_socket_connect_nvme_tcp(); fprintf(stderr, "### call=49 errno=%u\n", res == -1 ? errno : 0); break; case 50: *(uint8_t*)0x200000015500 = 0x12; *(uint8_t*)0x200000015501 = 1; *(uint16_t*)0x200000015502 = 0x310; *(uint8_t*)0x200000015504 = 0x99; *(uint8_t*)0x200000015505 = 0x45; *(uint8_t*)0x200000015506 = 0xdf; *(uint8_t*)0x200000015507 = -1; *(uint16_t*)0x200000015508 = 0x19d2; *(uint16_t*)0x20000001550a = 0xfff8; *(uint16_t*)0x20000001550c = 0xcd35; *(uint8_t*)0x20000001550e = 1; *(uint8_t*)0x20000001550f = 2; *(uint8_t*)0x200000015510 = 3; *(uint8_t*)0x200000015511 = 1; *(uint8_t*)0x200000015512 = 9; *(uint8_t*)0x200000015513 = 2; *(uint16_t*)0x200000015514 = 0xd8d; *(uint8_t*)0x200000015516 = 4; *(uint8_t*)0x200000015517 = 0xc; *(uint8_t*)0x200000015518 = 0xd4; *(uint8_t*)0x200000015519 = 0xb0; *(uint8_t*)0x20000001551a = 8; *(uint8_t*)0x20000001551b = 9; *(uint8_t*)0x20000001551c = 4; *(uint8_t*)0x20000001551d = 5; *(uint8_t*)0x20000001551e = 0xe; *(uint8_t*)0x20000001551f = 6; *(uint8_t*)0x200000015520 = -1; *(uint8_t*)0x200000015521 = -1; *(uint8_t*)0x200000015522 = -1; *(uint8_t*)0x200000015523 = 5; *(uint8_t*)0x200000015524 = 0xa; *(uint8_t*)0x200000015525 = 0x24; *(uint8_t*)0x200000015526 = 2; *(uint8_t*)0x200000015527 = 2; *(uint16_t*)0x200000015528 = 0x82; *(uint16_t*)0x20000001552a = 0x97; *(uint8_t*)0x20000001552c = 9; *(uint8_t*)0x20000001552d = 9; *(uint8_t*)0x20000001552e = 7; *(uint8_t*)0x20000001552f = 0x24; *(uint8_t*)0x200000015530 = 1; *(uint8_t*)0x200000015531 = 0x91; *(uint8_t*)0x200000015532 = 0x10; *(uint16_t*)0x200000015533 = 1; *(uint8_t*)0x200000015535 = 0xa; *(uint8_t*)0x200000015536 = 0x24; *(uint8_t*)0x200000015537 = 2; *(uint8_t*)0x200000015538 = 2; *(uint16_t*)0x200000015539 = 0x64; *(uint16_t*)0x20000001553b = 5; *(uint8_t*)0x20000001553d = 5; *(uint8_t*)0x20000001553e = 9; *(uint8_t*)0x20000001553f = 0xa; *(uint8_t*)0x200000015540 = 0x24; *(uint8_t*)0x200000015541 = 
2; *(uint8_t*)0x200000015542 = 2; *(uint16_t*)0x200000015543 = 9; *(uint16_t*)0x200000015545 = 1; *(uint8_t*)0x200000015547 = 1; *(uint8_t*)0x200000015548 = 0x18; *(uint8_t*)0x200000015549 = 0xa; *(uint8_t*)0x20000001554a = 0x24; *(uint8_t*)0x20000001554b = 2; *(uint8_t*)0x20000001554c = 2; *(uint16_t*)0x20000001554d = 5; *(uint16_t*)0x20000001554f = 0x100; *(uint8_t*)0x200000015551 = 0; *(uint8_t*)0x200000015552 = 0x1f; *(uint8_t*)0x200000015553 = 0xa; *(uint8_t*)0x200000015554 = 0x24; *(uint8_t*)0x200000015555 = 2; *(uint8_t*)0x200000015556 = 2; *(uint16_t*)0x200000015557 = 0x200; *(uint16_t*)0x200000015559 = 2; *(uint8_t*)0x20000001555b = 6; *(uint8_t*)0x20000001555c = 6; *(uint8_t*)0x20000001555d = 9; *(uint8_t*)0x20000001555e = 0x24; *(uint8_t*)0x20000001555f = 2; *(uint8_t*)0x200000015560 = 1; *(uint8_t*)0x200000015561 = 0; *(uint8_t*)0x200000015562 = 9; *(uint8_t*)0x200000015563 = 4; *(uint8_t*)0x200000015564 = 1; *(uint8_t*)0x200000015565 = 0xdc; *(uint8_t*)0x200000015566 = 0xb; *(uint8_t*)0x200000015567 = 0x24; *(uint8_t*)0x200000015568 = 2; *(uint8_t*)0x200000015569 = 2; *(uint16_t*)0x20000001556a = 5; *(uint16_t*)0x20000001556c = 9; *(uint8_t*)0x20000001556e = 6; memcpy((void*)0x20000001556f, "\x42\xe9", 2); *(uint8_t*)0x200000015571 = 0x12; *(uint8_t*)0x200000015572 = 0x24; *(uint8_t*)0x200000015573 = 2; *(uint8_t*)0x200000015574 = 2; *(uint16_t*)0x200000015575 = 2; *(uint16_t*)0x200000015577 = 0xaecb; *(uint8_t*)0x200000015579 = 0; memcpy((void*)0x20000001557a, "\xe0\xff\x89\xcc\x39\xb2\x42\xb2\xb0", 9); *(uint8_t*)0x200000015583 = 7; *(uint8_t*)0x200000015584 = 0x24; *(uint8_t*)0x200000015585 = 1; *(uint8_t*)0x200000015586 = 0xc; *(uint8_t*)0x200000015587 = 2; *(uint16_t*)0x200000015588 = 2; *(uint8_t*)0x20000001558a = 9; *(uint8_t*)0x20000001558b = 5; *(uint8_t*)0x20000001558c = 1; *(uint8_t*)0x20000001558d = 0x1d; *(uint16_t*)0x20000001558e = 0x20; *(uint8_t*)0x200000015590 = 5; *(uint8_t*)0x200000015591 = 9; *(uint8_t*)0x200000015592 = 0xf; 
*(uint8_t*)0x200000015593 = 9; *(uint8_t*)0x200000015594 = 5; *(uint8_t*)0x200000015595 = 4; *(uint8_t*)0x200000015596 = 0x10; *(uint16_t*)0x200000015597 = 0x10; *(uint8_t*)0x200000015599 = 5; *(uint8_t*)0x20000001559a = 7; *(uint8_t*)0x20000001559b = 1; *(uint8_t*)0x20000001559c = 0x49; *(uint8_t*)0x20000001559d = 1; memcpy((void*)0x20000001559e, "\xbe\xdb\xdc\x40\xb6\x57\x91\x5a\xee\xa3\x6b\xef\xa7\x43\xbb\xf4\x76\xbb\xcc\x3a\x55\x77\x74\x37\xfd\x0c\x08\x62\xa5\x59\x1f\x0b\x80\x91\x62\x6c\x65\x64\xa6\x2b\x69\x95\xd0\xb1\xac\x34\x99\x5d\x44\x2d\xe5\x0d\x21\xf3\x0d\xa0\x8f\x64\xd3\xbb\x0e\x86\x08\x6e\x62\x96\x82\x16\xd8\xcb\xfe", 71); *(uint8_t*)0x2000000155e5 = 0xc; *(uint8_t*)0x2000000155e6 = 0xe; memcpy((void*)0x2000000155e7, "\x1c\xca\x42\xd0\xd4\xc1\x24\x78\xdb\xc7", 10); *(uint8_t*)0x2000000155f1 = 9; *(uint8_t*)0x2000000155f2 = 5; *(uint8_t*)0x2000000155f3 = 0xc; *(uint8_t*)0x2000000155f4 = 0xd; *(uint16_t*)0x2000000155f5 = 0x10; *(uint8_t*)0x2000000155f7 = 4; *(uint8_t*)0x2000000155f8 = 0xef; *(uint8_t*)0x2000000155f9 = 0xd; *(uint8_t*)0x2000000155fa = 9; *(uint8_t*)0x2000000155fb = 5; *(uint8_t*)0x2000000155fc = 0; *(uint8_t*)0x2000000155fd = 2; *(uint16_t*)0x2000000155fe = 0x40; *(uint8_t*)0x200000015600 = 1; *(uint8_t*)0x200000015601 = 0x92; *(uint8_t*)0x200000015602 = 1; *(uint8_t*)0x200000015603 = 7; *(uint8_t*)0x200000015604 = 0x25; *(uint8_t*)0x200000015605 = 1; *(uint8_t*)0x200000015606 = 8; *(uint8_t*)0x200000015607 = 0xf; *(uint16_t*)0x200000015608 = 9; *(uint8_t*)0x20000001560a = 0x9c; *(uint8_t*)0x20000001560b = 0x24; memcpy((void*)0x20000001560c, 
"\x94\x62\xe7\x8d\x67\xa7\x93\x83\x09\xf8\x93\x38\x8b\x58\x5f\x99\xed\x3c\xae\x5a\xeb\x24\x1e\x37\xea\xcc\x73\xfb\x04\x0b\x91\x7d\x69\x75\x87\xfd\x88\x85\xdc\xc8\x92\xbf\xee\x22\x87\x19\x88\xc7\x01\x88\xe9\xe8\x45\x46\xa7\x96\xe5\x6e\xa4\x83\x70\xdf\xca\x68\x9a\xaa\x0f\xfd\x08\x41\xc7\xe2\x8c\xbc\xec\xbc\x3b\xee\xb2\x54\xd9\x02\x49\x8d\xde\x37\x3f\x5e\x92\x09\x32\xac\xdf\x32\x22\xa5\x61\x17\x4a\x85\xce\x36\xd5\xf5\xc7\x09\x82\x9a\x04\x29\xf4\x8d\xe3\x26\x62\x11\xe3\x53\x22\x35\xca\xcb\x3a\x64\xff\xf3\xe3\x01\x82\xcd\x02\x7e\xa6\x60\xbc\xe2\x4c\xc1\x97\xbf\x35\x8f\x77\x95\x3c\x96\x4d\xe4\x53\x04\x16\x90\x7f\xa1", 154); *(uint8_t*)0x2000000156a6 = 9; *(uint8_t*)0x2000000156a7 = 5; *(uint8_t*)0x2000000156a8 = 6; *(uint8_t*)0x2000000156a9 = 0; *(uint16_t*)0x2000000156aa = 0x400; *(uint8_t*)0x2000000156ac = 4; *(uint8_t*)0x2000000156ad = 0; *(uint8_t*)0x2000000156ae = 6; *(uint8_t*)0x2000000156af = 9; *(uint8_t*)0x2000000156b0 = 5; *(uint8_t*)0x2000000156b1 = 0x1f; *(uint8_t*)0x2000000156b2 = 0xc; *(uint16_t*)0x2000000156b3 = 0x20; *(uint8_t*)0x2000000156b5 = 8; *(uint8_t*)0x2000000156b6 = 0x80; *(uint8_t*)0x2000000156b7 = 4; *(uint8_t*)0x2000000156b8 = 7; *(uint8_t*)0x2000000156b9 = 0x25; *(uint8_t*)0x2000000156ba = 1; *(uint8_t*)0x2000000156bb = 4; *(uint8_t*)0x2000000156bc = 0x40; *(uint16_t*)0x2000000156bd = 0xfff; *(uint8_t*)0x2000000156bf = 0x4a; *(uint8_t*)0x2000000156c0 = 9; memcpy((void*)0x2000000156c1, "\x13\xdf\x6f\x0c\x72\x3d\x23\x38\x80\xc0\x86\x9f\x46\xc9\x39\x9e\x14\x8e\xf0\xd9\x87\x29\x76\x35\xb6\xbf\x6f\x36\x9c\xbf\x8f\x07\xb3\x4b\x93\x76\xff\x57\xdc\xbd\xf2\x74\x65\xeb\x51\x53\xfb\x8d\xd7\xca\x2f\xab\x27\x37\xdd\x51\x5e\xde\xf1\xc9\x66\x91\x5e\x06\x76\xdb\x83\x1f\x2b\x91\x8d\x82", 72); *(uint8_t*)0x200000015709 = 9; *(uint8_t*)0x20000001570a = 4; *(uint8_t*)0x20000001570b = 0xe4; *(uint8_t*)0x20000001570c = 0xb; *(uint8_t*)0x20000001570d = 0xd; *(uint8_t*)0x20000001570e = -1; *(uint8_t*)0x20000001570f = 0xde; *(uint8_t*)0x200000015710 = 0x55; 
*(uint8_t*)0x200000015711 = 3; *(uint8_t*)0x200000015712 = 0xa; *(uint8_t*)0x200000015713 = 0x24; *(uint8_t*)0x200000015714 = 1; *(uint16_t*)0x200000015715 = 3; *(uint16_t*)0x200000015717 = 0xa; *(uint8_t*)0x200000015719 = 2; *(uint8_t*)0x20000001571a = 1; *(uint8_t*)0x20000001571b = 2; *(uint8_t*)0x20000001571c = 9; *(uint8_t*)0x20000001571d = 5; *(uint8_t*)0x20000001571e = 1; *(uint8_t*)0x20000001571f = 3; *(uint16_t*)0x200000015720 = 0x20; *(uint8_t*)0x200000015722 = 1; *(uint8_t*)0x200000015723 = 0x66; *(uint8_t*)0x200000015724 = 7; *(uint8_t*)0x200000015725 = 0x8c; *(uint8_t*)0x200000015726 = 0x23; memcpy((void*)0x200000015727, "\xc3\x44\xbd\x7f\x69\x0e\x11\x22\xd6\x52\x4c\xcd\x02\x57\xc1\x18\x5e\x61\xc3\xab\x3c\xcb\x36\x6e\xf9\x03\x7a\x58\x03\x54\x18\x72\x8d\x9a\xab\x96\x71\x7e\x22\x0d\x72\x20\xfb\x96\x4b\x7e\x92\x8d\x75\xef\x45\x85\x91\x31\x15\x90\x97\xfa\x85\xb2\xd2\x4e\xeb\x7f\xc5\x90\xe0\x48\xeb\x1b\xa8\x30\xac\x34\x3b\xfd\x9a\x3c\x32\xdf\xc9\x3f\xad\xcb\x90\xf9\x3a\x63\xc7\x37\x83\x4f\x5e\x2d\x4e\x73\x68\xe0\x2e\xc5\xf2\x10\x6b\xef\x93\x5e\x5e\x74\xc3\xe7\xd2\xd3\xd1\x6e\xbf\xfa\x13\xa8\x29\x49\x9d\xa4\x42\xf0\x17\x26\xd0\x7a\x33\x8f\xeb\x61\x2c\x3b\x6e\x51\x93\xb8", 138); *(uint8_t*)0x2000000157b1 = 9; *(uint8_t*)0x2000000157b2 = 5; *(uint8_t*)0x2000000157b3 = 1; *(uint8_t*)0x2000000157b4 = 0xc; *(uint16_t*)0x2000000157b5 = 0x10; *(uint8_t*)0x2000000157b7 = 6; *(uint8_t*)0x2000000157b8 = 0x73; *(uint8_t*)0x2000000157b9 = 2; *(uint8_t*)0x2000000157ba = 9; *(uint8_t*)0x2000000157bb = 5; *(uint8_t*)0x2000000157bc = 0xe; *(uint8_t*)0x2000000157bd = 1; *(uint16_t*)0x2000000157be = 0x40; *(uint8_t*)0x2000000157c0 = 0; *(uint8_t*)0x2000000157c1 = 0; *(uint8_t*)0x2000000157c2 = 0xe; *(uint8_t*)0x2000000157c3 = 7; *(uint8_t*)0x2000000157c4 = 0x25; *(uint8_t*)0x2000000157c5 = 1; *(uint8_t*)0x2000000157c6 = 8; *(uint8_t*)0x2000000157c7 = 8; *(uint16_t*)0x2000000157c8 = 0x9df1; *(uint8_t*)0x2000000157ca = 7; *(uint8_t*)0x2000000157cb = 0x25; 
*(uint8_t*)0x2000000157cc = 1; *(uint8_t*)0x2000000157cd = 4; *(uint8_t*)0x2000000157ce = 3; *(uint16_t*)0x2000000157cf = 0x84; *(uint8_t*)0x2000000157d1 = 9; *(uint8_t*)0x2000000157d2 = 5; *(uint8_t*)0x2000000157d3 = 7; *(uint8_t*)0x2000000157d4 = 0x10; *(uint16_t*)0x2000000157d5 = 8; *(uint8_t*)0x2000000157d7 = 0xd; *(uint8_t*)0x2000000157d8 = 6; *(uint8_t*)0x2000000157d9 = 6; *(uint8_t*)0x2000000157da = 0x9c; *(uint8_t*)0x2000000157db = 0x11; memcpy((void*)0x2000000157dc, "\x61\xc2\xc5\x81\xbc\xf0\xdc\x3a\x09\xec\x54\x65\xd8\xb3\x95\x93\xb5\x1c\xb5\x68\xad\x67\xbf\x21\x9f\x28\xa6\x37\xf8\xb8\xf3\xaa\xe7\xb6\xcf\x31\x06\x9d\xa5\x51\xc5\xd9\x0a\x29\x7a\xb0\xcf\xed\xa5\x43\xa0\xf7\x62\xc8\x18\x5b\xab\xc4\x3a\x4c\x9b\xb3\xb0\x95\xc0\xee\x13\x96\xf8\xb1\xfd\x62\x19\xb3\x16\x13\xb7\x56\x0d\x30\x9f\x17\x3c\x80\x67\x3f\xb0\x85\x29\xfc\x8f\x17\x52\x91\xf9\x98\x56\xaf\x19\x8c\xf4\x7a\x32\xc7\x6d\xf6\xbe\x44\x94\x93\xe5\xa6\x6e\xb4\x66\x4b\x84\x22\x6c\xa1\xe2\xc8\xf2\x02\x9a\xde\x7d\x75\x31\x6b\x10\x4a\x34\x80\xfb\xf7\xd4\x50\x9d\x74\x8c\x36\xf6\x59\xf8\xf5\x27\x43\xfd\x07\x7f\xc7\xdf\x42", 154); *(uint8_t*)0x200000015876 = 0x4e; *(uint8_t*)0x200000015877 = 4; memcpy((void*)0x200000015878, "\x57\xfa\xd1\x47\xfa\x12\xcd\x27\x89\x6e\x4e\x92\xba\x1a\xd4\x05\x8c\x8d\x43\xec\x21\x50\xd8\x73\x2f\xc5\xae\x10\x5a\x17\x4e\xd8\x39\x42\xdc\xb7\x9a\x05\xb1\x0f\xd4\x95\x7d\xbc\x1a\xc0\x27\xa2\xdf\x57\x28\xb2\xb2\xbb\x9b\x5b\xc5\x1f\x9a\x8c\x88\xe9\xfa\x85\x11\x38\xc7\xcd\xd7\x62\x66\x41\x91\x1c\xbe\x0c", 76); *(uint8_t*)0x2000000158c4 = 9; *(uint8_t*)0x2000000158c5 = 5; *(uint8_t*)0x2000000158c6 = 0; *(uint8_t*)0x2000000158c7 = 0xc; *(uint16_t*)0x2000000158c8 = 8; *(uint8_t*)0x2000000158ca = 8; *(uint8_t*)0x2000000158cb = 0x20; *(uint8_t*)0x2000000158cc = 0xc; *(uint8_t*)0x2000000158cd = 7; *(uint8_t*)0x2000000158ce = 0x25; *(uint8_t*)0x2000000158cf = 1; *(uint8_t*)0x2000000158d0 = 4; *(uint8_t*)0x2000000158d1 = 6; *(uint16_t*)0x2000000158d2 = 0x101; *(uint8_t*)0x2000000158d4 = 7; 
*(uint8_t*)0x2000000158d5 = 0x25; *(uint8_t*)0x2000000158d6 = 1; *(uint8_t*)0x2000000158d7 = 8; *(uint8_t*)0x2000000158d8 = 0xfd; *(uint16_t*)0x2000000158d9 = 2; *(uint8_t*)0x2000000158db = 9; *(uint8_t*)0x2000000158dc = 5; *(uint8_t*)0x2000000158dd = 0xb; *(uint8_t*)0x2000000158de = 0xc; *(uint16_t*)0x2000000158df = 0x10; *(uint8_t*)0x2000000158e1 = 0xf0; *(uint8_t*)0x2000000158e2 = 3; *(uint8_t*)0x2000000158e3 = 9; *(uint8_t*)0x2000000158e4 = 9; *(uint8_t*)0x2000000158e5 = 5; *(uint8_t*)0x2000000158e6 = 2; *(uint8_t*)0x2000000158e7 = 2; *(uint16_t*)0x2000000158e8 = 0x7b7; *(uint8_t*)0x2000000158ea = 9; *(uint8_t*)0x2000000158eb = 2; *(uint8_t*)0x2000000158ec = 0x78; *(uint8_t*)0x2000000158ed = 7; *(uint8_t*)0x2000000158ee = 0x25; *(uint8_t*)0x2000000158ef = 1; *(uint8_t*)0x2000000158f0 = 4; *(uint8_t*)0x2000000158f1 = 2; *(uint16_t*)0x2000000158f2 = 0x6e8; *(uint8_t*)0x2000000158f4 = 9; *(uint8_t*)0x2000000158f5 = 5; *(uint8_t*)0x2000000158f6 = 0xe; *(uint8_t*)0x2000000158f7 = 0; *(uint16_t*)0x2000000158f8 = 8; *(uint8_t*)0x2000000158fa = 0xb6; *(uint8_t*)0x2000000158fb = 0x47; *(uint8_t*)0x2000000158fc = 1; *(uint8_t*)0x2000000158fd = 0xea; *(uint8_t*)0x2000000158fe = 0xd; memcpy((void*)0x2000000158ff, 
"\xd7\xee\xf8\xad\xff\x59\x3f\xef\x60\x12\x57\xeb\x29\xf1\x12\x3c\x0f\x04\xcf\x50\xd2\xf0\x65\xa5\x2a\xb8\x35\xd4\x04\x54\xac\x46\xb6\x63\x87\x38\xe9\x75\x3c\x66\x06\x2b\x76\xd4\x57\xd6\xb3\x63\xf7\xb7\x63\x4f\xea\xac\x71\x9c\x3e\x90\x0c\xce\xb8\xd9\x69\x21\x0b\x57\x3a\x62\xd4\x51\x64\x98\xd5\x98\xa6\x1e\x6f\xa5\xbb\xd0\xfd\x38\x6f\x9f\x1d\x7a\xfe\xf4\xdd\xbe\x39\x49\x5d\x6e\x55\x5d\x24\x55\x5b\xf1\xbf\xfe\x21\xfc\x47\x2a\xb2\xa8\xd5\xd0\xf8\xa6\x11\xab\x5a\x46\xae\x9b\x23\xbb\x6a\x6b\x36\x39\x46\xda\xfb\xb2\xe7\x41\xd3\x4f\xe4\x56\xf5\x81\x63\x32\xd7\x2d\x43\x5f\xbd\x1f\xae\x47\x63\x32\x5d\xac\x58\xc2\xde\x0a\x67\x27\x7e\x2d\x74\xfe\xf5\xd8\xba\x6d\xe1\x7c\x31\xd5\xc7\xfb\x01\xa1\x3d\x3b\xf0\x0c\x31\x13\x41\x6b\x72\xb3\xe2\xe0\xb8\x0b\x4a\xb9\xcd\xa7\x7d\x2d\xe3\xed\x36\x8f\xab\x48\x41\xfd\x62\xac\xf6\x6e\x43\x21\x21\xb5\xf5\xd7\xc8\xc0\x36\x66\x0d\x7a\x35\x10\x33\x15\x5e\x3e\xef\x2f\xf2\x0f\x2a\xed\x82\x41\xd1\x76", 232); *(uint8_t*)0x2000000159e7 = 9; *(uint8_t*)0x2000000159e8 = 5; *(uint8_t*)0x2000000159e9 = 0xe; *(uint8_t*)0x2000000159ea = 3; *(uint16_t*)0x2000000159eb = 0x200; *(uint8_t*)0x2000000159ed = -1; *(uint8_t*)0x2000000159ee = 0x62; *(uint8_t*)0x2000000159ef = 5; *(uint8_t*)0x2000000159f0 = 0x55; *(uint8_t*)0x2000000159f1 = 0x23; memcpy((void*)0x2000000159f2, "\xd5\x22\xb5\x6c\x6d\xde\x6a\x69\x8a\x23\xe1\x0e\x4f\xc0\x79\x8f\x87\xc9\x46\xfa\x28\x48\xc7\x17\xa9\xa3\x31\x38\xfd\xb3\x47\x57\x93\xc1\xb4\xd1\x72\x2b\x3b\xcc\x36\x38\x4d\x25\x89\xa2\x7e\x5f\x22\xb2\x89\x72\x7e\x23\xf0\x39\xff\xdf\x2a\xb2\x5d\xa6\x2c\x09\x2e\xd0\x1c\xb1\x51\xb0\xad\x8b\xa7\x75\x8c\x32\xab\xd0\x7f\x79\x51\x4e\xba", 83); *(uint8_t*)0x200000015a45 = 0x96; *(uint8_t*)0x200000015a46 = 8; memcpy((void*)0x200000015a47, 
"\x70\xf4\xe5\xb8\x33\x74\xf7\xb0\xde\x44\xec\x45\x10\x5a\xc3\x14\x02\x14\x0e\x17\x62\x14\x64\x1e\x37\x97\xba\x0a\xea\x40\x13\xe3\xe7\xc2\x87\x1f\x78\x52\x8a\x25\x6a\x22\x49\xdc\xad\x68\x4f\xd5\x77\xa4\x28\xa1\x4f\x44\x6c\xe9\xd7\xde\x49\x36\x4a\xa1\x63\xc6\x8d\xd1\xe4\xe2\x0c\x0a\xa9\x8a\x26\x35\x47\xf0\x7d\xae\x9c\x3e\x45\xff\xec\x5b\xdc\xcf\xb9\x0b\x1a\xd9\x05\x4d\xa6\x28\x66\x62\x6b\xfb\xc3\x94\xa1\xe9\xae\xc6\xb3\x00\x42\x0a\x61\x67\xe6\xe6\xef\x43\x96\xdf\xfb\x6b\xfc\x18\xd3\xb2\x53\x77\x89\x27\x04\x23\x86\x75\x35\xf7\x5b\x14\x54\xcc\x3b\x8a\x6a\xef\x5b\x65\xb9\x77\x41\x39\xad\xcf", 148); *(uint8_t*)0x200000015adb = 9; *(uint8_t*)0x200000015adc = 5; *(uint8_t*)0x200000015add = 0xc; *(uint8_t*)0x200000015ade = 0x10; *(uint16_t*)0x200000015adf = 0x20; *(uint8_t*)0x200000015ae1 = 8; *(uint8_t*)0x200000015ae2 = 1; *(uint8_t*)0x200000015ae3 = 8; *(uint8_t*)0x200000015ae4 = 9; *(uint8_t*)0x200000015ae5 = 5; *(uint8_t*)0x200000015ae6 = 0xd; *(uint8_t*)0x200000015ae7 = 0x10; *(uint16_t*)0x200000015ae8 = 0x400; *(uint8_t*)0x200000015aea = 3; *(uint8_t*)0x200000015aeb = 0x6d; *(uint8_t*)0x200000015aec = 7; *(uint8_t*)0x200000015aed = 0x85; *(uint8_t*)0x200000015aee = 0xe; memcpy((void*)0x200000015aef, "\x1a\x54\xb4\xa0\x79\x76\xe1\x6c\xec\x50\x7f\x7c\xfe\x00\xc9\x35\x99\xf9\xfd\xef\xaf\x8b\xf8\x6c\xb9\xae\x60\xf5\xe7\x42\x6c\x78\xb3\xe0\x1c\xc8\xca\xb0\xaa\xf0\x9d\xeb\xba\xcd\x78\x5c\x9d\xe3\xbb\x89\x55\x1d\x0a\x24\x1f\x2d\x65\x83\x0f\x53\x64\x75\x49\x91\xfe\xea\xd8\x7f\xe8\xc8\xb9\x28\xac\x16\x85\x3a\xe9\x59\xea\xc2\x7b\x59\xcc\xc8\x6d\x22\x44\x2c\xa6\x29\xd1\x20\xb1\xa0\x9c\xf1\x41\x84\xa9\xc4\x87\x3f\x74\xae\x74\x82\x01\xf5\xf4\xe6\x49\xe3\x72\x4c\x7d\xdb\x89\xf4\x58\x47\x2b\x28\x5f\x9c\x10\xea\x40\x39\x3f\x30\x60", 131); *(uint8_t*)0x200000015b72 = 9; *(uint8_t*)0x200000015b73 = 5; *(uint8_t*)0x200000015b74 = 9; *(uint8_t*)0x200000015b75 = 0; *(uint16_t*)0x200000015b76 = 8; *(uint8_t*)0x200000015b78 = 0xa; *(uint8_t*)0x200000015b79 = 7; *(uint8_t*)0x200000015b7a = 
2; *(uint8_t*)0x200000015b7b = 7; *(uint8_t*)0x200000015b7c = 0x25; *(uint8_t*)0x200000015b7d = 1; *(uint8_t*)0x200000015b7e = 0; *(uint8_t*)0x200000015b7f = 4; *(uint16_t*)0x200000015b80 = 0x4fb3; *(uint8_t*)0x200000015b82 = 9; *(uint8_t*)0x200000015b83 = 5; *(uint8_t*)0x200000015b84 = 7; *(uint8_t*)0x200000015b85 = 0x10; *(uint16_t*)0x200000015b86 = 0x3ff; *(uint8_t*)0x200000015b88 = 1; *(uint8_t*)0x200000015b89 = 0x88; *(uint8_t*)0x200000015b8a = 6; *(uint8_t*)0x200000015b8b = 9; *(uint8_t*)0x200000015b8c = 4; *(uint8_t*)0x200000015b8d = 0x10; *(uint8_t*)0x200000015b8e = 8; *(uint8_t*)0x200000015b8f = 0x10; *(uint8_t*)0x200000015b90 = -1; *(uint8_t*)0x200000015b91 = 0x5d; *(uint8_t*)0x200000015b92 = 0x81; *(uint8_t*)0x200000015b93 = 3; *(uint8_t*)0x200000015b94 = 0xb7; *(uint8_t*)0x200000015b95 = 0; memcpy((void*)0x200000015b96, "\xbe\xa8\xfd\xb5\x0e\x62\x4b\x76\x3d\xdd\xda\xf5\xed\x85\xd8\x17\x0c\xa8\x58\xcf\x74\xac\x67\x8e\xb5\x4d\x20\x45\xe5\xfb\xb2\x77\x21\x40\xe2\xcf\x18\x95\xcb\x69\x3a\x91\x4f\xfb\x89\x1c\xd2\xc9\x0d\x48\x27\xbc\xd3\x43\x59\xd7\x01\x07\x46\x2e\xad\x88\x9a\x6e\x4e\xd6\x96\x89\x35\xa8\x1a\x14\x7a\xc0\xcc\xc8\x1c\x38\xd6\x2d\x6a\x84\xcf\x50\x45\x52\xec\x37\xd6\x09\xb5\x47\x50\x18\xbd\xa1\x24\xc0\x9e\xa9\xf2\x13\x03\x86\x5f\xe4\x64\xab\xc3\x8c\xd8\x4a\xe4\x2d\xe3\x3e\x46\x91\x12\x7e\x2b\x85\x53\x83\x7d\x58\xcd\xa5\x1f\x11\xa0\x5a\x15\x38\xec\xff\x55\xe9\x0f\x34\xa1\xc5\x66\xc2\x34\xc0\x06\xd0\x0b\x50\xb4\xb2\x9e\x49\xb8\xd0\x90\xf5\xa2\x74\xae\x37\xe0\x3e\x49\x68\x2c\x44\xc2\xb1\xd9\xdb\x62\xf6\x32\x33\xf9\x67\x0c\xb2\xac", 181); *(uint8_t*)0x200000015c4b = 9; *(uint8_t*)0x200000015c4c = 5; *(uint8_t*)0x200000015c4d = 0xc; *(uint8_t*)0x200000015c4e = 0x10; *(uint16_t*)0x200000015c4f = 0x40; *(uint8_t*)0x200000015c51 = 9; *(uint8_t*)0x200000015c52 = 8; *(uint8_t*)0x200000015c53 = 2; *(uint8_t*)0x200000015c54 = 9; *(uint8_t*)0x200000015c55 = 5; *(uint8_t*)0x200000015c56 = 6; *(uint8_t*)0x200000015c57 = 2; *(uint16_t*)0x200000015c58 = 8; 
*(uint8_t*)0x200000015c5a = 3; *(uint8_t*)0x200000015c5b = 0x18; *(uint8_t*)0x200000015c5c = 0x1c; *(uint8_t*)0x200000015c5d = 0xf6; *(uint8_t*)0x200000015c5e = 0xc; memcpy((void*)0x200000015c5f, "\xd7\x72\x97\x11\x23\x6e\xb7\x89\x69\x91\xe6\xff\xe3\xdd\x76\x22\xe9\x6e\x2e\x7d\x17\x60\xab\x64\x52\x47\x2b\xba\xc1\xd0\x68\x61\xd9\xd4\x9e\x41\x00\x60\x6a\x22\x7d\x34\x2c\x61\x75\x94\x5a\xde\x9c\xc3\xf4\x6e\xc4\x62\x7f\x92\xca\xa5\xd7\x32\x27\xfa\xe7\xa3\x60\xd2\x5f\xac\x9e\x57\x44\x07\x3f\x0c\x05\x4c\x9a\x5b\x82\x58\xdd\x27\x9b\x73\x68\x76\x58\x4b\x90\x4d\x94\x3b\x23\xc2\x6d\x9e\x6b\xc2\xdd\x3b\x98\xf3\x62\x44\x15\x8c\x76\x0f\x0b\xf9\x75\x02\x91\x42\xb3\xf5\x8b\xb6\x3e\xc3\x76\xd7\xf5\xd9\x61\x18\x20\xd3\x80\xef\xd7\xde\x61\x63\xac\x8d\xc2\x71\x44\xe2\x1d\x92\xc9\x3f\xfe\xcc\x2d\x8c\x7b\x3b\xc5\xea\xd1\x81\x86\x3c\xd9\x6a\x0a\xbf\x28\x89\xeb\x10\xb6\x87\x91\x3f\xa8\x21\x4b\x89\xde\x11\xf5\x2b\x7d\x19\x36\xad\x9c\x1c\x45\xda\x86\xa1\x5e\x86\xb6\xc9\x06\x02\x91\xd8\x5b\x48\xeb\xc2\x34\x4d\xb8\xad\x8c\xc5\x2f\x79\xd4\xf0\x37\x7a\x89\x3b\x3d\xa6\x1c\xfc\x15\x13\xd2\xba\x95\x36\xd6\x19\x0d\xe8\x86\xa2\xd1\x8f\xf8\xab\x1f\x46\x3f\x15\x47\x1d\x7f\x96\xdc\x92\xd0\xac", 244); *(uint8_t*)0x200000015d53 = 9; *(uint8_t*)0x200000015d54 = 5; *(uint8_t*)0x200000015d55 = 7; *(uint8_t*)0x200000015d56 = 4; *(uint16_t*)0x200000015d57 = 0x20; *(uint8_t*)0x200000015d59 = 9; *(uint8_t*)0x200000015d5a = 2; *(uint8_t*)0x200000015d5b = 0x37; *(uint8_t*)0x200000015d5c = 9; *(uint8_t*)0x200000015d5d = 5; *(uint8_t*)0x200000015d5e = 0xf; *(uint8_t*)0x200000015d5f = 0x12; *(uint16_t*)0x200000015d60 = 8; *(uint8_t*)0x200000015d62 = 0xd; *(uint8_t*)0x200000015d63 = 6; *(uint8_t*)0x200000015d64 = 0xf; *(uint8_t*)0x200000015d65 = 0x40; *(uint8_t*)0x200000015d66 = 5; memcpy((void*)0x200000015d67, 
"\x71\xaf\xb2\x61\x7a\x61\xe7\x55\x29\xdd\xe0\xf3\x2f\xa6\xca\x4b\x85\x7a\x84\xb3\x12\x0b\x93\x61\x68\x64\x2c\x34\x04\x8f\x29\x2f\xc2\x7a\x3a\x8f\x1f\x74\x58\x0c\xdc\x36\xe9\xa4\x0b\x4f\xf6\x92\xf1\x32\x24\xb9\x14\xa8\x9f\xb7\x30\x85\x79\x3a\x5c\x22", 62); *(uint8_t*)0x200000015da5 = 9; *(uint8_t*)0x200000015da6 = 5; *(uint8_t*)0x200000015da7 = 0xd; *(uint8_t*)0x200000015da8 = 0xc; *(uint16_t*)0x200000015da9 = 0xf5f1; *(uint8_t*)0x200000015dab = 4; *(uint8_t*)0x200000015dac = 1; *(uint8_t*)0x200000015dad = 0; *(uint8_t*)0x200000015dae = 0x50; *(uint8_t*)0x200000015daf = 3; memcpy((void*)0x200000015db0, "\x17\xff\xd4\x73\xba\x28\xc3\x60\x59\x1f\x57\x1d\xc6\x0f\x13\x24\xd4\xa3\x4a\xb8\xd9\xd3\xc0\x68\x6c\x13\xa6\x1b\xda\x24\x64\xe1\x63\x54\x23\xeb\xf4\xed\x34\x03\x7b\xab\x62\xfd\x30\xa8\xdd\x0a\x89\xf1\xbc\xbf\xf3\xaf\x4f\x0c\x98\x9d\xdb\x6f\x03\x76\x0a\xe7\x6f\x63\xff\xdc\xbf\xbb\xfe\xe9\xa1\x35\x25\x73\x14\xaa", 78); *(uint8_t*)0x200000015dfe = 9; *(uint8_t*)0x200000015dff = 5; *(uint8_t*)0x200000015e00 = 6; *(uint8_t*)0x200000015e01 = 0; *(uint16_t*)0x200000015e02 = 8; *(uint8_t*)0x200000015e04 = 0x2d; *(uint8_t*)0x200000015e05 = 0x10; *(uint8_t*)0x200000015e06 = 0xba; *(uint8_t*)0x200000015e07 = 9; *(uint8_t*)0x200000015e08 = 5; *(uint8_t*)0x200000015e09 = 0xe; *(uint8_t*)0x200000015e0a = 0; *(uint16_t*)0x200000015e0b = 0x10; *(uint8_t*)0x200000015e0d = 8; *(uint8_t*)0x200000015e0e = 7; *(uint8_t*)0x200000015e0f = 0xac; *(uint8_t*)0x200000015e10 = 9; *(uint8_t*)0x200000015e11 = 5; *(uint8_t*)0x200000015e12 = 0xa; *(uint8_t*)0x200000015e13 = 8; *(uint16_t*)0x200000015e14 = 0x20; *(uint8_t*)0x200000015e16 = 9; *(uint8_t*)0x200000015e17 = 0x7c; *(uint8_t*)0x200000015e18 = 1; *(uint8_t*)0x200000015e19 = 7; *(uint8_t*)0x200000015e1a = 0x25; *(uint8_t*)0x200000015e1b = 1; *(uint8_t*)0x200000015e1c = 8; *(uint8_t*)0x200000015e1d = 9; *(uint16_t*)0x200000015e1e = 4; *(uint8_t*)0x200000015e20 = 9; *(uint8_t*)0x200000015e21 = 5; *(uint8_t*)0x200000015e22 = 0xb; 
*(uint8_t*)0x200000015e23 = 0x10; *(uint16_t*)0x200000015e24 = 0x3ff; *(uint8_t*)0x200000015e26 = 1; *(uint8_t*)0x200000015e27 = 4; *(uint8_t*)0x200000015e28 = 0xbd; *(uint8_t*)0x200000015e29 = 9; *(uint8_t*)0x200000015e2a = 5; *(uint8_t*)0x200000015e2b = 7; *(uint8_t*)0x200000015e2c = 3; *(uint16_t*)0x200000015e2d = 0x20; *(uint8_t*)0x200000015e2f = 6; *(uint8_t*)0x200000015e30 = 0xf; *(uint8_t*)0x200000015e31 = 0xe; *(uint8_t*)0x200000015e32 = 9; *(uint8_t*)0x200000015e33 = 5; *(uint8_t*)0x200000015e34 = 0xd; *(uint8_t*)0x200000015e35 = 0x10; *(uint16_t*)0x200000015e36 = 0x7f7; *(uint8_t*)0x200000015e38 = 4; *(uint8_t*)0x200000015e39 = 0x1c; *(uint8_t*)0x200000015e3a = 1; *(uint8_t*)0x200000015e3b = 9; *(uint8_t*)0x200000015e3c = 5; *(uint8_t*)0x200000015e3d = 0; *(uint8_t*)0x200000015e3e = 0; *(uint16_t*)0x200000015e3f = 0x5f33; *(uint8_t*)0x200000015e41 = 0x40; *(uint8_t*)0x200000015e42 = 6; *(uint8_t*)0x200000015e43 = 0x81; *(uint8_t*)0x200000015e44 = 0x54; *(uint8_t*)0x200000015e45 = 9; memcpy((void*)0x200000015e46, "\x22\xa0\x3d\x11\x7e\xdd\x7f\xf8\x02\xcd\xb5\x09\xb4\x9c\xf0\x7b\x18\x84\xa5\xd0\x6a\x28\x72\xff\xdd\x1f\x6a\x97\x4c\x05\x74\x87\x1d\x68\xb2\xfd\x80\xb9\xdd\xe5\x57\xda\x7e\xec\x4d\x7f\x27\x78\xa5\xc3\xa4\xbb\xef\x51\x9d\x15\x8a\x59\xf1\x52\xfe\x19\xf5\x98\xe4\x33\x60\xf8\xa2\x4a\xa9\x73\xc5\x6f\x46\xc4\xa6\x8a\x27\x3a\x1f\xc4", 82); *(uint8_t*)0x200000015e98 = 9; *(uint8_t*)0x200000015e99 = 5; *(uint8_t*)0x200000015e9a = 0xf; *(uint8_t*)0x200000015e9b = 0x10; *(uint16_t*)0x200000015e9c = 8; *(uint8_t*)0x200000015e9e = 5; *(uint8_t*)0x200000015e9f = 0x38; *(uint8_t*)0x200000015ea0 = 1; *(uint8_t*)0x200000015ea1 = 9; *(uint8_t*)0x200000015ea2 = 5; *(uint8_t*)0x200000015ea3 = 4; *(uint8_t*)0x200000015ea4 = 0x10; *(uint16_t*)0x200000015ea5 = 0x10; *(uint8_t*)0x200000015ea7 = 4; *(uint8_t*)0x200000015ea8 = 2; *(uint8_t*)0x200000015ea9 = 7; *(uint8_t*)0x200000015eaa = 0xda; *(uint8_t*)0x200000015eab = 0x26; memcpy((void*)0x200000015eac, 
"\x32\x16\x2d\x9c\xff\xd7\x54\x8d\xdc\x15\x24\xc6\x65\x1f\xa1\x12\xcb\x83\x99\xeb\x7d\xaa\x74\x6a\xf4\xa3\xf4\x58\x15\x9b\xd8\xa4\x87\xda\xde\x32\x17\xae\x32\x24\x61\x5d\x50\xba\x56\x43\x30\x19\x52\xfd\xd0\x82\xab\x52\xf6\x4e\xb3\x8b\xdd\xcf\x02\xb0\x67\x28\xa3\xbf\x4f\x73\xd3\xb7\x80\xa3\xa5\x80\x4b\xad\x04\xec\xc2\x27\x87\x69\x0f\x67\x25\x76\x74\xf7\x28\xb1\x02\x31\xba\x2d\xb8\x3c\xb4\xeb\x84\x1e\x55\x23\xeb\x43\xf3\x48\x2d\x3e\xc3\x3c\xb8\x18\x7b\x87\xaa\x08\xa2\x1e\x94\xe0\x39\x4a\x1e\xe8\xd8\xf0\xcc\x08\x89\x10\xab\xa4\xdb\xe5\xfe\xef\xc2\x45\x38\x0f\xf1\x44\x3e\x3a\x97\xbd\x4d\x5a\xdd\xd0\x1f\x11\x26\xd4\xb7\x0a\xbc\xbb\xe1\x40\x71\x6a\x1c\x66\xda\xc6\x1f\x66\x51\x4f\xce\xbe\x67\x64\x7b\x43\xbb\xd8\xe8\x48\x33\x3f\xf9\x95\x7e\xba\xac\xe9\xd0\x57\xb6\x27\xa6\x67\xe6\xf5\x1d\xae\xac\x30\x2b\x21\x29\xc2\x6d\x41\x5b\xc9\xa2\xee\x74\x95\xb3\x31\xb7\xda", 216); *(uint8_t*)0x200000015f84 = 7; *(uint8_t*)0x200000015f85 = 0x25; *(uint8_t*)0x200000015f86 = 1; *(uint8_t*)0x200000015f87 = 0; *(uint8_t*)0x200000015f88 = 7; *(uint16_t*)0x200000015f89 = 1; *(uint8_t*)0x200000015f8b = 9; *(uint8_t*)0x200000015f8c = 5; *(uint8_t*)0x200000015f8d = 3; *(uint8_t*)0x200000015f8e = 1; *(uint16_t*)0x200000015f8f = 0x40; *(uint8_t*)0x200000015f91 = 8; *(uint8_t*)0x200000015f92 = 7; *(uint8_t*)0x200000015f93 = 5; *(uint8_t*)0x200000015f94 = 9; *(uint8_t*)0x200000015f95 = 5; *(uint8_t*)0x200000015f96 = 0xb; *(uint8_t*)0x200000015f97 = 0x10; *(uint16_t*)0x200000015f98 = 0x40; *(uint8_t*)0x200000015f9a = 0xfe; *(uint8_t*)0x200000015f9b = 0; *(uint8_t*)0x200000015f9c = 0xd; *(uint8_t*)0x200000015f9d = 0xe1; *(uint8_t*)0x200000015f9e = 0x24; memcpy((void*)0x200000015f9f, 
"\x66\xc9\x68\xf6\x7f\x56\xd0\xab\x89\xd6\x81\x9c\x67\xd1\xd6\xc2\x15\xd2\xf3\xcf\x61\x5b\x37\x02\x8d\xb2\x69\xd9\x36\x08\xcd\xf0\x70\x41\x18\xe0\xdd\xbf\x97\x16\x6c\x27\xaf\xb5\x1a\x13\x2c\xd7\x0f\x0f\xa3\xb7\xad\x5e\xe3\xa4\x41\x02\x7a\x74\x12\x27\x81\xab\x0f\x1c\xe5\xfe\x7b\xd1\x15\x3c\x8f\xfc\xcd\x3e\xf1\x09\x21\x3f\x20\xd2\xba\xfd\x0e\x33\x1a\xbc\x5c\xd1\xfb\x54\x80\x9a\x06\xc8\xfa\x60\xa9\xf0\xfc\x8e\x11\x3f\x31\x8c\x3a\x7f\x7b\xc6\xfa\xbe\x19\x30\x94\xec\x49\x3d\x24\x6c\xbd\x70\x2b\xf0\x19\x79\x6a\x88\x72\xb3\xc4\x02\x34\xd8\xe9\x07\x31\xb2\xdf\xf8\x8a\x1f\x0c\x4f\x17\x86\xa1\x90\xeb\x16\x65\x1e\x3a\xc4\x5e\xdb\x14\xd9\xfb\x89\x86\x44\xbe\xd6\x15\x76\xbd\x7a\x9f\xd9\x0c\x52\x17\x21\x7f\x6b\x9a\xed\x19\xd4\xa2\x2b\xff\x48\x2d\x05\x8e\x60\x3d\x2a\x0c\xdc\x48\xb1\xb2\x71\xb7\x9b\x1e\x25\xd7\xfe\x6b\xb8\x20\x50\x6e\x48\x57\x9a\x78\xaf\x99\xe7\xe9\x42\x9b\xcd\x4b\x07\xbc\x01\x34", 223); *(uint8_t*)0x20000001607e = 0x40; *(uint8_t*)0x20000001607f = 5; memcpy((void*)0x200000016080, "\x8f\x82\xcc\x05\xdf\x67\x73\x41\x41\xe3\x56\xe9\x36\xa6\xe0\xa7\x24\x7a\xc2\x3b\x30\x90\x0c\x5f\xc4\x14\x8a\x14\x99\x0b\x50\x04\x68\x6d\xe6\xca\xce\x04\xad\xe3\x50\xf0\x4a\x3d\x07\x8c\x39\x10\xf7\xdb\xa4\x92\xaf\x85\xda\x64\x94\x32\xe2\x6a\x78\x54", 62); *(uint8_t*)0x2000000160be = 9; *(uint8_t*)0x2000000160bf = 4; *(uint8_t*)0x2000000160c0 = 0x88; *(uint8_t*)0x2000000160c1 = 1; *(uint8_t*)0x2000000160c2 = 8; *(uint8_t*)0x2000000160c3 = 0xeb; *(uint8_t*)0x2000000160c4 = 0x43; *(uint8_t*)0x2000000160c5 = 0x23; *(uint8_t*)0x2000000160c6 = 4; *(uint8_t*)0x2000000160c7 = 9; *(uint8_t*)0x2000000160c8 = 5; *(uint8_t*)0x2000000160c9 = 0xc; *(uint8_t*)0x2000000160ca = 0; *(uint16_t*)0x2000000160cb = 0x40; *(uint8_t*)0x2000000160cd = 8; *(uint8_t*)0x2000000160ce = 8; *(uint8_t*)0x2000000160cf = 5; *(uint8_t*)0x2000000160d0 = 9; *(uint8_t*)0x2000000160d1 = 5; *(uint8_t*)0x2000000160d2 = 0; *(uint8_t*)0x2000000160d3 = 0x10; *(uint16_t*)0x2000000160d4 = 0x20; *(uint8_t*)0x2000000160d6 = 0x9a; 
*(uint8_t*)0x2000000160d7 = 0x5f; *(uint8_t*)0x2000000160d8 = 7; *(uint8_t*)0x2000000160d9 = 7; *(uint8_t*)0x2000000160da = 0x25; *(uint8_t*)0x2000000160db = 1; *(uint8_t*)0x2000000160dc = 0; *(uint8_t*)0x2000000160dd = 0x81; *(uint16_t*)0x2000000160de = 4; *(uint8_t*)0x2000000160e0 = 7; *(uint8_t*)0x2000000160e1 = 0x25; *(uint8_t*)0x2000000160e2 = 1; *(uint8_t*)0x2000000160e3 = 0xc; *(uint8_t*)0x2000000160e4 = 0xf9; *(uint16_t*)0x2000000160e5 = 2; *(uint8_t*)0x2000000160e7 = 9; *(uint8_t*)0x2000000160e8 = 5; *(uint8_t*)0x2000000160e9 = 0xb; *(uint8_t*)0x2000000160ea = 0x10; *(uint16_t*)0x2000000160eb = 0x40; *(uint8_t*)0x2000000160ed = 7; *(uint8_t*)0x2000000160ee = 1; *(uint8_t*)0x2000000160ef = 2; *(uint8_t*)0x2000000160f0 = 7; *(uint8_t*)0x2000000160f1 = 0x25; *(uint8_t*)0x2000000160f2 = 1; *(uint8_t*)0x2000000160f3 = 4; *(uint8_t*)0x2000000160f4 = 6; *(uint16_t*)0x2000000160f5 = 1; *(uint8_t*)0x2000000160f7 = 7; *(uint8_t*)0x2000000160f8 = 0x25; *(uint8_t*)0x2000000160f9 = 1; *(uint8_t*)0x2000000160fa = 0xc; *(uint8_t*)0x2000000160fb = 0xd; *(uint16_t*)0x2000000160fc = 0x103; *(uint8_t*)0x2000000160fe = 9; *(uint8_t*)0x2000000160ff = 5; *(uint8_t*)0x200000016100 = 0xb; *(uint8_t*)0x200000016101 = 0xc; *(uint16_t*)0x200000016102 = 0x3ff; *(uint8_t*)0x200000016104 = 0xa9; *(uint8_t*)0x200000016105 = 1; *(uint8_t*)0x200000016106 = 6; *(uint8_t*)0x200000016107 = 0xfb; *(uint8_t*)0x200000016108 = 0x2c; memcpy((void*)0x200000016109, 
"\xdf\x60\xd2\x33\x06\x38\x67\xe6\x38\xf4\xac\x47\x4e\x68\x5f\xef\x8f\x86\x15\x57\xd0\xa3\x15\x66\xd5\x8b\xde\x1f\x04\xa1\x13\xf6\xcb\x64\xc9\x60\x56\xa8\x16\x85\xa6\xdf\xa2\x97\x8a\x60\xc2\xd9\x4e\x45\x0f\x66\x75\xe3\x8b\x44\xc9\x6b\xfb\xff\x6c\x5f\x37\x46\x60\x93\x46\x49\x74\x83\xdf\xc8\xac\x21\x27\x36\x2c\xdb\xda\xa0\x25\x39\x51\xa1\x82\x27\x21\x83\xf4\x56\xaa\xe2\xbd\x12\xb2\x92\xc6\x09\xe8\xe1\x4b\x4f\x8c\x18\x53\xe0\xd8\x7e\x0c\x31\x79\xc8\xbe\x7b\x07\x30\x72\x1b\xb3\x01\x59\x04\x08\x26\xf0\x93\x51\x0c\xe0\x22\x58\x76\x91\x62\x7b\x23\x6a\x66\x21\x56\x20\x41\x8d\xf3\x34\xd2\x8d\x1d\x14\xf0\xca\x3b\x9f\x4f\xcf\xf0\x6b\xa2\x49\xdd\x19\x50\x81\x98\x50\x3a\x2c\x2c\xd4\xf3\xab\xda\xdb\xd4\xf1\xac\xe4\xe6\x27\xbe\xc9\x72\x99\xa0\x02\x28\xe0\x9c\x06\x4e\x5f\x34\x2e\x00\xd8\xc8\xf2\xd5\xb1\xfb\x56\x48\x5e\x73\x6a\x87\xdc\xfe\x51\x0c\x21\x86\x32\x72\x91\x22\xa4\xeb\x5d\x5b\x5d\x81\xdf\x8b\xe5\x85\x27\x18\x3e\x48\xf7\x60\xb8\x5c\x59\x9f\x88\x13\xf8\x9d\x70\x6a\xf7\xb2\x2f\x77\xd6\x8d\xc1", 249); *(uint8_t*)0x200000016202 = 0x6b; *(uint8_t*)0x200000016203 = 4; memcpy((void*)0x200000016204, "\x07\xec\xe0\x65\x86\xe0\x15\x05\xf1\x26\xe0\xdb\x2e\xd1\xac\x18\xb5\x75\x49\xf0\x80\xd7\x41\xf3\x8b\x0c\xce\xc6\xba\x03\x4d\x09\x64\x29\x40\x56\x19\xd0\x1a\xf4\x35\xc8\x09\x2b\xe0\xe9\xc4\xa9\x3c\x1b\x64\x7e\x7c\x7f\x14\xf0\x5e\xff\xf3\x05\xd2\xb8\x5d\x51\xfe\xdf\xf7\x50\xb8\x7e\x59\x90\xd0\x28\xfd\x33\x86\x45\x02\x9b\xd9\xed\x95\xe0\x03\x05\xac\xce\x8b\x89\x9a\x78\x6d\xbf\x30\x89\x5b\xe0\x31\x48\xa7\xa1\xe3\xbf\x25", 105); *(uint8_t*)0x20000001626d = 9; *(uint8_t*)0x20000001626e = 5; *(uint8_t*)0x20000001626f = 6; *(uint8_t*)0x200000016270 = 8; *(uint16_t*)0x200000016271 = 0x400; *(uint8_t*)0x200000016273 = 3; *(uint8_t*)0x200000016274 = 5; *(uint8_t*)0x200000016275 = -1; *(uint8_t*)0x200000016276 = 9; *(uint8_t*)0x200000016277 = 5; *(uint8_t*)0x200000016278 = 0xa; *(uint8_t*)0x200000016279 = 0x10; *(uint16_t*)0x20000001627a = 0x200; *(uint8_t*)0x20000001627c = 6; 
*(uint8_t*)0x20000001627d = 0x14; *(uint8_t*)0x20000001627e = 6; *(uint8_t*)0x20000001627f = 7; *(uint8_t*)0x200000016280 = 0x25; *(uint8_t*)0x200000016281 = 1; *(uint8_t*)0x200000016282 = 0xc; *(uint8_t*)0x200000016283 = 9; *(uint16_t*)0x200000016284 = 4; *(uint8_t*)0x200000016286 = 9; *(uint8_t*)0x200000016287 = 5; *(uint8_t*)0x200000016288 = 5; *(uint8_t*)0x200000016289 = 8; *(uint16_t*)0x20000001628a = 0x210; *(uint8_t*)0x20000001628c = 0xe8; *(uint8_t*)0x20000001628d = 5; *(uint8_t*)0x20000001628e = 3; *(uint8_t*)0x20000001628f = 9; *(uint8_t*)0x200000016290 = 5; *(uint8_t*)0x200000016291 = 0xa; *(uint8_t*)0x200000016292 = 8; *(uint16_t*)0x200000016293 = 0x10; *(uint8_t*)0x200000016295 = 0x64; *(uint8_t*)0x200000016296 = 8; *(uint8_t*)0x200000016297 = 0xe; *(uint8_t*)0x200000016298 = 7; *(uint8_t*)0x200000016299 = 0x25; *(uint8_t*)0x20000001629a = 1; *(uint8_t*)0x20000001629b = 4; *(uint8_t*)0x20000001629c = 5; *(uint16_t*)0x20000001629d = 2; *(uint32_t*)0x200000016780 = 0xa; *(uint64_t*)0x200000016784 = 0x2000000162c0; *(uint8_t*)0x2000000162c0 = 0xa; *(uint8_t*)0x2000000162c1 = 6; *(uint16_t*)0x2000000162c2 = 0x201; *(uint8_t*)0x2000000162c4 = 3; *(uint8_t*)0x2000000162c5 = 8; *(uint8_t*)0x2000000162c6 = -1; *(uint8_t*)0x2000000162c7 = 0x20; *(uint8_t*)0x2000000162c8 = 0x10; *(uint8_t*)0x2000000162c9 = 0; *(uint32_t*)0x20000001678c = 0x28; *(uint64_t*)0x200000016790 = 0x200000016300; *(uint8_t*)0x200000016300 = 5; *(uint8_t*)0x200000016301 = 0xf; *(uint16_t*)0x200000016302 = 0x28; *(uint8_t*)0x200000016304 = 4; *(uint8_t*)0x200000016305 = 0xb; *(uint8_t*)0x200000016306 = 0x10; *(uint8_t*)0x200000016307 = 1; *(uint8_t*)0x200000016308 = 0xc; *(uint16_t*)0x200000016309 = 1; *(uint8_t*)0x20000001630b = 7; *(uint8_t*)0x20000001630c = 7; *(uint16_t*)0x20000001630d = 6; *(uint8_t*)0x20000001630f = -1; *(uint8_t*)0x200000016310 = 3; *(uint8_t*)0x200000016311 = 0x10; *(uint8_t*)0x200000016312 = 0xb; *(uint8_t*)0x200000016313 = 0xb; *(uint8_t*)0x200000016314 = 0x10; 
*(uint8_t*)0x200000016315 = 1; *(uint8_t*)0x200000016316 = 2; *(uint16_t*)0x200000016317 = 0x61; *(uint8_t*)0x200000016319 = -1; *(uint8_t*)0x20000001631a = 0xf; *(uint16_t*)0x20000001631b = 6; *(uint8_t*)0x20000001631d = 5; *(uint8_t*)0x20000001631e = 0xa; *(uint8_t*)0x20000001631f = 0x10; *(uint8_t*)0x200000016320 = 3; *(uint8_t*)0x200000016321 = 2; *(uint16_t*)0x200000016322 = 1; *(uint8_t*)0x200000016324 = 3; *(uint8_t*)0x200000016325 = 0xb; *(uint16_t*)0x200000016326 = 0x100; *(uint32_t*)0x200000016798 = 7; *(uint32_t*)0x20000001679c = 4; *(uint64_t*)0x2000000167a0 = 0x200000016340; *(uint8_t*)0x200000016340 = 4; *(uint8_t*)0x200000016341 = 3; *(uint16_t*)0x200000016342 = 0x457; *(uint32_t*)0x2000000167a8 = 0xff; *(uint64_t*)0x2000000167ac = 0x200000016380; *(uint8_t*)0x200000016380 = -1; *(uint8_t*)0x200000016381 = 3; memcpy((void*)0x200000016382, "\x85\xa7\x64\xd8\x29\x53\x29\x17\xb6\x64\x7a\x68\xa2\x49\xb2\x52\xf0\x1a\x99\xf8\x87\x67\xa2\xe9\xf1\x3a\xee\xfa\xb3\x9c\xf6\xa4\x05\x49\x7e\x32\x44\x29\x4b\x1b\xd4\x85\xc0\xec\x99\x33\x86\x40\xa5\x08\xfa\xbb\xf1\x1e\x0f\xd6\xa0\x3b\xcc\x9c\xeb\xaf\x83\x03\x7a\xa7\x73\x97\xcb\xdf\x09\x11\xc8\xdf\xb8\x42\xf6\x2f\x94\x76\x6a\xa4\x45\x92\x57\x73\xc4\xf7\xc6\x70\x1b\xe8\xa0\x56\x73\xaf\xe9\x5c\xf1\x9c\x27\x9a\xc6\x2f\xd2\x72\x0e\xd2\xda\xe6\x89\x37\x1c\x51\x51\xbf\x6b\x9e\x77\x27\xf8\xf4\x97\x09\x1c\x3a\xaa\x90\x2f\x81\xe4\x4c\x51\x73\xac\xf2\x21\x52\xfc\xbc\x4d\x72\xa7\x5e\x9a\xb4\xba\xdc\x67\x88\xb2\xfd\xbb\x7e\x34\xb2\x02\xe0\xe7\x1f\xeb\x1c\xc9\xb1\xca\x79\x1e\x92\x37\x4c\xfc\x63\xcc\x7d\xb5\x64\x85\x91\x77\x8b\xfc\x19\x48\xf9\xda\xd9\xb7\xfe\x74\xa5\x88\xdd\xc9\xad\x49\x99\x93\x06\x26\x66\xb3\xe0\xdf\x0a\xca\xa6\x78\x02\xad\x37\xa8\x6f\xcb\x41\x1a\x22\x30\xbd\xd4\x3f\xe8\x61\x0f\x29\xc1\x51\x79\xbf\x42\x9f\x81\x87\x6e\xe9\x0b\x7d\x35\xa2\x26\x3f\x91\xeb\x8d\x3c\x7c\x87\xc4\x66\x00\xb4\x52\x82\xee", 253); *(uint32_t*)0x2000000167b4 = 4; *(uint64_t*)0x2000000167b8 = 0x200000016480; *(uint8_t*)0x200000016480 = 4; 
*(uint8_t*)0x200000016481 = 3; *(uint16_t*)0x200000016482 = 0x8406; *(uint32_t*)0x2000000167c0 = 0x49; *(uint64_t*)0x2000000167c4 = 0x2000000164c0; *(uint8_t*)0x2000000164c0 = 0x49; *(uint8_t*)0x2000000164c1 = 3; memcpy((void*)0x2000000164c2, "\xcb\x9d\x5f\x1c\x5f\xbc\x94\x74\xd5\x9f\xfa\x54\xa9\x2b\xa7\xaf\xf9\x7b\x2f\x65\xab\xf4\x8a\xad\x8e\x2b\x09\xb6\x0a\x5d\xc2\x74\x4b\x25\x0f\xe7\x52\x90\x97\xbf\xbb\x2b\xcf\x99\xd0\x54\x8a\x03\x4f\xb7\xae\xca\xf8\xdd\x80\x84\x95\xbe\x13\x2e\x1b\x8c\x84\xab\xe5\x33\x75\xdc\xf5\x40\xd5", 71); *(uint32_t*)0x2000000167cc = 4; *(uint64_t*)0x2000000167d0 = 0x200000016540; *(uint8_t*)0x200000016540 = 4; *(uint8_t*)0x200000016541 = 3; *(uint16_t*)0x200000016542 = 0x407; *(uint32_t*)0x2000000167d8 = 0x102; *(uint64_t*)0x2000000167dc = 0x200000016580; *(uint8_t*)0x200000016580 = 2; *(uint8_t*)0x200000016581 = 3; memcpy((void*)0x200000016582, "\x04\xdd\xeb\x57\xb5\x07\x2b\x0d\xc9\xdc\x62\x4c\xf2\x79\x2d\xaa\xc5\x35\xb0\x25\x70\xdb\xb7\x01\xe1\xdb\x0e\x6c\x25\xd6\x80\xf0\x7b\x51\x7f\x65\x82\x12\x5b\xaa\x7a\x78\x49\xeb\x0b\x11\x13\x0e\x00\x24\xef\xe8\xa1\xc9\x51\x36\x3b\xf4\x7a\x68\xfb\x5b\xd9\xac\xf1\x85\xae\xa1\x62\x73\x81\xf5\x03\x43\xcb\x4b\xb8\xd7\x17\x51\x31\xf2\xae\x52\xa8\x42\xdb\x75\x39\x04\xd3\x05\x1a\x0a\xb0\x82\x60\x85\x60\xe8\xac\x66\xb8\x7d\xdd\xbb\x9f\xa3\x51\x4a\x31\xe5\x59\x51\x70\xe3\xd2\x1c\x01\x8b\x37\x85\x59\x92\xa2\xa4\xb3\x48\xde\x99\x46\x9b\x63\xf5\x43\x8e\x24\x0e\x23\xcf\xe0\xa2\x6d\x30\xa9\x1d\x95\x36\x91\xd7\x41\xb9\xd5\xd8\x5d\xab\x27\xd4\x0d\xa7\x1f\xc9\xd8\x67\x7b\x0d\xc3\xe1\xd6\x06\x0d\x0d\x98\xa7\x13\x00\xd3\x74\xe7\xbd\x55\x0f\x6a\x57\xb6\xfc\xd4\x44\x31\x3f\x37\x36\x7f\x5b\x55\xc2\x0f\x1a\x2d\x44\x86\x1e\x8a\x1a\x36\xbc\xdc\x76\x9f\xfc\x14\x6b\xb7\x1a\xb5\x84\x6d\xcb\x82\x31\x24\x7f\x16\x36\x48\x3d\xab\xb7\x10\xd0\x74\xfd\x2b\x80\x18\xd4\xc3\x56\xd1\x82\x5b\xb1\x7b\xf9\x63\x27\xe9\x6e\xe8\x67\x58\x32\x43\xe8\x25\x4e", 256); *(uint32_t*)0x2000000167e4 = 0x9e; *(uint64_t*)0x2000000167e8 = 0x2000000166c0; 
*(uint8_t*)0x2000000166c0 = 0x9e; *(uint8_t*)0x2000000166c1 = 3; memcpy((void*)0x2000000166c2, "\xef\x2a\x4e\x82\x9a\x0f\x6c\xdb\x32\xa4\x49\xbb\xa1\xd4\x8f\x5d\xfe\x86\x5e\x51\xf2\x28\x7e\x21\x77\x39\x1a\x43\xf9\xbb\xf1\xca\x78\xd5\x73\xf2\x00\xea\xe4\x0c\x60\xa2\x1d\xdc\x2a\xd4\x82\xdf\x2a\x85\xf2\x75\x59\x81\x5b\xb4\xeb\xca\x56\x05\x30\xb8\x65\x53\x45\x0e\xe3\x8e\xae\xb8\x71\x2f\x6b\x77\xc1\x4d\x47\xf8\x5d\x8b\xbf\x64\x1e\x1d\x9e\x09\xfa\x1e\x2b\xe5\xe9\x2c\x18\x7c\xe5\x6e\xf9\x94\x9a\xe1\xd8\x7c\xfb\xfe\x0e\xa1\xba\x9f\x9b\x2f\xf0\x18\x2d\x4b\x05\xce\x50\x68\x91\xc5\xa3\x47\xee\x33\xcc\xf9\xce\x7d\x86\xd7\xdd\xf2\xbf\x38\x57\x4d\x21\xd9\x65\x4b\xbe\x80\x65\x86\x80\xbe\xf5\x58\x9e\x2d\xb6\x07\x2d\x9f\xd0\xfd", 156); res = -1; errno = EFAULT; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0xd9f, /*dev=*/0x200000015500, /*conn_descs=*/0x200000016780); fprintf(stderr, "### call=50 errno=%u\n", res == -1 ? errno : 0); if (res != -1) r[27] = res; break; case 51: *(uint8_t*)0x200000016800 = 0x12; *(uint8_t*)0x200000016801 = 1; *(uint16_t*)0x200000016802 = 0x200; *(uint8_t*)0x200000016804 = -1; *(uint8_t*)0x200000016805 = -1; *(uint8_t*)0x200000016806 = -1; *(uint8_t*)0x200000016807 = 0x40; *(uint16_t*)0x200000016808 = 0xcf3; *(uint16_t*)0x20000001680a = 0x9271; *(uint16_t*)0x20000001680c = 0x108; *(uint8_t*)0x20000001680e = 1; *(uint8_t*)0x20000001680f = 2; *(uint8_t*)0x200000016810 = 3; *(uint8_t*)0x200000016811 = 1; *(uint8_t*)0x200000016812 = 9; *(uint8_t*)0x200000016813 = 2; *(uint16_t*)0x200000016814 = 0x48; *(uint8_t*)0x200000016816 = 1; *(uint8_t*)0x200000016817 = 1; *(uint8_t*)0x200000016818 = 0; *(uint8_t*)0x200000016819 = 0x80; *(uint8_t*)0x20000001681a = 0xfa; *(uint8_t*)0x20000001681b = 9; *(uint8_t*)0x20000001681c = 4; *(uint8_t*)0x20000001681d = 0; *(uint8_t*)0x20000001681e = 0; *(uint8_t*)0x20000001681f = 6; *(uint8_t*)0x200000016820 = -1; *(uint8_t*)0x200000016821 = 0; *(uint8_t*)0x200000016822 = 0; *(uint8_t*)0x200000016823 = 0; 
*(uint8_t*)0x200000016824 = 9; *(uint8_t*)0x200000016825 = 5; *(uint8_t*)0x200000016826 = 1; *(uint8_t*)0x200000016827 = 2; *(uint16_t*)0x200000016828 = 0x200; *(uint8_t*)0x20000001682a = 0; *(uint8_t*)0x20000001682b = 0; *(uint8_t*)0x20000001682c = 0; *(uint8_t*)0x20000001682d = 9; *(uint8_t*)0x20000001682e = 5; *(uint8_t*)0x20000001682f = 0x82; *(uint8_t*)0x200000016830 = 2; *(uint16_t*)0x200000016831 = 0x200; *(uint8_t*)0x200000016833 = 0; *(uint8_t*)0x200000016834 = 0; *(uint8_t*)0x200000016835 = 0; *(uint8_t*)0x200000016836 = 9; *(uint8_t*)0x200000016837 = 5; *(uint8_t*)0x200000016838 = 0x83; *(uint8_t*)0x200000016839 = 3; *(uint16_t*)0x20000001683a = 0x40; *(uint8_t*)0x20000001683c = 1; *(uint8_t*)0x20000001683d = 0; *(uint8_t*)0x20000001683e = 0; *(uint8_t*)0x20000001683f = 9; *(uint8_t*)0x200000016840 = 5; *(uint8_t*)0x200000016841 = 4; *(uint8_t*)0x200000016842 = 3; *(uint16_t*)0x200000016843 = 0x40; *(uint8_t*)0x200000016845 = 1; *(uint8_t*)0x200000016846 = 0; *(uint8_t*)0x200000016847 = 0; *(uint8_t*)0x200000016848 = 9; *(uint8_t*)0x200000016849 = 5; *(uint8_t*)0x20000001684a = 5; *(uint8_t*)0x20000001684b = 2; *(uint16_t*)0x20000001684c = 0x200; *(uint8_t*)0x20000001684e = 0; *(uint8_t*)0x20000001684f = 0; *(uint8_t*)0x200000016850 = 0; *(uint8_t*)0x200000016851 = 9; *(uint8_t*)0x200000016852 = 5; *(uint8_t*)0x200000016853 = 6; *(uint8_t*)0x200000016854 = 2; *(uint16_t*)0x200000016855 = 0x200; *(uint8_t*)0x200000016857 = 0; *(uint8_t*)0x200000016858 = 0; *(uint8_t*)0x200000016859 = 0; res = -1; errno = EFAULT; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000016800, /*conn_descs=*/0); fprintf(stderr, "### call=51 errno=%u\n", res == -1 ? 
errno : 0); if (res != -1) r[28] = res; break; case 52: *(uint32_t*)0x200000016b40 = 0x2c; *(uint64_t*)0x200000016b44 = 0x200000016880; *(uint8_t*)0x200000016880 = 0x20; *(uint8_t*)0x200000016881 = 0xb; *(uint32_t*)0x200000016882 = 0xc8; *(uint8_t*)0x200000016886 = 0xc8; *(uint8_t*)0x200000016887 = 0x21; memcpy((void*)0x200000016888, "\x01\xf4\x8f\xe8\x31\xd8\xd1\x99\x24\x72\x17\x3e\xa8\x19\xa3\xa2\xad\xe9\x61\x21\x34\x13\x54\xe8\x5c\xa1\x98\xec\x1f\xcf\x85\x90\xc9\x39\xf7\x27\xaa\x0e\x85\x85\x6b\x35\x7c\x23\xbc\x06\x8f\x24\xa2\x2c\xc6\xb7\x1b\xd4\xad\xd3\xae\x66\x95\x5e\x3c\xeb\x2a\x8f\x15\x5c\x4f\xea\xf3\x6d\x9c\x48\x02\x96\x8a\x53\xb0\x86\xa4\xa5\x0d\xc3\x54\x75\xe7\x5c\x18\x51\xe7\xd4\x08\x54\x07\x74\xe8\x98\x21\x91\xe5\x06\x06\x99\x1f\x3f\x33\xfa\x70\x8e\xf6\xa9\x40\x41\x51\x10\x98\xb0\x26\x7e\x73\x7b\x9f\x39\x9f\xad\x65\xb7\xcc\x2e\xfa\x80\xea\xfc\x73\x4b\xd5\xab\x1f\xdc\x3d\xec\xc0\x26\xfa\x76\x75\xef\x45\xa1\xd1\x7f\xfe\x1c\x0b\x1e\x00\xb1\x02\x73\xd7\xc5\x7d\x18\x3c\x74\xa3\xd9\xb1\x47\x13\x22\xb5\x9a\x98\xce\xbd\x12\xd1\x6c\x28\x34\xb2\x26\xce\xca\xea\xf9\x60\xe3\xd9\x07\x76\xc2\x39\x23\xea\xe6\x8d\x1e", 198); *(uint64_t*)0x200000016b4c = 0x200000016980; *(uint8_t*)0x200000016980 = 0; *(uint8_t*)0x200000016981 = 3; *(uint32_t*)0x200000016982 = 4; *(uint8_t*)0x200000016986 = 4; *(uint8_t*)0x200000016987 = 3; *(uint16_t*)0x200000016988 = 0x280a; *(uint64_t*)0x200000016b54 = 0x2000000169c0; *(uint8_t*)0x2000000169c0 = 0; *(uint8_t*)0x2000000169c1 = 0xf; *(uint32_t*)0x2000000169c2 = 0xc8; *(uint8_t*)0x2000000169c6 = 5; *(uint8_t*)0x2000000169c7 = 0xf; *(uint16_t*)0x2000000169c8 = 0xc8; *(uint8_t*)0x2000000169ca = 5; *(uint8_t*)0x2000000169cb = 0x14; *(uint8_t*)0x2000000169cc = 0x10; *(uint8_t*)0x2000000169cd = 0xa; *(uint8_t*)0x2000000169ce = 3; STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 9, 5, 27); *(uint16_t*)0x2000000169d3 = 0xf; *(uint16_t*)0x2000000169d5 = 0; *(uint32_t*)0x2000000169d7 = 0xc0cf; 
*(uint32_t*)0x2000000169db = 0xf; *(uint8_t*)0x2000000169df = 0x10; *(uint8_t*)0x2000000169e0 = 0x10; *(uint8_t*)0x2000000169e1 = 0xa; *(uint8_t*)0x2000000169e2 = 4; STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 0x30ec, 5, 27); *(uint16_t*)0x2000000169e7 = 0xf0f; *(uint16_t*)0x2000000169e9 = 0x82; *(uint32_t*)0x2000000169eb = 0xc00f; *(uint8_t*)0x2000000169ef = 7; *(uint8_t*)0x2000000169f0 = 0x10; *(uint8_t*)0x2000000169f1 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000169f2, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 8, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f4, 0xf, 0, 16); *(uint8_t*)0x2000000169f6 = 0x8d; *(uint8_t*)0x2000000169f7 = 0x10; *(uint8_t*)0x2000000169f8 = 0xa; memcpy((void*)0x2000000169f9, "\x42\x2d\x46\xfc\x73\xf8\x4b\x4d\xd0\xc3\xd2\x4d\x79\xf2\x70\x97\x5a\x97\x8d\x73\x6a\x0a\xa3\xe5\x86\xae\x4e\x9a\x23\x24\x83\xcf\x25\x26\x97\x18\xcb\xb9\xdf\x73\x03\x62\xce\x6b\x7c\xf0\xe3\xd1\x00\x79\xc3\x28\xee\x2b\xe8\xf5\xff\xc2\x42\xa0\x7e\x20\xf7\xc3\xdb\x60\x7c\x73\xe2\xca\xc8\x2f\x1c\x73\xc8\xfc\xac\xeb\x15\x1e\x20\x22\xfe\x0c\x73\xad\x66\x19\xa4\xda\xce\x08\x65\x96\x99\xed\x76\x60\xd4\x52\x02\x74\x9c\xda\x47\xdf\xa1\xe0\xdb\x87\x66\x4d\x1e\xff\x73\xf0\x60\x6d\x30\xb7\x78\xcb\x88\x08\xdf\xa6\xb2\x4c\xc1\x8a\xdd\x57\x9f\x29\xe8\x1b\x12\xe3", 138); *(uint8_t*)0x200000016a83 = 0xb; *(uint8_t*)0x200000016a84 = 0x10; *(uint8_t*)0x200000016a85 = 1; *(uint8_t*)0x200000016a86 = 2; *(uint16_t*)0x200000016a87 = 0x48; *(uint8_t*)0x200000016a89 = 6; *(uint8_t*)0x200000016a8a = 0xf2; *(uint16_t*)0x200000016a8b = 0; *(uint8_t*)0x200000016a8d = 2; *(uint64_t*)0x200000016b5c = 0x200000016ac0; *(uint8_t*)0x200000016ac0 = 0x20; *(uint8_t*)0x200000016ac1 = 0x29; *(uint32_t*)0x200000016ac2 = 0xf; *(uint8_t*)0x200000016ac6 = 0xf; *(uint8_t*)0x200000016ac7 = 0x29; *(uint8_t*)0x200000016ac8 = 1; *(uint16_t*)0x200000016ac9 = 3; *(uint8_t*)0x200000016acb 
= 0xf6; *(uint8_t*)0x200000016acc = 5; memcpy((void*)0x200000016acd, "\xd7\xdb\x75\x8c", 4); memcpy((void*)0x200000016ad1, "\xcb\x02\x4e\x33", 4); *(uint64_t*)0x200000016b64 = 0x200000016b00; *(uint8_t*)0x200000016b00 = 0x20; *(uint8_t*)0x200000016b01 = 0x2a; *(uint32_t*)0x200000016b02 = 0xc; *(uint8_t*)0x200000016b06 = 0xc; *(uint8_t*)0x200000016b07 = 0x2a; *(uint8_t*)0x200000016b08 = 2; *(uint16_t*)0x200000016b09 = 2; *(uint8_t*)0x200000016b0b = 0x80; *(uint8_t*)0x200000016b0c = 5; *(uint8_t*)0x200000016b0d = 7; *(uint16_t*)0x200000016b0e = 7; *(uint16_t*)0x200000016b10 = 0xff24; *(uint32_t*)0x200000016f40 = 0x84; *(uint64_t*)0x200000016f44 = 0x200000016b80; *(uint8_t*)0x200000016b80 = 0x20; *(uint8_t*)0x200000016b81 = 0x13; *(uint32_t*)0x200000016b82 = 0x2a; memcpy((void*)0x200000016b86, "\xb3\x64\x4b\x33\xa4\x96\xf2\x18\x7a\x58\x63\xe6\x4c\x40\x7c\xec\xd2\xd6\xd1\x3a\xe2\x3e\xcf\x1c\x3c\x53\xf7\x8f\xf2\x17\xcf\xf0\x21\xe4\x71\x8c\xea\x7f\xbe\x4c\x3b\xa3", 42); *(uint64_t*)0x200000016f4c = 0xffffffff81000000; *(uint64_t*)0x200000016f54 = 0x200000016bc0; *(uint8_t*)0x200000016bc0 = 0; *(uint8_t*)0x200000016bc1 = 8; *(uint32_t*)0x200000016bc2 = 1; *(uint8_t*)0x200000016bc6 = 6; *(uint64_t*)0x200000016f5c = 0x200000016c00; *(uint8_t*)0x200000016c00 = 0x20; *(uint8_t*)0x200000016c01 = 0; *(uint32_t*)0x200000016c02 = 4; *(uint16_t*)0x200000016c06 = 2; *(uint16_t*)0x200000016c08 = 1; *(uint64_t*)0x200000016f64 = 0x200000016c40; *(uint8_t*)0x200000016c40 = 0x20; *(uint8_t*)0x200000016c41 = 0; *(uint32_t*)0x200000016c42 = 4; *(uint16_t*)0x200000016c46 = 0x40; *(uint16_t*)0x200000016c48 = 0x20; *(uint64_t*)0x200000016f6c = 0x200000016c80; *(uint8_t*)0x200000016c80 = 0x40; *(uint8_t*)0x200000016c81 = 7; *(uint32_t*)0x200000016c82 = 2; *(uint16_t*)0x200000016c86 = 2; *(uint64_t*)0x200000016f74 = 0x200000016cc0; *(uint8_t*)0x200000016cc0 = 0x40; *(uint8_t*)0x200000016cc1 = 9; *(uint32_t*)0x200000016cc2 = 1; *(uint8_t*)0x200000016cc6 = 3; *(uint64_t*)0x200000016f7c = 
0x200000016d00; *(uint8_t*)0x200000016d00 = 0x40; *(uint8_t*)0x200000016d01 = 0xb; *(uint32_t*)0x200000016d02 = 2; memcpy((void*)0x200000016d06, "{*", 2); *(uint64_t*)0x200000016f84 = 0x200000016d40; *(uint8_t*)0x200000016d40 = 0x40; *(uint8_t*)0x200000016d41 = 0xf; *(uint32_t*)0x200000016d42 = 2; *(uint16_t*)0x200000016d46 = 9; *(uint64_t*)0x200000016f8c = 0x200000016d80; *(uint8_t*)0x200000016d80 = 0x40; *(uint8_t*)0x200000016d81 = 0x13; *(uint32_t*)0x200000016d82 = 6; *(uint8_t*)0x200000016d86 = 1; *(uint8_t*)0x200000016d87 = 0x80; *(uint8_t*)0x200000016d88 = 0xc2; *(uint8_t*)0x200000016d89 = 0; *(uint8_t*)0x200000016d8a = 0; *(uint8_t*)0x200000016d8b = 2; *(uint64_t*)0x200000016f94 = 0x200000016dc0; *(uint8_t*)0x200000016dc0 = 0x40; *(uint8_t*)0x200000016dc1 = 0x17; *(uint32_t*)0x200000016dc2 = 6; *(uint8_t*)0x200000016dc6 = 1; *(uint8_t*)0x200000016dc7 = 0x80; *(uint8_t*)0x200000016dc8 = 0xc2; *(uint8_t*)0x200000016dc9 = 0; *(uint8_t*)0x200000016dca = 0; *(uint8_t*)0x200000016dcb = 0xe; *(uint64_t*)0x200000016f9c = 0x200000016e00; *(uint8_t*)0x200000016e00 = 0x40; *(uint8_t*)0x200000016e01 = 0x19; *(uint32_t*)0x200000016e02 = 2; memcpy((void*)0x200000016e06, "\x1a\xc5", 2); *(uint64_t*)0x200000016fa4 = 0x200000016e40; *(uint8_t*)0x200000016e40 = 0x40; *(uint8_t*)0x200000016e41 = 0x1a; *(uint32_t*)0x200000016e42 = 2; *(uint16_t*)0x200000016e46 = 0x100; *(uint64_t*)0x200000016fac = 0x200000016e80; *(uint8_t*)0x200000016e80 = 0x40; *(uint8_t*)0x200000016e81 = 0x1c; *(uint32_t*)0x200000016e82 = 1; *(uint8_t*)0x200000016e86 = 7; *(uint64_t*)0x200000016fb4 = 0x200000016ec0; *(uint8_t*)0x200000016ec0 = 0x40; *(uint8_t*)0x200000016ec1 = 0x1e; *(uint32_t*)0x200000016ec2 = 1; *(uint8_t*)0x200000016ec6 = 0xc8; *(uint64_t*)0x200000016fbc = 0x200000016f00; *(uint8_t*)0x200000016f00 = 0x40; *(uint8_t*)0x200000016f01 = 0x21; *(uint32_t*)0x200000016f02 = 1; *(uint8_t*)0x200000016f06 = 0x4f; res = -1; errno = EFAULT; res = syz_usb_control_io(/*fd=*/r[28], 
/*descs=*/0x200000016b40, /*resps=*/0x200000016f40); fprintf(stderr, "### call=52 errno=%u\n", res == -1 ? errno : 0); break; case 53: res = -1; errno = EFAULT; res = syz_usb_disconnect(/*fd=*/r[27]); fprintf(stderr, "### call=53 errno=%u\n", res == -1 ? errno : 0); break; case 54: res = -1; errno = EFAULT; res = syz_usb_ep_read(/*fd=*/r[27], /*ep=*/0, /*len=*/4, /*data=*/0x200000017000); fprintf(stderr, "### call=54 errno=%u\n", res == -1 ? errno : 0); break; case 55: memcpy((void*)0x200000017040, "\xdd\x9c\x62\x25\x17\x5b\x3c\x37\xdc\x19\x63\xb4\xd0\xf4\x63\xd6\xe3\x82\xd9\x56\xed\xab\xd1\x31\xd4\x19\xff\x0b\x34\x34\x94\xa2\xc3\xc8\xbd\x5e\x32\x1a\x50\x6b\x68\xc9\x62\x1a\xb5\x44\xdc\x8b\xd1\x7c\x2f\x62\xf3\xc5\x6c\xae\xcb\x39\x08\xa6\x43\x0e\x4d\x9e\xaf\xd0\x2c\xa1\x3d\xfd\xcc\x2d\x07\xc5\x31\x31\x38\x62\xad\x42\x71\xec\xb0\x7f\x10\x14\x3f\x48\xff\x7e\x73\x8a\x4a\x77\x62\x3d\x0d\x4b\x89\x21\x08\x4f\x7c\x7a\x91\x14\x22\x06\x24\xe8\xf1\x22\x87\xc7\x36\x9f\x8b\x91\x93\xde\x6e\x3a\x67\xff\x4b\xf7\x59\x6f\xd6\xc1\x07\xe4\x77\xfc\x1d\xf6\x7c\x16\xfe\xc9\x51\xa2\x12\xd9\x60\xcd\x48\xe3\xa1\x75\x8e\x8e\xc8\xe7", 154); res = -1; errno = EFAULT; res = syz_usb_ep_write(/*fd=*/r[28], /*ep=*/4, /*len=*/0x9a, /*data=*/0x200000017040); fprintf(stderr, "### call=55 errno=%u\n", res == -1 ? errno : 0); break; case 56: res = -1; errno = EFAULT; res = syz_usbip_server_init(/*speed=USB_SPEED_HIGH*/3); fprintf(stderr, "### call=56 errno=%u\n", res == -1 ? 
errno : 0); break; } }
/*
 * Entry point of the generated reproducer.
 *
 * Maps a fixed-address data window with a no-access page on each side,
 * attempts to enable kernel fault injection, then calls use_temporary_dir()
 * and do_sandbox_none().
 *
 * Returns 0 unconditionally. None of the three mmap results is checked, so a
 * failed mapping is not reported here.
 */
int main(void) {
  // No-access page (prot=0) covering the 0x1000 bytes directly below the data
  // window (0x1ffffffff000 + 0x1000 == 0x200000000000). MAP_FIXED replaces
  // whatever was already mapped in the range.
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Data window: 0x1000000 bytes at 0x200000000000, mapped readable, writable
  // and executable at once. The hard-coded 0x2000000xxxxx addresses written by
  // the call cases above fall inside this range.
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // No-access page directly above the window
  // (0x200000000000 + 0x1000000 == 0x200001000000).
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  // Marks the variable as used. NOTE(review): presumably kept by the generator
  // for variants that emit no setup call -- confirm.
  (void)reason;
  // setup_fault() returns NULL on success and a static reason string
  // otherwise; a failure is only printed and the run continues.
  if ((reason = setup_fault()))
    printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
  // Both helpers are defined outside this excerpt. NOTE(review): by their
  // names they switch to a scratch directory and run the test loop with no
  // sandboxing -- confirm against their definitions.
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}
: In function 'execute_call': :6171:17: error: '__NR_socketcall' undeclared (first use in this function) :6171:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor1634247706 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/27 (1.36s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false
FaultCall:0 FaultNth:0}} program: r0 = syz_open_dev$admmidi(&(0x7f0000000000), 0x302d694, 0x32400) (fail_nth: 1) ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r0, 0x80045700, &(0x7f0000000040)) (async) r1 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) (rerun: 4) ioctl$TIOCSIG(r1, 0x40045436, 0x17) getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f00000000c0), &(0x7f0000000100)=0x14) syz_clone3(&(0x7f0000000340)={0x8800000, &(0x7f0000000140), &(0x7f0000000180)=0x0, &(0x7f00000001c0), {}, &(0x7f0000000200)=""/114, 0x72, &(0x7f0000000280)=""/109, &(0x7f0000000300)=[0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0], 0x8, {r1}}, 0x58) kcmp(r2, 0x0, 0x2, r0, 0xffffffffffffffff) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000003c0)={0x0, 0x4, 0x0, 0x8}, &(0x7f0000000400)=0x10) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000440)={0x6, 0x8207, 0x96d, 0x10, r3}, &(0x7f0000000480)=0x10) ioctl$CEC_ADAP_G_CAPS(0xffffffffffffffff, 0xc04c6100, &(0x7f0000000500)) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@ctrl_frame=@pspoll={{}, @random=0x8000, @random="63448edb2fb0"}, 0x10) syz_80211_join_ibss(&(0x7f0000000080)='wlan0\x00', &(0x7f00000000c0)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_kernel_create_files_as\x00') r4 = syz_clone(0x2080000, &(0x7f0000000140)="2803837cbcf37bce72c1a73b909c68fe5bf7a6363cdc90c00dc6013b35da02a66a0591667154a5567c0e5ee6933d6da8bfedac5d278a291efa3020ba15e390eb38da76261c3aeff9eea8abeace", 0x4d, &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="6a0b56ff4b8fac28773ca137652b5b0fd803a0413c282037f721cb96ecf2bb1a616dc3d56eeea26f6b16f4562d17c6d8b8838f1844b585ebcc0b562f0557b2c7e9f0dda1ce4cc61d") r5 = socketcall$auto_SYS_SOCKETPAIR(0x8, &(0x7f0000000480)=0xc2e0) syz_clone3(&(0x7f00000004c0)={0x18000000, &(0x7f00000002c0)=0xffffffffffffffff, &(0x7f0000000300)=0x0, &(0x7f0000000340)=0x0, {0x9}, 
&(0x7f0000000380)=""/41, 0x29, &(0x7f00000003c0)=""/107, &(0x7f0000000440)=[r4, r4, r4], 0x3, {r5}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000540)='./file0\x00') syz_emit_ethernet(0x63, &(0x7f0000000580)={@remote, @link_local, @val={@void, {0x8100, 0x6, 0x0, 0x2}}, {@x25={0x805, {0x0, 0x0, 0x27, "ed9d0de7c64477f8a5d951f792474cf5075158244f9b1731f0f24acbf5389ee283a5851cd5cf33761e5cea7eddd7b163070852dce6e12da0688ac4ee0a17dcca77143e90d7e7935dc9bf2e32db4a"}}}}, &(0x7f0000000600)={0x1, 0x2, [0x9b6, 0xffa, 0x777, 0x5fe]}) syz_emit_vhci(&(0x7f0000000640)=@HCI_EVENT_PKT={0x4, @hci_ev_clock_offset={{0x1c, 0x5}, {0x80, 0xc8, 0x2}}}, 0x8) syz_extract_tcp_res(&(0x7f0000000680), 0x10001, 0xffff0001) r9 = openat$fuse(0xffffffffffffff9c, &(0x7f00000006c0), 0x2, 0x0) getsockopt$inet_IP_XFRM_POLICY(r5, 0x0, 0x11, &(0x7f0000002a00)={{{@in6=@local, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@empty}}, &(0x7f0000002b00)=0xe8) ioctl$auto_KVM_HAS_DEVICE_ATTR(r5, 0x4018aee3, &(0x7f0000002b40)={0x5, 0xee00, 0x1, 0x5}) ioctl$auto_EXT4_IOC_GROUP_ADD(r5, 0x40286608, &(0x7f0000002c00)={0xee00, 0x0, 0x8, 0x1, 0x6, 0x5}) getsockopt$inet6_IPV6_XFRM_POLICY(r5, 0x29, 0x23, &(0x7f0000002e00)={{{@in6=@private2, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in6=@ipv4={""/10, ""/2, @multicast2}}}, &(0x7f0000002f00)=0xe8) shmctl$auto(0x2, 0x6, &(0x7f0000004040)={{0x8, 0x0, 0xffffffffffffffff, 0x2, 0x10, 0x4, 0x7}, 0x7f, 0xbb, 0xf, 0x4, @raw=0x800, @raw=0x2, 0x5, 0x0, &(0x7f0000002f40)="a0fc0337faea631f704d04b5a594dd3a87e2747c38740f4357e5cb221bf4405795c29906227d364e0446ebf77d111ab6668106a002140a81071b6d28cfabb37aea4e26c4657db31916f17181ef2fbba8cf194a98c435a1007c270cd6eff5c6424537197a130202f28ce2586be0ceff0db47a35351218f49a4599a98e93fd6fa6be92176782d29ccfc900c767f4de102c3a7779577ff36f427dcaed1e8dd389650fbe9cc0cab5b4390e805ec30ad6411cff6065a8a57610ab7c610132a2a1bf37c871d06a9d78cc27688f4befa7bd112a69df64b551e3", 
&(0x7f0000003040)="64b9520eb174939ec87643a2fdaffea4527bbfd51b07ac9467169d3c7baa5dc65b8a38d950c858ff99237e6ec06b4656a52acb76c755c1cff1c0a65e3d1632fabd9e1b381852b6fcfc058744856a80a29fb4dbdd715b3cd08e15a53405d0fd2ff7eac836338c4eca0456ff78cc5712332146b671bc42861cd8bb43200985a362f39f15bd437f06458b867d4bea2227493250d83fb46f7297b8f8c27351ccbec4ffd07175a7c5e2319e94210d4af5061e743f050f2ea538a3ed9d0359f5a7546c3d0113e255268cd0483ab186f9c5550202a9fa3fa0c4a2a5805241819cf9c345cecc6b77dd7c299750b67ff8cb5d9a6b0d3d9816dbeb6fdbc5ea9fae4a25e19b48e510ddb5d4d1271ba0c4a083d04cc509b40f1a849195f3bc3e9f63b7cc7473ffc740cf1a979bd1d7e9317f6fc77a62e5acab36c4a063069cfb207dcc7af70b77a743b362d9d9fae0dbc680923a0e3454026b6da9579f352afef7abbca7bfc14aef0fb3d1305506b97940ea127ffed13eeea6cae0be96f5be7385e8e9ba4f00fdc51859d825192718dcf23e0b6da413aff854ba5221ba8d27ff02b6c0f9667f2ffe72f434f4c7085a52fee5f0871bc20aebc8ef87c17c49b2a434242154770e3ae268d5bae11f22f2146169d7a9c16b5daf83031111ce5ce992d275bb9bc5d1290f7fea356607e8dd9acc55849eeb502827374c45dc89dd1186ec9210bff8e005b7cb2c134a922d6ddc512281e6f5aa9b104d04bcc6000b9f95f74393f312c990f7d29dee0ef7a4b158fe69196b0683f35e8b4ba65bb49b313d92d6f67f72f7c3e7de4dd884d72c786d66bdf598a15f9ac296ea70740343d94591186448ae73eea6101de13df667ab6ea1f55aba4c113d0ac42bba7ec5bd1d56b6bc947045595c76c8f69339bd2f193de246533010f42ac93ce0af99f40ae8bf3a30543d6861b2ca306c0c081db792af448820409c05330bdbe44f70c5561dff8704b5eeb712acd321fb7bd58c809fb11d017c34879854f153241741fdf8de35356bee7a0cb40a726cc783175759e266ddbc98e3e5f822024e3359a7fec0e09f0d1e214262ea209a9ddf12280e28723393368817de6d200ac6f9d14cee80cb713547cad55333acaff3a32b48964845501bf108e8f515728b36726290b478f7f3da9a62ddb1d44f5ed569c7cff30451b1355d3491eb80345cfdb938475f9d16181cb1e3d733ea45aba04cbe419b1fe39de514e8b00db827fec195ae7731b2a64ad258c1cf2d4cd97dd9dec3564f9ca74ed625830ed32b0507ad8c97f63f5a2b39bbaec04b3b889b6d7c9fb98993d5e5ae40cd6b6372bc631d37dac4ab3d48b5895b0030e002e7f443bead14a5777ecf5ee99983b3c0f500539d02ba11cb4bf3259906bbcc3
4855e6d4b2c49316816d4d17340d8938dbbad5f2cbfe83da57f59e51c9eb6ff6215f794f6822820b05912df85fea53c046dd6e88924a18e71c0cda658b58aff26194f88df81daf06ee0942cda0df18b41b0e230b305b4f9a47fdb18c6d68cceba1f24f2756bd96a799112c3485e394d2dd9fc87ab1b4651ad058a3e44461d2c72f038ff881104cb75cc79683a9d97d881cffb92b05c12bf4d3ab4dbe17908fb799eaffa9cafa4a61ce20aa4b3ebc3c75220aa65c9803a77f181da3924cca5f6059612e45486106f22b8c891f7b14662abd64b3258ed13bdcd6d1a77c6a41519d66063743a1918bb13e9b7577fb6bb7df23ff1b96e782bda6394d4861a7e0ac80d1c6cc84a303b7841e589d66bed37ccc05f4e9b4dfbc53d3b50d50e02c87d41f53f86decb39c706f5372e9d6e3dde53059620d27845f3ed77cd5899e33aed5c4fb140f8e405fa2e0e1172eaa7d4e912987a0aa3acf7c2d8e94d16c998c987fd404b234ef7361d0c5387e6b9d55fb972c7dc217226ce13d82a59311fe269a09c384e739a66be4354791f381e74cc5dfb9a92fbfff8595df24b403eafb00473eb0b2e7fee36dba4a908938bcfcce961fd10ec29e56dfe40591e13d5e53f16c8759ca27f80ce904f2d7c43321097595e907639f20f9e8dce700c39d0e442da887a4df082eb7e172fafdcb00b008caf5523d1fe5f240ae991496db93389af4185e9c9ccbdcb9731ce7a770ae2abac9d8cddf313231a55e1277bd36c1e44842b3872555ccdcb3a0684591321ff15dc6d2ceffd585dbeb990e4054fabc18a9e9f1de13bfad9de7f8deb6b6c472c423367eead525004defa9e17c67902360bf163a01e98f6e755cff6282aeebd1e8a09715c15b9edaa500de074c28bad6d03578c5e1c87be7117f54eefc3313c38b61d88a6a50a0f36fdbf084cb41447c690d3ffcc8314e91ada81d34accd3e06d19bca28fb49bed5e32f4ebd54929e4ab51a659b81c1c35df9e514769b9eb31d71d437864f54e992a2b9b15e2fd3207817756b486d081af397b21a258443d86a20a82dab3094a4883324791d67cea918bec7994abcec180f8fbd4ae90ad2c785de7747308d80a7331864bd1a9bffb514407785193927405f778a166514a339bfe16f5cb8ee349a08e25b94dc351c72e98c6baf186025060cd98d7d14bf8ee060240405a1c10202cb34857ab674eff41cd46c03d2ffccabf194e0f351658ab02d9a1f92830617de69135509534647bc4cc205287b251553fcc7689d5e669f9ba4bdb4036e064b2a791ea5de93c66918ad61cf10be4f5564a071b02b9365bc587316e65bd1264fe1f8dc7d244ab3319e9a905e244a0d000bf3c566811f729d10f9d81b060cb7ff93da8056d641f93121c50b987e4149d44c23491e9de6a5c1
d6b26f644b3b020627caf32d47f95a4857b36530ff5c5be38ca37b90dec3bde10756158d6db91bcbbea6665fa1408aec0025d9dfe3de8a57b8af300179bff26032e61db60d6e20acb671595056fd65e84038040f07d46dbd4cb8c0d3ce9fda002d22e24750f145801af85d782681bb9b1228fb281c543e5dcdef84b7a2626de59e1ec79e44d1a230fedda6e3037b0e9c4ca475dcd319b86bd4ab2cc3cd5ee47857adaa88e7e77afaab3fd85076edb3615ba44e97b5e181b5e8c8611784854a8aebdcc0983e0b837455a2901b91980b05efc9223d206dcaa5be6745cbdfb6f9af13873b3773f5a59beaa0f4a36ddd383d63e12f50e0f7c533e6a559e545d2851d04bd36e412d891eac7bbff39936937fa3e4fbfaf51037c50a7d5730051e4c6984f394f3f59faa61ac96fc2ba4e33564c2bbc607b18ef8aef19b88b7ac63cef3e0971fa1156233373fa5b58f16fa99312d84a6b790e7a663ba05e237385eb413e4260e021ba387912357fed39f1366e7318ebea7b921ded5d9f9ab5a86121648310f0904258a9e4d590d65431d23e622309de964cb77df8f2807667bd58181e485c2e03c295c15e5274c706c1a0027b6751e40959a1581c710774bd5575367c93c17fb8444976e384711d4debce09754e97b048d47b3dd82f75fa93937d0722cb2379e8b4b02675991ed1bc5f1f15fea5fbe59c63a2991af998a21991f1d46cd3d211a532cee732ffbcf55b28790c4badba768c57a2623df69b396c2accf925806d55261b7087435e497452975b15266522ef97637956faa20e8ec653c9c0c0773603d77677d0ef1ec99a0f61cccf7e1103051a7852a0077f973369f6d8056b79c537aea6b410709df6937b6b7ce03398e1a7a1ef8e062bf5b5a110bc0daf2765c92e695834add9ac03f5ea56f8ec1d64a8fad07410e3019d84c0e7cdf1c49e95091794a3aad82abf63e9c6cebabdf05e80503d1ba7037e9b0b35aad5517a02988a343b6a4af6d8277964fcd3e720c19ebcbca7c4a877c4b17405d4e04e2bff036d6f5e8da62d6ec70d1cdd970e8ba36f7fa956cbde78925a443b9579be039e5653966e745b1d93c62970f2907fb535c88820b95b24409d1bb81e0cdfbdc397278a8b1eba6325e693a93b550dc2d7ff05598f8246794b2d01b58f30324e44c439ec6e170b692ef2d552f332242101fe24586564b87e4d04c5c4137f453451dc82ce49f93d50e49acf2b966d0d500fff99b984d70faa2061187369a3dd50337872c230e6fbda2420e565886b6eef53eb532239a98237bf8cf3549f60b083d81a16e6a30c26a74456fbf8ddc2476784e776df7490a31e1113cb0d876d5ca9fbfc32cf6081f7542015b41ae86f9c0bbfed2b8474bfcd78284467c22f1d6df54bb3e28f5cff007e9d5d55
97c837a72eb04ef8d1f3ac060b9f1fff3d74da35bf1cc3ff9d836bfc8d2ccb07214afd357c296ae04a5ce01fdc779e9b4ae6d677c6fc48f7383064f2d217d51e390609dad933022ed7c35f89e83b555c8e3ccec204e593228f3244427cfed43bd371ee5f584ceab01f88d1c99474189b876c9534089dd5d0460da833afb14cb1cb1f4bf8517fff86f94a919b9f8eeb360887b139f675905ceeefa05786fd7eaa8cc6010ee286989b6269a45052d4c62f742bdc252fbfdb2166f9b0215316ce569d53f12d7ff1e92d2bf11b6ed6aec3fe3f62c49a4cd2febcae8e1b44b38eaf1a6e78f2da3cdd94edea7150000d7015cb652ba46d3b2315b649edccf47b51d4585dbc76064a12b05ced6fd11fe3703ad2267f96297bcd455810769746ee264e73d9043384e3af7b445fda9f12fffbc7d63cdc105ebf8ec1f52475c73b06b4af080037babda8888b05b3d0051d7aa6c949140df65806c8366f8e3640f5a7470262696bd3cd4db85502cbd5fe22bb0f59287768fb9c52e6933e568e0d3ce7283a420c89fd04e93e565df0ff68cc743cdcf4dfc7ff09cbe8a77a020804f4c1761284616d958401f57af9dc71362992b3ff3439ccf85f43b6c0850989650d8f55ba1922a6500d272dd42386cbb23e6e67ec926a1ca9357f4c84b767152e6c43617def94ac6014aa3c6ca841859dc57524a722741246530da550671ec17d2a342e557b43c08a93c1267637fff37ff4a4085528e7ce6d09de642996fff98688544a7c23bff8b6fdbe533424ccb119a567f1f15c0b4650ed80efe24ab4d1c1e33305afd2ceac682c0eacaa5669e4434f634b1c61271d95b0095c7b1a62a2d073aad80c51015bb5150845c118633a3c4c94b7463fe7339182ea01a7e28637c27b5f86068a7374ae77c5cdd6dd9b469dd9a475c37528e2f1c40132359e9e65e23ad4595b160ad9a2d83cce078f4d6181fd3026c2a0b1302faa69a5180a2c20b3a32876efc2a6281c409c2e66e00deb53098197f13185b7da589b0cfe2a312f0f61efab29a7b1b614faa57ed37e01f8b0cdfb2ea7867745d6669a4a895b97e1ed24c2f3cf23e8851138d9a640c2c0b321d00f0a4dd9a72fe5ba43ac47dd31a014d31b725ee28cd8fbed0bc78145980b586d371848bb96748303d0ad1fe2a2e7f5dd34070c6fc50e109dbb15cddcbc04e1cf6358d1050e6319a34f1452f44436d8cea137a37a1dad13efc2b9a9587a43c2c3f3d5aa32c0978520d24dadd18efa812a72d33b2f441ac885226555f7cd254ab277175c435683c36df697c2fb536271948e538dd3bce3909a5c8c37e97ea3736cd1ada26f13f121a990633d95b59e67393432993c0c84fd6d52beb7e3d02a437eb281af573ba1c47f373f6ccd6e0b183a21cbe9fdbb82ccc396f16aff
1999fb839ebcaff97fa0bfd0d34cf8e57606fd82341db318e40cd9e85c154465dcce1b7fd8b22808f0e0d454ef9a2b5a4c35c0a125b9237070072d1cd827cfdea8e3de833b0814c8ff260e6b39807ef86ac677abdeb507dd57f6993d303d55517840bd7af1db3980821"}) shmctl$auto_IPC_STAT(0x10000, 0x2, &(0x7f00000042c0)={{0x2, 0x0, 0x0, 0x3, 0x44, 0x7, 0xff00}, 0x80, 0xe5, 0x0, 0x8, @inferred=r7, @inferred=r4, 0x800, 0x0, &(0x7f0000004180)="b8472da763b7f233e5d2387c998ed4355657", &(0x7f00000041c0)="10f121593543ac483ee5d9fc0093e203b927b44bb534a8711a28df30c87570f25d8dd643467a2c9e531e8a4aa6e033f571b9feeae8b65d093f915628885d3f028c3f4447632b36f22e16c1fcb5e7bd6992c089df961fee65da52263c865431c8324d25205427653902000ee5f231b03df00cf5b4ff9f8779d331a8b511c4ddf3ba9b68b48133a4cd4f26e7376650cba610c62a68f4810220009706a85a063103dc90df67137a34a2dc60eacd868a66d7f68e69c04cc195fdc8081c4be4148603242caf94670f9e25557ef9ada0f23c5961fc07fe58c78bff013f8344dd9611e2314963bf51df6c984c56b9af"}) shmctl$auto_SHM_LOCK(0xfa95, 0xb, &(0x7f0000004540)={{0x9732, 0xee01, 0xee01, 0x5, 0x4, 0xffffffff, 0x5}, 0x80000000, 0x9, 0x5, 0x8001, @inferred=r7, @raw=0x2, 0xffc, 0x0, &(0x7f0000004440)="aeb6d5073afaa31c2e2b2c269112dfff493937392207d13fcd1a8ebaa997fd976ccf817f4290a89565f45f54382b313d3498e2a676fb908ee4d892131f01b83dedd09498c8c2c56df4ef1c8232320b42d583cc6061c92cc06c764fb0d446a8b9a5f1903c9b2b2ba45c1ece47cd249f201b457ee03c79fbe26feea6dec142689ae21b9ced8439f10a2e3b657a1e3ab73854c1338b6db905248ae4bcee973d068e9bd49bf4f9e8d0177c72612bce4ef6b4d76c093996de65", &(0x7f0000004500)="24a7291c4abc17ba4acde1c6fbdb58896ad27dad256440207ff6a5e48ff2a6185f2c"}) syz_fuse_handle_req(r9, 
&(0x7f0000000700)="2bce1778fec9a1286bf6aba53c3ac40286ad6aa7112d6f2fcabfd2ba713eaadc8139e14f618070126ac3a38ad9cd7b5c94b1783b2611520729353d56fc5bd5cbd4f11d01359ca9eb2e0c4cc66095846c2b10d41eb84677f1c352bd90ebfa66123a7a19f45caea84f12e77657933246c44a209a4b9f155687e2a4fd902f57ea49085faa760119406827db2e6ade2029f8201de47e97b133853ae73214a796e4818d39cf10a8e6a6f11a88e082c9aa25857a67a32f35bc8f867f044d0f329953dc0602249d83197e0ef5c983b9d556bd527a6a599f52a211f9c7113edcc0e93fc18e79ed69fb2a7fde97c9c35e31e35f077137c8fd8bec401814fb99816d1ee5a5e7edc210c610970daf8aea89acbb754082d8f68eb4a0010653c70684a8dd7c002ba7e461c8dcc45c2286da3427351418cb24a94d6556d69e2a319b5c0e69e6bf111a9c45467c41575fdbfc2646dafda3179b0fcacc149b45ef10dc13f5fce2e4a2c22c2ae992bc6bd51323e724e466c736db1d3457ee0f7de147661dbadc942bf0df2f089e980381ae888ab022fb545c0343c4087f2c1b6ae0cd21d0fd6565790958c93a6759a5754b700a6f53abbca7d22cddcdd709b279d111d6ce1fd791ebcaf260480986b321ceccf955618bbea2781d331490cde5734793ab075f5a729321aee177fc3c20efd0797446e512c625a3bc1a56f4c01889f574933b726f7437ee049491bcb91f1c63a0b175e2ce567507dd354bf26b08059ac229046a6e75d3d321ee63c5abc1a7409e207e6fc51679df37bc7ba339cbce32d45a9609068851b0a7f581aaed7e995c36779d07c357e5d976f6deee4f3684f97e7c619d3ccc28722f130d936d3c073b9bb5194eb9ff69910c6a3d5858c2862ba8ce9425cec1e801182a7fb5c7017a4185d13feb353829dc681a5619f0a02db6ebde860cf7c6294d2145f9a5291849762d93816682d19189dd768280df4a68c80801f66ababdf722ec213a7b7f58c46148686900669bdb0c643d005d600d95c5cb5d28ac4cd4c7022294352ed1350c4e75fe8927895392b0062c78292fc15ad7038d1bddc994535e73ccc33c9ab23311d6f65de598f5ee9f9134ca4e4b409f21b0b0e40f36aa5c782b7bb864707afdce1e7cfe5a27c1ef3d2dc14105d6a489b87e7ae167ae87a5f3cda0b8a622176297f5328b79690df98979a4806dea069395f5b8e5bcec683fd39b86bcef865de60fe407291d127c4f0068bec8ae95738fce42205ef7cbba2a10766e32191cb4e50c06dcf6ca3ae78c0caa658fd58b652cabdde1dfa9d1f54a4479ad61d25a47ff08b3122560099bdec55deb110e406e08595340887e49677454b60860153c4b1f7cebef25dad082f4d3402078298bfd390bc7662345959
18cbb3b6cdb9961e1bb1d4f7c7f2401a8d80ac62b14624a3b16d97046fcef8d025deb794094d2cea50ccbe272e1c79a7167803c40a4ccee138444e7a415347783bfe0ffda3d50016d0f6b1b06126fcdd9237aac400b8549e4c1917a25db59cdbae29d1ea5bd7d25c575022dc55ff32ed42a610e239479beab0dd62a30a4fbeda0fcfe1d0b613a8d066933466a9ab31262701d08e77928f88cf8a838e9729893e55070efcc83736f3cb32eefc08f240d449a61cdf2116ce4eae7b9669ce6fc528b9834012b0f7c5425c262237ae8a301b6cfc03a579cb109df417d8514af612d320d0ed96b7f7e4a48aaa30f6c8f427db2f981bef360b9d8c277c84a8015f49bb8840dfdbfd5402a053fbedc0751587ebf6df4d69285cc398e98a7fcd68876eb2bf6f94fc0d03d7a93b1446cf2ac7ec11f8c3b62fcc0741c376d15ccd8dc9c85929453a177bc2424b374ccad51a57bd05290241e00389e5d9733dac843b25f4394db450fe16fdcbb56333790044d65ad606ae8ca97ceec3f809d789049a3298881339d2ed1602f2bf2bde3cc87163cf1dc3f8e32e859ac7b2d271ae42a7ad05e6fda9b98c14be9a3f65b16253743995982237d3130d15a18f8f532a8d0273eabb3386702859833844781dcebf2164f0a4b1411d88299fa82e7bab71a0836d50b418a6a47f747220fefee2685af32c2de7c3375cca11914f2da17ecc46e635afda8c36feff10c7d6ebdcf7da4414b4fdb28c42f738c9561a656b01ca0bcb0224ec803e6a23864e01438974bba22369212caf053e560cf11ac83ec0485f570f6e536744243c211fdc03cb35904f1b3ad1e7965d4731aa048215dbe3b33d0963b0d5c0ecc90fa99997f19b583574868b4081c9ea2712343b918d22fa37e8df4db670a4be4295f699c924c4b7feb71103d9aef0270ded29d4f42af37a487e2bc8dc0b0bd3f6870385a1a8a984220f79a47a981e987dca44695ce6487d53c019010543b204222efaef7208dfa23f808c45613d514468b97fe57df911eac0c90ed04f00649321c3abd2701ec1a0122b4bb48377b5e9251c0203faf0898260ff747c5a82eed234250158851a50906ac5492719f970a9062005ef1675576351a8b3d9dda735cc65b8209e98668b8d497885fb1d91d893e3e3fe96dbf56b61c606a8463c41fd8c9be64df1a595627fc711438eea8dfb73235a47be9c03704feda19e54f65a2876294495aca4d611c9b43842915fa7a51e45e16c7d22817c1b159e0bf53dffe16ed634161be4cc9169c952b0bb5fbf445aee0e9d386d300611857c70e95cf2e42a3e79bf7c202b77ce4f52d5e8ddf50d5db3fa10e95f24d656186d356dedc85c6f8684b8102eb019c18da8a663d70be24ead9f1dced78bd068a6c9b324dd747734318ebc62a4a9
c74eb3422ccdee02f947c1a76e738542806ff2c9c851ab71217f7539da9c3350a1fbd5e5390a048ccac1f5413ab2d8147d7b2d7d4933e24d7ff0d16fa34e238e931622730da47e8ee853549f57d8cd0411fd3ddcd5d6bf36388d0368662f95dae7d3bcb932d62e0f895a56bd879d1f57043eb6ad46e35976c4fa6244221e9a68fb5a93f2568c1772ad1faef2aab0021fe7dbc57f3a777ddfe61f41cc3f7db0bbf637bd48f72d11dd052fb4e32520d4139ce9b920621f1eb6f378871f1e794c38759650a0a742c0e3403b6be88e31920c0f3afb58c686beaee1d65d6d83b8eafa7d0bcaaef875efa7a27371cac0599d41ba51aa5ce65ce48bca24d4a438e6e3ac33cf1fc7cd8cc3cd9b75116b53a09d98141fccdf0b08d8f9d6efded52d101c3ed6b27f6c6e42f9ba199f39c9a337728bde05bbeee63e4dc680ecf0f020bcbbb7b6ad0ba9b2aa614391e8aa41552137356953ef21535ca4e3220a26f061c7e78eb424288981695e651f6da9057c61102f5d58d331358d691ce1bd7f68160cb76fe77f03ffd460ecda1fdb1a78333893f1dc5d0357dc24335d3f12d7df9133169d9d21445b6a58195663da0330631b732c1dcc3e658f237f0f69a11602d4cac6468353fafcbf4cad1a3a26d2deddba7ccc886347ff059dacf969698001853307a3c5b3634dea162e63bd27b7c9dab63a67059299d6942675d10688a797d6b5163eab83b45b18460c28d6a83371eca626e9bdb94b90a11a7fb7f7d9fec0d773cc0566636292c7d90de6479ae9ffce8c34e284ff2fb4da4c0b4629a023f1e9c1e79c5d6bae6252cd4a30153e8c1ebf08389c206d66bece902ed877c36756b3f9cafe841ca61bff315fae3af3a18563f71a77eeb6fde0db2cea7fe494a78391afc1b21b233e0c4b4a1a23eee6feba1aee1124eb04ec4d23b6ae5ccaf13acdb656c72707fed010fc4ab31ba093a22fa85e47389acafe2a22298e51d36732695008e65affda75613bbd22f869b05e9dafe411da8549f141e018b362049c6af4ed782378172c55ae7b1d005a19086c2ab19742ff7f9b329dc567f614730ef3e7478b62209ec2db90f3a6037af0cb7bdcc8bad8b32864a4167a370d0f916dc751fb28ee9c800e59e2e3720dbff363b28cf2698fdb3061bc39197677efbca4f86da8a976a1fe5f9e183ab9f3bdc9ab6ae44b8713a1ee07b894bf37490464f9d2c4f5a2a46c6b3035343b926dca5d993ecb074191df0e50fbb114c82b369e19d8ce958025e12a6e135c33c4e7040f2e5e4abb143bafb7c712144a99109b00dfd72f66d6a5d7d1e6aeaef794fa404575328feefd9c208ae710236da12de525c78403e78fdcfb5cb3448f93809eadbf8c6caeca702833a3d30bbafe94ca14b5e91864aa575409498939c5b2cce2d3
3d1f14ae3d7169ffd51a7421d2be6a4f6ce0d7fd5dd834e020c3e69cf5debe69ee863f5702bab78feccd285ab472b56d1c06ce40a79ef15c072361636317413726643c950c67e576ffd80d5f80807b6729736547b00a0d458e93bf964f47da3507747ec323d3108c449826224ea09afa36613331a961c5cf259252d0dacb502fbc987bbf6b1c8c6225a6c0e65ebb5a55945c5a064ec346f84270e3b38a12ae72c17809975ada72bad05a12fda83f1b00a42310481ca2a0990b663964e194c925c99cee86279f62c64548a57d3f167d6213accbe679a9fc204d21031f64bd5f68e8c75cf80af207cba25aa42fbc7df0734257000e5e9c223366d1df46f508b8a8fba4933352cb7c3f0e25d66d8c5129bdc467dcdaf4f4a871fea52b707c85ca1ad30f00804ba500cfbb2eee18c6842091c120ff9f5fe915a75a623e5407e77b2f2d7aa46e24c96986a60865517c267945d391692a1d3feffc935576787c90da846f959e26eef2f98ce0b13174fe456c5d33fb6bb65e8603af4f102929d8422b8bb5a24e0bec7214ee23d9b8dd07e7daf18d83fa66d849b91c708f99b4685c7b5dc956d95c7fceae7759feaa0d2a01f26b17b9e5a230c18c610a7e724db79becd4ac0f176bcf20449e90c3fae89c3a993e2f9c51e428dc0bddf67a7cd11f9ce0dafb4277c3281b88fa7138d217d79fe3ed72b195f27820e33229c5a6d7f493720f9190a1cb229a3bea0a78f629d00593c988c2d3fa09f8935e25bcd4ce0276a16f2306f7cbc8912523591ed88921aa7aefe26712f81028906d730fbe81995521e02e3ddfca0f881cb98a661d2cf8d1fc310845df4ec588c2b30fdfce181e6ef9a654e83fa69b773fb51717774936e6d037754782fbff13d32a50c75e2753bcaf4ae373526e610605f07c677aedac8daf379283f2e59aedde2c01953d1be4591ef165ca1906debdc0b8e47def1a34d3c3a4c12eae89668d143d1b0984f945044709df868d0975514dc1093090b0fe42962345ef40b0dd84ff7a20f394d5b3fc5a55d69b4bbd00b53e3174c760cb9c79f275275558c6967f03cb7b54ec6c2a8602a5557c48e0cceaebc38c4cb35f171fa42622b1e8be6dd323375033ede7bea93b6d667758fb997ccee896cb3a03e47fe8b51bfefd7165b4b162546c2e4d46710353b73f6f1dea17e442b8272f6aff99c864372e4c3e5631bb739b59ad1235a18af7d59b79320a41b7c0e8d64d5a79481cce1e31b334ab33e92e6a4297f3def0f1b34675c7de910fe38e494ee014bb844e707bd302b24786bd6062bacb82d527acdca236f217bf0474742476e6a9325d9ee282dee43636beba541e6af65bab1f58233a6f558d8c6019f4ee4c8e833ea1618b053b3cdb8f88f09ce1225a68f319de5bc583eb3d22f27323
43e9c0acbd8efde7d9c0f22406b9d1beb10e7bc92807c7bbdc00b1d88534e65dba2562167e2cf12a6f4b1e89b2495be631fe9a7afaf3e440254a2da7eeb261b40b4b2c8a2257d75b09b85b81d7954ac55313ac4990c54ae40793c2158cfebf329b267405dd2a5e76154d21d74edd4a1e086f0f240e71996a04e8f96ec8822bc5fc91838d17d97b03cab995833aad9fed8dbd944fc11ab74fc515fd8bc5c067424d32dbb99e49e0d42a597dd807317d669df7c08979dd647cae4b9d123a644037c68fd7b454d158b5128185b7a071b77453e29ef5183c03f3dac2758fad6673d17b95a42d428b56dd7acd6b44a15f8a6acc4c73d23fddfc44fe57a9add195796cf45c0006f6a24160dfb879862b011e74b880f5a4f5dc8053a1f2c7d0e1d772c62ca028b09cebac88ea7a8a1855996201674f2eb71ac526c0a0ec4493daf01a5516d2bf88bd81172a2f75fafb3cde2c92b7a020e0767cbdadf655755c3715c6bf9cc3df38c3834a7249505a689480ca3a978792ae9befdfb3f25e3dfec22a90d66acbce1633a297cc2bed975731fbc97c09da8942265336d17b13a52efff98626a8b7b188cfb9dfd33eb28763408732bbae7b80122a91ad9813897757effb84358dbd62b0133241ab9afa79e353f5e7db9163921d65efc93e408bc38ff95842905a913d084d24fa22359df710b39694de240389831e344e9d5332ac0c5484edc3a9ac612f668e4e78180109e1249ef5dc27cfded52ea37ef3a7d1d0288a9f7532fb9f3a380294cf03329628fe8fac3b8121130bc3dff51ed6f8300806786f9e505de5d25d687c402c0bedb7d41cdb9cfb87714ba2928bececbe1aa32dfda001707c784cee7f6464877ef8798c1608c487ce088d07308b4f1672fb28efad8aee845ff99e00db8d0a4eff10e7e0482e10d2d4f536b90a17f2cd0649958619a3bfc4c72654ab9a0dae3099d6958cc43acee94a4501524e0a9dd76700d81461ffc9cde222715d4c8917c2e53560b6353a098c948ce16131bcac5694846942657fbbd47d14f0b9e6e0e383e7d60efe2d9935c04dfee10e22f474cf382329cce12ae8d210ffbd17dd0f1868f6c10aa34dc1fb7bbb7a25db0cdb0afcb3a523445564c6bc6c0f8433a6775881852d9970aa4203c9258a944274168899d5a815d665037da716d5304e4f26c289a46384b965f2ca5aacc1c8123b54c14e83a59b99799648814797784254e3fccca53790ce3f0c24ba01722d42baffc8168a36c95b5388def137e6c929e2ed1429910d138e791f8c45c37ea0b8d5f25dbb2b43a4c2e0527327a5847df44a214222330144d26446366764f816db2847bba4860f22dca28aea5bad298dc4e5888ce737b1696c952c2a515574d10d4d2c3d0a21232422d0d600745862a31513c978c8
442bebab3e3efbc5bf0657270d1db26e979cf50ef7a3cfee880f77a0b802c7b371bf966a5413d6874d9111e7b98a972be26e28fa9ec1f779391e3a491d5e8695f73d88773a3d40682ffe1cea237fa5a91d48bd82d8ecd25e6a6292d1777e38be37ccc8d96cf9d191ba90585e728dc415bc406fd94e53c674071df12ea089dcd94f9d96b0386f726051267c96e5c3d7949e85502b5da43f10493baa2fd77a02faaca33558f78f09f00433ba991ef1b40c5999039bee177fda3ba5dc0925162e59a8e327c19e7d4e0aa8f1371070271e003ce63f427265b6a2dfb1d6864f8cdf2a9d0f8b38e57712b8543a20be5024aeffd250a106e783a08a5ae385ac9a576b3c1b09036c50f1a8d5699f1bad3d16968f11e9b1f54efdf3c2ec03a1f124ab5e5c453d19b939b68d0a339951b5bb55da3eb459c3f86a1de1b8b9cefe6e60d14d8c6143145e24a85e9c062a8f6bf5c9a51b2a507ffdf6f601cd7d10a7f3cb16f38d7f2c46eb2c1ebd205d5b60c5d5ec3d60e15189b9f445cbf29177b8355d8af6bad6c6e3adab39df71ee2cf90df9ab86808e62d1ec24ff2bde6fd56a231e4e556cc227f5fa6d617d549aed8e2e366013d8a2c2899a5c752620d54471f9cfe17b687fee42799eb8621cabf3b8176df654b20f348c9167d70e959221338bf47cf3b347ddb46e4ea71fc8250cf4818607a35951665aeec1b4684a9f2d54039b644e3ffcf5ef2a2673d97408fb9c5b9ee802867fcfcbf3ced4295e59e78365de8f38d98066bc163b755568bb02eeca38e04fe45b7809cc4424023a23b15e374e383d01e02dc66924847f372d8adc3b8aaddb6eaf9575f524251ca6fea93fa3357e81e94715fbbe3ce2bbc0c3d447a5118d859b1a743b3e8eebfd352fc50c28c89d9fbf2087cbedcddadd1993a35f71bff4b6e9190fb1826fa2b308901876165c70417dce16ea0c1975574bdc7ccf8d92b3e772b57fbadee74fcfe7b73dbef59c7f2e5ba57b9be6843e06d0c13da2f487840737a8dfc790cd553c693a9d1268a13acfa44fa5e4b4f0da376fcc0ec8294fdc01823897f912127db76903df2cdbfb9902400c86bf526ddbb47c8e49b673055f70a7d90081cd31964e0519d504c171cd41ab7997916a711cdec24f80f8039cec9f65bfbfa93e7bf228351a81892e57180aece3e6b0ff3366dc6664447fae5bed381f629134adfcc51eca2ab3276682e5d9f677b301d6e6dcfa86461a567cb9cbfda3d2f91b3abc20a5a7d465d57c507fe9cad8343d64f51be630ce818ab78e92cc5408f48025fbbf8396d88201c042fd71182c3d5dd62ace3ec9231f847bdff19b7bce4e04d1022b32d46c74709aa4963166aefc5ad6ed94701d4327f394e1c9d01fbd3f25903c5020a8487963008f8e4eedfe9c8d62ca9cd72a
96239b1c0427cb4e17118219b42cb897353621d667a538d3ba3e9266738fd2524681fd633c1f71a51286210bc793fc89c0f043866480b7e0862b7a108593b2e9f8d1fc62b7c67f50dff638f9318fa260f3730cec7080afd743641de7d59bca4d321f031f35fa616c433ed572a39bb17b93c8581b12aa1d251541bb5b21c63917c5b70ec65e957c59c643a6c0ab002b546dd970350be2a57e1a8f0f46b0119950aab3301e5ca0543532e1f08199075609f22cb8c8ffcba4bc81df5da4ba7ae6b111b4cd9c6e2e6c20ada232820b47753d6262c2b9ea61ead281ba0c31c3bdfc06b8a42982282a215beada3ae9b2ead9afd24f50bc2281890097791cf37b1969b45ba7eb1305366767eda01efd057da567431c49e79c55a58954f12dab8f1b688513f4c3c49a5f27ee53750d89b633779980058789d26a6b1720be7ca549de74bdb763f4db1a6bb860b05dbc4775b20ced871b4a9d9d877abef6c4bb39d368ef7e7fbbac5cb88212d87f3c7620659cf4ce1c6eeb0ea8384a6df2f291334e58084fc55a3b6d7a8351f625a71eece16fcb52fcca888093a040f5f157ae27dd79d26ae555dd0d219b58553db3bd8b48d856b3e233d19726578d382be3d123f8656dba5e61db14b627eb074db68d5a69c9351174492b50824824d3d3af79295f05cdbb47c8ef7c85d815bdcbacf4b8627965c07c8e1079f201e50980284f2005a92ba8215d06ef5efed591f5279f18a2fea042466d783e10864e93a54b8649bb4436d886c78819e927c163c769c22fd6c1ffc509849f685acbc5c6eabe4bfb2e2650bab1739a6953b27a1846464ea8f56a76cd371a7474595949b6fd4db076d44ceca31122274ec568c581d088ee7f568c0024a491920401f165dd1711a2f9b037ef4b4019d2272e19ed5cf4140e58d74ae1d93018d09fee3263e8119fc7a4809459c434e93d304702f110fc3a40dfa78fdac5edf2425d8dc1629bc95bab9327032598c2f553078187c3d076f15674cfb9e0f182b68cedcec34cf0490901af10a2d10ac8731f79e60ea1eb178a6014297a5a3b84b80deb5f3b56204cdaf3a4ca0bca0083acac6d2a563717eb70b9d8275bb31dd4da25f6aaf3bb576152cc598399bfc1f703f9d65c7ca6fc45d7cd81912071a94b4981728bd3fa532dd3ab95edc2c8a8792316b7828c17a0a115a80ee5f7c632fa123fcceaecb311915349c9b26f2ed275223d79bac0c137671c3ac5f489b42fbf5b19b3a46ae22a72fe347d8abf11142968562c6329dfb942249b593d37d17f40d793a48189210e0b60b958375c08993d34e3eb0ba6932435cde73d568d81e0df7f76dab7c1c1f7e5b764144896fe5a819a4f0aefa099e1d84f8c11202bc141f7ae03fb4fdbf5b6c30834a4dcc7f9a64bbe14076110b972
9767e5f31edbf5ddc540f3a31a36f4a332b5a24d9e0be54f8161b52f76b78083e40a663c8d20bfbc446533c2c4b78e630bbc94a24d9516018faffedc2e85fb091deead3612c8ab241b12647c2e71407a9bbef11c975edbb9722ab6174a9191c5f0128c1e0f4393353689ad18b96785a7d8e045adb801afe79000f18ecbc07ea839306becb862b1753fed504df009546672fd65e60a2b523ae7477502db75deb994452e0b3f7a841a98b8c0b0e828f0ca679e1fb97f8df292e2db30f756fba177545a09beb2be193fb3a1a94d34456d9071e634bb8a43309302f6ce4c338d439270c426baa048bb92ec139e50fc457db0f37b494c591f67115bc9c522152d28f9cad1610bffcea139bf2c5e0239d4f8db125f0c668768a02ab702814ab61b57e0dd839549cd78c1d331d3cf42e0e94359df9f9d8d4fa2b982a1977cc55a888805646231545c2e96a8b80c9dbdaf7b7644021f8dbdd8f3c373a72a9c5a8ad05c67f50bd32a96e19a606170061542a0b1ee90e3c75619d95416e1d2f6c76ef08f611882c87d096b2f84c1b5f79c728727e00b0589ff867824b88939c3acba96f59a3e308ef7068bd4ad8478b9f0d6d5c90c8d3fdb1bce0822fd4dbf60433d0fd9a1d00fad05b135b0fca522982bd41a1d32ca9e13cc2de1809e51e12b540df58cc4bcacbc39453e62effe1cba62a725b7b690a531a169b16cd4fb4230018adbfebfd58ec476742a8ea7e8ff7e56ab463b345a84299867f857de6ea30759a8dd093e98f99c62f409597f9a3ddd490c88133d9831a7ddd0bbc3536d80deaee38acb1ba95ba0cda910f4b120a592bc91504f4b0d99171e2c45d4e256dc03fede68ee1dabf8029c99dec198c4aaddb6817f839f1da74971267c212bd2269f8cccd32495e8f7204486d985987c25a5cb7efd639b1dbd2506022f6caf24b09226227d8035cea83b9cb821ac3fdaeda5f22dfb1191593f4d1655e23546c84a8ff482789bc92f194dda5f614d6986eac829bab2b7a29225bd5517612d40fda6a153fc52b24663368adc2edf56b07bb22f1b5d526bffb21282c654a7795a27631f95d885df4c0bceb0712bfddc058dcbf3283a8b96664df548340466bd717329e6d5425cbd8f9e6442ec4671381b8017e04baf166d7b14ddb516a624ac5c76587a00c6502a9401ceec48269c4ebf670bd1caf4613bce86e297f9dd0022408af5c7a7e9ca4a1a2c7ea506dccd7f840eb4de4dd3c734006cb85e9a0539f988ab45f593d1d9606122a2f106e9f84f52ff91797076103d042586846ff7305c273fe8eaf053f6f2c7fd4f118134a8c824bbb27e3191a8b192555c6614908ba5436a673830c27a63169d3c69d3f7e052a6b6de6fd2a544572cbce67f67a3b3783f4c8db2271a4a13c0355a92c6b036e5ef
06f53323db1432bd5bed2601544387dfea3f5ed9b252fc9a20411999423944fdc2d163f66ba1826c7bd6da8e895efb19b4fe0f2038142d7665fafaf979c56352940b55caef5f8f881db23060ddd71f99fcab6bfe412beb2a17d106fa450914aa7920cb21267e16cb4943605609836149f1970d5ca6f311014d5b691c145ba81b4ff94c72fe150ea49e56070cff34abee37061e871aecf5dcf9f91b52a36eb993c6789f021be5170892ca80d1c2ad5bbce3ce406cfb412bd66fd6442d70ebe18cdcc2958c509341f0510", 0x2000, &(0x7f0000004700)={&(0x7f0000002700)={0x50, 0xfffffffffffffff5, 0x6, {0x7, 0x2d, 0x2, 0x400000c, 0x7, 0x6b, 0x80, 0x3, 0x0, 0x0, 0x1, 0x4}}, &(0x7f0000002780)={0x18, 0xfffffffffffffffe, 0x4, {0x5}}, &(0x7f00000027c0)={0x18, 0x0, 0x8, {0x101}}, &(0x7f0000002800)={0x18, 0xfffffffffffffffe, 0x4, {0x50bf}}, &(0x7f0000002840)={0x18, 0x0, 0x3, {0xffff}}, &(0x7f0000002880)={0x28, 0x0, 0x6, {{0xfffffffffffffff7, 0x0, 0x0, r4}}}, &(0x7f00000028c0)={0x60, 0x0, 0xa2, {{0xfffffffffffffffb, 0x0, 0x2867, 0xd7f, 0x2, 0x28, 0xafb, 0x7}}}, &(0x7f0000002940)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000002980)={0x13, 0x0, 0x80000000, {'&,\x00'}}, &(0x7f00000029c0)={0x20, 0x0, 0x41f}, &(0x7f0000002b80)={0x78, 0xfffffffffffffff5, 0x5, {0x0, 0x30, 0x0, {0x0, 0x0, 0x9cb, 0x6, 0x45ff, 0x8, 0x7fffffff, 0xffffffff, 0x2, 0x8000, 0xffff0001, r10, r11, 0xb, 0x7}}}, &(0x7f0000002c40)={0x90, 0xffffffffffffffda, 0xfffffffffffffc00, {0x3, 0x0, 0x6, 0x4, 0x7, 0x6, {0x6, 0x5d, 0x8, 0x0, 0xfffffffffffffffc, 0x1, 0x3, 0x8, 0x8, 0xa000, 0x2, 0xee01, r12, 0x6, 0x7}}}, &(0x7f0000002d00)={0xc8, 0xfffffffffffffffe, 0x1, [{0x6, 0x5, 0x5, 0xffffffff, '\xaa\xaa\xaa\xaa\xaa'}, {0x2, 0xffffffffffffffff, 0x6, 0x7, '\xff\xff\xff\xff\xff\xff'}, {0x5, 0x5, 0x6, 0xc828, '\x02\x02\x02\x02\x02\x02'}, {0x3, 0xa, 0x1f, 0x2, 'bpf_lsm_kernel_create_files_as\x00'}, {0x5, 0x100, 0x5, 0x9, '\xaa\xaa\xaa\xaa\xaa'}]}, &(0x7f00000040c0)={0xb0, 0x0, 0xffffffffffff51c6, [{{0x0, 0x1, 0x7fffffff, 0x4, 0x80, 0xe, {0x5, 0x6, 0x9, 0x0, 0x80, 0x3, 0x7, 0xffffff01, 0x5, 0x6000, 0x5, r13, r14, 0x9, 0x4}}, {0x1, 0x7fffffff, 0x6, 0x7, 
'\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004340)={0xa0, 0xfffffffffffffffe, 0x4f4, {{0x0, 0x3, 0x58be8e49, 0x88, 0x80, 0x2, {0x0, 0x7, 0x8000000000000000, 0x6, 0x2, 0x0, 0x81, 0xb, 0xfff, 0x8000, 0xc093, r15, 0x0, 0xffffffff, 0x9e9}}, {0x0, 0x4}}}, &(0x7f0000004400)={0x20, 0xfffffffffffffffe, 0x4, {0x1000, 0x4, 0x7, 0x3}}, &(0x7f00000045c0)={0x130, 0x0, 0x6, {0x7, 0xf, 0x0, '\x00', {0x4, 0xfffffffb, 0xc3f, 0xc6, r17, 0xee01, 0x1000, '\x00', 0xc42b, 0xfffffffffffffffb, 0x8, 0xfffffffffffff3f4, {0x7, 0x9}, {0x893b, 0xc160}, {0x3, 0x6a48}, {0x40, 0x6}, 0x5, 0x0, 0x9, 0x3}}}}) r19 = pidfd_getfd(r6, r9, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f00000047c0), r19) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r20 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x70d3, &(0x7f0000004800)={0x0, 0x87d1, 0x200, 0x3, 0x92, 0x0, r19}, &(0x7f0000004880)=0x0, &(0x7f00000048c0)=0x0) syz_io_uring_submit(r21, r22, &(0x7f0000004980)=@IORING_OP_OPENAT2={0x1c, 0x40, 0x0, r20, &(0x7f0000004900)={0x8000, 0x190, 0x10}, &(0x7f0000004940)='./file0\x00', 0x18, 0x0, 0x23456}) syz_kfuzztest_run(&(0x7f00000049c0)='*(z,\x00', &(0x7f0000004a00)="f77ef6bf4c19c04aa57c4c2ff92ee1460ebf0e57595cc355aa22679547ef84499ef99d9bdd691a9a0ee19fba5fee97d9a92bb7ae3d754a98456cdbfd27da20f977f4bf4630c3ca421a6acf8d9f81d293d3a0b02327e406323e773c64b865c2c7a10236fbbbb9c9eac5d14f18752a0389a5815964041b844f71455ea12ddc9dcfb6e900a3665758cba3c7", 0x8a, 
&(0x7f0000004ac0)="a58109a5e0dab93137d420471cbb19fc28b13363208467ace8722160a2bd5fa04e7573442cee6621bbaf3e0c408199fa9834f59a314bc375b4a23459d2020312ab4194c9fd9c5864c82edc3367a0f8cdb8a0ff39b96fe339e352c903af49c77365b3acb2eb431c8d988b517dfc639532eed4ae0b4ed9c64d53b29a18fbad20223062a257aa5e183089cbfdaa0c46a4b8ab8dab0990adb18eb03e5c0d4d72ae0de6f67dc96de9940f710684bcfc0bd26cde3ea3fce39ee9d71faf2324cc661626b1b6cf4189a0eef57977918a8b3e2c135549e367e4a7d2527e24cb424d663f00266d3996d6fe636e1a9d035a54ff46778c6b0d18c4acc3e5b23a5566323e1e0a256661d688b18da8298963f74441acd2b82ba472242de35402df8f05bdf0d54b383787dae5ae1d143d21df935fd0305a61f83cc42a45ba77a5317948705b59fbbc921815cd56984c44f89d8075bb7bc5afdad2beaee82b73df1eb95bb0389c04a3fcf33dd342b8353fff76a627d69c5a76bc39bc57c99732ea8830e692bc09bef94da07faf89d6302deb5111ae54523c2c16a35019d120b871e797a9a9f12e2d3b73e6ef1e7b9a4e8048e36b3ee1721b98743a96cab0c508a6a534058b341f4d917fbbff140b8c5b51b8b42c605ea4d2b0a935c501d5b9ae3f1ff3deba846c0d596308f1bf3e0496a7284732d79555c34ac567d731b4677e09287ea315b3eedd503596c4c601210d7ef8a6316359183e039d5b211db87457ea44f43384e3c37e668ccb54964b12ea874057cb6a75559812d939bed5a168e7ff02f22facd5fa33e3067996282f603fc71676d7ea9e38f7ca727b18b933adf118e8bf652cf36e2147b97fb298671a62480065d517c935c5b5d76014c13aefa1a7606018648676eacfe90065aabdeb53e1289471682cb6a1f3efe7d1ca73fe8ad262442414b266fe7dc1dfa1ec7135e9e64e1bfe49a1bfe7ce3bada05f01b47ea14a4c92b50654d7ce442725dae73d5e93f722316920670e213f8b09d9da58df0eecd0b0d98081d5355300e0231a0543793dca00255f3d189b046c999f70cdb5d4043594a486a23cb9c78fd4c0c6c3d9858de57bafe71fcc1cf3327a63b0d841bca21c72977a80c9f4d3dee4c10baeeecf7ccf8071b1f618c749f3b0fc699d910e5282a431a9767c064c7010bc390f8285035c462ef24c879ef11f3e42eb1513791c7da91608a95e5e2b4803c946dcd77b7ce004a6d8c6274ceb2ca3e07cbb1c41d70522c6ed156dfc3db146c3df4f2cc286f4bfe994e1d7e20cae2bab653590845b7105ccc12773330b05b52763bf42826fe3badf907716d8507f8e8a17e51507a0a9cb37e6a663e4c17880e21736f37d17f173685161cb9407007eef711927e6c3ddb5ed72d
f605cc1bf3b92af0a86ca60fe7f042cbdaeebd9a419b144d2772b10e673f1538c798b82f48a143abf4dfdb76f747517a13ab1f35e598586cf6a7fba9371b0ce35b14cd7f34685ef0c2afa71ce7dd13b4c31732a98dfba7bb9ed0dc35a8905debe4f7bd03bb2ee00ff45b955845a3a876dc0426d23a2c524b819aa04a671fa1cd09dbd35b6e63f64f9930b1f4ee1032e46adfbb94c65bc3d9ec61b6faf65e76a572cb3173fc3eff366435d99a370971c85274736fb87e72bc74e2eb4b6a195e4c7c4de5ca2d65b0ba4fca7fb335ba405b8f1e5ae24bee8d554d82a42d50fad4db1bed0570218f5a47a2e156d76c0956cab5c3a44d63abbd2b8dd54dd3055fade3c31b5946daa3cdac4fb507b3445e2a414d35044938aae903adde90f8412316b2a3b6fca7a908be62eb8c5460f3015b13b5ab43822538cc9b860984a4a257bc9ef6f7fd9193840c3e46361a1ebfc9117dd57f0d7e1cc21ddcf1b17ca21a8fe52108184730abcf9c0be332ad8c37fe842f65a54e869db23bbb6d44aefea29e1ddc32788d242e46989fe3ea6908056591ae9ed91efaf199618a6b6362892e55b83f83b80da9e0e716a2c6e42eaef2016de831f76a7c73c2c8d847595e03dd51a0e998b74b846b8c1f7ad4c528bfbe594e26b66b6fd9ae5c2701f1e1924a449634d64171d2eb2ed04c5accf540b477ce77474fda9fdfbe294b1c1bc051b8f3cadaadaa79aec8a99190afe7b64499d19e9dcb61f3d63c01810726b4956c28101070a1747de55f9baed6ed3bd4dccc963a2a882028bef5805a871fb35586e124616bc141f1c2db9056ac2bd367789beb277dc9583777f5708a95aebca263f57d96f70783919b012737c2c64997b154a26d5bb01fc5a288dbb01cc37e943114cb4d375bc82dc48737e15e209b48cb9645f408218751ae62cc86a38f37df83a0130248ecb35c484353408a343a02704a56321a7b46b6518ba59892b5839319d74f4ffd52efff0b25ab63d2bd33dcb193b785c87cedbf9985b0cdc7a105850f8fcf601647f299b6ce3da49bb042a3d6705a877a9fa60d16a946f2ba38bc73f03702fe63fa12814e9c0ebd6fbf41e55a88b275933d221dd957472c4e0592d2f1bea33feb1a1947ce0391b23b46e1244891d2507c0fcfdf60213e2904246fe0022db77b15466525a8e074ea9229f11a2ce2fa8b3c2184e64f26774d723a01213a7deb991b30e4a18e42a94e26e553c465b85397e8344c87dac3ac004b6094da9ff287b9100f770c7d5b919a22f84fc30534162660ecf71bbff9bff48ce42a1fed6dfdf2930f2974e341f6d8b4e9c551ee437934702e6bc0da5515712d7be5a6b49ada3b6322939df6fd5b319475e8312f41c5d37f52f82e7598d7d71f3001d2db5431c5520ae57ae3c7cc495dab
8b7e8d04e5610eb5111184a857af2f0723a52cf4c602c6fe47a3b6f7805d95712ceb22e24860d6a5e17cfdc25ec795a7089ff927da535f2be46da244e3569712dabb82b007e156a17579217c5fb8b43d28836e9d280726cd7192ba8f018a73c129b09479ec3eb2651104f56719cff6adea42c320bdd528d6ab33bef8c807fd69e055bb1c1c89547d34badd8fc3a064eb7abfec85d8d4396cb221d7767282ed873561a7263cb241303825f1fda618a9e64dd6a4299581e7a2eec9e750506c20504ba2abd8856bcbeb36a17a63cc8c77619c29476bda703bf3bff6c2019cd8376713970b56f825fb72e83626c2bd6805031a2945ea9efd2f4780ccb5bd8a3607ba78cd79115849f6d95c93eda04e6fd8857b1f2ea0073e5db2116964e7f8d1d35909a3ef8336e07e0db4a93f5c902303191436b2623235b3c694eca299262184d983ba33a0bda2c04ceb8df35302ab079ca7ea4b52102e39593b2c375f10fb7906d10ef3c9149296dcca884c0181bbc3304519f797685038c4e66f90f414797f389334db759641025af4848af615061d903ce2146e4bf7936dc4f2be7f420ef7561fb341bed654e3f93c1253159f76a75d67378f5e9151f8b665d10676e848329b007ac9aea4c1b37c893df05e9dc2a631818620976190acb08cc4e413b1f371cb2601e1aaf3c2a4787b9aba6e11e838cc41a39983101825627f5591b85ce06044c61f5d6c00ffea265340c675a2171a31da662b7713eb49204e4fd5d478f3599dd76952a7d4875cb972fbce7a59165db90fce3ec9ce9a0311abab969a9e24a8eb5a33887835b198bbf51a857a70455186bc5f0e65660fadb5c7cf45bfac5046931b24ff30b32ed35a6abfd48efe4ff29cac0e03c9cbdb90ee70718fdc5f172ce01b680c30084ef62a41d421efcbba1077d88c6cb5d8f57cf6c896d96e5cac28f85bcfa21c5f929908d6e66f1e28063c1fd98e5079b60d12559bf6a164901337d10e0bb16b9d43b719bb6b482036eee61cedc39b7773dda85ea04826b8669b3c86873ca24d10b61dd16b6a54b7c416deec8b0287ca8f3d2f66aa53012cf10f6f7e2de8c9d63551485d98715337d106d6ae2b7a48f2ede892d8f04a9116d1d27765d4863ea0d2efd68fc1b8a39260e064e5c72ec53d18107b1ca044fd5b42808d71400b1526efba0ceb57c27e53f29327b314901e177564f92988aac81fa0780fda44257056bf6cd90a49a56f942f84d5b1a239d5067f00d0f4c3cfa7cd60c1a90c409b813aaa49e94587bfce1fff62303116ddda4e75bc058b06f46d58014083a4321c3d1a6899425874bbf9dc195448c0d29711c23a88fbd4351e457009a10d1d2ecd47651c5cd9dcede7f8231063437cfb05a319bbd6189d794c6f5c99b6278941c94931c876289c
e33b3e3bce842b69689b9aee44a423d2d429d996c6bb6ceeafccb15e1f63366b790d68a093a85cd6b5bd476b283e17be3eaef83b701391d728e518edc491652c06e0a93ee98803f8fc051d90418f905344b5dc6585e2ab9ae7b8c9c8ffcc98f6a76ab30f337b5cdf14e99e353f152c8c30e98acb4452d7edd261fc1f176f9b5c6a4f207a26caa9da306f9c9441f88d274a2f89d8978922bd2af4d1a98ddbca53e08239f0e3ce8aa8ca7f554fd4ad5b84f12e4a6c44a85d8a649f461ff01e77faa59c6eed9d62c73ff34081a31a065f0a17ca7ba63c5fe753f5c1d7d4e11de3568409ad43bffc4da91b22970340ad4b5a5e7dc4574a4d436ee50745ab58b1f06a61ab3c2b16ba2df015be8f1237356cf133bca98ae7f78c87391ab7fa80edbd0ac93348019cf2db466cf046775b21c8d2522a6208b3db796ad26728e4bedf47c31976cf2f1a66207f9ac46c8cbb6cf005642d991fca160e9b259e422e565f510bcd996da07c64cf369d7f7348f61f234349b887a41ea2f98ab7eebfd3968762c50d84116bd21b0103581b54ea07ba388b96fb66024c9e208e506f107f7418884edffdb1fac8fc6ef9dbe021e9c9f8f86a98dded8c81713fcab3efa63509d188a3576f824cff6c5b622a82b6cb74e937f0957dbc0f55ad3d0b6573a7310fe31098bf875eab3b1211999ddac846e5c202a7262bc70e1568f88e349c6d315d39f2c30a2c9db3b97a7e6a3cbf45bb675e3cf75edf033d7b9a5e600c52c8e7bb899de1ad3d98b2ef30b85f1e5adce2837cb1e2190eb341a29a000a03b46552d4350eb6ca5a5d826c074874708580e4bac76cc11f88d368d531ff7248d3f624f2e409d330a2696793f58f7736c08c86d28a3225359730346be9437f035ecd92bc2c8aac40b2592b4c6b79af380f49d811ae459173f5cf917f63f229e87109198b6cd64f6c303a4f8a40972c837e0f51ff047bdcf4bc5347dd748756b295a921b652ef9fd55bed20f7ee4054b45214e54a366dc98ce23ac69fd75a3dc41691de2b0035924fb5e7d2d9ff777d7b0207e9398d1a6ab8496fe6245dcf3c8e6f745622a015e339602caadc9001c30d89ec31deb8cef3e15488d26c1704e30982cf45c9df58e293cdbca0a032da51a08df5d2fe0a93a5ac28d3d512d684be20f62fbdf066d345ebb642733de0331b2c9ac7a6001f8f6d248ea197cfbf662d7bb620d996ab31de7c4bb3ea1303321530c7f63d6a6fd53d9fea3d515f107cb881eecb0d749f84fb687d98cd27372fb06f49d628c4750edcc6b2bb1cf6c5d65c1650e3f8b759716f183314e9f7afe38cfe54fdc4768b624a7d054ff45588ebcccac5ac65b150103976625cdfacacab24c635eeaf40d99639585cfffbc3f16908336425ab7cbd0b6b4dae4e0ce1a0dab2
592900a988638bdc9da5b824710a7dd7ec9b818c01b1cbfa687a4428d293579b2cb0593e5f1b1abeb116ecbe1c0c6ac5a2b3cee613676c16537391883ec7792f75b04e342ef1dffe504fdd124ded4e4fc547cef5c60ea3433cfac40ee734602288f94d1570031df971b2c457dc366e77b799dc14e002d29999c2426b124e1992dcc1618837d3a290ad7f892f8461634e67f9afa1b6f841827b289d1c82177f9b035ed14e7a2671adfa1bbf3b6737413364c49caa5dc32bc927143527144f3a46d19735aec0242a80e7ebabfa1bf7222c60e489f0a8706ea2ecd66ce3f9d500129d475c7eefe38545d0a696c8c8f01bae8393c89adbcb85e6eba1884c674d9091078d4c3759b25e7f511d4fbd70d3dac32352328c066ea2f81cc7f5427508270145ebfd80807d9ec0a6cbb2219d69ea0a30d5e20f914ebae00a9e37e49c6c611f17c799192c7120f8f89e3a316f98f54d36078e794464941fa43822a701b55ac941dd30f882d0795b9c9ce0e86cb670fe920d4f6fb595e657599e6da0f7de097c0193cbbacdaef6c3ee2294ae7217311315ac073b6780b6365e6a1039526eb313cc5dcc9dac4aadfdab4efdbff316d59091231cd1a54d6c6d644c8efd2baa527dde2c7aacb9dd305047d8bc04d67a7cb60d0270cc4a01f2a6dc9bd5bf0d5e0c52f45721e4508dbdfe9d1a37cc04769d82015844d10e74defdb36973ce0fe8a08ae859bc8d1fda984c99a6be8f024d99b6f1fb85f390cb2166b275f7376d5460c9181116b91778a91ffd5ccc4acb50d4e1d6e241aed090b7053303ab6ede389eb0302f7522e92778034d0a9a0bd5f56494734d7315d627dc7e9746ab1be23a4b4e6646b116ecd04131c56c6ca3a18f8d3754c35932ba5ecad1d5e0b5c37bc4519dbeeb4b9e7ad044a76e364c89bd52a3bc2fd089ef1229b55a378faad365fb36a6d363e0263d378f06862b7c6e16a0ae886b9b5392ac4f9ddaf86f5de4e463396e99de388cd4c346de1038a46b339a121a07aa415aaf8c76ca129a33ce42e00d59776e9ab89ffc92a01665bb5a10709c644ca3f8d8eca20029173a36b9d3741190e0d296cef78012d90962a4db05412c154f84f41a503ba3cf60decdc2ce4c947b4e379a4627cb5c09525e60133e8f80d1bd9201cf39762b95f66a40c62fcb7362293361319265d687bbd9cc645ee9e7125408ba40ee6f1e63b4d546f14976967c21cf74dcd824a73d9bd7041befbcfd6ea0a8d2b7758fc85e09baaee1bbc890d3134253e9b0491f719d8812532d65ce926390fadcdd25b05f45a61ae8e61e61bb83c8f9b6504312bde871b10a6c5b487cae61dd249ad157234ea8d28e136169f0559c93d67315ab3a67d947ca9b5551cb6be93dfe22bb1aa07c7dd99c493d0623bdd3650f09965054
ecb738b5d5740322f57ea9f2494622f10a369f1dc8d38468b21931a5138a9fbb7814ea39d0b914a2c3fda44c1c63ed8725986fc07567befa41ca21adf7909beb981ce3944d4af2917dcef3e4581a6238a5280d7d613ad28528df86625ce764b8b03e26454cbd5d74ba7e047fa6715399f12f97cc5d0f74cf6c1085da2b86bba80a6354493ee32d9877a7c315a7f99b59a3831e61704086158fb751ea302eafc5bad6057a4280ba67c564f1347a775e428548e6e09bbc160eb1e8b3e40455390d59dfa1f0de5ab2e4f8f6decfde3cc1ba04938d9344b7a9beb36f78ba04dc031c9fab5c741da098cec3aedf4e253df7711b2d9cc38efcf310b6a777b8de675288d6c90786eeecf935f437b27738cee097d4978a9eb10c1ad686d5a4d739c85cb92c7694a5ce675beff415abede4b165881ad5f9ce9d0a17ae710c8a890f53420dbfc9f3935a8771b6a48324c13a6e5aae85dbeb26845a9469f0187793d0faba88ae60822dfdfd9f2f2921b863046d108be2f6f809c95e5e3e57413cfc0fc94a6d0c95faad1d7914c454502ae615cf562c86c8362285c35e7bc011fdeae0f402fdb813964ce1012243a791868b505bb4a62ffb9c2545b5e2d39b2696839a510f0a1c41ad45da72de7a077c39a24312b8edd290d0fb6774c6d4a47dd3a6f4856a6d9108af7d5042164a578616ee49dd3a1cc74e8d083cae83bc1117889f9744bf95092d70ca295d8f66a1a18454ee9ec6982ef1a1ed9550a87cfeedfe12ca5b7cd9099591f6f9f978c938640a4fb880fb9b61ff04b8073857b18c87ec2f038febdd6162909523fed57387bf0aad4429f3ce8b99663cd060bb2f9a09922e579ab34765be81b0aa877d99d8aa0ab0ea03ebc4cf3d8e4af1725651386ad6dbfda41888a0dd20c8b2de01123bfb8d496fed4070056c666004cc73568e760e2276a1baee496a5c836d8854dc3ac3f645f5433ca815b580f787c3864b232df3d372c50474e45640d8e2933aad519fa64cf4fdfaf029b41dfa454f423a8a8d4655290ecab35136ea1fde850d3e7c67937b909fdf0de0af7a2fcde657a601b970471cf992e4e2ccc8df88f7064911024c0306f59734ddf01e0c864f5c314f658588aa179c1077d0f2804858359173cdaddc4f9c15816c8738e6aea3a83c28a12e1f1bbb9d9b46be631268aff72b605bd6115d0af106fb0e362f82170f8c2b0f67d91496a2da8783105529c996af674c80daed482297dee05d32bcc55e046f7d81348946cd183b63e34ca25d624a66e448bb8d532c335eaaabcdc2ca8c822eb6849cacb1fb0039f90fc0f7868327e9b3474880c15030ca2490e0de01e254e4a257d730bfdbdb1897e37ef516e2af7cdb9108308350f77bdc500a3740d181ee8e9ba6064f6af79624512b736a0396
9ab5735c247f2b417b87597fd33cf0cd406a42747f938d871186fc6b20e02a0f379834d0a2c1afb2d07ef20e857bcaa16fb795e66405ffa3867b35e88f54b953ad8907d89b62f56eb148cc5a051f2cda1f4774a251b9f9a69a1c048928c4fe0fc24f9f77ec55d864e9c3b6afb0ec5c1832e8eb6d560c900a347bd85f7d017da13daf645667db3ed1dc3970b5a5c246858d556f5b266a212c2d70e7473c359e967879bd39c574d22f17402bfa850a0eeed253035c4b79209d95ff3fcfbca84e14412953c8c690708699a035d021a2a61d317bd19ed34418b5ff4bd53b685b9bcb0eff6341eb2c749b1896e2d4f14b782b0a43b78eac491bf1c49c9512d848630d7d7bd80b9356bf60540c8465f7f6b0920ca8d7e9fdef6d64bbd81ac6f838193b8146b047c7ac4b934ca28e742eb73b4d3d2b6bb795a74684192157e4a1b0192c3115f49ae45f06296794757b27c19f33e0f3ee30d756164695ab589aef025da931b2c3153220b7ea56043bc27f806affb93296ac617f3abb21a2a34f96c7257d1a8efbf252ed417dfa42886eaed942cd06c3281e6df3fba6a2cec9b90ddb63ca533b21aef73bfb8db3666785fad461b7479688d8f5530018dd8a52849a8c256f4aa86460574c702b9bdc1ec1e6bc246913b8f2686f697b0809b9f55fa9b8521d69b246cee705ebf7964c8e9200b6600b488033fc88a834b00efbe385326395df0f530f34d1d88c6a9c605a67ed64da81b4021874bd8e66f96953cd8bec7b1eaa4543f158bb4e1027895cb8e8c8ea9cfddde92de0f79387543b2021739b1156b828ce23ac3ae6aeb250692b9f25733207aadcbc0aea4f46ac4dc8cfe8d53b5839e9544002bff2a791ddff2b3bc7efdfae13842732a8bfb7d971526f6ca2998f9287fe03397e01321b3a13a128bb61689534b06550085290c7f9202b07b3583ce0461e9bb3716362bcff7f28ced83aa57311c7dd7368f0e285a9b7ef805ae8d43406d70e753ecdb7f9ec942a0370f69468583615ca7cf746b497642b8bd3545d5218880f6a439e4b57318a6f9b11f04def62c91d7d39082209687d93bad79f4cd874f5b9f9615ad75bf02ae6689f4142683212bf4abdf2662259dc3007002b791bbb17caef153e14f0999f33ef3e9288401626e2d4acc4040f735e88214454a59bfd412b090d6c3e9ffb1e0512cf033c60fbd04ccff556e8735ee57bf3e78870bf8382d85f51a9afaaa8d23eb7ef95cd64d2c14e4df21d675379e8b62373d11b60e4c3cbfeeef453048bffc69e13dde6bccdf3a598e0c4954b3c91f842e8d48da9ab294b49bf1e7c085c6eab52d9529c2dd4244f731997ba0858480a17d125e3e735d4dd1fa420db3889e57a6f00b5d88d669d837fe46978e99c8fd3c0daa663aee7442868a7be6530
f72fd2da551611641530967d5e3f44fe15fb437d6675ba911a947804a92495d57fc0038e9f4956846f0ddeaf5c7173a4d642bf70f4c4a09d00a67306873e2e01fe789e16c334949cc4bd802a5890361eba8efedda780afe2026ce5d9da88bb9a5c01f098d7a45fee1c213db3b1421c4d8bdea3477654e24bc40b152e9871b174e3a94d6968b21a24c1abf795edb89308fe666e1b22fe4002b8c419f98c1244e0a032d18f0e10def94a12b4b38266489e34ad7361af7a860f8ae19fe08f8f76e5b458212dc62aec387667342598f5bac9c12c57808e218c85822436ff75b12998078373d1f7a0c4076b5d0785df6c0a5c8af9422cf89058607b69c701712684a30d4db89f32334ba86f5ca420cb38765e612237962292066772b0f407d0c0ec346d4eca1bb80bf8cc68f807d0f59baa4f9d5f505e67737d5d6b7d730d6d146b604900563067893d08c31660fffdcde2c57619f4717b1086bd14c417c3c893e777a92a2a00cde56012bb1fda1ee20c922417efccc828247cd4e3d62aaf1e889e0c7862474288c8bd145e7345c3110e941b5113b05d84d1cdc54c8c8b1cc3f2b93ca822559cbdbb4e5629ab98b6cd9021c84f385415d3b3acdc4a751bb22fc0f643bc39c03264dbeb81dfc7b1953767f2c5db305c18a636ea6fcb5eb685cf38a0539bffd437265b966f46c062291cdd14a380bda6e7b31301b8db274be67a2260865c5187660aef5d16642102a7c61671b13505909173cfdcf6c1aaa6633f4730d2cd0c8500e8cebfea8bb2241daf9ad9447c67569b31abf33e914617bbf1d0c4342507be61144ff0d3eafeed6776d60e07f02cc120e6db38245ceb8f08ae630ed9e548e459878c84abedab3176030d820d72eca7808688868aa72324834377e201f42b6e5c017eb8ebe2c2758720823d645f37d33c072955cdcad179dcf14f008283ff3a7382296e9272ccb6d3ad0a1163cb970ffd1d5dad50b31f75733f792a7dca4fd13bca3391c90d7828cd044c0e72225f7146875717af9ce4e65a06f8ecd67f1899b4cab06bac1bc2e4944e62419ec9fa1b0735666e4f2360b9fe3b51cdc4d6523cb4f8820c5bcb8feade4cc2c09533cfb326e090eed808040182373cfc2619662356cc5ff8535df5d03f68fa01020f149d13327554320ec2b199cec922d0d7f0495e3bf5a35e9ba8cbe717fc2d5f2d7724b7016cb07c3db1f06e9dfb890b45a8cc036422739771011c4a4124b1600c2cdf16fb9df3f76ce1b31236ef41ef4c3d085f9c8f44ef82bf042a1eedb77f515489c5cf7ecc245965dfd29b9bf27664a5684ac5343228e42bc1779ad40476ac8860a59418d683568a907f678471ba9df5a7ddd28d7058609d3e577fc1ad425d8707f9503718859f28273755924876d469a1fa1f447b76
12d2b80768ab044dfa3f662e969885a82896dfb88707aee9c11f96c8c273cc87facc17778e5d1a1d0d2a781068a56e56c0d7421aaf33167cdef4022802cc12ceafc99948fa2a02c766758ed98da6cfb3a2148b9f78095dad01e35bb36ed8d49af270ebce76d37ca39e7ee7fc614dbe7e85d78f4619888289b0a4dd2f965e8314ad4069b6750fbcce00e64a3fc33119453227645b8182078e6c813db7e5ab787fb990ff52ad1033ce56a2c849fb8fbde6259a6af5fae321ec771fb59e15c052b71336cd46b8a993e2a335c64f25fd588f1463247fea99bdf9cf90e1f83218c4c43e97f0938cf991e4a735763e565918177b951071df51c3a17dbbe319681912fb4814bf47c9830697aeb7a5a923750236479cafa956692d983d24b2e848052af874df7a8cb2987b7a80c10cb4266fc47fa7603f56f0b8cae45cde5632540a7e6bdee9a44656adb538dc504a898f2a6bafb396239031e70081eff03a5999f942db7696a8da01c99817a71cea8129cd27f7fbbc6f171034a84305cb33e08e7d9979fe70b5dc18da2db64973dbcdb085368b18aed290f36135d634343d068fcb94774b0266cd45928406930994702d39dd87326b2ace2bdfe10bbe9ff1044faeee498ef18182f228424f53abd6b70ac64c907913956b4241a4d98b6f392a61a984d98020bd7594ac09ca269eb7dd86261021b5f1aa3772cee8de11bf8512cdab489ad67fbf2f6f86c124f5f781b288344d7c6117e75ad3bc097b4d17026aed559de65219044a8d5aefda109dca57011e888183055ee2112453096028aeef3196b8350ce5c7af28ae0b187b64c7b6796c801d93f620f9e8af2499a27e5a59ddfa907e826bad8c3b46250ac1561ec0e21fa17b72565f3fe1b0a369273de5bd04e65512b41333ed743a51a57d8debac85ecc46a41408b551f2f46fcba4babde89d353e654a1f7cccb06389c4bb30dcabd5f7f468bd6a1eed6933f85e9eebd0348f1c4dff82e39a1a198837f8aa69c6251fe1d64211e379b1b84a1f2f430db7d158ddae9d0d2da1a7aff1fb5cfd59f0c6b8afec6f0e48c4ef7ac2a764b54469d78fea5d9b2b5445747b69d4f70e9f980928b816e354175ba1291733844ab959772eafb60a32e6eaff4779eacb11356385845e4a2598688eee44b54af6b0285fc7fc5e2b7297398ebdba3190a3ee656f54849be33da2d679700ec4f78d45e7e3fdf9c67d822434dea8cef46d34148277dced030e80b3214f3e568de522f744e66c61d08165aecd311d86d3b343a33e20c1cd965fc72f37a34a63f1eae73d3b03fa704589353f586e202c458234cf4d52af8e583077c784229b3db98189c760c97b3f02af5ed34b0b3a87ebad6a2d47fe6c060f9c08c573549e649eb894ace871adfeb681bd4e6ea5065393afb
66cffe8c025c18f398a373dd8ba0c543f9fcec2ec7fff239d967b1c1d17ba2bd7fefc473c75685e844ed73703738c25bef71ee392f70d5105fb6c477e254d0c6e42b62906dcf7b74744899a0f199512a0bea3dc7d1ed1f64d316fc1d8aee157b3e22d00c129fe798a8d3bb1baac4812ab9c3f914a080e484b3894cc72dc2113570660106741d08c8f0199e2196866a83fa53b304d36cc682f11f7c925ed532feffe9db4f855eae8b1ba9cee4463b669b5cd91323a2d51e72e24aa292d2a1579a034b9a39ac3711ec9974ff6f91375e0a91975ea3259964156329f47d6fe8d6596ebb46feb7557bad5c3c7492745bd7e214888174cd1573bde3b044b98437ff6917366b1d07a445b95c604c098fbc25f53712ae786f56326d9580704ee3b44d1106f7b7997e37367e108b46886511019cac3ce31d759c267e067e8f2518bab84cf27bd430274ce4f62e9741effc8447d4f7bf98881e48b94c575e6304a0015f10ff9ae6a942d0a410595f55e3b9a55460cf84b0590ab869aa4dfd2b02d248040214a3549b9031ef29c639335f68910a65e105fd83e16f7dbbf76eb9829935231ba7409c1b4ac81f20097a0e60eda384adf185e64b056805c80eb485aa975f35a571b3de5b7d6108e89049d1a37f121a3be8818b69c6141f342fd75f7c5ed80aaf42b9152d8356716f47781de9e63e4af5ddad120d1bbf7bc68a2f4e5cffaf80021606949e4e2311f6a15df4eae8a2d6733cd77612115047a9aed3524edde7df72ea1c3d976df25dbed5e7ba341a7bcce987039f7b99a93d13b2c14eeef72ff7b4611c13b37e6f6ca2d54bc8756ef444030b7996b42b8f58c9ed18f7b719378fbe94f64baad4273c51efcb2beeb57545490debc9bea9450a8d781b21376f6c62c440940887af80a0ae87c17d624b9493e37402dc741c65524ed09aa115b43967ee8153966b435ce3f204811fab2bea5f2ef5e5186df86a2ce2370597894ef31ec2c0c19208daed00be9bc9c0306f1889ef797ac87eec61e5cc61ed110f6590578a91f987ff86deed1f4dce08f5f2b96c0502f5cdf88a59d9628ec41a7ccf192d3aefa8ec975bba4a877059138488664adcdb393a47735ca5f43153e0c79c403ce9bec7012259333cd11e9e42e3863be2711a48bf5330c207c0d8da651a1ce0c53b94ddf246d1054689502763b34acf020c4ce280e0c8f22d406319f54cad6e6d5b3976969e687138a52a292277634f2cb6c1337ebaf11684d1e2601a0f92f2864c40c57547e5efc32b08cea3964860f90f0133a17e13c60ea71d16e6861cf3e1865f584303b0f16b80e6128aada9fc0e6fae29dba4a3fc993b406795bfac7afb5ec9ec8e6b4eac7a86418ce9513ea353ee47811aacc144975eabc6dc9278631a9e92ce0668b0db8bbb
f5a54c79906ff638809f7d696ef49ae47e0740922b15c503559f0118b0a979e2ec8d25081043c72ec0c5f3e20f6182594bf5f3aae3be1bcc90b994a7a88c35363e12f76fe9a67c256b4a30d73668676cb87e1aa1cb90eb253a2f6642b9a2315f48f6b44b5857e692d8a6db0e064cdbd0b8ae746352cad11812e180df03eae8de9e5804edff73d19a22af88a7fea01ae7888c77f06f42c216d30edadcad5ec56ab99c94248b6fdc1d5fe0411ee122f375ec47bd9ab630255a2b14e71fed7068d3e2d58c558a5106fd0ff61c6e9309bb5899ddc993d529baa355e9c4bfdbd04e88f67c564b34f1c4093a83ab27a05929f29162b448bda177a4725008ca3d61e31f10192918371c568e917f3212de031a5c5696caf0b2f85e778c26fac0c642e69f759da27c8c7a44cae86e0d0972ed8ba0e87416740b3f0687f052dededf00101e230c3662c36dad8537592871199e48a7235f125cf031311e1ee339b7a62387b52ac1640d5b2795ee2af827f09c8314b013536373548592d64bc54e36c850c44c39dc230cc99da7bc514d29043bb9ef2a227f1f912e2c6d906123c1d1db2b813985db6ffe2c41b3dc5f82620b9eb51f9e351eb6a115409b70eb5227122437bc53ad500af869b84c624cbbf5a0020ac0cbfde82229b3e7bc3063969474efdbbee571cc553ce2f1e08be6c494c5c660a220e9107be93dbb4e04cebfcb8107737432b144f90cb9b6b078d813de2c803c09003606af461c18a2b5e6d472f3144984007ed13474ecc167fca167cb9ebd6f7e37070b4d5ef787d90eb776d94ba5fd63cd3dc1c555176f1d5e090aff9013665ecbe4ffaebed5ddfc40434dc1e94c954a3e5c6fc8a2ccf679c1ad8c5c98bc3107f5bc7b639f23203aeb8d3c00d89a0675f14d486b83b72bb453ac3fb74da84aba00322d7716cae55a3865e5f4d18070e02d3d19df09479a41c8da91fb084a429849a7907d2b9f0776fe0bb5d51bbdd0045894e96a1f090be36417c6603d5ef01864f221b36dc34ad05f43dd8b099afad95f23f2c611ad9581deefec4e8314fab34761f9bcb47fa508b38ab19142148bcb6bcd8d35074919d89de51fdebcb40ae9608a7edfbf3cdf00db9dbf33bbace91ffbd5c25c29a71305a2abf343160ccf922dee487519aea764bde66617977f0be874a35d468240bb81038252ae8994dff0053fe21a82f68f039fae01c52cf1f6857ee51e17d5cb2c6c8dbf8560afec66f1a0d527507bab2b7df5e8984d12eba2d07d836ee7e01967fb23599a3583b625a75e7553bc66b2cda3a4b67b0e864dc868dd1c78904a74686a91919e670e7fc918037c4f76df3a78b860bc0459a12bc207c30b1badd85324f5a1e623b661aec28027bc086ccea49bd22f39560d289e233c4231252e8cfb6af721
ac7cd1b6b37a14fbde4393e44e1b25e302b1ce29bea6344912d1f7e90633816845fccd3ff7242a008a743e5a47d48ab3e01c21f2e4606e96b08567496789315d87936f45c66db50de407fc101153536949306822e1bba513ea3375581b8f235b827b3bde08213cd1852f36744d9ec05fc35de3b5fd1912b14a38eed439a6f7dbb37c3e55690af6cb75945423ee6dd24362327874e960677072199c4d3d03181f6db4370a7269d9d778d0cddf67e266a29a22d5eb7129f2d5204ab8c3c5d01bbcbfa60b11fcac944ddccb27661860a8addf6377a3a3b9f7747334f233c5a44a55ed08ad05d233c7c43e6eaac0f89e0082ddf70c406814c3dd60178c23ea58ff7e6ee0a3a57358337e7fb83be96255a35d17914e6237a3a74215bd4ceb8e9fd3f0850dca086c46efdbd99ffd86f07d219d1e2b087b000b8ccef9e49337563b48a27a505970f30cd550b873e32a8447d8853b129d0a40afbcd900aa29a9a59332435587b38d2da503171da6f7f50d2442ae1d23cd4069c38d0a6eca268f9e162ca56f920aa7b0e6799d2029e82ba34a82959ae737db3e7906dc8dd1bdfb36e4107e36a54875348b9e45b8e7233ae4a1c0fe85755ba6166ade7d34bf631e9af8f5f90548ac7acb613f32c74addaf42d97fc9be84d30d18821b796be490f28274fe68233003641a956acc9bc3a09d5f43aa22fe3a2b98a8b2a15b23265ec438e3b15a1d137ac2761f7349311c8e4ee18dfda5f96d66e16ddc255fe70ff2a051ccf744fb7eafbe2b5fb713918c8c776436f09004deaef5da7409fae7876850bbf62f17c0d48ca74d902338c756a337d3286a72087788f7a42f4f1675d6f0ee957b7984f21cd95074559b8b2ca49e67b4cb7634f513a1722351ee15e9059ffe289e8c989ada53b47483d4077e9d146e5428da1cc19194ff182f7d2a2287635fa4e4a81a290a3cfe38f376eae489e1df5e9a5d59beaec83a30e9af78893e4f3eca07fd4379b15353c7534c639c7b33a0ad5b58b956e8fea983ee12896bb61f07564ab52345ecda4c181f4d810db0088f6054b8609aabb4fcd48205dce63810eda0775307d72544adf2828a2a3bf105b6a6af965b8ce30eebec78f49383e9e0542f0d3aad5bf48f639e022a021b1e661b10fa7ac6a86322537822c42a4883b0522bae9ced98b1e4812992384859925860eecc78fd0ecd14f4cc117d9350537a8d80c2a6c952ac2cfc4fd7adbedea1c0634438d88126307f01042ba7a13869802d0798cc0b42cf2c1db9132dc7b5e69c807b5a2baab3a35563cff152cdec01c47aa9accb546d2b0287fbed70359e15b1f7a78d79d32cb6047d9de5dc87850e23976280dda2e1622be5df43f0bd2f71234c631cb60a6736f1cd27545dab2db2fad1b6ca00b85b6180bf8ffd8b32
a353d1c251e8d0401a7dc818b51efbdb52cbbb4f7370d2ff05d320e97862c7ceb40972f58f6175e88d22db6b18d0ffbee99f0f90bfaca89b94296dda5d2babcbee5189332d9ec6f9223f0197e5a98b85e6bc00e8801f52ae06bbc73cf8d2ff6ffdf9211f95d5c18b27c44a9d33dafd6b6ea8568154a0168610898f9b143f5aaebfdea26c0b7e789036c99d9ac8652794bed15212203b8dc3ffc5fe9a50cb3f493dc4e0e463f828d0d9f1b50681c30e155f1e3748769a61ec7f305aa303f32a1a149f399793041ed3cbe612b6a73b03f61c9ef4477311026bfff61678d33970f92c2375e862e8c5d2c682d45f47cd59d9c2bf7f5bdaefa550d4cafb6650fb5bdc3842215efa90e6d259e05098df0d27adca16a386b6f9f2f94a477bf10c3bf9d06544ab19d9d0da819dde1d61d317db510cf3483d0d7cb4ff99e076a2be55348c2a1d3fbcfc0855ff8492d2e1b87fa50771fd68ef7dd2c20ce5fc7b19b7333a8945ef4b614d487ffd49bba89bbf0eafd5980ee6d196f8dda8b07c723d1fce05295c646f0d20eb0ba3792f657c0408d2ee889022c169461bd494b62d2b9ce26742a324ec630cab022637122976bd24e587ccee270c82f0e5c182ce82eea8ba0b67b7a78f2604ff9770b9943516b471867a6d9f1cca6a49dd717ff8d2528e54f9d297dcf248805b9228ac6f072a947aeab962ac407d712ee40891f2a09d6265950fc05f4ffab6068a59043a3ebb67a3b947ee0cbccafbc5e543fd6c685c864f32c5b37c1e4b0420dd1fbf4ec519e6e8b38ede98dc0daab773bbf3c9c3eca5d3d50ad2204fab49c3772c369bad9df71c00624f24eef6770cc0a151154252ef33a2585b53cfcac85e22dc8aae052038a31e9d55013ebee2204775d07aa5210e86cd63ef1b0466431cd16adb9bd78b0e1f8ceeb86c052ea9c986afdcd6f9c297afd4b14011c34060203f4e13965e12d518785dfea41d7c726f4918d20e5f1249bc84e380fe0dbce2548c1d85cd6bc6c996257a101e28d3d62b75b7fa492f49561f1046590ffb2838e2da043b1d83aac7b5e9b8a3f9ef22740e1f91fe9b0957e5d3b4187e4380a47599ffce0a56f92260708ae42df7a7c69517f2f9995edd32ae81bddde727945fdf1a99b13a00131f978a354f54b7c3816c168ccd15d5c7985357e1dfa254713ef6608a4a4ed8190baa0fad97ba418c2a9aff145bf721f1fe9952e848a46073e9876ddf1a91b1be116016e17c6f0eda76c4bb577d24069f116c327383e1f01b189fbca1d553eddc8848e9d7ca67274811e2f80c6b4b523e95e0429bb6fbf818f1270fc90b32afc8b2324cb746bea8f14123323d253a8eb005561fa1be4d4a155ab4e26c92d48aaa0e10f9822cf267cfa4b5bffd4c89f80a7b84cebf71de8f1b49ced1cefe
d76fc5235228fd98d68bd1646e54c77eca6839209d3f088cdd806cfbcd863456b41801b68cdb5b8106955013a56b5b829c8d3591ec6bd8328bad2dacb62c98ac8dde7591b4350c2b7cf3e20e99ac8c19aa1c52a164815cdd1c56f053dd0e4f293c1cf06c133e11448bf2c1f26dda792c3cef658b714f1f7de70a3c42211558289625ed699242aac645613b7faf7cb1cc76fa0e346092dca4f88d59ee9791db16bbe92085fa1fb1521cbe0db5c00378a5af17ca725c1de4a9fab6d291d55a2432f6f8f035a1e0a4eadbeaee9ffdf7b11a2074f2b7f5e495029a7e63c9af460ec7c34fbef8b874ad06bf7c08f78b0c683d0d89bba894de6d6147f6de02b1872ad8d86183189b11ad67dde3adc51355819bc5d1225cd326ea3daaa9cc4184ad92db15188b1e39058cf730eafcdf6b169f1655032a5b7311beec7f145232683178e15ff8440f2801e5e840a48103d82be492e5bd17dba0c47b653b781c1af173a0c7273db72a674e3a00d70b897451fc903dc43574e64fc7569f881ca7379c6da873732611d5fbfc234d758ec0c16a141ef17763689beb502081ede9b11a9a492debdc9a09a5cea5e2316cbc0eb5f5246ee0fc838173eddbff63a68dfcf4265a5db77db823748209a5aefb86d17d90f9b61b64f8e789888a29595b5fc475fddd1242dbde9662cee751041174e5387506b332de62511b2b3bf89ef6ca8498b42ce1cc1aea01f4827ca8c4989008b10acdf2662b06f7635b26c8a95ff6d4d4c4dc60b44b9e8364a98a7d98e6abfaff73c1c2dd69c52dd12deac3ca415645b1c1c7b963a0ff113b44f54ea1444eb907f2657df2e95a73d8cdd783c4676bfe5fe5a71abbf2aae079f49e6d51e10cdc8a7fb8e26b2f605e54596fdb178133f746fa96435455d5fbf1b19b585d34e8205c92e7e03500b8b80e41c42eaeea933b76fdf2c0accffd051cc0f77b9d85cfe84ab71662c7f83f3b6e272b82fe886d0febb4345d9afdfcff94a1ff107b6678805ade9f768aa6e33394b391779ca937c90282e9124c41425289cc23507eba96df73e2af99993cea1306f59b8c59816b538cca401d7f2bfee84b3aec9e054d048054ac2cd280d3e55c5e027716938b7b31ee1b2f00f95f1b3ca9540011a4844e86d2cc75f681394e4679493e9d18075a659a458299961d18cde645dae173364a4dc0be39f4b6fd5ca7b619b26686a812417a9f1d3e46646c730eea7b4f61a8152101a56732e09d2507b3a0eedc180bbd4e61280283f783aa8e9759d6670bf28e13526d89aca86780216f137077d761972a988e1bd9303d44b7e00027bc7f537ba703a2d285b659e7c8a5d14c5ca705a1eae9ce67dd99f5bf5992bc612c5a0a01d161d8547211c072d33f6bf88ea8980da01cb87712e9a0c8b93f80e6deed
1b6a092326a1da99bfa9de4dd9fcb53e586ba169cd008b7623468fd1bcd7ccf915902158a139311a02ad62c6272a50349349f8a6aef9d44038f759ee57b816122a5ce8c2d7c14a65f24694c5338d596d0458c484afeeb8c25fdfa10560aa42ae8cfc82eaa108b567f86e33e9123e69d84dcad2f1fd9ff60f90ff413a22b2870f16b0d35c388183595d5bdfce35b314af588ce9e5ee061b8e8f1089b14e1e77b2b3f6acb232fadffdccb18bac721d90a852384fe51a16fd4da788bb76645211cc162a9f1d0dfc1eb29aa11d85b783ec23db41db8caacd9e88614a51cd444eae3db3e22c5a92b0d30cfa5403a2f28778bd9df158cc082bb8c7e7bc6484dab455c390b85a4304a8bc23a268c6faf3bf85c98056d0f715e74eaa86c4b6af45458a3b0e40b658702fd883a55eb4b6fd3fd65556157bd58d0ec42f06f23214c537a5b6bd1394c74615748b337c8c1d7fdf44bf49e35f7bbbea1d8ba854c060f883fc03f3d3dcb7244977f5ac62e696a0ecf3c419e0794d3abe77d156e0b97ed5a043b6dcde1f7f2ec010d9e4fd5d53a13956027a489eee7b497ad2649a0523de4767a8fdef6fb66bd49744ccd599d2efeb267f0d2990f234cc80fd069a97d1875390d6e2aff8fe2f1eddeaaa4f3ed528cae8c9ee67953e3a3c32732f0db007f106f584390c5370e3edbe2bad78fdf2ac2056a9faf243546d26b856b788eb5d7969837b3ba153c655b4c41048192b77f5528bc75abb50d85eddd8e9686a48d722b03ed945276a83d9abada8825f6a97eba1fc9fdcf92a74b05db9ce32fee161182999d06727875439ff109491da219e0d53e03dc46d205d4e690f2543fcac1cf45ebc60194306761d8683dd2586929a5dadc2547f953d99b7bfcf9b4c2c44937e7de619643b392a866bc88a8eb9b6d0a925e4d6f0d574be68f31059d14edbb50bb75b705f531b66bfc5af6d29095f38a127b46c01b2640f952496e7246ddafa8d3289b36b800431fafa24795b4a73ba1ff13bde91b5a1f69e151e6ee9eb795197bfc9ff7ab1b3ddbfbd959fcefedbe5bb15b64e1122f231870f7c3d4c372a4c1123d30aa097b4764f4d14851833355d7b1a01e5a37b867ddd53026ba9038f8fda171ea1f1f9d85ed47d90739a85e0006b0ed40a2b10b4154178240ee2e42cbed699efa0720943cd35836ab42246a1e3f890d727d1cff39f7fe2c70851065f0c52631770f62ea024f60a8ca18e0ae7afcc8a184cb6fa4a2c6d6c311a91ec25e7efd7e8d09525fdbdb9904364ea00d331c354d33c2ee010c6294a9acf7cc0ce7c184eec91fa95accad3dd7e43d66d5c5b8440769563bedec750cd4157b1e96a57bcad3ba84fde6998591d2a435a0af48be7810693a3e4dd4ef072db8b5a14b9496a53b818bcb124c0b6beff03
6c373f1a9afdb2344819903f173a800a29d412aa3d22bea42d70e95e061e543902e60a1a2747a2e0344189f942c03a2b1fb004bcb11bf0e495ac79b58cab4dacaad7d8b84ab2e0fd199728029b16e0bf714a8dd10750931d167e819802ffa3c177e0e6d8df2d43daa2c55db0e3edea123d0da42b4d8c0c12c92586594444030f217c8e545eee3a723c57070f02def3f50bc6d21a6ffb635d74117e23d80b14c36a0c741189dc77b5c9cfaaae1b736e8663db61fb5b6d354a53b6344ac549ef3ca9ae5edbdff88ca10f1ae2fb33d2f2b230827a50aa40a09fe87a34ec4dd49a76de5483b7f58ef1ab4d8d78214818a8667f9e9e72f9cd9a6adeed0f63aac8fd5a3510e5627f5f3ab8ee216f9dc3c718c04237ec3ac1f67e119753704ff4c6a7b913890cc3d1e18ec06691808e72ad057896ede0974cb10b0e70388384f377499575836a24bdecfa92aa379307caab1a27882439707814b25bbedd64d7b030a6bfbe5d3048e6cd9ea43008a018a77f3ce008a22d07fcb237e462674bacfe0862f255625b2f455f61bf9e5fa363ac46afac12a0fc687b6d802c6c04a5db7ca3428e7afbd73d1934058e6e2836cf9bfc19f7b796bb5aab698cf9cf1d9cd031862780cd05cf6a9c3285070a5745b43d8c52303308aab14ef77982dfbf4fd8f5b08480cd283246eab28d678a22a692588eef2c63044c739fde5f96d13b4b21b19b8d926752d061c7dd09c94aefa338be45987a2b038d0db15be1254e9afc337b321aef2dae93708b388bd1c0661ad11d461e69927dd0c9710d89de9ed029d99b9ce06f739b69d8184354aef35d8783f7cef2a3aa3edcd4786605a743def859c6c9ae766eb73ed46e2a58fa655f0c8c12404ad083d0f76d6ba561cc152956b636fba83fc612bc544f9f926c35fc508e7d382372b26a2f0c3b3633f76c0805201ef9e35a83fb69371b5c6aa9b3840740e26d62c3d908ccde8dac511bfcffc039bf3fcd91e89e6f9a77ef342fbf2cce80ce2ba8648e61210ce698455e3c90a099f8409b73acc15cf99f7969a5d9d6ce52a7f9b590579f3292324e1ff18908467ead6d425938e715c640179429668be956a52011e16dd94e2bcefd176d7f8f3a68729d72322889ef6cf64e0cf040318620167df45b71a80f3db12bc8645c055268a5b7ccfcbe2635d64862b8c75c070171f234035ffe120e6395a2be238c02b1324cf52937b49f915c23a31ef3c8b36cbc20df99f0be4af200cadc4be04de5af0152b9f95e5980a4c94efa65d86d95a7d9533c643f2db6a9f9054aae02a4b9715405b6cda9062c8edcf925c8ee3eff1fdfdb29117b8ecd6bd15bcdb82977286bc771991d11110941b3ac2c5091249d1867a8ec1fd63415966c4cbfd3a686fac9cc89212dfdc6d980665c5857d3
add0045cd0a7fcae14a929c8672f95c5aa8fb24af5fa88208c2ecc5bc647cc8e29bfd7e27ab76509efe431c13fdd015336f36c1adccca0def73d33ea6e540421b4c54377f4c4ddb53ac33b2e547fc0dcaf801a8be09afeb183a3eee9f04e935296f297aae794d42ff0fa99d5a4a80989f29738c30d7fd66ab2de83d6409f7c09133f3b6f77e56f443b419d42a814d86d8ec4f6e7fe3bbeb7af41cb7d4956be1c5668c6bc5761139bcc3a4a15d6d8c904a8877f336643abe7da978ec24c59e991502c4d7912f86a77d7d2f10742fecd1cbd3758d69989af8032bd91ca0ba4c82d7883a47e07bc6990e21876bd590df875ba7b434f53512be5e8e069e5fbef1c09a2e78946f4bc93d067f5e5bbac905fb3ebb3001346c40270998de04524d1c94959b1c0a4a858be5139590d5a082763b98de9f9871238494d985f8eb9a063fcb08005742a4675312f40183a2a72a3a230c2655f4bc880388a7697ccca97be15aab36de2c275963b4650c636112800401c6aed61351839fe1d0716c0e9ed48c16015dbfdede31f614443f10a52d357fcfb884da7adfcea1787de1aae9380b505189f14e50d55f297306fae7f7ca911cb0a11b8c17c64146dd1b1f20092788f90151bba09717769a3aa09e8fb2474fa8d7594115e8a6e4c201f07692f14ba61e295c029e379a6337a6ddb24ce5ca6479516131784f727f10ac32186e1b5a7cee6560b5244a68bc79049ac92e97f20a9f1c0c3243b8efdc25599fce6d2dee1658e8eb2fb82db4c683f814df56f3c02dcfb4061b579423db569cf6a7b1ca97658b8884696419273320e7d533ebbcb69841a73bb49c1fd4b64730808c08e9672ca774010c6b23fe3b52e5d23a06023ea3d83c03a75a8d8bd0dc6c7752d120c68e48e69dc32cfebfc7d33de0138d7f0b6eeac085381f6daba83fe587177db68a6d789b1b0cbc59c72caaf525b0948f3034181a4a8a9a0c5a854b41ad44e987fbb3c7451fca963b90148445edc4bc7b53a821992bc547d06f14dd456788dbf4bb3e0f390a4df70d67fdd906b60a4abd72982df615ab711e1b564fb29af96a217b35453fb7ed9c3ec684b9cd6fd6bacb88e60c39eed8a95baea27af6ad12b5525d91a3b41ed009d5e87683a2d7cedfe25ddae724bb60bd22c54ebe8724edfcf6ad0cafa63c4163370fea7565bd7e12875b77ece62f399e594e3af27f75dbd14b7ba859dbd6b4480c6b9ef34dafdee8c2b36d28e52f320e9f8f3f635b7eb03e584f5b376dd81fb1a41316b6ef01072772a33ccae1c43c5c9e22435badc3d8ff28864a39f2c0dc7ac3d5feba33e70aba25e0c49084c1710078e1cbb5525fa17c3e0b128fc45028b6c266bd3ab04e11a6fb07ffb58ef4f6dee7bf2ff554b759d35b50e0be22f7eaa325026528218
5772e08293b0dc8bee4c8d7db097556e860f482c8c3e9b6e864fb477d45c955ac82f034b397e6e75a4404637f0c61d4ed90dfe15382e85ef48e6fc1d248dc1b943dc4fca20568fdf634b9b0baaa7874186ac02a887b0344275a985785fdf59b3a71d3c75b275d10d8b591d6b72096a77e2b996d0349dc4d9c54830616c73e8c48a472c4551ac4660e196d38e890f7931c1d0cd6d90c551315e85fc3661338773bd4a4ff861f0f3e892fb4d58069b3ad97b2d1bfd72ec44e4a295684d1422b30e1ae95b5c1c7f275a75dfc4f7a1c2e3bc0f0f42252883992912c95ffb334b1878c65a4bbe1e34f926babb642924229b1021f326c8a50e5525121f49dae936dd56844d9dec93aa1435a16574ecd414bb039032db875a2d729d47a3d8f0386fe9b067cf025b7e1dd3341827055ccc88677999609ece87add06b2f07f957703524e99aa0c3389741b14233b5eded5af8e44a47031803ab23f734aed4121ad93b12e7f632733c2b57219ef9879b4aed4af9094a4924efda16615fe74f3585a70ed067d38f722541082ca2546b032a991beec9efdf6d055f9cfe33717ee55af6b33cf61fbff69b1c1301173d20a2511249b5c6438cb510b36c54c7fec67c3bff5cf712baa3a2c36c415f488e883a4bec4c2a10cb3fa105d1aa3c829ef6967ee6d6add1aa9b3a88f7a6e69c4a0cc253f17902f37cbbef417195127b21d4fc95848312bb82992d5a95431aa8eaebf16e10a4030ad676d5f29032c611fd5da2d4c887433bbf3280d7d0626989ad5f31f5bb8d85e3d83bafc3747a52e5cf844d6130679d5893f9211eb9d09d1fc90d83fc56c5809a86c055c14489712ffc6606144fed013bbd2795bbc477afd5712c41d2a23ea998f73e5f0f6ac6c5a7debdff6f978295c1385d946e5e388c05903d77264bb45db975d1a4aa53d6e76599507827b86ac522a63f999d5bef7c517f1c8a80027e04c39222588e5b405576b0c2a902207c0d5cd38ff267969479d0111c21fe4559c4d9cc5173d761211b2490cef996cfd500a457f774f2a2180b1e2962851f8e50086fb27808cb4e58d835124633238778ecb04dcca45142657da5766f2cf330cf5c8de8ae869036da37cd3e43291590c3a22df431d2e271c78d3bf1c2554497ac43523af157b96b799b8c52fd5a7530c4065c4e23f9be087d911d9123ad6193db87bf4bbac1c62d1ef5af2f12e86d23342c14e814bce96b58bf22957152ea290ae0916e88beffd93704f7895a2c8a329bef11680989dd1d3e0aedced41acbf80efc3f21c71c2c1c2e93ab1d9984f76b70ade85a391a4bfc05192b2b773dd3209ca50c35be3344b143142b25912763cb1555faf6155e83e57cdf5f0e4c0d865d297547a6087fcc7df7e4512f4691c90d25b1a8693e76b4ef8dd37f
8f93e982a2beaef083c4fcd49f904b7c9d1ecd8bd2cb56282fa90314ee4f601565c497557d4d3f304cf2dd67bd973d7c6bf2ab1c4027d207218b71f2e19622c655689f1551bad47d5d9537a48cbe5a2c3288413c2b458deded658a4f604205d58915514bee43c783082d656b431af8b2e29db931f4a6871a587905571937c7e08b2080f901364f029bbe175d1c317abc8048461b717c36afd3ff608f6242c0b256cb5fe817b87fc75d07cd0e477023ca620c454b339557802842e5d60ca94e6cb89185ebccfc1b34b8a00a5ec56d350581318b8dc021d85223cb6a07bc512885577763c99274ae4d295514b94aab14ae0d0dbb9508e2eaada54a66de04fa0d848ea67ced8d6adf278a0de8ca8bd6f36ccff7cba1ed67e145201d5258b40bf1ca99279ecff9d78ee85a88276e5533c620e80ed6c7c17a9a12b03f5a740c37774e889de0e0761501ae589562d3240cbac3855eff6eea626f2c64d297e9cc97dc739ec7a7cf9c33b54055e630c8a84887281bcc48e8b4caf4054fac8ea7d0c0b06f220f80f9f141346fb8df194c314104f623b44621bcb35443346ea09914a96d6c7ed59cedc7c4ce71912bb8dbf8fdcf13bfa13080ac1e04bdeb46c5c57be88db4fe1f7dd916bb44a34afa1902f502587d7f910eb91fe910f359759975a7748fda76d42bb488b0c346ead2bb433ec158b1ef83f1a65581861656a32221f74598e38217c9b39405221c74b16682fc98a52b1e139de85e3b4329609449d4dfa4f21ee40dcaec4e827416f3636203abc837275bb08b69e55fd274fda90c1cdb3482c47ce59523e136b2302b300bc86bf088a6952a56fe1627cd6aecdf5a5260f78c4a677ed1a21d8952e2e161a7378a181479825c437a8ae26bd4e9690b1f18086decfcb311b625f40b31082d143c4f0e4d2c61cd2bd111d35855fb2ad1fae254175a6ec2c997ec8120b1e87c132d477ec5aff4b011b82355a2bbe72b7b191e0ed3583900fd1ed473a11ceb50b218e064ab7042b751628fadc59d1c5041224abce2e3ae008a0fef5efbacb160c2b5a712310012ccff9d20bf50a7465b621d860f73af8d3f6c195ec548d31e13a179a21b0ffaffd762fd48fb955a6f5a97632c4af55dbca3ff6ad479600bd96ae31f3204aa83407f8b8b1e16e497e26d6b1e64d45d8e9ecf7a2dde939cfbca025246b7ffe29fc2388aae16dbe4577a920e00c27975174d0207e458e55f4778c5a9e62954645c322310cf09fece830043ba6b437be2ad91212c3d5219dab65d10c76052ee3945fbc37ae320b016cb7052911063c65cc5ba42bd91f62371a0fb6dfdf5f79d179cb96e21b40a4bbd95847055efc523e264679c8fbdfbd89608a227e413619536ef2481e9b1e9c888e0c96a0882e9a0d3cd8fd3a152b3b41d8e
7c25ac72734fb31697e42246c33392201b5209e75f148ebfe5bfaac751ff30e1c2ff276b1b55232350bdc0183763833429e3e92d522fd00e1a6db089b89d9ed044886d9c6574b874eebb5d0f53f57cb97172d09a93c1ef21676c24143be15dcf7a9da0a9dfcd864d029065dfaf64a9f3aefc34598c40d374a79bfc1ea338f85918e1150aa97794932aeafa662fac1ecfdbc2aa798b1b73485a0d1f5f518e05c1f6625756237a934e5e1c8b018d349ed85f592d9294e5a2a62b90f76c29e2e031fb7c2b0d00fc6ce1f01140c3c9b38e5e8055b05eed83d78f1b8b004f3d5d3eaef72bb7e007d99d74b0bb171aa057bd8f61bd370c2bcf8223a236380fa5e509811ddd96479126cd358aabb4b3260c1a18a94e108ed69aaa11e9518c0ed7e3e57aac3e8f515624b473700777ce1d04bb181d4e184579eead6c344ddc948bd8806e84dc0cc9920d9022b56bd040278e3aab3085baa8495858567578cb3c6e4f923e2a342877acc4d201ee570954c39c88942aecbb26a9536d037c6ea9c494f837b8075075d6749c4bc34c0a99351a488367a3b04431459ec541372a55dedf8fa7f82aced1ec8e35aec3c7e5982d764625e82f5180cc2a80f9320dd83a69952a3058dab1afe582877574eea63f0e480e4a6ac3f97cfd767603b9f3f80599a928fb07242a3bd9b351d019a22c5a1a3e0be03ee2a196fb5bea872ea5ecf879347b0e0a90291d99ea55058df72d2968bfcca089e3aeee0a1dedfc8788384daad697ad0576a744182bfe2753800b15864a858979faf21e447548892c100fb563a6b30d6d3ff16179eaa0cdd1ee1e0fc66d14c949c88d6ee66a75cb200656be83f4450ca6c0dd082df80c6ee04a97bf9e70007fbd80342b879c2b84c7b1891e6b53f47e5b935247c67bdc86cdc14c86e138282c61abf08dc80644aa56210c8441d2a928c7e0114cb9b60e13b40c9439a9c45c49296b0b5965ae7d67062ffbf9d41ed4159085d00b6089b0ce0bc273a7e9ce3f2ddf551f1b3c3665fc2d10dac4e2474057634bd8f416750b093ea4ee6e2545c7e8d6c9cea3c6f526aa3a26c18bbb9843cdd6a13a07ba65ff28e54b30ee85adc3436d63bdcbb27f9d0b311eee89435baffeabf61eabeef68adfeca8c90c075e64f63d6b2706219bf37d32ee804a42e3893470a5a2e2262e02cd49d7371a65bb54326f1a770d8d497cc47018262db5bb76a5d7176ed4f00d37ab55cbbb09d4800e5db5f4e15bdeb8922e4841c6a69782658b1bfc1f8571ac40aef4cf29573b600f1c8ba9bb97b1a52938bb1badd102c9b886b13da8ca1fc5a6775fb2014cbbd00d44595d9ab996020e64993cd7d0a7e9668a736d9383063a807f455d3940cd60a778308d40f6b4b3f6c44a6a7c384ce205f7253fcaf58fc8722948
27aa0fdf2acaa80b13901a39b54a5c4068fabd3db4edb01395abab31fc93ea622fbefef1f1be3bfd3821f6324b5f2136bd859a73bfde1c2e1f03a35e39e511e9d75dfcd141961ac295731c12650a34c3d4ae62a520597c1a6796f0c9837c1d1f6f489a885ec3c817223c9e4e00b5316326cfa04ed0c96ec2982800f7e24efacb9d318eed725bf09985f568e2edf9cf339e0955e07c3d13c46d390977dceff5ae53574cf11d0bdf761e0a63faba357cbef4848cfdee7d6c4c8d0b25726272fb16d91b644e2782f24f3e9c8f248590c67da670854100eca4152665c8a19270feaf30fc7640a859141aa7891b1f31bf4820de7b9494c1eef30b82d51772813ab49586e15d60651e679325bd92fbd462d85a44bbfbe2784392881c5049c047d8fe58d492948189fe172b1eff1159af539a1a5e29930dc6075ec1cd33828fe3095af3aa657f58b2ddbd714d2a3fd9b4361222b4ac303421a8f956ab8999812d6e48e9b232d3a87d192035d90b5df5e02da633e0eaf432dc1c9a695129e6f43d399a7c9415455e022426c28063da8084fd7019ba2674da9d70f7f6a821e46f6dcdd6680c9a10b455626a7eeb736aa57b4a22d42eadaa207a517c8528f030920d778f43e61eea485220dc76c39a987eef36f3134cf6c11fb4cd6a19be039c8c6c30f69228b045054f5e92a8f682448143b0c94065d783f8b62365002a3cfac75fd0b4074a35b704a3de7aacb72a86ccabb9f5d03357f41728fbcf954befdd68a24bc29a5b9177cbefcc9ce022d5f64bdeac623b30a53a8de8047174be91f54bda1ea8f753aee703a53e47dc02c3f84676b743c56fd2b2516ea9f2fd4c32ba085bdd7e39ccc47b6b0ec9a41ce6b5c35ecb79bea1d47f7088963d2cc5e1744d5a89da8fc5f2dfecf5e10809d28b575c32536e6057f22e98f53c2e5245c633c2147596e75777b707c670a8339d69c4444979a291bb167f4f410dc17cc215ec3cee119869821cc925f8e432689eb1b73e31473eeab613966dbb11b0f3749ec4828abde9f28044dbe4437ba556e01f16f68a763b7484ab8ea0b14263130fe1f00a1171396f1ca7a2c8a0f495a9731a9e37b50cdc9fa88bd723a572002b07a7ec9cf93fa6d0deeb97962baa2b4b0e31cb14630968c9690ad0d278a893d1c345eb7788ccdd4b9337a6f5d2d70c1f28fdd9a1270b124f7772e843b8e2a849caa11a3689813b4ccab6cd43276fc64d28aadf3e8e7b3437c2f5c8a6f3ae9151c07d30860b27c9d2934478f10a86bd583bb4f2ddecbe23f4edff95ddb2fd4fc9d7061dd74f4bbe620acd61874bd2e9af9f70061d764a87c9abf3b7eb296f7a0edf17034571b7c28c43edfa27bc5a3e0745dd73e22d0bc7dc4a7d110bf2158e9bc9c8a8bb7b6ad1ab7ecb68f47fef387383
e8794507783e03bca6c9b671b4739c0f11f38664485ca3712ebc32f613ace20e734ca5755b940d9dba51d342f2611ac2734b20353c8c1075c7661f85c65e86fe92405b8c2032ba1dd5bca75af90434f911de577093fffae2195fe621c74b3cd8558a7cbb49861da17abb9fbc064c1c4955f8910107bf2989bd29fce7976d4500f537d6e233770b8022bae47c133f5b89088847d0ca3dde83547d8496c04b718496637c54b79a0503487f06e91f082216cdba4ea80b572b488cd69982e1352bdc9b0e544e068f73d1dd7fc2e5f5c5d6ebc22a0e6953c8b196607f12e9e31386e584ea5210eb666460b36e82bdf986f3f8ca1ade7bf79b9dcf1a6a06fd0a2f51271124db1ee9cb39adad646e20ae318e49b7aa8dbaae5f857b63ae802719e80105d3663cf006da07c9e06e0d40c7907f07fab03ab70dc5262a56e04ac7756b0fcc89b18c67642732341c25212136b9d325b324cb197612b30ee9b9f022f04ff454000858ddac08749670ba112884ea4b2ed85fabede4b892c554336c9451bfcf36d78dbd9ddd9767b550d0cf7ef7c264fced822116991445e717c8d69e975e3d9d541ceb413983a6d96426e62d2a921ec7600dfc3931f32d3cba4e51dde53e212fe07ee159ca4ade9e30d09f7c2b3b0fccf6d187d589535a3aaf209732ac42fe81cb00a889ad8b9bb75f1772c18b44d3f4261af589eabdf9b8e9b469096b41b2b8eb98078c9ffc798d64f81d043cd3f66744e86416cd4bc5f71f24a0311a4dd0fe4fc510d832680b89334ec7ff9118b7281928d7e4b2932de5b4082a677eded64c7bdcdd467eda1fa33b62e260461124d865452cf7491f960dad10a51069ba3dbb9f083c434789cf69c8902bb4969c5f0647967ca12a5f899352b3b024c576f8ce6b7dc50781f2465d1737765f056c72428207c2fa19fe1d3f2b706685cd7eb1073d491e414953322ba3cf13cf92dc474f6bab9d8f313475b0394a48bd78677a6451ecc945bf4fa497e859fa682a01778728717fe908e3d48bc82db826d9703bf504ddb3cb5c84d38ce5839caa6207dbf71a12d172c77c1ee024d3be331d0cc96a67927fad13efc14227e0ad78119d6880733a4002e3cb350653fe7b0e4958b0817599367aa6411da366d21aa606f139a3285e3e74a0f40e6bf85638bb03280e4c027b39b35b2703e15436c613ee72c7a0674a48d4d20ca92a0d425ffc8fa74835fd405406b282bd33620b314351e7f3e5562cc2daa2dcf5231858c7359c97a2226c8486738b22197a015ff487b5448ef37ea634d2cca81cad4d61fefbca05390bf40e7f27115c3229644c919d4fa094642bf85294640c521bd5a3e2141f97205757c4894997b5daf67a4a62dda7b38652c3fdcabdfe520508db54ee4c17f9385f14e61f5d70709935
6c979cafe94e6d298735f45cdfa27beb45cc223408afa53003f5541b066e5573171b00d8d53bc4396853dba190411c8b8089ce92b632bd48ff54840a5dc25965d6e37aa6395925a752fd7ebfce007bccc40e14c6f8f58304a3d0e7dbf03cbb5d836b17c3ffe71c2456f7f5147154dffda5cd403165913bb3486ed6e8c15b8a1e221a468cd0761e8d2e615721528879dc68124c5b9122e643ba77050542ae563871e048585e53bfbb4b34694916a917cd822bb773569b80fad04beca3bcdc4b58003fc2451ceeddae5110f5c836b759df3a096d0b577d5c337c584baa1e33661abbf15888a07e9d77edc465a39911492daa3a7f3854a081f1c099055ca034bf2c3051a3e3b89a3bba56d7d0394b8dafc4a5d32d6a2e9a459a72a5874da011ce1fba698bc5004fef10eb9174955f8c2e8ebd6fd879304fa0261631999ae144e904d58af1f8942dc9e5ca7f4d9cfe325e21839f1a5416754e3a8516c8cb44918d614060a876dec4ec9d178553af480f2ce021419e34c0c94183c6d69518f4429707ee433551cece21aeed9871baa3f661ee0c9d188fe58107842664dbfd62703be0be82b8434ccac61ea1e8eba609411a4e8eba9b5b706cafc22684f7c4702a8a6c04584f95f62e4be8452920ceb06606589a502c41ec5524daeeb527b84af3eabbea7b4cbef34b62a2503f32ee7713668e637336e51042a109fc7447f0c5a29b5a8daeb2347cd393f097f57bc1f4cce1fc8e2f4d7df8e1962fc8d60ef1857db7040147606d0ab30e6192c549eb49f22d93b3ac7dab5c309746d564db0c4b2a7298d9204d703cc6926423e0ef97fcf64dc459b3c709e1cc8cdecbd9ccbe0d9767bab9204ef39273aed5607963a86db08cd32d7294a1167404f0827b905a0d9d72440b221a637094f2b9d7a278356a10ce2791bcd5fb948c0711036192df7d0d5c48d1874351d90b385a81952499fdee3d0feec349b148cfdf69ef89b4ebe2b49eadb9a67e9b329c8106ca2ba96919501820294489a53721d194571c01e21a3a742862d0dcfcc80ad2533c35d68a40b4c052ce26c6ddd1e99f1d195534858ccd4bd86ebbdb9548d00dec3e65cd5e99dd701d86452208d00dde644c74a928ae4014e22c40646a5cd68ff740ce9e45a8df5cf11d7e42b7ea56f67ac9de7f581eb01ce9951c251e19e9a8750b4b08742d94582cc348589220beb8630d293d8fccac127e160da78f942d86e3b6ac03084bbd5c0d8dd69a6d9dd81e118ae7b703ba2bd0373cb93794f10584e0920700efe62c2c3fa3d3ab5ab310bb08eb714d597a531593a283a56a195e61d190410e9101cb3eefd7ebdb59c72735bd614a50693b8b5f8d60974a2886355ce6ef33290cfb0fa4cfef47db3f54742057dd6f449dabb06806736e96587368d0cf
2cc8d6b5d88c2880c58b60c28dcf8ef8b8183348fa7c958ed5867a13a897f830f6050b4dc6971bda930a175bf1e8922471362a3d8924497465c5db18371bf6138d7d43599eb498bf42589250bf81a17eac6876d939939b377c5a2d36034d0946b9fccce67b753e705ccc014560bae394f9433bce16b8eed5cb857cd575b4bf406878fb325cbe98a0ad637b90613a4d4fb9c59d9885f2c16d44fe43a5209c49b0e6c4d300f5d7cf93d3aa5483c5884c6a457d035c1a68c4f55ff153d8115584def9cb093a5fc8176f57699d9736a63d3dbb5cff0c286985e81026ef6ddd660ca636c4e2ce29b85e7cf0053850ac8b35ef628f9d26aa7d43aff1f9bb4bd4573df7fa4594aebe69d7f9b3495a2ad47a79d430cf9853c334c4fa0808dd39cdb61a009decb23137377c84422f37b2d37801d7cabae0ee026534d57111a549f872ef6c401a9f438da15462b8ff7b124a18b04d3f9f5f5d9412dd0b902f455a5b91e4eda472e2c79e09e6595e3327ff1fa25a22abfe7249b3b75d9d3c28514a156ea721fab6a1d5ab86c6651aed8e4ce344290bc50191a9827190c4e111cdd866f1218e0e580b4677e2f3dedb97b62dfc1707038f562ce1b112b154a008c87e7d7e0d57a54de120e06285984db8837486d9b88208375ad5e672362d6cfee921b4bd99f3d9ce654ac9746713ceba947d45fb77879dedd89cfa09ef8b36279a3966216bc7e6737f8352d6acf7839d547e6c8f60197937af1ef1c40d7a8d68b37389465c1a253f509a1ef224ace5d352a45103638b4aee55edbc86b4ed1b8c57bde8305ef11ae3b7dbfda735141d5c5109ce18cabccb84b84af3f5a7c7d15f47ee7b2ad7dd16165537e9cca3a286f0e1c329ea9aacf5e7cbed343388cbdfc846c09717d35037a73c48e0df81e0a743845332b783185824e43b09e4fb3c3af605c568d967a679086b305e1b20e31d83627d5a186fcdf6853134da031a6038f8ddc96b056db1005c4c9866ef831e20a14e29395102f6aae11bf7e9df48511dba8e0939362a20faf369a7848f12e390d89f5a6c020d43b97756fb4d9ae1bc02025fb5099fac5e5c60eece74b99dc3259abb6fb1a28bb134f9cf89ec17cc0ce8d76575c3e16e59e48271fee7193354e41affea19b6840767244b7903a4ea44d3c541301a6db9aa403dbc7f961b03b4e253ecf4392e1fc170b81a62594157271dd89825510c10c502603366b4dbef6b112b7a2c68f50f189cbe6a187caec6abab643abf8943eb2889a818f314b0b7dafb178b2a4898efae1b18953ebe25a503024c9d7cc61213d332f76871dc6e57b42ba6185fde1926a745c8660f433b16c10262ddce1f4ef61440e94ccf4ec05c68a350f7fd6bc53809af8296005fc48ccf4681eb6387d0830dad5cb6b78ea04463
3e9c07714d5231ff329cacec19254403f55eb1064b9d900babb4bdcede3169bd43c8205bdc10a33bb48952afd1361e3dcbee0928ddcefa310f262abffc71a009b57c5bec4f8c7376813f5858712d46a053dd4cb4a7b3ba6dc5cc6f14fd6ab8a8ff6842972b91f5478818caa679859639ec8c8d4315a4e60634e03b7d38f638dab4724704a4b1158a0ca18f353ab2567cc3c4af0372b50f2457fd58791aa15bac8f0e089bb2fccf3616df85d579d99dd36742c5636aa79a0a81d2f482d5e349c25f53466b8590deef67eb326c67843629037394937ab5f63cbd9b005fcbe6ddadc1e42607a8a9ebebfc0cc67102d78c3c30fa219f054f256fb0ebcb86dfd1b53412cad52e1b1af8db229187c0ac79ec7f694451705aa508baf79dccfb074a08518757dc1b1ebb6b9690dcf987c1e89192b611819b5139c1a387f111b99f64443eef1a174289e0b5a5121b1e049f34c2bdc44375852269ad6e79fad6ecd78400d788f337a8c6a4f763d51cc7acafdf26cabb4f2d4c26d7f041a876e74f600758cbc497fc3ef5a1562af0047a278504f321b219e81af6130b0a0c7ea0664e6e173a87c3bec8c9f6bc7648a3765c2e04e62f71d03e12f97c971f63c34f2be07d8e702744370e818a690ab2ac354dc43d0a57aae77897679665d14f9b51e74856ef47548d9ffd8879ce92fb17b37d0e82927901fc93bf4b83c26584150fdb31caa28753bc146a37f4ed3088461a79ac84d4b770b0379b303efe3bd29b03642ef42e182571943f99715c4e836dad10262e0b1ac46525eb5a04cfac7fddac48482e5144f3be1eed50994371262df1617e1c339ab0da7daf130cee62f1d8d29cb4d3a80159dbb4c2d76468dffb16e6f0121b97f63639f9833656b0a31882eb95de199c7a82eb9af95cca03a4cb0b16c8757e4524b9ddc0ca0defe255411ab47699351ea8ae0e06279769899c3964c71183850e7b17c488567c74547242b7b863c6d6add597b46769a4eeb41f383e79c8b186b77afca4875cb377809dfafe197e440d07cec9f1fc2d588d206282cec08ca99ec3b31bf38102a297ae26804390ce1e5a3f21771a9856ac0ac9d94519fa79b4cf9e09ca292f8f01c1ff6f038cd8f05ce647240ac71bcd3c1f1e561705077ae8551d218bba050ee59fbe09d983bd690703cbccfefa6cce9535f0cbb9365eaf1fd46a823f254d143c85f9045cf1a4d1432350465585f888ba1be810f479a97f1691530145bb5c0f77d01f607dc801ee3a2a7d1f5e1245183e91ed4170121abd7e7fac429c1476fc332e7d9ba5ecb4a63cc9bd343ec1104abab38504706f1f53bb5bf2e2fc2393389144d7f3871051aea5846c976e4f7d4f0b73d8299f0a545842eda16924b5008e31a5306c961f7dd9d00a428c02f8e37d0e199270
a27515ae73472eb9d8b20ce24053873cd123250efac0c95b86cabc4b096f0df6c9f69fbec30489b0f1b53d81c3331a2dac9435eaf7334fb55e0127b1097adcb21b38da9d2d674de21b836e836391f05de168fc4fc1d79c61af1bb79d88b422a9219d00bbfb997cddc992a9a85257ab84e0b9118069c25bbe4e539f850919b6815a776b515627eac1069d2138c7a847cabbf7edc86334a98882d9eaf580c42ea2ce1ad8381c35353184740d9f2d0e4e6d2f1c5a62ebdfb4aff0ab01d78586afa3b9975e32c270547e0eac603357a92686ed42fbc437535d4cbea0e67a9d0a24d30a6e0063ca3d7a92c167c2b3a5bc16f0bc7a903261df582444cfbe6d584549fb67ace7e358252f0c69d3c2e16ce07ee39b66ebaee381efdcc7eee9a45bc9ffb0a1a834a894093be1200f2128cf5de140ae726a569570ea1175592ed2708752425c165cf761bebe4c59e55deb288a18c7a034b71e9a352617d417a0b7008404732cb1f5a5de959ab865301e6a3526dab2ecc25b2f162abaf3e851e945a31c30e09edb32c65ff7dc25d76dd2a146f888ba0e2367c8479d5be598125a6d57e60e6ecfc362c61d8066254297e8c0854ecdf8268b83ef3be802342be14292d51dca07937dcb6a374651e3c54dbf3e5d8e8b0c956e78916612c6aa0407352a5f4fca1af086c212659a6493081ab05e5abc6a929b1c5c3a9e375cc8b5067ff145830d9702c7381ea21e21e448cbbbf19bc5d0efe82c5324bd15596ddd7a2e7da4f1e4ef42baba96fad664ebf06b178ae923cd76d0f346ea3cf090aa209d4e2cac9787804af2daad3436ea0ed675e75087a0e3e861d9e03cf1b43ac1354d525bf4cb0abb4cb5e32a55c8ff0ed9e109e10a97c0d5a651c0e066a7e11173218b17c9331d94a98c812e23afebbcb915e3bc88cd49dd74d4b63a099fbd2a270f1edc1c23ba93f2d8b0952f958f7768f6a5be0f4843ffd7cc0334adb9f21540fa356174b7f7ff9537477f78b8b5cbc6d59994fa7092aac0b50e253c9304904754c2b848141fe57400bfcec940e3cd4735300cd2970a8612de4f35571f12e77cf3004112795f38bd7344686fd378e14cb2a59d0f93f02ca35d3a13ee66be128f5aa341883b699a87365f15950183681a4dbd7626cb78c2324e7ee1fa5823239cd6d5b4851e06c7e4d1670117b7935211f340e3e8b398440aeb253c8c9c6b3ece94e33fa5c1ac5b9559bd485220b09494f82ecf4c63be96122864c6ac4595c6edb38555bafa58627ddb0a64f9a2890110a44a4a75ba83cc1713d316af0dc15105d7f85433db0fa5f3c1cc27f8b7dc170f84fa476624eb5ad8a9f74aca45bd638f19adb63203cb60a1cd61e1ca386267455f546a985f6ae4b1e0566daa33acae1db01b4cb13b513186038b5e2d08b8ec
0e1a0619b0c0de1e08ebc9076c25367bef919287e2d105da4985a45cb5bd34557f55b3958fe07185b4315280406207a4c28f557abac99b93aa6ec7615a405a83603e8900c013380ef8ffd7c5285bbb976f5f680cc5e0d67948f450e47c5efb3b3e4d252060efa0a1e4310bf5487480586881f49676e64a9b1b3309d75aae70a3fa8a967f0576b18477e87e6a5dbb9e8e1eb365c3c12152f140cccf6fad11218622053e7e8978712955c4b537558a5ca9ae6ed0f6d20d3adebee1c1174d990c97c6fd387ff527c3717fd3fecddc2379015461e0ef1270d03810bbd44d03c9548744990ab84df2e961b272bdd889bb59e588d0772dadb5e41461331e7a0d85e065c4016ca40a0b18c6163c3d84edea32efeb2cf6123d6b64d0f6b980f89ceb9caf62854fa1d026c0dd965cba5216b7d2755fa4c7384d77d006bd0bb0db39063dde7a6c244feb5d745c48a893f3f46ee091e832f6d114dff8bc0fb8be91060c28f2ccaf6c3aa3d066e9579829a7f39f36682e4e8e47a9c0186e1528a97bc8c155cd0b1e2ef43a6712fdf84546e84e18c1000e9dcc1eaa7f0138bad6fe137be123a8cbcc399c8f49f3854fcfbec9b7d034be5cf7b9b39c804065fabcc5dceef8ec6e9cff42b9aa7a4135c9e42e4da3b8c7db3cba3cde41917368cb3d2c50ee9cc81e0983312d52c116e260758270929980323ad9eeb5b29655674cbcd7a77b12cc6a89d31afcd831720b283449cd87cee6f63dcc55908f19a10c97e264264cc9f14264d5646c3728b63d8aee045b4e4a4f2bc9103b81b5ab97729b083e849a891f27d4a41f6f97a85c81f703695b1ee5a45b8e95a8d58b4c8efa5fc3f6c10cbd4aeebbee4ca7a1e2fdf197d8b01ab64c8808846f374f1ba9aab06f0be4ef6537f4b5cde1d41e281b45dc9f77b8e9ddd066285c5088d9bdd5fabd6ccfa6a138989c214e87ae9c21e28e0a3892ac267f3778930833d90f7d65c33c8990b43b18a30b730b82282a933d22249706a21e516f4144e08195c9aff5056c68c3cb78fc246cb255c3293254f325fb4149977a1c8d1ae6c17f47024ea5c267bf2fd52f91c42fa2477958683e33cfbb2c01f42d21c7cc7ac96ac9fcfa030030ecf95b97569466adf3663c4ab8428b10e096a03059c5db55b445c486dd0750c6e95f3b081492d193b4c3d879849f1d59e558d0c84fe46e97f85bd1bd158bbcbdb5058d66e10f4b785ceb39a2e0940295369d58e4ab3f9d360ba1f08a1306b3e4ab28d14d0652ebfa8dd4011775dc77410d296e0b9747ad446a851a1185f82202d84052e1f01baed09470a0742722224365f0c3ab00293a84643568b36c2a9e9db2f723b232982a3532647e8cdfe45f2ac4b348a7ca5f1b29b199c9c1eabb9b475d30727adfb73c5c631f75c030c2e30d
a1afbc0991bd246b5011e1c3b1663bd0d24f6d135b3025e6b30b0bd64c323b02376de98cffc6727ca9f12ce4f88e99ca67f1eed3260e26596a1c1464674b38da151b470f501e6f936820448dec3bbb564e0ce79ecd21d3d4d8f5732747e3f9c14c7bdfcda194d50c6da3898b1fe9f65a06bcf04bdb0c5ef86b0358a9ee8786e4f20ed30535c8057934a28bb8bc81909a779ac3a5ae9c82021b700e37b2c9443ed2af742f97458ea50ac965c6b31d5f12494bbdf884a66f81f879e4b1c9e28a191631ab71c7a4672d663d563bb0b62c82176cb1c0685b07e662b0dd0aa66a1c36666311e9feba90be9479b38a268a94ce26b992bdefcf04d90b85a7e1ed30883acf162a504b35ef88bcfbf933962b804fcd5850e4a23dee62f2febe03a63f6074637e75dc4ac3c33e2a8c0a794c0f7ec4a2eb99023ffb398dfec22bc0221ab320c11a004042775316eb0fd5c4697ca7a19de0943323bcd0c566816299810236fc9fe576f41be808a5442ff7b1cd1a4ba8f1119b6191c1371c75c61bb7bedf95226c0aea22139777285324f052acfec873de5da629a99c75f8ef70ed33fb47a2712127cb2d6b79e23657dff6eb4f13903d9e0db788b268d94368d332ea55c067346b2a13fdecf34e57ddca370a3d86a03f2e93a88c71031cb418afe036cfc35b532f60416d0005811398633af0015a5ec75f47a0183cdaa52e92a5813966adcba1e784c539f58d136f6e25a73dda0f33507b11f82a7bea1673f96d702065c87ee6408103610ddcb252a85bb22a2e34cd136b9720a8747508f5929908da6d9b2a3377fb9363514b24fb17c884067bcd6200614394eff78ec3c62660c006874c7a595149fa25f0582830e7484523ffbcd3094c0d08d22441debba0400633f4081c7306eaae9b38044dd11da2ab0436589a0d244aee003049f0e1347799679de5c8ed8f155cf648093fde2933fec97fb69df07e18b6984f4f4ecb2bcaf74ecf38d4eca96ddb692d977546e6f26e52d45c2a7de16b75fefa3beba96b36741591b46ba24df1a8de44768c41569458acb8605dd2edf305f00982079c93a6aaedc955992166c367476dcb8fbfe7f86c4446b5b014fda58d49e0651f0be952d76110541849921683cfced3178cb15f9920d6825a865302516bbc15c32503855658844a6b33767d712f631523ad7f56233f55025950fd0aa9732266243070bfaa7136f3f821169ba3d015d71770b22fa46632079c47a1a23e9c53eecb1b3f955bfb5350214687b1d943a5e77ff937aac9424362ccbf6eafecde9661924ca33962cd2ef9796b27248b20779360ebe11a3bf2d4459756ce235880b318dea65f9bcd7fcba6a33de5f50cc27047e492eb138cc4591ae1c5fe34cf6d3a64b3eb0d02ba2d22698e8678cb8d899671544e
de6b8921145a2849fff42b427aca7f7bb243d853e46ae18efab9107179ebb86f7c8a81ea015983273f2e4c29a0470ef8832ae2c214adea2b3f01936a3d2eccfcd6105d04e7b09346ed3aa304c2db87202c918658f431d579f6946f51613d395b984e7567b2d301ca8b2685bdfa0833c643008f89dd20a440e5b244af0035d5925617ed84707a5473431eb61fca3c5b10de22400a2eb0eddcd8a5134c7916316366e1bf8a3020739cedb85a4dc8aeed1282407526dd7da644baf2034e29bb6caa05374fde9a9109eabebc0482bf4b59875cb120b34f5e9ee8a0b85948e8db59b5fea4bfcd3caebfff3aeec731045ef384e2e15770dc759df8a09cc007717845c18db806f075cc76a2d156dbbdd3876298b677c31716dd37b76f4cfa635bba9898afb11d480a825b6f97b1515fb0b8b6e42a63d95122d6462c951a9779b1158de5eae17db71e3f2bdb86a4f09da628d828234a35eec94352e1388618f78b5f1cddb4753e4ec94204c36cfc9468d378d9ccf2333c3ebd4c04788de26de37989c82bbebf44c64f9d45a1e662fc25141f41bee53d890de898b3e699d6de74e2e1b90c606753168c893730df2a00cf624c3b34f8cd4a43c4ab63ea0a6ed7cd52fc5c6c68a57fda3936cea35f547535a45debdd69bfa886d282b22086529c2a69c6bc0bb6f11762badba6309aef54ad27a3e6895b4a90131d6df547a114326d2874483b2fac339ae3a934fc989d7b666903b4e90af08535e9ff279dd76c874341347343a2e26aa76cae3405eab7ddad8c3a60f8347d30d8feadc041549473d197955b91f7b738327c04ac34516477c1de75009ae8951ea020acc5a497043e970f0a67a693ac7b4a48e19d52d553d893b1fadadf219cc922a9aac10f8c7d7e0e549bd84657842d3d9830733396da1c1e2a88724b469171697439c884a379dd3943d10c27df424260ce8bdf91113cdba1507a01e59de6c0474852032dd54e8b620c9ba7c3736e34fd16c665ef10902cd1c596b2af6ce83f5d0add77b4559403756b79e041f5573418f12706053f4c726666b4d79a3df6fb4613a8a87ee5ae2bddc369175d7b1ac4d033910ad2f00b61fb1c1586da8ba4d3011899edeffe9bdba511d5bdca105adf1fc6e3d9d659ebef369e9acbc004d395a9f5fb96d4be3400b688d5f05f9ce43a7d87bead0b202bd588209b2a3e835f3804a809fd5cd1216bf93a14469e42ff95846c974fa6fb62b2021e71a31e1e66b3821780a90cafdfc7345e5a937a803ee4d3a5051a68b0dddd3ec70b7002ba20d54003de6d185e2e43cd33b87e6d3cc4589fa890054f39a40783522c092f7205310bb4216d08273a2467006d57c66adc3599995d25702a79a75eeae658aa06af9cf2492b4ee3c18e73965b8dc2615ea1ae7efa407f5e
2751b91794bd28c57f7e652ca1a50d9fdc0dc165482fc13801910d77cf4ae987a8e67d8e19fe9e002ab55e997b977b0541c7c8c4e76871ef700b8f0c47e73d3d4473c17ff30da32779b8d1b1a289046038e606590d5aa672c11c3650859c3c31b412e1385a7f5f4b9a3cf757eb8cf64e2f6298fdfc68d659eab6fa1baddd0695ea5c97d50cfefd518ec8357f739435170382b6033691b54600890e20205b8683c47d7d436ebf42c7e7c117d38175467f0d24af74d412ad77b9f2535154a012be7cc5f01242345356f24b64793c6e34ac53683b169db9c29ccbed4f79fd4174426bffcde651db4c796333fedf446a5ca1fd98780bfab32cb02e23dd2532bc6ee5cddd9cae2ecdd90902d01b22b8b2d522d8049b0cf890d4f807b1ef23a871362edcb7bf11df5a056f2ed1d855d9d268bed624587a29c1c2116e6fa2756fd1869b956e999e5baa07ded7bf5899e9bf9b92c157e93ce9d34fa87ebdd1c2d8a88e33acbb4c7d0dd4f4e469bc6249f93e1b11efeff0a49171dcca566f0d3ae8e66fe659816db503833351febdc802b58bcd0531c5f1a9aacab91dac6dd7fc534d6a8ef2f2b9549e0261ba19a633041bc73044c7c52406195f0edfbc223eaf922e70769ad2bcd00ffe5130c6e1f70b5b520ce3efd8cf2a2688d2965697cfc1108c15301f157a598830d7e0f38f6f66fa965e141233242c30f555dca8480793e45ec30d7fcac73f077ab5e6e10363e1039fc4bd1401aad0669d2b15dd5b6fb3c2ce020ed6ef87ed28f1c056fd48bd934515896d69011ebf8f2710603b546b61b2ff4283287d833360826bc8c10b51eb90aec5481a1904f52c2e0b6680863e52ea691db2f48a7f7dfa12a8cf26d3da8377e6486a417e10849cdf1cf67577343184d2b5b4085d6e1a933f81f77fb50878d263eba1be1246552d8572b36d8dca0fe9e2c90178f335e4a75de232d67e1f7a7557bda375094bc6af447522d64ff6b89057f8e467a90d8e7578aaa91cb37a1a2c886c9fd933d0a938d6483bf7c10da4e861e7e73077bddc1923da616e8c073355559318b2d518b0fb4d76d86a01af9fb2812a12819f7692db73bd4d9dc02b89192acdc0322f3fab51b4e27fd94454c891165e41830423ed14b9f42d6131d4ac22076a5577020615a6fb9e8c444cb2bae4b957f55d36e7708acba083a42a33bfcc0fa1302ba0897df69d3289fc9e3094a7ff849325b6c723c305271e369ba8e705bf9be5b78f97681edf1ab07106077304be151512008fefdea23e3bc84ddd0e03fd919be860d797dc6550f067122a685a58ff810057b0a1ff35545a62b617b3cf85859a5962302fb7f6f660e0a840f823039b6a5ec186599b9428deef3899ffe6bb69e8d4584daef04243011819ee52f08c7eb62146e8e43c7c3836
f9cfc3b330a56719ad32215896d23176cf46886a80cfe4961b7c29b6b35d07907e9d05cb66e2c5e1e7b5959ff1ea53696fdc6fbda789a16892eeff4f99a2f5b951d04fb01a9dfa4e1a422e5a75e7504ab530f2e5283747897af16b9e468edc921ba3a3bd4132dd7a2881531865e0a858cbabce180e9f1d20faf2ef90e8bc74139d608f34246cac9894d0872db0fe2b0469a64f7ba507be62d54f7cc069df2617f93ea94c888e1b7e1630b00f16ff12699033bf800d4680ca196ba4381a383e11fbb90dbb071fa109aa054cdcc00a9be4d0a118f21cdd487a14c8e02a4260b62d44cb3bb8de6b6decd86f461328b89a9e56137a1ed2ac6f72464262e0de7239b2b61082c0b6ec2e2cd8679c0669bf3f95c4c3cfbda5f9b6d01ce316d8a6890507f4eec10dc24e73599f5732d8fb388fede07545a6135fd72d8ae5340b189c83602cd9e68c4614297a9c73983825d1eeed7a6f852811f2853ab5d82e477e4048ced6cc74583abb5ffa5e83a256dbcd574693cb43663e7b555f19af242e9c232e3618e724d732dc5f5f402a9e3145db2c5d57e229104a72be2f9cc8cd9be7a51b8c364e4271731f6d2574db5523bbf86b6a54abe98e05e08378a50db14adab782b693c3e38b9fae76ac7a92d99ac54cc22ab02c4da5ba9bb2d6c061290fe1f718d27079881ea1b8c2f009bc30fef95d1137334c3e3076e3708fed585f24c566e462ec23217e0c743847e32dda3f562f6290d4d078ed29b67d3e8489199b3bce09a25bdc779f332b9400424d02decface9f5b035d6e4015da8c21b15a0de7d24176f267a653c518d48ab85d884345d5b9dab8a1b3ce718b4da4ac17557d4a45e18d8ad4e12b5dd890c226ce720b529bfc708055f2705282f516b76884a65b3e36dd5e3a996aa49045d3d04af3f1608ff8c8e128894cc60d434e24e4f7a37e43b848e3d97a233be44b0d871cb13337347efd0bd39236aa8ba98d816d069aba2989a871e08693ac0d36aabf9f816172b73104e5261dbf21aaccf71af5a23c24749506f8b3f607212672447a7479ee9fe0cfb8278cff53d16601ba84f767c9ade2f650a65dc98c6ce825196c0ad677623d7d08496abb32ec48d4e41b38765e47784316e59e29b800cdac01733c165d995d7a2da4364de947c8ba5a8d92277453f75da3eb0ebfea55f6f4a81316138d98707c26d82909947d8b10f8eede8c962a6971e43bc0cdbf3d336e1a2b26d8bc193d3f3ddac7d0bc8bf8469191583bfd74e3ec7bbe6d65ce9439b78f0b2b961459e33c15e5b394faa0a1031e81248ba57a29c5fb967f904dad09a5ec165e6779009c3290eedb2cfb436337f76a090129183cc06c6ad31916e2608b4f75bc937456909ef3e42616ea7a61632744b2e26b23a49a9292577491ece6a0c1f
ac4d8b799d73a6b851a45faae4c096c11064e3868f198931c0bb31684c73958083a4aa38934989c9b65f6a9eb741faf69471e8323db69e64488a3742dd4b39b8e48d223b2149aee19aa788561bbfa180786cd147d0beaa1353cb83804d3f8baf651a2170a240ad0d7aff2c6598dfff27e990960e307b6aae80a41ea5bc1108e2acc8281f821937f32434fa05aa4065663bcbf8c78f9d865fba140c4ee44394ab6618528f74282477f1bdca5e46fc6d94166397de69a592e7c8c065913742cbb7c0967d07a33047d9c4a4e01d9faae52046bdbb2bee22abc65cf068ad3d3265ec6dc1553c514ad41c15c436b98d77642b8fa63eeb38d6efd2d7d90ba7ac034337238a342fa1c6d7bbb1ca43a9f3035c4a5f16757fb521f1d45ff3e81defa599088c33a866ce7efa466af415ea22e54bbc60ed404cd12dc0a7d21f8a3b6211edf4feba8913a54df4f0c6148c41ffacbce903085f797481a93a20fb199abd400758d81746df44cc4112e3490899e058e7cb25e1a4ff90175b12ea03b5eae7ea66bfc54106c9d600f0015a43d2d322fa52bc7a12acaf93c38781d5bfc4f6d07a57a937a1a59eaf2277c9c498a878ca89fc7dcded6d91f54e66e563f06319cd818daf054f3d2ed62c13257862084e5246d1b99089f9239eb18403e6a098c354815d978dd27f4f0fe1f0483358c92821a65b7b601d98936b1906bae272bd8a45067826e4e0ebdd1efa253b0c178315c7ddfb658fddd1d6cc01703fb4b6a5244451d4b220d6a67f42de30df871fb81e416f2c39a8aec52c22d5359777fc624be2d7eca7859832b956c05c130930b7304194863913156cb36d5e772a780f334abbfbbc59269e71fced1b39faee80a60e5b440117bdbb9dc5f8de0e01de14b1551d85e96b6fc02a383929e1016254a27d2ce2e10b21bd7344707465488b8186b01e6ca347499c4ddde942b522395e05d0a681fad00618e9765d5945db954818e5b846395187ef5e1fe2a25be1d48055fbe9bcb9673f9b4d6d9a40daa3d99707c45f6b298e71c8a98b4cc6b4a838e0a64303c9f799638699feec8641ba6c3f97ad6bc641c193c29d1ccb9f910878acc0f486a29a8e9a7ccf4582b1e1fe0b71b8ca688395cc0bfce5851713eb34d4a4d444cf29721b7fec0294a1fe949ddfffbcf550b75b89fafddb2676f6e14b6bbeb5ffc357037c5db4736b80369323ec14e8634394dba9c347451e8a351a28e4bbb9265e18460b7fac0e272edeff89eed69e85a3f45c9d4b56225c34e3146905f40ed44a69325a58a01cfb6609c1b320fc80048f1ad7dfb5aac1288275653b6d07d3765cdb45b64f9905c25f828ce61d42f8c310addac2e74ce83e429e6c29249de2094e90015f432ceeee273db535f59a7b4de6506c7ea84665236e9a4224
e7ac6a3abeb227a3911e683d5ec4588a680dd786bd6b632f3b092549215440064314b8523768341faf0154925b228504f8ebb69e760451afddc79ba57195d76a5003b01b013a4d264605108446ab17d1d57d6838c62cc10ffdef3b02769246c7e69917ee9bac22bba79391463f7db1c3be1948faf63b7df86d39818265a5719f4b7f2ab0413efa5b87952e112ffa74ceef99dffd8822da76e2162b51055fae76a996e4dff4c02df53c108245217a8a9c65683fe1bc2710b7e29b6963cbb21cdaf3d83cd1a91543faf5226e2e77099fdd4a90528f7209347c44c195f2dd897d6b66b341540721c5988e7502e10c40a04a4dd5e30f8f380b612f6d651818184f278a98079830d75b8e2c2b8ae5a7d3d2dda66e6c889761f9613fdefc418013e691e87dde8e18b83b6948248f8292672fe54e6bfa709870c9cbfefd114734b70459955ee7a04b2f7b814b1b3535e64c39a0f157d81f863ac8beeeef806d5afb4350b28bc07bf2bdb6249697ee1798b85ca3078e3683b4dd7dc68e44a05ce5d0763a608f0ddfad90ba08652c8f143447937d1104398343d6faf6586d2a45250b3f5973c3deaf26fa4e4a52e4bacd4f99ed7e76668c3597404a28f31746f94c12c5f65b1b57f338cf936e7c55f6e9aa5ee608efdc4b706674bf07423a30e8538122849903c6a0a7b814a41852f8b4c1dd136c31f548f54853bf10fea0d147d420b9b63e4cba3d68b18254114c68cb21e9cb60241aac96a308b70138fd441d5b0d1f3fe589e4b963ed18490a45914bd40cfa03d4e130ff3be37b12b63052c2210e90447330654900a9c00cf8edeb4884f9fd09f4009cddf0b7ae23d7a04ea3d02871215d5b8286d1adde59dd572cef31b375ab5e9a128de765ece13dbbd11f7be8ceafb7cfd07debf8ed1cc7e2d70b8f6ad57f16272d83e3ff3087d000c1f0aa1ba1e380c12f4abd810d40fb78f160e03ced14c6ebfca4dbe80a3c398df7216f8661d4179e4527e1ba0be1bc846d76670dd6740fa4165e3eb6b7f0980de86c9f2bfe31780a9c8cbf60d046ac604b60e2d850021e79014ec3722f06ca33a3fe047043bd0326d54db57658fb3170f602b25ecd1f1e7e3e6654897974ef8ab0248d3eb4bf4860ec45abe703ac33971bbb16eaea69d0480956c298596d1a90487ed5517850c726354820f18c0997c9116f12c148de2a663fe4810c1aff6a5e05f350c42187920b98dda54c35da5f6285e687b306278fb9e429f8db1f1e38c998acf318456e293d182b3612df2505bd4e63769bce1d0bb23078eeb5b4ec09d92a1bb293c47ace0dc768b35f807ba31546a84ce3bca34b58e0a575763ffc308bd64c5c339daf909767ff62820c90c427a58fe9bc2979525e1209f56f708a266ce14356ed3847031d73c3eee8cf1d
2d27122cb432a90f35b19dd053ba6738a3c6b5606c2221c3d5fd28283911cc71eb74f0e397f1feca139f6c6c8e0f9f5c12786a42157845183a76716725f7e7e5dae6645a736337a49b83e152ca6afe45d6748f7f4c496f736d96e8b10ee74c71c003550a4be8bdaa56101b7d9bd0027aaa6900e58fcc77772ad493a8a613603c3bc32927dd2c2455923e924bd66c5d7ec7937fe0f3a6f2eba16463480711142963da156cb9ed2c1a4f5a3c541eb1358565687f6f6206e0414d610b4122beb2adc9f521af15af9db87b6adbc8205183582bf1c916d0ce050a0ecdefc24353d00d435d6b07ffd1eeec39b3154f654f733a5c95371168b86be13932cc0df2d27c487d0d6860be3c5c5e7e209157b32f709f2def27bc38662629d054fc4b51510b62a1a53795ad5936e8afc2a1f410334df60fd2a66079f9c6065868b75e2699f15bd07ffec14ffbfc54cc40c4a01dede88fe3b34303867194afbf3810a0b3aaa1aab621d572479c5b8dfc7ed5bc233dee16b56401698a9fa5c0d12b5dd0e3f4db43eba06bc3445ceb95e5594af8221f884fb6ebf7a65691eb7cb67e844e32ea088105e35e96cbee00c323bacb35e0607e3ec9ac48eabe223de34074925d459abadd5e76c79220aae51aa78d558c5d3dbe2d0bcfe8727337372fc414388104662bd2baa1e840d9d6e594c3e2f7e89d626208d6ec0a5e203530081951de4b62347488f79af8bdbd26c5679379abbab3a7ce861197292af472a71a5c459944b7439b13b4649764aff5096182c10a71c1815d3bfe77e183c93af8d78007c204862cd4022da552901ca37328546a62acbda72427c8b1c345be78330f623004b388dcfb05a6f5e007362f70da614d08645b2ad355716b8231946950218b14971ecdffafc99bb657995b7959b9503d97ebe08340edbc45e2714b9975161c56b070e00a0553261b466b198e4686f097c14ea9212feef595529ad03b617e6a1c6bca1d3cd23e321eb694d37bdc83f36bf23e3d581555366f6c575ea8221fff4b25fb9fbd69e9f024e7c5aea79cc96e66501eed51d4f3763a92dbe7ccc296f9373afef9b18bd5d2ec48c44b5c5f7f5255a5fcfca7c9d9f176fa5ab4ad6812c8aebace697645887b33463eda823b1285380db9a63aabb7057d8b7832a50f083f72834dd5a19e9099598fd155a827228a95572754096720a754c6cb488884bc5b2078558f39ef9135312271720ad6b13ff397c7d2f97c28f4ceb2286d5c59512f6d8859c5668d74faa8f13f9adb520ff42d18a7521bf5bfac4216d193217fa222178bbe75d1ef215dab17326d47fe3166e0f6de5ed889e906791edcecae3df5bf113884e95adbd600cb07aa372bb95ded3fd88ef7fb5397a243783134794cadbf514ce633089bf1059222b0b43a4e07
694a33480b180d10d5e7db4e678a144337e2a482f8e5d2dad6c4c15ec9f89ff641c46d2b5f77e045722bd706e6893faff3f4a2eb87a7751850b9092b05a9b81f901e2b180c1793515863b5b97601b20f26bdb9021fc20d6668fdbe555f2839c2fb275b10b047ba757ca3b7a01695a0407468e0b96bc8825ebba00273f21de02825f6db3c0d5db001285e5c16f4292532f6c9484f1b6e1d208d9c33621d66bddc1229df59eb12a27bfcec3cca6a83a2d217b6219ec4262e13650ed233750649d41c94c449659a09a7e320e0c5baa04750717b948fbb59ee30eef68054fc5d78af32b77593afccb04d31930c9c13874d3462845ea68ea7b4ef4e09dcd3aa8e32acdb473d2d6973f64846f8137e5a29505a6e29bb2342107b333c2c52f4dcae0114eb09215db428d4d870396f918a2b66fa02ad8e7a6831b6225428c0aa82b31d330be622d0439d0cab77cd1067c327b9b76ab619cac5660183863039545102db106586cc9663f4c57390fbc9a61211bf330a362644c23c1d9d61c567f30c661502961a55ed5135a273c5a60ac7115a20b8c6e0c544a252d63b446e8d36a93f4baa6af482ee89b72522ae090466072c7efd4e9577a50b89b33bd58cbd926281a63d776eed85982b46c5782bca2abbf9c2a4f494ea5373453b3ed9059262d081518754094367893772e2ffa11eeda145aea80ccb114afa3d41baf632c29777759731618b2ba0b27467612154db70052a3054b46705b30f48a543e36e2a80b6485ac73b650819fbdc0981ac5af93f930a93c026139e1ab88ffed59377d396cd43794439db3c8675cbc95865dc59f523cf60cc9458dc55d8ef9e124daa7dc4a2113f22f19dfe24e2c286e76b517ea0ee654602f30a09c58c46df9c48625a939eb217f0f7675175bcb2718fb938dc5e7c3c0608f73905ed94c64e033cdec10070d979b0d6f1f8c15c45a42eaefa27f3485b3e72681406a2b0971d9e106c5e538e40ff6a2499b627ecb5ff2fef9d3cd42812c22a965828495e2a89f2657aafbc389c21e8abdfc0f7a13346538d352c968c05b45850ac585ed5a667f07f33033c546f11c0d1dc150c6d9cb94e9722fd3d1b1a57aef79319ffc6d087cc60039840865f0e5cf978a06b5d18f08864d433d5310d98cc32dff4b373ea1ce8783caff58d1bb9c687abb74de768dd3078a013f72e0a87ebc88871bb3e3aab075242a00473566c4c13c17645d9df37e50a6128c7edf26bad4cacc140355df5b313be464b4eef7a211c2467cdee511f4fc5b803e4bef5ac1aae85e1c9b772d4d5a879e35f11997f11ff1a09598aa171c5c05d3694382a80d466e0ccce376dd92a6ee85e7906137ba3f934aa6a97761abe99ea0270754d73f9a04aee8853fa4350f55780393a3d156844fc35897ef0ae4f
987041b1166954f8d96114734a777e8ac21a7bd5c5c7b02f5cd38ad2160ac9060973a91a58c36c60564981209620d88ecb44b56fcec157cf1dd518b22b0da5fff82a3e444a48f3f2f1e3cc23a08847c99e074704669294ecd576378deae6cd1c99871a513b3bc3b68198e6b18b2913c3733b378b6cb54bf966f429342f959bdc6c3db2a53eb3bb20a31974858e7f232b4324e1ef0048b9a71244c6cd2c3edfa20e1cfde955e2bf9044ba4f105ded26b2c7a95ec1283849e5f5eb1c578580cb3aa2026f072e7256136adb7fe23918b3cf703e11d8a5674d72726505bf90be55447bed894cde5c266ebe02fa26b167125320e47da1229d4e7b6101c0ab3ad58a0c99c1a60c7540460c914ad9da5fccf3eb1e6970b29a801a2bead23270c8eea61d84ea0db431043a183353864b693398d96267d7375b483d810a1c717dd68540c82bf828ed7290fbee27362e66ecb4f00b7a97e676e06c319fd2b2db6d56f6ebd50eba9dd30a1aeae5892dd51d2442e73c4facb36eb05d0c9592a6a5544e3467aaf6707852a5b464438c80f3e004b761fbe0047e39043d10b4995384c19e8f0797ff770a12fc9914fc7707083aa7392757debe027b051fb9374bfbf826892b2d9f52dba07cdbb024126e77a65a8230982d8d5216e26d9abe79d4e11149b160fdbe2098f60fdb11049a2f33a53b1d86716902c238d83c587d429315c0e887c0a6e81b24c93ca6deb7fd0142cb781e0fbb32767d20c7a5e4624526aaa4547bc192b43854fda8ed1b64810cb79079de920904f5e35313d7acb8334cedce1dc173e222c374d85c74df41edcbe894d57829e6461fbc21532a87f930ea6cbfad678af4987bcc58fcd035550b00e73615e4c581adef7a90639aba3a37c913ffeb17ed58e0bfe8b71c321ccd62ef13c73b7526c322ffabd04713fd83722895432efdaaa76a162e48b881f830029865773559e648959f368b60a58185ea62be84f3116445c0def90f4db6d8c64ac032bd734f9cfea0da8a670d3227a99b0687bbd5f01e1cf45b300745a628bb61835976afc8d49c40e31288065894c816eee600d179fd387f85f0bb9ebaebf8c1fcd2361ec5ae837e9169e5f164e0b4add81daa50f8e94a5d44e5845f49fc07dd10a68cdd6d2f8102f25a2da3103a9dd6e60267212833d684e28f20316ffe1b663647147f84e3d7130731160ae9b35aa2ef8c83cfbaf2268007c5c896a360948a8bb4370f6a6b6612f1fc8ef38cfa514fdd33580f048ad31697fd2ec177d4d27d8b4f6f591eb0c6cb48972012647f9dc77f6091adc0c5feef2b188942d81febaaa8470c2fd3edb621f1fc953924b38802c563c2ce2c35bb57503d09858b90671f0847dbb94608a0956d9267bfaab36e58f17586fbb7b747e51152ed1cc1966b26
2c0a77b08d521a0cf8d9790b82b6dd54b5082b152ec06c8bb7ed3574af7d813f2de720a80a9145173d886bb0ae641334cde508bf49f34dd65a31e6c1a188f323258e782c819106c7bf5bd7e1ea0865dcbe31f04e4e6aedb1abf869f8b424d4cd1a9b4d74b7999cd9572b575c89ed30ae8c072f9c403bcbe237d06dbce991b05bf5ab04a1df6634acfd289d6e8b05b5cb252008a2d0fd2fae67ffa56c0ef17b6e077dad36911d9fd909fb00f66e20182f6b496d30dd00d38a3020e394f1b66d69a0043609c7b70c0e9b4c7ba3dac140c60767e463bad88631ee5af9757e89be88e9fb89a783bde3aac1e0a0a44fc5c820330822f3969ef9508e24bea9dc68165d7cb8a10c227aea4780e19a010a451893cb6f29656b34bc202b4191faf3b2c965ba3c3d750b77560bc2335ddaf63557f3fdb2ea421c505224103cd6228964aed3677b68485c38942860b14f18e95b2409bae164684aae856207b6a17e1aa569f93634d1b922daabc0c423feb28d7c4bb3b32b6cb761f01912ca12ba023882af2d80b215f54ac3aa6d4c2dc1d2ad9e4f88799ffc0d8b19b379827177d75a82e2d661b20d75c2620011f89592b5a6acd861706e9ed56a779272583a3c60f479864e667fc8e214a413eacb563bdd584c594ce633d3f10bee3713d453e32f147f5bdc7a4e775ecf20eb883e6d4e866fcfd99bcc41fa8e3266d48b97f0a218892233536fa25141a46d5a41f7ae4713297a2f95ce0e6661d2116a05601a346210f5ffc0dad79efd531156be2cb07ab6be8bc58ed98cfa69bab6ceb638dbc8d97b6d44603bd96c204acce5cfb677fc80e5f7cd9058fe77100fa41da58b4dde00bf5481400422a1e1ba54ab8e4b80c22434e80a2f016149f0899f6663bdf9a89e201ebb69aad3c37748b71756ab35c358765bb77d1289716fe89899f49f22ef736b90b17516e1cc8d9e91e172d56a6361dfc06fa10852005be0b013bc0a528e56da8b69e30cbde3567f0750f99daf96c64e35280245861c092de0865bcb2913156f08a84ef7ead5a357408b244c61b26e34da3a80fc82e1485beecf5377d3d95d77eb3dd11979789b9bc24fde7698f7103891419eacdcd32e5287e79a72db4338c986d3df9a04182e18ee200551ebce1f3351bc0728cf3b59d5d95345092625e9406d14bf8a53348e279e518096d98018af438d87686ecd02bf442d73e46511c8e8fc553a58f9faa99ae9fbae97154ed855c7e85caf2d980d267684c6dfdd7bc5e6fe5db46b4ed64567df9b38a71bd49ec38802b91c8515efc7aadb278381685ccd253f2ef88ad1cd987cb10ab5de4bd8de8faa6c567b5a072c2403e92976e87e1749b995d5da1b23369c70d7e009151bd3163f1d1e69755546882a1b0c57b1cf48fd62a8c46b8b56ccc84dd2
799d0bb0a3be9121eef3f860cd1aba1da5c4491cf117a09c330a08b3aa5c00c7f91a898ffa405cae4fb84ee3033e44a808b309eb89ceefa81e65bef7d27672b2e0aea89b8522c3ba136df5241c4ff20469351ad28e8f2e3645a01e0a8ac15181b247ac95b91a08d0f184d166f4fc19f98148f2193ad2a6fd39c9a06160198615123b884b3318821348cf5bdccb04ff6bc8cb876fde4588c3244e2aeb2e8d24b1775a942a41ac7d274155b8910c3685d4146fe5400c17e83e8288a560acbd6a819f80024e548ac5881d6faad171b6223c5883defb2d5fcfae9ef86d046bc7a24f69fb9b1d661178caf72fda94b29cf03ed188a7452a9e8fe9f0d1e0ce0c6ddec550dfa0281b007a752235cb63ef66ccdd05591067516523a813ab7186f2be8d8f88092628ed50b8b8fe3355e963ce181b2a7761640b6433596c330ebdea5437d2579f795810a1d1353e2a7eecd868c23debf3b417a43d71bba4e9114c64a7743e762ba34fbcb9002ac936e869f95a24d9558b952470f6fb124a7a107d2934da909278593aba7c7143ca0cf802f957a3f8e0557451c216f82c1750fd74baeb0a414786eabab18a5cb1826f9800c471c23dd7ad43d497565c078a75e3d02f6dc72cbd9488849389af509d5f8b64a4ca215ef6b148fb4ab9b52e72181945cb6d64b951976c34c315bc7edc2705838ae09e821ce5b1821bb3d5d409dd6542745dd5a74aa6276add2d479c6f16c1b868d7856256c93c6d4d4a2f630ff40363e0a07182bb4131eee6fbd18a236da2adaaf6a7b70660874d7296f69e9309668c75e4a5f8144f93348a4a8141c2d1885546047f343a096eb255735a9590b9714bb5263b3bcae7a467c6356f50af9d49ee572ec529f2bf3894675d554334c1ea92c5fa121de3ef1b9f74cd953aca996d23ab6decd343ac53e2f99a249fb988f4ca796c0a849798f0f97495c10b9a0c8509c4bcff637662696949efc09251a06a22c22603847584330cfea0375d8c5bdce8dc49574865afbdb3673a76d91a4dc0eb7e3adf438a8f0c8c03dcccfdedddf4d44abac93d84d8f73a7a4bd8d0bd07122410bf9215dca11ff32e98eb1739b26e71890a21ea173ff62382c56bda1514776e65d36924e2590790e812d24cd2aac5752a02dcca068a4c5f4eb69a707280721e755d3601a2a18ded5eeb61fdbe7dae292976137780bb94cdc30a247223a39f94b324d9d013da3189c2cff87cdb6c2d60b271f33094db4ef5dcf9ed72fc21244c9cd4be4d3328e815f5101643868abb4e50de054c95554316f3a827016dd9474787d3403472ccf47484cacf52ba3865dd233b99e6884bb09536e65175f4ab58e9b138fb659f29a216225a1a89c94a0a537ce70f69001aa8b3f3e9c271d7acc8f61da6d9f9b0beda683fe87e40
e61240ba431223cf98fed0ce930bf8e44edb42afcf54fc10c46f93b8c4d70d5b305507e6a5e2ed79b32085b7598a90659d2d929def4026ef7e9fc489bd22160929a0892c3897226fe63b54424aad314454ebe080e29ecc3e6172cf0f64fb2566a77813fd0f03df52f7542399a134cf6bdb23b01276ff2d6e2db82661fb1aa69388e55c087c3897309940477ed3e222f860eec00e012404ae81c6ca35f1ae7400e0aececf33348bb4adba665abcfbaea95ced173132f6d6298c2899cd6184f9e9d2f62e9d5c07177a3de17f59e7ef60600c3b741af36e7764ce2cb376ca9646f1134e89a0187662fe24c7be0973779d4f5bb3dcd05d8ef4e3481bba1d7199149d1b34c074640a8a2d9614a1d3f2547837c9dadcba164da6cb5899f85554640792f0d3e5076cbec862732dd8dda895695efbaa77ca0ca967630df62d746780e82cc16a066ed736889c9f3c533bc4340b3046ea8bf75707daaceee2c7582f179b1f1259b03b4bbbcc510768bd494b4ddbe27db9ac24aca119bc04175752328c5bf91e4995392c98d934ae13ebb92756e4bbb80053c1dbd56d7989a0d13f81a62f05a33653ea10edee1b38ce2608ec8c2ef69152bd442c79463e563ba7c5461ef96d170b0640a7566e56e510e66cc795f71d9d728ae1b235e72b546f7b3219d05c4bcc39ac269cf69f1c301d228060b8093322378b1684c6c396271cedb32989cb13da07022dae62db8a489b32bdc5989a7266528c5857a43f0cea8a8926aec1a732603fb80ff5b0342f17092f2f4ba5e9fc4e49bd96405824578c2543fb27c32f3299060de4b11c12678da6aa215e2a02cfc99a602405b130495b699483143274e1429794df198ad773abcfa16a6417fbe9fa64f97f8037dc80b0ab21821058990c4775a052079a1adcdc89deb0ecd2f1e916b0d77489438857c462ad98eb4d601e6c313c8c590e3543b4ddf31bdcc2fa83e193c74688dd1c5f8df7cd9b0401f2c67ea55fbc47fbcc3d8289d548fa058ac480d71d8d4fc4c48c1f1b82e1777e298002e97af72a4966807b9bee4f244cd8bd2a8c37ad5a91a520e30a43142ee4c8e9d1f106ce5b108b71508d67aabed8332800f1383514748c57b2d2689432bf826d7894ffe86f7f2e7cee69d461060f21b37de45abb6e7d15025bca8ff9b582a6fd4ac7f9d61cb356592f4a3ec762c5027af675d65b73a5ff5a8337c42bba72b71df49a0ed42e9feec65dfd4d96d79c7a4ecc2f51bb2cc056300d941505de6bbafcbddf7c663e48aa5fbe9978ca1789b794b6bf4fad0b7efd18c30a0e3641c4ffb3531d1fbebb11e01784279e61dce68db708f838839433ab24268c36123367d20cdd91cf0302452e23b83b3118d8dff460701ada0c6d61b7d054e9dc07d5460ea91e16103a26290962
affac4aa486c29e18056ab56dc87c2f0215ccb7ff553427bf38e76488b38bcedef19033fa05ddb5a4c9f352337914ed1acf852adc9a8355a231741ef9b82db7178a93f302a39dd1feff376a21e469a72dc59abfe41624aeded1a0af7a20d89551f8e4af0b1ceb5d934c5ee7e9cd0497d660d0d58513de8ec71f89384ce4f3047f5c5e599c444f52d7080f266785d9cc950d723ec588edeea7e743f477b50ef6d493cb350bbb867f9367b65ccbe52a03674f284a08d36bc50aab4a3f0c91dd68acf6d2b5c605484b94dc331257feb5b3b8128aab2a441d7c04eadc7521e6ba756e3d7e69a3a2f41cc71d7115f4adec5eeced9cd516171ec3bd6106ce196783e946a23aab8dac73f2559f59a998dae80cdc54d83aff7a88a9622bce3045511cb77de14789832efe7340fbac4ff25a7883ad5bca41741a3144a0f9c5b8d2f03ded15b72415cb3447cb621409481b4501eea8cfb8ab6ae53b9d0095aea90fb84c7160ecaa8d04b2a2f757a24c75599472e7c6f629279d57ab897ca4b84398f1841aa0acdb7cc208455e9ddba3db8095aa6e31a5e5a284946b26db2706951d5a6ca7b33354839fb8a424cced92f9db490534b27c93678e362b5a2c12041827004abcf80b3c9f7659fb1b2c671002796b86869b29388d5df277289535c976fb56ea1a938cebf824f2e9093ffa058e41264abb4eb08edb505e51c0f9bfe3d4f97e52e84884793d4db290692fb25cd68509390f1ae6869ec8dca8a824279a455ab7db604e563bf6096755f838e5b4087380035f2041426ac0014fcc4c5decdc74453cb407616c57ce736039464e998b8fee6d423bb377a16a2b1fd8adc418abaaabdb2bee541a5c312d8454a36b4b1c718ce74e862da4a9e239da612f3f07d529e46251d85629242c7b0d4f5370f7ecbdacdf9ee925d7b717455ee78f11f99c94ad4cc2f8c598e845226669251292287987019a6d4df23999c46783f66d9c0d1ab4df572c972c9e837993bfa68bfaeee52c98211dc9e0c1b254e7c23bb6a05de76d7005e2fa82d4d2ac444f31a45b31fbd4237f2805cbb18111e091f182ee7d43501c1e4e1ae69997d7dde527b01bafb92482ba3870ce8211b9779a1479f168676371e606ec9c4da411283c845839f2440f6b9373d901653a26e45ae2145ad6ef2ef5729d9eabe50cb51d17eabd72e08a61a428a1a336836eed361e9a4d1cb2f312d7b3e5765f054edd1d7477076db18592b8b880c78f1ad6b9d6e680729b906d8e44652fcdb628d7e0ac1b5ddc8ffa2fa26710aca2989d3e5dc0ad481829c9dcfa99f5560e3aa2ec5f11c1fc995a14e2959cf492b07002cd80c066ffd4bca1e0c5f8628717daf7eb3cbbbe2542e3f5a18c9ba54d56bec9f52f0310635fcf92df6a4738cdf845a3caf7b3859
edf9220f291dba1aac89c07693dd220763739798b687cd6b27d896a692536ad7e847ccac64984cf9ae18174d0c23109f82cc943b004e07ac6741045dc0cd4a302257b6bd4eeea0d0f3e7af93f1b3abe724ece35482f2afe205ed2265824302454e8a29bfc39e943232b7afb435e7517d6ce926c5fdd49ecac1be18435ff5665d0f724a2bc2d22f19a6c1428e2f686419b124cc76861f3070ebcbd99812cb10ecb357a0e1171ee64a67237762927adf9784ab9033f6b566f7218fa67109f9607fce2a4b8b74a3cd5a9ceafa4ce0b38be85144505c0bdc18a49ad0ca23051d563d14af02e2ec8147e8f2bc0bd30c69debfe2c170dda04de73fc777aea45027e56805a4b8c3fbf09315da5b05de928df4397977b26ce3e54d36643b0e229cfa6f832085fb3008c03e924a5b6232fd0a82c1b1b91967fa5a1b166c67f05ee6481d895f21aae704825fd44a635c29ac3ce0f5aa28262d845f4cd0891134ca5846a6b62ce7fc90a6bae5304eb0f533838b522a74365e6ec1957375d09c511d221439dc8f17d4b90e298815d7b9df23dac9a6adfc2608c062d1328de36b9b8390b330a99d50590d7d3f566e11022f7c066869422260b693c06e38b025157442b473e97b7eb2b4365e494f813a99c695447bd3155199597ca8ffe224b08d3fe81eb80afc5f2c5ca9778754251d8c7e35b063855d66cdb5ebd722d444c4654989edde1fbc78d2647b041148a159414b94805b0c76eaa242886d8b45f3f98489cbcfaeadbdcf2ac5ebc6b32e684d7467e63e935a6cdefaa3f78f8ee8a00ff9da25feb8fce6fff1033231a4aef0725907534f174e5386484fa18b781f3f6894affba4d496deeecc374f4b3e69f95a5997c8978a4e0a29c470b32864261d08d5679796ee633a6230d2b2f71e9f219df7e95d4042b3cc991352e50715c5ef56dc07afe11509d905b2d357bf03b2366582ff9d473c9a559670a4dbf02d215c5b3367a1bf08adb7cc5c208a2264906b67d4d9ba2a15f146549578b20aed14013f42dd268aaad8e2979bb51c5ed81988e6030b6f5082d1cc212ba2e2c8b8084ff0e72490f0d14048a507beccfabd6d4b683bd7dbf4bd65a45809166b207b187a310fb2558df0caca91362dc72c3ae5d2def3c16a8f4b96fef21f76d1b7ef57c93917976d0384d06f0bd1dd8088d777eb6c1bccd68fcd68efa860cea38018e46668210d678b248f53f83f0c4b922e8de99a6e734289991e1046a1291b249874de24687c24b3070d7e8024f47973570660787b0854a229b014e38ba8dd1d12250b899e46df956ddc02ee440a577756fa0052a305b3dcd21aa4013be057a6fbd43b579a5d57d3edf2c74d83114b96e55d601d5076eb3d113311ee1abae22fa5ea7107b8e20bce63e2806e395e86db9302fb
cb1e66a7f03158d508a06c17fd81560cf48196ac12813c7f1c7a2920121f26194210632af96a2372a96bab8f2b237d9260ec7e9c5fee28d4571c3f74a47ffc4303f794f6d161061c63eab2d6b71e6fa6601edbe0228a47e62b5ec8fe591c147545b74d57c098e2373cc1cda4a35d1c3c40a5a5baa4af89d1c21cdbc2c4d8ba4db7b3c58db287ab79f63ac779d6e812776e143a32e12746ed3b1c8cffde5300b2428c5eaac80d63dc69242c83f86bf7166a42a0f70daf00a005f6cdea71cc02a75490f185f6e3b1524b3de595df869652a502aeaa9873a10960387b3b8610e53e84ef62f4d211f81c8bbe4639bfcd02664574f80dd9904b9552c0ddb1f0bec77868f116325e82208b93b11e559ca17259c7c2be47ccfa0a6e87dc081b2bafb7cb9fe41eede8bce6c2ffb156294d436b814ca9b222339711efcec9e5dde3cb9ee5773a96a8a241247d69cfce4a51c8713b85d11e2fa1ba53adb8290701aed0a755b97b7e2c6304566911de3181a6515c056c7a484e3910d1974eeb9eb862109884781881aa681a43e1dad8780c4ded42fb4d6a19437e8d523ca01401e3a4bccaf17b3f8eb98e7826490ca1ee44df361c39c9e9f9623fa86c7fbe46a4a55b70576332372930c4768eb910d4aa4df356327ac851f87cba7637b991577987b46d7020c118452833a683f7aa9953afc3faff0997011415fbdf8088418027b990b62d7ae15dd99a2789b53f20fb9dfac425ba5116bfc0bb903a851ecfae1895bc86a1d50ccd869b29d7ae0b9a6833bf16ffeb0f65ed4be2cbdb742456010cfd1eaab378d1b394ff3366b9000a79bc0573ce4ca6ae5946650c94c192b6c84699ed64b44c59fc890e510a8f6c4e2430f482f4ed9bd7501790bd9f7362e34afe53a0dc6aae15dfa531b85c837af2ea7ac9ebdfb2f960e6a4d18890ee9afe1a4d2c7c4a2046e2d260fab484a9b62752fac90214633b10472fb143c66e41a7d5904750f3ab61f10731c9fb11df99417bfb57f277ac9808d7e1ddd05e4840c5fca77f16bda3ea2e8defbb0455e03df458c1407fd6e4ee34fb5b264f8a83cf1437992202c4bd4195f5abdc136fabf9bc6e04202587cc87cd8254e7393839cb35fed61fc6c6cd1ee20845b79f418cd04cb533e82c42e956d7bb781f1ecad11e440593c9cffc2e6ffec8d21e04c3f80fd29c4abcba1110f8fdc9c16e9f8f0c0bc0e82bbcb43b46b597b48b94e73d106553d51de33b5fce8c0f183446085b690738464f6ca44ab07d8fe63df04d9462632449644b970c5db757d7f1d8d8da3c5244d8b85e958ac52a34079f5712bd1e586abc64aee4fd75a62800f202a5082261ef2e549999a96a1ca69e7382b59a3f702fe96746a8bcf917ec39556adaccb91e84d0345d789b0c14b09a7249e8143023
294e08e55c69a8e15447d15e4856929051f64c760d4ad8501db3a4d9ae65d39060f27c78582f0e772b9f57eb748fef6a3061136f908cfafebee6b3295dc7e15aafe03cd975f9318560ea75002dc70b2e27c64cf8459c63aa7f1cd3abb5a2b28bb797b557c4cf05c56102deddfd954c39800a55db62e79bf256d763e8f854ce3d075ed2efd27e8c6d6558602bcf7c4be0036c6ada79ed34db5995b36e2da666f36f7bf5565c8f5a265acbd909cbb1c8b874214682e64a852f6aecc7354f81da36cc00de2c2cd22163837a7c9bebe44fc520a1564213a939dfa2b11f531d246460861022e78e7745316cbe2f212238fd22bb1e3d0813136b0ee7816b0db76e47ac08ff9a103d2b946d0b656bfaead6af2e3d766a853f8cb09bc3b53295d2e21cb9e34cbf4e8a6075e8973d74e8a01cb78b660149dd6c0380ff8e6d59430d542920d62bb915d74d2503d6a0b49377a618a757476f538719e36013409579661e04ff86f916cccf3a7aa895da4323364961c6b340c9b82c7200abbb1cdef23da98ef8a7942a8b633f7f6984abbead113210042bdd6e99b69f8d7e65bb1fff7d5c4c98a54754871d53440c86c1a4c228fec4bb090335c5528aff48ef3ce9ddcdb3c1ab44ceee0093f74382f93c5b66c45b9d9b2ef7bd92677397c9181f1f53d90c49939a4e9481a1d22548e7d6f727be762bacb6c58cc7224ef4c5279abe6cc5849c216c2f69d41460cab2e6e96a43d7f3b08c74b15e2f9af245c8749acc8eb7f93f19eaa2255f82a532d8acc5c7d7ae0553fbe847d658f7e47d2c770ac02a72df9cd764cd47e29a552b6d28d3c8340fb672adf10a8921a0e361d59e48eaaca7a7c931e5603cbbbd3ffb37a7f4aeeddff8ae56e5c37f1407a78a986c4aa3e19919e9c2c93fb921e72ae93c3b030853722d03cf59baf3cb086e3e3e4047d51c64f28ccfe468a6d492f824ee68eabb4dc6788a745ee23faa23810dc3196a7d6a64eb7a7c42ce6afa846840604bbe0ad77319fd41a59aaa40e83ff99a5a5d1543bb828894f9f1e79000f3d0fd21883aeed024ec5d0ff5190e7ed6ad7ede9b3524de15799b28bc2bd9568c654f9100a47a2e8e4d1042b2a2401ea990359fbe1ea9c5a23a8c9d52ed8b01cc65c942e136a862f7be5fbb30f438f8bc84d599bc18d4fc1275da1c1b3f64d03d25e9daa63bf2537ff257f591c55af5f56402fe83d18f9257527bad9b2ac65d35407d4b0a43c58356c606b85fe56c387ddbbefcda8a71cffcb29193a51209748d8021d5d123540e50954fc4131d2535681a6799944605b79b4de9fb12c0db182d6204df04db4cb28da9e41753cc3dee7658483efe54115bcb68017d65af0ed4ae29939d6c8da3b3c6b23dbd1c86877c9513fb8d2aa04870f212a4d5d0261d8067997e
4618fa3675db86b472589bae3f9e6246b83187a84b2cbd8194548c2651b2e32430835d6e1392c0729e5e718e5455c5548c7ade623de02991ef30b34647622c8961eb14d305634d59844af5550e99858de852451fb4bc9b589e5fb2960b1e056cac90d3c75b17cf2caf98e261a3c4f24d848902f186ff916e776f65e9cbc0a84afc58d7b97352e3d73d0bcac5b8930dc5180788fbceb260a0a8ddaf68116b467874c4a2388713f8aae969fe09fdf1aa072ca5fba6239b27fa1d1bf5a77a50d5334b61c855bc2a494ef4844471be8a02f04dc9b182e48bcf8f44440f897de9bdf03cdddc340a0a225dc4fc89b6a65f3685ee414e26bd9d998b7d764e6da265c15efe857e226574c16c5fd9ab2e7bce95e9c61b356f39029b7b2d293d2e96548ccb21637f4e10c5911c73d3feafa76f760c8eadedc2599e0f1330f95905e694b601028742518c3b31df3c8981ab7640fc86e6873ec0659e08375b7beaf648ef96b7061341153491199b5da75e217cb88ce407e1b5a1ecc4b2e7e8db7238ee1914834e2903317fc40fe42129af84835bf647f90af2ad6bbdef712a2a96cc822e6c40a65ebffbf37d022be19d16a8249640e0349da99e4afcfe04b618dece4713eb74ad58984f1625e32d9bd266fb9cee63d3c71ce16abd1ea5f6ea1f4a91b70ef74e0a919f34e9ba8277df39b047f759a8bacac75fac20ccabb5f2e6f60e3436711c5711955c7742dd6d9e8a9b83d5cccd5ae3448b25cdb35ecc8f20a4c34bddc374ee9167f7fcd2f6a2cee9672ba4eeacbbc98574db1988c71e8212e2d35dd0f303691c4191990bdbcc3fb770d59b0a90433bb2dfb3539ed007bf529702031fcf429fe0bda4abfc427a9fe71a1a94bb264ee88dbb8c31f222adffd9ddbfe46feccd67655fd944bd4751466a59d69ea36d910e2c9b4111a955ff14d46ff6e6afe568231dedf800a90773cc1f8f956617ac44a2eb6e64b88ed5a07b943321c63a02ed711854f4b60a299dad987a82933961600db05a2f4eb7846a8d01cc22bc4529502c9ed664cd90f5d2f2a4d50334b4c41f45838d5de74a6b2b558ea1d1b34dc21d7f7d0fd6c01967852ff0e0f40fee4dadb242b7b8e7af4cea79842215e4baf008ccbbaa475006f25340c392534d4ede113ea0245c73bc624af6de72d50562eee999a5b98ee53bd69c1b1bd999328456e154b7430f2f228749328e25233b5c598ec8b9e5352814fb3fd15a7112c0a8f9855dd55ff6b747777f93cd15a07f118657a267dbdc51d30e9681fe89851f5a6c7b6b4527a97753d0784a9f60406b54b47028407e177c43888278968fe637e336cbef51ee438608d052efa715c874fccea267e400a305c22a2357d9c5afda431e0adf26ca41c978f202792fc1589ba7ccbf9900e1c9e35e9ba5
843c864f8eb28d226b2f3c3212ad02100d8971672190f56a6e058f70daf9764cb86c36d677f42e06bb291b4ac3be2e1dadfecf2807eb62eb065a91dddedaccd8cce08fcef4488ec725be165765f60ddc628b555952449cd8a2ddd50e06f6244184b7266a2eae1db9a0e951ea4b80f1d973011a1ddfa3a0adf2ea03ba520c9025c3de01faeff8b74cd343efa2e886d18a50861dcce0941de826c5cd4cd9adfa4658faf8ca8f1bdd5fdd2742f55528f190b974c1d756126dd587bce6c0a54310103fcb750b4b0b97e032f7f3c1a64c5b37e51fa88305f735c6acad068a4fd8836049f9b1ba83ab3bb7301370429538601a0d2599aa1fb71085703f000f0f00ca386cc2f6600c0948caec2451f373494db089f4337cff642ab03059174ceb2a20ce3f8d2ed77ecde59855dc6a380fa0a9f1e0fb9dfd007ae1af1f101dd154ed5bdba618715261795b60ab5079d085634559da89134c141da8ab660c12d3e85bd90081478e8a0e2653d26c303bcc58721189d02688e9b7f0cb8d26a0c011f3b31611ca63f519fc1d5152f0aaa2fb599ee719b9f5e3e6a5e00173f87d9b3fb9eada124df2d95b0bceb55c984b1230f93bf8e114dbdffe2d7df566f596a628212bc50cac930df46bbcf3b28ccabc05f33c8c529e54fea057949a50aa183d2be6a17c3c825622793c0f8c93ac0ca3cdc1b748273d6f9a20cc09f2ee1f1bffd215a3def20886bab9047c227bda97d87752df8914d7dd0361b4b089611b5a4bce46fbdbb65709ea7b6026201a121eacad55bb8d0065555593d44d604d8c567f6ffa29d3f1cbb69b68402e85c0d5d951e74a46ffc4fb77711d0a3e28e4718d2a6d2f2118d98660d8920e914013caa24e3580ea7bd689f2aea02af380c1d7eba106c5ceced9e6070d00edd5f776a631fb83d021c0b410999c0cf55f0867ad828881d62677b3fa39c4d83f24b737220ed4f125b7c74cad934c3baf98a7583a6d5919271d7d7da84b360eac3b27a6505770f1b92305481dc6a0eda80c5ae69c90851e0283525020904fde991ed16da489bb25b2c82bdcb2a013130d49e7a35969497d7bbbfda112262a294ca959c005620144fb17448866da6e10cb6241ba38b1588dba72ffb8d04cd84e6d4ca0bc590f2be21aa223b0d5ff9ce06295fcdcb728a8ec85d92bc6fa270fd93f0ff4a0610c9904986a43d1275560ab2f50b3f5ffd5e860e8047f5c97e1d77d2643090508c3809da67ce192cdc9edc7f62941807ce1ff296fa1b8ab53b8da2d7e009be69e4213a0b76fb0bfd573f41d8bcf751686c41340713bfd76dc91ec0d7650cfa3c827631de51b70424d1d75d8f5e7c02d3344e2bd4d0eb848842c2d5a61f37b03986639a19b48974d943124edff77c84e57107974a4cf44cfac12d09cfaf96f5b
914f9bdeacf9ad1c561486f5beaa92c9eb3fb975009cea69df9c0b2ed1c2a67ffe6b9a32b964ad127cf224479732005f66bb8a3270b013e12b74cec9cdcf24de84f4c74bca46c58e1dceed2fe2f79d4ad4963b129396deb616f878c8efff2998d96ae66aa3ddf059369457dbd321fe13bc50debeb8675c5c57e20e652741cc9e9dd84d3b30711947299b438c3dafa4146f4491c799822338acb8355dfe2633639f199f44e4ecb21e00a94cae6aee4e283d0db21dda8b618c6660ec344c11904aefe8bb5d977100e8ee4dbef63b9f353130e284923efde506b315af747a360b8adf718a63a7b8d5423b32dc484df2c552ff396cff605a228d54913202c3f6ee7e8042a4499675735569481fd5ec03610cee19c161f524ada7461afcb61a75d1b4d8b030ef3cc7d9880d2bd7aac7892ad0ed4784c15036d2456db2f0c082cee850a6d7ad435575f821a7cc5276d628b5c17f0a02d9df2ca6f62e6dad864ec46531c49fbbfdeabf6391563a0b8612d79272f222d85226918f128f50cd94753cf1f375cda5c9c5fcffc326c5f2d9d7790bf55ff665f7ae3029f983f1e9b0d8de6c0d239b36ac79bd43093839a8a7e3fb02fa8c47f6152e00b3bc4510728bbe5f8ebf24d6125a781e5c88e1c71c0b84f0179020c849936206cd98cac5bad53934a44e04b1803b0f2090b2c090eda5adcbb6787cce9aea155064290b05504a58e9d9539512ea246f1119f80148bebdd2490d7542a393258583ec4ff745458626abb729244137b67d7566fab4cbf3e2adda931509bb7d7dede5106db43a7639ae428cb33716e91019f784768682a0f0484b0d3f61104c52029a45a43488595d70357457010ad8bfc37c38fd0ab5536c20d18e40718e04cc8ac529432d6168ed48b95790ee9c6581b6d3b3fc14a3a864d6858c58af0ff02689d9de1b47f58fc0a8fc5780ea1742204e73be47c87121cca8662930a36eadca33487359f1a0f298971d83ec5562b2a9f32e69ea409cfc55bdac633b0ff384cab1d47ab47ae03c435d518ea5686e038a048b5df7241e51e884ed590392968919bd32593d6af5eeebdbd12f55820c138fd6c77e74d247b3cb28a70216615720c4bfd09d7068fd7cfadf7293fd6dfdf13a96867cda9db64b71255bece80bb8e376b4628c1a0064406e28a9656286941f1536c3375b908072c42c63a58bfca416497a4c84d917b89574f736c99d821569e2c785ffaefc545e4560d1425260d27cddd471137f17f76b7dd2029666f0a27d3194644d366f051c3066639a34d8636db5b8991911bf15743b23bed633305c4355ac820b85e7aa6c65e95ebdc68afcf1214ce569ecb575f760810da7edd05f5c8889a6e9d9940d2705702990860f3dc4d93b7230e94b1e317192bfafe8f8b5cd5ab7b1a791
7a6dca13cc5956deabde65b1ba3e84e1f91dcf2ac6f0fa7c9ec942f2d7003b8167139dd2d6eedbab9d882131808a73c39554d3621aa75636ec73a1a8e30c697f4784f901eae702b4c5a7916341642f4790589b84b5c9a9f1999be3e29745154cbafe19ee29df11e231217e3475aafc3260f0dacbae05c74a9ed6c8856a84449611c67677be04ac0c31253aef76a3d5f6f431ea74f117fa76a3a888fa533b7bd84b0bea1948751790127e106b26a4c20160d53eba82f316c15bb17387bd3d0f9fa45005bc7630ee47538cae45ffe236400e4107dc9b5da5ced163acc49d85e2749208d218421f4e197be52bd75db2ea073b0cfa6fcec7ba7f2274cf7bacff7e459ce37317f72f084ee8f8dc573495dcef970a2e630013da40f5fdfea42578864d532aea7790e0319ddb4c93764b4a6a3d3269ac34f05acb211e4022245ffa64c46081ba910e8de2662a714e637d5dc0d46f83d85653799c7b22c931a5ee9f5b5365f23110721edd3c8812a5a124e0828042a9d9e5cf4934a3ee44a1550bf41fce8a14bbf372b01c3891cfab88560804bd838eb145ea51f219fa325fc175f38e63ad4fb30fd0ddf0062f871f3d5cdf557c3c8b6a02c2bdd7ae243193572e6df06281e3996b2e288f0375720afdc44206175839c50cf33fce705cbd6f65dbff9122946c8668bdedb016914e418145b104fa7c0d76b42ad8864ebbf916b03baae9591c473d60d3590c92e2803a7804c6012d5b011e96c6dd5248ab2c4e78e9402bc49a036017c1cdea653de71f4b998f553bb34a9b6b7538de01fd27d52d2d2523fe3a596f1c6e90e0da6ed3296d9690d3afe291f34d40ae76eb1bf7cbf61514ff3b32399794afba583849887aebe463814461251d08116c9b6c05db158ca15071e993e08ca0c49af4d23c1f7631df7fb7b5236d76d6aac8e6f8ac33688e94bf875c428c90ac2cfd16c7b19b959125953b2ebc38c478d97adf89921379a682622c107a466983e1d4a018dfa27608f21a9051535cbf4760f5631dea4df7758208d827dddeb18301af4c0f9597ace619b1e695647ee17770b85453bf2a3894ccb1894ff65616cf29327898ccdc544d64fdac5a3e4b01b063ea1a68546607e7b51465b58d60cd94c7b514a5c559724e6b1f802a0591e00b75679cbbc8eabbacc17c03f7449562dd8ac34249e7290f22d0173c5efb34c92de42910034f2e5ed65d04e6709355a9ea7c58fd5fe3f85f009bf204864560aca7a879fb5e26483c90647ab0d46f4bacbdf8430a76b8a94150d70b8db44340157d0b9fbc03225e33d63c44441836ddfe85649d2f1179fa96d5ec5583f6d01ad2e415b9683980f331843080e89110fd593687a6b767ac47b49e9704f26eba543c28dd26889e5d8107720d11e92a761f5021f77d2df4
ed85c65d7d86c65bb68f149be503b93641e56922d9981593d5178eb25570be83dace578564123db5db6058d98d00d09cda503372ab65602e3dd7b63fd8e2fd8fda5f53dc29cb2bcdff527db0d49625716334bf5e3dfc4224968c0a9de9258e2e0a0a6bf16dd6667ff4cb598da611120e330de93acdc96048a638959c76e0bbf2938996639c6e324181b1fc70c7ce91988c32613840b7b6ae89b5886e7592ef39353583c62fb9a6742efab711e6c65507ae8dc66e85fb09c81db26c741dfc6a2ae64bcbca671ff426ba3a2b4f23db884b0945e0bbfadb90c62077bf729e7df1b1c20bdf15f7b1d549c63e056aa31312bd32c1d455ff18fe865f4704f0b3c1f8b4add3b2d6f1b4d70c97ece5faeade75da3846145b0cf4d308e8472b41990bcb7ac1e7868eb814c6d1dca980583d250a50974474e9f79032a80c34f44abe3d19a04f4059359d4bc6b38afd1f27254c00e7cdd1c4e5e501e2f99ca0d58f5010a5bb19101ad9001491a69378038b464d793d4832af28a2e7266cc61b9a82c01ea9deea974b5e386a239e93a7e8f986915900589b615b780213bfa24f56b425dc7456e1fe70dc57d0e1bc3069b0fdc6024ea813e0e2554223b0fb1991d841e539104c30adb0a685c24a04fcd6d0409d2dffb949352218df4d80978c64249798213b6c4368468cae0f61d636cd1f57fc99cc27f9feac4380a896449562ebfdbdbd89cb567422ab617ccd41d674c400907fc51b12e1a9ef2b35dd1dea86625a9819ffffc4cf2bf0a090fbb323bb2b410b01355c6e036bb70fa0b5d7df25d0180ee48cb6a84be30beee9fefcfc386dc16146cb772146b2665786763cd2db1f06a44340ee6d942f426cab6d9988a14cca830956e7907232f47125b866ce223a58fc04c1440bafc8134ad0acf1dd2ef5279390bb842f1e19f6b39898616649d7c1ec8421236fbc779b1693c0030220002b5a4b5de78ba14caec8a9f578483b07aa13543048b28fe2403bb8a3a5c6632f7e52f737534a19e87e7fe60ae03d9273573159208332ef98be87018f024978d4ec6629c9b79ea490973464adfb9bbf2b84fadbc3015d8dc4dbfd372cc54f4c84d2c402c538592ce2a8966b44daf432f8d1fd0a9abb66debc10ff2f6c874815c596361064f935b57b26cc31571c2ad33dc9cefcb307684d295368e4fa8c15d490833b11a1bf787ca1d214ed705e33f139218369fb694ae42da41b2e830e29b8d609e51a2d793471ef2c474fb445d0b3f2d5c65e8418cf16f0fb0937f785005e8a678df65558987089cfa38d78a926c179a354bd40fac48843a7427a5c135e85710d1ded6beef534925cad099d5cb3e7af503bfff666f7a68a5cc36a4098e04bb65de79c81888b51b88537521579b150e5ef9d0cd621ea956820e8a384ae
98269c09e88a59892ea43b10b0aac13141903cfac8da80bbb60f70f8681620ee655cbcf1973983e6f24fe3070fbe323657179e7a0bd44ef5d619d3686ae06041b1d483960ffcb3d3e088e78b6e8fb6e8fb7cad6db7617ca8618c3229263e179de93a3b3a538b14bd060480ba0bff298fff01d25e40c4ecf8339b18035ee22f46c2f801c9a158750e5af4d358e9f83c7d849c136e23d509e24850729fbd32f2d7f10c04fdd70bbae22c2ade00abbf1fd6aae066894c1aad0d947b7c78a9a27a74e19492dafa1024724186ee9b3db8b72efe7d9c15405edbd97324870f080aa3260df0a2326992d796d93a9b0b727bd10ebb1aa4b252b8e08d2843750355d443f2a8a688898048810530048c2bb97104fae86fe8888e09bdc935a64f51a480bdc35151cb874616c21c6d02be49925d9e69196cf6d045c7823666d4902ebfa353f8997695e1714337990fbe98435e75c0ade4353bc4ef208ff6b389477e9cfd820061c059139781291b5cf213769dc429a34d04cf2606168c724acae08df128b468dc73d4965105fd46252633ae7e93cd2389cbca0ec43c03ebed0705d278468f84835a22497e88de4f97b3774ec1145f2dab3ec5c3ea9a03232f458e36e5964b25bb4b7391aafdda257a465d915629f0ae761ab62634e5896f566f2b09c9c0b6d0e7c477812f7dc8004b6250ce4ebc4073d9f0d67890edbba6bdda25a43369f0e15d358232b8b801790db2131880de8d7ac41259dd36c143559d83bbdea615946370697cf665f9f8b2fdd7f2ec5b41dd61ab00b207873c8db9b2e75f71b3d2f68eb4dfcaee6cd7400d981f59d770d51d15598f6622ee4765222e77ef70e6e31468c4704f145f48a9beaafe9a08195e2ed3a09ebb21ee183cef2addfa7b8cbea29ef00a06565f89fd8ec23dc1e03c236f1b706aede07aaffbc35ff89eae9edee57ef81d51ca0b881ff474d49264523f3f7af130b7e9bafb313fcbc9ec9d7ce8a23857d669294eff470937afff9a361f263a378d99b45697e61db08249ac838570c39687e4678eb9f3d45429b814f1f63e4b6cfb329b5639500050cdf21e014184418fdeeead744bdfd7d18bead1635340abc1c3cede4d65b5a5f47a3abcbafb537f0f56fd43ed5b3384dc8c1ee9875d4482d11c7ebd5541c37bd774e6faf6fe67db625d331b9a5ed366e45de2c1ed84e1a19959821d974d6478510d12bfbbc4c7c5bbd208e67b6f5ca526ba93a8f1fbde0cd8bcf8dd2e0d01ef54fa404e88c72180257c260148a02499f1d9278cd92b27cbfbf6da4c2de1c06453525c8193801bf892065c5f33a2390b81e84bfd146f8cc9b423e230ea8b7ed37dbc432f51e44f913b5a444f6ad4169e31df307a61a69bff3d26fc6f4fdb7191d4183de0c2fa7802ae0c23faba43de1b
43f430b84040a90a8f5096a8a382a5d0db6a0c305b817ac1a59f44b1243488e7c3d80cc322506f2f7045a2c937876eff2d5fc2d077ae88fbe7455569cc278b2fec421b80e6bb99c989c57d323976ca99f40785d8aa3e3e2c57489dae2b2d421eee284325b7477231cc38d5d40945f5813119f2263bde664ee72b9c3ad5a8b6622a6415a38e393f8bd815af4fb7ceb4ea28d28939be965f5e6645b36ec726c00fb747d6ab805638cc90d773ad3dc669e771414adb6fcfa9dcabb6e537237dff6883bd39dd56b0a57587f8393aa698c46783616932d038c84139f3483179943a29d217b45c8d80b7f03ff67c3267a7c3316c2c5acd3914359bf9438d5bf93d6a33cfa5f86a142215f87d9becaeaab6173e03d292cf9725cf9117d12a9230b3871aa56dde5e7f9afc6c026d88ffac657444b1b07579bbc488c6f5e97ee1c88e90a6af2cf9f8ef9dd8b08980f9bbf1b2353bb235fe9f16677f20516e2cfbec3d4b2eb3bc1c87dee889ab2789e3f3e78b2da2dcd03644773b88f210bad65a1fe92dc71d2bfb55798c7a3802a5f9d9908b4ebaec5520d09ee1a84ee2c5699c9aeb53916647bc0096f329206ad50308b08aa2a7749e42dda9f8319b29d3f30e0c113d5e3564132860517143362dd48c7487e64065a67ce5922e76614790eea4a9f34dfb22170a6b2eae3590fe32c0764e7b738f1422664d23af10ed6c55f7b4e29c31b50a93b933f860e03192c39fab3dc9a1bd962c279bfa302aa80ec9fb1040d3b1a9265fcfb73f13ef73c4fa12151dbf9704c6f89d3042bf3c27c646bcf3d3b2f3b623f22ad71047c3c5edf248becd4a1064beed0dbcf357a086bcbd7bb40fdfcd792ff2fe3edfbf620e80e816c08e921e1688cffc780959aa2f3a6c3b18386072f17ad9936894e66b0947b3841dd18ed84b26dffc62f3f278617d681fb5f12bbb2b0cf7e6178c28ab32145ff7930365754798ec20664ec52f707908733e25f29980cfc7c3fa152c3a0dc3ffa80c53f1927e78278a5f06c690586ec268aa253aea10b48b49fb2ed1ba4e76e6d096736edd66cdab50c8f18e0c9be6a1a187ad0e7b3ad6facde6935c7bb1c4dff3358b5c73b306557f18f3924d8bf877fab3292d22257ac0098e4c9fa5b2a0380491b9154b450a8f829feff76529671d3b8ba957d9691c8b551ab0faaf6c2e3289149b96f46fe28ecf63fb55e3bd097b4e41fc277de00ab74721df09501e12a95c266a171dd15bc2c29564af4089efab7a478405acc384571e6c02f5b5ac8cc36be77daca524a1f0534f3d2dad60e2b6a54cac6225876820d8ec00ccb301f27724116836577d60fb96fc7f0b58fca0415be3c04e943903b573ff4ed860570a6cfc6ab953a57651060c4b359e1e5ab8aa49c7e571c8bf9a638d03db810ea3
0e58ac093563f5c675e56bd8ecd7209d13d0837b71c6f033ae89bbe7cc1aae7770e9ba52124fb5ffd929c877eed4e79585b7edff46b8aab917198ddf6a74d573b9ccf47f3b1f7d97cbe7a59bbcb2f0ed438eecae94f7006d5c14eaa14e2598536c37837a071cd6ed9b72c878b9d1e81bb215e76ba0cd4bff039bb2b7c4db87768099268c1b9de5041c3243315209b15ee81dc99cfa2bb034211b89f1a944131583f1b087f72b0a63bc1187511b4f2d8bf339b73faa6162d926dcd77396f0e39b533b657296bcd6e46475dddc33a1436fbf7e2b23e135bf87705f3a76bbd119d9d4c711da75de651cf8f02d8d48f8f7aac3457534cb2c45204ff46ea12190a7661e3cb82b56cdccff9f96c6710653f28c1b2e1ead24e09ef2be6bfce7f1880944fd1b7386e0f70e992fdef00abcfb9b277ff417e054bbc075b79d23dd9418d2bb952db441f0e92712e0a17884a60acd3446127719aa1520321305e2c47d670177d42415500d726dde18bceddc2f4ab17f050dbf20888257bdd859696bd52583acfbb55b62b82470425472b4b64a02677fee8b4c4fb93dc36fc415b08fd0f7bc5186ecaf82b24560cab3a3bb79f91e7d8a22bf8d59efd09426ef012c485bcaab4bbe7c5e42c69ed15557e630c2c97aaded06a18d51aa04ace19bbb97bce583cf66191b94953b0f070b5a32e49f160c5af9855f1ea5e02291f974175c30830e95846e2f3ce2e16050f7109343abcecf018a1cb389549d7c5525106872c74db955e4f33f3f86e38c5dfffe45686bf35a84b986590f33d57530125ea3ce3ed31d4295847c5ed1340a22218bc3e8597bb2739b55eee5a9c3c998b1866da55415a4bddb9cf22bac8dafdba6178eeecf9b9e04154857af97170da61c67d4a4a9f6ddb23258cf6fd1703e7220d7a0d14830cccb0954d9b4921b62dd976bd2522f2b2f86113ce2fa875f26d58f5779b16d42c1d4ffd0738b4489c2b2ccefae55099f8171d9b1b6398476b6be2fa9b789e62a33e66d61a5d7ff10029dd4e10aae05ae40e12e862d2d98ff9f18b923eefce9b696e2a773e2a89ec0fb332816d4349de32911eefb35d715c0fa865e0b0b78777fa08a88ce256ed754443977c3f806da9ca26a54c5823610116460c99afe44a678912915532e6320bc9303ce4f28cc144d1d246970a83385124a9229027c211727dac815eaf9a119fd892a7215fa6509fa232881c80e0a3c6780b928485ceeaba80830d8f9abaf408d1c929a120466e057a4d30130bbee808e25a6d5eb57ef51a581f5322670afb48d40b439ce0b8e756113785037192ba57b4285be38d4670829f863dc33a3fca49c8f58f8953a3e2ed44439b923e5c398b6e790cb79cd8a844450f086e770e6c206ce74968903136f0bbde0d212bd1890239054f2
57a5b0f81805b0dfa9d27ce6d6b2feecded46ecde172e8699423656ad431c5f6dbd24e2dac50b3449e789fb6e66521756f3753c4422afc49051c7825763599916e04bac0554a9f710642e3e024ce560c7532bb2a3a38073220e7c3ae2fb39e6e0133b7d210a806a9b88f4e13a7b43406405ebca415cd6f363517ec828a5e704b05599623d8fbbd4545516297b8bca5d990bb243c550ded2418292282cceb1c80ef7a706a3aec6e695a3fffc3f5ce37f579b986c27ee81789ae8541d3bebf624ffda6650a27d4aece4f1cb2ef7f13f40c2bde287cbce7c400ce5f508a44782560778409d9cce8698210c38ceaa66d03f8a02e777152068359464742570088ef5c475a5b542bd6c735bbc75f33f30127b0c4a9c4ec179e16fdb2a459dc0dac4256568041a19fc672c8dd2f67ef2d870ea59520dbedbf1e3a64fad80d167da484cb2ce92d7e0828886deeed1b9838140a8a9c0c1a69113679159e23dbd37f3d7779eb721c71b11cef8b14d976849952ebb54245c19b0b228701ef9f951f1e3e024f11b8d63c44a0562d6ba3ff30d6c3c644331c3422d6335072c77b71740c197640d7d5619cdd8e2330527b59ef15d0b96ba9ab8ebd775f45df018db5021e87f73a719ac0be9d36fe02735f9f4f6ce921883a52b05f2d505676cc49492a70284c3c590a89c074edb0cdbc6dafdda6e7123774ee64618eafe99a4dff441b004d32ef408f701cf35748b9c9e60bdf97c4c2bd57c5cfcc67a426fe5ed77cca7678bf50852bb1fed48b7a4aa1bf58f65b6694e79094af25f5d97f96aea0c82ed6be5288632fa5203eaf9521e5e19a13e4f24b1dde4058393be8faab1b077d3f288d0662205cf4226ec21622f81b0aa2867e1a565e4a400de4a98683ae8a445ac65f59b78790636dfbbe77258a8f568b743fa37186658d185740e95b39d3d9756660553458fdec896d65a456b5ab5b96326215fb73830fabd4d4b0442816197992a44eca9f618daf658e090e6e4fa16cc6529e37992e4ed67bfc6d331a6fd2299ded2436e1d086895ada95abd83ee0f1d72601dcf77d36eede5201c8f6eee07cc8b36801b1f5489f4ded0943da3dc349d93832bca8d741eef51ad0f73f1bc9ca8f0a04b053bcdff7a11662660b11c6ebee6a74eb3ebd986ed6a88c48a9f2399d6e80d70c6b9a7e7c0e5f6b805a3b8b6e8bdab6f2a6da910736c208db7938489aacd44e82782994740ff32eb6626a3b7030404ddb1bf5491bc085bfc8c741e7184ec8c470d6affbefc4576263a3166961e1c504eee8637e228c261361fd87a5d420090ad06aa3e39540efaed838556c019970faf1306356fdcfd68b428a818edac3b9dbf16d9ff4b0b8b45fd52d9eaab2dc8e59810050fc88d1ec8ff89e035ebf9ad891aff06f6a9376d229c8
d71990b8ed6431674316035cccbb4d5d1749a2fd1b5d66d9b2591a046cf192544440ce064d821f11ad40b2cffe83cc1ac18f4fd1c1c072a4576985ef15f31d5446de6b36a3a0824f13041bfd48079d3ebf543c37142aa6dde5b87e1d4c977638a649dfd07480c85beacffbfd1be7e9a98fae468bbbbeca077216e7946e7f7bd2c17507e05f6f81965837f60c1836e18d8def34b1e8ffa0c2f6cde41da73ad051781038428ed3a0550585c5e1b933ee11046b353020344d681e9d83bcd21158095387ab8ac66b16d920b2dd1f8e4b8ac9dfb594949eafd31b5e3495c5cfd5f9736d95341548ee003a4bad9dd95a4f480e5f61f961122645e11173cef83749121a77f48ed2ff3e4a28158d87c1d4602d53aca09f071942a88a653f9f70c27102030872dfe56f3148ea6cc1f4eee92d45ba7a5dca60aa9c4cbe832ae0184df7922a6a72fc062460081bd2964001db833637b428f7f913d7d7641fa98d76d7eda3656da056135d15f7ae5b2ca75c6f5e606d1796b69893ec828a41236f39da152bb3e742e82fc3ee7b62dec3f5ecbf4f66baee9b3f86ea642fd543283f97128aacec9f54cb132c6ddadf709f2ccac623737a53b1bda6d355e01bff73f1c43124c4484c8fd9c11ad736e442bfa4ca7edafcc1319c22485f04fd8ef2b536dd02bcf1fd241b25c4d4dc7aef109750665b8f9ec0c554bd82de1d5ee6da379d6220cca2eb14c8d3db2617152e448f964b2e5abb0f921dc8bedbfa1ea4cbf922c8a1733865a918b228881443d8fdbc3d5f575dc39c94974da3af4b22b68a5172bda348f27359151096ef041d4d1f8fb3b204ddf0302dc93286dec600088b4d29c6d3f55c1d5154d1e56d454f2a7a22f65a22253abaaf10ad6160c3ffb9f76531045e01b2a4bde5ad042ab30e3fcaf3e35dcd963ffd432724b9f03692c2cc64a31bdfdca3bd8949c1e3377ca332e96f15879eafb95c40db9bdf3dd34bc097feac69523c6c29c423923227abb1cadbeb710dbc2ace43e6831b858fd4eeb8fb2a540349faadce46397c71a7e0ab45c6e8b15f03f43a8fdc68dd0ec475af71acf4b4f7a13bd116e10da73c668e72646ca02946961eddb7565a08f40f738f23bbd84c686c76540e873da89f19e2c33f57a918a1043c4d182b4dad50c86b2f921d93820d3550d12121c8ac9681bf757e64283add0ceb4751d5428632bd24f52eb0de77eafb16e86824bc9c21b518fe1596030f0e27015908cde06bfb3805dfa46a1993c8cb2428433d8ef60c92a9be5c7bfc542a3193bc2cf2784647906761816aab0c31556fc09a603f3d5919f85275591c668eaf161467d68142e5bb0ed0c2ec76d5fd653205270c96eef8f5357196fd3f4b1bb7b2a983c07acc261eba25f2fe3b255b22e7dea596deb2df73fb47bd
7cf1070342b0a59c6975c066d5d7b5ee7e068fd3d9a0e0d9d4978bf97caf551000d9cf8b2b14b624d89ea47a92469a61e85e646a6b6a571a37302b13db3657c1d360a2bb336937859aa98607a41771c5f48e762b6e062971334102823d334a40396df9dd8cc4119675df5b8ab3d0965fb5f18a6ba9afd66c1ab91dbc49c25349be57299635b6168a85fd6b682bd3bdca1eb8dbb0816f7702117008e40f7beedd509778eb168eb0bcea8b229547c55048bdfeb9f76324070542130f255badb471011e6d110f459ffe53a2b60c2f2a00ddb272d34a83fb2365bca876b03afa395ae5d2c0f812affcb437a9f84fccf4ff790c2e43991d7a5757696d7ee6e92ce9e0e6e198f2f152e521dccb88a31616be1412100ce6dff66e3ee62b68f7d3891a9f5d938e1e73930d21b56076b9ccb86fed1ebd3311b7874e7a586ac0dc164411765d595c208539ae3dad52c5aaf8b9ff52ec2763eca5e1377dbf172b3de84f6d38beb5dd8a1fa885f5da105fd707dca4f744fe659b096deaf2941d1bb2093634f2ffdf38207a77673cc613bd2d2fc8f61f21fabf960c89b4adc82e9c855aff1315633769efecce87a24fced0c14f3f1e0c60e2a4ae3be7bfe2858721a454bd33c460e8dbb6e2aa85ec47c845cc5a40dc755f78f96827f7bdc4baefc47b251d4f96e0c170fa5bdcf3e1461893bec60a9e937489ab9c2c3af32a333da69af97b516b755048753cc99759cfafb51f4e4aae449bf322ee52b1ed55510a14a29b689c072088aeac0cf45e34b039111406a44bf7162380f35088ba09b8a4697bff4e5f6d1c69c8fad4610b1ef51490ef964c370fb182b47f1863ef451c5022399630776c43f33ab69d5b7d90f38f7e01059e3ddb3f4e89a73af0726a9d5609dc765cfcb5d1047980bfbf82b3914897adf8a3982d516439a38ac1819e6ce1379863878ac97fc4b5f2ff441f5f574e3630acccc51793e952c7e6063fcae352410e04997f577a6ab021725d8e25c1d101d584eb0ce9b5fb547566c906a0a555749f8ead9a9acc791f2f1e4e7233b21657f05ee2d75e4fbc71f269d2ef05615f0c933ab4d7ff3afd64b21adcf7ddb555d2ee6059c41f6a2f57bba943ded97cced510bd02cbbf52f9142223e2b030f8171643ccac365e89f3d322a7205a0aed36e94c1e300f31c9d71b93935d4ce1b3a0e42670eeb76b9b6002e6753bb8747c73fb7a0c702d2df14a75a5d1fd85bc0094f348505454998c50ea1aacfb8a63bc5c77418a103d8b6ecd6d0d4a481237db141fd684e64a0b63142631180e39eb1e5224bdf21a29f576ad84ceed390f3ef1228c204252da76f0e3b15bd426b1ce66727c1e700a0583cd716362607c0c09db433948dab990b445d005c98f6d401242dd831b0bc9edfcc8fe1bceeccdf5cc
c45272a45884bcbc957c0f1bb8d2fc3a625eabb2ff61f83a95a99c6ec0e1752ec432205bc248b148d1dfaba0a9cacf8d54d6fa27ab941e350835d64a562f2026a1b29b2f5199782b384c514c19d1a76b20cc824b510c3317100afe3eff9b01a02380e5bf46bcd373bb756337ce8687702f5a4beda1d25a2ccbe3d53fb00c957814318349b4bab4c9211428c867bf42e6c625379eb0ec5b75122b0ce70efb304a9ccd708df5d60753aeefb0bd95f451cadc34900f24e45366753c1efa92131d2effaf41bafa3919db783b2c9d22cc7e1b8f236c2260c9bf2e7a3b9a4ea751b7b55dd47381bcadd544c25728ae62e2d6a96fd51fafa5c76f61b8bf50b5891210e16aea7b8bbea3e73f61029196907e6c62bdfbead62be35e2c714b6f0e5fc8224378988f487fb4799c23e8718274f0ac6881153024e541a02bb392012dfe27f0815e56ac7f02b88dc4205cbb4d036cdfc58c164219ccec2444a4477b7f8a9c15698178bce12e386a82d3920d5811eea072ff302410642ebc1e7120278e14c6643cc5f238ac4765e1b45c239f7e838ee60246e942405c807a17b235465cbb17f03afddc69043ae73ae578f55da41759062d7186199ecdf507d12aba73441ad2e6057bc05b00fddc4feec6781284364a978992eb195e2b27571b15fdd10e9ab8888eb0826bcc76b5534b7f5446474a31b57411c525fda1fa2934022f6462f6851aa1bd7fbba495efd2c275def068c3b2fd3f438f987d95e8a96dece5c18ecf9fad5d953a2c3d38f66a4f0022a74335119698b5f4a6ff428538470d975ae1fe80fa87abba6e1ade85f5e5fbb96b808b4e4a435ee171b838e0a556c23c1b980af93994280ebaaaae79a8b9b0b353344276c687b82d2bbc432672f02c7000ce49870d74a52f8bf66925778dfe1cd0c148d443c903c019e440659ae9fa326de59db3a597b4d208a3d9c4bba2641371603e528311078027ba007e0e5ae077244d3f290939ae6735604ba178c3469df241da9243055fb7bdfcd348091bc29bb7c290cbc2abcb1634de18efe0882f3eb638bddd9f4ea3f8211ca8d23a65767c4b45427a7c424182531bc3a94dc823b2ecfa57484ff6e64d8ed098e94647fe84d9828bd0d1ecee854a92a6bfb411991982f44b3dbb3c71015c8cf6f824d47aaa715e94ecd6e46d3986639d27ca0a9e2635cdc4c52a6a5ccb6a03e24de7aea55c7ee492ac3fa52dda7d306c2010165953c2ac16775be79002e4e68dfca61a052fb1b2fc74ca4f203765ab60ccb296d8adf275bef5ff9e99d554713809412b2fff3adef94965921fb04f2c9cce39bb36a57f61426d7921be06fbd5900e095fe9ef930bfc53cc0489b46145f26af0e1ecfdcf362bef9c0869d277999ef7bfe9e37e1c17084ecf19079863f562b50c65
3f520a3b5176ce09950d66816e830792bd759b6150ae189d2b0d0c6c03e3b7a36ac41052ae58a7edd85b111100db8a68829706f7cd3d5dcbb7314e8cbce8c80cc011090fdd136a74d807d375b9fddaca0f6a181dacc3bc7bceeccdc3424a339428c0e1bb805a60e8b99337285dc65bdc29f2893c42ef76d7da18700fe3b5006d8d95c532a78fdb7334c6481319058dfcfc2ad2924bc3d4f111bc301ddce84ba64cac72e6d4830d8033d736b830a913c02e338ff106b97d9b48f7f023073dff4cd48b7fc61d338cb4839168881d4224fbf7524d8a6a7c01a13068a19a5f38c7ca034d13d582b2db8421b570b47c656b2d51edbc18cd39643127f5c8e0bf0685bdf6b44f64eb4c07d2e9117ca45afdaef6979d37a7eef70e82ebada130561a257bb63ed5c9c3d3cf101d42c70cda123ea81a9f115f8bb78256450dbb6cb2899ed10684e8e18a1042ad83653e21c4c5f48aa887d399cb9fcf259b1ce5fc659a860a08c5a2c5fb3c126073fff976a57cbfba1074063435fcacb27b0caf0ac19b8e8f8f06fce07482d65d2568f908e93a0d0ef257285103797cc9f88f58eed2cd1717167f1f2dd006f055f27e392705f1ccb650bdfb07d3ab777ab9ba3ac3dffab3b1e663f154c62113da66b2fbd270eedc94a9437012625ce8ba9f00c1c4a83d588e5fca0e5401c66391a4155f3f86f552ccf9b4f0004a4cf1fbbb9760d1812f0c43cb54637b0ebcd7fe167c7700ea0031a5bd318338be50ee2783384e097284b8e59c170e8a156828bc99e773314e6f7a1f5b493ac21d9fe858d48e98b977caf42b95e9d54d4f17bffc28cca75a647263825f129bf12049394a45e75aa0e6c12b23ecb2b3251099a95422f19e447f6d3d337f9437037403c93d6d705c0d5a5d201a8e30d6b48cddea751d9c1dbfd65c04112695feca2dc25e9d9e73e5a5e1b146dd2ffb66f5647dfe44c1dbf502ecad9726812e9ccbf19c72cf32b0418b714995f58742798b624494210de0d2888a3bd6ddb47f9034344d08fde2d6b2ef97815c6a3a6e7617924dc02d70d713daca363a44a9325c4a17d6b7754dd4232c27c2ab9f796cabc49347cd35d2e25f918aa4ef2a775b556a248c5820e606af7e3ed95d06313cf7a07c3b0571b8ebb05b4b9770a047d9916906270959253b71d26a16297d5c6f2ebd84f9140a0e4543052ed2f8561952029286a358d7f1e1ad6650ea206a469e87874d281c226bc29bb5ae95c7c2c1145aa22c2f2c84f1d431f46e94d8e372456e0ae74323e680348d361f89054aa99f90526c1f243f72d908d039753d0a960f7788da707fd1f2cc95ba7be64bef54f395329533938951b7c85aad62a79ffc33f487f803fcf6bf2c26e6f82103a6698d76bf780ef70f3dacfba41418bb55e4a16014c71a9a2e
56ebefac29a4804ec152bf89810f07b8acd9c5e697e14d40c3c8502c51182ca9e3870b392de488fc5d74748f700ab286e00db63f8c3e56d59e68a01b9b4866ced3d1e9106d1b7df659a14f59fd54f5a4727ab068889425c07a463da32f69b8bd7e747b08c7bcd323324c7f790a76f4dfa16f26d4242b16b3aa7ccd115f5ea17f5468f29766829fed9bd9d735d82b4faf5aa9dc0e4a577b53d9cfae701a54ebb67c75057053d8a4243cad178b9acf9c087518fdf50103b4ab347eecdf6a1c1b5d0c2a236d429cf78c2d21f0a7d213bac5b95d7d8c8ba71a28a21828b5cc3e87c67afffc37c7daa627343347789bc1316a670b298144283b81e73042039d627404ab5b6cc2001839d1fbe36b8de715a838a24c81d15d6071b04a285823f78f53d99491ecb2842f17de6f508441c8d3e75f6a35027c72c3ea003ed6ffd6c4043bc067c286406b531c0b553eacd468943659a586c17091b975b854dfb8e197bd72768b86458a9eb2e8cef2c6904579e6ef069191a0a2db735c5c8fee1102c0c7acc7c1f0f0b17913559e0f0fe6f19da77f878603d72170c398d11a838a5370edad089b0b0527a5cb07b33d7b38a49713be10f1ee477f867d5600936b6a9c74bed99a4db81e1cd7f959cdfd37116382b2f40d4eb980744772f73e1aa4a93dcfee36268845131c124369db4d0cca54d4f8c3899aace46adca0ce186ca23e2ebbbfb7b19ee441490a4962e5117782ae12c191f6dda42b96473d22cfe1636c460e56e7ab0548070db7a95fd6b3df5aed579b08b5815cfc8a153bcf141253d88c55b5ca968b811c0aad767a439db58677d5bb13696d6376aa6926b8f0acb54363fef2c29d358532eb252208471b146949f0af762f40417ced7bec03ac9752f2e16da680d29d9ccade97546fb9c0f46d911d735e9cc578308cefcfe8f406af2b7239f47643696f24443cfeb9f27259ed77a876822f734b739dbbcb9b72096b1e581e5fd12c957ce71f3c69a0885d02d46503798e7b09749c4247fead044aca5860b2242258763140f706e7509317f1ea81691f9d80d054535d639da733aaeb7cd4a9b0af300ea02d384380d50ac5842dd8fe47b82cda8ce9424ccee49763fe46ecca3e1e9e10f1017e333eb94ff1d20b3e59b92ca10872c482a4c1d1f1fedc95272bef6173a58d94c464cb52f34759dc644d972031a1b5025022e8f85173efb913ea59cfbec4da2586b29308a4d418432a79972b64d9c756905b96e2426f634860c944791ab13cf4010c83ca630d2ba4cbb55505eb0790194d927164ae80c0db21954943c66f5bc89beffbdb3e22a3838406704e1bda3aefb5fdb2a71ed23b4b75352aed0db5c8d60250a49a9e4899b0983efd5662be361fb28288b620666e05953cb031407c0a2605559d8cbc
0421cbe61831aba85c5d62c1baafb86b1692456b6f0628289bd57bf9187b40d4aed39013f857d1912e561fa3b5998168662010a287c7e205e4e8a9c13ba68ce1de8561d9afce4b5d57917558e13a7cd3f4ab1fdb2c8fdfa4f61b8ed6d60ead1efeb9216a1fef78fc2099e8716522d3cfa575888823f558bf15e30e1ca995ce19c9069ddbd57c409d52f0706cb3e562fa18405e4181614230acd0c51e39bb7d9621ca50affbd209fa67bdb7193cdb97dcc6e5a7fa717feb917c13aab6c41cb4f2541738b0dca8b2b129e5f631c2a8fc77f366078286c90d83910d1604e805f9c2333b853c14bb4a3d5f22a641fe545121e14b7b1e3ecfcfe3ff8914a716f2428724c3ff13188b5d06c8ac9715d54e81836b2f9405ea8e8515177091afc064922ac4f409fdd1e1359b640f6337c4a3fd4a3fcd3bbe63c984671e15654c1d6621de7b3a95241c1642fb7a713ae1bfe8aac7bc26f613fdd226b19e98987c3041cd84d5ef2c78faba10b0094968f2747d42480a7b8ddb2acf2f87ac4dd22bf23a2da943c35e76dfec22234c0f254adb8e3d32181ff35809f41a619e646ea3ab7d2554cc237eb80aae024aa3616369d00bbd6c62b6e17c9f5d45bf780c721bd49fceef369349f58191a19d468e73dd9fcc6e38e20d3b131a9c67778b4f6cb8d4db5dd09036908119b23de74af79d71abca4869357b9c5e808dc60b6a4323b2d5b8b75e4d8607207334bad78418d6b7287b90d3480ff5946c5c41cc5291487701a08cb436fea3aa7638aa5f4ff7369f526783746600794f28befeeb543a11c3ec5f3245e3e0557abbca2c42ad2dd7f7d4d386884c70dfc1e45d56cef5a086808f3c94bef9881d0e45a98a731ef16a432be8bce4172b4a8b8f12d2ac858542816db541f11baa9f8632fc604dedbbf197c573a293c96465e64eb1e2071be5c060f168700bb789e993264551620303bd5fee285129ffec0eab47ea52f856224839787d2abc159421016c18597649607de74eb86f7454bf2b7dfada50c780449b1d636de6374f7fd9109f5b39ba67fbbc209e37c57610ee7811e26be2dab80005d72d19506a23861b88208a883dc9216c608e7d858e33f58088a05ec626eb3edf9ac3ed7de4ea80b0c23d1f0d6ba248c31b200e28702a3e713a7383bc3b6c660c2e955c39b6afeb4c9e0a72fc4e1e0a8c00183d8123815f0e943a7bae2bcbb1d4eeea175abb5c4b93e85d41542f6b8cb65bdf10c00fee8d8e079ccacea1f3a0912ab7ce1381d821191c7cb4be46bbf8cd07256b0f81be4758f35fb7537e5353080efde7521dde5e9881fc91bd6c7846c77049ac303c32ad9de7754d06e00a9b8feda1abad27192c550955589a6c41cf14bca6cac53527a37f4bc08b9005b42b9c70216c51b337b335fb5a1cfd9c
d6b59f76ab90affe4732c7e304b9ccc82ed6af679dc39c91998fa682cfe4a6864c1b79e5e2da85c3211502aae5764a004a3b3d41005d5cbc118deb022a51fc1ca56f0c6f5732266fe215a3cb6e949698bb1ef1a7e67ddeb8b6bacf9aeca16b073309d7a7f8edb56f223c39dd2bd08e669131bd51b8cf9bdeb9988f71d8e553324492790d6a7aea92bb41dff044af0da6b0b403c80c5bc4f6fe92380440372a0e993a4ff3923b327992517041db7ba01280cdbca96667a0f37213c204cd7bfa009c2b4adce2846f9e9eae207cdf5350b30d0ec746bcee5b29b44fbbe3910fc015d164deabc65e8fc44253a7e42c38051fe184408271f8bbe0efc739a24820d97db1a5b351f3c3f02b17ad9984bd4c140972a71680ef1bac678830d5fe38562bcfcbdc268d8feeed8c7da82aee6d12ed0ca88454f2631d86ab6742167eb34eec9360c8227bf96fc1b17b3d0bd5ec8b297c61407c6fdd3d6965dfcb363326a85f0e84773f9fdfbbe3efa72edca1f6cf8c230738e104c15947e8f54dc46a67a40e4787fda23bcf4e4dcfc43a213fd09f1c4e61143d4ceae85fd5237c141d1f521abfff83cf23c624dbef356fccbb880c729664a568d54fcbe1d264deef7ab4d7b9be1d0ccdc4e6e78b324270a7fc806ba7c5c2711a34f43d3fcbda22968dce2372cc3fb35aa6578cee49b7425758be5fa1c3c6729f9669d9d067e56b7024a8ea7eb118be8b65ed817a7a2838ba8959ab9f3cc0c9b4b13945e1ce89b02f86166aa89c504a27503d1f57df0516284b4b4f36265b5bc9d8393d15f6b8d2a18046f78f2ecbcd410bbd2842be4ed69dd70a534490befd3843e85b12f964a12855e2ea18002200c728007d3ba098a7be3afce3608dd533eecd536c4d8d7f4da1ac96ad45c84e811ec3df571c78fdf7f8b9d0a1a45882c53eb2891bfa6f5dbf4c5b81ccbbc1ad6d73847f014841eac73782a1b5ead5cef12bb5a1a4ed82a9f4faa96cf303a5904c5d51b3053b141eaeac0b4b333e4affda6e869472c634dad1f270e1d39dec683b7e84afdedffb1daa22eb3ccbda3380437b67022c83dcdbef46978fe85e4b0e066621c1ac5372b955ad5b9048fd0f7ec567f1cd8e74ec8dfa4d87f553ac3b581ba69735a8d4707cba2d0ee9671db59b2790d43e88390c2ec109b94b1b55179b39f79026c8f1685a50c6cdb84c0770b30c4fc2f4690922757878d607d3d10646725f2c07e8863a96fe35e5a206f39aa74891a643acd4b3e16e95e69118b33c5a0bb16ebc40f8cb25aa3c1ecf83a9fe5c937381e165f273bb0476bbf8cd351510a53138124acd75ac598528d6bb492d1229dd50c1d867181d20fa6e2b00b46f5cfe910b61958484b176a6f168e9161ade81411eab0aee2051d30903af597ab648a2062dc4e2428a
6efc01d3100e120ef09578596d0fa3f36721b7423d477bd9c74f77418bde1bb94ca8aadea4027ec2e066ebb5fdb37eb841a8d0522349f71a0c4c9a4ed958b0c76d35e6dde3ad296eac72409ad47574bea30337fb226c335d78f5cdf8612cd1e04e7619c808ecdf2b9a2ac0616a0720d6c3ca856fa8370d202f3e622d547ee3316b3ff1d271970091d00b338871f9b70feac6844c404a9343e4cea8cec59b7be9da09b9d125d73f0e8823d3fa9bd247a1add73a73064ea265bbad9f30aa3424314a48eb710f4d5df40258e9299335443226d4bf7812febb7b2de941ddddfd88ffbfcb5bf7518b8e99933bcbe477bf1303c263133d9ebeb1549bfd552065c783ec284a9ce9b553a20d7b77548f49cf519049ab5783afdbcfcf6c7429e76ab5419ebaaea468f8181d3adaf30528e67950b5be474207c1a7a81f0f3db8aecb28d79d56fda42b955194f6e47ad33ec19f8d8b996fb6d8b1818981aa2af6e069a4608258c5ee64b70c9fb3a0e45cc014e4f9addf951da9a06727dd22005c921dcd79ea3c711615b8a5368be587203fabc96b712bb8b7f7361dd268bd76a26931566a23ba17c56db36e003e6b75a2e756fe979aaad3b304ec8afeda488fb40ab38d3a920264a4f2bf1dbf55620b6093a9b36699b9c32ee344d043a4766184f102196feb205cba518f069952b3bf8f857aa2b16a6e55a1fd0004b7e8a5549a8825708a48bdfe71d2c138bd0de81f7f3686584b3ee09ef695a6fa68c2a2bcbf76da1734fde9ded42e4ee908e1e939c4ebcfc1dd5ebfb50ccf79bc877a396bfe76be7afe123c5538baf0e7c286a0505c63b9b9493960500153751017dd98eaa898110429ec87ab32d6d6d3908a27128463f01da7d7a410182bbc32e667031835e8ae20ae46467a73b1ac2f2a18341dc64a558c75cb831cd3496fbfcf42d88fd609886c90d8a71286aba45f8c7edafe0176eea6050d36f202f7c9e6bb7924396e040428eee610c4abbbe1cba688f508f11e01d4640e6c87c45d29cc3dde93d428b5028ce4c1d9bb95907a557223bfa9e9f6eac9195aa1b4990a9c125a7e116c8e5510f69c8b741836d7c43f13400c894f366a7d22281ff871782173ae78ab8740296aaa999587cc0005d2f4ee7b1b9be642ac1e496bc29946f72cfa6426cb3b07a2e948c18d2a1bac5e5b08562aa5f5407635c18ec0754f92d769a23c5e73f570c23b3d9561840d39b6a7271d9354ed79e26762946397df3ed2b2a692fcfe5109ef1941bc527658891033d97db15a08311c51fee65c8d98723569444e3945fcbc81632d19dcb9373868aaf4a6a3cdabbe97a915f83a386deb483d3dd126a9d1ee7b2b4f386dd32566ca0469aa6c6d80f982f90dd6be7b3e6e5c231998d88951ab0eeb8bcea07f82ad8cf2604823
65c413d48e7dfe108a91b2cbbe4cbe2f9a52132b4d54fcd36277225c68ac40b5e3b443d543b891476f271d2352b3095bcfb083f2c3a51f248cb4eb3085d0c910741c1ae9dcc1445358a6bf44e626a954dc909ce85c1bf979b88cfac5fdb65d27e65ab08245aab32fe2dc08ac6312e0fb7f408d75e6b01a3ccee722540016b0247df32bf72a767c76008a92e0b11fe9c05004545409ac608e327c0d7dcbbb887c36c33cc9a0e6906c177327f2ccbb43a72d588eef87501112a1b643731d2bcaee89a250663abc668a3cca8abd78c2d23f9e6643df9bc3028fd56b34b21bcdb808492e35de98c316dc7deb4112fcead0ad74937997a397442d38eef00a7b4d31dce64f9bf09b514741bd42dc0d3cb1b310a34bddac411f46a523113d571b4acb991dabd8f1d1525223c5656efc43241574ff51c847fe329ea20c1ae30eef094c0e64c0de95d727a37bbc510214fcb3bf6ce4acc12d76c1931e0efe47399a584a590ec68787b17566ab2e518786e858246e8474afd178e236274819a3dceb7652fd74ce86e7f318d82a25306f43c7be9f6babbe2c96a1b41bf442008065d59f8b055c364700624308332789632a682fe243a74e6626127273ca87c3d172fb12e5f9ac7ddeb4b106108652448dbd15598a4ed3fa649b93c02dea87768131d49656272d1848ab4230369a5f043df758aecab659430d5f1045259d3506fb84ec7aac3ab5b5bfcb9689f3c1b5bb24695ec97687c992d10f2db52e0088e5bb7701e36570bc51d376b249597f030e597a84fc61756b0c17043109b035592c2f6355ed8072f5e8d4c155c4f119e07a67062887d1d5601fcfba1195c8230e69de048544e7153108815f9b64d21dafb1c9f5865887d4bb11e1d4dcae48c91240adf033391e1822c849f38a0a29955e653d069ff4d222ae08c14a8d024d64ef1060e52490cf0377b6a7f957e61764aaf155669c8ef46795f92e931c6bccb0b0125f60d0c557c89e67c0bbd0c5a2569690603495ec1e653a39f3b574cb42df7d84989dd3c57df8420ff18f0210462e652a573251ce56b62b816c4257a2be69165c7209a2e12af189961cbe35b0b14d105cf9c8403021d98344a5372ba79ca588092e418519b8002a2a090bbb843f6adb13933439e422f3d6f0317f49b4c92eda47c065383cf4ba9390dabfd757e63e20aa4f2c5e369b05166f80785899e22a08d074e2535a64b814fc105b1b68e77565da771ac638558a611ea4c27ed209f52eed08e53041e1a5709403c3273ed21e3e714cf12448ae0d69fb10482628bc35b031642c0fdc0346e38cae9872308df9c5f1256da8d40db3a048e42ebafb041662e23affced6e7f32e2d70d0087306fb1237a937b90523dc3d4e3939ae06fcea703a6d5bbae8d99323b121e6de5cf578
1fdcd8604c632129b66e9693431e04982ef5803cd1ecc3b2fc6281de955fd5e5f28986ea298524d23fefcc2f30b97b3900e1dff4eb2629de4761f9564d3c3dfeea05c633ab1f689bfa8eb5acdbd97ec6d15c4577ca900b401c2fab73bf704f2833183f1903f2f35dfda0efeaf50cf51b352c3f3b970a6150bac63b27024c6ba7d53d49d3abd9e23e4af60b3e004969706b215188fe2bb911ec4495570bc8511cf378578dd1a1c74ca1979834cce7742b4a6de492eea4cba3e63ebc661d17329ca017479cb3d1a16356b336b03e3a538c63a3f5aaa28ff94ecc31987f838d08b3c82ce7b14846bb930510025d8e514c194bb037dc70c72d56a48731c333d7ac4b4fbd410d408d1b879bf50baee91bb1d48880c20cf11b76a8e06e57fe895a82bf99746c1cbbc64469bc1b059e3a621095f841ea57af815dc34a00ab9cf4d30001c9712665d0f98b64083b177e21901bab8382a39a091917aa9bec1dc7bd11f7d3e1289ea746215636c17871f3267de96584b521e1fa3ef47ce41a6f25aba64a05783ee47f6bb8d3f495500d56ceaef1e3a0f38edefd53da0c6853f1c6c24fa434840e558b6d212f90121db3df0bd4f73b54b3ed9fcad65c5aed7c476f9cb31594d5899a32d979b9e20376b715000f314b7d24f99af72899c65f671e522925bfc966dabecbe3081a5a5d610417519d8237a0d102180329ec3c2708d3298c506f7a9a88b15c251ed48741c4cf67ebe00d5c8cb3d950d943c40f043a9d7ddf671577c5bdee7ad10edf26e1c48d12e99d70e5a1c4642af393c972872cfb1e11315d22dda189a36cd35d9b01733a4993f1cd704c36dcd15eba9cbf252a21e5cb17183b886be2e00d3a32ce09328f60e5c1aa26c97155608419e4429943571752fc53ebef0baf5b672f01346ca0499fdf16df5af75823dfa595872b569eb65a930caddbe9673729ee55efc49b2df0dda031167590d976202b78614bcfcd91735f5afd2a5393dcf192be245a0bdd673c6c81de5ab104c5214d3ada64a84e9dc9616ba71678b6f8a564d956e4bc6aa52e9b92961aeab853bcf7ac1a069ee2b81fdfa2aa85aff86ee3c9ca769dd3bf4da010f08bb9e87f2b9000e0b2cac60e3aec7f2e8cbd63d4509d228ab71ab24afacba832f3791bcb68910ada4d9b588a4410aff25149028975bc71bf36ce82897a796f5d5a98e3057dfa7a8a3a021243467e11303d1d3d9d342d6e6a3238a420d90b018cfb90bc4a68e40b73d3133c613118cb6871339b359e0136d873905daee1817963824c3dd9634edcb4f24b35083d4e72ef28a8cc1dbe04d930f99f567e0cd7fabea8315e8d013042f6008bb0a8e5adefa814f79e2f70cc4171af32c431b0b7e148b071df7575d720973b08646b0312e2a6874689a58430ea112f6f
c4b5a56c78534f5809f785e6094ee5bf38be21676e4fd71a193033b0de273c2c1452c1c3e4c6de0f499d9839ba1625640a1b2eea532695613372b1f519bac2c6318d133aebb079f9e26d7f47b5cc410681d09d23f167fc5a43da874b9915249afc5c9195ae2229f21a14a178e66deb6dd765b306d9ded7e511945193194f118bc6e1ab326e2e8cc9c116ee1d6122793663319ea8721704c15eaac549e2ea9ac4e7b9841ab63c5e12f80f5081a4f04b0abd58bcf2c2c6965fedc77cc0222a4003ce7f51c130306f74ef98ff1cbf65e02ec98863d7ff02ea309d417d0e6a75c409be4019db6f99ceee78e39ff4d625b448761b4913b43524af7d7ec0dd0631cb97a8be0ad239c2017e9ead8529c6713c760e7b104869162f38cf4111644be90370dd298bc1a874b567e39f606f394f62fbe9b5c6111ed1f12193168f2af7ee60214171578b6c2181566608a3ff2fe42f7b04cf4674a682c6e2b0db02e4210ca10d7126ff38b68782e702a7978ee7a31bc37db46c714858a7d9fa88f86b435cfbbf2d1505d4075588b0543d246283cc09d789f1ce2a60faebf09e11a41098184d3b716e0d46eb6580208cb74bc0142075f35f2bca241d077560ac7dbbd240ebbedd9437c22c401d6f79656bc1f75a5c2c625714fd73016d4d9d0223c65d76e19e944f92936554eaa3a68b062588824d98f07aef58d533e0dd6a1406f4c6dd59b611e7679cc27736816288d0cd9d92088d00afe5fc7dc1527acd9c5cb25e5ac01092e40b530af711478db5c071546a4c74c429c2c77b69bd7c5397645ba1d0d872273daa6db759df53c0a718fdafb222e6d49c44843a31f3780b0bea398e005f53e430ba2bcec7f5ead0ea36c10c2306cbd9cb928e5d788da1ac27366875a623df30263f7851481657e16782b2a27168c105da4bff690a9cb6cc2306324e1d56823b649d3ca9eadae4ce5e0d6969dce92ecf0c0e81feaed7bfd3fb13f2d4e548cb724ff0b1685646f99f754df6a2302c498633573eabfb2802710dc70edb366be7f343f2476ba19e371ea3e041278ff01801c5de4b057c59bbf251404018631d1270a9ff0a0f0191f3d5797498a9b71854736a945a6f990d967f29f5a0ffc7e20c5b8001b73cbe20d75a668b6961b44aeeda1b57e3520de141e4cf32deebda2e562304339e3715389be537276931d78510f83286be11ec8e8ec14f67f603e18dca9f929726be0c337216b88113f00f4cd5526f40f294d4f72eaa120bab0cf536779903576436d22df5953b87a591b5092fc8e5fc5097233947fb07e6bdaa80e18a028721d76b9a8be32cc4c70552223cd1970abb11d33cb1cda59950e18a767df6aff5fb37488621bec27b9292ea88010c4926bc61f9c0fe20e4187da939ff2beb66ab492b45f183d856
be322992a7404361e5122cb8568d8ec53057f0d94fcd2b897fd315267afc7a38a99d105448d900619c7423271686f290433546d98565e5f8bb3cc0aa8cf8870bdaebfcfb4bf45453608d74b8aa0bcdd98e2cd8e04352df3e6cbebd384ca197cceaf4bb5139731ec1126d08d217e292bffc3bee368b9d96f85fdf5935587df107a20d05880c6e8e6a758f14e81077011e636adf6ec01fdfb96db24be9a62c74e47a9360055969fa916bcac2dde45e719cf99729766a27306d7353a3ba7686f9ef0405966fdd77c616470b6c196f0286ef16fe5505b1762102413679e9c91782b7ec6a6d04813257b2427458afd627cdd608d408391e67412278af0daa1018ef8876db102a92c031b5a2aab225d2b84ffb6ce07046e9398ba80f21bc07934b4becc299b1cdc27e9c379801c1c3fe3ac0755cac61f59d044b50525dec796e001677ee39d77705cefc294ff9d8cbc28f7984c2e9b7335723e79855b7e92646d11a61c9cf5468d06b54950ca7c42991f893e91d2b1d1e7e4bf3b8c02c7c0a640bb80c2484d5a55ee001019cba3ee242feed1b0d42fcdd7a18ba1e7c2ccbd318f7d17799dccc93a9bee9fb11410449daf8014417498f4a33af9d0ec4f9f1e8068033b8b452c8f10b8b2f62f431658048f5484956fa0977fd980758bd6dc9785ce1293f702afe545286d8804333cb5ed0f7c1a4b38777523b08db5b09a6bb3addcbbd095dae75cd424e30271ed94630d36803f77f2485a11c2cc2b8e78a164ca1c5d514c262429273bac0865320f4f8b950f0e54db424284bb91e8232df4a47e5bcfd4c17ef96f9f6a94d720cb457ad778ef43ee58773d6a2e125a7727b3fda4faae627c6fc7c6e73aa95dcaa72604fa3d5965ac9caa8a4260bf4d47821de3f261c214d762d8f55f77ead902ce343829166ac0b316b6e5b1b34d8bc3e6d64bbdac9fac806fa4e48c1ce6c1a9bf0e565ded6d15fa472bd1fe688ed56b9ce8940fb62c4ec48d29ab8bd4260bf7bddcc09caa9402fe4a299548ea2738f324d66bdfe3a0cea466c7215d68c028ce7d255e9ef6dff9caa4f99ce74324036328f2d717b55dc3c48239cc0cc359a3725dc849f894f58b6908714eff472aba37ab283ccb7dd5707fd15845328d23309b45393755f28b4fc031777f418a4cd11ccdd0ace104c08dd4faab8b56aa37b51068b8f107fb392f6201028b55137dbc6211a6e67b657176b0a05a20696d496d852249102829f96431837335597ff4294fe667a039aefc268f47b986b22c2338cd639e5cc79e6917df9e8132c6a42df0fee096cb192a7ee8a4508e2642a176e28b60729373b444ecda1ce2da57cb966c1d285173c36f9489b1f08db9d8b4b2dfa0e7de81b499f4bd21765f10904b10b30dbf7e8301572b564b4ca57e8349fa410
39712fa9aceb450a3d4339fc2e909a8eb9a3a56ed1b0d5996966e3437d6e2d518746d8f8697ca9f375d76dc06059446f2117b48b2fcd081d196988106b13e5afd4e042ccc20016adf2069d81fb303af0778dcbe05688682527017bca7ae1250055882bdbb5d1f0cc54c70cf3be35fe8507b1b65cec2cbce09495ed7af3816eea9f775b31dfba5e968f9fb6ce23598d8e52687142d867a468b55ad9b7106885a5b5f35f33548bd5001d18a3d4244144666c2081db896732a96d80d219c5b7c4ebb435a6d44086d6c411b8ef85455fbed093e5d168d2217c05ba1e2ca1401286013442c4bb01cd440255c7bd0199701f961bdcad1e376adcc20f96cbe887a24128242f8a7996b18de6d01325632d0d5bd27dae2d0a63a7a34c047b9bfbba9abb267f9f097435a3108a0c2686d9cc6ab4e7100097c45b3e58e2c610802b02d108b04cfd218f346ffcfccfa2be06b2ee9327ed4bae40f6cefa6d0a741c740e0dbd12c2cd77ab4e56150264b0cffffcbb27679f73099731921e38eff187c939587d14518c514fac44e35d77a975d1fdaf34e9ad2334131f26c24bbc13f2df90666341d1f5edd07b8d53b7703d4ef25bdd7a4272c0c17f7f6d5914bad5de0e77afa25af1eb30f18f1c6d52c996463351917de5f612ad6d3b57e1e0d9c3cf7659ec28110534f864087864844ced73b49082b77477be465faac436388dee32dfc3dd0cf5dff1991704c8e8d6aa22b3263b66b23f3180d11d21854bc2ffb2775f7a8b3601e9a6e5685eb265450a222118a5115c8dab86db406d8e4e2f82e7c41214ea54b355082bd153a7106048b72984dc0e01e4b8252d36f1e9c4a1b7179ae2a656fedc990cf54b2c4bd927b034604b04989c76c6782c496c23ef8e7958044d5e2a0caeae787b7303db8594005db1f8127dc7ae3c1617710ca451fcb6ffc9d0e5d34f19d9ffeff61325d4b4524995fe0fdb66dacf9de64458d3a28ab8fc07c9d370edcfda9e9c87416039adebb7c99c447624ba0cb8382d2e4c0cf1e8a70139c4c08c1d5d51548d2789fe71708081f2cfd76a8a897677c0cbacd129df1694941d26387d77d6f1aadb7fd4434121c267211843691651dd228e377256578c3c88ddf0426664e86511a3f8595d7bdf37ccaf396bc9e7cb0fc789cac81f6326c3612b3b2290d07041dd0da180a3f74ff96d82348060900216534c3069100704afb1372d36260432aec3f88fd0a4c4ec7ab7f002397c8ac60758f2df97dda34c302ad5bfcf0c15dfec61fc7cadfba50021d0a813012caf464cd6a16cce4ba49078c4c92b3e049b6d955bd0f99121af65067cbf88fb2c557840e6b50d92ef387ebd93fbbcee39a83749249a6de6174b88ec04850ad88d42e425de196fa9299f637102e4b19a86365df7d462019974
ab6e790ee909ba3930916473a3e9d5aa856350126933193c807746e34e2f5451672e08e0718778ab3e3946611834948f192f204a06c363355457535c3eeb8a3bfc9dcf9e2a5bd648891255907995e923114b5581a8d74a60fed02f184ffe5f14fce6eb63f3d2bfaa4f16dffca143ea0e922a1fcd3a9f3a506239191b1c25071332ca3adb17e95c77b6e55fc0494442d0574c3bf54326042313602e661b5824920fc454e54c224d7a92e11059e04aac30e3691246cafcd66624cb17907db1dd0702de2554d2db0fe639b8a49735a59b58393a57acd3be6584394ac36d328e354323a8b9c23c9833b4a1d480b55889ec6f6f4fc64a2e91a98705ce5739a9aef3b977515b9370bc5fc69c5ddef488c40e5064653f6ed2381384292087879988ae37f41b515ffdc01de8da66cb9fc6f0ba1d5d6ef7ec616f575349dac097d141d27036e2bb74b02b7d6fed9c7481a84bdd72e2fdd7946eb6793399ed9f7d2a780769b3933e25691351d3d766a0fab511283e2b818af89a2c40277130c1ab6c85872b20548140d57e0840a23f5ba7428e8b6e9f7f5318cb5a5fc1601c06f3c892a1cebf9f08eb2eaeeffbee2337b820e36797c8d33570106eb31deae4ce2e0b70ee9370dcd6a48b4b6d66684b2e53d0e6c1d41bb28f6c7219010418d88c9d17065a6044b3e247af1d2ae04a40a3b64cca6be89f53c39f81fb9449849e368d220675916f81206e5d3fbe58dd4294f89667eaa849f02624ceaec0eb2431a9bfee29e5adc57") r23 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000014f40)={0x0, &(0x7f0000014ac0)=[@nested_amd_invlpga={0x17d, 0x20, {0x25000, 0x5591}}, @cpuid={0x64, 0x18, {0x8, 0x57}}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0x0, 0x2}}, @in_dx={0x69, 0x20, {0xc003, 0x1}}, @cpuid={0x64, 0x18, {0x10, 0xc}}, @nested_create_vm={0x12d, 0x18}, @nested_load_code={0x12e, 0x7e, {0x1, "362e363e66430f57a90098000066baf80cb8288fc686ef66bafc0cedb971030000b8c7000000ba000000000f30420f01c866b878000f00d0400f01c566ba430066ed401d03000000c744240000000000c7442402493a5664c7442406000000000f011c240f32"}}, @cpuid={0x64, 0x18, {0xf, 0x4}}, @nested_load_code={0x12e, 0x60, {0x0, "c421f8107af00fe7649a4f47fb0f01ca460f08b9800000c00f3235008000000f300f01cb400f01cbc74424008d000000c744240207000000c7442406000000000f011c240f524b00"}}, @uexit={0x0, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, 
@uexit={0x0, 0x18, 0x4}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_load_code={0x12e, 0x56, {0x3, "0f01df0fa866baf80cb882caa98fef66bafc0c66ed670f01ca0ffdca460f01b3904e000066ba200066b8b7ea66ef0f0132c4e161eb5800b9810500000f32"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0x17, 0x4, 0x4}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @wrmsr={0x65, 0x20, {0x32c, 0x10}}, @wr_drn={0x68, 0x20, {0x7, 0x2}}, @code={0xa, 0x56, {"f341af66b83e008ed0c4e13573fae7660f74a60000000047dbc1450f0866410f3882941f0e5839ba470f795500c4015651af4104000066baf80cb8e27ff48def66bafc0cec"}}, @nested_create_vm={0x12d, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_load_code={0x12e, 0x6f, {0x3, "f3410f221766baf80cb8618ea184ef66bafc0cb000ee36640f2139c46241403266ba430066b80b0066ef66ba4300ec400f23383e0fc732c7442400ac000000c7442402907c03e6ff2c24b805000000b9970000000f01d9"}}, @in_dx={0x69, 0x20, {0xc3e5, 0x2}}, @set_irq_handler={0xc8, 0x20, {0xa1, 0x2}}, @wrmsr={0x65, 0x20, {0x12f, 0x2}}, @enable_nested={0x12c, 0x18}], 0x471}) r24 = mmap$KVM_VCPU(&(0x7f0000fff000/0x1000)=nil, 0x0, 0x1000008, 0x2, r23, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r24, 0x2) syz_kvm_assert_syzos_uexit$x86(r20, r24, 0x10) syz_kvm_setup_cpu$ppc64(r20, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000015140)=[{0x0, 
&(0x7f0000014f80)="04eaa0ef0000603c0000636004006378000063640401636014c2803cd1c0846004008478830a8464be018460273ba03c003ca5600400a5782772a5649d4fa5607c62c03cdfa5c6600400c6787811c66430b5c660f2d6e03caccae7600400e7785198e764fb3be760020000440000e03f0000ff630400ff7b0000ff670048ff63607bff1b0000603c000063600400637800006364fcf463607609803c6cdf8460040084787cb584645d858460f3c8a03c8498a5600400a578a16ba5647c44a560020000440000203e000031620400317a00003166980031620000403f00005a6304005a7b00005a67e5135a63aafef97d0000803c00008460040084780000846400808460dc39007c0000403d00004a6104004a7900004a6571994a61a75fc07f0000603c00006360040063780000636408ef636009c6803c1c64846004008478b4f7846466cc84600380a03c458fa5600400a578cf35a5647597a560ae5ac03c1931c6600400c678a96dc6646f30c660220000440000003c000000600400007800000064120000602401007c0000e03f0100ff630400ff7b0000ff670000ff63a7ffa07e", 0x1a4}], 0x1, 0x0, &(0x7f0000015180)=[@featur2={0x1, 0x1}], 0x1) syz_kvm_setup_syzos_vm$x86(r5, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000151c0)=0x1, 0x0, 0x4) ioctl$NS_GET_OWNER_UID(r5, 0xb704, &(0x7f0000015280)=0x0) syz_mount_image$adfs(&(0x7f0000015200), &(0x7f0000015240)='./file0\x00', 0x40884, &(0x7f00000152c0)={[{@gid={'gid', 0x3d, r16}}, {@uid={'uid', 0x3d, r17}}, {@uid={'uid', 0x3d, r13}}, {@othmask={'othmask', 0x3d, 0x7}}, {@ftsuffix={'ftsuffix', 0x3d, 0x100}}, {@othmask={'othmask', 0x3d, 0x8}}], [{@fowner_lt={'fowner<', r25}}, {@func={'func', 0x3d, 'FIRMWARE_CHECK'}}, {@smackfsdef={'smackfsdef', 0x3d, '\x00'}}, {@hash}]}, 0x0, 0x1c, &(0x7f00000153c0)="$eJxqm+Dw14DJSO1/e8m97d/2AAIAAP//OKcIHw==") syz_open_dev$I2C(&(0x7f0000015400), 0xe, 0x420200) syz_open_procfs(r18, &(0x7f0000015440)='net/mcfilter6\x00') syz_open_pts(0xffffffffffffffff, 0x0) syz_pidfd_open(r8, 0x0) r26 = pkey_alloc(0x0, 0x1) syz_pkey_set(r26, 0x2) syz_read_part_table(0x53, 
&(0x7f0000015480)="$eJwAQwC8/xqlOy2XIlZYZGJIETVblKDS140J0glR3zwsGkmIykjUUmHMRz5PZfZ25OmzjN5Kq6BcIOpvN6UpQpfiwqdtflUtytgBAAD//9ZjH6U=") syz_socket_connect_nvme_tcp() r27 = syz_usb_connect(0x1, 0xd9f, &(0x7f0000015500)={{0x12, 0x1, 0x310, 0x99, 0x45, 0xdf, 0xff, 0x19d2, 0xfff8, 0xcd35, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd8d, 0x4, 0xc, 0xd4, 0xb0, 0x8, "", [{{0x9, 0x4, 0x5, 0xe, 0x6, 0xff, 0xff, 0xff, 0x5, [@uac_as={[@format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x82, 0x97, 0x9, 0x9}, @as_header={0x7, 0x24, 0x1, 0x91, 0x10, 0x1}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x64, 0x5, 0x5, 0x9}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x9, 0x1, 0x1, 0x18}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x100, 0x0, 0x1f}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x200, 0x2, 0x6, 0x6}]}, @uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x0, 0x9, 0x4, 0x1, 0xdc}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0x5, 0x9, 0x6, "42e9"}, @format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x2, 0xaecb, 0x0, "e0ff89cc39b242b2b0"}, @as_header={0x7, 0x24, 0x1, 0xc, 0x2, 0x2}]}], [{{0x9, 0x5, 0x1, 0x1d, 0x20, 0x5, 0x9, 0xf}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x5, 0x7, 0x1, [@generic={0x49, 0x1, "bedbdc40b657915aeea36befa743bbf476bbcc3a55777437fd0c0862a5591f0b8091626c6564a62b6995d0b1ac34995d442de50d21f30da08f64d3bb0e86086e62968216d8cbfe"}, @generic={0xc, 0xe, "1cca42d0d4c12478dbc7"}]}}, {{0x9, 0x5, 0xc, 0xd, 0x10, 0x4, 0xef, 0xd}}, {{0x9, 0x5, 0x0, 0x2, 0x40, 0x1, 0x92, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0xf, 0x9}, @generic={0x9c, 0x24, "9462e78d67a7938309f893388b585f99ed3cae5aeb241e37eacc73fb040b917d697587fd8885dcc892bfee22871988c70188e9e84546a796e56ea48370dfca689aaa0ffd0841c7e28cbcecbc3beeb254d902498dde373f5e920932acdf3222a561174a85ce36d5f5c709829a0429f48de3266211e3532235cacb3a64fff3e30182cd027ea660bce24cc197bf358f77953c964de4530416907fa1"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x400, 0x4, 0x0, 0x6}}, {{0x9, 0x5, 0x1f, 0xc, 0x20, 0x8, 0x80, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x40, 0xfff}, 
@generic={0x4a, 0x9, "13df6f0c723d233880c0869f46c9399e148ef0d987297635b6bf6f369cbf8f07b34b9376ff57dcbdf27465eb5153fb8dd7ca2fab2737dd515edef1c966915e0676db831f2b918d82"}]}}]}}, {{0x9, 0x4, 0xe4, 0xb, 0xd, 0xff, 0xde, 0x55, 0x3, [@uac_control={{0xa, 0x24, 0x1, 0x3, 0xa}}], [{{0x9, 0x5, 0x1, 0x3, 0x20, 0x1, 0x66, 0x7, [@generic={0x8c, 0x23, "c344bd7f690e1122d6524ccd0257c1185e61c3ab3ccb366ef9037a58035418728d9aab96717e220d7220fb964b7e928d75ef45859131159097fa85b2d24eeb7fc590e048eb1ba830ac343bfd9a3c32dfc93fadcb90f93a63c737834f5e2d4e7368e02ec5f2106bef935e5e74c3e7d2d3d16ebffa13a829499da442f01726d07a338feb612c3b6e5193b8"}]}}, {{0x9, 0x5, 0x1, 0xc, 0x10, 0x6, 0x73, 0x2}}, {{0x9, 0x5, 0xe, 0x1, 0x40, 0x0, 0x0, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x8, 0x9df1}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0x84}]}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xd, 0x6, 0x6, [@generic={0x9c, 0x11, "61c2c581bcf0dc3a09ec5465d8b39593b51cb568ad67bf219f28a637f8b8f3aae7b6cf31069da551c5d90a297ab0cfeda543a0f762c8185babc43a4c9bb3b095c0ee1396f8b1fd6219b31613b7560d309f173c80673fb08529fc8f175291f99856af198cf47a32c76df6be449493e5a66eb4664b84226ca1e2c8f2029ade7d75316b104a3480fbf7d4509d748c36f659f8f52743fd077fc7df42"}, @generic={0x4e, 0x4, "57fad147fa12cd27896e4e92ba1ad4058c8d43ec2150d8732fc5ae105a174ed83942dcb79a05b10fd4957dbc1ac027a2df5728b2b2bb9b5bc51f9a8c88e9fa851138c7cdd7626641911cbe0c"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x8, 0x8, 0x20, 0xc, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x8, 0xfd, 0x2}]}}, {{0x9, 0x5, 0xb, 0xc, 0x10, 0xf0, 0x3, 0x9}}, {{0x9, 0x5, 0x2, 0x2, 0x7b7, 0x9, 0x2, 0x78, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x2, 0x6e8}]}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0xb6, 0x47, 0x1, [@generic={0xea, 0xd, 
"d7eef8adff593fef601257eb29f1123c0f04cf50d2f065a52ab835d40454ac46b6638738e9753c66062b76d457d6b363f7b7634feaac719c3e900cceb8d969210b573a62d4516498d598a61e6fa5bbd0fd386f9f1d7afef4ddbe39495d6e555d24555bf1bffe21fc472ab2a8d5d0f8a611ab5a46ae9b23bb6a6b363946dafbb2e741d34fe456f5816332d72d435fbd1fae4763325dac58c2de0a67277e2d74fef5d8ba6de17c31d5c7fb01a13d3bf00c3113416b72b3e2e0b80b4ab9cda77d2de3ed368fab4841fd62acf66e432121b5f5d7c8c036660d7a351033155e3eef2ff20f2aed8241d176"}]}}, {{0x9, 0x5, 0xe, 0x3, 0x200, 0xff, 0x62, 0x5, [@generic={0x55, 0x23, "d522b56c6dde6a698a23e10e4fc0798f87c946fa2848c717a9a33138fdb3475793c1b4d1722b3bcc36384d2589a27e5f22b289727e23f039ffdf2ab25da62c092ed01cb151b0ad8ba7758c32abd07f79514eba"}, @generic={0x96, 0x8, "70f4e5b83374f7b0de44ec45105ac31402140e176214641e3797ba0aea4013e3e7c2871f78528a256a2249dcad684fd577a428a14f446ce9d7de49364aa163c68dd1e4e20c0aa98a263547f07dae9c3e45ffec5bdccfb90b1ad9054da62866626bfbc394a1e9aec6b300420a6167e6e6ef4396dffb6bfc18d3b2537789270423867535f75b1454cc3b8a6aef5b65b9774139adcf"}]}}, {{0x9, 0x5, 0xc, 0x10, 0x20, 0x8, 0x1, 0x8}}, {{0x9, 0x5, 0xd, 0x10, 0x400, 0x3, 0x6d, 0x7, [@generic={0x85, 0xe, "1a54b4a07976e16cec507f7cfe00c93599f9fdefaf8bf86cb9ae60f5e7426c78b3e01cc8cab0aaf09debbacd785c9de3bb89551d0a241f2d65830f5364754991feead87fe8c8b928ac16853ae959eac27b59ccc86d22442ca629d120b1a09cf14184a9c4873f74ae748201f5f4e649e3724c7ddb89f458472b285f9c10ea40393f3060"}]}}, {{0x9, 0x5, 0x9, 0x0, 0x8, 0xa, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x4, 0x4fb3}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x1, 0x88, 0x6}}]}}, {{0x9, 0x4, 0x10, 0x8, 0x10, 0xff, 0x5d, 0x81, 0x3, [@generic={0xb7, 0x0, 
"bea8fdb50e624b763ddddaf5ed85d8170ca858cf74ac678eb54d2045e5fbb2772140e2cf1895cb693a914ffb891cd2c90d4827bcd34359d70107462ead889a6e4ed6968935a81a147ac0ccc81c38d62d6a84cf504552ec37d609b5475018bda124c09ea9f21303865fe464abc38cd84ae42de33e4691127e2b8553837d58cda51f11a05a1538ecff55e90f34a1c566c234c006d00b50b4b29e49b8d090f5a274ae37e03e49682c44c2b1d9db62f63233f9670cb2ac"}], [{{0x9, 0x5, 0xc, 0x10, 0x40, 0x9, 0x8, 0x2}}, {{0x9, 0x5, 0x6, 0x2, 0x8, 0x3, 0x18, 0x1c, [@generic={0xf6, 0xc, "d7729711236eb7896991e6ffe3dd7622e96e2e7d1760ab6452472bbac1d06861d9d49e4100606a227d342c6175945ade9cc3f46ec4627f92caa5d73227fae7a360d25fac9e5744073f0c054c9a5b8258dd279b736876584b904d943b23c26d9e6bc2dd3b98f36244158c760f0bf975029142b3f58bb63ec376d7f5d9611820d380efd7de6163ac8dc27144e21d92c93ffecc2d8c7b3bc5ead181863cd96a0abf2889eb10b687913fa8214b89de11f52b7d1936ad9c1c45da86a15e86b6c9060291d85b48ebc2344db8ad8cc52f79d4f0377a893b3da61cfc1513d2ba9536d6190de886a2d18ff8ab1f463f15471d7f96dc92d0ac"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x20, 0x9, 0x2, 0x37}}, {{0x9, 0x5, 0xf, 0x12, 0x8, 0xd, 0x6, 0xf, [@generic={0x40, 0x5, "71afb2617a61e75529dde0f32fa6ca4b857a84b3120b936168642c34048f292fc27a3a8f1f74580cdc36e9a40b4ff692f13224b914a89fb73085793a5c22"}]}}, {{0x9, 0x5, 0xd, 0xc, 0x36fb25d4600df5f1, 0x4, 0x1, 0x0, [@generic={0x50, 0x3, "17ffd473ba28c360591f571dc60f1324d4a34ab8d9d3c0686c13a61bda2464e1635423ebf4ed34037bab62fd30a8dd0a89f1bcbff3af4f0c989ddb6f03760ae76f63ffdcbfbbfee9a135257314aa"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0x2d, 0x10, 0xba}}, {{0x9, 0x5, 0xe, 0x0, 0x10, 0x8, 0x7, 0xac}}, {{0x9, 0x5, 0xa, 0x8, 0x20, 0x9, 0x7c, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x9, 0x4}]}}, {{0x9, 0x5, 0xb, 0x10, 0x3ff, 0x1, 0x4, 0xbd}}, {{0x9, 0x5, 0x7, 0x3, 0x20, 0x6, 0xf, 0xe}}, {{0x9, 0x5, 0xd, 0x10, 0x7f7, 0x4, 0x1c, 0x1}}, {{0x9, 0x5, 0x0, 0x0, 0xaead6ee2ff2b5f33, 0x40, 0x6, 0x81, [@generic={0x54, 0x9, 
"22a03d117edd7ff802cdb509b49cf07b1884a5d06a2872ffdd1f6a974c0574871d68b2fd80b9dde557da7eec4d7f2778a5c3a4bbef519d158a59f152fe19f598e43360f8a24aa973c56f46c4a68a273a1fc4"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x8, 0x5, 0x38, 0x1}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x4, 0x2, 0x7, [@generic={0xda, 0x26, "32162d9cffd7548ddc1524c6651fa112cb8399eb7daa746af4a3f458159bd8a487dade3217ae3224615d50ba5643301952fdd082ab52f64eb38bddcf02b06728a3bf4f73d3b780a3a5804bad04ecc22787690f67257674f728b10231ba2db83cb4eb841e5523eb43f3482d3ec33cb8187b87aa08a21e94e0394a1ee8d8f0cc088910aba4dbe5feefc245380ff1443e3a97bd4d5addd01f1126d4b70abcbbe140716a1c66dac61f66514fcebe67647b43bbd8e848333ff9957ebaace9d057b627a667e6f51daeac302b2129c26d415bc9a2ee7495b331b7da"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x8, 0x7, 0x5}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0xfe, 0x0, 0xd, [@generic={0xe1, 0x24, "66c968f67f56d0ab89d6819c67d1d6c215d2f3cf615b37028db269d93608cdf0704118e0ddbf97166c27afb51a132cd70f0fa3b7ad5ee3a441027a74122781ab0f1ce5fe7bd1153c8ffccd3ef109213f20d2bafd0e331abc5cd1fb54809a06c8fa60a9f0fc8e113f318c3a7f7bc6fabe193094ec493d246cbd702bf019796a8872b3c40234d8e90731b2dff88a1f0c4f1786a190eb16651e3ac45edb14d9fb898644bed61576bd7a9fd90c5217217f6b9aed19d4a22bff482d058e603d2a0cdc48b1b271b79b1e25d7fe6bb820506e48579a78af99e7e9429bcd4b07bc0134"}, @generic={0x40, 0x5, "8f82cc05df67734141e356e936a6e0a7247ac23b30900c5fc4148a14990b5004686de6cace04ade350f04a3d078c3910f7dba492af85da649432e26a7854"}]}}]}}, {{0x9, 0x4, 0x88, 0x1, 0x8, 0xeb, 0x43, 0x23, 0x4, [], [{{0x9, 0x5, 0xc, 0x0, 0x40, 0x8, 0x8, 0x5}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0x9a, 0x5f, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x81, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xf9, 0x2}]}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0x7, 0x1, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x1}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xd, 0x103}]}}, {{0x9, 0x5, 0xb, 0xc, 0x3ff, 0xa9, 0x1, 0x6, [@generic={0xfb, 0x2c, 
"df60d233063867e638f4ac474e685fef8f861557d0a31566d58bde1f04a113f6cb64c96056a81685a6dfa2978a60c2d94e450f6675e38b44c96bfbff6c5f3746609346497483dfc8ac2127362cdbdaa0253951a182272183f456aae2bd12b292c609e8e14b4f8c1853e0d87e0c3179c8be7b0730721bb30159040826f093510ce022587691627b236a66215620418df334d28d1d14f0ca3b9f4fcff06ba249dd19508198503a2c2cd4f3abdadbd4f1ace4e627bec97299a00228e09c064e5f342e00d8c8f2d5b1fb56485e736a87dcfe510c218632729122a4eb5d5b5d81df8be58527183e48f760b85c599f8813f89d706af7b22f77d68dc1"}, @generic={0x6b, 0x4, "07ece06586e01505f126e0db2ed1ac18b57549f080d741f38b0ccec6ba034d096429405619d01af435c8092be0e9c4a93c1b647e7c7f14f05efff305d2b85d51fedff750b87e5990d028fd338645029bd9ed95e00305acce8b899a786dbf30895be03148a7a1e3bf25"}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0x3, 0x5, 0xff}}, {{0x9, 0x5, 0xa, 0x10, 0x200, 0x6, 0x14, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x4}]}}, {{0x9, 0x5, 0x5, 0x8, 0x210, 0xe8, 0x5, 0x3}}, {{0x9, 0x5, 0xa, 0x8, 0x10, 0x64, 0x8, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x5, 0x2}]}}]}}]}}]}}, &(0x7f0000016780)={0xa, &(0x7f00000162c0)={0xa, 0x6, 0x201, 0x3, 0x8, 0xff, 0x20, 0x10}, 0x28, &(0x7f0000016300)={0x5, 0xf, 0x28, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x1, 0x7, 0x7, 0x6, 0xff}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x2, 0x61, 0xff, 0xf, 0x6, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x1, 0x3, 0xb, 0x100}]}, 0x7, [{0x4, &(0x7f0000016340)=@lang_id={0x4, 0x3, 0x457}}, {0xff, &(0x7f0000016380)=@string={0xff, 0x3, "85a764d829532917b6647a68a249b252f01a99f88767a2e9f13aeefab39cf6a405497e3244294b1bd485c0ec99338640a508fabbf11e0fd6a03bcc9cebaf83037aa77397cbdf0911c8dfb842f62f94766aa445925773c4f7c6701be8a05673afe95cf19c279ac62fd2720ed2dae689371c5151bf6b9e7727f8f497091c3aaa902f81e44c5173acf22152fcbc4d72a75e9ab4badc6788b2fdbb7e34b202e0e71feb1cc9b1ca791e92374cfc63cc7db5648591778bfc1948f9dad9b7fe74a588ddc9ad499993062666b3e0df0acaa67802ad37a86fcb411a2230bdd43fe8610f29c15179bf429f81876ee90b7d35a2263f91eb8d3c7c87c46600b45282ee"}}, {0x4, 
&(0x7f0000016480)=@lang_id={0x4, 0x3, 0x8406}}, {0x49, &(0x7f00000164c0)=@string={0x49, 0x3, "cb9d5f1c5fbc9474d59ffa54a92ba7aff97b2f65abf48aad8e2b09b60a5dc2744b250fe7529097bfbb2bcf99d0548a034fb7aecaf8dd808495be132e1b8c84abe53375dcf540d5"}}, {0x4, &(0x7f0000016540)=@lang_id={0x4, 0x3, 0x407}}, {0x102, &(0x7f0000016580)=@string={0x102, 0x3, "04ddeb57b5072b0dc9dc624cf2792daac535b02570dbb701e1db0e6c25d680f07b517f6582125baa7a7849eb0b11130e0024efe8a1c951363bf47a68fb5bd9acf185aea1627381f50343cb4bb8d7175131f2ae52a842db753904d3051a0ab082608560e8ac66b87dddbb9fa3514a31e5595170e3d21c018b37855992a2a4b348de99469b63f5438e240e23cfe0a26d30a91d953691d741b9d5d85dab27d40da71fc9d8677b0dc3e1d6060d0d98a71300d374e7bd550f6a57b6fcd444313f37367f5b55c20f1a2d44861e8a1a36bcdc769ffc146bb71ab5846dcb8231247f1636483dabb710d074fd2b8018d4c356d1825bb17bf96327e96ee867583243e8254e"}}, {0x9e, &(0x7f00000166c0)=@string={0x9e, 0x3, "ef2a4e829a0f6cdb32a449bba1d48f5dfe865e51f2287e2177391a43f9bbf1ca78d573f200eae40c60a21ddc2ad482df2a85f27559815bb4ebca560530b86553450ee38eaeb8712f6b77c14d47f85d8bbf641e1d9e09fa1e2be5e92c187ce56ef9949ae1d87cfbfe0ea1ba9f9b2ff0182d4b05ce506891c5a347ee33ccf9ce7d86d7ddf2bf38574d21d9654bbe80658680bef5589e2db6072d9fd0fd"}}]}) r28 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000016800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r28, &(0x7f0000016b40)={0x2c, &(0x7f0000016880)={0x20, 0xb, 0xc8, {0xc8, 0x21, "01f48fe831d8d1992472173ea819a3a2ade96121341354e85ca198ec1fcf8590c939f727aa0e85856b357c23bc068f24a22cc6b71bd4add3ae66955e3ceb2a8f155c4feaf36d9c4802968a53b086a4a50dc35475e75c1851e7d408540774e8982191e50606991f3f33fa708ef6a94041511098b0267e737b9f399fad65b7cc2efa80eafc734bd5ab1fdc3decc026fa7675ef45a1d17ffe1c0b1e00b10273d7c57d183c74a3d9b1471322b59a98cebd12d16c2834b226cecaeaf960e3d90776c23923eae68d1e"}}, &(0x7f0000016980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x280a}}, &(0x7f00000169c0)={0x0, 0xf, 0xc8, 
{0x5, 0xf, 0xc8, 0x5, [@ssp_cap={0x14, 0x10, 0xa, 0x3, 0x2, 0x9, 0xf, 0x0, [0xc0cf, 0xf]}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0x30ec, 0xf0f, 0x82, [0xc00f]}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0xb, 0x8, 0xf}, @generic={0x8d, 0x10, 0xa, "422d46fc73f84b4dd0c3d24d79f270975a978d736a0aa3e586ae4e9a232483cf25269718cbb9df730362ce6b7cf0e3d10079c328ee2be8f5ffc242a07e20f7c3db607c73e2cac82f1c73c8fcaceb151e2022fe0c73ad6619a4dace08659699ed7660d45202749cda47dfa1e0db87664d1eff73f0606d30b778cb8808dfa6b24cc18add579f29e81b12e3"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x48, 0x6, 0xf2, 0x0, 0x2}]}}, &(0x7f0000016ac0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x1, 0x3, 0xf6, 0x5, "d7db758c", "cb024e33"}}, &(0x7f0000016b00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x2, 0x2, 0x80, 0x5, 0x7, 0x7, 0xff24}}}, &(0x7f0000016f40)={0x84, &(0x7f0000016b80)={0x20, 0x13, 0x2a, "b3644b33a496f2187a5863e64c407cecd2d6d13ae23ecf1c3c53f78ff217cff021e4718cea7fbe4c3ba3"}, 0xfffffffffffffffd, &(0x7f0000016bc0)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000016c00)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000016c40)={0x20, 0x0, 0x4, {0x40, 0x20}}, &(0x7f0000016c80)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000016cc0)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000016d00)={0x40, 0xb, 0x2, '{*'}, &(0x7f0000016d40)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000016d80)={0x40, 0x13, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, &(0x7f0000016dc0)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, &(0x7f0000016e00)={0x40, 0x19, 0x2, "1ac5"}, &(0x7f0000016e40)={0x40, 0x1a, 0x2, 0x100}, &(0x7f0000016e80)={0x40, 0x1c, 0x1, 0x7}, &(0x7f0000016ec0)={0x40, 0x1e, 0x1, 0xc8}, &(0x7f0000016f00)={0x40, 0x21, 0x1, 0x4f}}) syz_usb_disconnect(r27) syz_usb_ep_read(r27, 0x0, 0x4, &(0x7f0000017000)=""/4) syz_usb_ep_write(r28, 0x4, 0x9a, 
&(0x7f0000017040)="dd9c6225175b3c37dc1963b4d0f463d6e382d956edabd131d419ff0b343494a2c3c8bd5e321a506b68c9621ab544dc8bd17c2f62f3c56caecb3908a6430e4d9eafd02ca13dfdcc2d07c531313862ad4271ecb07f10143f48ff7e738a4a77623d0d4b8921084f7c7a9114220624e8f12287c7369f8b9193de6e3a67ff4bf7596fd6c107e477fc1df67c16fec951a212d960cd48e3a1758e8ec8e7") syz_usbip_server_init(0x3) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_getfd #define __NR_pidfd_getfd 438 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, 
arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, 
&ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr 
= IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, 
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t 
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; 
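uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

// Picks the reply for an IN control request seen while the device is being
// connected. Only standard GET_DESCRIPTOR requests are answered.
//
// On success stores the reply in *response_data / *response_length and
// returns true. Returns false when fd has no index or the request is not
// handled; the caller in this file then stalls endpoint 0.
// qual is caller-owned scratch space, used only when a device-qualifier
// reply has to be synthesized from the device descriptor.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				// descs is optional (the string case above already allows
				// NULL). Without it there is no BOS data to return, so fall
				// out to "return false" instead of dereferencing NULL.
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// No caller-supplied qualifier (or no descs at all): build
				// one from the device descriptor.
				if (!descs || !descs->qual) {
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}

	return false;
}

typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done);

// OUT-request handler for a generic device: accepts only standard
// SET_CONFIGURATION and sets *done when it arrives. fd and descs are unused.
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

// OUT-request handler for the ath9k variant: accepts standard
// SET_CONFIGURATION and the two vendor requests above, and sets *done only
// on ATH9K_FIRMWARE_DOWNLOAD_COMP. fd and descs are unused.
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}

	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// len is the size in bytes of the whole structure, header included
// (see how lookup_control_response() derives the entry count from it).
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

// len is the size in bytes of the whole structure, header included.
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

// Finds the reply for a control request in the caller-supplied tables.
//
// GET_DESCRIPTOR requests are matched against descs by request type and
// descriptor type, everything else against resps by request type and request
// code; each table's "generic" entry is the fallback. Either table may be
// NULL. Returns true and fills *response_data / *response_length on a match
// (data is NULL when the matched entry has length 0), false otherwise.
// The lengths returned here are unchecked; callers clamp them.
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;

	// A len smaller than the fixed header would wrap around in the unsigned
	// subtraction and yield a bogus entry count, so such tables count as empty.
	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);

	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;

	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;

		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}

		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;

		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}

		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}

	return false;
}

#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8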
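name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

// The usb_raw_* helpers below are one-line wrappers: each issues a single
// open() or ioctl() on the raw-gadget device and returns its result.

static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

// Issues USB_RAW_IOCTL_INIT with the given driver and device names and speed.
// The argument is zeroed first and each name copied with one byte held back,
// so both names stay NUL-terminated even if a caller passes a string of
// UDC_NAME_LENGTH_MAX characters or more (plain strncpy would not terminate).
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

// Returns the position in the parsed interface table of the entry with the
// given interface number and alternate setting, or -1 if fd is unknown or no
// entry matches.
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

// Returns the stored handle of the endpoint with the given address on the
// currently selected interface, or -1 if fd is unknown, no interface is
// selected, or the address is not found.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	struct usb_iface_index* iface = &index->ifaces[index->iface_cur];
	for (int ep = 0; ep < iface->eps_num; ep++) {
		if (iface->eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return iface->eps[ep].handle;
	}
	return -1;
}

#define USB_MAX_PACKET_SIZE 4096

struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

// Switches the device to interface table entry n: disables every endpoint of
// the currently selected entry, then enables every endpoint of entry n and
// records the returned handles. Errors from the individual ioctls are
// ignored; an endpoint that fails to enable keeps its previous handle value.
// Does nothing for an unknown fd; an out-of-range n only disables.
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		struct usb_iface_index* cur = &index->ifaces[index->iface_cur];
		for (int ep = 0; ep < cur->eps_num; ep++) {
			// Best effort: the result is deliberately not acted upon.
			(void)usb_raw_ep_disable(fd, cur->eps[ep].handle);
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

// Issues VBUS_DRAW with the cached bMaxPower, then CONFIGURE, then selects
// interface table entry 0. Returns 0 on success, -1 for an unknown fd, or
// the failing ioctl's result.
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);

	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

// Opens the raw-gadget device, registers the descriptors in dev and answers
// control requests on endpoint 0 until lookup_connect_response_out reports
// completion through its done flag.
//
// Returns the gadget fd on success, a negative value on failure. Requests
// that neither lookup function handles are stalled and the loop continues.
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}

	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		// Nothing was registered for this fd, so release it here like the
		// MAX_FDS path above does; it used to be leaked.
		close(fd);
		return -1;
	}

	// From here on fd is recorded in usb_devices, which is why the error
	// returns below leave it open: lookup_usb_index() matches by fd number,
	// and a reused number would hit this entry.
	char device[32];
	snprintf(&device[0], sizeof(device), "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}

	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}

	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;

		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}

		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}

		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// response_length can come from caller-supplied descriptors; anything
		// that does not fit the local buffer is turned into an empty reply
		// before the copy below.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}

	sleep_ms(200);

	return fd;
}

// Connects a device using the generic OUT-request handler.
// a0: speed, a1: length of the descriptor buffer, a2: descriptor buffer,
// a3: optional struct vusb_connect_descriptors (may be 0).
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

// Same as syz_usb_connect() but with the ath9k OUT-request handler.
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

// Fetches one control event on fd (a0) and answers it from the optional
// tables in a1 (struct vusb_descriptors) and a2 (struct vusb_responses).
// Returns 0 on success, -1 when the event is not a control event or no reply
// is found (endpoint 0 is stalled in the latter case), or a failing ioctl's
// result.
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type != USB_RAW_EVENT_CONTROL) {
		return -1;
	}

	char* response_data = NULL;
	uint32_t response_length = 0;

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): as written this runs for every standard request and
		// for any request whose code equals USB_REQ_SET_INTERFACE; "&&" may
		// have been intended - confirm before changing, since it decides
		// when interfaces get switched.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}

		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Lengths taken from the caller's tables are clamped to the local buffer
	// and to wLength before anything is copied.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		// Zero-length IN request: handled as a read of a full buffer below.
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);

	return 0;
}

// Writes up to USB_MAX_PACKET_SIZE bytes from a3 to the endpoint with
// address a1 on fd a0; a longer a2 is truncated. Returns 0 on success, -1 if
// the endpoint is not known, or the failing ioctl's result.
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	sleep_ms(200);

	return 0;
}

// Reads from the endpoint with address a1 on fd a0 into a3, requesting at
// most USB_MAX_PACKET_SIZE bytes (a longer a2 is truncated). Returns 0 on
// success, -1 if the endpoint is not known, or the failing ioctl's result.
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}

	// NOTE(review): this copies the requested length, not rv; if the ioctl
	// returns the number of bytes actually transferred, the remainder comes
	// from the uninitialized local buffer - confirm.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);

	sleep_ms(200);

	return 0;
}

// Closes the gadget fd and returns close()'s result. The matching entry in
// usb_devices is not cleared.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;

	int rv = close(fd);

	sleep_ms(200);

	return rv;
}

// Opens a device node. With a0 == 0xc or 0xb the path is
// /dev/char/MAJ:MIN or /dev/block/MAJ:MIN built from the low bytes of a1 and
// a2. Otherwise a0 is a path template in which each '#' is replaced by the
// next decimal digit of a1 (least significant first) and a2 supplies the
// open flags with O_CREAT removed.
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination: the template is caller data.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

// Opens the procfs file named by a1 under /proc/self (a0 == 0),
// /proc/thread-self (a0 == -1) or /proc/self/task/<a0>. Tries O_RDWR first
// and falls back to O_RDONLY. The path is truncated to the local buffer.
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

// Asks fd a0 for its pty number with TIOCGPTN and opens /dev/pts/<n> with
// flags a1. Returns -1 if the ioctl fails.
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

// Creates a socket while temporarily switched to the namespace behind
// kInitNetNsFd, then switches back to the caller's network namespace.
// Returns the socket (or -1) with errno from the socket call. The process
// exits if it cannot return to its own namespace.
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the namespace fd when the switch is refused; keep the
		// errno of setns for the caller.
		int setns_err = errno;
		close(netns);
		errno = setns_err;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	return sock;
}

// Creates a TCP socket in the namespace behind kInitNetNsFd (same dance as
// syz_init_net_socket) and connects it to 127.0.0.1:4420. Returns the
// connected socket or -1.
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the namespace fd when the switch is refused.
		int setns_err = errno;
		close(netns);
		errno = setns_err;
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	// No socket: report the socket error instead of going on to connect and
	// close an invalid descriptor.
	if (sock == -1)
		return -1;
	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}

// Resolves a generic netlink family name to its id via
// netlink_query_family_id(). A negative sock_arg makes the function open
// (and afterwards close) a temporary NETLINK_GENERIC socket. Returns the id
// or -1.
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software.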
If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code 
- first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if 
(dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } 
else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? 
puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char 
loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; } static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? 
'\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define noinline __attribute__((noinline)) #define always_inline __attribute__((always_inline)) inline #define __no_stack_protector #define __addrspace_guest #define __optnone #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define 
X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * 
X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define 
X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) 
#define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G 
| VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define 
VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e 
#define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_EXITINFO2 0x080 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define 
VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670
#define VMCB_RAX 0x5f8

// Segment attribute bits and the combinations built from them.
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_TSS_BUSY 0x008b
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d

// Sizing limits: these bound the arrays in struct syzos_globals below.
#define KVM_MAX_VCPU 4
#define KVM_MAX_L2_VMS 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// 64-bit mask with bits l..h (inclusive) set.
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))

extern char* __start_guest;

// Translates the host address of a function into the address it has inside
// the guest: its offset from &__start_guest, rebased to SYZOS_ADDR_EXECUTOR_CODE.
// NOTE(review): fn is not checked to lie between __start_guest and __stop_guest.
static always_inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

// Checks that the exit reason recorded in a kvm_run structure equals the
// expected one.
//   a0 - pointer to struct kvm_run (cast from long)
//   a1 - expected exit reason
// Returns 0 on a match. Returns -1 with errno = EINVAL when a0 is NULL, and
// -1 with errno = EDOM on a mismatch; both failure paths log to stderr.
static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
{
	struct kvm_run* run = (struct kvm_run*)a0;
	uint64_t expect = a1;
	if (!run) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n");
		errno = EINVAL;
		return -1;
	}
	if (run->exit_reason != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n");
		// NOTE(review): mmio.is_write is printed whatever the exit reason is;
		// it is presumably meaningful only for MMIO exits - confirm.
		fprintf(stderr, " is_write: %d\n", run->mmio.is_write);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason);
		errno = EDOM;
		return -1;
	}
	return 0;
}

// Command ids understood by guest_main. The numbering has gaps; guest_main
// rejects ids >= SYZOS_API_STOP, while an id that falls into a gap matches no
// branch there and is skipped.
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_LOAD_SYZOS = 310,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

// Payload layouts for the commands that do not use the generic api_call_N forms.
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};

struct api_call_code {
	struct api_call_header header;
	uint8_t insns[]; // length is header.size minus the header (see guest_main)
};

struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};

struct api_call_nested_load_syzos {
	struct api_call_header header;
	uint64_t vm_id;
	uint64_t unused_pages;
	uint8_t program[];
};

struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

// General-purpose register set kept per nested (L2) guest; rsp is not part of it.
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

// Flag bits for mem_region.flags. Bit 4 is not assigned here.
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)
#define MEM_REGION_FLAG_REMAINING (1 << 7)

struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags; // MEM_REGION_FLAG_* bits
};

struct syzos_boot_args {
	uint32_t region_count;
	uint32_t reserved;
	struct mem_region regions[];
};

// Shared state that guest_main reads at X86_SYZOS_ADDR_GLOBALS.
struct syzos_globals {
	uint64_t alloc_offset;
	uint64_t total_size;
	uint64_t text_sizes[KVM_MAX_VCPU]; // per-vCPU command stream length in bytes
	struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS];
	uint64_t active_vm_id[KVM_MAX_VCPU];
};

// Forward declarations of the guest-side helpers and command handlers.
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == 
SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct 
api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm 
volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile 
struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
    volatile struct idt_entry_64* idt_entry = &idt[vector];
    // Scatter the 64-bit handler address over the three offset fields.
    idt_entry->offset_low = (uint16_t)handler;
    idt_entry->offset_mid = (uint16_t)(handler >> 16);
    idt_entry->offset_high = (uint32_t)(handler >> 32);
    idt_entry->selector = X86_SYZOS_SEL_CODE;
    // 0x8E in the x86-64 gate format: present, DPL 0, interrupt-gate type.
    idt_entry->type_attr = 0x8E;
    idt_entry->ist = 0;
    idt_entry->reserved = 0;
}

// Point IDT vector cmd->args[0] at one of two built-in handlers.
// cmd->args[1] == 1 selects dummy_null_handler, 2 selects uexit_irq_handler.
// NOTE(review): for any other type the gate is still installed, with a handler
// address of 0 -- confirm that this is the intended "unset" behaviour.
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
    uint8_t vector = (uint8_t)cmd->args[0];
    uint64_t type = cmd->args[1];
    volatile uint64_t handler_addr = 0;
    if (type == 1)
        handler_addr = executor_fn_guest_addr(dummy_null_handler);
    else if (type == 2)
        handler_addr = executor_fn_guest_addr(uexit_irq_handler);
    set_idt_gate(vector, handler_addr);
}

// Identify the CPU vendor from CPUID leaf 0.
// Only EBX, the first four characters of the vendor string, is compared:
// 0x756e6547 is "Genu" and 0x68747541 is "Auth" in little-endian byte order.
// Any other vendor raises UEXIT_ASSERT and, if that returns, is reported as
// Intel.
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
    uint32_t ebx, eax = 0;
    asm volatile("cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx");
    if (ebx == 0x756e6547) {
        return CPU_VENDOR_INTEL;
    } else if (ebx == 0x68747541) {
        return CPU_VENDOR_AMD;
    } else {
        guest_uexit(UEXIT_ASSERT);
        return CPU_VENDOR_INTEL;
    }
}

// Return the current value of CR0.
GUEST_CODE static inline uint64_t read_cr0(void)
{
    uint64_t val;
    asm volatile("mov %%cr0, %0" : "=r"(val));
    return val;
}

// Return the current value of CR3.
GUEST_CODE static inline uint64_t read_cr3(void)
{
    uint64_t val;
    asm volatile("mov %%cr3, %0" : "=r"(val));
    return val;
}

// Return the current value of CR4.
GUEST_CODE static inline uint64_t read_cr4(void)
{
    uint64_t val;
    asm volatile("mov %%cr4, %0" : "=r"(val));
    return val;
}

// Load CR4 with `val`.
GUEST_CODE static inline void write_cr4(uint64_t val)
{
    asm volatile("mov %0, %%cr4" : : "r"(val));
}

// Write `value` to VMCS field `field` of the current VMCS.
// `setna` captures CF|ZF, the flags VMX instructions use to report failure; a
// failed write raises UEXIT_ASSERT.
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
    uint8_t error = 0;
    asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory");
    if (error)
        guest_uexit(UEXIT_ASSERT);
}

// Read VMCS field `field` of the current VMCS.
// NOTE(review): unlike vmwrite(), the flags are not checked here, so a failed
// VMREAD returns whatever RAX held -- callers cannot tell the difference.
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
    uint64_t value;
    asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc");
    return value;
}

// Make the VMCS of (cpu_id, vm_id) the current one with VMPTRLD.
// A failure is reported to the host as uexit code 0xE2BAD2.
GUEST_CODE static inline void
nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    // VMPTRLD takes a memory operand that holds the VMCS address, hence "m".
    asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
    if (error)
        guest_uexit(0xE2BAD2);
}

// The vmcb_* helpers below access a field at byte `offset` from a VMCB base
// address through a volatile pointer. None of them checks `offset` against the
// size of the VMCB or its alignment; `offset` is limited only by its 16-bit
// type.

// Store a 16-bit value at vmcb + offset.
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
    *((volatile uint16_t*)(vmcb + offset)) = val;
}

// Store a 32-bit value at vmcb + offset.
GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
    *((volatile uint32_t*)(vmcb + offset)) = val;
}

// Load a 32-bit value from vmcb + offset.
GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
    return *((volatile uint32_t*)(vmcb + offset));
}

// Store a 64-bit value at vmcb + offset.
GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
    *((volatile uint64_t*)(vmcb + offset)) = val;
}

// Load a 64-bit value from vmcb + offset.
// Note the different base type: this helper takes a byte pointer while the
// other vmcb_* helpers take the base as an integer.
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
    return *((volatile uint64_t*)(vmcb + offset));
}

// Byte-wise fill of `size` bytes at `s` with `c`. A size <= 0 writes nothing.
// NOTE(review): the volatile pointer presumably stops the compiler from
// replacing the loop with a call to a library memset -- confirm.
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
    volatile uint8_t* p = (volatile uint8_t*)s;
    for (int i = 0; i < size; i++)
        p[i] = c;
}

// Byte-wise forward copy of `size` bytes from `src` to `dst`. A size <= 0
// copies nothing. The copy runs front to back, so it is only safe for
// overlapping buffers when dst is below src.
GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
    volatile uint8_t* d = (volatile uint8_t*)dst;
    volatile uint8_t* s = (volatile uint8_t*)src;
    for (int i = 0; i < size; i++)
        d[i] = s[i];
}

// Enter VMX root operation on this CPU.
// Steps, in the order the hardware needs them: set CR4.VMXE, make sure
// IA32_FEATURE_CONTROL permits VMXON, stamp the VMXON region with the revision
// id from IA32_VMX_BASIC, then execute VMXON. A VMXON failure is reported as
// uexit code 0xE2BAD0.
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id)
{
    uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
    uint64_t cr4 = read_cr4();
    cr4 |= X86_CR4_VMXE;
    write_cr4(cr4);
    uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL);
    // Bit 0 is tested and, when clear, bits 0 and 2 are set (0b101).
    if ((feature_control & 1) == 0) {
        feature_control |= 0b101;
        // NOTE(review): EDX is forced to 0, so only the low 32 bits of
        // feature_control reach the MSR. On x86-64 the "A" constraint means
        // "rax or rdx", not the edx:eax pair -- confirm this is intended.
        asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control));
    }
    // Only the low 32 bits of IA32_VMX_BASIC are stored into the region.
    *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    uint8_t error;
    asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD0);
        return;
    }
}

// Enable SVM on this CPU: set EFER.SVME and point VM_HSAVE_PA at the per-CPU
// arch-specific page.
GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t
cpu_id)
{
    uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
    uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
    efer |= X86_EFER_SVME;
    wrmsr(X86_MSR_IA32_EFER, efer);
    wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr);
}

// Enable nested virtualization with the mechanism that matches the CPU vendor.
// `cmd` is not read.
GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_enable_vmx_intel(cpu_id);
    } else {
        nested_enable_svm_amd(cpu_id);
    }
}

// Return the size in bytes of the boot-args region that starts at
// X86_SYZOS_ADDR_UNUSED, or 0 when no such region is listed.
GUEST_CODE static uint64_t get_unused_memory_size()
{
    volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS;
    // NOTE(review): region_count is read from shared memory and is not checked
    // against the capacity of regions[] here -- confirm where it is validated.
    for (uint32_t i = 0; i < args->region_count; i++) {
        if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED)
            return args->regions[i].pages * KVM_PAGE_SIZE;
    }
    return 0;
}

// Hand out one zeroed page from the region at X86_SYZOS_ADDR_UNUSED.
// The allocator only ever advances alloc_offset; nothing is freed. total_size
// is filled in lazily on first use, and both updates use atomic builtins so
// several vCPUs can allocate at once.
GUEST_CODE static uint64_t guest_alloc_page()
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    if (globals->total_size == 0) {
        uint64_t size = get_unused_memory_size();
        // Compare-and-swap so that only the first initializer wins.
        __sync_val_compare_and_swap(&globals->total_size, 0, size);
    }
    uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE);
    // NOTE(review): if guest_uexit() returns (get_cpu_vendor() is written as
    // though it can), execution continues and the memset below writes past the
    // end of the region -- confirm whether UEXIT_ASSERT is terminal.
    if (offset >= globals->total_size)
        guest_uexit(UEXIT_ASSERT);
    uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset;
    guest_memset((void*)ptr, 0, KVM_PAGE_SIZE);
    return ptr;
}

// Map one 4 KiB page, gpa -> host_pa, in the 4-level table of (cpu_id, vm_id).
// Missing intermediate tables are allocated with guest_alloc_page(). The index
// at each level is a 9-bit slice of gpa (bits 47:39, 38:30, 29:21, 20:12).
// Table entries are dereferenced directly as pointers, which assumes the
// tables are identity-mapped for the code running here -- TODO confirm.
GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags)
{
    uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
    uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
    if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) {
        uint64_t page = guest_alloc_page();
        pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    }
    // ~0xFFF strips the low 12 flag bits to recover the next table's address.
    volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
    uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
    if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) {
        uint64_t page = guest_alloc_page();
        pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    }
    volatile
uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
    uint64_t pd_idx = (gpa >> 21) & 0x1FF;
    if (!(pd[pd_idx] & X86_PDE64_PRESENT)) {
        uint64_t page = guest_alloc_page();
        pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    }
    volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
    uint64_t pt_idx = (gpa >> 12) & 0x1FF;
    // An existing leaf mapping is kept: a second call for the same gpa does
    // not replace it.
    if (!(pt[pt_idx] & X86_PDE64_PRESENT))
        pt[pt_idx] = (host_pa & ~0xFFF) | flags;
}

// Build the second-level (EPT on Intel, nested page table on AMD) mapping for
// the nested VM (cpu_id, vm_id) from the boot-args region list.
// Regions flagged MEM_REGION_FLAG_NO_HOST_MEM are skipped. A region flagged
// MEM_REGION_FLAG_REMAINING is sized from `unused_pages`, with a floor of 16
// pages.
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages)
{
    // The same three low bits are used for both table formats; the vendor
    // branch adds the format-specific memory-type / accessed / dirty bits.
    uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    if (vendor == CPU_VENDOR_INTEL) {
        flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
    } else {
        flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
    }
    volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS;
    for (uint32_t i = 0; i < args->region_count; i++) {
        // Copy the descriptor out of the volatile shared structure so the loop
        // below works on a stable local snapshot.
        struct mem_region r;
        r.gpa = args->regions[i].gpa;
        r.pages = args->regions[i].pages;
        r.flags = args->regions[i].flags;
        if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM)
            continue;
        if (r.flags & MEM_REGION_FLAG_REMAINING) {
            r.pages = (unused_pages < 16) ?
16 : unused_pages;
        }
        // NOTE(review): `p` is a signed int compared against r.pages, and
        // p * KVM_PAGE_SIZE is evaluated before it is widened by the addition;
        // the types of r.pages and KVM_PAGE_SIZE are declared elsewhere --
        // confirm neither can overflow or compare unexpectedly.
        for (int p = 0; p < r.pages; p++) {
            uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE);
            uint64_t backing;
            if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) {
                // First page of the user-code region is backed by this VM's
                // private code page.
                backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
            } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) {
                // Every page of the stack region gets the same backing page;
                // there is no per-page offset here.
                backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
            } else {
                // Everything else is identity-mapped.
                backing = gpa;
            }
            l2_map_page(cpu_id, vm_id, gpa, backing, flags);
        }
    }
}

// Program the VM-execution, VM-exit and VM-entry control fields of the current
// VMCS for the nested VM (cpu_id, vm_id).
// The control words start from the capability MSRs (low 32 bits) and then have
// the features this code needs OR-ed in: EPT, RDTSCP, secondary controls, HLT
// and RDTSC exiting, 64-bit host address space on exit and IA-32e mode on
// entry. The caller must have made the VMCS current first.
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
    vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
    vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
    vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
    vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
    vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
    vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
    vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
    vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
    // EPT pointer: table base, plus 6 in bits 2:0 (write-back memory type) and
    // 3 in bits 5:3 (page-walk length minus one, i.e. 4 levels).
    uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
    vmwrite(VMCS_EPT_POINTER, eptp);
    // Zero guest/host masks: no CR0/CR4 bit is owned by the host.
    vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
    vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
    // NOTE(review): the bitmap addresses are written as 0 even though a
    // per-VM MSR bitmap page is cleared in nested_create_vm_intel(); whether
    // any "use bitmap" control is enabled depends on the capability MSRs --
    // confirm.
    vmwrite(VMCS_MSR_BITMAP, 0);
    vmwrite(VMCS_VMREAD_BITMAP, 0);
    vmwrite(VMCS_VMWRITE_BITMAP, 0);
    // Only exception vector 6 is intercepted.
    vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
    vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
    vmwrite(VMCS_POSTED_INTR_NV, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
    // -1 converts to an all-ones uint64_t argument.
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
    vmwrite(VMCS_CR3_TARGET_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
    vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
    vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral exit reasons reported to the host for a nested (L2) exit.
// map_intel_exit_reason() and map_amd_exit_reason() translate the hardware
// codes into these; anything without a mapping becomes UNKNOWN.
typedef enum {
    SYZOS_NESTED_EXIT_REASON_HLT = 1,
    SYZOS_NESTED_EXIT_REASON_INVD = 2,
    SYZOS_NESTED_EXIT_REASON_CPUID = 3,
    SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
    SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
    SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6,
    SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

// Forward a uexit requested by the nested guest to the host.
// The top byte of the code is treated as a nesting level: it is incremented by
// one and written back, the low 56 bits are passed through unchanged.
GUEST_CODE static void handle_nested_uexit(uint64_t exit_code)
{
    uint64_t level = (exit_code >> 56) + 1;
    exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56);
    guest_uexit(exit_code);
}

// Report an L2 exit to the host.
// A recognised reason is sent as 0xe2e20000 | mapped_reason. An unrecognised
// one is sent with a vendor-specific prefix (0xe2110000 for Intel, 0xe2aa0000
// for AMD) OR-ed with the raw hardware exit reason.
// NOTE(review): exit_reason is the full 64-bit value, not masked to 16 bits,
// so high bits can overlap the prefix -- confirm the host side expects that.
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
    if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
        guest_uexit(0xe2e20000 | mapped_reason);
    } else if (vendor == CPU_VENDOR_INTEL) {
        guest_uexit(0xe2110000 | exit_reason);
    } else {
        guest_uexit(0xe2aa0000 | exit_reason);
    }
}

// Intel VMX basic exit reasons handled by this file.
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_EPT_VIOLATION 0x30
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

// Translate an Intel basic exit reason into a syz_nested_exit_reason.
// NOTE(review): the volatile copy and the if-chain (rather than a switch)
// presumably keep the compiler from emitting a jump table -- confirm.
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    if (reason == EXIT_REASON_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == EXIT_REASON_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == EXIT_REASON_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == EXIT_REASON_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == EXIT_REASON_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    if (reason == EXIT_REASON_EPT_VIOLATION)
        return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Step the L2 guest RIP past the instruction that caused the exit.
// The lengths are hard-coded: 2 bytes for INVD, CPUID and RDTSC, 3 bytes for
// RDTSCP. For every other reason RIP is written back unchanged, so the same
// instruction runs again on the next entry.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    uint64_t rip = vmread(VMCS_GUEST_RIP);
    if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) ||
(reason == EXIT_REASON_RDTSC)) {
        rip += 2;
    } else if (reason == EXIT_REASON_RDTSCP) {
        rip += 3;
    }
    vmwrite(VMCS_GUEST_RIP, rip);
}

// C half of the Intel VM-exit path; called from
// nested_vm_exit_handler_intel_asm with the raw exit reason and a pointer to
// the L2 registers that stub pushed on the stack.
//
// It saves the L2 registers into globals->l2_ctx, then either forwards a
// guest-requested uexit (an EPT violation on the X86_SYZOS_ADDR_EXIT page,
// code taken from L2's RAX) or reports the exit reason to the host and
// advances L2's RIP. `used` keeps the function alive even though it is only
// referenced from assembly.
__attribute__((used))
GUEST_CODE static void
nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    // cpu_id is recovered from the L1 stack frame built before VM entry in
    // guest_handle_nested_vmentry_intel: directly above the saved L2 registers
    // sit six callee-saved registers and the launch flag (7 slots), then
    // cpu_id. This relies on sizeof(struct l2_guest_regs) matching the 15
    // pushes in the asm stub -- TODO confirm against the struct definition.
    uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8);
    uint64_t vm_id = globals->active_vm_id[cpu_id];
    guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
    uint64_t basic_reason = exit_reason & 0xFFFF;
    if (basic_reason == EXIT_REASON_EPT_VIOLATION) {
        uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS);
        if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
            handle_nested_uexit(regs->rax);
            // Skips a fixed 3 bytes; presumably the length of the store L2
            // uses to touch the exit page -- TODO confirm.
            vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3);
            return;
        }
    }
    syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
    advance_l2_rip_intel(basic_reason);
}

// Defined by a .globl directive inside the asm of
// guest_handle_nested_vmentry_intel; the exit stub below jumps to it.
extern char after_vmentry_label;

// Assembly entry point the CPU jumps to on a VM exit (it is installed as
// VMCS_HOST_RIP by init_vmcs_host_state()).
//
// It pushes the 15 general-purpose registers of L2 (r15 first, rax last),
// passes the VM-exit reason in RDI and the register block in RSI to
// nested_vm_exit_handler_intel, then unwinds the frame that
// guest_handle_nested_vmentry_intel built (saved registers, the two pushed
// arguments and the 128 bytes reserved at its start) and jumps back into that
// function at after_vmentry_label. `naked` means the compiler emits no
// prologue or epilogue around the template.
// NOTE(review): in this listing the instructions inside the raw string are
// separated only by spaces; the assembler needs a newline or ';' between
// them, so the separators were presumably lost when the text was flattened.
__attribute__((naked))
GUEST_CODE static void
nested_vm_exit_handler_intel_asm(void)
{
    asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )"
                 :
                 : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
                 : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD SVM exit codes handled by this file.
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_NPF 0x400
#define VMEXIT_RDTSCP 0x87

// Translate an AMD exit code into a syz_nested_exit_reason. A nested page
// fault (VMEXIT_NPF) is reported under the same value as an Intel EPT
// violation.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason =
basic_reason;
    if (reason == VMEXIT_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == VMEXIT_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == VMEXIT_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == VMEXIT_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == VMEXIT_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    if (reason == VMEXIT_NPF)
        return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Step the L2 guest RIP stored in the VMCB past the exiting instruction.
// Same hard-coded lengths as the Intel variant: 2 bytes for INVD, CPUID and
// RDTSC, 3 bytes for RDTSCP, unchanged otherwise.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
    volatile uint64_t reason = basic_reason;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
    if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
        rip += 2;
    } else if (reason == VMEXIT_RDTSCP) {
        rip += 3;
    }
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// C half of the AMD #VMEXIT path; called from the asm in guest_run_amd_vm with
// the exit code and a pointer to the L2 registers pushed on the stack.
//
// Mirrors nested_vm_exit_handler_intel: save the registers into
// globals->l2_ctx, forward a guest-requested uexit when a nested page fault
// hits the X86_SYZOS_ADDR_EXIT page, otherwise report the exit and advance
// RIP.
__attribute__((used))
GUEST_CODE static void
nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs)
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    // 8 slots instead of the 7 used on Intel: the asm in guest_run_amd_vm
    // pushes the exit code before the registers, which adds one slot between
    // the register block and the frame that holds cpu_id. As on Intel this
    // assumes sizeof(struct l2_guest_regs) equals the pushed register block --
    // TODO confirm.
    uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8);
    uint64_t vm_id = globals->active_vm_id[cpu_id];
    guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
    volatile uint64_t basic_reason = exit_reason & 0xFFFF;
    if (basic_reason == VMEXIT_NPF) {
        uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
        // The faulting guest-physical address is read from VMCB_EXITINFO2.
        uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2);
        if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
            handle_nested_uexit(regs->rax);
            uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
            vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3);
            return;
        }
    }
    syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
    advance_l2_rip_amd(basic_reason,
cpu_id, vm_id);
}

// Fill the host-state area of the current VMCS, i.e. the L1 state the CPU
// reloads on a VM exit: segment selectors, descriptor-table and FS/GS bases,
// control registers, a set of MSRs read live from this CPU, and the exit entry
// point. VMCS_HOST_RSP is not written here; the asm in
// guest_handle_nested_vmentry_intel writes it just before entry.
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
    vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
    vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
    vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS);
    vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
    vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
    vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
    vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
    // Every VM exit lands in the naked assembly stub.
    vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
    vmwrite(VMCS_HOST_CR0, read_cr0());
    vmwrite(VMCS_HOST_CR3, read_cr3());
    vmwrite(VMCS_HOST_CR4, read_cr4());
    vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
    vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
    vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
    vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
    vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copy one host-state VMCS field into the corresponding guest-state field.
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Program selector, base, limit and access rights of one guest segment.
// NOTE(review): this expands to four separate statements and is not wrapped in
// do { } while (0), so it is only safe as a full statement inside a braced
// block -- which is how every use visible here invokes it.
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fill the guest-state area of the current VMCS for the nested VM
// (cpu_id, vm_id).
// The guest starts as a near-copy of the host: selectors, FS/GS/TR bases,
// control registers, descriptor-table bases and several MSRs are taken from
// the host-state fields, so init_vmcs_host_state() must have run on this VMCS
// first. RIP and RSP point at the per-VM code and stack pages.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
    SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF,
VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    // 0x67 is the TR limit used here (a 104-byte TSS minus one).
    SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
    SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
    // L2 starts with L1's control registers, including the same CR3.
    vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
    vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
    vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
    vmwrite(VMCS_GUEST_RIP, l2_code_addr);
    // Initial stack pointer: 8 bytes below the top of the one-page stack.
    vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmwrite(VMCS_GUEST_DR7, 0x400);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
    vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
    // L2 shares L1's GDT and IDT; only the limits are set explicitly.
    vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
    vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
    vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
    vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
    // All-ones link pointer: no shadow VMCS is linked.
    vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
    vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
    vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
    vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
    vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
    vmwrite(VMCS_GUEST_INTR_STATUS, 0);
    vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Create the Intel nested VM named by cmd->arg on this CPU: initialise and
// load its VMCS, build its EPT tables and fill in control, host and guest
// state. A VMCLEAR failure is reported as uexit code 0xE2BAD1.
// NOTE(review): vm_id comes straight from the command and feeds the
// X86_SYZOS_ADDR_* address macros; no range check is visible in this function
// -- confirm where it is bounded.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
    // The VMCS region must carry the revision id (low 32 bits of
    // IA32_VMX_BASIC) before VMCLEAR / VMPTRLD will accept it.
    *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD1);
        return;
    }
    // Everything below operates on the current VMCS, so load it first.
    nested_vmptrld(cpu_id, vm_id);
    guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0);
    init_vmcs_control_fields(cpu_id, vm_id);
    // Host state before guest state: the guest fields are copied from it.
    init_vmcs_host_state();
    init_vmcs_guest_state(cpu_id, vm_id);
}

// Program selector, attributes, limit and base of one guest segment in a VMCB.
// NOTE(review): like SETUP_L2_SEGMENT this expands to four bare statements, so
// it must only be used as a full statement inside a braced block.
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// Fill the VMCB of the nested VM (cpu_id, vm_id): guest segments, control
// registers, entry RIP/RSP, descriptor-table registers, intercepts and nested
// paging. The AMD counterpart of init_vmcs_control_fields() plus
// init_vmcs_guest_state().
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64,
X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
    // L2 inherits L1's control registers; CR0.WP is additionally forced on.
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
    // Initial stack pointer: 8 bytes below the top of the one-page stack.
    vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME);
    vmcb_write64(vmcb_addr, VMCB_RAX, 0);
    // SGDT/SIDT store a 2-byte limit followed by an 8-byte base, so the
    // struct has to be packed to match the 10-byte memory image.
    struct {
        uint16_t limit;
        uint64_t base;
    } __attribute__((packed)) gdtr, idtr;
    asm volatile("sgdt %0" : "=m"(gdtr));
    asm volatile("sidt %0" : "=m"(idtr));
    vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
    vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
    // Turn on nested paging and point it at this VM's table root.
    vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
    uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
    vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
    // Every nested VM is given the same ASID, 1.
    vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Create the AMD nested VM named by cmd->arg on this CPU: clear its VMCB, the
// per-CPU arch-specific page, its page-table root and its MSR bitmap page,
// then build the nested page tables and the VMCB contents.
// NOTE(review): as on the Intel path, vm_id is taken from the command with no
// range check visible here -- confirm where it is bounded.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
    guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0);
init_vmcb_guest_state(cpu_id, vm_id);
}

// Create a nested VM with the mechanism that matches the CPU vendor.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_create_vm_intel(cmd, cpu_id);
    } else {
        nested_create_vm_amd(cmd, cpu_id);
    }
}

// Translate an L2 guest-physical address to its backing address by walking the
// 4-level table of (cpu_id, vm_id) in software.
// Returns 0 when any level is not present, so a page legitimately backed at
// address 0 cannot be told apart from "unmapped". The walk assumes 4 KiB leaf
// pages at every path, which is what l2_map_page() creates.
GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa)
{
    uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
    uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
    if (!(pml4[pml4_idx] & X86_PDE64_PRESENT))
        return 0;
    volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
    uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
    if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT))
        return 0;
    volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
    uint64_t pd_idx = (gpa >> 21) & 0x1FF;
    if (!(pd[pd_idx] & X86_PDE64_PRESENT))
        return 0;
    volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
    uint64_t pt_idx = (gpa >> 12) & 0x1FF;
    if (!(pt[pt_idx] & X86_PDE64_PRESENT))
        return 0;
    // Page frame from the entry plus the offset within the page.
    return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF);
}

// Copy the instruction bytes carried in the command into the page that backs
// X86_SYZOS_ADDR_USER_CODE for nested VM cmd->vm_id, then reset that VM's RIP
// and RSP to the start of the code and the top of the stack.
// Reports uexit code 0xE2BAD4 when the code page is not mapped.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->vm_id;
    uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE);
    if (!l2_code_backing) {
        guest_uexit(0xE2BAD4);
        return;
    }
    // NOTE(review): this is an unsigned subtraction. If header.size is smaller
    // than the header plus the vm_id field, the result wraps to a huge value,
    // is clamped to KVM_PAGE_SIZE below, and the copy then reads a full page
    // starting at cmd->insns, i.e. past the end of the command. A lower-bound
    // check on header.size before the subtraction would close that gap.
    uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
    // Never write more than the single backing page.
    if (l2_code_size > KVM_PAGE_SIZE)
        l2_code_size = KVM_PAGE_SIZE;
    guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        // vmwrite() targets the current VMCS, so make this VM's VMCS current.
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
        vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    } else {
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP,
X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    }
}

// Load a program for the nested VM cmd->vm_id and arrange for the VM to start
// in guest_main instead of at the raw code page.
// The program bytes go to the VM's private code page, the program size is
// recorded in the L2 view of the globals for every vCPU slot, and the saved L2
// register context gets RDI = vCPU index and RAX = 0. Reports uexit code
// 0xE2BAD3 when the globals page is not mapped for this VM.
GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->vm_id;
    // NOTE(review): unsigned subtraction; a header.size smaller than the
    // offset of `program` wraps, is clamped to KVM_PAGE_SIZE below, and the
    // copy then reads past the end of the command -- a lower-bound check on
    // header.size would prevent that.
    uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program);
    uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    if (prog_size > KVM_PAGE_SIZE)
        prog_size = KVM_PAGE_SIZE;
    // The copy happens before the mapping check below, so the code page is
    // modified even when the function then bails out with 0xE2BAD3.
    guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size);
    uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS);
    if (!globals_pa) {
        guest_uexit(0xE2BAD3);
        return;
    }
    volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa;
    // NOTE(review): vm_id indexes l2_ctx[][vm_id] without a range check
    // visible here -- confirm where it is bounded.
    for (int i = 0; i < KVM_MAX_VCPU; i++) {
        l2_globals->text_sizes[i] = prog_size;
        globals->l2_ctx[i][vm_id].rdi = i;
        globals->l2_ctx[i][vm_id].rax = 0;
    }
    uint64_t entry_rip = executor_fn_guest_addr(guest_main);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, entry_rip);
        vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    } else {
        uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
        vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip);
        vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    }
}

// Enter the Intel nested VM (cpu_id, vm_id) with VMLAUNCH (is_launch true) or
// VMRESUME (is_launch false).
//
// The asm builds a small frame that the exit path depends on. After skipping
// 128 bytes of stack it pushes cpu_id, the launch flag and the six
// callee-saved registers, records the resulting RSP in VMCS_HOST_RSP, loads
// the L2 registers from globals->l2_ctx (RAX last, since RAX holds the context
// pointer) and enters the guest. The launch flag is re-read from 48(%rsp), the
// slot it was pushed to.
//
// Two ways out:
//  - the entry instruction fails and falls through: the frame is popped and
//    fail_flag is set to 1; the VM-instruction error is then reported as
//    0xE2E10000 | error;
//  - a VM exit occurs: nested_vm_exit_handler_intel_asm runs, unwinds the
//    frame itself and jumps to after_vmentry_label, which clears fail_flag.
//
// NOTE(review): in this listing the instructions inside the raw string are
// separated only by spaces; the assembler needs a newline or ';' between
// them, so the separators were presumably lost when the text was flattened.
GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
    uint64_t vmx_error_code = 0;
    uint64_t fail_flag = 0;
    nested_vmptrld(cpu_id, vm_id);
    // The exit handler looks the VM up through active_vm_id[cpu_id].
    globals->active_vm_id[cpu_id] = vm_id;
    asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov 
%%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )"
                 : [ret] "=&r"(fail_flag)
                 : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs)
                 : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
    // fail_flag is 1 only when VMLAUNCH/VMRESUME itself failed and execution
    // fell through to label 2 in the template above.
    if (fail_flag) {
        vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
        guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
        return;
    }
}

// Run the AMD nested VM (cpu_id, vm_id) with VMRUN and handle the resulting
// #VMEXIT inline.
//
// Frame built by the template, lowest address first after the pushes:
// r15, r14, r13, r12, rbp, rbx, vmcb_addr (48(%rsp)), cpu_id (56(%rsp)), above
// 128 skipped bytes. L2's RAX is stored into the VMCB at offset 0x5f8 because
// VMRUN takes guest RAX from the VMCB; the other registers are loaded
// directly from globals->l2_ctx. CLGI is executed before VMRUN.
//
// After the exit the template pushes the value at VMCB offset 0x70 (passed to
// the handler as the exit code), the L2 registers and L2's RAX from the VMCB,
// calls nested_vm_exit_handler_amd(exit_code, regs), unwinds the frame and
// executes STGI. The carry flag after VMRUN is stored in fail_flag.
//
// NOTE(review): RBX is overwritten early in the template (mov 0(%rax), %rbx)
// but is not in the clobber list, and %[vmcb_addr] is read again right after;
// if the compiler placed vmcb_addr in RBX that read would see the wrong value
// -- confirm the register allocation or add the clobber.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    // The exit handler looks the VM up through active_vm_id[cpu_id].
    globals->active_vm_id[cpu_id] = vm_id;
    struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
    uint8_t fail_flag = 0;
    asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push 
%%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )"
                 : [fail_flag] "=m"(fail_flag)
                 : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs))
                 : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
    // NOTE(review): counting the pushes in the template, 15 quadwords have
    // been pushed when `mov 176(%rsp), %rax` runs, which puts vmcb_addr
    // (pushed to 48(%rsp)) at 168(%rsp) and cpu_id at 176(%rsp). The following
    // `pushq 0x5f8(%rax)` treats RAX as the VMCB address, so the offset looks
    // off by 8 -- verify against the intended stack layout.
    // NOTE(review): fail_flag is an "=m" operand written while RSP is moved by
    // the template; if the compiler addresses it relative to RSP the store
    // lands elsewhere -- confirm how the operand is addressed.
    if (fail_flag) {
        guest_uexit(0xE2E10000 | 0xFFFF);
        return;
    }
}

// First entry into nested VM cmd->arg. Intel uses VMLAUNCH; on AMD launch and
// resume are the same VMRUN path.
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

// Re-enter nested VM cmd->arg. Intel uses VMRESUME; AMD again uses VMRUN.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

// Read-modify-write of an arbitrary VMCS field of nested VM cmd->args[0];
// does nothing on a non-Intel CPU.
// args[1] is the field encoding, args[2..4] are the set, unset and flip masks.
// The new value is ((old & ~unset) | set) ^ flip, so a bit present in both
// set and flip ends up cleared.
// The field encoding is not validated here; vmwrite() raises UEXIT_ASSERT
// when the CPU rejects the write, while vmread() does not check for failure.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_INTEL)
        return;
    uint64_t vm_id = cmd->args[0];
    nested_vmptrld(cpu_id, vm_id);
    uint64_t field = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmread(field);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmwrite(field, new_value);
}

// Read-modify-write of a 64-bit VMCB field of nested VM cmd->args[0]; does
// nothing on a non-AMD CPU. Same mask semantics as the Intel variant:
// ((old & ~unset) | set) ^ flip.
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id,
vm_id);
    // NOTE(review): `offset` is a 64-bit command argument but the vmcb_*
    // helpers take a uint16_t, so it is silently truncated to 16 bits. It is
    // not checked against the 4 KiB VMCB page or for 8-byte alignment, so the
    // access can land up to 64 KiB past the VMCB base -- confirm that this
    // reach is intended.
    uint64_t offset = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmcb_write64(vmcb_addr, offset, new_value);
}

// Execute INVLPGA with the linear address in cmd->args[0] (RAX) and the ASID
// in cmd->args[1] (ECX); does nothing on a non-AMD CPU.
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t linear_addr = cmd->args[0];
    uint32_t asid = (uint32_t)cmd->args[1];
    asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// Execute STGI (set the global interrupt flag); no-op on a non-AMD CPU.
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("stgi" ::: "memory");
}

// Execute CLGI (clear the global interrupt flag); no-op on a non-AMD CPU.
GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("clgi" ::: "memory");
}

// Queue an event for injection into nested VM cmd->args[0] on the next VMRUN;
// does nothing on a non-AMD CPU.
// The 64-bit value is assembled as: vector in bits 7:0 (args[1]), type in bits
// 10:8 (args[2]), bit 11 when flags bit 1 is set, bit 31 when flags bit 0 is
// set, and the 32-bit error code (args[3]) in bits 63:32.
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    // Each input is masked to the width of its field before being combined.
    uint64_t vector = cmd->args[1] & 0xFF;
    uint64_t type = cmd->args[2] & 0x7;
    uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
    uint64_t flags = cmd->args[4];
    uint64_t event_inj = vector;
    event_inj |= (type << 8);
    if (flags & 2)
        event_inj |= (1ULL << 11);
    if (flags & 1)
        event_inj |= (1ULL << 31);
    event_inj |= (error_code << 32);
    // NOTE(review): the value is laid out like the EVENTINJ field, but in the
    // AMD VMCB layout as I know it EVENTINJ lives at offset 0xA8 and 0x60 is
    // the virtual-interrupt control word -- confirm the offset. A named
    // VMCB_* constant, as used for the other fields, would make this
    // checkable.
    vmcb_write64(vmcb_addr, 0x60, event_inj);
}

// Set or clear bits in a 32-bit VMCB word of nested VM cmd->args[0]; does
// nothing on a non-AMD CPU.
// args[1] is the byte offset, args[2] the bit mask and args[3] the action:
// 1 sets the bits, any other value clears them. The offset is truncated to 16
// bits and is not restricted to the intercept vectors.
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t bit_mask = cmd->args[2];
    uint64_t action = cmd->args[3];
    uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
    if
(action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

// 64-bit task state segment image. With the packed attribute the fields add up
// to 104 bytes (4 + 3*8 + 8 + 7*8 + 8 + 2 + 2).
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Encodes `seg` as one 8-byte descriptor and stores it at index
// (selector >> 3) of both tables `dt` and `lt`.
// When seg->g is set the limit is first scaled down by 4 KiB (>> 12).
// The caller must make sure both tables have room for that index; no bound is
// checked here.
// NOTE(review): the last two terms marked below take a field that is already
// positioned at its source bit offset (bits 19:16 of the limit, bits 31:24 of
// the base) and shift it by the destination offset (48 and 56). All selected
// bits end up above bit 63, so both terms are always 0 and those bits never
// reach the descriptor. The x86 descriptor layout would need "<< 32" in both
// places. The expressions are kept as they are so the emitted descriptors do
// not change; confirm whether this is intended.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	const uint16_t slot = seg->selector >> 3;
	const uint64_t lim = seg->g ? seg->limit >> 12 : seg->limit;

	uint64_t desc = lim & 0xffff;
	desc |= (seg->base & 0xffffff) << 16;
	desc |= (uint64_t)seg->type << 40;
	desc |= (uint64_t)seg->s << 44;
	desc |= (uint64_t)seg->dpl << 45;
	desc |= (uint64_t)seg->present << 47;
	desc |= (lim & 0xf0000ULL) << 48; // always 0, see note above
	desc |= (uint64_t)seg->avl << 52;
	desc |= (uint64_t)seg->l << 53;
	desc |= (uint64_t)seg->db << 54;
	desc |= (uint64_t)seg->g << 55;
	desc |= (seg->base & 0xff000000ULL) << 56; // always 0, see note above

	dt[slot] = desc;
	lt[slot] = desc;
}

// Same as fill_segment_descriptor(), then zeroes the following 8-byte slot in
// both tables, giving a 16-byte entry whose upper half is 0.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);

	const uint16_t slot = seg->selector >> 3;
	dt[slot + 1] = 0;
	lt[slot + 1] = 0;
}

// Programs the five SYSENTER/SYSCALL MSRs of a vCPU with one KVM_SET_MSRS call.
//   sel_cs       selector stored in SYSENTER_CS and in bits 47:32 of STAR
//   sel_cs_cpl3  selector stored in bits 63:48 of STAR
// The ioctl result is not checked, so a rejected write goes unnoticed.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	const struct {
		uint32_t index;
		uint64_t data;
	} wanted[5] = {
	    {X86_MSR_IA32_SYSENTER_CS, sel_cs},
	    {X86_MSR_IA32_SYSENTER_ESP, X86_ADDR_STACK0},
	    {X86_MSR_IA32_SYSENTER_EIP, X86_ADDR_VAR_SYSEXIT},
	    {X86_MSR_IA32_STAR, ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48)},
	    {X86_MSR_IA32_LSTAR, X86_ADDR_VAR_SYSRET},
	};

	// Header plus room for exactly five entries, zeroed so that every field
	// not assigned below is 0.
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));

	struct kvm_msrs* request = (struct kvm_msrs*)buf;
	request->nmsrs = 5;
	for (int k = 0; k < 5; k++) {
		request->entries[k].index = wanted[k].index;
		request->entries[k].data = wanted[k].data;
	}
	ioctl(cpufd, KVM_SET_MSRS, request);
}

// Points sregs->idt at guest_mem + X86_ADDR_VAR_IDT (limit 0x1ff) and fills the
// first 32 eight-byte entries through the host mapping. The gate type and
// target selector cycle with period 6 over the combinations in gate_kinds.
// A gate is described with a kvm_segment: `base` carries the target selector
// and `limit` the handler offset, which is how fill_segment_descriptor() places
// them in the entry.
// host_mem + idt.base must be writable for 32 entries; nothing checks that here.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	const struct {
		uint8_t type;
		uint64_t target;
	} gate_kinds[6] = {
	    {6, X86_SEL_CS16},
	    {7, X86_SEL_CS16},
	    {3, X86_SEL_TGATE16},
	    {14, X86_SEL_CS32},
	    {15, X86_SEL_CS32},
	    {11, X86_SEL_TGATE32},
	};

	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* table = (uint64_t*)(host_mem + sregs->idt.base);

	for (int vec = 0; vec < 32; vec++) {
		struct kvm_segment gate;
		gate.selector = vec << 3;
		gate.type = gate_kinds[vec % 6].type;
		gate.base = gate_kinds[vec % 6].target;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(table, table, &gate);
	}
}

// 64-bit variant: 32 sixteen-byte entries at guest_mem + X86_ADDR_VAR_IDT
// (limit 0x1ff). Odd vectors get type 14, even vectors type 15; all target
// X86_SEL_CS64 with the handler offset guest_mem + X86_ADDR_VAR_USER_CODE2.
// The selector is (vec * 2) << 3 so that each gate occupies two 8-byte slots.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* table = (uint64_t*)(host_mem + sregs->idt.base);

	for (int vec = 0; vec < 32; vec++) {
		struct kvm_segment gate;
		gate.selector = (vec * 2) << 3;
		if (vec & 1)
			gate.type = 14;
		else
			gate.type = 15;
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(table, table, &gate);
	}
}

// Guest physical memory layout. Judging by how gpa_to_hva() and
// setup_pg_table() read the entries, each row is {gpa, pages, flags}
// (struct mem_region is declared elsewhere; confirm the field order).
// The last row carries MEM_REGION_FLAG_REMAINING and takes whatever page count
// is left over in setup_pg_table().
static const struct mem_region syzos_mem_regions[] = {
    {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0},
    {X86_SYZOS_ADDR_VAR_IDT, 10, 0},
    {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0},
    {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0},
    {X86_SYZOS_ADDR_GLOBALS, 1, 0},
    {X86_SYZOS_ADDR_SMRAM, 10, 0},
    {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
    {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
    {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
    {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
    {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
    {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
    {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
    {X86_SYZOS_ADDR_IOAPIC, 1, 0},
    {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING},
};

#define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]))

// Host-side state of one VM. region_base[i] is the host address that backs
// syzos_mem_regions[i]; gpa0_mem and pt_pool_mem are the host mappings that the
// page-table code below writes through.
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem;
	size_t total_pages;
	void* user_text;
	void* gpa0_mem;
	void* pt_pool_mem;
	void* globals_mem;
	void* region_base[SYZOS_REGION_COUNT];
};

// Translates a guest physical address into a host pointer by scanning the
// region table. Regions without host memory are skipped and the scan stops at
// the X86_SYZOS_ADDR_UNUSED row, so addresses in the trailing "remaining"
// region are never translated.
// Returns NULL when no region contains `gpa`.
// NOTE(review): syzos_setup_idt() and setup_gdt_ldt_pg() dereference the result
// without a NULL check; they rely on their fixed addresses being in the table.
static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa)
{
	for (size_t idx = 0; idx < SYZOS_REGION_COUNT; idx++) {
		const struct mem_region* region = &syzos_mem_regions[idx];

		if (region->flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		if (region->gpa == X86_SYZOS_ADDR_UNUSED)
			break;

		size_t span = region->pages * KVM_PAGE_SIZE;
		if (gpa < region->gpa || gpa >= region->gpa + span)
			continue;
		return (void*)((char*)vm->region_base[idx] + (gpa - region->gpa));
	}
	return NULL;
}

#define X86_NUM_IDT_ENTRIES 256

// Installs an IDT at X86_SYZOS_ADDR_VAR_IDT in which all 256 vectors point at
// dummy_null_handler: selector X86_SYZOS_SEL_CODE, IST 0, type/attribute byte
// 0x8E. The entries are written through the host mapping of the table.
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;

	volatile struct idt_entry_64* table = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base);
	const uint64_t target = executor_fn_guest_addr(dummy_null_handler);

	// The handler address is split into the three offset fields of the gate.
	const uint16_t off_lo = (uint16_t)(target & 0xFFFF);
	const uint16_t off_mid = (uint16_t)((target >> 16) & 0xFFFF);
	const uint32_t off_hi = (uint32_t)((target >> 32) & 0xFFFFFFFF);

	for (int vec = 0; vec < X86_NUM_IDT_ENTRIES; vec++) {
		volatile struct idt_entry_64* entry = &table[vec];
		entry->offset_low = off_lo;
		entry->selector = X86_SYZOS_SEL_CODE;
		entry->ist = 0;
		entry->type_attr = 0x8E;
		entry->offset_mid = off_mid;
		entry->offset_high = off_hi;
		entry->reserved = 0;
	}
}

// One guest code blob handed to syz_kvm_setup_cpu(): a type tag, a pointer to
// the bytes and their size.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// One (type, value) option pair handed to syz_kvm_setup_cpu().
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Bits 51:12 of a page-table entry, i.e. the physical frame address.
#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over a range of guest physical pages: next_page is the next
// address to hand out, last_page the end of the range (exclusive).
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Hands out the next page of the pool and advances by KVM_PAGE_SIZE.
// Terminates the process with exit(1) once the pool is exhausted.
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);

	const uint64_t handed_out = alloc->next_page;
	alloc->next_page = handed_out + KVM_PAGE_SIZE;
	return handed_out;
}

// Host pointer for a page-table page at guest physical address `gpa`.
// Addresses inside the page-table pool resolve through pt_pool_mem; anything
// else is treated as an offset into gpa0_mem.
// NOTE(review): the fallback adds `gpa` to gpa0_mem without a range check. In
// the code visible here the argument always comes from an entry filled by
// pg_alloc(), which stays inside the pool; confirm no other caller exists.
static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa)
{
	const int in_pool = gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE);

	if (!in_pool)
		return (uint64_t*)((char*)vm->gpa0_mem + gpa);

	uint64_t pool_off = gpa - X86_SYZOS_ADDR_PT_POOL;
	return (uint64_t*)((char*)vm->pt_pool_mem + pool_off);
}

// Identity-maps one 4 KiB guest page (present + writable) in the 4-level page
// table rooted at X86_SYZOS_ADDR_PML4. Intermediate tables that are still
// missing (entry == 0) are taken from `alloc`.
static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa)
{
	// Each level is indexed by 9 bits of the address.
	const uint64_t l4_slot = (gpa >> 39) & 0x1FF;
	const uint64_t l3_slot = (gpa >> 30) & 0x1FF;
	const uint64_t l2_slot = (gpa >> 21) & 0x1FF;
	const uint64_t l1_slot = (gpa >> 12) & 0x1FF;

	uint64_t* l4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4);
	if (l4[l4_slot] == 0)
		l4[l4_slot] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);

	uint64_t* l3 = get_host_pte_ptr(vm, l4[l4_slot] & PAGE_MASK);
	if (l3[l3_slot] == 0)
		l3[l3_slot] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);

	uint64_t* l2 = get_host_pte_ptr(vm, l3[l3_slot] & PAGE_MASK);
	if (l2[l2_slot] == 0)
		l2[l2_slot] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);

	uint64_t* l1 = get_host_pte_ptr(vm, l2[l2_slot] & PAGE_MASK);
	l1[l1_slot] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Maps `num_pages` consecutive 4 KiB pages starting at `gpa_start`.
// Returns num_pages.
static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int page = 0; page < num_pages; page++) {
		map_4k_page(vm, alloc, gpa_start + (page * KVM_PAGE_SIZE));
	}
	return num_pages;
}

// Builds the guest page tables for every row of syzos_mem_regions.
// The page-table pool and the first 5 pages behind gpa0_mem are zeroed first,
// so anything stored in those pages before this call is lost.
// `remaining` starts at vm->total_pages and is reduced by every region that has
// host memory; the row flagged MEM_REGION_FLAG_REMAINING receives what is left
// and ends the loop. A negative remainder terminates the process.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int remaining = vm->total_pages;
	page_alloc_t pool = {.next_page = X86_SYZOS_ADDR_PT_POOL,
			     .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE};

	memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE);
	memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE);

	for (size_t idx = 0; idx < SYZOS_REGION_COUNT; idx++) {
		const struct mem_region* region = &syzos_mem_regions[idx];
		const int is_tail = (region->flags & MEM_REGION_FLAG_REMAINING) != 0;
		int count = region->pages;

		if (is_tail) {
			if (remaining < 0)
				exit(1);
			count = remaining;
		}
		map_4k_region(vm, &pool, region->gpa, count);
		if (!(region->flags & MEM_REGION_FLAG_NO_HOST_MEM))
			remaining -= count;
		if (is_tail)
			break;
	}
}

// One 8-byte GDT entry in its in-memory layout.
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

// Fills the GDT used by the 64-bit guest: a null entry, a code entry
// (access 0x9A, flags/limit-high 0xAF), a data entry (access 0x92, 0xCF) and a
// TSS descriptor for X86_SYZOS_ADDR_VAR_TSS with limit 0x67. The TSS descriptor
// takes two slots; the second one holds address bits 63:32.
static void setup_gdt_64(struct gdt_entry* gdt)
{
	const uint64_t tss_base = (uint64_t)X86_SYZOS_ADDR_VAR_TSS;
	struct gdt_entry* code = &gdt[X86_SYZOS_SEL_CODE >> 3];
	struct gdt_entry* data = &gdt[X86_SYZOS_SEL_DATA >> 3];
	struct gdt_entry* tss_lo = &gdt[X86_SYZOS_SEL_TSS64 >> 3];
	struct gdt_entry* tss_hi = &gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1];

	gdt[0] = (struct gdt_entry){0};
	*code = (struct gdt_entry){
	    .limit_low = 0xFFFF,
	    .base_low = 0,
	    .base_mid = 0,
	    .access = 0x9A,
	    .limit_high_and_flags = 0xAF,
	    .base_high = 0};
	*data = (struct gdt_entry){
	    .limit_low = 0xFFFF,
	    .base_low = 0,
	    .base_mid = 0,
	    .access = 0x92,
	    .limit_high_and_flags = 0xCF,
	    .base_high = 0};
	*tss_lo = (struct gdt_entry){
	    .limit_low = 0x67,
	    .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF),
	    .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF),
	    .access = SVM_ATTR_TSS_BUSY,
	    .limit_high_and_flags = 0,
	    .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)};
	// Upper half of the 16-byte descriptor: the first two 16-bit fields carry
	// address bits 47:32 and 63:48.
	*tss_hi = (struct gdt_entry){
	    .limit_low = (uint16_t)(tss_base >> 32),
	    .base_low = (uint16_t)(tss_base >> 48),
	    .base_mid = 0,
	    .access = 0,
	    .limit_high_and_flags = 0,
	    .base_high = 0};
}

// Runs CPUID on the host CPU with the given leaf (eax) and sub-leaf (ecx) and
// stores the four result registers. The outputs are zeroed first.
static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d)
{
	*d = 0;
	*c = 0;
	*b = 0;
	*a = 0;
	asm volatile("cpuid"
		     : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
		     : "a"(eax), "c"(ecx));
}

// Prepares the special registers of one vCPU for 64-bit paged execution:
// GDT, flat code/data segments, task register and TSS, page tables, IDT, the
// control registers and EFER; then applies them with KVM_SET_SREGS.
// Neither ioctl result is checked. If KVM_GET_SREGS fails, `sregs` is used
// without having been filled in.
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id)
{
	struct kvm_sregs sregs;
	ioctl(cpufd, KVM_GET_SREGS, &sregs);

	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt_host = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base);

	// Flat 64-bit code segment.
	struct kvm_segment code_seg;
	memset(&code_seg, 0, sizeof(code_seg));
	code_seg.selector = X86_SYZOS_SEL_CODE;
	code_seg.type = 11;
	code_seg.base = 0;
	code_seg.limit = 0xFFFFFFFFu;
	code_seg.present = 1;
	code_seg.s = 1;
	code_seg.g = 1;
	code_seg.l = 1;
	sregs.cs = code_seg;

	// Flat data segment, shared by all data segment registers.
	struct kvm_segment data_seg;
	memset(&data_seg, 0, sizeof(data_seg));
	data_seg.selector = X86_SYZOS_SEL_DATA;
	data_seg.type = 3;
	data_seg.limit = 0xFFFFFFFFu;
	data_seg.present = 1;
	data_seg.s = 1;
	data_seg.g = 1;
	data_seg.db = 1;
	sregs.ds = data_seg;
	sregs.es = data_seg;
	sregs.fs = data_seg;
	sregs.gs = data_seg;
	sregs.ss = data_seg;

	// Task register: limit 0x67 covers the 104 bytes zeroed below.
	struct kvm_segment task_seg;
	memset(&task_seg, 0, sizeof(task_seg));
	task_seg.selector = X86_SYZOS_SEL_TSS64;
	task_seg.type = 11;
	task_seg.base = X86_SYZOS_ADDR_VAR_TSS;
	task_seg.limit = 0x67;
	task_seg.present = 1;
	task_seg.s = 0;
	sregs.tr = task_seg;

	// Zero the TSS and store the stack pointer at byte offset 4, which is
	// rsp[0] in struct tss64.
	// NOTE(review): setup_pg_table() below zeroes the first 5 pages behind
	// gpa0_mem; this write survives only if the TSS is outside them. Confirm.
	volatile uint8_t* tss_host = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS);
	memset((void*)tss_host, 0, 104);
	*(volatile uint64_t*)(tss_host + 4) = X86_SYZOS_ADDR_STACK0;

	// The GDT is filled after setup_pg_table() because that call zeroes the
	// low guest pages.
	setup_pg_table(vm);
	setup_gdt_64(gdt_host);
	syzos_setup_idt(vm, &sregs);

	sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
	sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
	sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);

	// CPUID leaf 0 vendor string "AuthenticAMD" (EBX, EDX, ECX): enable SVM in
	// EFER and zero the per-CPU page at X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)
	// (presumably the host save area, going by the variable name).
	uint32_t leaf_a = 0, leaf_b = 0, leaf_c = 0, leaf_d = 0;
	get_cpuid(0, 0, &leaf_a, &leaf_b, &leaf_c, &leaf_d);
	const int is_amd = leaf_b == 0x68747541 && leaf_d == 0x69746e65 && leaf_c == 0x444d4163;
	if (is_amd) {
		sregs.efer |= X86_EFER_SVME;
		void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id));
		memset(hsave_host, 0, KVM_PAGE_SIZE);
	}

	// NOTE(review): the tables were built at X86_SYZOS_ADDR_PML4 while CR3 is
	// loaded from X86_ADDR_PML4; presumably both name the same address. Verify.
	sregs.cr3 = X86_ADDR_PML4;
	ioctl(cpufd, KVM_SET_SREGS, &sregs);
}

// Copies the CPUID table KVM reports as supported (up to 128 entries) into the
// vCPU.
// NOTE(review): open() and both ioctls are unchecked. If /dev/kvm cannot be
// opened, the query fails and KVM_SET_CPUID2 is still issued with nent = 128
// and all-zero entries.
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);

	char storage[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(storage, 0, sizeof(storage));

	struct kvm_cpuid2* table = (struct kvm_cpuid2*)storage;
	table->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, table);
	ioctl(cpufd, KVM_SET_CPUID2, table);
	close(kvmfd);
}

// Bits of the `flags` argument (a5) of syz_kvm_setup_cpu().
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

// syz_kvm_setup_cpu() continues beyond this point; its opening statements are
// reproduced here unchanged apart from line breaks.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text = text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
		memreg.guest_phys_addr = guest_mem + i * page_size;
		if (i == ioapic_page)
memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = 
X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; 
seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, 
X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | 
X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = 
tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if 
(text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; 
seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return 
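-1; return 0; }

/* RFLAGS bit 1 is the reserved always-set bit; bit 9 is IF (interrupts enabled). */
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

/*
 * Reset the general-purpose register file of one vCPU.
 *
 * All registers are zeroed, then RFLAGS gets the reserved bit plus IF, RIP is
 * set to `rip`, RSP to X86_SYZOS_ADDR_STACK0 and RDI to `cpu_id`.
 * The result of KVM_SET_REGS is not checked.
 */
static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id)
{
	struct kvm_regs regs;
	/* The listing had the mis-encoded "®s" here; the intended operand is &regs. */
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = rip;
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

/*
 * Copy a guest program into the text page of vCPU `cpu_id` and point the vCPU
 * at guest_main.
 *
 * A cpu_id outside [0, KVM_MAX_VCPU) is ignored silently. text_size is clamped
 * to KVM_PAGE_SIZE, which is also the per-vCPU stride inside vm->user_text, so
 * the copy stays inside this vCPU's page. The clamped size is published in the
 * globals page when one is mapped.
 *
 * NOTE(review): `text` is read for text_size bytes without validation; the
 * caller has to guarantee the source range is readable.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd, cpu_id);
	setup_cpuid(cpufd);
	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	reset_cpu_regs(cpufd, entry_rip, cpu_id);
	if (vm->globals_mem) {
		struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem;
		globals->text_sizes[cpu_id] = text_size;
	}
}

/* A contiguous host memory range: start address and length in bytes. */
struct addr_size {
	void* addr;
	size_t size;
};

/*
 * Carve `size` bytes off the front of the free range `free`.
 *
 * Returns the carved range and advances `free` past it. When fewer than `size`
 * bytes remain, `free` is left untouched and {NULL, 0} is returned.
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

/*
 * Register one guest-physical memory slot with KVM.
 * The result of KVM_SET_USER_MEMORY_REGION is not checked.
 */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg;
	memreg.slot = slot;
	memreg.flags = flags;
	memreg.guest_phys_addr = guest_phys_addr;
	memreg.memory_size = memory_size;
	memreg.userspace_addr = userspace_addr;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

/*
 * Copy the range [__start_guest, __stop_guest) into host_mem.
 * Exits the process when that range is larger than mem_size.
 */
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);
	memcpy(host_mem, &__start_guest, size);
}

/*
 * Lay out guest memory according to syzos_mem_regions and register each
 * region as a KVM memory slot.
 *
 * Host backing is carved sequentially out of vm->host_mem. Regions flagged
 * MEM_REGION_FLAG_NO_HOST_MEM get no backing and no slot. A region flagged
 * MEM_REGION_FLAG_REMAINING takes every page that is left and ends the loop.
 *
 * NOTE(review): the result of alloc_guest_mem() is used without checking for
 * the {NULL, 0} failure value; for the boot-args region that value would be
 * dereferenced.
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	struct syzos_boot_args* boot_args = NULL;
	for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) {
			vm->region_base[i] = NULL;
			continue;
		}
		size_t pages = r->pages;
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			pages = allocator.size / KVM_PAGE_SIZE;
		struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE);
		vm->region_base[i] = next.addr;
		/* Translate region attributes into KVM slot flags. */
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		/* Remember the host addresses of the regions other helpers need. */
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_PT_POOL)
			vm->pt_pool_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_GLOBALS)
			vm->globals_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) {
			/* Hand the guest a copy of the region table. */
			boot_args = (struct syzos_boot_args*)next.addr;
			boot_args->region_count = SYZOS_REGION_COUNT;
			for (size_t k = 0; k < boot_args->region_count; k++)
				boot_args->regions[k] = syzos_mem_regions[k];
		}
		/* Only patched when the boot-args region came earlier in the table. */
		if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args)
			boot_args->regions[i].pages = pages;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			break;
	}
}

/*
 * Pseudo-syscall: build a SYZOS VM on top of KVM VM fd `a0`, using the host
 * buffer at `a1`.
 *
 * The first page of the buffer holds the struct kvm_syz_vm bookkeeping; guest
 * memory starts one page later and spans KVM_GUEST_PAGES - 1 pages.
 * Returns the address of the bookkeeping struct.
 *
 * NOTE(review): assumes a1 points at KVM_GUEST_PAGES writable pages; nothing
 * here verifies that.
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;
	ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	ret->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, ret);
	ret->vmfd = vmfd;
	ret->next_cpu_id = 0;
	return (long)ret;
}

static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;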
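struct kvm_text* utext = (struct kvm_text*)a1;
	/* NOTE(review): utext is dereferenced before any NULL check (vm is checked just below). */
	const void* text = utext->text;
	size_t text_size = utext->size;
	if (!vm) {
		errno = EINVAL;
		return -1;
	}
	if (vm->next_cpu_id == KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	vm->next_cpu_id++;
	install_user_code(vm, cpufd, cpu_id, text, text_size);
	return cpufd;
}

/*
 * Print the vCPU's KVM_RUN exit information, general registers and selected
 * system registers to stderr for debugging.
 *
 * `run` may be NULL (syz_kvm_assert_syzos_uexit passes it unchecked); in that
 * case the KVM_RUN section is skipped. Both register structs are zeroed first,
 * so a failed KVM_GET_REGS/KVM_GET_SREGS prints zeros rather than stale stack
 * contents.
 */
static void dump_vcpu_state(int cpufd, struct kvm_run* run)
{
	struct kvm_regs regs;
	struct kvm_sregs sregs;
	memset(&regs, 0, sizeof(regs));
	memset(&sregs, 0, sizeof(sregs));
	/* The listing had the mis-encoded "®s" here; the intended operand is &regs. */
	ioctl(cpufd, KVM_GET_REGS, &regs);
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	if (run) {
		fprintf(stderr, "KVM_RUN structure:\n");
		fprintf(stderr, " exit_reason: %d\n", run->exit_reason);
		fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason);
	}
	fprintf(stderr, "VCPU registers:\n");
	fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags);
	fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx);
	fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi);
	fprintf(stderr, "VCPU sregs:\n");
	fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4);
	fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0);
	fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db);
	fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db);
	fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db);
	fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit);
}

/*
 * Pseudo-syscall: check that the last exit of vCPU `a0` was a SYZOS "uexit"
 * carrying the exit code `a2`.
 *
 * A uexit is an MMIO exit whose physical address is X86_SYZOS_ADDR_UEXIT; the
 * code is the first 8 bytes of the MMIO data. On any mismatch the vCPU state
 * is dumped to stderr.
 *
 * Returns 0 on match, -1 with errno EINVAL when the exit is not a uexit (or
 * `run` is NULL), -1 with errno EDOM when the code differs.
 */
static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2)
{
	int cpufd = (int)a0;
	struct kvm_run* run = (struct kvm_run*)a1;
	uint64_t expect = a2;
	if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd);
		/* run can be NULL on this path; dump_vcpu_state() tolerates that. */
		dump_vcpu_state(cpufd, run);
		errno = EINVAL;
		return -1;
	}
	uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0];
	if (actual_code != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code);
		dump_vcpu_state(cpufd, run);
		errno = EDOM;
		return -1;
	}
	return 0;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build a private root for the test process and switch into it.
 *
 * A tmpfs is mounted on ./syz-tmp and populated under newroot/ with: a
 * recursive bind mount of the host /dev, a fresh proc instance, selinuxfs
 * (either location, optional), a recursive bind mount of /sys, and optional
 * bind mounts of debugfs, smackfs, binfmt_misc and a read-only /syz-inputs.
 * The process then pivots (or, if pivot_root fails, chdirs) into the tmpfs and
 * chroots into newroot. Any mandatory step that fails exits the process.
 *
 * Isolation caveat: /dev and /sys are the host's own trees bind-mounted in, so
 * the new root narrows the visible paths but device nodes and sysfs stay
 * reachable from inside it.
 */
static void sandbox_common_mount_tmpfs(void)
{
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	/* selinuxfs may live at /selinux or /sys/fs/selinux; absence of both is tolerated. */
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	/* The remaining bind mounts are optional: ENOENT is accepted, other errors are fatal. */
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		/* pivot_root failed: fall back to chdir + chroot only. */
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		/* Detach the old root so it is no longer reachable by path. */
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}

/* Best effort: create and mount gadgetfs at /dev/gadgetfs; failures are ignored. */
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

/* Best effort: mount fusectl at /sys/fs/fuse/connections; failure is ignored. */
static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

/* Best effort: create and mount binderfs at /dev/binderfs; failures are ignored. */
static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exit(1);
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	struct rlimit rlim;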
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	/* Resource ceilings for the test process; setrlimit() results are not checked. */
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	/* Namespace separation is best effort: every unshare()/mount() failure below is ignored. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically. */
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	/* SysV IPC limits written after the IPC namespace unshare above. */
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Reap children until `pid` itself has been collected and return its exit
 * status. Exits the process when pid is negative (fork failed).
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the calling process. Every other capability is kept.
 * Exits the process if capget/capset fail.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: fork a child that applies the common limits and namespaces,
 * drops two capabilities, enters the tmpfs root and runs loop(). The parent
 * only waits for the child and returns its exit status.
 *
 * No uid/gid change happens here, so the test process keeps the identity and
 * the remaining capabilities it was started with; the PID and network
 * namespace unshares are best effort (failures ignored).
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, coping with what a test may have left behind:
 * mounts stacked on entries (force-unmounted first), files with inode flags
 * that block unlink (flags are cleared on EPERM), read-only filesystems
 * (EROFS ends the attempt for that entry) and directories that get repopulated
 * while being removed (up to 100 full retries). Unrecoverable errors exit the
 * process.
 *
 * Entries are examined with lstat() and unmounted with UMOUNT_NOFOLLOW, so
 * symlinks are not followed by those calls.
 * NOTE(review): the snprintf() into filename is not checked for truncation.
 */
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
	/* Peel off every mount stacked on the directory itself. */
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				/* Clear all inode flags, then retry the unlink. */
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			/* EBUSY: something is mounted on the entry; unmount and retry. */
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			if (errno == ENOTEMPTY) {
				/* New entries appeared meanwhile: rescan the directory from the top. */
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

/*
 * Write `nth` to /proc/thread-self/fail-nth for the calling thread.
 * Returns the still-open descriptor; the caller owns it. Exits the process
 * when the file cannot be opened or written.
 */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/*
 * Kill test process `pid` together with its process group and reap it.
 *
 * After SIGKILL the function polls for about 100 ms. If the process has not
 * exited by then, every connection listed under /sys/fs/fuse/connections is
 * aborted (one byte written to its "abort" file) and the function blocks
 * until `pid` is reaped.
 */
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			/* The byte written is simply the first byte of the path buffer. */
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

/* Detach whatever backing file is bound to this executor's loop device (/dev/loop<procid>). */
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

/*
 * Per-test setup in the forked child: request SIGKILL on parent death, start
 * a new process group (kill_and_wait() signals -pid), write the OOM score
 * adjustment 1000, and link ./binderfs to /dev/binderfs (failure ignored).
 */
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

/*
 * Probe for kernel fault-injection support and configure it through debugfs.
 * Returns NULL on success or a static message naming what is missing. Only
 * the failslab write is fatal; the other settings are best effort.
 */
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

static void setup_sysctl()
{
	int cad_pid = fork();
	if (cad_pid < 0)
		exit(1);
	if (cad_pid == 0) {
		for (;;)
			sleep(100);
	}
	char tmppid[32];
	snprintf(tmppid, sizeof(tmppid), "%d", cad_pid);
	struct {
		const char* name;
		const char* data;
	} files[]
= {
	    {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"},
	    {"/proc/sys/kernel/hung_task_check_interval_secs", "20"},
	    /*
	     * The next three entries relax kernel hardening machine-wide
	     * (JIT symbols exported, JIT hardening off, kernel pointers
	     * unmasked). Nothing in this function restores the previous
	     * values, so they stay in effect after the run.
	     */
	    {"/proc/sys/net/core/bpf_jit_kallsyms", "1"},
	    {"/proc/sys/net/core/bpf_jit_harden", "0"},
	    {"/proc/sys/kernel/kptr_restrict", "0"},
	    {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"},
	    {"/proc/sys/fs/mount-max", "100"},
	    {"/proc/sys/vm/oom_dump_tasks", "0"},
	    {"/proc/sys/debug/exception-trace", "0"},
	    {"/proc/sys/kernel/printk", "7 4 1 3"},
	    {"/proc/sys/kernel/keys/gc_delay", "1"},
	    {"/proc/sys/vm/oom_kill_allocating_task", "1"},
	    {"/proc/sys/kernel/ctrl-alt-del", "0"},
	    /* cad_pid is pointed at the sleeping helper child forked above, which is killed below. */
	    {"/proc/sys/kernel/cad_pid", tmppid},
	};
	/* Every write is best effort; failures are ignored. */
	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].name, files[i].data)) {
		}
	}
	kill(cad_pid, SIGKILL);
	while (waitpid(cad_pid, NULL, 0) != cad_pid)
		;
}

/* Requests read from the FUSE device must use a buffer of at least this many bytes. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes as dispatched by syz_fuse_handle_req(). */
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME = 12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51,
	FUSE_STATX = 52,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header that starts every request read from the FUSE device. */
struct fuse_in_header {
	uint32_t len;
	uint32_t opcode;
	uint64_t unique;
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

/* Header that starts every reply written to the FUSE device. */
struct fuse_out_header {
	uint32_t len;
	uint32_t error;
	uint64_t unique;
};

/*
 * Table of prepared replies, one per reply shape. Each entry points at a
 * buffer that begins with a fuse_out_header; an entry may be NULL.
 */
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

/*
 * Send a prepared reply for the request `in_hdr`.
 *
 * The request's `unique` id is copied into the reply, then out_hdr->len bytes
 * starting at out_hdr are written to `fd`. Returns 0 on success, -1 when
 * out_hdr is NULL or write() fails.
 *
 * NOTE(review): out_hdr->len comes from the reply buffer itself and is not
 * compared with the buffer's real size here; a short write is not detected.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

/*
 * Pseudo-syscall: read one request from FUSE device `a0` into the buffer
 * `a1` (length `a2`) and answer it with the matching prepared reply from the
 * table `a3`.
 *
 * The request is rejected (-1) when the table is NULL, the buffer is shorter
 * than FUSE_MIN_READ_BUFFER, the read fails, fewer bytes than a request
 * header arrive, or the header claims more bytes than were read. Opcodes
 * without a case below also return -1. FORGET and BATCH_FORGET return 0
 * without sending a reply.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	/* Never interpret the buffer as a header unless a whole header was read. */
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		/*
		 * Header-only replies reuse the init buffer with len forced to the
		 * bare header size. The shortened len stays in that buffer, so a
		 * later FUSE_INIT reply is sent with it as well.
		 */
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

/* Netlink attribute ids used in the mac80211_hwsim frame messages below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
/* Upper bound on the frame length accepted by syz_80211_inject_frame(). */
#define WIFI_MAX_INJECT_LEN 2048

/*
 * Send HWSIM_CMD_REGISTER on `sock` for the given generic-netlink family.
 * Returns the result of netlink_send_ext().
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr,
sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

/*
 * Pseudo-syscall: deliver the frame at `a1` (length `a2`) to the simulated
 * radio whose address is at `a0`, through the MAC80211_HWSIM netlink family.
 *
 * The length must lie in [0, WIFI_MAX_INJECT_LEN]. A fresh netlink socket is
 * opened, registered with hwsim, used once and closed on every path.
 * Returns 0 on success, -1 on any failure.
 */
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
/* Join modes accepted by syz_80211_join_ibss(). */
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

/*
 * Pseudo-syscall: put interface `a0` into an IBSS with the SSID at `a1`
 * (length `a2`), using join mode `a3`.
 *
 * The SSID length must lie in [0, WIFI_MAX_SSID_LEN] and the mode in
 * [WIFI_JOIN_IBSS_NO_SCAN, WIFI_JOIN_IBSS_BG_NO_SCAN]. The frequency is
 * marked fixed for the two *_NO_SCAN modes. Only in WIFI_JOIN_IBSS_NO_SCAN
 * mode does the call wait for the interface to reach IF_OPER_UP.
 * Returns 0 on success, -1 on any failure.
 */
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

/* Lifetime, in microseconds, granted to a child created by syz_clone/syz_clone3. */
#define USLEEP_FORKED_CHILD (3 * 50 *1000)

/*
 * Common tail of syz_clone()/syz_clone3().
 * In the parent (or on error) the clone result is returned unchanged. In the
 * child the function sleeps for USLEEP_FORKED_CHILD and then exits via the
 * raw exit syscall, so the child never returns into the test program.
 */
static long handle_clone_ret(long ret)
{
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	while (1) {
	}
}

/*
 * Pseudo-syscall wrapper around clone(2).
 * CLONE_VM is always cleared from `flags`, so the child never shares the
 * address space of the test process. The stack pointer passed to the kernel
 * is the end of the given stack range rounded down to 16 bytes.
 */
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

#define MAX_CLONE_ARGS_BYTES 256

/*
 * Pseudo-syscall wrapper around clone3(2).
 * The argument block at `a0` is copied into a local buffer (size `a1`, which
 * must lie in [sizeof(uint64_t), MAX_CLONE_ARGS_BYTES]) and CLONE_VM is
 * cleared in its first 64-bit word before the syscall, so the caller's memory
 * is not modified and later changes to it cannot alter the flags.
 */
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);
	uint64_t* flags = (uint64_t*)&clone_args;
	*flags &= ~CLONE_VM;
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

/* Protection key that syz_pkey_set() refuses to modify. */
#define RESERVED_PKEY 15

/*
 * Pseudo-syscall: set the two PKRU bits of protection key `pkey` to the low
 * two bits of `val`.
 * The key index is reduced modulo 16. RESERVED_PKEY is rejected with EINVAL.
 * Returns 0 on success.
 */
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	if (pkey == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	uint32_t eax = 0;
	uint32_t ecx = 0;
	asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	/* Two bits per key: clear the old pair, then insert the new one. */
	eax &= ~(3 << ((pkey % 16) * 2));
	eax |= (val & 3) << ((pkey % 16) * 2);
	uint32_t edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

/*
 * Pseudo-syscall wrapper around pidfd_open(2).
 * A request for pid 1 is rewritten to pid 0 before the syscall, so no pidfd
 * for pid 1 is ever requested by this wrapper.
 */
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

/*
 * Pseudo-syscall: write `input_data_size` bytes from `buffer` to
 * /sys/kernel/debug/kfuzztest/<test_name>/input.
 *
 * Returns 0 when the whole input was written and the file closed cleanly,
 * -1 otherwise (NULL name or buffer, path too long for the 256-byte buffer,
 * open failure, short write, close failure). The `input_data` argument is
 * not used in this function.
 *
 * NOTE(review): test_name is placed into the path as-is; it is not checked
 * for '/' or ".." components, so the opened path is only as constrained as
 * the name the caller supplies.
 */
static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer)
{
	const char* test_name = (const char*)test_name_ptr;
	if (!test_name) {
		return -1;
	}
	if (!buffer) {
		return -1;
	}
	char buf[256];
	int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name);
	/* Reject both formatting errors and truncated paths. */
	if (ret < 0 || (unsigned long)ret >= sizeof(buf)) {
		return -1;
	}
	int fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
	if (fd < 0) {
		return -1;
	}
	ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
	if (bytes_written != input_data_size) {
		close(fd);
		return -1;
	}
	if (close(fd) != 0) {
		return -1;
	}
	return 0;
}

/* State of one worker thread: whether it exists, the call it runs, and its handshake events. */
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
/* Number of calls currently in flight; updated with relaxed atomics. */
static int running;

/*
 * Worker thread body: wait for `ready`, run the assigned call, decrement the
 * in-flight counter and signal `done`; repeat forever.
 */
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 57; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			if (call == 1)
				break;
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 41 ? 4000 : 0) + (call == 48 ? 200 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 300 : 0) + (call == 53 ? 300 : 0) + (call == 54 ? 300 : 0) + (call == 55 ?
300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[29] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x200000000000, "/dev/admmidi#\000", 14); inject_fault(1); res = -1; res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0x302d694, /*flags=O_NOFOLLOW|O_DIRECTORY|FASYNC|O_APPEND*/0x32400); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80045700, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000080, "/dev/hpet\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); for (int i = 0; i < 4; i++) { syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); } if (res != -1) r[1] = res; break; case 3: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40045436, /*arg=*/0x17ul); break; case 4: *(uint32_t*)0x200000000100 = 0x14; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/6, /*optname=*/0x1d, /*optval=*/0x2000000000c0ul, 
/*optlen=*/0x200000000100ul); break; case 5: *(uint64_t*)0x200000000340 = 0x8800000; *(uint64_t*)0x200000000348 = 0x200000000140; *(uint64_t*)0x200000000350 = 0x200000000180; *(uint64_t*)0x200000000358 = 0x2000000001c0; *(uint32_t*)0x200000000360 = 0; *(uint64_t*)0x200000000368 = 0x200000000200; *(uint64_t*)0x200000000370 = 0x72; *(uint64_t*)0x200000000378 = 0x200000000280; *(uint64_t*)0x200000000380 = 0x200000000300; *(uint32_t*)0x200000000300 = 0; *(uint32_t*)0x200000000304 = -1; *(uint32_t*)0x200000000308 = 0; *(uint32_t*)0x20000000030c = -1; *(uint32_t*)0x200000000310 = 0; *(uint32_t*)0x200000000314 = 0; *(uint32_t*)0x200000000318 = -1; *(uint32_t*)0x20000000031c = 0; *(uint64_t*)0x200000000388 = 8; *(uint32_t*)0x200000000390 = r[1]; res = -1; res = syz_clone3(/*args=*/0x200000000340, /*size=*/0x58); if (res != -1) r[2] = *(uint32_t*)0x200000000180; break; case 6: syscall(__NR_kcmp, /*pid1=*/r[2], /*pid2=*/0, /*type=KCMP_FILES*/2ul, /*fd1=*/r[0], /*fd2=*/(intptr_t)-1); break; case 7: *(uint32_t*)0x2000000003c0 = 0; *(uint32_t*)0x2000000003c4 = 4; *(uint32_t*)0x2000000003c8 = 0; *(uint32_t*)0x2000000003cc = 8; *(uint32_t*)0x200000000400 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0, /*val=*/0x2000000003c0ul, /*len=*/0x200000000400ul); if (res != -1) r[3] = *(uint32_t*)0x2000000003c0; break; case 8: *(uint16_t*)0x200000000440 = 6; *(uint16_t*)0x200000000442 = 0x8207; *(uint32_t*)0x200000000444 = 0x96d; *(uint32_t*)0x200000000448 = 0x10; *(uint32_t*)0x20000000044c = r[3]; *(uint32_t*)0x200000000480 = 0x10; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0x22, /*val=*/0x200000000440ul, /*len=*/0x200000000480ul); break; case 9: syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc04c6100, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 
0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); *(uint16_t*)0x200000000042 = 0x8000; memcpy((void*)0x200000000044, "\x63\x44\x8e\xdb\x2f\xb0", 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 0; syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x10); break; case 11: memcpy((void*)0x200000000080, "wlan0\000", 6); memset((void*)0x2000000000c0, 2, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=JOIN_IBSS_BG_NO_SCAN*/2); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_kernel_create_files_as\000", 31); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\x28\x03\x83\x7c\xbc\xf3\x7b\xce\x72\xc1\xa7\x3b\x90\x9c\x68\xfe\x5b\xf7\xa6\x36\x3c\xdc\x90\xc0\x0d\xc6\x01\x3b\x35\xda\x02\xa6\x6a\x05\x91\x66\x71\x54\xa5\x56\x7c\x0e\x5e\xe6\x93\x3d\x6d\xa8\xbf\xed\xac\x5d\x27\x8a\x29\x1e\xfa\x30\x20\xba\x15\xe3\x90\xeb\x38\xda\x76\x26\x1c\x3a\xef\xf9\xee\xa8\xab\xea\xce", 77); memcpy((void*)0x200000000240, "\x6a\x0b\x56\xff\x4b\x8f\xac\x28\x77\x3c\xa1\x37\x65\x2b\x5b\x0f\xd8\x03\xa0\x41\x3c\x28\x20\x37\xf7\x21\xcb\x96\xec\xf2\xbb\x1a\x61\x6d\xc3\xd5\x6e\xee\xa2\x6f\x6b\x16\xf4\x56\x2d\x17\xc6\xd8\xb8\x83\x8f\x18\x44\xb5\x85\xeb\xcc\x0b\x56\x2f\x05\x57\xb2\xc7\xe9\xf0\xdd\xa1\xce\x4c\xc6\x1d", 72); res = -1; res = syz_clone(/*flags=CLONE_NEWCGROUP|CLONE_SETTLS*/0x2080000, /*stack=*/0x200000000140, /*stack_len=*/0x4d, /*parentid=*/0x2000000001c0, /*childtid=*/0x200000000200, /*tls=*/0x200000000240); if (res != -1) r[4] = res; break; case 14: *(uint64_t*)0x200000000480 = 0xc2e0; res = syscall(__NR_socketcall, /*call=*/8ul, /*args=*/0x200000000480ul); if (res != -1) r[5] = res; break; case 15: *(uint64_t*)0x2000000004c0 = 0x18000000; *(uint64_t*)0x2000000004c8 = 0x2000000002c0; 
*(uint64_t*)0x2000000004d0 = 0x200000000300; *(uint64_t*)0x2000000004d8 = 0x200000000340; *(uint32_t*)0x2000000004e0 = 9; *(uint64_t*)0x2000000004e8 = 0x200000000380; *(uint64_t*)0x2000000004f0 = 0x29; *(uint64_t*)0x2000000004f8 = 0x2000000003c0; *(uint64_t*)0x200000000500 = 0x200000000440; *(uint32_t*)0x200000000440 = r[4]; *(uint32_t*)0x200000000444 = r[4]; *(uint32_t*)0x200000000448 = r[4]; *(uint64_t*)0x200000000508 = 3; *(uint32_t*)0x200000000510 = r[5]; res = -1; res = syz_clone3(/*args=*/0x2000000004c0, /*size=*/0x58); if (res != -1) { r[6] = *(uint32_t*)0x2000000002c0; r[7] = *(uint32_t*)0x200000000300; r[8] = *(uint32_t*)0x200000000340; } break; case 16: memcpy((void*)0x200000000540, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000540); break; case 17: memcpy((void*)0x2000000006c0, "/dev/fuse\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000006c0ul, /*flags=*/2, /*mode=*/0); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000002b00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0, /*optname=*/0x11, /*optval=*/0x200000002a00ul, /*optlen=*/0x200000002b00ul); if (res != -1) r[10] = *(uint32_t*)0x200000002a34; break; case 19: *(uint32_t*)0x200000002b40 = 5; *(uint32_t*)0x200000002b44 = 0xee00; *(uint64_t*)0x200000002b48 = 1; *(uint64_t*)0x200000002b50 = 5; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x4018aee3, /*arg=*/0x200000002b40ul); if (res != -1) r[11] = *(uint32_t*)0x200000002b44; break; case 20: *(uint32_t*)0x200000002c00 = 0xee00; *(uint64_t*)0x200000002c08 = 0; *(uint64_t*)0x200000002c10 = 8; *(uint64_t*)0x200000002c18 = 1; *(uint32_t*)0x200000002c20 = 6; *(uint16_t*)0x200000002c24 = 5; *(uint16_t*)0x200000002c26 = 0; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x40286608, /*arg=*/0x200000002c00ul); if (res != -1) r[12] = *(uint32_t*)0x200000002c00; break; case 21: *(uint32_t*)0x200000002f00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0x29, 
/*optname=*/0x23, /*optval=*/0x200000002e00ul, /*optlen=*/0x200000002f00ul); if (res != -1) r[13] = *(uint32_t*)0x200000002e34; break; case 22: *(uint32_t*)0x200000004040 = 8; *(uint32_t*)0x200000004044 = 0; *(uint32_t*)0x200000004048 = -1; *(uint32_t*)0x20000000404c = 2; *(uint32_t*)0x200000004050 = 0x10; *(uint32_t*)0x200000004054 = 4; *(uint16_t*)0x200000004058 = 7; *(uint32_t*)0x20000000405c = 0x7f; *(uint64_t*)0x200000004060 = 0xbb; *(uint64_t*)0x200000004068 = 0xf; *(uint64_t*)0x200000004070 = 4; *(uint32_t*)0x200000004078 = 0x800; *(uint32_t*)0x20000000407c = 2; *(uint16_t*)0x200000004080 = 5; *(uint16_t*)0x200000004082 = 0; *(uint64_t*)0x200000004088 = 0x200000002f40; memcpy((void*)0x200000002f40, "\xa0\xfc\x03\x37\xfa\xea\x63\x1f\x70\x4d\x04\xb5\xa5\x94\xdd\x3a\x87\xe2\x74\x7c\x38\x74\x0f\x43\x57\xe5\xcb\x22\x1b\xf4\x40\x57\x95\xc2\x99\x06\x22\x7d\x36\x4e\x04\x46\xeb\xf7\x7d\x11\x1a\xb6\x66\x81\x06\xa0\x02\x14\x0a\x81\x07\x1b\x6d\x28\xcf\xab\xb3\x7a\xea\x4e\x26\xc4\x65\x7d\xb3\x19\x16\xf1\x71\x81\xef\x2f\xbb\xa8\xcf\x19\x4a\x98\xc4\x35\xa1\x00\x7c\x27\x0c\xd6\xef\xf5\xc6\x42\x45\x37\x19\x7a\x13\x02\x02\xf2\x8c\xe2\x58\x6b\xe0\xce\xff\x0d\xb4\x7a\x35\x35\x12\x18\xf4\x9a\x45\x99\xa9\x8e\x93\xfd\x6f\xa6\xbe\x92\x17\x67\x82\xd2\x9c\xcf\xc9\x00\xc7\x67\xf4\xde\x10\x2c\x3a\x77\x79\x57\x7f\xf3\x6f\x42\x7d\xca\xed\x1e\x8d\xd3\x89\x65\x0f\xbe\x9c\xc0\xca\xb5\xb4\x39\x0e\x80\x5e\xc3\x0a\xd6\x41\x1c\xff\x60\x65\xa8\xa5\x76\x10\xab\x7c\x61\x01\x32\xa2\xa1\xbf\x37\xc8\x71\xd0\x6a\x9d\x78\xcc\x27\x68\x8f\x4b\xef\xa7\xbd\x11\x2a\x69\xdf\x64\xb5\x51\xe3", 214); *(uint64_t*)0x200000004090 = 0x200000003040; memcpy((void*)0x200000003040, 
"\x64\xb9\x52\x0e\xb1\x74\x93\x9e\xc8\x76\x43\xa2\xfd\xaf\xfe\xa4\x52\x7b\xbf\xd5\x1b\x07\xac\x94\x67\x16\x9d\x3c\x7b\xaa\x5d\xc6\x5b\x8a\x38\xd9\x50\xc8\x58\xff\x99\x23\x7e\x6e\xc0\x6b\x46\x56\xa5\x2a\xcb\x76\xc7\x55\xc1\xcf\xf1\xc0\xa6\x5e\x3d\x16\x32\xfa\xbd\x9e\x1b\x38\x18\x52\xb6\xfc\xfc\x05\x87\x44\x85\x6a\x80\xa2\x9f\xb4\xdb\xdd\x71\x5b\x3c\xd0\x8e\x15\xa5\x34\x05\xd0\xfd\x2f\xf7\xea\xc8\x36\x33\x8c\x4e\xca\x04\x56\xff\x78\xcc\x57\x12\x33\x21\x46\xb6\x71\xbc\x42\x86\x1c\xd8\xbb\x43\x20\x09\x85\xa3\x62\xf3\x9f\x15\xbd\x43\x7f\x06\x45\x8b\x86\x7d\x4b\xea\x22\x27\x49\x32\x50\xd8\x3f\xb4\x6f\x72\x97\xb8\xf8\xc2\x73\x51\xcc\xbe\xc4\xff\xd0\x71\x75\xa7\xc5\xe2\x31\x9e\x94\x21\x0d\x4a\xf5\x06\x1e\x74\x3f\x05\x0f\x2e\xa5\x38\xa3\xed\x9d\x03\x59\xf5\xa7\x54\x6c\x3d\x01\x13\xe2\x55\x26\x8c\xd0\x48\x3a\xb1\x86\xf9\xc5\x55\x02\x02\xa9\xfa\x3f\xa0\xc4\xa2\xa5\x80\x52\x41\x81\x9c\xf9\xc3\x45\xce\xcc\x6b\x77\xdd\x7c\x29\x97\x50\xb6\x7f\xf8\xcb\x5d\x9a\x6b\x0d\x3d\x98\x16\xdb\xeb\x6f\xdb\xc5\xea\x9f\xae\x4a\x25\xe1\x9b\x48\xe5\x10\xdd\xb5\xd4\xd1\x27\x1b\xa0\xc4\xa0\x83\xd0\x4c\xc5\x09\xb4\x0f\x1a\x84\x91\x95\xf3\xbc\x3e\x9f\x63\xb7\xcc\x74\x73\xff\xc7\x40\xcf\x1a\x97\x9b\xd1\xd7\xe9\x31\x7f\x6f\xc7\x7a\x62\xe5\xac\xab\x36\xc4\xa0\x63\x06\x9c\xfb\x20\x7d\xcc\x7a\xf7\x0b\x77\xa7\x43\xb3\x62\xd9\xd9\xfa\xe0\xdb\xc6\x80\x92\x3a\x0e\x34\x54\x02\x6b\x6d\xa9\x57\x9f\x35\x2a\xfe\xf7\xab\xbc\xa7\xbf\xc1\x4a\xef\x0f\xb3\xd1\x30\x55\x06\xb9\x79\x40\xea\x12\x7f\xfe\xd1\x3e\xee\xa6\xca\xe0\xbe\x96\xf5\xbe\x73\x85\xe8\xe9\xba\x4f\x00\xfd\xc5\x18\x59\xd8\x25\x19\x27\x18\xdc\xf2\x3e\x0b\x6d\xa4\x13\xaf\xf8\x54\xba\x52\x21\xba\x8d\x27\xff\x02\xb6\xc0\xf9\x66\x7f\x2f\xfe\x72\xf4\x34\xf4\xc7\x08\x5a\x52\xfe\xe5\xf0\x87\x1b\xc2\x0a\xeb\xc8\xef\x87\xc1\x7c\x49\xb2\xa4\x34\x24\x21\x54\x77\x0e\x3a\xe2\x68\xd5\xba\xe1\x1f\x22\xf2\x14\x61\x69\xd7\xa9\xc1\x6b\x5d\xaf\x83\x03\x11\x11\xce\x5c\xe9\x92\xd2\x75\xbb\x9b\xc5\xd1\x29\x0f\x7f\xea\x35\x66\x07\xe8\xdd\x9a\xcc\x55\x84\x9e\xeb\x50\x28\x27\x37\x4
c\x45\xdc\x89\xdd\x11\x86\xec\x92\x10\xbf\xf8\xe0\x05\xb7\xcb\x2c\x13\x4a\x92\x2d\x6d\xdc\x51\x22\x81\xe6\xf5\xaa\x9b\x10\x4d\x04\xbc\xc6\x00\x0b\x9f\x95\xf7\x43\x93\xf3\x12\xc9\x90\xf7\xd2\x9d\xee\x0e\xf7\xa4\xb1\x58\xfe\x69\x19\x6b\x06\x83\xf3\x5e\x8b\x4b\xa6\x5b\xb4\x9b\x31\x3d\x92\xd6\xf6\x7f\x72\xf7\xc3\xe7\xde\x4d\xd8\x84\xd7\x2c\x78\x6d\x66\xbd\xf5\x98\xa1\x5f\x9a\xc2\x96\xea\x70\x74\x03\x43\xd9\x45\x91\x18\x64\x48\xae\x73\xee\xa6\x10\x1d\xe1\x3d\xf6\x67\xab\x6e\xa1\xf5\x5a\xba\x4c\x11\x3d\x0a\xc4\x2b\xba\x7e\xc5\xbd\x1d\x56\xb6\xbc\x94\x70\x45\x59\x5c\x76\xc8\xf6\x93\x39\xbd\x2f\x19\x3d\xe2\x46\x53\x30\x10\xf4\x2a\xc9\x3c\xe0\xaf\x99\xf4\x0a\xe8\xbf\x3a\x30\x54\x3d\x68\x61\xb2\xca\x30\x6c\x0c\x08\x1d\xb7\x92\xaf\x44\x88\x20\x40\x9c\x05\x33\x0b\xdb\xe4\x4f\x70\xc5\x56\x1d\xff\x87\x04\xb5\xee\xb7\x12\xac\xd3\x21\xfb\x7b\xd5\x8c\x80\x9f\xb1\x1d\x01\x7c\x34\x87\x98\x54\xf1\x53\x24\x17\x41\xfd\xf8\xde\x35\x35\x6b\xee\x7a\x0c\xb4\x0a\x72\x6c\xc7\x83\x17\x57\x59\xe2\x66\xdd\xbc\x98\xe3\xe5\xf8\x22\x02\x4e\x33\x59\xa7\xfe\xc0\xe0\x9f\x0d\x1e\x21\x42\x62\xea\x20\x9a\x9d\xdf\x12\x28\x0e\x28\x72\x33\x93\x36\x88\x17\xde\x6d\x20\x0a\xc6\xf9\xd1\x4c\xee\x80\xcb\x71\x35\x47\xca\xd5\x53\x33\xac\xaf\xf3\xa3\x2b\x48\x96\x48\x45\x50\x1b\xf1\x08\xe8\xf5\x15\x72\x8b\x36\x72\x62\x90\xb4\x78\xf7\xf3\xda\x9a\x62\xdd\xb1\xd4\x4f\x5e\xd5\x69\xc7\xcf\xf3\x04\x51\xb1\x35\x5d\x34\x91\xeb\x80\x34\x5c\xfd\xb9\x38\x47\x5f\x9d\x16\x18\x1c\xb1\xe3\xd7\x33\xea\x45\xab\xa0\x4c\xbe\x41\x9b\x1f\xe3\x9d\xe5\x14\xe8\xb0\x0d\xb8\x27\xfe\xc1\x95\xae\x77\x31\xb2\xa6\x4a\xd2\x58\xc1\xcf\x2d\x4c\xd9\x7d\xd9\xde\xc3\x56\x4f\x9c\xa7\x4e\xd6\x25\x83\x0e\xd3\x2b\x05\x07\xad\x8c\x97\xf6\x3f\x5a\x2b\x39\xbb\xae\xc0\x4b\x3b\x88\x9b\x6d\x7c\x9f\xb9\x89\x93\xd5\xe5\xae\x40\xcd\x6b\x63\x72\xbc\x63\x1d\x37\xda\xc4\xab\x3d\x48\xb5\x89\x5b\x00\x30\xe0\x02\xe7\xf4\x43\xbe\xad\x14\xa5\x77\x7e\xcf\x5e\xe9\x99\x83\xb3\xc0\xf5\x00\x53\x9d\x02\xba\x11\xcb\x4b\xf3\x25\x99\x06\xbb\xcc\x34\x85\x5e\x6d\x4b\x2c\x49\x31\x68\x1
6\xd4\xd1\x73\x40\xd8\x93\x8d\xbb\xad\x5f\x2c\xbf\xe8\x3d\xa5\x7f\x59\xe5\x1c\x9e\xb6\xff\x62\x15\xf7\x94\xf6\x82\x28\x20\xb0\x59\x12\xdf\x85\xfe\xa5\x3c\x04\x6d\xd6\xe8\x89\x24\xa1\x8e\x71\xc0\xcd\xa6\x58\xb5\x8a\xff\x26\x19\x4f\x88\xdf\x81\xda\xf0\x6e\xe0\x94\x2c\xda\x0d\xf1\x8b\x41\xb0\xe2\x30\xb3\x05\xb4\xf9\xa4\x7f\xdb\x18\xc6\xd6\x8c\xce\xba\x1f\x24\xf2\x75\x6b\xd9\x6a\x79\x91\x12\xc3\x48\x5e\x39\x4d\x2d\xd9\xfc\x87\xab\x1b\x46\x51\xad\x05\x8a\x3e\x44\x46\x1d\x2c\x72\xf0\x38\xff\x88\x11\x04\xcb\x75\xcc\x79\x68\x3a\x9d\x97\xd8\x81\xcf\xfb\x92\xb0\x5c\x12\xbf\x4d\x3a\xb4\xdb\xe1\x79\x08\xfb\x79\x9e\xaf\xfa\x9c\xaf\xa4\xa6\x1c\xe2\x0a\xa4\xb3\xeb\xc3\xc7\x52\x20\xaa\x65\xc9\x80\x3a\x77\xf1\x81\xda\x39\x24\xcc\xa5\xf6\x05\x96\x12\xe4\x54\x86\x10\x6f\x22\xb8\xc8\x91\xf7\xb1\x46\x62\xab\xd6\x4b\x32\x58\xed\x13\xbd\xcd\x6d\x1a\x77\xc6\xa4\x15\x19\xd6\x60\x63\x74\x3a\x19\x18\xbb\x13\xe9\xb7\x57\x7f\xb6\xbb\x7d\xf2\x3f\xf1\xb9\x6e\x78\x2b\xda\x63\x94\xd4\x86\x1a\x7e\x0a\xc8\x0d\x1c\x6c\xc8\x4a\x30\x3b\x78\x41\xe5\x89\xd6\x6b\xed\x37\xcc\xc0\x5f\x4e\x9b\x4d\xfb\xc5\x3d\x3b\x50\xd5\x0e\x02\xc8\x7d\x41\xf5\x3f\x86\xde\xcb\x39\xc7\x06\xf5\x37\x2e\x9d\x6e\x3d\xde\x53\x05\x96\x20\xd2\x78\x45\xf3\xed\x77\xcd\x58\x99\xe3\x3a\xed\x5c\x4f\xb1\x40\xf8\xe4\x05\xfa\x2e\x0e\x11\x72\xea\xa7\xd4\xe9\x12\x98\x7a\x0a\xa3\xac\xf7\xc2\xd8\xe9\x4d\x16\xc9\x98\xc9\x87\xfd\x40\x4b\x23\x4e\xf7\x36\x1d\x0c\x53\x87\xe6\xb9\xd5\x5f\xb9\x72\xc7\xdc\x21\x72\x26\xce\x13\xd8\x2a\x59\x31\x1f\xe2\x69\xa0\x9c\x38\x4e\x73\x9a\x66\xbe\x43\x54\x79\x1f\x38\x1e\x74\xcc\x5d\xfb\x9a\x92\xfb\xff\xf8\x59\x5d\xf2\x4b\x40\x3e\xaf\xb0\x04\x73\xeb\x0b\x2e\x7f\xee\x36\xdb\xa4\xa9\x08\x93\x8b\xcf\xcc\xe9\x61\xfd\x10\xec\x29\xe5\x6d\xfe\x40\x59\x1e\x13\xd5\xe5\x3f\x16\xc8\x75\x9c\xa2\x7f\x80\xce\x90\x4f\x2d\x7c\x43\x32\x10\x97\x59\x5e\x90\x76\x39\xf2\x0f\x9e\x8d\xce\x70\x0c\x39\xd0\xe4\x42\xda\x88\x7a\x4d\xf0\x82\xeb\x7e\x17\x2f\xaf\xdc\xb0\x0b\x00\x8c\xaf\x55\x23\xd1\xfe\x5f\x24\x0a\xe9\x91\x49\x6d\xb9\x33\x89\xaf\x4
1\x85\xe9\xc9\xcc\xbd\xcb\x97\x31\xce\x7a\x77\x0a\xe2\xab\xac\x9d\x8c\xdd\xf3\x13\x23\x1a\x55\xe1\x27\x7b\xd3\x6c\x1e\x44\x84\x2b\x38\x72\x55\x5c\xcd\xcb\x3a\x06\x84\x59\x13\x21\xff\x15\xdc\x6d\x2c\xef\xfd\x58\x5d\xbe\xb9\x90\xe4\x05\x4f\xab\xc1\x8a\x9e\x9f\x1d\xe1\x3b\xfa\xd9\xde\x7f\x8d\xeb\x6b\x6c\x47\x2c\x42\x33\x67\xee\xad\x52\x50\x04\xde\xfa\x9e\x17\xc6\x79\x02\x36\x0b\xf1\x63\xa0\x1e\x98\xf6\xe7\x55\xcf\xf6\x28\x2a\xee\xbd\x1e\x8a\x09\x71\x5c\x15\xb9\xed\xaa\x50\x0d\xe0\x74\xc2\x8b\xad\x6d\x03\x57\x8c\x5e\x1c\x87\xbe\x71\x17\xf5\x4e\xef\xc3\x31\x3c\x38\xb6\x1d\x88\xa6\xa5\x0a\x0f\x36\xfd\xbf\x08\x4c\xb4\x14\x47\xc6\x90\xd3\xff\xcc\x83\x14\xe9\x1a\xda\x81\xd3\x4a\xcc\xd3\xe0\x6d\x19\xbc\xa2\x8f\xb4\x9b\xed\x5e\x32\xf4\xeb\xd5\x49\x29\xe4\xab\x51\xa6\x59\xb8\x1c\x1c\x35\xdf\x9e\x51\x47\x69\xb9\xeb\x31\xd7\x1d\x43\x78\x64\xf5\x4e\x99\x2a\x2b\x9b\x15\xe2\xfd\x32\x07\x81\x77\x56\xb4\x86\xd0\x81\xaf\x39\x7b\x21\xa2\x58\x44\x3d\x86\xa2\x0a\x82\xda\xb3\x09\x4a\x48\x83\x32\x47\x91\xd6\x7c\xea\x91\x8b\xec\x79\x94\xab\xce\xc1\x80\xf8\xfb\xd4\xae\x90\xad\x2c\x78\x5d\xe7\x74\x73\x08\xd8\x0a\x73\x31\x86\x4b\xd1\xa9\xbf\xfb\x51\x44\x07\x78\x51\x93\x92\x74\x05\xf7\x78\xa1\x66\x51\x4a\x33\x9b\xfe\x16\xf5\xcb\x8e\xe3\x49\xa0\x8e\x25\xb9\x4d\xc3\x51\xc7\x2e\x98\xc6\xba\xf1\x86\x02\x50\x60\xcd\x98\xd7\xd1\x4b\xf8\xee\x06\x02\x40\x40\x5a\x1c\x10\x20\x2c\xb3\x48\x57\xab\x67\x4e\xff\x41\xcd\x46\xc0\x3d\x2f\xfc\xca\xbf\x19\x4e\x0f\x35\x16\x58\xab\x02\xd9\xa1\xf9\x28\x30\x61\x7d\xe6\x91\x35\x50\x95\x34\x64\x7b\xc4\xcc\x20\x52\x87\xb2\x51\x55\x3f\xcc\x76\x89\xd5\xe6\x69\xf9\xba\x4b\xdb\x40\x36\xe0\x64\xb2\xa7\x91\xea\x5d\xe9\x3c\x66\x91\x8a\xd6\x1c\xf1\x0b\xe4\xf5\x56\x4a\x07\x1b\x02\xb9\x36\x5b\xc5\x87\x31\x6e\x65\xbd\x12\x64\xfe\x1f\x8d\xc7\xd2\x44\xab\x33\x19\xe9\xa9\x05\xe2\x44\xa0\xd0\x00\xbf\x3c\x56\x68\x11\xf7\x29\xd1\x0f\x9d\x81\xb0\x60\xcb\x7f\xf9\x3d\xa8\x05\x6d\x64\x1f\x93\x12\x1c\x50\xb9\x87\xe4\x14\x9d\x44\xc2\x34\x91\xe9\xde\x6a\x5c\x1d\x6b\x26\xf6\x44\xb3\xb0\x20\x62\x7
c\xaf\x32\xd4\x7f\x95\xa4\x85\x7b\x36\x53\x0f\xf5\xc5\xbe\x38\xca\x37\xb9\x0d\xec\x3b\xde\x10\x75\x61\x58\xd6\xdb\x91\xbc\xbb\xea\x66\x65\xfa\x14\x08\xae\xc0\x02\x5d\x9d\xfe\x3d\xe8\xa5\x7b\x8a\xf3\x00\x17\x9b\xff\x26\x03\x2e\x61\xdb\x60\xd6\xe2\x0a\xcb\x67\x15\x95\x05\x6f\xd6\x5e\x84\x03\x80\x40\xf0\x7d\x46\xdb\xd4\xcb\x8c\x0d\x3c\xe9\xfd\xa0\x02\xd2\x2e\x24\x75\x0f\x14\x58\x01\xaf\x85\xd7\x82\x68\x1b\xb9\xb1\x22\x8f\xb2\x81\xc5\x43\xe5\xdc\xde\xf8\x4b\x7a\x26\x26\xde\x59\xe1\xec\x79\xe4\x4d\x1a\x23\x0f\xed\xda\x6e\x30\x37\xb0\xe9\xc4\xca\x47\x5d\xcd\x31\x9b\x86\xbd\x4a\xb2\xcc\x3c\xd5\xee\x47\x85\x7a\xda\xa8\x8e\x7e\x77\xaf\xaa\xb3\xfd\x85\x07\x6e\xdb\x36\x15\xba\x44\xe9\x7b\x5e\x18\x1b\x5e\x8c\x86\x11\x78\x48\x54\xa8\xae\xbd\xcc\x09\x83\xe0\xb8\x37\x45\x5a\x29\x01\xb9\x19\x80\xb0\x5e\xfc\x92\x23\xd2\x06\xdc\xaa\x5b\xe6\x74\x5c\xbd\xfb\x6f\x9a\xf1\x38\x73\xb3\x77\x3f\x5a\x59\xbe\xaa\x0f\x4a\x36\xdd\xd3\x83\xd6\x3e\x12\xf5\x0e\x0f\x7c\x53\x3e\x6a\x55\x9e\x54\x5d\x28\x51\xd0\x4b\xd3\x6e\x41\x2d\x89\x1e\xac\x7b\xbf\xf3\x99\x36\x93\x7f\xa3\xe4\xfb\xfa\xf5\x10\x37\xc5\x0a\x7d\x57\x30\x05\x1e\x4c\x69\x84\xf3\x94\xf3\xf5\x9f\xaa\x61\xac\x96\xfc\x2b\xa4\xe3\x35\x64\xc2\xbb\xc6\x07\xb1\x8e\xf8\xae\xf1\x9b\x88\xb7\xac\x63\xce\xf3\xe0\x97\x1f\xa1\x15\x62\x33\x37\x3f\xa5\xb5\x8f\x16\xfa\x99\x31\x2d\x84\xa6\xb7\x90\xe7\xa6\x63\xba\x05\xe2\x37\x38\x5e\xb4\x13\xe4\x26\x0e\x02\x1b\xa3\x87\x91\x23\x57\xfe\xd3\x9f\x13\x66\xe7\x31\x8e\xbe\xa7\xb9\x21\xde\xd5\xd9\xf9\xab\x5a\x86\x12\x16\x48\x31\x0f\x09\x04\x25\x8a\x9e\x4d\x59\x0d\x65\x43\x1d\x23\xe6\x22\x30\x9d\xe9\x64\xcb\x77\xdf\x8f\x28\x07\x66\x7b\xd5\x81\x81\xe4\x85\xc2\xe0\x3c\x29\x5c\x15\xe5\x27\x4c\x70\x6c\x1a\x00\x27\xb6\x75\x1e\x40\x95\x9a\x15\x81\xc7\x10\x77\x4b\xd5\x57\x53\x67\xc9\x3c\x17\xfb\x84\x44\x97\x6e\x38\x47\x11\xd4\xde\xbc\xe0\x97\x54\xe9\x7b\x04\x8d\x47\xb3\xdd\x82\xf7\x5f\xa9\x39\x37\xd0\x72\x2c\xb2\x37\x9e\x8b\x4b\x02\x67\x59\x91\xed\x1b\xc5\xf1\xf1\x5f\xea\x5f\xbe\x59\xc6\x3a\x29\x91\xaf\x99\x8a\x21\x99\x1f\x1
d\x46\xcd\x3d\x21\x1a\x53\x2c\xee\x73\x2f\xfb\xcf\x55\xb2\x87\x90\xc4\xba\xdb\xa7\x68\xc5\x7a\x26\x23\xdf\x69\xb3\x96\xc2\xac\xcf\x92\x58\x06\xd5\x52\x61\xb7\x08\x74\x35\xe4\x97\x45\x29\x75\xb1\x52\x66\x52\x2e\xf9\x76\x37\x95\x6f\xaa\x20\xe8\xec\x65\x3c\x9c\x0c\x07\x73\x60\x3d\x77\x67\x7d\x0e\xf1\xec\x99\xa0\xf6\x1c\xcc\xf7\xe1\x10\x30\x51\xa7\x85\x2a\x00\x77\xf9\x73\x36\x9f\x6d\x80\x56\xb7\x9c\x53\x7a\xea\x6b\x41\x07\x09\xdf\x69\x37\xb6\xb7\xce\x03\x39\x8e\x1a\x7a\x1e\xf8\xe0\x62\xbf\x5b\x5a\x11\x0b\xc0\xda\xf2\x76\x5c\x92\xe6\x95\x83\x4a\xdd\x9a\xc0\x3f\x5e\xa5\x6f\x8e\xc1\xd6\x4a\x8f\xad\x07\x41\x0e\x30\x19\xd8\x4c\x0e\x7c\xdf\x1c\x49\xe9\x50\x91\x79\x4a\x3a\xad\x82\xab\xf6\x3e\x9c\x6c\xeb\xab\xdf\x05\xe8\x05\x03\xd1\xba\x70\x37\xe9\xb0\xb3\x5a\xad\x55\x17\xa0\x29\x88\xa3\x43\xb6\xa4\xaf\x6d\x82\x77\x96\x4f\xcd\x3e\x72\x0c\x19\xeb\xcb\xca\x7c\x4a\x87\x7c\x4b\x17\x40\x5d\x4e\x04\xe2\xbf\xf0\x36\xd6\xf5\xe8\xda\x62\xd6\xec\x70\xd1\xcd\xd9\x70\xe8\xba\x36\xf7\xfa\x95\x6c\xbd\xe7\x89\x25\xa4\x43\xb9\x57\x9b\xe0\x39\xe5\x65\x39\x66\xe7\x45\xb1\xd9\x3c\x62\x97\x0f\x29\x07\xfb\x53\x5c\x88\x82\x0b\x95\xb2\x44\x09\xd1\xbb\x81\xe0\xcd\xfb\xdc\x39\x72\x78\xa8\xb1\xeb\xa6\x32\x5e\x69\x3a\x93\xb5\x50\xdc\x2d\x7f\xf0\x55\x98\xf8\x24\x67\x94\xb2\xd0\x1b\x58\xf3\x03\x24\xe4\x4c\x43\x9e\xc6\xe1\x70\xb6\x92\xef\x2d\x55\x2f\x33\x22\x42\x10\x1f\xe2\x45\x86\x56\x4b\x87\xe4\xd0\x4c\x5c\x41\x37\xf4\x53\x45\x1d\xc8\x2c\xe4\x9f\x93\xd5\x0e\x49\xac\xf2\xb9\x66\xd0\xd5\x00\xff\xf9\x9b\x98\x4d\x70\xfa\xa2\x06\x11\x87\x36\x9a\x3d\xd5\x03\x37\x87\x2c\x23\x0e\x6f\xbd\xa2\x42\x0e\x56\x58\x86\xb6\xee\xf5\x3e\xb5\x32\x23\x9a\x98\x23\x7b\xf8\xcf\x35\x49\xf6\x0b\x08\x3d\x81\xa1\x6e\x6a\x30\xc2\x6a\x74\x45\x6f\xbf\x8d\xdc\x24\x76\x78\x4e\x77\x6d\xf7\x49\x0a\x31\xe1\x11\x3c\xb0\xd8\x76\xd5\xca\x9f\xbf\xc3\x2c\xf6\x08\x1f\x75\x42\x01\x5b\x41\xae\x86\xf9\xc0\xbb\xfe\xd2\xb8\x47\x4b\xfc\xd7\x82\x84\x46\x7c\x22\xf1\xd6\xdf\x54\xbb\x3e\x28\xf5\xcf\xf0\x07\xe9\xd5\xd5\x59\x7c\x83\x7a\x72\xeb\x04\xef\x8d\x1
f\x3a\xc0\x60\xb9\xf1\xff\xf3\xd7\x4d\xa3\x5b\xf1\xcc\x3f\xf9\xd8\x36\xbf\xc8\xd2\xcc\xb0\x72\x14\xaf\xd3\x57\xc2\x96\xae\x04\xa5\xce\x01\xfd\xc7\x79\xe9\xb4\xae\x6d\x67\x7c\x6f\xc4\x8f\x73\x83\x06\x4f\x2d\x21\x7d\x51\xe3\x90\x60\x9d\xad\x93\x30\x22\xed\x7c\x35\xf8\x9e\x83\xb5\x55\xc8\xe3\xcc\xec\x20\x4e\x59\x32\x28\xf3\x24\x44\x27\xcf\xed\x43\xbd\x37\x1e\xe5\xf5\x84\xce\xab\x01\xf8\x8d\x1c\x99\x47\x41\x89\xb8\x76\xc9\x53\x40\x89\xdd\x5d\x04\x60\xda\x83\x3a\xfb\x14\xcb\x1c\xb1\xf4\xbf\x85\x17\xff\xf8\x6f\x94\xa9\x19\xb9\xf8\xee\xb3\x60\x88\x7b\x13\x9f\x67\x59\x05\xce\xee\xfa\x05\x78\x6f\xd7\xea\xa8\xcc\x60\x10\xee\x28\x69\x89\xb6\x26\x9a\x45\x05\x2d\x4c\x62\xf7\x42\xbd\xc2\x52\xfb\xfd\xb2\x16\x6f\x9b\x02\x15\x31\x6c\xe5\x69\xd5\x3f\x12\xd7\xff\x1e\x92\xd2\xbf\x11\xb6\xed\x6a\xec\x3f\xe3\xf6\x2c\x49\xa4\xcd\x2f\xeb\xca\xe8\xe1\xb4\x4b\x38\xea\xf1\xa6\xe7\x8f\x2d\xa3\xcd\xd9\x4e\xde\xa7\x15\x00\x00\xd7\x01\x5c\xb6\x52\xba\x46\xd3\xb2\x31\x5b\x64\x9e\xdc\xcf\x47\xb5\x1d\x45\x85\xdb\xc7\x60\x64\xa1\x2b\x05\xce\xd6\xfd\x11\xfe\x37\x03\xad\x22\x67\xf9\x62\x97\xbc\xd4\x55\x81\x07\x69\x74\x6e\xe2\x64\xe7\x3d\x90\x43\x38\x4e\x3a\xf7\xb4\x45\xfd\xa9\xf1\x2f\xff\xbc\x7d\x63\xcd\xc1\x05\xeb\xf8\xec\x1f\x52\x47\x5c\x73\xb0\x6b\x4a\xf0\x80\x03\x7b\xab\xda\x88\x88\xb0\x5b\x3d\x00\x51\xd7\xaa\x6c\x94\x91\x40\xdf\x65\x80\x6c\x83\x66\xf8\xe3\x64\x0f\x5a\x74\x70\x26\x26\x96\xbd\x3c\xd4\xdb\x85\x50\x2c\xbd\x5f\xe2\x2b\xb0\xf5\x92\x87\x76\x8f\xb9\xc5\x2e\x69\x33\xe5\x68\xe0\xd3\xce\x72\x83\xa4\x20\xc8\x9f\xd0\x4e\x93\xe5\x65\xdf\x0f\xf6\x8c\xc7\x43\xcd\xcf\x4d\xfc\x7f\xf0\x9c\xbe\x8a\x77\xa0\x20\x80\x4f\x4c\x17\x61\x28\x46\x16\xd9\x58\x40\x1f\x57\xaf\x9d\xc7\x13\x62\x99\x2b\x3f\xf3\x43\x9c\xcf\x85\xf4\x3b\x6c\x08\x50\x98\x96\x50\xd8\xf5\x5b\xa1\x92\x2a\x65\x00\xd2\x72\xdd\x42\x38\x6c\xbb\x23\xe6\xe6\x7e\xc9\x26\xa1\xca\x93\x57\xf4\xc8\x4b\x76\x71\x52\xe6\xc4\x36\x17\xde\xf9\x4a\xc6\x01\x4a\xa3\xc6\xca\x84\x18\x59\xdc\x57\x52\x4a\x72\x27\x41\x24\x65\x30\xda\x55\x06\x71\xec\x17\xd2\xa3\x4
2\xe5\x57\xb4\x3c\x08\xa9\x3c\x12\x67\x63\x7f\xff\x37\xff\x4a\x40\x85\x52\x8e\x7c\xe6\xd0\x9d\xe6\x42\x99\x6f\xff\x98\x68\x85\x44\xa7\xc2\x3b\xff\x8b\x6f\xdb\xe5\x33\x42\x4c\xcb\x11\x9a\x56\x7f\x1f\x15\xc0\xb4\x65\x0e\xd8\x0e\xfe\x24\xab\x4d\x1c\x1e\x33\x30\x5a\xfd\x2c\xea\xc6\x82\xc0\xea\xca\xa5\x66\x9e\x44\x34\xf6\x34\xb1\xc6\x12\x71\xd9\x5b\x00\x95\xc7\xb1\xa6\x2a\x2d\x07\x3a\xad\x80\xc5\x10\x15\xbb\x51\x50\x84\x5c\x11\x86\x33\xa3\xc4\xc9\x4b\x74\x63\xfe\x73\x39\x18\x2e\xa0\x1a\x7e\x28\x63\x7c\x27\xb5\xf8\x60\x68\xa7\x37\x4a\xe7\x7c\x5c\xdd\x6d\xd9\xb4\x69\xdd\x9a\x47\x5c\x37\x52\x8e\x2f\x1c\x40\x13\x23\x59\xe9\xe6\x5e\x23\xad\x45\x95\xb1\x60\xad\x9a\x2d\x83\xcc\xe0\x78\xf4\xd6\x18\x1f\xd3\x02\x6c\x2a\x0b\x13\x02\xfa\xa6\x9a\x51\x80\xa2\xc2\x0b\x3a\x32\x87\x6e\xfc\x2a\x62\x81\xc4\x09\xc2\xe6\x6e\x00\xde\xb5\x30\x98\x19\x7f\x13\x18\x5b\x7d\xa5\x89\xb0\xcf\xe2\xa3\x12\xf0\xf6\x1e\xfa\xb2\x9a\x7b\x1b\x61\x4f\xaa\x57\xed\x37\xe0\x1f\x8b\x0c\xdf\xb2\xea\x78\x67\x74\x5d\x66\x69\xa4\xa8\x95\xb9\x7e\x1e\xd2\x4c\x2f\x3c\xf2\x3e\x88\x51\x13\x8d\x9a\x64\x0c\x2c\x0b\x32\x1d\x00\xf0\xa4\xdd\x9a\x72\xfe\x5b\xa4\x3a\xc4\x7d\xd3\x1a\x01\x4d\x31\xb7\x25\xee\x28\xcd\x8f\xbe\xd0\xbc\x78\x14\x59\x80\xb5\x86\xd3\x71\x84\x8b\xb9\x67\x48\x30\x3d\x0a\xd1\xfe\x2a\x2e\x7f\x5d\xd3\x40\x70\xc6\xfc\x50\xe1\x09\xdb\xb1\x5c\xdd\xcb\xc0\x4e\x1c\xf6\x35\x8d\x10\x50\xe6\x31\x9a\x34\xf1\x45\x2f\x44\x43\x6d\x8c\xea\x13\x7a\x37\xa1\xda\xd1\x3e\xfc\x2b\x9a\x95\x87\xa4\x3c\x2c\x3f\x3d\x5a\xa3\x2c\x09\x78\x52\x0d\x24\xda\xdd\x18\xef\xa8\x12\xa7\x2d\x33\xb2\xf4\x41\xac\x88\x52\x26\x55\x5f\x7c\xd2\x54\xab\x27\x71\x75\xc4\x35\x68\x3c\x36\xdf\x69\x7c\x2f\xb5\x36\x27\x19\x48\xe5\x38\xdd\x3b\xce\x39\x09\xa5\xc8\xc3\x7e\x97\xea\x37\x36\xcd\x1a\xda\x26\xf1\x3f\x12\x1a\x99\x06\x33\xd9\x5b\x59\xe6\x73\x93\x43\x29\x93\xc0\xc8\x4f\xd6\xd5\x2b\xeb\x7e\x3d\x02\xa4\x37\xeb\x28\x1a\xf5\x73\xba\x1c\x47\xf3\x73\xf6\xcc\xd6\xe0\xb1\x83\xa2\x1c\xbe\x9f\xdb\xb8\x2c\xcc\x39\x6f\x16\xaf\xf1\x99\x9f\xb8\x39\xeb\xca\xff\x97\xf
a\x0b\xfd\x0d\x34\xcf\x8e\x57\x60\x6f\xd8\x23\x41\xdb\x31\x8e\x40\xcd\x9e\x85\xc1\x54\x46\x5d\xcc\xe1\xb7\xfd\x8b\x22\x80\x8f\x0e\x0d\x45\x4e\xf9\xa2\xb5\xa4\xc3\x5c\x0a\x12\x5b\x92\x37\x07\x00\x72\xd1\xcd\x82\x7c\xfd\xea\x8e\x3d\xe8\x33\xb0\x81\x4c\x8f\xf2\x60\xe6\xb3\x98\x07\xef\x86\xac\x67\x7a\xbd\xeb\x50\x7d\xd5\x7f\x69\x93\xd3\x03\xd5\x55\x17\x84\x0b\xd7\xaf\x1d\xb3\x98\x08\x21", 4096); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/6, /*buf=*/0x200000004040ul); if (res != -1) r[14] = *(uint32_t*)0x200000004048; break; case 23: *(uint32_t*)0x2000000042c0 = 2; *(uint32_t*)0x2000000042c4 = 0; *(uint32_t*)0x2000000042c8 = 0; *(uint32_t*)0x2000000042cc = 3; *(uint32_t*)0x2000000042d0 = 0x44; *(uint32_t*)0x2000000042d4 = 7; *(uint16_t*)0x2000000042d8 = 0xff00; *(uint32_t*)0x2000000042dc = 0x80; *(uint64_t*)0x2000000042e0 = 0xe5; *(uint64_t*)0x2000000042e8 = 0; *(uint64_t*)0x2000000042f0 = 8; *(uint32_t*)0x2000000042f8 = r[7]; *(uint32_t*)0x2000000042fc = r[4]; *(uint16_t*)0x200000004300 = 0x800; *(uint16_t*)0x200000004302 = 0; *(uint64_t*)0x200000004308 = 0x200000004180; memcpy((void*)0x200000004180, "\xb8\x47\x2d\xa7\x63\xb7\xf2\x33\xe5\xd2\x38\x7c\x99\x8e\xd4\x35\x56\x57", 18); *(uint64_t*)0x200000004310 = 0x2000000041c0; memcpy((void*)0x2000000041c0, 
"\x10\xf1\x21\x59\x35\x43\xac\x48\x3e\xe5\xd9\xfc\x00\x93\xe2\x03\xb9\x27\xb4\x4b\xb5\x34\xa8\x71\x1a\x28\xdf\x30\xc8\x75\x70\xf2\x5d\x8d\xd6\x43\x46\x7a\x2c\x9e\x53\x1e\x8a\x4a\xa6\xe0\x33\xf5\x71\xb9\xfe\xea\xe8\xb6\x5d\x09\x3f\x91\x56\x28\x88\x5d\x3f\x02\x8c\x3f\x44\x47\x63\x2b\x36\xf2\x2e\x16\xc1\xfc\xb5\xe7\xbd\x69\x92\xc0\x89\xdf\x96\x1f\xee\x65\xda\x52\x26\x3c\x86\x54\x31\xc8\x32\x4d\x25\x20\x54\x27\x65\x39\x02\x00\x0e\xe5\xf2\x31\xb0\x3d\xf0\x0c\xf5\xb4\xff\x9f\x87\x79\xd3\x31\xa8\xb5\x11\xc4\xdd\xf3\xba\x9b\x68\xb4\x81\x33\xa4\xcd\x4f\x26\xe7\x37\x66\x50\xcb\xa6\x10\xc6\x2a\x68\xf4\x81\x02\x20\x00\x97\x06\xa8\x5a\x06\x31\x03\xdc\x90\xdf\x67\x13\x7a\x34\xa2\xdc\x60\xea\xcd\x86\x8a\x66\xd7\xf6\x8e\x69\xc0\x4c\xc1\x95\xfd\xc8\x08\x1c\x4b\xe4\x14\x86\x03\x24\x2c\xaf\x94\x67\x0f\x9e\x25\x55\x7e\xf9\xad\xa0\xf2\x3c\x59\x61\xfc\x07\xfe\x58\xc7\x8b\xff\x01\x3f\x83\x44\xdd\x96\x11\xe2\x31\x49\x63\xbf\x51\xdf\x6c\x98\x4c\x56\xb9\xaf", 236); res = syscall(__NR_shmctl, /*shmid=*/0x10000, /*cmd=*/2ul, /*buf=*/0x2000000042c0ul); if (res != -1) { r[15] = *(uint32_t*)0x2000000042c4; r[16] = *(uint32_t*)0x2000000042c8; } break; case 24: *(uint32_t*)0x200000004540 = 0x9732; *(uint32_t*)0x200000004544 = 0xee01; *(uint32_t*)0x200000004548 = 0xee01; *(uint32_t*)0x20000000454c = 5; *(uint32_t*)0x200000004550 = 4; *(uint32_t*)0x200000004554 = -1; *(uint16_t*)0x200000004558 = 5; *(uint32_t*)0x20000000455c = 0x80000000; *(uint64_t*)0x200000004560 = 9; *(uint64_t*)0x200000004568 = 5; *(uint64_t*)0x200000004570 = 0x8001; *(uint32_t*)0x200000004578 = r[7]; *(uint32_t*)0x20000000457c = 2; *(uint16_t*)0x200000004580 = 0xffc; *(uint16_t*)0x200000004582 = 0; *(uint64_t*)0x200000004588 = 0x200000004440; memcpy((void*)0x200000004440, 
"\xae\xb6\xd5\x07\x3a\xfa\xa3\x1c\x2e\x2b\x2c\x26\x91\x12\xdf\xff\x49\x39\x37\x39\x22\x07\xd1\x3f\xcd\x1a\x8e\xba\xa9\x97\xfd\x97\x6c\xcf\x81\x7f\x42\x90\xa8\x95\x65\xf4\x5f\x54\x38\x2b\x31\x3d\x34\x98\xe2\xa6\x76\xfb\x90\x8e\xe4\xd8\x92\x13\x1f\x01\xb8\x3d\xed\xd0\x94\x98\xc8\xc2\xc5\x6d\xf4\xef\x1c\x82\x32\x32\x0b\x42\xd5\x83\xcc\x60\x61\xc9\x2c\xc0\x6c\x76\x4f\xb0\xd4\x46\xa8\xb9\xa5\xf1\x90\x3c\x9b\x2b\x2b\xa4\x5c\x1e\xce\x47\xcd\x24\x9f\x20\x1b\x45\x7e\xe0\x3c\x79\xfb\xe2\x6f\xee\xa6\xde\xc1\x42\x68\x9a\xe2\x1b\x9c\xed\x84\x39\xf1\x0a\x2e\x3b\x65\x7a\x1e\x3a\xb7\x38\x54\xc1\x33\x8b\x6d\xb9\x05\x24\x8a\xe4\xbc\xee\x97\x3d\x06\x8e\x9b\xd4\x9b\xf4\xf9\xe8\xd0\x17\x7c\x72\x61\x2b\xce\x4e\xf6\xb4\xd7\x6c\x09\x39\x96\xde\x65", 183); *(uint64_t*)0x200000004590 = 0x200000004500; memcpy((void*)0x200000004500, "\x24\xa7\x29\x1c\x4a\xbc\x17\xba\x4a\xcd\xe1\xc6\xfb\xdb\x58\x89\x6a\xd2\x7d\xad\x25\x64\x40\x20\x7f\xf6\xa5\xe4\x8f\xf2\xa6\x18\x5f\x2c", 34); res = syscall(__NR_shmctl, /*shmid=*/0xfa95, /*cmd=*/0xbul, /*buf=*/0x200000004540ul); if (res != -1) { r[17] = *(uint32_t*)0x200000004544; r[18] = *(uint32_t*)0x200000004578; } break; case 25: memcpy((void*)0x200000000700, 
"\x2b\xce\x17\x78\xfe\xc9\xa1\x28\x6b\xf6\xab\xa5\x3c\x3a\xc4\x02\x86\xad\x6a\xa7\x11\x2d\x6f\x2f\xca\xbf\xd2\xba\x71\x3e\xaa\xdc\x81\x39\xe1\x4f\x61\x80\x70\x12\x6a\xc3\xa3\x8a\xd9\xcd\x7b\x5c\x94\xb1\x78\x3b\x26\x11\x52\x07\x29\x35\x3d\x56\xfc\x5b\xd5\xcb\xd4\xf1\x1d\x01\x35\x9c\xa9\xeb\x2e\x0c\x4c\xc6\x60\x95\x84\x6c\x2b\x10\xd4\x1e\xb8\x46\x77\xf1\xc3\x52\xbd\x90\xeb\xfa\x66\x12\x3a\x7a\x19\xf4\x5c\xae\xa8\x4f\x12\xe7\x76\x57\x93\x32\x46\xc4\x4a\x20\x9a\x4b\x9f\x15\x56\x87\xe2\xa4\xfd\x90\x2f\x57\xea\x49\x08\x5f\xaa\x76\x01\x19\x40\x68\x27\xdb\x2e\x6a\xde\x20\x29\xf8\x20\x1d\xe4\x7e\x97\xb1\x33\x85\x3a\xe7\x32\x14\xa7\x96\xe4\x81\x8d\x39\xcf\x10\xa8\xe6\xa6\xf1\x1a\x88\xe0\x82\xc9\xaa\x25\x85\x7a\x67\xa3\x2f\x35\xbc\x8f\x86\x7f\x04\x4d\x0f\x32\x99\x53\xdc\x06\x02\x24\x9d\x83\x19\x7e\x0e\xf5\xc9\x83\xb9\xd5\x56\xbd\x52\x7a\x6a\x59\x9f\x52\xa2\x11\xf9\xc7\x11\x3e\xdc\xc0\xe9\x3f\xc1\x8e\x79\xed\x69\xfb\x2a\x7f\xde\x97\xc9\xc3\x5e\x31\xe3\x5f\x07\x71\x37\xc8\xfd\x8b\xec\x40\x18\x14\xfb\x99\x81\x6d\x1e\xe5\xa5\xe7\xed\xc2\x10\xc6\x10\x97\x0d\xaf\x8a\xea\x89\xac\xbb\x75\x40\x82\xd8\xf6\x8e\xb4\xa0\x01\x06\x53\xc7\x06\x84\xa8\xdd\x7c\x00\x2b\xa7\xe4\x61\xc8\xdc\xc4\x5c\x22\x86\xda\x34\x27\x35\x14\x18\xcb\x24\xa9\x4d\x65\x56\xd6\x9e\x2a\x31\x9b\x5c\x0e\x69\xe6\xbf\x11\x1a\x9c\x45\x46\x7c\x41\x57\x5f\xdb\xfc\x26\x46\xda\xfd\xa3\x17\x9b\x0f\xca\xcc\x14\x9b\x45\xef\x10\xdc\x13\xf5\xfc\xe2\xe4\xa2\xc2\x2c\x2a\xe9\x92\xbc\x6b\xd5\x13\x23\xe7\x24\xe4\x66\xc7\x36\xdb\x1d\x34\x57\xee\x0f\x7d\xe1\x47\x66\x1d\xba\xdc\x94\x2b\xf0\xdf\x2f\x08\x9e\x98\x03\x81\xae\x88\x8a\xb0\x22\xfb\x54\x5c\x03\x43\xc4\x08\x7f\x2c\x1b\x6a\xe0\xcd\x21\xd0\xfd\x65\x65\x79\x09\x58\xc9\x3a\x67\x59\xa5\x75\x4b\x70\x0a\x6f\x53\xab\xbc\xa7\xd2\x2c\xdd\xcd\xd7\x09\xb2\x79\xd1\x11\xd6\xce\x1f\xd7\x91\xeb\xca\xf2\x60\x48\x09\x86\xb3\x21\xce\xcc\xf9\x55\x61\x8b\xbe\xa2\x78\x1d\x33\x14\x90\xcd\xe5\x73\x47\x93\xab\x07\x5f\x5a\x72\x93\x21\xae\xe1\x77\xfc\x3c\x20\xef\xd0\x79\x74\x46\xe5\x12\xc6\x25\xa3\xbc\x1a\x5
6\xf4\xc0\x18\x89\xf5\x74\x93\x3b\x72\x6f\x74\x37\xee\x04\x94\x91\xbc\xb9\x1f\x1c\x63\xa0\xb1\x75\xe2\xce\x56\x75\x07\xdd\x35\x4b\xf2\x6b\x08\x05\x9a\xc2\x29\x04\x6a\x6e\x75\xd3\xd3\x21\xee\x63\xc5\xab\xc1\xa7\x40\x9e\x20\x7e\x6f\xc5\x16\x79\xdf\x37\xbc\x7b\xa3\x39\xcb\xce\x32\xd4\x5a\x96\x09\x06\x88\x51\xb0\xa7\xf5\x81\xaa\xed\x7e\x99\x5c\x36\x77\x9d\x07\xc3\x57\xe5\xd9\x76\xf6\xde\xee\x4f\x36\x84\xf9\x7e\x7c\x61\x9d\x3c\xcc\x28\x72\x2f\x13\x0d\x93\x6d\x3c\x07\x3b\x9b\xb5\x19\x4e\xb9\xff\x69\x91\x0c\x6a\x3d\x58\x58\xc2\x86\x2b\xa8\xce\x94\x25\xce\xc1\xe8\x01\x18\x2a\x7f\xb5\xc7\x01\x7a\x41\x85\xd1\x3f\xeb\x35\x38\x29\xdc\x68\x1a\x56\x19\xf0\xa0\x2d\xb6\xeb\xde\x86\x0c\xf7\xc6\x29\x4d\x21\x45\xf9\xa5\x29\x18\x49\x76\x2d\x93\x81\x66\x82\xd1\x91\x89\xdd\x76\x82\x80\xdf\x4a\x68\xc8\x08\x01\xf6\x6a\xba\xbd\xf7\x22\xec\x21\x3a\x7b\x7f\x58\xc4\x61\x48\x68\x69\x00\x66\x9b\xdb\x0c\x64\x3d\x00\x5d\x60\x0d\x95\xc5\xcb\x5d\x28\xac\x4c\xd4\xc7\x02\x22\x94\x35\x2e\xd1\x35\x0c\x4e\x75\xfe\x89\x27\x89\x53\x92\xb0\x06\x2c\x78\x29\x2f\xc1\x5a\xd7\x03\x8d\x1b\xdd\xc9\x94\x53\x5e\x73\xcc\xc3\x3c\x9a\xb2\x33\x11\xd6\xf6\x5d\xe5\x98\xf5\xee\x9f\x91\x34\xca\x4e\x4b\x40\x9f\x21\xb0\xb0\xe4\x0f\x36\xaa\x5c\x78\x2b\x7b\xb8\x64\x70\x7a\xfd\xce\x1e\x7c\xfe\x5a\x27\xc1\xef\x3d\x2d\xc1\x41\x05\xd6\xa4\x89\xb8\x7e\x7a\xe1\x67\xae\x87\xa5\xf3\xcd\xa0\xb8\xa6\x22\x17\x62\x97\xf5\x32\x8b\x79\x69\x0d\xf9\x89\x79\xa4\x80\x6d\xea\x06\x93\x95\xf5\xb8\xe5\xbc\xec\x68\x3f\xd3\x9b\x86\xbc\xef\x86\x5d\xe6\x0f\xe4\x07\x29\x1d\x12\x7c\x4f\x00\x68\xbe\xc8\xae\x95\x73\x8f\xce\x42\x20\x5e\xf7\xcb\xba\x2a\x10\x76\x6e\x32\x19\x1c\xb4\xe5\x0c\x06\xdc\xf6\xca\x3a\xe7\x8c\x0c\xaa\x65\x8f\xd5\x8b\x65\x2c\xab\xdd\xe1\xdf\xa9\xd1\xf5\x4a\x44\x79\xad\x61\xd2\x5a\x47\xff\x08\xb3\x12\x25\x60\x09\x9b\xde\xc5\x5d\xeb\x11\x0e\x40\x6e\x08\x59\x53\x40\x88\x7e\x49\x67\x74\x54\xb6\x08\x60\x15\x3c\x4b\x1f\x7c\xeb\xef\x25\xda\xd0\x82\xf4\xd3\x40\x20\x78\x29\x8b\xfd\x39\x0b\xc7\x66\x23\x45\x95\x91\x8c\xbb\x3b\x6c\xdb\x99\x61\xe1\xb
b\x1d\x4f\x7c\x7f\x24\x01\xa8\xd8\x0a\xc6\x2b\x14\x62\x4a\x3b\x16\xd9\x70\x46\xfc\xef\x8d\x02\x5d\xeb\x79\x40\x94\xd2\xce\xa5\x0c\xcb\xe2\x72\xe1\xc7\x9a\x71\x67\x80\x3c\x40\xa4\xcc\xee\x13\x84\x44\xe7\xa4\x15\x34\x77\x83\xbf\xe0\xff\xda\x3d\x50\x01\x6d\x0f\x6b\x1b\x06\x12\x6f\xcd\xd9\x23\x7a\xac\x40\x0b\x85\x49\xe4\xc1\x91\x7a\x25\xdb\x59\xcd\xba\xe2\x9d\x1e\xa5\xbd\x7d\x25\xc5\x75\x02\x2d\xc5\x5f\xf3\x2e\xd4\x2a\x61\x0e\x23\x94\x79\xbe\xab\x0d\xd6\x2a\x30\xa4\xfb\xed\xa0\xfc\xfe\x1d\x0b\x61\x3a\x8d\x06\x69\x33\x46\x6a\x9a\xb3\x12\x62\x70\x1d\x08\xe7\x79\x28\xf8\x8c\xf8\xa8\x38\xe9\x72\x98\x93\xe5\x50\x70\xef\xcc\x83\x73\x6f\x3c\xb3\x2e\xef\xc0\x8f\x24\x0d\x44\x9a\x61\xcd\xf2\x11\x6c\xe4\xea\xe7\xb9\x66\x9c\xe6\xfc\x52\x8b\x98\x34\x01\x2b\x0f\x7c\x54\x25\xc2\x62\x23\x7a\xe8\xa3\x01\xb6\xcf\xc0\x3a\x57\x9c\xb1\x09\xdf\x41\x7d\x85\x14\xaf\x61\x2d\x32\x0d\x0e\xd9\x6b\x7f\x7e\x4a\x48\xaa\xa3\x0f\x6c\x8f\x42\x7d\xb2\xf9\x81\xbe\xf3\x60\xb9\xd8\xc2\x77\xc8\x4a\x80\x15\xf4\x9b\xb8\x84\x0d\xfd\xbf\xd5\x40\x2a\x05\x3f\xbe\xdc\x07\x51\x58\x7e\xbf\x6d\xf4\xd6\x92\x85\xcc\x39\x8e\x98\xa7\xfc\xd6\x88\x76\xeb\x2b\xf6\xf9\x4f\xc0\xd0\x3d\x7a\x93\xb1\x44\x6c\xf2\xac\x7e\xc1\x1f\x8c\x3b\x62\xfc\xc0\x74\x1c\x37\x6d\x15\xcc\xd8\xdc\x9c\x85\x92\x94\x53\xa1\x77\xbc\x24\x24\xb3\x74\xcc\xad\x51\xa5\x7b\xd0\x52\x90\x24\x1e\x00\x38\x9e\x5d\x97\x33\xda\xc8\x43\xb2\x5f\x43\x94\xdb\x45\x0f\xe1\x6f\xdc\xbb\x56\x33\x37\x90\x04\x4d\x65\xad\x60\x6a\xe8\xca\x97\xce\xec\x3f\x80\x9d\x78\x90\x49\xa3\x29\x88\x81\x33\x9d\x2e\xd1\x60\x2f\x2b\xf2\xbd\xe3\xcc\x87\x16\x3c\xf1\xdc\x3f\x8e\x32\xe8\x59\xac\x7b\x2d\x27\x1a\xe4\x2a\x7a\xd0\x5e\x6f\xda\x9b\x98\xc1\x4b\xe9\xa3\xf6\x5b\x16\x25\x37\x43\x99\x59\x82\x23\x7d\x31\x30\xd1\x5a\x18\xf8\xf5\x32\xa8\xd0\x27\x3e\xab\xb3\x38\x67\x02\x85\x98\x33\x84\x47\x81\xdc\xeb\xf2\x16\x4f\x0a\x4b\x14\x11\xd8\x82\x99\xfa\x82\xe7\xba\xb7\x1a\x08\x36\xd5\x0b\x41\x8a\x6a\x47\xf7\x47\x22\x0f\xef\xee\x26\x85\xaf\x32\xc2\xde\x7c\x33\x75\xcc\xa1\x19\x14\xf2\xda\x17\xec\xc4\x6e\x6
3\x5a\xfd\xa8\xc3\x6f\xef\xf1\x0c\x7d\x6e\xbd\xcf\x7d\xa4\x41\x4b\x4f\xdb\x28\xc4\x2f\x73\x8c\x95\x61\xa6\x56\xb0\x1c\xa0\xbc\xb0\x22\x4e\xc8\x03\xe6\xa2\x38\x64\xe0\x14\x38\x97\x4b\xba\x22\x36\x92\x12\xca\xf0\x53\xe5\x60\xcf\x11\xac\x83\xec\x04\x85\xf5\x70\xf6\xe5\x36\x74\x42\x43\xc2\x11\xfd\xc0\x3c\xb3\x59\x04\xf1\xb3\xad\x1e\x79\x65\xd4\x73\x1a\xa0\x48\x21\x5d\xbe\x3b\x33\xd0\x96\x3b\x0d\x5c\x0e\xcc\x90\xfa\x99\x99\x7f\x19\xb5\x83\x57\x48\x68\xb4\x08\x1c\x9e\xa2\x71\x23\x43\xb9\x18\xd2\x2f\xa3\x7e\x8d\xf4\xdb\x67\x0a\x4b\xe4\x29\x5f\x69\x9c\x92\x4c\x4b\x7f\xeb\x71\x10\x3d\x9a\xef\x02\x70\xde\xd2\x9d\x4f\x42\xaf\x37\xa4\x87\xe2\xbc\x8d\xc0\xb0\xbd\x3f\x68\x70\x38\x5a\x1a\x8a\x98\x42\x20\xf7\x9a\x47\xa9\x81\xe9\x87\xdc\xa4\x46\x95\xce\x64\x87\xd5\x3c\x01\x90\x10\x54\x3b\x20\x42\x22\xef\xae\xf7\x20\x8d\xfa\x23\xf8\x08\xc4\x56\x13\xd5\x14\x46\x8b\x97\xfe\x57\xdf\x91\x1e\xac\x0c\x90\xed\x04\xf0\x06\x49\x32\x1c\x3a\xbd\x27\x01\xec\x1a\x01\x22\xb4\xbb\x48\x37\x7b\x5e\x92\x51\xc0\x20\x3f\xaf\x08\x98\x26\x0f\xf7\x47\xc5\xa8\x2e\xed\x23\x42\x50\x15\x88\x51\xa5\x09\x06\xac\x54\x92\x71\x9f\x97\x0a\x90\x62\x00\x5e\xf1\x67\x55\x76\x35\x1a\x8b\x3d\x9d\xda\x73\x5c\xc6\x5b\x82\x09\xe9\x86\x68\xb8\xd4\x97\x88\x5f\xb1\xd9\x1d\x89\x3e\x3e\x3f\xe9\x6d\xbf\x56\xb6\x1c\x60\x6a\x84\x63\xc4\x1f\xd8\xc9\xbe\x64\xdf\x1a\x59\x56\x27\xfc\x71\x14\x38\xee\xa8\xdf\xb7\x32\x35\xa4\x7b\xe9\xc0\x37\x04\xfe\xda\x19\xe5\x4f\x65\xa2\x87\x62\x94\x49\x5a\xca\x4d\x61\x1c\x9b\x43\x84\x29\x15\xfa\x7a\x51\xe4\x5e\x16\xc7\xd2\x28\x17\xc1\xb1\x59\xe0\xbf\x53\xdf\xfe\x16\xed\x63\x41\x61\xbe\x4c\xc9\x16\x9c\x95\x2b\x0b\xb5\xfb\xf4\x45\xae\xe0\xe9\xd3\x86\xd3\x00\x61\x18\x57\xc7\x0e\x95\xcf\x2e\x42\xa3\xe7\x9b\xf7\xc2\x02\xb7\x7c\xe4\xf5\x2d\x5e\x8d\xdf\x50\xd5\xdb\x3f\xa1\x0e\x95\xf2\x4d\x65\x61\x86\xd3\x56\xde\xdc\x85\xc6\xf8\x68\x4b\x81\x02\xeb\x01\x9c\x18\xda\x8a\x66\x3d\x70\xbe\x24\xea\xd9\xf1\xdc\xed\x78\xbd\x06\x8a\x6c\x9b\x32\x4d\xd7\x47\x73\x43\x18\xeb\xc6\x2a\x4a\x9c\x74\xeb\x34\x22\xcc\xde\xe0\x2f\x9
4\x7c\x1a\x76\xe7\x38\x54\x28\x06\xff\x2c\x9c\x85\x1a\xb7\x12\x17\xf7\x53\x9d\xa9\xc3\x35\x0a\x1f\xbd\x5e\x53\x90\xa0\x48\xcc\xac\x1f\x54\x13\xab\x2d\x81\x47\xd7\xb2\xd7\xd4\x93\x3e\x24\xd7\xff\x0d\x16\xfa\x34\xe2\x38\xe9\x31\x62\x27\x30\xda\x47\xe8\xee\x85\x35\x49\xf5\x7d\x8c\xd0\x41\x1f\xd3\xdd\xcd\x5d\x6b\xf3\x63\x88\xd0\x36\x86\x62\xf9\x5d\xae\x7d\x3b\xcb\x93\x2d\x62\xe0\xf8\x95\xa5\x6b\xd8\x79\xd1\xf5\x70\x43\xeb\x6a\xd4\x6e\x35\x97\x6c\x4f\xa6\x24\x42\x21\xe9\xa6\x8f\xb5\xa9\x3f\x25\x68\xc1\x77\x2a\xd1\xfa\xef\x2a\xab\x00\x21\xfe\x7d\xbc\x57\xf3\xa7\x77\xdd\xfe\x61\xf4\x1c\xc3\xf7\xdb\x0b\xbf\x63\x7b\xd4\x8f\x72\xd1\x1d\xd0\x52\xfb\x4e\x32\x52\x0d\x41\x39\xce\x9b\x92\x06\x21\xf1\xeb\x6f\x37\x88\x71\xf1\xe7\x94\xc3\x87\x59\x65\x0a\x0a\x74\x2c\x0e\x34\x03\xb6\xbe\x88\xe3\x19\x20\xc0\xf3\xaf\xb5\x8c\x68\x6b\xea\xee\x1d\x65\xd6\xd8\x3b\x8e\xaf\xa7\xd0\xbc\xaa\xef\x87\x5e\xfa\x7a\x27\x37\x1c\xac\x05\x99\xd4\x1b\xa5\x1a\xa5\xce\x65\xce\x48\xbc\xa2\x4d\x4a\x43\x8e\x6e\x3a\xc3\x3c\xf1\xfc\x7c\xd8\xcc\x3c\xd9\xb7\x51\x16\xb5\x3a\x09\xd9\x81\x41\xfc\xcd\xf0\xb0\x8d\x8f\x9d\x6e\xfd\xed\x52\xd1\x01\xc3\xed\x6b\x27\xf6\xc6\xe4\x2f\x9b\xa1\x99\xf3\x9c\x9a\x33\x77\x28\xbd\xe0\x5b\xbe\xee\x63\xe4\xdc\x68\x0e\xcf\x0f\x02\x0b\xcb\xbb\x7b\x6a\xd0\xba\x9b\x2a\xa6\x14\x39\x1e\x8a\xa4\x15\x52\x13\x73\x56\x95\x3e\xf2\x15\x35\xca\x4e\x32\x20\xa2\x6f\x06\x1c\x7e\x78\xeb\x42\x42\x88\x98\x16\x95\xe6\x51\xf6\xda\x90\x57\xc6\x11\x02\xf5\xd5\x8d\x33\x13\x58\xd6\x91\xce\x1b\xd7\xf6\x81\x60\xcb\x76\xfe\x77\xf0\x3f\xfd\x46\x0e\xcd\xa1\xfd\xb1\xa7\x83\x33\x89\x3f\x1d\xc5\xd0\x35\x7d\xc2\x43\x35\xd3\xf1\x2d\x7d\xf9\x13\x31\x69\xd9\xd2\x14\x45\xb6\xa5\x81\x95\x66\x3d\xa0\x33\x06\x31\xb7\x32\xc1\xdc\xc3\xe6\x58\xf2\x37\xf0\xf6\x9a\x11\x60\x2d\x4c\xac\x64\x68\x35\x3f\xaf\xcb\xf4\xca\xd1\xa3\xa2\x6d\x2d\xed\xdb\xa7\xcc\xc8\x86\x34\x7f\xf0\x59\xda\xcf\x96\x96\x98\x00\x18\x53\x30\x7a\x3c\x5b\x36\x34\xde\xa1\x62\xe6\x3b\xd2\x7b\x7c\x9d\xab\x63\xa6\x70\x59\x29\x9d\x69\x42\x67\x5d\x10\x68\x8a\x79\x7d\x6
b\x51\x63\xea\xb8\x3b\x45\xb1\x84\x60\xc2\x8d\x6a\x83\x37\x1e\xca\x62\x6e\x9b\xdb\x94\xb9\x0a\x11\xa7\xfb\x7f\x7d\x9f\xec\x0d\x77\x3c\xc0\x56\x66\x36\x29\x2c\x7d\x90\xde\x64\x79\xae\x9f\xfc\xe8\xc3\x4e\x28\x4f\xf2\xfb\x4d\xa4\xc0\xb4\x62\x9a\x02\x3f\x1e\x9c\x1e\x79\xc5\xd6\xba\xe6\x25\x2c\xd4\xa3\x01\x53\xe8\xc1\xeb\xf0\x83\x89\xc2\x06\xd6\x6b\xec\xe9\x02\xed\x87\x7c\x36\x75\x6b\x3f\x9c\xaf\xe8\x41\xca\x61\xbf\xf3\x15\xfa\xe3\xaf\x3a\x18\x56\x3f\x71\xa7\x7e\xeb\x6f\xde\x0d\xb2\xce\xa7\xfe\x49\x4a\x78\x39\x1a\xfc\x1b\x21\xb2\x33\xe0\xc4\xb4\xa1\xa2\x3e\xee\x6f\xeb\xa1\xae\xe1\x12\x4e\xb0\x4e\xc4\xd2\x3b\x6a\xe5\xcc\xaf\x13\xac\xdb\x65\x6c\x72\x70\x7f\xed\x01\x0f\xc4\xab\x31\xba\x09\x3a\x22\xfa\x85\xe4\x73\x89\xac\xaf\xe2\xa2\x22\x98\xe5\x1d\x36\x73\x26\x95\x00\x8e\x65\xaf\xfd\xa7\x56\x13\xbb\xd2\x2f\x86\x9b\x05\xe9\xda\xfe\x41\x1d\xa8\x54\x9f\x14\x1e\x01\x8b\x36\x20\x49\xc6\xaf\x4e\xd7\x82\x37\x81\x72\xc5\x5a\xe7\xb1\xd0\x05\xa1\x90\x86\xc2\xab\x19\x74\x2f\xf7\xf9\xb3\x29\xdc\x56\x7f\x61\x47\x30\xef\x3e\x74\x78\xb6\x22\x09\xec\x2d\xb9\x0f\x3a\x60\x37\xaf\x0c\xb7\xbd\xcc\x8b\xad\x8b\x32\x86\x4a\x41\x67\xa3\x70\xd0\xf9\x16\xdc\x75\x1f\xb2\x8e\xe9\xc8\x00\xe5\x9e\x2e\x37\x20\xdb\xff\x36\x3b\x28\xcf\x26\x98\xfd\xb3\x06\x1b\xc3\x91\x97\x67\x7e\xfb\xca\x4f\x86\xda\x8a\x97\x6a\x1f\xe5\xf9\xe1\x83\xab\x9f\x3b\xdc\x9a\xb6\xae\x44\xb8\x71\x3a\x1e\xe0\x7b\x89\x4b\xf3\x74\x90\x46\x4f\x9d\x2c\x4f\x5a\x2a\x46\xc6\xb3\x03\x53\x43\xb9\x26\xdc\xa5\xd9\x93\xec\xb0\x74\x19\x1d\xf0\xe5\x0f\xbb\x11\x4c\x82\xb3\x69\xe1\x9d\x8c\xe9\x58\x02\x5e\x12\xa6\xe1\x35\xc3\x3c\x4e\x70\x40\xf2\xe5\xe4\xab\xb1\x43\xba\xfb\x7c\x71\x21\x44\xa9\x91\x09\xb0\x0d\xfd\x72\xf6\x6d\x6a\x5d\x7d\x1e\x6a\xea\xef\x79\x4f\xa4\x04\x57\x53\x28\xfe\xef\xd9\xc2\x08\xae\x71\x02\x36\xda\x12\xde\x52\x5c\x78\x40\x3e\x78\xfd\xcf\xb5\xcb\x34\x48\xf9\x38\x09\xea\xdb\xf8\xc6\xca\xec\xa7\x02\x83\x3a\x3d\x30\xbb\xaf\xe9\x4c\xa1\x4b\x5e\x91\x86\x4a\xa5\x75\x40\x94\x98\x93\x9c\x5b\x2c\xce\x2d\x33\xd1\xf1\x4a\xe3\xd7\x16\x9f\xfd\x5
1\xa7\x42\x1d\x2b\xe6\xa4\xf6\xce\x0d\x7f\xd5\xdd\x83\x4e\x02\x0c\x3e\x69\xcf\x5d\xeb\xe6\x9e\xe8\x63\xf5\x70\x2b\xab\x78\xfe\xcc\xd2\x85\xab\x47\x2b\x56\xd1\xc0\x6c\xe4\x0a\x79\xef\x15\xc0\x72\x36\x16\x36\x31\x74\x13\x72\x66\x43\xc9\x50\xc6\x7e\x57\x6f\xfd\x80\xd5\xf8\x08\x07\xb6\x72\x97\x36\x54\x7b\x00\xa0\xd4\x58\xe9\x3b\xf9\x64\xf4\x7d\xa3\x50\x77\x47\xec\x32\x3d\x31\x08\xc4\x49\x82\x62\x24\xea\x09\xaf\xa3\x66\x13\x33\x1a\x96\x1c\x5c\xf2\x59\x25\x2d\x0d\xac\xb5\x02\xfb\xc9\x87\xbb\xf6\xb1\xc8\xc6\x22\x5a\x6c\x0e\x65\xeb\xb5\xa5\x59\x45\xc5\xa0\x64\xec\x34\x6f\x84\x27\x0e\x3b\x38\xa1\x2a\xe7\x2c\x17\x80\x99\x75\xad\xa7\x2b\xad\x05\xa1\x2f\xda\x83\xf1\xb0\x0a\x42\x31\x04\x81\xca\x2a\x09\x90\xb6\x63\x96\x4e\x19\x4c\x92\x5c\x99\xce\xe8\x62\x79\xf6\x2c\x64\x54\x8a\x57\xd3\xf1\x67\xd6\x21\x3a\xcc\xbe\x67\x9a\x9f\xc2\x04\xd2\x10\x31\xf6\x4b\xd5\xf6\x8e\x8c\x75\xcf\x80\xaf\x20\x7c\xba\x25\xaa\x42\xfb\xc7\xdf\x07\x34\x25\x70\x00\xe5\xe9\xc2\x23\x36\x6d\x1d\xf4\x6f\x50\x8b\x8a\x8f\xba\x49\x33\x35\x2c\xb7\xc3\xf0\xe2\x5d\x66\xd8\xc5\x12\x9b\xdc\x46\x7d\xcd\xaf\x4f\x4a\x87\x1f\xea\x52\xb7\x07\xc8\x5c\xa1\xad\x30\xf0\x08\x04\xba\x50\x0c\xfb\xb2\xee\xe1\x8c\x68\x42\x09\x1c\x12\x0f\xf9\xf5\xfe\x91\x5a\x75\xa6\x23\xe5\x40\x7e\x77\xb2\xf2\xd7\xaa\x46\xe2\x4c\x96\x98\x6a\x60\x86\x55\x17\xc2\x67\x94\x5d\x39\x16\x92\xa1\xd3\xfe\xff\xc9\x35\x57\x67\x87\xc9\x0d\xa8\x46\xf9\x59\xe2\x6e\xef\x2f\x98\xce\x0b\x13\x17\x4f\xe4\x56\xc5\xd3\x3f\xb6\xbb\x65\xe8\x60\x3a\xf4\xf1\x02\x92\x9d\x84\x22\xb8\xbb\x5a\x24\xe0\xbe\xc7\x21\x4e\xe2\x3d\x9b\x8d\xd0\x7e\x7d\xaf\x18\xd8\x3f\xa6\x6d\x84\x9b\x91\xc7\x08\xf9\x9b\x46\x85\xc7\xb5\xdc\x95\x6d\x95\xc7\xfc\xea\xe7\x75\x9f\xea\xa0\xd2\xa0\x1f\x26\xb1\x7b\x9e\x5a\x23\x0c\x18\xc6\x10\xa7\xe7\x24\xdb\x79\xbe\xcd\x4a\xc0\xf1\x76\xbc\xf2\x04\x49\xe9\x0c\x3f\xae\x89\xc3\xa9\x93\xe2\xf9\xc5\x1e\x42\x8d\xc0\xbd\xdf\x67\xa7\xcd\x11\xf9\xce\x0d\xaf\xb4\x27\x7c\x32\x81\xb8\x8f\xa7\x13\x8d\x21\x7d\x79\xfe\x3e\xd7\x2b\x19\x5f\x27\x82\x0e\x33\x22\x9c\x5a\x6d\x7f\x4
9\x37\x20\xf9\x19\x0a\x1c\xb2\x29\xa3\xbe\xa0\xa7\x8f\x62\x9d\x00\x59\x3c\x98\x8c\x2d\x3f\xa0\x9f\x89\x35\xe2\x5b\xcd\x4c\xe0\x27\x6a\x16\xf2\x30\x6f\x7c\xbc\x89\x12\x52\x35\x91\xed\x88\x92\x1a\xa7\xae\xfe\x26\x71\x2f\x81\x02\x89\x06\xd7\x30\xfb\xe8\x19\x95\x52\x1e\x02\xe3\xdd\xfc\xa0\xf8\x81\xcb\x98\xa6\x61\xd2\xcf\x8d\x1f\xc3\x10\x84\x5d\xf4\xec\x58\x8c\x2b\x30\xfd\xfc\xe1\x81\xe6\xef\x9a\x65\x4e\x83\xfa\x69\xb7\x73\xfb\x51\x71\x77\x74\x93\x6e\x6d\x03\x77\x54\x78\x2f\xbf\xf1\x3d\x32\xa5\x0c\x75\xe2\x75\x3b\xca\xf4\xae\x37\x35\x26\xe6\x10\x60\x5f\x07\xc6\x77\xae\xda\xc8\xda\xf3\x79\x28\x3f\x2e\x59\xae\xdd\xe2\xc0\x19\x53\xd1\xbe\x45\x91\xef\x16\x5c\xa1\x90\x6d\xeb\xdc\x0b\x8e\x47\xde\xf1\xa3\x4d\x3c\x3a\x4c\x12\xea\xe8\x96\x68\xd1\x43\xd1\xb0\x98\x4f\x94\x50\x44\x70\x9d\xf8\x68\xd0\x97\x55\x14\xdc\x10\x93\x09\x0b\x0f\xe4\x29\x62\x34\x5e\xf4\x0b\x0d\xd8\x4f\xf7\xa2\x0f\x39\x4d\x5b\x3f\xc5\xa5\x5d\x69\xb4\xbb\xd0\x0b\x53\xe3\x17\x4c\x76\x0c\xb9\xc7\x9f\x27\x52\x75\x55\x8c\x69\x67\xf0\x3c\xb7\xb5\x4e\xc6\xc2\xa8\x60\x2a\x55\x57\xc4\x8e\x0c\xce\xae\xbc\x38\xc4\xcb\x35\xf1\x71\xfa\x42\x62\x2b\x1e\x8b\xe6\xdd\x32\x33\x75\x03\x3e\xde\x7b\xea\x93\xb6\xd6\x67\x75\x8f\xb9\x97\xcc\xee\x89\x6c\xb3\xa0\x3e\x47\xfe\x8b\x51\xbf\xef\xd7\x16\x5b\x4b\x16\x25\x46\xc2\xe4\xd4\x67\x10\x35\x3b\x73\xf6\xf1\xde\xa1\x7e\x44\x2b\x82\x72\xf6\xaf\xf9\x9c\x86\x43\x72\xe4\xc3\xe5\x63\x1b\xb7\x39\xb5\x9a\xd1\x23\x5a\x18\xaf\x7d\x59\xb7\x93\x20\xa4\x1b\x7c\x0e\x8d\x64\xd5\xa7\x94\x81\xcc\xe1\xe3\x1b\x33\x4a\xb3\x3e\x92\xe6\xa4\x29\x7f\x3d\xef\x0f\x1b\x34\x67\x5c\x7d\xe9\x10\xfe\x38\xe4\x94\xee\x01\x4b\xb8\x44\xe7\x07\xbd\x30\x2b\x24\x78\x6b\xd6\x06\x2b\xac\xb8\x2d\x52\x7a\xcd\xca\x23\x6f\x21\x7b\xf0\x47\x47\x42\x47\x6e\x6a\x93\x25\xd9\xee\x28\x2d\xee\x43\x63\x6b\xeb\xa5\x41\xe6\xaf\x65\xba\xb1\xf5\x82\x33\xa6\xf5\x58\xd8\xc6\x01\x9f\x4e\xe4\xc8\xe8\x33\xea\x16\x18\xb0\x53\xb3\xcd\xb8\xf8\x8f\x09\xce\x12\x25\xa6\x8f\x31\x9d\xe5\xbc\x58\x3e\xb3\xd2\x2f\x27\x32\x34\x3e\x9c\x0a\xcb\xd8\xef\xde\x7d\x9
c\x0f\x22\x40\x6b\x9d\x1b\xeb\x10\xe7\xbc\x92\x80\x7c\x7b\xbd\xc0\x0b\x1d\x88\x53\x4e\x65\xdb\xa2\x56\x21\x67\xe2\xcf\x12\xa6\xf4\xb1\xe8\x9b\x24\x95\xbe\x63\x1f\xe9\xa7\xaf\xaf\x3e\x44\x02\x54\xa2\xda\x7e\xeb\x26\x1b\x40\xb4\xb2\xc8\xa2\x25\x7d\x75\xb0\x9b\x85\xb8\x1d\x79\x54\xac\x55\x31\x3a\xc4\x99\x0c\x54\xae\x40\x79\x3c\x21\x58\xcf\xeb\xf3\x29\xb2\x67\x40\x5d\xd2\xa5\xe7\x61\x54\xd2\x1d\x74\xed\xd4\xa1\xe0\x86\xf0\xf2\x40\xe7\x19\x96\xa0\x4e\x8f\x96\xec\x88\x22\xbc\x5f\xc9\x18\x38\xd1\x7d\x97\xb0\x3c\xab\x99\x58\x33\xaa\xd9\xfe\xd8\xdb\xd9\x44\xfc\x11\xab\x74\xfc\x51\x5f\xd8\xbc\x5c\x06\x74\x24\xd3\x2d\xbb\x99\xe4\x9e\x0d\x42\xa5\x97\xdd\x80\x73\x17\xd6\x69\xdf\x7c\x08\x97\x9d\xd6\x47\xca\xe4\xb9\xd1\x23\xa6\x44\x03\x7c\x68\xfd\x7b\x45\x4d\x15\x8b\x51\x28\x18\x5b\x7a\x07\x1b\x77\x45\x3e\x29\xef\x51\x83\xc0\x3f\x3d\xac\x27\x58\xfa\xd6\x67\x3d\x17\xb9\x5a\x42\xd4\x28\xb5\x6d\xd7\xac\xd6\xb4\x4a\x15\xf8\xa6\xac\xc4\xc7\x3d\x23\xfd\xdf\xc4\x4f\xe5\x7a\x9a\xdd\x19\x57\x96\xcf\x45\xc0\x00\x6f\x6a\x24\x16\x0d\xfb\x87\x98\x62\xb0\x11\xe7\x4b\x88\x0f\x5a\x4f\x5d\xc8\x05\x3a\x1f\x2c\x7d\x0e\x1d\x77\x2c\x62\xca\x02\x8b\x09\xce\xba\xc8\x8e\xa7\xa8\xa1\x85\x59\x96\x20\x16\x74\xf2\xeb\x71\xac\x52\x6c\x0a\x0e\xc4\x49\x3d\xaf\x01\xa5\x51\x6d\x2b\xf8\x8b\xd8\x11\x72\xa2\xf7\x5f\xaf\xb3\xcd\xe2\xc9\x2b\x7a\x02\x0e\x07\x67\xcb\xda\xdf\x65\x57\x55\xc3\x71\x5c\x6b\xf9\xcc\x3d\xf3\x8c\x38\x34\xa7\x24\x95\x05\xa6\x89\x48\x0c\xa3\xa9\x78\x79\x2a\xe9\xbe\xfd\xfb\x3f\x25\xe3\xdf\xec\x22\xa9\x0d\x66\xac\xbc\xe1\x63\x3a\x29\x7c\xc2\xbe\xd9\x75\x73\x1f\xbc\x97\xc0\x9d\xa8\x94\x22\x65\x33\x6d\x17\xb1\x3a\x52\xef\xff\x98\x62\x6a\x8b\x7b\x18\x8c\xfb\x9d\xfd\x33\xeb\x28\x76\x34\x08\x73\x2b\xba\xe7\xb8\x01\x22\xa9\x1a\xd9\x81\x38\x97\x75\x7e\xff\xb8\x43\x58\xdb\xd6\x2b\x01\x33\x24\x1a\xb9\xaf\xa7\x9e\x35\x3f\x5e\x7d\xb9\x16\x39\x21\xd6\x5e\xfc\x93\xe4\x08\xbc\x38\xff\x95\x84\x29\x05\xa9\x13\xd0\x84\xd2\x4f\xa2\x23\x59\xdf\x71\x0b\x39\x69\x4d\xe2\x40\x38\x98\x31\xe3\x44\xe9\xd5\x33\x2a\xc0\xc5\x4
8\x4e\xdc\x3a\x9a\xc6\x12\xf6\x68\xe4\xe7\x81\x80\x10\x9e\x12\x49\xef\x5d\xc2\x7c\xfd\xed\x52\xea\x37\xef\x3a\x7d\x1d\x02\x88\xa9\xf7\x53\x2f\xb9\xf3\xa3\x80\x29\x4c\xf0\x33\x29\x62\x8f\xe8\xfa\xc3\xb8\x12\x11\x30\xbc\x3d\xff\x51\xed\x6f\x83\x00\x80\x67\x86\xf9\xe5\x05\xde\x5d\x25\xd6\x87\xc4\x02\xc0\xbe\xdb\x7d\x41\xcd\xb9\xcf\xb8\x77\x14\xba\x29\x28\xbe\xce\xcb\xe1\xaa\x32\xdf\xda\x00\x17\x07\xc7\x84\xce\xe7\xf6\x46\x48\x77\xef\x87\x98\xc1\x60\x8c\x48\x7c\xe0\x88\xd0\x73\x08\xb4\xf1\x67\x2f\xb2\x8e\xfa\xd8\xae\xe8\x45\xff\x99\xe0\x0d\xb8\xd0\xa4\xef\xf1\x0e\x7e\x04\x82\xe1\x0d\x2d\x4f\x53\x6b\x90\xa1\x7f\x2c\xd0\x64\x99\x58\x61\x9a\x3b\xfc\x4c\x72\x65\x4a\xb9\xa0\xda\xe3\x09\x9d\x69\x58\xcc\x43\xac\xee\x94\xa4\x50\x15\x24\xe0\xa9\xdd\x76\x70\x0d\x81\x46\x1f\xfc\x9c\xde\x22\x27\x15\xd4\xc8\x91\x7c\x2e\x53\x56\x0b\x63\x53\xa0\x98\xc9\x48\xce\x16\x13\x1b\xca\xc5\x69\x48\x46\x94\x26\x57\xfb\xbd\x47\xd1\x4f\x0b\x9e\x6e\x0e\x38\x3e\x7d\x60\xef\xe2\xd9\x93\x5c\x04\xdf\xee\x10\xe2\x2f\x47\x4c\xf3\x82\x32\x9c\xce\x12\xae\x8d\x21\x0f\xfb\xd1\x7d\xd0\xf1\x86\x8f\x6c\x10\xaa\x34\xdc\x1f\xb7\xbb\xb7\xa2\x5d\xb0\xcd\xb0\xaf\xcb\x3a\x52\x34\x45\x56\x4c\x6b\xc6\xc0\xf8\x43\x3a\x67\x75\x88\x18\x52\xd9\x97\x0a\xa4\x20\x3c\x92\x58\xa9\x44\x27\x41\x68\x89\x9d\x5a\x81\x5d\x66\x50\x37\xda\x71\x6d\x53\x04\xe4\xf2\x6c\x28\x9a\x46\x38\x4b\x96\x5f\x2c\xa5\xaa\xcc\x1c\x81\x23\xb5\x4c\x14\xe8\x3a\x59\xb9\x97\x99\x64\x88\x14\x79\x77\x84\x25\x4e\x3f\xcc\xca\x53\x79\x0c\xe3\xf0\xc2\x4b\xa0\x17\x22\xd4\x2b\xaf\xfc\x81\x68\xa3\x6c\x95\xb5\x38\x8d\xef\x13\x7e\x6c\x92\x9e\x2e\xd1\x42\x99\x10\xd1\x38\xe7\x91\xf8\xc4\x5c\x37\xea\x0b\x8d\x5f\x25\xdb\xb2\xb4\x3a\x4c\x2e\x05\x27\x32\x7a\x58\x47\xdf\x44\xa2\x14\x22\x23\x30\x14\x4d\x26\x44\x63\x66\x76\x4f\x81\x6d\xb2\x84\x7b\xba\x48\x60\xf2\x2d\xca\x28\xae\xa5\xba\xd2\x98\xdc\x4e\x58\x88\xce\x73\x7b\x16\x96\xc9\x52\xc2\xa5\x15\x57\x4d\x10\xd4\xd2\xc3\xd0\xa2\x12\x32\x42\x2d\x0d\x60\x07\x45\x86\x2a\x31\x51\x3c\x97\x8c\x84\x42\xbe\xba\xb3\xe3\xef\xbc\x5b\xf
0\x65\x72\x70\xd1\xdb\x26\xe9\x79\xcf\x50\xef\x7a\x3c\xfe\xe8\x80\xf7\x7a\x0b\x80\x2c\x7b\x37\x1b\xf9\x66\xa5\x41\x3d\x68\x74\xd9\x11\x1e\x7b\x98\xa9\x72\xbe\x26\xe2\x8f\xa9\xec\x1f\x77\x93\x91\xe3\xa4\x91\xd5\xe8\x69\x5f\x73\xd8\x87\x73\xa3\xd4\x06\x82\xff\xe1\xce\xa2\x37\xfa\x5a\x91\xd4\x8b\xd8\x2d\x8e\xcd\x25\xe6\xa6\x29\x2d\x17\x77\xe3\x8b\xe3\x7c\xcc\x8d\x96\xcf\x9d\x19\x1b\xa9\x05\x85\xe7\x28\xdc\x41\x5b\xc4\x06\xfd\x94\xe5\x3c\x67\x40\x71\xdf\x12\xea\x08\x9d\xcd\x94\xf9\xd9\x6b\x03\x86\xf7\x26\x05\x12\x67\xc9\x6e\x5c\x3d\x79\x49\xe8\x55\x02\xb5\xda\x43\xf1\x04\x93\xba\xa2\xfd\x77\xa0\x2f\xaa\xca\x33\x55\x8f\x78\xf0\x9f\x00\x43\x3b\xa9\x91\xef\x1b\x40\xc5\x99\x90\x39\xbe\xe1\x77\xfd\xa3\xba\x5d\xc0\x92\x51\x62\xe5\x9a\x8e\x32\x7c\x19\xe7\xd4\xe0\xaa\x8f\x13\x71\x07\x02\x71\xe0\x03\xce\x63\xf4\x27\x26\x5b\x6a\x2d\xfb\x1d\x68\x64\xf8\xcd\xf2\xa9\xd0\xf8\xb3\x8e\x57\x71\x2b\x85\x43\xa2\x0b\xe5\x02\x4a\xef\xfd\x25\x0a\x10\x6e\x78\x3a\x08\xa5\xae\x38\x5a\xc9\xa5\x76\xb3\xc1\xb0\x90\x36\xc5\x0f\x1a\x8d\x56\x99\xf1\xba\xd3\xd1\x69\x68\xf1\x1e\x9b\x1f\x54\xef\xdf\x3c\x2e\xc0\x3a\x1f\x12\x4a\xb5\xe5\xc4\x53\xd1\x9b\x93\x9b\x68\xd0\xa3\x39\x95\x1b\x5b\xb5\x5d\xa3\xeb\x45\x9c\x3f\x86\xa1\xde\x1b\x8b\x9c\xef\xe6\xe6\x0d\x14\xd8\xc6\x14\x31\x45\xe2\x4a\x85\xe9\xc0\x62\xa8\xf6\xbf\x5c\x9a\x51\xb2\xa5\x07\xff\xdf\x6f\x60\x1c\xd7\xd1\x0a\x7f\x3c\xb1\x6f\x38\xd7\xf2\xc4\x6e\xb2\xc1\xeb\xd2\x05\xd5\xb6\x0c\x5d\x5e\xc3\xd6\x0e\x15\x18\x9b\x9f\x44\x5c\xbf\x29\x17\x7b\x83\x55\xd8\xaf\x6b\xad\x6c\x6e\x3a\xda\xb3\x9d\xf7\x1e\xe2\xcf\x90\xdf\x9a\xb8\x68\x08\xe6\x2d\x1e\xc2\x4f\xf2\xbd\xe6\xfd\x56\xa2\x31\xe4\xe5\x56\xcc\x22\x7f\x5f\xa6\xd6\x17\xd5\x49\xae\xd8\xe2\xe3\x66\x01\x3d\x8a\x2c\x28\x99\xa5\xc7\x52\x62\x0d\x54\x47\x1f\x9c\xfe\x17\xb6\x87\xfe\xe4\x27\x99\xeb\x86\x21\xca\xbf\x3b\x81\x76\xdf\x65\x4b\x20\xf3\x48\xc9\x16\x7d\x70\xe9\x59\x22\x13\x38\xbf\x47\xcf\x3b\x34\x7d\xdb\x46\xe4\xea\x71\xfc\x82\x50\xcf\x48\x18\x60\x7a\x35\x95\x16\x65\xae\xec\x1b\x46\x84\xa9\xf2\xd5\x40\x39\xb
6\x44\xe3\xff\xcf\x5e\xf2\xa2\x67\x3d\x97\x40\x8f\xb9\xc5\xb9\xee\x80\x28\x67\xfc\xfc\xbf\x3c\xed\x42\x95\xe5\x9e\x78\x36\x5d\xe8\xf3\x8d\x98\x06\x6b\xc1\x63\xb7\x55\x56\x8b\xb0\x2e\xec\xa3\x8e\x04\xfe\x45\xb7\x80\x9c\xc4\x42\x40\x23\xa2\x3b\x15\xe3\x74\xe3\x83\xd0\x1e\x02\xdc\x66\x92\x48\x47\xf3\x72\xd8\xad\xc3\xb8\xaa\xdd\xb6\xea\xf9\x57\x5f\x52\x42\x51\xca\x6f\xea\x93\xfa\x33\x57\xe8\x1e\x94\x71\x5f\xbb\xe3\xce\x2b\xbc\x0c\x3d\x44\x7a\x51\x18\xd8\x59\xb1\xa7\x43\xb3\xe8\xee\xbf\xd3\x52\xfc\x50\xc2\x8c\x89\xd9\xfb\xf2\x08\x7c\xbe\xdc\xdd\xad\xd1\x99\x3a\x35\xf7\x1b\xff\x4b\x6e\x91\x90\xfb\x18\x26\xfa\x2b\x30\x89\x01\x87\x61\x65\xc7\x04\x17\xdc\xe1\x6e\xa0\xc1\x97\x55\x74\xbd\xc7\xcc\xf8\xd9\x2b\x3e\x77\x2b\x57\xfb\xad\xee\x74\xfc\xfe\x7b\x73\xdb\xef\x59\xc7\xf2\xe5\xba\x57\xb9\xbe\x68\x43\xe0\x6d\x0c\x13\xda\x2f\x48\x78\x40\x73\x7a\x8d\xfc\x79\x0c\xd5\x53\xc6\x93\xa9\xd1\x26\x8a\x13\xac\xfa\x44\xfa\x5e\x4b\x4f\x0d\xa3\x76\xfc\xc0\xec\x82\x94\xfd\xc0\x18\x23\x89\x7f\x91\x21\x27\xdb\x76\x90\x3d\xf2\xcd\xbf\xb9\x90\x24\x00\xc8\x6b\xf5\x26\xdd\xbb\x47\xc8\xe4\x9b\x67\x30\x55\xf7\x0a\x7d\x90\x08\x1c\xd3\x19\x64\xe0\x51\x9d\x50\x4c\x17\x1c\xd4\x1a\xb7\x99\x79\x16\xa7\x11\xcd\xec\x24\xf8\x0f\x80\x39\xce\xc9\xf6\x5b\xfb\xfa\x93\xe7\xbf\x22\x83\x51\xa8\x18\x92\xe5\x71\x80\xae\xce\x3e\x6b\x0f\xf3\x36\x6d\xc6\x66\x44\x47\xfa\xe5\xbe\xd3\x81\xf6\x29\x13\x4a\xdf\xcc\x51\xec\xa2\xab\x32\x76\x68\x2e\x5d\x9f\x67\x7b\x30\x1d\x6e\x6d\xcf\xa8\x64\x61\xa5\x67\xcb\x9c\xbf\xda\x3d\x2f\x91\xb3\xab\xc2\x0a\x5a\x7d\x46\x5d\x57\xc5\x07\xfe\x9c\xad\x83\x43\xd6\x4f\x51\xbe\x63\x0c\xe8\x18\xab\x78\xe9\x2c\xc5\x40\x8f\x48\x02\x5f\xbb\xf8\x39\x6d\x88\x20\x1c\x04\x2f\xd7\x11\x82\xc3\xd5\xdd\x62\xac\xe3\xec\x92\x31\xf8\x47\xbd\xff\x19\xb7\xbc\xe4\xe0\x4d\x10\x22\xb3\x2d\x46\xc7\x47\x09\xaa\x49\x63\x16\x6a\xef\xc5\xad\x6e\xd9\x47\x01\xd4\x32\x7f\x39\x4e\x1c\x9d\x01\xfb\xd3\xf2\x59\x03\xc5\x02\x0a\x84\x87\x96\x30\x08\xf8\xe4\xee\xdf\xe9\xc8\xd6\x2c\xa9\xcd\x72\xa9\x62\x39\xb1\xc0\x42\x7c\xb4\xe1\x7
1\x18\x21\x9b\x42\xcb\x89\x73\x53\x62\x1d\x66\x7a\x53\x8d\x3b\xa3\xe9\x26\x67\x38\xfd\x25\x24\x68\x1f\xd6\x33\xc1\xf7\x1a\x51\x28\x62\x10\xbc\x79\x3f\xc8\x9c\x0f\x04\x38\x66\x48\x0b\x7e\x08\x62\xb7\xa1\x08\x59\x3b\x2e\x9f\x8d\x1f\xc6\x2b\x7c\x67\xf5\x0d\xff\x63\x8f\x93\x18\xfa\x26\x0f\x37\x30\xce\xc7\x08\x0a\xfd\x74\x36\x41\xde\x7d\x59\xbc\xa4\xd3\x21\xf0\x31\xf3\x5f\xa6\x16\xc4\x33\xed\x57\x2a\x39\xbb\x17\xb9\x3c\x85\x81\xb1\x2a\xa1\xd2\x51\x54\x1b\xb5\xb2\x1c\x63\x91\x7c\x5b\x70\xec\x65\xe9\x57\xc5\x9c\x64\x3a\x6c\x0a\xb0\x02\xb5\x46\xdd\x97\x03\x50\xbe\x2a\x57\xe1\xa8\xf0\xf4\x6b\x01\x19\x95\x0a\xab\x33\x01\xe5\xca\x05\x43\x53\x2e\x1f\x08\x19\x90\x75\x60\x9f\x22\xcb\x8c\x8f\xfc\xba\x4b\xc8\x1d\xf5\xda\x4b\xa7\xae\x6b\x11\x1b\x4c\xd9\xc6\xe2\xe6\xc2\x0a\xda\x23\x28\x20\xb4\x77\x53\xd6\x26\x2c\x2b\x9e\xa6\x1e\xad\x28\x1b\xa0\xc3\x1c\x3b\xdf\xc0\x6b\x8a\x42\x98\x22\x82\xa2\x15\xbe\xad\xa3\xae\x9b\x2e\xad\x9a\xfd\x24\xf5\x0b\xc2\x28\x18\x90\x09\x77\x91\xcf\x37\xb1\x96\x9b\x45\xba\x7e\xb1\x30\x53\x66\x76\x7e\xda\x01\xef\xd0\x57\xda\x56\x74\x31\xc4\x9e\x79\xc5\x5a\x58\x95\x4f\x12\xda\xb8\xf1\xb6\x88\x51\x3f\x4c\x3c\x49\xa5\xf2\x7e\xe5\x37\x50\xd8\x9b\x63\x37\x79\x98\x00\x58\x78\x9d\x26\xa6\xb1\x72\x0b\xe7\xca\x54\x9d\xe7\x4b\xdb\x76\x3f\x4d\xb1\xa6\xbb\x86\x0b\x05\xdb\xc4\x77\x5b\x20\xce\xd8\x71\xb4\xa9\xd9\xd8\x77\xab\xef\x6c\x4b\xb3\x9d\x36\x8e\xf7\xe7\xfb\xba\xc5\xcb\x88\x21\x2d\x87\xf3\xc7\x62\x06\x59\xcf\x4c\xe1\xc6\xee\xb0\xea\x83\x84\xa6\xdf\x2f\x29\x13\x34\xe5\x80\x84\xfc\x55\xa3\xb6\xd7\xa8\x35\x1f\x62\x5a\x71\xee\xce\x16\xfc\xb5\x2f\xcc\xa8\x88\x09\x3a\x04\x0f\x5f\x15\x7a\xe2\x7d\xd7\x9d\x26\xae\x55\x5d\xd0\xd2\x19\xb5\x85\x53\xdb\x3b\xd8\xb4\x8d\x85\x6b\x3e\x23\x3d\x19\x72\x65\x78\xd3\x82\xbe\x3d\x12\x3f\x86\x56\xdb\xa5\xe6\x1d\xb1\x4b\x62\x7e\xb0\x74\xdb\x68\xd5\xa6\x9c\x93\x51\x17\x44\x92\xb5\x08\x24\x82\x4d\x3d\x3a\xf7\x92\x95\xf0\x5c\xdb\xb4\x7c\x8e\xf7\xc8\x5d\x81\x5b\xdc\xba\xcf\x4b\x86\x27\x96\x5c\x07\xc8\xe1\x07\x9f\x20\x1e\x50\x98\x02\x84\xf2\x00\x5
a\x92\xba\x82\x15\xd0\x6e\xf5\xef\xed\x59\x1f\x52\x79\xf1\x8a\x2f\xea\x04\x24\x66\xd7\x83\xe1\x08\x64\xe9\x3a\x54\xb8\x64\x9b\xb4\x43\x6d\x88\x6c\x78\x81\x9e\x92\x7c\x16\x3c\x76\x9c\x22\xfd\x6c\x1f\xfc\x50\x98\x49\xf6\x85\xac\xbc\x5c\x6e\xab\xe4\xbf\xb2\xe2\x65\x0b\xab\x17\x39\xa6\x95\x3b\x27\xa1\x84\x64\x64\xea\x8f\x56\xa7\x6c\xd3\x71\xa7\x47\x45\x95\x94\x9b\x6f\xd4\xdb\x07\x6d\x44\xce\xca\x31\x12\x22\x74\xec\x56\x8c\x58\x1d\x08\x8e\xe7\xf5\x68\xc0\x02\x4a\x49\x19\x20\x40\x1f\x16\x5d\xd1\x71\x1a\x2f\x9b\x03\x7e\xf4\xb4\x01\x9d\x22\x72\xe1\x9e\xd5\xcf\x41\x40\xe5\x8d\x74\xae\x1d\x93\x01\x8d\x09\xfe\xe3\x26\x3e\x81\x19\xfc\x7a\x48\x09\x45\x9c\x43\x4e\x93\xd3\x04\x70\x2f\x11\x0f\xc3\xa4\x0d\xfa\x78\xfd\xac\x5e\xdf\x24\x25\xd8\xdc\x16\x29\xbc\x95\xba\xb9\x32\x70\x32\x59\x8c\x2f\x55\x30\x78\x18\x7c\x3d\x07\x6f\x15\x67\x4c\xfb\x9e\x0f\x18\x2b\x68\xce\xdc\xec\x34\xcf\x04\x90\x90\x1a\xf1\x0a\x2d\x10\xac\x87\x31\xf7\x9e\x60\xea\x1e\xb1\x78\xa6\x01\x42\x97\xa5\xa3\xb8\x4b\x80\xde\xb5\xf3\xb5\x62\x04\xcd\xaf\x3a\x4c\xa0\xbc\xa0\x08\x3a\xca\xc6\xd2\xa5\x63\x71\x7e\xb7\x0b\x9d\x82\x75\xbb\x31\xdd\x4d\xa2\x5f\x6a\xaf\x3b\xb5\x76\x15\x2c\xc5\x98\x39\x9b\xfc\x1f\x70\x3f\x9d\x65\xc7\xca\x6f\xc4\x5d\x7c\xd8\x19\x12\x07\x1a\x94\xb4\x98\x17\x28\xbd\x3f\xa5\x32\xdd\x3a\xb9\x5e\xdc\x2c\x8a\x87\x92\x31\x6b\x78\x28\xc1\x7a\x0a\x11\x5a\x80\xee\x5f\x7c\x63\x2f\xa1\x23\xfc\xce\xae\xcb\x31\x19\x15\x34\x9c\x9b\x26\xf2\xed\x27\x52\x23\xd7\x9b\xac\x0c\x13\x76\x71\xc3\xac\x5f\x48\x9b\x42\xfb\xf5\xb1\x9b\x3a\x46\xae\x22\xa7\x2f\xe3\x47\xd8\xab\xf1\x11\x42\x96\x85\x62\xc6\x32\x9d\xfb\x94\x22\x49\xb5\x93\xd3\x7d\x17\xf4\x0d\x79\x3a\x48\x18\x92\x10\xe0\xb6\x0b\x95\x83\x75\xc0\x89\x93\xd3\x4e\x3e\xb0\xba\x69\x32\x43\x5c\xde\x73\xd5\x68\xd8\x1e\x0d\xf7\xf7\x6d\xab\x7c\x1c\x1f\x7e\x5b\x76\x41\x44\x89\x6f\xe5\xa8\x19\xa4\xf0\xae\xfa\x09\x9e\x1d\x84\xf8\xc1\x12\x02\xbc\x14\x1f\x7a\xe0\x3f\xb4\xfd\xbf\x5b\x6c\x30\x83\x4a\x4d\xcc\x7f\x9a\x64\xbb\xe1\x40\x76\x11\x0b\x97\x29\x76\x7e\x5f\x31\xed\xbf\x5d\xdc\x5
4\x0f\x3a\x31\xa3\x6f\x4a\x33\x2b\x5a\x24\xd9\xe0\xbe\x54\xf8\x16\x1b\x52\xf7\x6b\x78\x08\x3e\x40\xa6\x63\xc8\xd2\x0b\xfb\xc4\x46\x53\x3c\x2c\x4b\x78\xe6\x30\xbb\xc9\x4a\x24\xd9\x51\x60\x18\xfa\xff\xed\xc2\xe8\x5f\xb0\x91\xde\xea\xd3\x61\x2c\x8a\xb2\x41\xb1\x26\x47\xc2\xe7\x14\x07\xa9\xbb\xef\x11\xc9\x75\xed\xbb\x97\x22\xab\x61\x74\xa9\x19\x1c\x5f\x01\x28\xc1\xe0\xf4\x39\x33\x53\x68\x9a\xd1\x8b\x96\x78\x5a\x7d\x8e\x04\x5a\xdb\x80\x1a\xfe\x79\x00\x0f\x18\xec\xbc\x07\xea\x83\x93\x06\xbe\xcb\x86\x2b\x17\x53\xfe\xd5\x04\xdf\x00\x95\x46\x67\x2f\xd6\x5e\x60\xa2\xb5\x23\xae\x74\x77\x50\x2d\xb7\x5d\xeb\x99\x44\x52\xe0\xb3\xf7\xa8\x41\xa9\x8b\x8c\x0b\x0e\x82\x8f\x0c\xa6\x79\xe1\xfb\x97\xf8\xdf\x29\x2e\x2d\xb3\x0f\x75\x6f\xba\x17\x75\x45\xa0\x9b\xeb\x2b\xe1\x93\xfb\x3a\x1a\x94\xd3\x44\x56\xd9\x07\x1e\x63\x4b\xb8\xa4\x33\x09\x30\x2f\x6c\xe4\xc3\x38\xd4\x39\x27\x0c\x42\x6b\xaa\x04\x8b\xb9\x2e\xc1\x39\xe5\x0f\xc4\x57\xdb\x0f\x37\xb4\x94\xc5\x91\xf6\x71\x15\xbc\x9c\x52\x21\x52\xd2\x8f\x9c\xad\x16\x10\xbf\xfc\xea\x13\x9b\xf2\xc5\xe0\x23\x9d\x4f\x8d\xb1\x25\xf0\xc6\x68\x76\x8a\x02\xab\x70\x28\x14\xab\x61\xb5\x7e\x0d\xd8\x39\x54\x9c\xd7\x8c\x1d\x33\x1d\x3c\xf4\x2e\x0e\x94\x35\x9d\xf9\xf9\xd8\xd4\xfa\x2b\x98\x2a\x19\x77\xcc\x55\xa8\x88\x80\x56\x46\x23\x15\x45\xc2\xe9\x6a\x8b\x80\xc9\xdb\xda\xf7\xb7\x64\x40\x21\xf8\xdb\xdd\x8f\x3c\x37\x3a\x72\xa9\xc5\xa8\xad\x05\xc6\x7f\x50\xbd\x32\xa9\x6e\x19\xa6\x06\x17\x00\x61\x54\x2a\x0b\x1e\xe9\x0e\x3c\x75\x61\x9d\x95\x41\x6e\x1d\x2f\x6c\x76\xef\x08\xf6\x11\x88\x2c\x87\xd0\x96\xb2\xf8\x4c\x1b\x5f\x79\xc7\x28\x72\x7e\x00\xb0\x58\x9f\xf8\x67\x82\x4b\x88\x93\x9c\x3a\xcb\xa9\x6f\x59\xa3\xe3\x08\xef\x70\x68\xbd\x4a\xd8\x47\x8b\x9f\x0d\x6d\x5c\x90\xc8\xd3\xfd\xb1\xbc\xe0\x82\x2f\xd4\xdb\xf6\x04\x33\xd0\xfd\x9a\x1d\x00\xfa\xd0\x5b\x13\x5b\x0f\xca\x52\x29\x82\xbd\x41\xa1\xd3\x2c\xa9\xe1\x3c\xc2\xde\x18\x09\xe5\x1e\x12\xb5\x40\xdf\x58\xcc\x4b\xca\xcb\xc3\x94\x53\xe6\x2e\xff\xe1\xcb\xa6\x2a\x72\x5b\x7b\x69\x0a\x53\x1a\x16\x9b\x16\xcd\x4f\xb4\x23\x00\x18\xa
d\xbf\xeb\xfd\x58\xec\x47\x67\x42\xa8\xea\x7e\x8f\xf7\xe5\x6a\xb4\x63\xb3\x45\xa8\x42\x99\x86\x7f\x85\x7d\xe6\xea\x30\x75\x9a\x8d\xd0\x93\xe9\x8f\x99\xc6\x2f\x40\x95\x97\xf9\xa3\xdd\xd4\x90\xc8\x81\x33\xd9\x83\x1a\x7d\xdd\x0b\xbc\x35\x36\xd8\x0d\xea\xee\x38\xac\xb1\xba\x95\xba\x0c\xda\x91\x0f\x4b\x12\x0a\x59\x2b\xc9\x15\x04\xf4\xb0\xd9\x91\x71\xe2\xc4\x5d\x4e\x25\x6d\xc0\x3f\xed\xe6\x8e\xe1\xda\xbf\x80\x29\xc9\x9d\xec\x19\x8c\x4a\xad\xdb\x68\x17\xf8\x39\xf1\xda\x74\x97\x12\x67\xc2\x12\xbd\x22\x69\xf8\xcc\xcd\x32\x49\x5e\x8f\x72\x04\x48\x6d\x98\x59\x87\xc2\x5a\x5c\xb7\xef\xd6\x39\xb1\xdb\xd2\x50\x60\x22\xf6\xca\xf2\x4b\x09\x22\x62\x27\xd8\x03\x5c\xea\x83\xb9\xcb\x82\x1a\xc3\xfd\xae\xda\x5f\x22\xdf\xb1\x19\x15\x93\xf4\xd1\x65\x5e\x23\x54\x6c\x84\xa8\xff\x48\x27\x89\xbc\x92\xf1\x94\xdd\xa5\xf6\x14\xd6\x98\x6e\xac\x82\x9b\xab\x2b\x7a\x29\x22\x5b\xd5\x51\x76\x12\xd4\x0f\xda\x6a\x15\x3f\xc5\x2b\x24\x66\x33\x68\xad\xc2\xed\xf5\x6b\x07\xbb\x22\xf1\xb5\xd5\x26\xbf\xfb\x21\x28\x2c\x65\x4a\x77\x95\xa2\x76\x31\xf9\x5d\x88\x5d\xf4\xc0\xbc\xeb\x07\x12\xbf\xdd\xc0\x58\xdc\xbf\x32\x83\xa8\xb9\x66\x64\xdf\x54\x83\x40\x46\x6b\xd7\x17\x32\x9e\x6d\x54\x25\xcb\xd8\xf9\xe6\x44\x2e\xc4\x67\x13\x81\xb8\x01\x7e\x04\xba\xf1\x66\xd7\xb1\x4d\xdb\x51\x6a\x62\x4a\xc5\xc7\x65\x87\xa0\x0c\x65\x02\xa9\x40\x1c\xee\xc4\x82\x69\xc4\xeb\xf6\x70\xbd\x1c\xaf\x46\x13\xbc\xe8\x6e\x29\x7f\x9d\xd0\x02\x24\x08\xaf\x5c\x7a\x7e\x9c\xa4\xa1\xa2\xc7\xea\x50\x6d\xcc\xd7\xf8\x40\xeb\x4d\xe4\xdd\x3c\x73\x40\x06\xcb\x85\xe9\xa0\x53\x9f\x98\x8a\xb4\x5f\x59\x3d\x1d\x96\x06\x12\x2a\x2f\x10\x6e\x9f\x84\xf5\x2f\xf9\x17\x97\x07\x61\x03\xd0\x42\x58\x68\x46\xff\x73\x05\xc2\x73\xfe\x8e\xaf\x05\x3f\x6f\x2c\x7f\xd4\xf1\x18\x13\x4a\x8c\x82\x4b\xbb\x27\xe3\x19\x1a\x8b\x19\x25\x55\xc6\x61\x49\x08\xba\x54\x36\xa6\x73\x83\x0c\x27\xa6\x31\x69\xd3\xc6\x9d\x3f\x7e\x05\x2a\x6b\x6d\xe6\xfd\x2a\x54\x45\x72\xcb\xce\x67\xf6\x7a\x3b\x37\x83\xf4\xc8\xdb\x22\x71\xa4\xa1\x3c\x03\x55\xa9\x2c\x6b\x03\x6e\x5e\xf0\x6f\x53\x32\x3d\xb1\x43\x2b\xd5\xb
e\xd2\x60\x15\x44\x38\x7d\xfe\xa3\xf5\xed\x9b\x25\x2f\xc9\xa2\x04\x11\x99\x94\x23\x94\x4f\xdc\x2d\x16\x3f\x66\xba\x18\x26\xc7\xbd\x6d\xa8\xe8\x95\xef\xb1\x9b\x4f\xe0\xf2\x03\x81\x42\xd7\x66\x5f\xaf\xaf\x97\x9c\x56\x35\x29\x40\xb5\x5c\xae\xf5\xf8\xf8\x81\xdb\x23\x06\x0d\xdd\x71\xf9\x9f\xca\xb6\xbf\xe4\x12\xbe\xb2\xa1\x7d\x10\x6f\xa4\x50\x91\x4a\xa7\x92\x0c\xb2\x12\x67\xe1\x6c\xb4\x94\x36\x05\x60\x98\x36\x14\x9f\x19\x70\xd5\xca\x6f\x31\x10\x14\xd5\xb6\x91\xc1\x45\xba\x81\xb4\xff\x94\xc7\x2f\xe1\x50\xea\x49\xe5\x60\x70\xcf\xf3\x4a\xbe\xe3\x70\x61\xe8\x71\xae\xcf\x5d\xcf\x9f\x91\xb5\x2a\x36\xeb\x99\x3c\x67\x89\xf0\x21\xbe\x51\x70\x89\x2c\xa8\x0d\x1c\x2a\xd5\xbb\xce\x3c\xe4\x06\xcf\xb4\x12\xbd\x66\xfd\x64\x42\xd7\x0e\xbe\x18\xcd\xcc\x29\x58\xc5\x09\x34\x1f\x05\x10", 8192); *(uint64_t*)0x200000004700 = 0x200000002700; *(uint32_t*)0x200000002700 = 0x50; *(uint32_t*)0x200000002704 = 0xfffffff5; *(uint64_t*)0x200000002708 = 6; *(uint32_t*)0x200000002710 = 7; *(uint32_t*)0x200000002714 = 0x2d; *(uint32_t*)0x200000002718 = 2; *(uint32_t*)0x20000000271c = 0x400000c; *(uint16_t*)0x200000002720 = 7; *(uint16_t*)0x200000002722 = 0x6b; *(uint32_t*)0x200000002724 = 0x80; *(uint32_t*)0x200000002728 = 3; *(uint16_t*)0x20000000272c = 0; *(uint16_t*)0x20000000272e = 0; *(uint32_t*)0x200000002730 = 1; *(uint32_t*)0x200000002734 = 4; memset((void*)0x200000002738, 0, 24); *(uint64_t*)0x200000004708 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x18; *(uint32_t*)0x200000002784 = 0xfffffffe; *(uint64_t*)0x200000002788 = 4; *(uint64_t*)0x200000002790 = 5; *(uint64_t*)0x200000004710 = 0x2000000027c0; *(uint32_t*)0x2000000027c0 = 0x18; *(uint32_t*)0x2000000027c4 = 0; *(uint64_t*)0x2000000027c8 = 8; *(uint64_t*)0x2000000027d0 = 0x101; *(uint64_t*)0x200000004718 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0xfffffffe; *(uint64_t*)0x200000002808 = 4; *(uint32_t*)0x200000002810 = 0x50bf; *(uint32_t*)0x200000002814 = 0; *(uint64_t*)0x200000004720 = 
0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 3; *(uint32_t*)0x200000002850 = 0xffff; *(uint32_t*)0x200000002854 = 0; *(uint64_t*)0x200000004728 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x28; *(uint32_t*)0x200000002884 = 0; *(uint64_t*)0x200000002888 = 6; *(uint64_t*)0x200000002890 = 0xfffffffffffffff7; *(uint64_t*)0x200000002898 = 0; *(uint32_t*)0x2000000028a0 = 0; *(uint32_t*)0x2000000028a4 = r[4]; *(uint64_t*)0x200000004730 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x60; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 0xa2; *(uint64_t*)0x2000000028d0 = 0xfffffffffffffffb; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0x2867; *(uint64_t*)0x2000000028e8 = 0xd7f; *(uint64_t*)0x2000000028f0 = 2; *(uint32_t*)0x2000000028f8 = 0x28; *(uint32_t*)0x2000000028fc = 0xafb; *(uint32_t*)0x200000002900 = 7; *(uint32_t*)0x200000002904 = 0; memset((void*)0x200000002908, 0, 24); *(uint64_t*)0x200000004738 = 0x200000002940; *(uint32_t*)0x200000002940 = 0x18; *(uint32_t*)0x200000002944 = 0; *(uint64_t*)0x200000002948 = 0; *(uint32_t*)0x200000002950 = 0xb; *(uint32_t*)0x200000002954 = 0; *(uint64_t*)0x200000004740 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x13; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0x80000000; memcpy((void*)0x200000002990, "&,\000", 3); *(uint64_t*)0x200000004748 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x20; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0x41f; *(uint64_t*)0x2000000029d0 = 0; *(uint32_t*)0x2000000029d8 = 0; *(uint32_t*)0x2000000029dc = 0; *(uint64_t*)0x200000004750 = 0x200000002b80; *(uint32_t*)0x200000002b80 = 0x78; *(uint32_t*)0x200000002b84 = 0xfffffff5; *(uint64_t*)0x200000002b88 = 5; *(uint64_t*)0x200000002b90 = 0; *(uint32_t*)0x200000002b98 = 0x30; *(uint32_t*)0x200000002b9c = 0; *(uint64_t*)0x200000002ba0 = 0; *(uint64_t*)0x200000002ba8 = 0; *(uint64_t*)0x200000002bb0 = 0x9cb; 
*(uint64_t*)0x200000002bb8 = 6; *(uint64_t*)0x200000002bc0 = 0x45ff; *(uint64_t*)0x200000002bc8 = 8; *(uint32_t*)0x200000002bd0 = 0x7fffffff; *(uint32_t*)0x200000002bd4 = -1; *(uint32_t*)0x200000002bd8 = 2; *(uint32_t*)0x200000002bdc = 0x8000; *(uint32_t*)0x200000002be0 = 0xffff0001; *(uint32_t*)0x200000002be4 = r[10]; *(uint32_t*)0x200000002be8 = r[11]; *(uint32_t*)0x200000002bec = 0xb; *(uint32_t*)0x200000002bf0 = 7; *(uint32_t*)0x200000002bf4 = 0; *(uint64_t*)0x200000004758 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x90; *(uint32_t*)0x200000002c44 = 0xffffffda; *(uint64_t*)0x200000002c48 = 0xfffffffffffffc00; *(uint64_t*)0x200000002c50 = 3; *(uint64_t*)0x200000002c58 = 0; *(uint64_t*)0x200000002c60 = 6; *(uint64_t*)0x200000002c68 = 4; *(uint32_t*)0x200000002c70 = 7; *(uint32_t*)0x200000002c74 = 6; *(uint64_t*)0x200000002c78 = 6; *(uint64_t*)0x200000002c80 = 0x5d; *(uint64_t*)0x200000002c88 = 8; *(uint64_t*)0x200000002c90 = 0; *(uint64_t*)0x200000002c98 = 0xfffffffffffffffc; *(uint64_t*)0x200000002ca0 = 1; *(uint32_t*)0x200000002ca8 = 3; *(uint32_t*)0x200000002cac = 8; *(uint32_t*)0x200000002cb0 = 8; *(uint32_t*)0x200000002cb4 = 0xa000; *(uint32_t*)0x200000002cb8 = 2; *(uint32_t*)0x200000002cbc = 0xee01; *(uint32_t*)0x200000002cc0 = r[12]; *(uint32_t*)0x200000002cc4 = 6; *(uint32_t*)0x200000002cc8 = 7; *(uint32_t*)0x200000002ccc = 0; *(uint64_t*)0x200000004760 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0xc8; *(uint32_t*)0x200000002d04 = 0xfffffffe; *(uint64_t*)0x200000002d08 = 1; *(uint64_t*)0x200000002d10 = 6; *(uint64_t*)0x200000002d18 = 5; *(uint32_t*)0x200000002d20 = 5; *(uint32_t*)0x200000002d24 = -1; memset((void*)0x200000002d28, 170, 5); *(uint64_t*)0x200000002d30 = 2; *(uint64_t*)0x200000002d38 = -1; *(uint32_t*)0x200000002d40 = 6; *(uint32_t*)0x200000002d44 = 7; memset((void*)0x200000002d48, 255, 6); *(uint64_t*)0x200000002d50 = 5; *(uint64_t*)0x200000002d58 = 5; *(uint32_t*)0x200000002d60 = 6; *(uint32_t*)0x200000002d64 = 0xc828; 
memset((void*)0x200000002d68, 2, 6); *(uint64_t*)0x200000002d70 = 3; *(uint64_t*)0x200000002d78 = 0xa; *(uint32_t*)0x200000002d80 = 0x1f; *(uint32_t*)0x200000002d84 = 2; memcpy((void*)0x200000002d88, "bpf_lsm_kernel_create_files_as\000", 31); *(uint64_t*)0x200000002da8 = 5; *(uint64_t*)0x200000002db0 = 0x100; *(uint32_t*)0x200000002db8 = 5; *(uint32_t*)0x200000002dbc = 9; memset((void*)0x200000002dc0, 170, 5); *(uint64_t*)0x200000004768 = 0x2000000040c0; *(uint32_t*)0x2000000040c0 = 0xb0; *(uint32_t*)0x2000000040c4 = 0; *(uint64_t*)0x2000000040c8 = 0xffffffffffff51c6; *(uint64_t*)0x2000000040d0 = 0; *(uint64_t*)0x2000000040d8 = 1; *(uint64_t*)0x2000000040e0 = 0x7fffffff; *(uint64_t*)0x2000000040e8 = 4; *(uint32_t*)0x2000000040f0 = 0x80; *(uint32_t*)0x2000000040f4 = 0xe; *(uint64_t*)0x2000000040f8 = 5; *(uint64_t*)0x200000004100 = 6; *(uint64_t*)0x200000004108 = 9; *(uint64_t*)0x200000004110 = 0; *(uint64_t*)0x200000004118 = 0x80; *(uint64_t*)0x200000004120 = 3; *(uint32_t*)0x200000004128 = 7; *(uint32_t*)0x20000000412c = 0xffffff01; *(uint32_t*)0x200000004130 = 5; *(uint32_t*)0x200000004134 = 0x6000; *(uint32_t*)0x200000004138 = 5; *(uint32_t*)0x20000000413c = r[13]; *(uint32_t*)0x200000004140 = r[14]; *(uint32_t*)0x200000004144 = 9; *(uint32_t*)0x200000004148 = 4; *(uint32_t*)0x20000000414c = 0; *(uint64_t*)0x200000004150 = 1; *(uint64_t*)0x200000004158 = 0x7fffffff; *(uint32_t*)0x200000004160 = 6; *(uint32_t*)0x200000004164 = 7; memset((void*)0x200000004168, 2, 6); *(uint64_t*)0x200000004770 = 0x200000004340; *(uint32_t*)0x200000004340 = 0xa0; *(uint32_t*)0x200000004344 = 0xfffffffe; *(uint64_t*)0x200000004348 = 0x4f4; *(uint64_t*)0x200000004350 = 0; *(uint64_t*)0x200000004358 = 3; *(uint64_t*)0x200000004360 = 0x58be8e49; *(uint64_t*)0x200000004368 = 0x88; *(uint32_t*)0x200000004370 = 0x80; *(uint32_t*)0x200000004374 = 2; *(uint64_t*)0x200000004378 = 0; *(uint64_t*)0x200000004380 = 7; *(uint64_t*)0x200000004388 = 0x8000000000000000; *(uint64_t*)0x200000004390 = 
6; *(uint64_t*)0x200000004398 = 2; *(uint64_t*)0x2000000043a0 = 0; *(uint32_t*)0x2000000043a8 = 0x81; *(uint32_t*)0x2000000043ac = 0xb; *(uint32_t*)0x2000000043b0 = 0xfff; *(uint32_t*)0x2000000043b4 = 0x8000; *(uint32_t*)0x2000000043b8 = 0xc093; *(uint32_t*)0x2000000043bc = r[15]; *(uint32_t*)0x2000000043c0 = 0; *(uint32_t*)0x2000000043c4 = -1; *(uint32_t*)0x2000000043c8 = 0x9e9; *(uint32_t*)0x2000000043cc = 0; *(uint64_t*)0x2000000043d0 = 0; *(uint32_t*)0x2000000043d8 = 4; *(uint32_t*)0x2000000043dc = 0; *(uint64_t*)0x200000004778 = 0x200000004400; *(uint32_t*)0x200000004400 = 0x20; *(uint32_t*)0x200000004404 = 0xfffffffe; *(uint64_t*)0x200000004408 = 4; *(uint32_t*)0x200000004410 = 0x1000; *(uint32_t*)0x200000004414 = 4; *(uint32_t*)0x200000004418 = 7; *(uint32_t*)0x20000000441c = 3; *(uint64_t*)0x200000004780 = 0x2000000045c0; *(uint32_t*)0x2000000045c0 = 0x130; *(uint32_t*)0x2000000045c4 = 0; *(uint64_t*)0x2000000045c8 = 6; *(uint64_t*)0x2000000045d0 = 7; *(uint32_t*)0x2000000045d8 = 0xf; *(uint32_t*)0x2000000045dc = 0; memset((void*)0x2000000045e0, 0, 16); *(uint32_t*)0x2000000045f0 = 4; *(uint32_t*)0x2000000045f4 = 0xfffffffb; *(uint64_t*)0x2000000045f8 = 0xc3f; *(uint32_t*)0x200000004600 = 0xc6; *(uint32_t*)0x200000004604 = r[17]; *(uint32_t*)0x200000004608 = 0xee01; *(uint16_t*)0x20000000460c = 0x1000; memset((void*)0x20000000460e, 0, 2); *(uint64_t*)0x200000004610 = 0xc42b; *(uint64_t*)0x200000004618 = 0xfffffffffffffffb; *(uint64_t*)0x200000004620 = 8; *(uint64_t*)0x200000004628 = 0xfffffffffffff3f4; *(uint64_t*)0x200000004630 = 7; *(uint32_t*)0x200000004638 = 9; *(uint32_t*)0x20000000463c = 0; *(uint64_t*)0x200000004640 = 0x893b; *(uint32_t*)0x200000004648 = 0xc160; *(uint32_t*)0x20000000464c = 0; *(uint64_t*)0x200000004650 = 3; *(uint32_t*)0x200000004658 = 0x6a48; *(uint32_t*)0x20000000465c = 0; *(uint64_t*)0x200000004660 = 0x40; *(uint32_t*)0x200000004668 = 6; *(uint32_t*)0x20000000466c = 0; *(uint32_t*)0x200000004670 = 5; *(uint32_t*)0x200000004674 = 
0; *(uint32_t*)0x200000004678 = 9; *(uint32_t*)0x20000000467c = 3; memset((void*)0x200000004680, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x200000000700, /*len=*/0x2000, /*res=*/0x200000004700); break; case 26: res = syscall(__NR_pidfd_getfd, /*pidfd=*/r[6], /*fd=*/r[9], /*flags=*/0ul); if (res != -1) r[19] = res; break; case 27: memcpy((void*)0x2000000047c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000047c0, /*fd=*/r[19]); break; case 28: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 29: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/0); if (res != -1) r[20] = res; break; case 30: *(uint32_t*)0x200000004804 = 0x87d1; *(uint32_t*)0x200000004808 = 0x200; *(uint32_t*)0x20000000480c = 3; *(uint32_t*)0x200000004810 = 0x92; *(uint32_t*)0x200000004818 = r[19]; memset((void*)0x20000000481c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x70d3, /*params=*/0x200000004800, /*ring_ptr=*/0x200000004880, /*sqes_ptr=*/0x2000000048c0); if (res != -1) { r[21] = *(uint64_t*)0x200000004880; r[22] = *(uint64_t*)0x2000000048c0; } break; case 31: *(uint8_t*)0x200000004980 = 0x1c; *(uint8_t*)0x200000004981 = 0x40; *(uint16_t*)0x200000004982 = 0; *(uint32_t*)0x200000004984 = r[20]; *(uint64_t*)0x200000004988 = 0x200000004900; *(uint64_t*)0x200000004900 = 0x8000; *(uint64_t*)0x200000004908 = 0x190; *(uint64_t*)0x200000004910 = 0x10; *(uint64_t*)0x200000004990 = 0x200000004940; memcpy((void*)0x200000004940, "./file0\000", 8); *(uint32_t*)0x200000004998 = 0x18; *(uint32_t*)0x20000000499c = 0; *(uint64_t*)0x2000000049a0 = 0x23456; *(uint16_t*)0x2000000049a8 = 0; *(uint16_t*)0x2000000049aa = 0; memset((void*)0x2000000049ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[21], /*sqes_ptr=*/r[22], /*sqe=*/0x200000004980); break; case 32: memcpy((void*)0x2000000049c0, "*(z,\000", 5); memcpy((void*)0x200000004ac0, 
"\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x7e\xf6\xbf\x4c\x19\xc0\x4a\xa5\x7c\x4c\x2f\xf9\x2e\xe1\x46\x0e\xbf\x0e\x57\x59\x5c\xc3\x55\xaa\x22\x67\x95\x47\xef\x84\x49\x9e\xf9\x9d\x9b\xdd\x69\x1a\x9a\x0e\xe1\x9f\xba\x5f\xee\x97\xd9\xa9\x2b\xb7\xae\x3d\x75\x4a\x98\x45\x6c\xdb\xfd\x27\xda\x20\xf9\x77\xf4\xbf\x46\x30\xc3\xca\x42\x1a\x6a\xcf\x8d\x9f\x81\xd2\x93\xd3\xa0\xb0\x23\x27\xe4\x06\x32\x3e\x77\x3c\x64\xb8\x65\xc2\xc7\xa1\x02\x36\xfb\xbb\xb9\xc9\xea\xc5\xd1\x4f\x18\x75\x2a\x03\x89\xa5\x81\x59\x64\x04\x1b\x84\x4f\x71\x45\x5e\xa1\x2d\xdc\x9d\xcf\xb6\xe9\x00\xa3\x66\x57\x58\xcb\xa3\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 192); syz_kfuzztest_run(/*name=*/0x2000000049c0, /*data=*/0x200000004a00, /*len=*/0xc0, /*buf=*/0x200000004ac0); break; case 33: *(uint64_t*)0x200000014f40 = 0; *(uint64_t*)0x200000014f48 = 0x200000014ac0; *(uint64_t*)0x200000014ac0 = 0x17d; *(uint64_t*)0x200000014ac8 = 0x20; *(uint64_t*)0x200000014ad0 = 0x25000; *(uint64_t*)0x200000014ad8 = 0x5591; *(uint64_t*)0x200000014ae0 = 0x64; *(uint64_t*)0x200000014ae8 = 0x18; *(uint32_t*)0x200000014af0 = 8; *(uint32_t*)0x200000014af4 = 0x57; *(uint64_t*)0x200000014af8 = 0x12d; *(uint64_t*)0x200000014b00 = 0x18; *(uint64_t*)0x200000014b08 = 3; *(uint64_t*)0x200000014b10 = 0x64; *(uint64_t*)0x200000014b18 = 0x18; *(uint32_t*)0x200000014b20 = 0; *(uint32_t*)0x200000014b24 = 2; *(uint64_t*)0x200000014b28 = 0x69; *(uint64_t*)0x200000014b30 = 0x20; *(uint64_t*)0x200000014b38 = 0xc003; *(uint64_t*)0x200000014b40 = 1; *(uint64_t*)0x200000014b48 = 0x64; *(uint64_t*)0x200000014b50 = 0x18; *(uint32_t*)0x200000014b58 = 0x10; *(uint32_t*)0x200000014b5c = 0xc; *(uint64_t*)0x200000014b60 = 0x12d; *(uint64_t*)0x200000014b68 = 0x18; *(uint64_t*)0x200000014b70 = 0; *(uint64_t*)0x200000014b78 = 0x12e; *(uint64_t*)0x200000014b80 = 0x7e; *(uint64_t*)0x200000014b88 = 1; 
memcpy((void*)0x200000014b90, "\x36\x2e\x36\x3e\x66\x43\x0f\x57\xa9\x00\x98\x00\x00\x66\xba\xf8\x0c\xb8\x28\x8f\xc6\x86\xef\x66\xba\xfc\x0c\xed\xb9\x71\x03\x00\x00\xb8\xc7\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\x42\x0f\x01\xc8\x66\xb8\x78\x00\x0f\x00\xd0\x40\x0f\x01\xc5\x66\xba\x43\x00\x66\xed\x40\x1d\x03\x00\x00\x00\xc7\x44\x24\x00\x00\x00\x00\x00\xc7\x44\x24\x02\x49\x3a\x56\x64\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x32", 102); *(uint64_t*)0x200000014bf6 = 0x64; *(uint64_t*)0x200000014bfe = 0x18; *(uint32_t*)0x200000014c06 = 0xf; *(uint32_t*)0x200000014c0a = 4; *(uint64_t*)0x200000014c0e = 0x12e; *(uint64_t*)0x200000014c16 = 0x60; *(uint64_t*)0x200000014c1e = 0; memcpy((void*)0x200000014c26, "\xc4\x21\xf8\x10\x7a\xf0\x0f\xe7\x64\x9a\x4f\x47\xfb\x0f\x01\xca\x46\x0f\x08\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x80\x00\x00\x0f\x30\x0f\x01\xcb\x40\x0f\x01\xcb\xc7\x44\x24\x00\x8d\x00\x00\x00\xc7\x44\x24\x02\x07\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x52\x4b\x00", 72); *(uint64_t*)0x200000014c6e = 0; *(uint64_t*)0x200000014c76 = 0x18; *(uint64_t*)0x200000014c7e = 2; *(uint64_t*)0x200000014c86 = 0x12d; *(uint64_t*)0x200000014c8e = 0x18; *(uint64_t*)0x200000014c96 = 3; *(uint64_t*)0x200000014c9e = 0x17f; *(uint64_t*)0x200000014ca6 = 0x10; *(uint64_t*)0x200000014cae = 0; *(uint64_t*)0x200000014cb6 = 0x18; *(uint64_t*)0x200000014cbe = 4; *(uint64_t*)0x200000014cc6 = 0x12f; *(uint64_t*)0x200000014cce = 0x18; *(uint64_t*)0x200000014cd6 = 2; *(uint64_t*)0x200000014cde = 0x12e; *(uint64_t*)0x200000014ce6 = 0x56; *(uint64_t*)0x200000014cee = 3; memcpy((void*)0x200000014cf6, "\x0f\x01\xdf\x0f\xa8\x66\xba\xf8\x0c\xb8\x82\xca\xa9\x8f\xef\x66\xba\xfc\x0c\x66\xed\x67\x0f\x01\xca\x0f\xfd\xca\x46\x0f\x01\xb3\x90\x4e\x00\x00\x66\xba\x20\x00\x66\xb8\xb7\xea\x66\xef\x0f\x01\x32\xc4\xe1\x61\xeb\x58\x00\xb9\x81\x05\x00\x00\x0f\x32", 62); *(uint64_t*)0x200000014d34 = 0x180; *(uint64_t*)0x200000014d3c = 0x38; *(uint64_t*)0x200000014d44 = 1; 
*(uint64_t*)0x200000014d4c = 0x17; *(uint64_t*)0x200000014d54 = 4; *(uint64_t*)0x200000014d5c = 4; *(uint64_t*)0x200000014d64 = 0; *(uint64_t*)0x200000014d6c = 0x183; *(uint64_t*)0x200000014d74 = 0x18; *(uint64_t*)0x200000014d7c = 3; *(uint64_t*)0x200000014d84 = 0x65; *(uint64_t*)0x200000014d8c = 0x20; *(uint64_t*)0x200000014d94 = 0x32c; *(uint64_t*)0x200000014d9c = 0x10; *(uint64_t*)0x200000014da4 = 0x68; *(uint64_t*)0x200000014dac = 0x20; *(uint64_t*)0x200000014db4 = 7; *(uint64_t*)0x200000014dbc = 2; *(uint64_t*)0x200000014dc4 = 0xa; *(uint64_t*)0x200000014dcc = 0x56; memcpy((void*)0x200000014dd4, "\xf3\x41\xaf\x66\xb8\x3e\x00\x8e\xd0\xc4\xe1\x35\x73\xfa\xe7\x66\x0f\x74\xa6\x00\x00\x00\x00\x47\xdb\xc1\x45\x0f\x08\x66\x41\x0f\x38\x82\x94\x1f\x0e\x58\x39\xba\x47\x0f\x79\x55\x00\xc4\x01\x56\x51\xaf\x41\x04\x00\x00\x66\xba\xf8\x0c\xb8\xe2\x7f\xf4\x8d\xef\x66\xba\xfc\x0c\xec", 69); *(uint8_t*)0x200000014e19 = 0xc3; *(uint64_t*)0x200000014e1a = 0x12d; *(uint64_t*)0x200000014e22 = 0x18; *(uint64_t*)0x200000014e2a = 3; *(uint64_t*)0x200000014e32 = 0x12c; *(uint64_t*)0x200000014e3a = 0x18; *(uint64_t*)0x200000014e42 = 0; *(uint64_t*)0x200000014e4a = 0x12e; *(uint64_t*)0x200000014e52 = 0x6f; *(uint64_t*)0x200000014e5a = 3; memcpy((void*)0x200000014e62, "\xf3\x41\x0f\x22\x17\x66\xba\xf8\x0c\xb8\x61\x8e\xa1\x84\xef\x66\xba\xfc\x0c\xb0\x00\xee\x36\x64\x0f\x21\x39\xc4\x62\x41\x40\x32\x66\xba\x43\x00\x66\xb8\x0b\x00\x66\xef\x66\xba\x43\x00\xec\x40\x0f\x23\x38\x3e\x0f\xc7\x32\xc7\x44\x24\x00\xac\x00\x00\x00\xc7\x44\x24\x02\x90\x7c\x03\xe6\xff\x2c\x24\xb8\x05\x00\x00\x00\xb9\x97\x00\x00\x00\x0f\x01\xd9", 87); *(uint64_t*)0x200000014eb9 = 0x69; *(uint64_t*)0x200000014ec1 = 0x20; *(uint64_t*)0x200000014ec9 = 0xc3e5; *(uint64_t*)0x200000014ed1 = 2; *(uint64_t*)0x200000014ed9 = 0xc8; *(uint64_t*)0x200000014ee1 = 0x20; *(uint64_t*)0x200000014ee9 = 0xa1; *(uint64_t*)0x200000014ef1 = 2; *(uint64_t*)0x200000014ef9 = 0x65; *(uint64_t*)0x200000014f01 = 0x20; *(uint64_t*)0x200000014f09 = 
0x12f; *(uint64_t*)0x200000014f11 = 2; *(uint64_t*)0x200000014f19 = 0x12c; *(uint64_t*)0x200000014f21 = 0x18; *(uint64_t*)0x200000014f29 = 0; *(uint64_t*)0x200000014f50 = 0x471; res = -1; res = syz_kvm_add_vcpu(/*vm=*/0, /*text=*/0x200000014f40); if (res != -1) r[23] = res; break; case 34: res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0ul, /*prot=PROT_GROWSDOWN|PROT_SEM*/0x1000008ul, /*flags=MAP_PRIVATE*/2ul, /*cpufd=*/r[23], /*offset=*/0ul); if (res != -1) r[24] = res; break; case 35: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[24], /*exitcode=*/2); break; case 36: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[20], /*run=*/r[24], /*exitcode=*/0x10); break; case 37: *(uint64_t*)0x200000015140 = 0; *(uint64_t*)0x200000015148 = 0x200000014f80; memcpy((void*)0x200000014f80, "\x04\xea\xa0\xef\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x01\x63\x60\x14\xc2\x80\x3c\xd1\xc0\x84\x60\x04\x00\x84\x78\x83\x0a\x84\x64\xbe\x01\x84\x60\x27\x3b\xa0\x3c\x00\x3c\xa5\x60\x04\x00\xa5\x78\x27\x72\xa5\x64\x9d\x4f\xa5\x60\x7c\x62\xc0\x3c\xdf\xa5\xc6\x60\x04\x00\xc6\x78\x78\x11\xc6\x64\x30\xb5\xc6\x60\xf2\xd6\xe0\x3c\xac\xca\xe7\x60\x04\x00\xe7\x78\x51\x98\xe7\x64\xfb\x3b\xe7\x60\x02\x00\x00\x44\x00\x00\xe0\x3f\x00\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x48\xff\x63\x60\x7b\xff\x1b\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xfc\xf4\x63\x60\x76\x09\x80\x3c\x6c\xdf\x84\x60\x04\x00\x84\x78\x7c\xb5\x84\x64\x5d\x85\x84\x60\xf3\xc8\xa0\x3c\x84\x98\xa5\x60\x04\x00\xa5\x78\xa1\x6b\xa5\x64\x7c\x44\xa5\x60\x02\x00\x00\x44\x00\x00\x20\x3e\x00\x00\x31\x62\x04\x00\x31\x7a\x00\x00\x31\x66\x98\x00\x31\x62\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\xe5\x13\x5a\x63\xaa\xfe\xf9\x7d\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x00\x80\x84\x60\xdc\x39\x00\x7c\x00\x00\x40\x3d\x00\x00\x4a\x61\x04\x00\x4a\x79\x00\x00\x4a\x65\x71\x99\x4a\x61\xa7\x5f\xc0\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x
64\x08\xef\x63\x60\x09\xc6\x80\x3c\x1c\x64\x84\x60\x04\x00\x84\x78\xb4\xf7\x84\x64\x66\xcc\x84\x60\x03\x80\xa0\x3c\x45\x8f\xa5\x60\x04\x00\xa5\x78\xcf\x35\xa5\x64\x75\x97\xa5\x60\xae\x5a\xc0\x3c\x19\x31\xc6\x60\x04\x00\xc6\x78\xa9\x6d\xc6\x64\x6f\x30\xc6\x60\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x12\x00\x00\x60\x24\x01\x00\x7c\x00\x00\xe0\x3f\x01\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x00\xff\x63\xa7\xff\xa0\x7e", 420); *(uint64_t*)0x200000015150 = 0x1a4; *(uint64_t*)0x200000015180 = 1; *(uint64_t*)0x200000015188 = 1; syz_kvm_setup_cpu(/*fd=*/r[20], /*cpufd=*/r[5], /*usermem=*/0x200000fe8000, /*text=*/0x200000015140, /*ntext=*/1, /*flags=*/0, /*opts=*/0x200000015180, /*nopt=*/1); break; case 38: syz_kvm_setup_syzos_vm(/*fd=*/r[5], /*usermem=*/0x200000c00000); break; case 39: *(uint32_t*)0x2000000151c0 = 1; syz_memcpy_off(/*ring_ptr=*/r[21], /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x2000000151c0, /*src_off=*/0, /*nbytes=*/4); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0xb704, /*arg=*/0x200000015280ul); if (res != -1) r[25] = *(uint32_t*)0x200000015280; break; case 41: memcpy((void*)0x200000015200, "adfs\000", 5); memcpy((void*)0x200000015240, "./file0\000", 8); memcpy((void*)0x2000000152c0, "gid", 3); *(uint8_t*)0x2000000152c3 = 0x3d; sprintf((char*)0x2000000152c4, "0x%016llx", (long long)r[16]); *(uint8_t*)0x2000000152d6 = 0x2c; memcpy((void*)0x2000000152d7, "uid", 3); *(uint8_t*)0x2000000152da = 0x3d; sprintf((char*)0x2000000152db, "0x%016llx", (long long)r[17]); *(uint8_t*)0x2000000152ed = 0x2c; memcpy((void*)0x2000000152ee, "uid", 3); *(uint8_t*)0x2000000152f1 = 0x3d; sprintf((char*)0x2000000152f2, "0x%016llx", (long long)r[13]); *(uint8_t*)0x200000015304 = 0x2c; memcpy((void*)0x200000015305, "othmask", 7); *(uint8_t*)0x20000001530c = 0x3d; sprintf((char*)0x20000001530d, "%023llo", (long long)7); *(uint8_t*)0x200000015324 = 0x2c; memcpy((void*)0x200000015325, "ftsuffix", 8); 
*(uint8_t*)0x20000001532d = 0x3d; sprintf((char*)0x20000001532e, "%020llu", (long long)0x100); *(uint8_t*)0x200000015342 = 0x2c; memcpy((void*)0x200000015343, "othmask", 7); *(uint8_t*)0x20000001534a = 0x3d; sprintf((char*)0x20000001534b, "%023llo", (long long)8); *(uint8_t*)0x200000015362 = 0x2c; memcpy((void*)0x200000015363, "fowner<", 7); sprintf((char*)0x20000001536a, "%020llu", (long long)r[25]); *(uint8_t*)0x20000001537e = 0x2c; memcpy((void*)0x20000001537f, "func", 4); *(uint8_t*)0x200000015383 = 0x3d; memcpy((void*)0x200000015384, "FIRMWARE_CHECK", 14); *(uint8_t*)0x200000015392 = 0x2c; memcpy((void*)0x200000015393, "smackfsdef", 10); *(uint8_t*)0x20000001539d = 0x3d; memset((void*)0x20000001539e, 0, 1); *(uint8_t*)0x20000001539f = 0x2c; memcpy((void*)0x2000000153a0, "hash", 4); *(uint8_t*)0x2000000153a4 = 0x2c; *(uint8_t*)0x2000000153a5 = 0; memcpy((void*)0x2000000153c0, "\x78\x9c\x6a\x9b\xe0\xf0\xd7\x80\xc9\x48\xed\x7f\x7b\xc9\xbd\xed\xdf\xf6\x00\x02\x00\x00\xff\xff\x38\xa7\x08\x1f", 28); syz_mount_image(/*fs=*/0x200000015200, /*dir=*/0x200000015240, /*flags=MS_PRIVATE|MS_NODIRATIME|MS_NODEV|MS_DIRSYNC*/0x40884, /*opts=*/0x2000000152c0, /*chdir=*/0, /*size=*/0x1c, /*img=*/0x2000000153c0); break; case 42: memcpy((void*)0x200000015400, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000015400, /*id=*/0xe, /*flags=__O_TMPFILE|O_TRUNC|O_NOFOLLOW*/0x420200); break; case 43: memcpy((void*)0x200000015440, "net/mcfilter6\000", 14); syz_open_procfs(/*pid=*/r[18], /*file=*/0x200000015440); break; case 44: syz_open_pts(/*fd=*/-1, /*flags=*/0); break; case 45: syz_pidfd_open(/*pid=*/r[8], /*flags=*/0); break; case 46: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[26] = res; break; case 47: syz_pkey_set(/*key=*/r[26], /*val=PKEY_DISABLE_WRITE*/2); break; case 48: memcpy((void*)0x200000015480, 
"\x78\x9c\x00\x43\x00\xbc\xff\x1a\xa5\x3b\x2d\x97\x22\x56\x58\x64\x62\x48\x11\x35\x5b\x94\xa0\xd2\xd7\x8d\x09\xd2\x09\x51\xdf\x3c\x2c\x1a\x49\x88\xca\x48\xd4\x52\x61\xcc\x47\x3e\x4f\x65\xf6\x76\xe4\xe9\xb3\x8c\xde\x4a\xab\xa0\x5c\x20\xea\x6f\x37\xa5\x29\x42\x97\xe2\xc2\xa7\x6d\x7e\x55\x2d\xca\xd8\x01\x00\x00\xff\xff\xd6\x63\x1f\xa5", 83); syz_read_part_table(/*size=*/0x53, /*img=*/0x200000015480); break; case 49: syz_socket_connect_nvme_tcp(); break; case 50: *(uint8_t*)0x200000015500 = 0x12; *(uint8_t*)0x200000015501 = 1; *(uint16_t*)0x200000015502 = 0x310; *(uint8_t*)0x200000015504 = 0x99; *(uint8_t*)0x200000015505 = 0x45; *(uint8_t*)0x200000015506 = 0xdf; *(uint8_t*)0x200000015507 = -1; *(uint16_t*)0x200000015508 = 0x19d2; *(uint16_t*)0x20000001550a = 0xfff8; *(uint16_t*)0x20000001550c = 0xcd35; *(uint8_t*)0x20000001550e = 1; *(uint8_t*)0x20000001550f = 2; *(uint8_t*)0x200000015510 = 3; *(uint8_t*)0x200000015511 = 1; *(uint8_t*)0x200000015512 = 9; *(uint8_t*)0x200000015513 = 2; *(uint16_t*)0x200000015514 = 0xd8d; *(uint8_t*)0x200000015516 = 4; *(uint8_t*)0x200000015517 = 0xc; *(uint8_t*)0x200000015518 = 0xd4; *(uint8_t*)0x200000015519 = 0xb0; *(uint8_t*)0x20000001551a = 8; *(uint8_t*)0x20000001551b = 9; *(uint8_t*)0x20000001551c = 4; *(uint8_t*)0x20000001551d = 5; *(uint8_t*)0x20000001551e = 0xe; *(uint8_t*)0x20000001551f = 6; *(uint8_t*)0x200000015520 = -1; *(uint8_t*)0x200000015521 = -1; *(uint8_t*)0x200000015522 = -1; *(uint8_t*)0x200000015523 = 5; *(uint8_t*)0x200000015524 = 0xa; *(uint8_t*)0x200000015525 = 0x24; *(uint8_t*)0x200000015526 = 2; *(uint8_t*)0x200000015527 = 2; *(uint16_t*)0x200000015528 = 0x82; *(uint16_t*)0x20000001552a = 0x97; *(uint8_t*)0x20000001552c = 9; *(uint8_t*)0x20000001552d = 9; *(uint8_t*)0x20000001552e = 7; *(uint8_t*)0x20000001552f = 0x24; *(uint8_t*)0x200000015530 = 1; *(uint8_t*)0x200000015531 = 0x91; *(uint8_t*)0x200000015532 = 0x10; *(uint16_t*)0x200000015533 = 1; *(uint8_t*)0x200000015535 = 0xa; *(uint8_t*)0x200000015536 = 
0x24; *(uint8_t*)0x200000015537 = 2; *(uint8_t*)0x200000015538 = 2; *(uint16_t*)0x200000015539 = 0x64; *(uint16_t*)0x20000001553b = 5; *(uint8_t*)0x20000001553d = 5; *(uint8_t*)0x20000001553e = 9; *(uint8_t*)0x20000001553f = 0xa; *(uint8_t*)0x200000015540 = 0x24; *(uint8_t*)0x200000015541 = 2; *(uint8_t*)0x200000015542 = 2; *(uint16_t*)0x200000015543 = 9; *(uint16_t*)0x200000015545 = 1; *(uint8_t*)0x200000015547 = 1; *(uint8_t*)0x200000015548 = 0x18; *(uint8_t*)0x200000015549 = 0xa; *(uint8_t*)0x20000001554a = 0x24; *(uint8_t*)0x20000001554b = 2; *(uint8_t*)0x20000001554c = 2; *(uint16_t*)0x20000001554d = 5; *(uint16_t*)0x20000001554f = 0x100; *(uint8_t*)0x200000015551 = 0; *(uint8_t*)0x200000015552 = 0x1f; *(uint8_t*)0x200000015553 = 0xa; *(uint8_t*)0x200000015554 = 0x24; *(uint8_t*)0x200000015555 = 2; *(uint8_t*)0x200000015556 = 2; *(uint16_t*)0x200000015557 = 0x200; *(uint16_t*)0x200000015559 = 2; *(uint8_t*)0x20000001555b = 6; *(uint8_t*)0x20000001555c = 6; *(uint8_t*)0x20000001555d = 9; *(uint8_t*)0x20000001555e = 0x24; *(uint8_t*)0x20000001555f = 2; *(uint8_t*)0x200000015560 = 1; *(uint8_t*)0x200000015561 = 0; *(uint8_t*)0x200000015562 = 9; *(uint8_t*)0x200000015563 = 4; *(uint8_t*)0x200000015564 = 1; *(uint8_t*)0x200000015565 = 0xdc; *(uint8_t*)0x200000015566 = 0xb; *(uint8_t*)0x200000015567 = 0x24; *(uint8_t*)0x200000015568 = 2; *(uint8_t*)0x200000015569 = 2; *(uint16_t*)0x20000001556a = 5; *(uint16_t*)0x20000001556c = 9; *(uint8_t*)0x20000001556e = 6; memcpy((void*)0x20000001556f, "\x42\xe9", 2); *(uint8_t*)0x200000015571 = 0x12; *(uint8_t*)0x200000015572 = 0x24; *(uint8_t*)0x200000015573 = 2; *(uint8_t*)0x200000015574 = 2; *(uint16_t*)0x200000015575 = 2; *(uint16_t*)0x200000015577 = 0xaecb; *(uint8_t*)0x200000015579 = 0; memcpy((void*)0x20000001557a, "\xe0\xff\x89\xcc\x39\xb2\x42\xb2\xb0", 9); *(uint8_t*)0x200000015583 = 7; *(uint8_t*)0x200000015584 = 0x24; *(uint8_t*)0x200000015585 = 1; *(uint8_t*)0x200000015586 = 0xc; *(uint8_t*)0x200000015587 = 2; 
*(uint16_t*)0x200000015588 = 2; *(uint8_t*)0x20000001558a = 9; *(uint8_t*)0x20000001558b = 5; *(uint8_t*)0x20000001558c = 1; *(uint8_t*)0x20000001558d = 0x1d; *(uint16_t*)0x20000001558e = 0x20; *(uint8_t*)0x200000015590 = 5; *(uint8_t*)0x200000015591 = 9; *(uint8_t*)0x200000015592 = 0xf; *(uint8_t*)0x200000015593 = 9; *(uint8_t*)0x200000015594 = 5; *(uint8_t*)0x200000015595 = 4; *(uint8_t*)0x200000015596 = 0x10; *(uint16_t*)0x200000015597 = 0x10; *(uint8_t*)0x200000015599 = 5; *(uint8_t*)0x20000001559a = 7; *(uint8_t*)0x20000001559b = 1; *(uint8_t*)0x20000001559c = 0x49; *(uint8_t*)0x20000001559d = 1; memcpy((void*)0x20000001559e, "\xbe\xdb\xdc\x40\xb6\x57\x91\x5a\xee\xa3\x6b\xef\xa7\x43\xbb\xf4\x76\xbb\xcc\x3a\x55\x77\x74\x37\xfd\x0c\x08\x62\xa5\x59\x1f\x0b\x80\x91\x62\x6c\x65\x64\xa6\x2b\x69\x95\xd0\xb1\xac\x34\x99\x5d\x44\x2d\xe5\x0d\x21\xf3\x0d\xa0\x8f\x64\xd3\xbb\x0e\x86\x08\x6e\x62\x96\x82\x16\xd8\xcb\xfe", 71); *(uint8_t*)0x2000000155e5 = 0xc; *(uint8_t*)0x2000000155e6 = 0xe; memcpy((void*)0x2000000155e7, "\x1c\xca\x42\xd0\xd4\xc1\x24\x78\xdb\xc7", 10); *(uint8_t*)0x2000000155f1 = 9; *(uint8_t*)0x2000000155f2 = 5; *(uint8_t*)0x2000000155f3 = 0xc; *(uint8_t*)0x2000000155f4 = 0xd; *(uint16_t*)0x2000000155f5 = 0x10; *(uint8_t*)0x2000000155f7 = 4; *(uint8_t*)0x2000000155f8 = 0xef; *(uint8_t*)0x2000000155f9 = 0xd; *(uint8_t*)0x2000000155fa = 9; *(uint8_t*)0x2000000155fb = 5; *(uint8_t*)0x2000000155fc = 0; *(uint8_t*)0x2000000155fd = 2; *(uint16_t*)0x2000000155fe = 0x40; *(uint8_t*)0x200000015600 = 1; *(uint8_t*)0x200000015601 = 0x92; *(uint8_t*)0x200000015602 = 1; *(uint8_t*)0x200000015603 = 7; *(uint8_t*)0x200000015604 = 0x25; *(uint8_t*)0x200000015605 = 1; *(uint8_t*)0x200000015606 = 8; *(uint8_t*)0x200000015607 = 0xf; *(uint16_t*)0x200000015608 = 9; *(uint8_t*)0x20000001560a = 0x9c; *(uint8_t*)0x20000001560b = 0x24; memcpy((void*)0x20000001560c, 
"\x94\x62\xe7\x8d\x67\xa7\x93\x83\x09\xf8\x93\x38\x8b\x58\x5f\x99\xed\x3c\xae\x5a\xeb\x24\x1e\x37\xea\xcc\x73\xfb\x04\x0b\x91\x7d\x69\x75\x87\xfd\x88\x85\xdc\xc8\x92\xbf\xee\x22\x87\x19\x88\xc7\x01\x88\xe9\xe8\x45\x46\xa7\x96\xe5\x6e\xa4\x83\x70\xdf\xca\x68\x9a\xaa\x0f\xfd\x08\x41\xc7\xe2\x8c\xbc\xec\xbc\x3b\xee\xb2\x54\xd9\x02\x49\x8d\xde\x37\x3f\x5e\x92\x09\x32\xac\xdf\x32\x22\xa5\x61\x17\x4a\x85\xce\x36\xd5\xf5\xc7\x09\x82\x9a\x04\x29\xf4\x8d\xe3\x26\x62\x11\xe3\x53\x22\x35\xca\xcb\x3a\x64\xff\xf3\xe3\x01\x82\xcd\x02\x7e\xa6\x60\xbc\xe2\x4c\xc1\x97\xbf\x35\x8f\x77\x95\x3c\x96\x4d\xe4\x53\x04\x16\x90\x7f\xa1", 154); *(uint8_t*)0x2000000156a6 = 9; *(uint8_t*)0x2000000156a7 = 5; *(uint8_t*)0x2000000156a8 = 6; *(uint8_t*)0x2000000156a9 = 0; *(uint16_t*)0x2000000156aa = 0x400; *(uint8_t*)0x2000000156ac = 4; *(uint8_t*)0x2000000156ad = 0; *(uint8_t*)0x2000000156ae = 6; *(uint8_t*)0x2000000156af = 9; *(uint8_t*)0x2000000156b0 = 5; *(uint8_t*)0x2000000156b1 = 0x1f; *(uint8_t*)0x2000000156b2 = 0xc; *(uint16_t*)0x2000000156b3 = 0x20; *(uint8_t*)0x2000000156b5 = 8; *(uint8_t*)0x2000000156b6 = 0x80; *(uint8_t*)0x2000000156b7 = 4; *(uint8_t*)0x2000000156b8 = 7; *(uint8_t*)0x2000000156b9 = 0x25; *(uint8_t*)0x2000000156ba = 1; *(uint8_t*)0x2000000156bb = 4; *(uint8_t*)0x2000000156bc = 0x40; *(uint16_t*)0x2000000156bd = 0xfff; *(uint8_t*)0x2000000156bf = 0x4a; *(uint8_t*)0x2000000156c0 = 9; memcpy((void*)0x2000000156c1, "\x13\xdf\x6f\x0c\x72\x3d\x23\x38\x80\xc0\x86\x9f\x46\xc9\x39\x9e\x14\x8e\xf0\xd9\x87\x29\x76\x35\xb6\xbf\x6f\x36\x9c\xbf\x8f\x07\xb3\x4b\x93\x76\xff\x57\xdc\xbd\xf2\x74\x65\xeb\x51\x53\xfb\x8d\xd7\xca\x2f\xab\x27\x37\xdd\x51\x5e\xde\xf1\xc9\x66\x91\x5e\x06\x76\xdb\x83\x1f\x2b\x91\x8d\x82", 72); *(uint8_t*)0x200000015709 = 9; *(uint8_t*)0x20000001570a = 4; *(uint8_t*)0x20000001570b = 0xe4; *(uint8_t*)0x20000001570c = 0xb; *(uint8_t*)0x20000001570d = 0xd; *(uint8_t*)0x20000001570e = -1; *(uint8_t*)0x20000001570f = 0xde; *(uint8_t*)0x200000015710 = 0x55; 
*(uint8_t*)0x200000015711 = 3; *(uint8_t*)0x200000015712 = 0xa; *(uint8_t*)0x200000015713 = 0x24; *(uint8_t*)0x200000015714 = 1; *(uint16_t*)0x200000015715 = 3; *(uint16_t*)0x200000015717 = 0xa; *(uint8_t*)0x200000015719 = 2; *(uint8_t*)0x20000001571a = 1; *(uint8_t*)0x20000001571b = 2; *(uint8_t*)0x20000001571c = 9; *(uint8_t*)0x20000001571d = 5; *(uint8_t*)0x20000001571e = 1; *(uint8_t*)0x20000001571f = 3; *(uint16_t*)0x200000015720 = 0x20; *(uint8_t*)0x200000015722 = 1; *(uint8_t*)0x200000015723 = 0x66; *(uint8_t*)0x200000015724 = 7; *(uint8_t*)0x200000015725 = 0x8c; *(uint8_t*)0x200000015726 = 0x23; memcpy((void*)0x200000015727, "\xc3\x44\xbd\x7f\x69\x0e\x11\x22\xd6\x52\x4c\xcd\x02\x57\xc1\x18\x5e\x61\xc3\xab\x3c\xcb\x36\x6e\xf9\x03\x7a\x58\x03\x54\x18\x72\x8d\x9a\xab\x96\x71\x7e\x22\x0d\x72\x20\xfb\x96\x4b\x7e\x92\x8d\x75\xef\x45\x85\x91\x31\x15\x90\x97\xfa\x85\xb2\xd2\x4e\xeb\x7f\xc5\x90\xe0\x48\xeb\x1b\xa8\x30\xac\x34\x3b\xfd\x9a\x3c\x32\xdf\xc9\x3f\xad\xcb\x90\xf9\x3a\x63\xc7\x37\x83\x4f\x5e\x2d\x4e\x73\x68\xe0\x2e\xc5\xf2\x10\x6b\xef\x93\x5e\x5e\x74\xc3\xe7\xd2\xd3\xd1\x6e\xbf\xfa\x13\xa8\x29\x49\x9d\xa4\x42\xf0\x17\x26\xd0\x7a\x33\x8f\xeb\x61\x2c\x3b\x6e\x51\x93\xb8", 138); *(uint8_t*)0x2000000157b1 = 9; *(uint8_t*)0x2000000157b2 = 5; *(uint8_t*)0x2000000157b3 = 1; *(uint8_t*)0x2000000157b4 = 0xc; *(uint16_t*)0x2000000157b5 = 0x10; *(uint8_t*)0x2000000157b7 = 6; *(uint8_t*)0x2000000157b8 = 0x73; *(uint8_t*)0x2000000157b9 = 2; *(uint8_t*)0x2000000157ba = 9; *(uint8_t*)0x2000000157bb = 5; *(uint8_t*)0x2000000157bc = 0xe; *(uint8_t*)0x2000000157bd = 1; *(uint16_t*)0x2000000157be = 0x40; *(uint8_t*)0x2000000157c0 = 0; *(uint8_t*)0x2000000157c1 = 0; *(uint8_t*)0x2000000157c2 = 0xe; *(uint8_t*)0x2000000157c3 = 7; *(uint8_t*)0x2000000157c4 = 0x25; *(uint8_t*)0x2000000157c5 = 1; *(uint8_t*)0x2000000157c6 = 8; *(uint8_t*)0x2000000157c7 = 8; *(uint16_t*)0x2000000157c8 = 0x9df1; *(uint8_t*)0x2000000157ca = 7; *(uint8_t*)0x2000000157cb = 0x25; 
*(uint8_t*)0x2000000157cc = 1; *(uint8_t*)0x2000000157cd = 4; *(uint8_t*)0x2000000157ce = 3; *(uint16_t*)0x2000000157cf = 0x84; *(uint8_t*)0x2000000157d1 = 9; *(uint8_t*)0x2000000157d2 = 5; *(uint8_t*)0x2000000157d3 = 7; *(uint8_t*)0x2000000157d4 = 0x10; *(uint16_t*)0x2000000157d5 = 8; *(uint8_t*)0x2000000157d7 = 0xd; *(uint8_t*)0x2000000157d8 = 6; *(uint8_t*)0x2000000157d9 = 6; *(uint8_t*)0x2000000157da = 0x9c; *(uint8_t*)0x2000000157db = 0x11; memcpy((void*)0x2000000157dc, "\x61\xc2\xc5\x81\xbc\xf0\xdc\x3a\x09\xec\x54\x65\xd8\xb3\x95\x93\xb5\x1c\xb5\x68\xad\x67\xbf\x21\x9f\x28\xa6\x37\xf8\xb8\xf3\xaa\xe7\xb6\xcf\x31\x06\x9d\xa5\x51\xc5\xd9\x0a\x29\x7a\xb0\xcf\xed\xa5\x43\xa0\xf7\x62\xc8\x18\x5b\xab\xc4\x3a\x4c\x9b\xb3\xb0\x95\xc0\xee\x13\x96\xf8\xb1\xfd\x62\x19\xb3\x16\x13\xb7\x56\x0d\x30\x9f\x17\x3c\x80\x67\x3f\xb0\x85\x29\xfc\x8f\x17\x52\x91\xf9\x98\x56\xaf\x19\x8c\xf4\x7a\x32\xc7\x6d\xf6\xbe\x44\x94\x93\xe5\xa6\x6e\xb4\x66\x4b\x84\x22\x6c\xa1\xe2\xc8\xf2\x02\x9a\xde\x7d\x75\x31\x6b\x10\x4a\x34\x80\xfb\xf7\xd4\x50\x9d\x74\x8c\x36\xf6\x59\xf8\xf5\x27\x43\xfd\x07\x7f\xc7\xdf\x42", 154); *(uint8_t*)0x200000015876 = 0x4e; *(uint8_t*)0x200000015877 = 4; memcpy((void*)0x200000015878, "\x57\xfa\xd1\x47\xfa\x12\xcd\x27\x89\x6e\x4e\x92\xba\x1a\xd4\x05\x8c\x8d\x43\xec\x21\x50\xd8\x73\x2f\xc5\xae\x10\x5a\x17\x4e\xd8\x39\x42\xdc\xb7\x9a\x05\xb1\x0f\xd4\x95\x7d\xbc\x1a\xc0\x27\xa2\xdf\x57\x28\xb2\xb2\xbb\x9b\x5b\xc5\x1f\x9a\x8c\x88\xe9\xfa\x85\x11\x38\xc7\xcd\xd7\x62\x66\x41\x91\x1c\xbe\x0c", 76); *(uint8_t*)0x2000000158c4 = 9; *(uint8_t*)0x2000000158c5 = 5; *(uint8_t*)0x2000000158c6 = 0; *(uint8_t*)0x2000000158c7 = 0xc; *(uint16_t*)0x2000000158c8 = 8; *(uint8_t*)0x2000000158ca = 8; *(uint8_t*)0x2000000158cb = 0x20; *(uint8_t*)0x2000000158cc = 0xc; *(uint8_t*)0x2000000158cd = 7; *(uint8_t*)0x2000000158ce = 0x25; *(uint8_t*)0x2000000158cf = 1; *(uint8_t*)0x2000000158d0 = 4; *(uint8_t*)0x2000000158d1 = 6; *(uint16_t*)0x2000000158d2 = 0x101; *(uint8_t*)0x2000000158d4 = 7; 
*(uint8_t*)0x2000000158d5 = 0x25; *(uint8_t*)0x2000000158d6 = 1; *(uint8_t*)0x2000000158d7 = 8; *(uint8_t*)0x2000000158d8 = 0xfd; *(uint16_t*)0x2000000158d9 = 2; *(uint8_t*)0x2000000158db = 9; *(uint8_t*)0x2000000158dc = 5; *(uint8_t*)0x2000000158dd = 0xb; *(uint8_t*)0x2000000158de = 0xc; *(uint16_t*)0x2000000158df = 0x10; *(uint8_t*)0x2000000158e1 = 0xf0; *(uint8_t*)0x2000000158e2 = 3; *(uint8_t*)0x2000000158e3 = 9; *(uint8_t*)0x2000000158e4 = 9; *(uint8_t*)0x2000000158e5 = 5; *(uint8_t*)0x2000000158e6 = 2; *(uint8_t*)0x2000000158e7 = 2; *(uint16_t*)0x2000000158e8 = 0x7b7; *(uint8_t*)0x2000000158ea = 9; *(uint8_t*)0x2000000158eb = 2; *(uint8_t*)0x2000000158ec = 0x78; *(uint8_t*)0x2000000158ed = 7; *(uint8_t*)0x2000000158ee = 0x25; *(uint8_t*)0x2000000158ef = 1; *(uint8_t*)0x2000000158f0 = 4; *(uint8_t*)0x2000000158f1 = 2; *(uint16_t*)0x2000000158f2 = 0x6e8; *(uint8_t*)0x2000000158f4 = 9; *(uint8_t*)0x2000000158f5 = 5; *(uint8_t*)0x2000000158f6 = 0xe; *(uint8_t*)0x2000000158f7 = 0; *(uint16_t*)0x2000000158f8 = 8; *(uint8_t*)0x2000000158fa = 0xb6; *(uint8_t*)0x2000000158fb = 0x47; *(uint8_t*)0x2000000158fc = 1; *(uint8_t*)0x2000000158fd = 0xea; *(uint8_t*)0x2000000158fe = 0xd; memcpy((void*)0x2000000158ff, 
"\xd7\xee\xf8\xad\xff\x59\x3f\xef\x60\x12\x57\xeb\x29\xf1\x12\x3c\x0f\x04\xcf\x50\xd2\xf0\x65\xa5\x2a\xb8\x35\xd4\x04\x54\xac\x46\xb6\x63\x87\x38\xe9\x75\x3c\x66\x06\x2b\x76\xd4\x57\xd6\xb3\x63\xf7\xb7\x63\x4f\xea\xac\x71\x9c\x3e\x90\x0c\xce\xb8\xd9\x69\x21\x0b\x57\x3a\x62\xd4\x51\x64\x98\xd5\x98\xa6\x1e\x6f\xa5\xbb\xd0\xfd\x38\x6f\x9f\x1d\x7a\xfe\xf4\xdd\xbe\x39\x49\x5d\x6e\x55\x5d\x24\x55\x5b\xf1\xbf\xfe\x21\xfc\x47\x2a\xb2\xa8\xd5\xd0\xf8\xa6\x11\xab\x5a\x46\xae\x9b\x23\xbb\x6a\x6b\x36\x39\x46\xda\xfb\xb2\xe7\x41\xd3\x4f\xe4\x56\xf5\x81\x63\x32\xd7\x2d\x43\x5f\xbd\x1f\xae\x47\x63\x32\x5d\xac\x58\xc2\xde\x0a\x67\x27\x7e\x2d\x74\xfe\xf5\xd8\xba\x6d\xe1\x7c\x31\xd5\xc7\xfb\x01\xa1\x3d\x3b\xf0\x0c\x31\x13\x41\x6b\x72\xb3\xe2\xe0\xb8\x0b\x4a\xb9\xcd\xa7\x7d\x2d\xe3\xed\x36\x8f\xab\x48\x41\xfd\x62\xac\xf6\x6e\x43\x21\x21\xb5\xf5\xd7\xc8\xc0\x36\x66\x0d\x7a\x35\x10\x33\x15\x5e\x3e\xef\x2f\xf2\x0f\x2a\xed\x82\x41\xd1\x76", 232); *(uint8_t*)0x2000000159e7 = 9; *(uint8_t*)0x2000000159e8 = 5; *(uint8_t*)0x2000000159e9 = 0xe; *(uint8_t*)0x2000000159ea = 3; *(uint16_t*)0x2000000159eb = 0x200; *(uint8_t*)0x2000000159ed = -1; *(uint8_t*)0x2000000159ee = 0x62; *(uint8_t*)0x2000000159ef = 5; *(uint8_t*)0x2000000159f0 = 0x55; *(uint8_t*)0x2000000159f1 = 0x23; memcpy((void*)0x2000000159f2, "\xd5\x22\xb5\x6c\x6d\xde\x6a\x69\x8a\x23\xe1\x0e\x4f\xc0\x79\x8f\x87\xc9\x46\xfa\x28\x48\xc7\x17\xa9\xa3\x31\x38\xfd\xb3\x47\x57\x93\xc1\xb4\xd1\x72\x2b\x3b\xcc\x36\x38\x4d\x25\x89\xa2\x7e\x5f\x22\xb2\x89\x72\x7e\x23\xf0\x39\xff\xdf\x2a\xb2\x5d\xa6\x2c\x09\x2e\xd0\x1c\xb1\x51\xb0\xad\x8b\xa7\x75\x8c\x32\xab\xd0\x7f\x79\x51\x4e\xba", 83); *(uint8_t*)0x200000015a45 = 0x96; *(uint8_t*)0x200000015a46 = 8; memcpy((void*)0x200000015a47, 
"\x70\xf4\xe5\xb8\x33\x74\xf7\xb0\xde\x44\xec\x45\x10\x5a\xc3\x14\x02\x14\x0e\x17\x62\x14\x64\x1e\x37\x97\xba\x0a\xea\x40\x13\xe3\xe7\xc2\x87\x1f\x78\x52\x8a\x25\x6a\x22\x49\xdc\xad\x68\x4f\xd5\x77\xa4\x28\xa1\x4f\x44\x6c\xe9\xd7\xde\x49\x36\x4a\xa1\x63\xc6\x8d\xd1\xe4\xe2\x0c\x0a\xa9\x8a\x26\x35\x47\xf0\x7d\xae\x9c\x3e\x45\xff\xec\x5b\xdc\xcf\xb9\x0b\x1a\xd9\x05\x4d\xa6\x28\x66\x62\x6b\xfb\xc3\x94\xa1\xe9\xae\xc6\xb3\x00\x42\x0a\x61\x67\xe6\xe6\xef\x43\x96\xdf\xfb\x6b\xfc\x18\xd3\xb2\x53\x77\x89\x27\x04\x23\x86\x75\x35\xf7\x5b\x14\x54\xcc\x3b\x8a\x6a\xef\x5b\x65\xb9\x77\x41\x39\xad\xcf", 148); *(uint8_t*)0x200000015adb = 9; *(uint8_t*)0x200000015adc = 5; *(uint8_t*)0x200000015add = 0xc; *(uint8_t*)0x200000015ade = 0x10; *(uint16_t*)0x200000015adf = 0x20; *(uint8_t*)0x200000015ae1 = 8; *(uint8_t*)0x200000015ae2 = 1; *(uint8_t*)0x200000015ae3 = 8; *(uint8_t*)0x200000015ae4 = 9; *(uint8_t*)0x200000015ae5 = 5; *(uint8_t*)0x200000015ae6 = 0xd; *(uint8_t*)0x200000015ae7 = 0x10; *(uint16_t*)0x200000015ae8 = 0x400; *(uint8_t*)0x200000015aea = 3; *(uint8_t*)0x200000015aeb = 0x6d; *(uint8_t*)0x200000015aec = 7; *(uint8_t*)0x200000015aed = 0x85; *(uint8_t*)0x200000015aee = 0xe; memcpy((void*)0x200000015aef, "\x1a\x54\xb4\xa0\x79\x76\xe1\x6c\xec\x50\x7f\x7c\xfe\x00\xc9\x35\x99\xf9\xfd\xef\xaf\x8b\xf8\x6c\xb9\xae\x60\xf5\xe7\x42\x6c\x78\xb3\xe0\x1c\xc8\xca\xb0\xaa\xf0\x9d\xeb\xba\xcd\x78\x5c\x9d\xe3\xbb\x89\x55\x1d\x0a\x24\x1f\x2d\x65\x83\x0f\x53\x64\x75\x49\x91\xfe\xea\xd8\x7f\xe8\xc8\xb9\x28\xac\x16\x85\x3a\xe9\x59\xea\xc2\x7b\x59\xcc\xc8\x6d\x22\x44\x2c\xa6\x29\xd1\x20\xb1\xa0\x9c\xf1\x41\x84\xa9\xc4\x87\x3f\x74\xae\x74\x82\x01\xf5\xf4\xe6\x49\xe3\x72\x4c\x7d\xdb\x89\xf4\x58\x47\x2b\x28\x5f\x9c\x10\xea\x40\x39\x3f\x30\x60", 131); *(uint8_t*)0x200000015b72 = 9; *(uint8_t*)0x200000015b73 = 5; *(uint8_t*)0x200000015b74 = 9; *(uint8_t*)0x200000015b75 = 0; *(uint16_t*)0x200000015b76 = 8; *(uint8_t*)0x200000015b78 = 0xa; *(uint8_t*)0x200000015b79 = 7; *(uint8_t*)0x200000015b7a = 
2; *(uint8_t*)0x200000015b7b = 7; *(uint8_t*)0x200000015b7c = 0x25; *(uint8_t*)0x200000015b7d = 1; *(uint8_t*)0x200000015b7e = 0; *(uint8_t*)0x200000015b7f = 4; *(uint16_t*)0x200000015b80 = 0x4fb3; *(uint8_t*)0x200000015b82 = 9; *(uint8_t*)0x200000015b83 = 5; *(uint8_t*)0x200000015b84 = 7; *(uint8_t*)0x200000015b85 = 0x10; *(uint16_t*)0x200000015b86 = 0x3ff; *(uint8_t*)0x200000015b88 = 1; *(uint8_t*)0x200000015b89 = 0x88; *(uint8_t*)0x200000015b8a = 6; *(uint8_t*)0x200000015b8b = 9; *(uint8_t*)0x200000015b8c = 4; *(uint8_t*)0x200000015b8d = 0x10; *(uint8_t*)0x200000015b8e = 8; *(uint8_t*)0x200000015b8f = 0x10; *(uint8_t*)0x200000015b90 = -1; *(uint8_t*)0x200000015b91 = 0x5d; *(uint8_t*)0x200000015b92 = 0x81; *(uint8_t*)0x200000015b93 = 3; *(uint8_t*)0x200000015b94 = 0xb7; *(uint8_t*)0x200000015b95 = 0; memcpy((void*)0x200000015b96, "\xbe\xa8\xfd\xb5\x0e\x62\x4b\x76\x3d\xdd\xda\xf5\xed\x85\xd8\x17\x0c\xa8\x58\xcf\x74\xac\x67\x8e\xb5\x4d\x20\x45\xe5\xfb\xb2\x77\x21\x40\xe2\xcf\x18\x95\xcb\x69\x3a\x91\x4f\xfb\x89\x1c\xd2\xc9\x0d\x48\x27\xbc\xd3\x43\x59\xd7\x01\x07\x46\x2e\xad\x88\x9a\x6e\x4e\xd6\x96\x89\x35\xa8\x1a\x14\x7a\xc0\xcc\xc8\x1c\x38\xd6\x2d\x6a\x84\xcf\x50\x45\x52\xec\x37\xd6\x09\xb5\x47\x50\x18\xbd\xa1\x24\xc0\x9e\xa9\xf2\x13\x03\x86\x5f\xe4\x64\xab\xc3\x8c\xd8\x4a\xe4\x2d\xe3\x3e\x46\x91\x12\x7e\x2b\x85\x53\x83\x7d\x58\xcd\xa5\x1f\x11\xa0\x5a\x15\x38\xec\xff\x55\xe9\x0f\x34\xa1\xc5\x66\xc2\x34\xc0\x06\xd0\x0b\x50\xb4\xb2\x9e\x49\xb8\xd0\x90\xf5\xa2\x74\xae\x37\xe0\x3e\x49\x68\x2c\x44\xc2\xb1\xd9\xdb\x62\xf6\x32\x33\xf9\x67\x0c\xb2\xac", 181); *(uint8_t*)0x200000015c4b = 9; *(uint8_t*)0x200000015c4c = 5; *(uint8_t*)0x200000015c4d = 0xc; *(uint8_t*)0x200000015c4e = 0x10; *(uint16_t*)0x200000015c4f = 0x40; *(uint8_t*)0x200000015c51 = 9; *(uint8_t*)0x200000015c52 = 8; *(uint8_t*)0x200000015c53 = 2; *(uint8_t*)0x200000015c54 = 9; *(uint8_t*)0x200000015c55 = 5; *(uint8_t*)0x200000015c56 = 6; *(uint8_t*)0x200000015c57 = 2; *(uint16_t*)0x200000015c58 = 8; 
*(uint8_t*)0x200000015c5a = 3; *(uint8_t*)0x200000015c5b = 0x18; *(uint8_t*)0x200000015c5c = 0x1c; *(uint8_t*)0x200000015c5d = 0xf6; *(uint8_t*)0x200000015c5e = 0xc; memcpy((void*)0x200000015c5f, "\xd7\x72\x97\x11\x23\x6e\xb7\x89\x69\x91\xe6\xff\xe3\xdd\x76\x22\xe9\x6e\x2e\x7d\x17\x60\xab\x64\x52\x47\x2b\xba\xc1\xd0\x68\x61\xd9\xd4\x9e\x41\x00\x60\x6a\x22\x7d\x34\x2c\x61\x75\x94\x5a\xde\x9c\xc3\xf4\x6e\xc4\x62\x7f\x92\xca\xa5\xd7\x32\x27\xfa\xe7\xa3\x60\xd2\x5f\xac\x9e\x57\x44\x07\x3f\x0c\x05\x4c\x9a\x5b\x82\x58\xdd\x27\x9b\x73\x68\x76\x58\x4b\x90\x4d\x94\x3b\x23\xc2\x6d\x9e\x6b\xc2\xdd\x3b\x98\xf3\x62\x44\x15\x8c\x76\x0f\x0b\xf9\x75\x02\x91\x42\xb3\xf5\x8b\xb6\x3e\xc3\x76\xd7\xf5\xd9\x61\x18\x20\xd3\x80\xef\xd7\xde\x61\x63\xac\x8d\xc2\x71\x44\xe2\x1d\x92\xc9\x3f\xfe\xcc\x2d\x8c\x7b\x3b\xc5\xea\xd1\x81\x86\x3c\xd9\x6a\x0a\xbf\x28\x89\xeb\x10\xb6\x87\x91\x3f\xa8\x21\x4b\x89\xde\x11\xf5\x2b\x7d\x19\x36\xad\x9c\x1c\x45\xda\x86\xa1\x5e\x86\xb6\xc9\x06\x02\x91\xd8\x5b\x48\xeb\xc2\x34\x4d\xb8\xad\x8c\xc5\x2f\x79\xd4\xf0\x37\x7a\x89\x3b\x3d\xa6\x1c\xfc\x15\x13\xd2\xba\x95\x36\xd6\x19\x0d\xe8\x86\xa2\xd1\x8f\xf8\xab\x1f\x46\x3f\x15\x47\x1d\x7f\x96\xdc\x92\xd0\xac", 244); *(uint8_t*)0x200000015d53 = 9; *(uint8_t*)0x200000015d54 = 5; *(uint8_t*)0x200000015d55 = 7; *(uint8_t*)0x200000015d56 = 4; *(uint16_t*)0x200000015d57 = 0x20; *(uint8_t*)0x200000015d59 = 9; *(uint8_t*)0x200000015d5a = 2; *(uint8_t*)0x200000015d5b = 0x37; *(uint8_t*)0x200000015d5c = 9; *(uint8_t*)0x200000015d5d = 5; *(uint8_t*)0x200000015d5e = 0xf; *(uint8_t*)0x200000015d5f = 0x12; *(uint16_t*)0x200000015d60 = 8; *(uint8_t*)0x200000015d62 = 0xd; *(uint8_t*)0x200000015d63 = 6; *(uint8_t*)0x200000015d64 = 0xf; *(uint8_t*)0x200000015d65 = 0x40; *(uint8_t*)0x200000015d66 = 5; memcpy((void*)0x200000015d67, 
"\x71\xaf\xb2\x61\x7a\x61\xe7\x55\x29\xdd\xe0\xf3\x2f\xa6\xca\x4b\x85\x7a\x84\xb3\x12\x0b\x93\x61\x68\x64\x2c\x34\x04\x8f\x29\x2f\xc2\x7a\x3a\x8f\x1f\x74\x58\x0c\xdc\x36\xe9\xa4\x0b\x4f\xf6\x92\xf1\x32\x24\xb9\x14\xa8\x9f\xb7\x30\x85\x79\x3a\x5c\x22", 62); *(uint8_t*)0x200000015da5 = 9; *(uint8_t*)0x200000015da6 = 5; *(uint8_t*)0x200000015da7 = 0xd; *(uint8_t*)0x200000015da8 = 0xc; *(uint16_t*)0x200000015da9 = 0xf5f1; *(uint8_t*)0x200000015dab = 4; *(uint8_t*)0x200000015dac = 1; *(uint8_t*)0x200000015dad = 0; *(uint8_t*)0x200000015dae = 0x50; *(uint8_t*)0x200000015daf = 3; memcpy((void*)0x200000015db0, "\x17\xff\xd4\x73\xba\x28\xc3\x60\x59\x1f\x57\x1d\xc6\x0f\x13\x24\xd4\xa3\x4a\xb8\xd9\xd3\xc0\x68\x6c\x13\xa6\x1b\xda\x24\x64\xe1\x63\x54\x23\xeb\xf4\xed\x34\x03\x7b\xab\x62\xfd\x30\xa8\xdd\x0a\x89\xf1\xbc\xbf\xf3\xaf\x4f\x0c\x98\x9d\xdb\x6f\x03\x76\x0a\xe7\x6f\x63\xff\xdc\xbf\xbb\xfe\xe9\xa1\x35\x25\x73\x14\xaa", 78); *(uint8_t*)0x200000015dfe = 9; *(uint8_t*)0x200000015dff = 5; *(uint8_t*)0x200000015e00 = 6; *(uint8_t*)0x200000015e01 = 0; *(uint16_t*)0x200000015e02 = 8; *(uint8_t*)0x200000015e04 = 0x2d; *(uint8_t*)0x200000015e05 = 0x10; *(uint8_t*)0x200000015e06 = 0xba; *(uint8_t*)0x200000015e07 = 9; *(uint8_t*)0x200000015e08 = 5; *(uint8_t*)0x200000015e09 = 0xe; *(uint8_t*)0x200000015e0a = 0; *(uint16_t*)0x200000015e0b = 0x10; *(uint8_t*)0x200000015e0d = 8; *(uint8_t*)0x200000015e0e = 7; *(uint8_t*)0x200000015e0f = 0xac; *(uint8_t*)0x200000015e10 = 9; *(uint8_t*)0x200000015e11 = 5; *(uint8_t*)0x200000015e12 = 0xa; *(uint8_t*)0x200000015e13 = 8; *(uint16_t*)0x200000015e14 = 0x20; *(uint8_t*)0x200000015e16 = 9; *(uint8_t*)0x200000015e17 = 0x7c; *(uint8_t*)0x200000015e18 = 1; *(uint8_t*)0x200000015e19 = 7; *(uint8_t*)0x200000015e1a = 0x25; *(uint8_t*)0x200000015e1b = 1; *(uint8_t*)0x200000015e1c = 8; *(uint8_t*)0x200000015e1d = 9; *(uint16_t*)0x200000015e1e = 4; *(uint8_t*)0x200000015e20 = 9; *(uint8_t*)0x200000015e21 = 5; *(uint8_t*)0x200000015e22 = 0xb; 
*(uint8_t*)0x200000015e23 = 0x10; *(uint16_t*)0x200000015e24 = 0x3ff; *(uint8_t*)0x200000015e26 = 1; *(uint8_t*)0x200000015e27 = 4; *(uint8_t*)0x200000015e28 = 0xbd; *(uint8_t*)0x200000015e29 = 9; *(uint8_t*)0x200000015e2a = 5; *(uint8_t*)0x200000015e2b = 7; *(uint8_t*)0x200000015e2c = 3; *(uint16_t*)0x200000015e2d = 0x20; *(uint8_t*)0x200000015e2f = 6; *(uint8_t*)0x200000015e30 = 0xf; *(uint8_t*)0x200000015e31 = 0xe; *(uint8_t*)0x200000015e32 = 9; *(uint8_t*)0x200000015e33 = 5; *(uint8_t*)0x200000015e34 = 0xd; *(uint8_t*)0x200000015e35 = 0x10; *(uint16_t*)0x200000015e36 = 0x7f7; *(uint8_t*)0x200000015e38 = 4; *(uint8_t*)0x200000015e39 = 0x1c; *(uint8_t*)0x200000015e3a = 1; *(uint8_t*)0x200000015e3b = 9; *(uint8_t*)0x200000015e3c = 5; *(uint8_t*)0x200000015e3d = 0; *(uint8_t*)0x200000015e3e = 0; *(uint16_t*)0x200000015e3f = 0x5f33; *(uint8_t*)0x200000015e41 = 0x40; *(uint8_t*)0x200000015e42 = 6; *(uint8_t*)0x200000015e43 = 0x81; *(uint8_t*)0x200000015e44 = 0x54; *(uint8_t*)0x200000015e45 = 9; memcpy((void*)0x200000015e46, "\x22\xa0\x3d\x11\x7e\xdd\x7f\xf8\x02\xcd\xb5\x09\xb4\x9c\xf0\x7b\x18\x84\xa5\xd0\x6a\x28\x72\xff\xdd\x1f\x6a\x97\x4c\x05\x74\x87\x1d\x68\xb2\xfd\x80\xb9\xdd\xe5\x57\xda\x7e\xec\x4d\x7f\x27\x78\xa5\xc3\xa4\xbb\xef\x51\x9d\x15\x8a\x59\xf1\x52\xfe\x19\xf5\x98\xe4\x33\x60\xf8\xa2\x4a\xa9\x73\xc5\x6f\x46\xc4\xa6\x8a\x27\x3a\x1f\xc4", 82); *(uint8_t*)0x200000015e98 = 9; *(uint8_t*)0x200000015e99 = 5; *(uint8_t*)0x200000015e9a = 0xf; *(uint8_t*)0x200000015e9b = 0x10; *(uint16_t*)0x200000015e9c = 8; *(uint8_t*)0x200000015e9e = 5; *(uint8_t*)0x200000015e9f = 0x38; *(uint8_t*)0x200000015ea0 = 1; *(uint8_t*)0x200000015ea1 = 9; *(uint8_t*)0x200000015ea2 = 5; *(uint8_t*)0x200000015ea3 = 4; *(uint8_t*)0x200000015ea4 = 0x10; *(uint16_t*)0x200000015ea5 = 0x10; *(uint8_t*)0x200000015ea7 = 4; *(uint8_t*)0x200000015ea8 = 2; *(uint8_t*)0x200000015ea9 = 7; *(uint8_t*)0x200000015eaa = 0xda; *(uint8_t*)0x200000015eab = 0x26; memcpy((void*)0x200000015eac, 
"\x32\x16\x2d\x9c\xff\xd7\x54\x8d\xdc\x15\x24\xc6\x65\x1f\xa1\x12\xcb\x83\x99\xeb\x7d\xaa\x74\x6a\xf4\xa3\xf4\x58\x15\x9b\xd8\xa4\x87\xda\xde\x32\x17\xae\x32\x24\x61\x5d\x50\xba\x56\x43\x30\x19\x52\xfd\xd0\x82\xab\x52\xf6\x4e\xb3\x8b\xdd\xcf\x02\xb0\x67\x28\xa3\xbf\x4f\x73\xd3\xb7\x80\xa3\xa5\x80\x4b\xad\x04\xec\xc2\x27\x87\x69\x0f\x67\x25\x76\x74\xf7\x28\xb1\x02\x31\xba\x2d\xb8\x3c\xb4\xeb\x84\x1e\x55\x23\xeb\x43\xf3\x48\x2d\x3e\xc3\x3c\xb8\x18\x7b\x87\xaa\x08\xa2\x1e\x94\xe0\x39\x4a\x1e\xe8\xd8\xf0\xcc\x08\x89\x10\xab\xa4\xdb\xe5\xfe\xef\xc2\x45\x38\x0f\xf1\x44\x3e\x3a\x97\xbd\x4d\x5a\xdd\xd0\x1f\x11\x26\xd4\xb7\x0a\xbc\xbb\xe1\x40\x71\x6a\x1c\x66\xda\xc6\x1f\x66\x51\x4f\xce\xbe\x67\x64\x7b\x43\xbb\xd8\xe8\x48\x33\x3f\xf9\x95\x7e\xba\xac\xe9\xd0\x57\xb6\x27\xa6\x67\xe6\xf5\x1d\xae\xac\x30\x2b\x21\x29\xc2\x6d\x41\x5b\xc9\xa2\xee\x74\x95\xb3\x31\xb7\xda", 216); *(uint8_t*)0x200000015f84 = 7; *(uint8_t*)0x200000015f85 = 0x25; *(uint8_t*)0x200000015f86 = 1; *(uint8_t*)0x200000015f87 = 0; *(uint8_t*)0x200000015f88 = 7; *(uint16_t*)0x200000015f89 = 1; *(uint8_t*)0x200000015f8b = 9; *(uint8_t*)0x200000015f8c = 5; *(uint8_t*)0x200000015f8d = 3; *(uint8_t*)0x200000015f8e = 1; *(uint16_t*)0x200000015f8f = 0x40; *(uint8_t*)0x200000015f91 = 8; *(uint8_t*)0x200000015f92 = 7; *(uint8_t*)0x200000015f93 = 5; *(uint8_t*)0x200000015f94 = 9; *(uint8_t*)0x200000015f95 = 5; *(uint8_t*)0x200000015f96 = 0xb; *(uint8_t*)0x200000015f97 = 0x10; *(uint16_t*)0x200000015f98 = 0x40; *(uint8_t*)0x200000015f9a = 0xfe; *(uint8_t*)0x200000015f9b = 0; *(uint8_t*)0x200000015f9c = 0xd; *(uint8_t*)0x200000015f9d = 0xe1; *(uint8_t*)0x200000015f9e = 0x24; memcpy((void*)0x200000015f9f, 
"\x66\xc9\x68\xf6\x7f\x56\xd0\xab\x89\xd6\x81\x9c\x67\xd1\xd6\xc2\x15\xd2\xf3\xcf\x61\x5b\x37\x02\x8d\xb2\x69\xd9\x36\x08\xcd\xf0\x70\x41\x18\xe0\xdd\xbf\x97\x16\x6c\x27\xaf\xb5\x1a\x13\x2c\xd7\x0f\x0f\xa3\xb7\xad\x5e\xe3\xa4\x41\x02\x7a\x74\x12\x27\x81\xab\x0f\x1c\xe5\xfe\x7b\xd1\x15\x3c\x8f\xfc\xcd\x3e\xf1\x09\x21\x3f\x20\xd2\xba\xfd\x0e\x33\x1a\xbc\x5c\xd1\xfb\x54\x80\x9a\x06\xc8\xfa\x60\xa9\xf0\xfc\x8e\x11\x3f\x31\x8c\x3a\x7f\x7b\xc6\xfa\xbe\x19\x30\x94\xec\x49\x3d\x24\x6c\xbd\x70\x2b\xf0\x19\x79\x6a\x88\x72\xb3\xc4\x02\x34\xd8\xe9\x07\x31\xb2\xdf\xf8\x8a\x1f\x0c\x4f\x17\x86\xa1\x90\xeb\x16\x65\x1e\x3a\xc4\x5e\xdb\x14\xd9\xfb\x89\x86\x44\xbe\xd6\x15\x76\xbd\x7a\x9f\xd9\x0c\x52\x17\x21\x7f\x6b\x9a\xed\x19\xd4\xa2\x2b\xff\x48\x2d\x05\x8e\x60\x3d\x2a\x0c\xdc\x48\xb1\xb2\x71\xb7\x9b\x1e\x25\xd7\xfe\x6b\xb8\x20\x50\x6e\x48\x57\x9a\x78\xaf\x99\xe7\xe9\x42\x9b\xcd\x4b\x07\xbc\x01\x34", 223); *(uint8_t*)0x20000001607e = 0x40; *(uint8_t*)0x20000001607f = 5; memcpy((void*)0x200000016080, "\x8f\x82\xcc\x05\xdf\x67\x73\x41\x41\xe3\x56\xe9\x36\xa6\xe0\xa7\x24\x7a\xc2\x3b\x30\x90\x0c\x5f\xc4\x14\x8a\x14\x99\x0b\x50\x04\x68\x6d\xe6\xca\xce\x04\xad\xe3\x50\xf0\x4a\x3d\x07\x8c\x39\x10\xf7\xdb\xa4\x92\xaf\x85\xda\x64\x94\x32\xe2\x6a\x78\x54", 62); *(uint8_t*)0x2000000160be = 9; *(uint8_t*)0x2000000160bf = 4; *(uint8_t*)0x2000000160c0 = 0x88; *(uint8_t*)0x2000000160c1 = 1; *(uint8_t*)0x2000000160c2 = 8; *(uint8_t*)0x2000000160c3 = 0xeb; *(uint8_t*)0x2000000160c4 = 0x43; *(uint8_t*)0x2000000160c5 = 0x23; *(uint8_t*)0x2000000160c6 = 4; *(uint8_t*)0x2000000160c7 = 9; *(uint8_t*)0x2000000160c8 = 5; *(uint8_t*)0x2000000160c9 = 0xc; *(uint8_t*)0x2000000160ca = 0; *(uint16_t*)0x2000000160cb = 0x40; *(uint8_t*)0x2000000160cd = 8; *(uint8_t*)0x2000000160ce = 8; *(uint8_t*)0x2000000160cf = 5; *(uint8_t*)0x2000000160d0 = 9; *(uint8_t*)0x2000000160d1 = 5; *(uint8_t*)0x2000000160d2 = 0; *(uint8_t*)0x2000000160d3 = 0x10; *(uint16_t*)0x2000000160d4 = 0x20; *(uint8_t*)0x2000000160d6 = 0x9a; 
*(uint8_t*)0x2000000160d7 = 0x5f; *(uint8_t*)0x2000000160d8 = 7; *(uint8_t*)0x2000000160d9 = 7; *(uint8_t*)0x2000000160da = 0x25; *(uint8_t*)0x2000000160db = 1; *(uint8_t*)0x2000000160dc = 0; *(uint8_t*)0x2000000160dd = 0x81; *(uint16_t*)0x2000000160de = 4; *(uint8_t*)0x2000000160e0 = 7; *(uint8_t*)0x2000000160e1 = 0x25; *(uint8_t*)0x2000000160e2 = 1; *(uint8_t*)0x2000000160e3 = 0xc; *(uint8_t*)0x2000000160e4 = 0xf9; *(uint16_t*)0x2000000160e5 = 2; *(uint8_t*)0x2000000160e7 = 9; *(uint8_t*)0x2000000160e8 = 5; *(uint8_t*)0x2000000160e9 = 0xb; *(uint8_t*)0x2000000160ea = 0x10; *(uint16_t*)0x2000000160eb = 0x40; *(uint8_t*)0x2000000160ed = 7; *(uint8_t*)0x2000000160ee = 1; *(uint8_t*)0x2000000160ef = 2; *(uint8_t*)0x2000000160f0 = 7; *(uint8_t*)0x2000000160f1 = 0x25; *(uint8_t*)0x2000000160f2 = 1; *(uint8_t*)0x2000000160f3 = 4; *(uint8_t*)0x2000000160f4 = 6; *(uint16_t*)0x2000000160f5 = 1; *(uint8_t*)0x2000000160f7 = 7; *(uint8_t*)0x2000000160f8 = 0x25; *(uint8_t*)0x2000000160f9 = 1; *(uint8_t*)0x2000000160fa = 0xc; *(uint8_t*)0x2000000160fb = 0xd; *(uint16_t*)0x2000000160fc = 0x103; *(uint8_t*)0x2000000160fe = 9; *(uint8_t*)0x2000000160ff = 5; *(uint8_t*)0x200000016100 = 0xb; *(uint8_t*)0x200000016101 = 0xc; *(uint16_t*)0x200000016102 = 0x3ff; *(uint8_t*)0x200000016104 = 0xa9; *(uint8_t*)0x200000016105 = 1; *(uint8_t*)0x200000016106 = 6; *(uint8_t*)0x200000016107 = 0xfb; *(uint8_t*)0x200000016108 = 0x2c; memcpy((void*)0x200000016109, 
"\xdf\x60\xd2\x33\x06\x38\x67\xe6\x38\xf4\xac\x47\x4e\x68\x5f\xef\x8f\x86\x15\x57\xd0\xa3\x15\x66\xd5\x8b\xde\x1f\x04\xa1\x13\xf6\xcb\x64\xc9\x60\x56\xa8\x16\x85\xa6\xdf\xa2\x97\x8a\x60\xc2\xd9\x4e\x45\x0f\x66\x75\xe3\x8b\x44\xc9\x6b\xfb\xff\x6c\x5f\x37\x46\x60\x93\x46\x49\x74\x83\xdf\xc8\xac\x21\x27\x36\x2c\xdb\xda\xa0\x25\x39\x51\xa1\x82\x27\x21\x83\xf4\x56\xaa\xe2\xbd\x12\xb2\x92\xc6\x09\xe8\xe1\x4b\x4f\x8c\x18\x53\xe0\xd8\x7e\x0c\x31\x79\xc8\xbe\x7b\x07\x30\x72\x1b\xb3\x01\x59\x04\x08\x26\xf0\x93\x51\x0c\xe0\x22\x58\x76\x91\x62\x7b\x23\x6a\x66\x21\x56\x20\x41\x8d\xf3\x34\xd2\x8d\x1d\x14\xf0\xca\x3b\x9f\x4f\xcf\xf0\x6b\xa2\x49\xdd\x19\x50\x81\x98\x50\x3a\x2c\x2c\xd4\xf3\xab\xda\xdb\xd4\xf1\xac\xe4\xe6\x27\xbe\xc9\x72\x99\xa0\x02\x28\xe0\x9c\x06\x4e\x5f\x34\x2e\x00\xd8\xc8\xf2\xd5\xb1\xfb\x56\x48\x5e\x73\x6a\x87\xdc\xfe\x51\x0c\x21\x86\x32\x72\x91\x22\xa4\xeb\x5d\x5b\x5d\x81\xdf\x8b\xe5\x85\x27\x18\x3e\x48\xf7\x60\xb8\x5c\x59\x9f\x88\x13\xf8\x9d\x70\x6a\xf7\xb2\x2f\x77\xd6\x8d\xc1", 249); *(uint8_t*)0x200000016202 = 0x6b; *(uint8_t*)0x200000016203 = 4; memcpy((void*)0x200000016204, "\x07\xec\xe0\x65\x86\xe0\x15\x05\xf1\x26\xe0\xdb\x2e\xd1\xac\x18\xb5\x75\x49\xf0\x80\xd7\x41\xf3\x8b\x0c\xce\xc6\xba\x03\x4d\x09\x64\x29\x40\x56\x19\xd0\x1a\xf4\x35\xc8\x09\x2b\xe0\xe9\xc4\xa9\x3c\x1b\x64\x7e\x7c\x7f\x14\xf0\x5e\xff\xf3\x05\xd2\xb8\x5d\x51\xfe\xdf\xf7\x50\xb8\x7e\x59\x90\xd0\x28\xfd\x33\x86\x45\x02\x9b\xd9\xed\x95\xe0\x03\x05\xac\xce\x8b\x89\x9a\x78\x6d\xbf\x30\x89\x5b\xe0\x31\x48\xa7\xa1\xe3\xbf\x25", 105); *(uint8_t*)0x20000001626d = 9; *(uint8_t*)0x20000001626e = 5; *(uint8_t*)0x20000001626f = 6; *(uint8_t*)0x200000016270 = 8; *(uint16_t*)0x200000016271 = 0x400; *(uint8_t*)0x200000016273 = 3; *(uint8_t*)0x200000016274 = 5; *(uint8_t*)0x200000016275 = -1; *(uint8_t*)0x200000016276 = 9; *(uint8_t*)0x200000016277 = 5; *(uint8_t*)0x200000016278 = 0xa; *(uint8_t*)0x200000016279 = 0x10; *(uint16_t*)0x20000001627a = 0x200; *(uint8_t*)0x20000001627c = 6; 
*(uint8_t*)0x20000001627d = 0x14; *(uint8_t*)0x20000001627e = 6; *(uint8_t*)0x20000001627f = 7; *(uint8_t*)0x200000016280 = 0x25; *(uint8_t*)0x200000016281 = 1; *(uint8_t*)0x200000016282 = 0xc; *(uint8_t*)0x200000016283 = 9; *(uint16_t*)0x200000016284 = 4; *(uint8_t*)0x200000016286 = 9; *(uint8_t*)0x200000016287 = 5; *(uint8_t*)0x200000016288 = 5; *(uint8_t*)0x200000016289 = 8; *(uint16_t*)0x20000001628a = 0x210; *(uint8_t*)0x20000001628c = 0xe8; *(uint8_t*)0x20000001628d = 5; *(uint8_t*)0x20000001628e = 3; *(uint8_t*)0x20000001628f = 9; *(uint8_t*)0x200000016290 = 5; *(uint8_t*)0x200000016291 = 0xa; *(uint8_t*)0x200000016292 = 8; *(uint16_t*)0x200000016293 = 0x10; *(uint8_t*)0x200000016295 = 0x64; *(uint8_t*)0x200000016296 = 8; *(uint8_t*)0x200000016297 = 0xe; *(uint8_t*)0x200000016298 = 7; *(uint8_t*)0x200000016299 = 0x25; *(uint8_t*)0x20000001629a = 1; *(uint8_t*)0x20000001629b = 4; *(uint8_t*)0x20000001629c = 5; *(uint16_t*)0x20000001629d = 2; *(uint32_t*)0x200000016780 = 0xa; *(uint64_t*)0x200000016784 = 0x2000000162c0; *(uint8_t*)0x2000000162c0 = 0xa; *(uint8_t*)0x2000000162c1 = 6; *(uint16_t*)0x2000000162c2 = 0x201; *(uint8_t*)0x2000000162c4 = 3; *(uint8_t*)0x2000000162c5 = 8; *(uint8_t*)0x2000000162c6 = -1; *(uint8_t*)0x2000000162c7 = 0x20; *(uint8_t*)0x2000000162c8 = 0x10; *(uint8_t*)0x2000000162c9 = 0; *(uint32_t*)0x20000001678c = 0x28; *(uint64_t*)0x200000016790 = 0x200000016300; *(uint8_t*)0x200000016300 = 5; *(uint8_t*)0x200000016301 = 0xf; *(uint16_t*)0x200000016302 = 0x28; *(uint8_t*)0x200000016304 = 4; *(uint8_t*)0x200000016305 = 0xb; *(uint8_t*)0x200000016306 = 0x10; *(uint8_t*)0x200000016307 = 1; *(uint8_t*)0x200000016308 = 0xc; *(uint16_t*)0x200000016309 = 1; *(uint8_t*)0x20000001630b = 7; *(uint8_t*)0x20000001630c = 7; *(uint16_t*)0x20000001630d = 6; *(uint8_t*)0x20000001630f = -1; *(uint8_t*)0x200000016310 = 3; *(uint8_t*)0x200000016311 = 0x10; *(uint8_t*)0x200000016312 = 0xb; *(uint8_t*)0x200000016313 = 0xb; *(uint8_t*)0x200000016314 = 0x10; 
*(uint8_t*)0x200000016315 = 1; *(uint8_t*)0x200000016316 = 2; *(uint16_t*)0x200000016317 = 0x61; *(uint8_t*)0x200000016319 = -1; *(uint8_t*)0x20000001631a = 0xf; *(uint16_t*)0x20000001631b = 6; *(uint8_t*)0x20000001631d = 5; *(uint8_t*)0x20000001631e = 0xa; *(uint8_t*)0x20000001631f = 0x10; *(uint8_t*)0x200000016320 = 3; *(uint8_t*)0x200000016321 = 2; *(uint16_t*)0x200000016322 = 1; *(uint8_t*)0x200000016324 = 3; *(uint8_t*)0x200000016325 = 0xb; *(uint16_t*)0x200000016326 = 0x100; *(uint32_t*)0x200000016798 = 7; *(uint32_t*)0x20000001679c = 4; *(uint64_t*)0x2000000167a0 = 0x200000016340; *(uint8_t*)0x200000016340 = 4; *(uint8_t*)0x200000016341 = 3; *(uint16_t*)0x200000016342 = 0x457; *(uint32_t*)0x2000000167a8 = 0xff; *(uint64_t*)0x2000000167ac = 0x200000016380; *(uint8_t*)0x200000016380 = -1; *(uint8_t*)0x200000016381 = 3; memcpy((void*)0x200000016382, "\x85\xa7\x64\xd8\x29\x53\x29\x17\xb6\x64\x7a\x68\xa2\x49\xb2\x52\xf0\x1a\x99\xf8\x87\x67\xa2\xe9\xf1\x3a\xee\xfa\xb3\x9c\xf6\xa4\x05\x49\x7e\x32\x44\x29\x4b\x1b\xd4\x85\xc0\xec\x99\x33\x86\x40\xa5\x08\xfa\xbb\xf1\x1e\x0f\xd6\xa0\x3b\xcc\x9c\xeb\xaf\x83\x03\x7a\xa7\x73\x97\xcb\xdf\x09\x11\xc8\xdf\xb8\x42\xf6\x2f\x94\x76\x6a\xa4\x45\x92\x57\x73\xc4\xf7\xc6\x70\x1b\xe8\xa0\x56\x73\xaf\xe9\x5c\xf1\x9c\x27\x9a\xc6\x2f\xd2\x72\x0e\xd2\xda\xe6\x89\x37\x1c\x51\x51\xbf\x6b\x9e\x77\x27\xf8\xf4\x97\x09\x1c\x3a\xaa\x90\x2f\x81\xe4\x4c\x51\x73\xac\xf2\x21\x52\xfc\xbc\x4d\x72\xa7\x5e\x9a\xb4\xba\xdc\x67\x88\xb2\xfd\xbb\x7e\x34\xb2\x02\xe0\xe7\x1f\xeb\x1c\xc9\xb1\xca\x79\x1e\x92\x37\x4c\xfc\x63\xcc\x7d\xb5\x64\x85\x91\x77\x8b\xfc\x19\x48\xf9\xda\xd9\xb7\xfe\x74\xa5\x88\xdd\xc9\xad\x49\x99\x93\x06\x26\x66\xb3\xe0\xdf\x0a\xca\xa6\x78\x02\xad\x37\xa8\x6f\xcb\x41\x1a\x22\x30\xbd\xd4\x3f\xe8\x61\x0f\x29\xc1\x51\x79\xbf\x42\x9f\x81\x87\x6e\xe9\x0b\x7d\x35\xa2\x26\x3f\x91\xeb\x8d\x3c\x7c\x87\xc4\x66\x00\xb4\x52\x82\xee", 253); *(uint32_t*)0x2000000167b4 = 4; *(uint64_t*)0x2000000167b8 = 0x200000016480; *(uint8_t*)0x200000016480 = 4; 
*(uint8_t*)0x200000016481 = 3; *(uint16_t*)0x200000016482 = 0x8406; *(uint32_t*)0x2000000167c0 = 0x49; *(uint64_t*)0x2000000167c4 = 0x2000000164c0; *(uint8_t*)0x2000000164c0 = 0x49; *(uint8_t*)0x2000000164c1 = 3; memcpy((void*)0x2000000164c2, "\xcb\x9d\x5f\x1c\x5f\xbc\x94\x74\xd5\x9f\xfa\x54\xa9\x2b\xa7\xaf\xf9\x7b\x2f\x65\xab\xf4\x8a\xad\x8e\x2b\x09\xb6\x0a\x5d\xc2\x74\x4b\x25\x0f\xe7\x52\x90\x97\xbf\xbb\x2b\xcf\x99\xd0\x54\x8a\x03\x4f\xb7\xae\xca\xf8\xdd\x80\x84\x95\xbe\x13\x2e\x1b\x8c\x84\xab\xe5\x33\x75\xdc\xf5\x40\xd5", 71); *(uint32_t*)0x2000000167cc = 4; *(uint64_t*)0x2000000167d0 = 0x200000016540; *(uint8_t*)0x200000016540 = 4; *(uint8_t*)0x200000016541 = 3; *(uint16_t*)0x200000016542 = 0x407; *(uint32_t*)0x2000000167d8 = 0x102; *(uint64_t*)0x2000000167dc = 0x200000016580; *(uint8_t*)0x200000016580 = 2; *(uint8_t*)0x200000016581 = 3; memcpy((void*)0x200000016582, "\x04\xdd\xeb\x57\xb5\x07\x2b\x0d\xc9\xdc\x62\x4c\xf2\x79\x2d\xaa\xc5\x35\xb0\x25\x70\xdb\xb7\x01\xe1\xdb\x0e\x6c\x25\xd6\x80\xf0\x7b\x51\x7f\x65\x82\x12\x5b\xaa\x7a\x78\x49\xeb\x0b\x11\x13\x0e\x00\x24\xef\xe8\xa1\xc9\x51\x36\x3b\xf4\x7a\x68\xfb\x5b\xd9\xac\xf1\x85\xae\xa1\x62\x73\x81\xf5\x03\x43\xcb\x4b\xb8\xd7\x17\x51\x31\xf2\xae\x52\xa8\x42\xdb\x75\x39\x04\xd3\x05\x1a\x0a\xb0\x82\x60\x85\x60\xe8\xac\x66\xb8\x7d\xdd\xbb\x9f\xa3\x51\x4a\x31\xe5\x59\x51\x70\xe3\xd2\x1c\x01\x8b\x37\x85\x59\x92\xa2\xa4\xb3\x48\xde\x99\x46\x9b\x63\xf5\x43\x8e\x24\x0e\x23\xcf\xe0\xa2\x6d\x30\xa9\x1d\x95\x36\x91\xd7\x41\xb9\xd5\xd8\x5d\xab\x27\xd4\x0d\xa7\x1f\xc9\xd8\x67\x7b\x0d\xc3\xe1\xd6\x06\x0d\x0d\x98\xa7\x13\x00\xd3\x74\xe7\xbd\x55\x0f\x6a\x57\xb6\xfc\xd4\x44\x31\x3f\x37\x36\x7f\x5b\x55\xc2\x0f\x1a\x2d\x44\x86\x1e\x8a\x1a\x36\xbc\xdc\x76\x9f\xfc\x14\x6b\xb7\x1a\xb5\x84\x6d\xcb\x82\x31\x24\x7f\x16\x36\x48\x3d\xab\xb7\x10\xd0\x74\xfd\x2b\x80\x18\xd4\xc3\x56\xd1\x82\x5b\xb1\x7b\xf9\x63\x27\xe9\x6e\xe8\x67\x58\x32\x43\xe8\x25\x4e", 256); *(uint32_t*)0x2000000167e4 = 0x9e; *(uint64_t*)0x2000000167e8 = 0x2000000166c0; 
*(uint8_t*)0x2000000166c0 = 0x9e; *(uint8_t*)0x2000000166c1 = 3; memcpy((void*)0x2000000166c2, "\xef\x2a\x4e\x82\x9a\x0f\x6c\xdb\x32\xa4\x49\xbb\xa1\xd4\x8f\x5d\xfe\x86\x5e\x51\xf2\x28\x7e\x21\x77\x39\x1a\x43\xf9\xbb\xf1\xca\x78\xd5\x73\xf2\x00\xea\xe4\x0c\x60\xa2\x1d\xdc\x2a\xd4\x82\xdf\x2a\x85\xf2\x75\x59\x81\x5b\xb4\xeb\xca\x56\x05\x30\xb8\x65\x53\x45\x0e\xe3\x8e\xae\xb8\x71\x2f\x6b\x77\xc1\x4d\x47\xf8\x5d\x8b\xbf\x64\x1e\x1d\x9e\x09\xfa\x1e\x2b\xe5\xe9\x2c\x18\x7c\xe5\x6e\xf9\x94\x9a\xe1\xd8\x7c\xfb\xfe\x0e\xa1\xba\x9f\x9b\x2f\xf0\x18\x2d\x4b\x05\xce\x50\x68\x91\xc5\xa3\x47\xee\x33\xcc\xf9\xce\x7d\x86\xd7\xdd\xf2\xbf\x38\x57\x4d\x21\xd9\x65\x4b\xbe\x80\x65\x86\x80\xbe\xf5\x58\x9e\x2d\xb6\x07\x2d\x9f\xd0\xfd", 156); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0xd9f, /*dev=*/0x200000015500, /*conn_descs=*/0x200000016780); if (res != -1) r[27] = res; break; case 51: *(uint8_t*)0x200000016800 = 0x12; *(uint8_t*)0x200000016801 = 1; *(uint16_t*)0x200000016802 = 0x200; *(uint8_t*)0x200000016804 = -1; *(uint8_t*)0x200000016805 = -1; *(uint8_t*)0x200000016806 = -1; *(uint8_t*)0x200000016807 = 0x40; *(uint16_t*)0x200000016808 = 0xcf3; *(uint16_t*)0x20000001680a = 0x9271; *(uint16_t*)0x20000001680c = 0x108; *(uint8_t*)0x20000001680e = 1; *(uint8_t*)0x20000001680f = 2; *(uint8_t*)0x200000016810 = 3; *(uint8_t*)0x200000016811 = 1; *(uint8_t*)0x200000016812 = 9; *(uint8_t*)0x200000016813 = 2; *(uint16_t*)0x200000016814 = 0x48; *(uint8_t*)0x200000016816 = 1; *(uint8_t*)0x200000016817 = 1; *(uint8_t*)0x200000016818 = 0; *(uint8_t*)0x200000016819 = 0x80; *(uint8_t*)0x20000001681a = 0xfa; *(uint8_t*)0x20000001681b = 9; *(uint8_t*)0x20000001681c = 4; *(uint8_t*)0x20000001681d = 0; *(uint8_t*)0x20000001681e = 0; *(uint8_t*)0x20000001681f = 6; *(uint8_t*)0x200000016820 = -1; *(uint8_t*)0x200000016821 = 0; *(uint8_t*)0x200000016822 = 0; *(uint8_t*)0x200000016823 = 0; *(uint8_t*)0x200000016824 = 9; *(uint8_t*)0x200000016825 = 5; *(uint8_t*)0x200000016826 = 
1; *(uint8_t*)0x200000016827 = 2; *(uint16_t*)0x200000016828 = 0x200; *(uint8_t*)0x20000001682a = 0; *(uint8_t*)0x20000001682b = 0; *(uint8_t*)0x20000001682c = 0; *(uint8_t*)0x20000001682d = 9; *(uint8_t*)0x20000001682e = 5; *(uint8_t*)0x20000001682f = 0x82; *(uint8_t*)0x200000016830 = 2; *(uint16_t*)0x200000016831 = 0x200; *(uint8_t*)0x200000016833 = 0; *(uint8_t*)0x200000016834 = 0; *(uint8_t*)0x200000016835 = 0; *(uint8_t*)0x200000016836 = 9; *(uint8_t*)0x200000016837 = 5; *(uint8_t*)0x200000016838 = 0x83; *(uint8_t*)0x200000016839 = 3; *(uint16_t*)0x20000001683a = 0x40; *(uint8_t*)0x20000001683c = 1; *(uint8_t*)0x20000001683d = 0; *(uint8_t*)0x20000001683e = 0; *(uint8_t*)0x20000001683f = 9; *(uint8_t*)0x200000016840 = 5; *(uint8_t*)0x200000016841 = 4; *(uint8_t*)0x200000016842 = 3; *(uint16_t*)0x200000016843 = 0x40; *(uint8_t*)0x200000016845 = 1; *(uint8_t*)0x200000016846 = 0; *(uint8_t*)0x200000016847 = 0; *(uint8_t*)0x200000016848 = 9; *(uint8_t*)0x200000016849 = 5; *(uint8_t*)0x20000001684a = 5; *(uint8_t*)0x20000001684b = 2; *(uint16_t*)0x20000001684c = 0x200; *(uint8_t*)0x20000001684e = 0; *(uint8_t*)0x20000001684f = 0; *(uint8_t*)0x200000016850 = 0; *(uint8_t*)0x200000016851 = 9; *(uint8_t*)0x200000016852 = 5; *(uint8_t*)0x200000016853 = 6; *(uint8_t*)0x200000016854 = 2; *(uint16_t*)0x200000016855 = 0x200; *(uint8_t*)0x200000016857 = 0; *(uint8_t*)0x200000016858 = 0; *(uint8_t*)0x200000016859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000016800, /*conn_descs=*/0); if (res != -1) r[28] = res; break; case 52: *(uint32_t*)0x200000016b40 = 0x2c; *(uint64_t*)0x200000016b44 = 0x200000016880; *(uint8_t*)0x200000016880 = 0x20; *(uint8_t*)0x200000016881 = 0xb; *(uint32_t*)0x200000016882 = 0xc8; *(uint8_t*)0x200000016886 = 0xc8; *(uint8_t*)0x200000016887 = 0x21; memcpy((void*)0x200000016888, 
"\x01\xf4\x8f\xe8\x31\xd8\xd1\x99\x24\x72\x17\x3e\xa8\x19\xa3\xa2\xad\xe9\x61\x21\x34\x13\x54\xe8\x5c\xa1\x98\xec\x1f\xcf\x85\x90\xc9\x39\xf7\x27\xaa\x0e\x85\x85\x6b\x35\x7c\x23\xbc\x06\x8f\x24\xa2\x2c\xc6\xb7\x1b\xd4\xad\xd3\xae\x66\x95\x5e\x3c\xeb\x2a\x8f\x15\x5c\x4f\xea\xf3\x6d\x9c\x48\x02\x96\x8a\x53\xb0\x86\xa4\xa5\x0d\xc3\x54\x75\xe7\x5c\x18\x51\xe7\xd4\x08\x54\x07\x74\xe8\x98\x21\x91\xe5\x06\x06\x99\x1f\x3f\x33\xfa\x70\x8e\xf6\xa9\x40\x41\x51\x10\x98\xb0\x26\x7e\x73\x7b\x9f\x39\x9f\xad\x65\xb7\xcc\x2e\xfa\x80\xea\xfc\x73\x4b\xd5\xab\x1f\xdc\x3d\xec\xc0\x26\xfa\x76\x75\xef\x45\xa1\xd1\x7f\xfe\x1c\x0b\x1e\x00\xb1\x02\x73\xd7\xc5\x7d\x18\x3c\x74\xa3\xd9\xb1\x47\x13\x22\xb5\x9a\x98\xce\xbd\x12\xd1\x6c\x28\x34\xb2\x26\xce\xca\xea\xf9\x60\xe3\xd9\x07\x76\xc2\x39\x23\xea\xe6\x8d\x1e", 198); *(uint64_t*)0x200000016b4c = 0x200000016980; *(uint8_t*)0x200000016980 = 0; *(uint8_t*)0x200000016981 = 3; *(uint32_t*)0x200000016982 = 4; *(uint8_t*)0x200000016986 = 4; *(uint8_t*)0x200000016987 = 3; *(uint16_t*)0x200000016988 = 0x280a; *(uint64_t*)0x200000016b54 = 0x2000000169c0; *(uint8_t*)0x2000000169c0 = 0; *(uint8_t*)0x2000000169c1 = 0xf; *(uint32_t*)0x2000000169c2 = 0xc8; *(uint8_t*)0x2000000169c6 = 5; *(uint8_t*)0x2000000169c7 = 0xf; *(uint16_t*)0x2000000169c8 = 0xc8; *(uint8_t*)0x2000000169ca = 5; *(uint8_t*)0x2000000169cb = 0x14; *(uint8_t*)0x2000000169cc = 0x10; *(uint8_t*)0x2000000169cd = 0xa; *(uint8_t*)0x2000000169ce = 3; STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 9, 5, 27); *(uint16_t*)0x2000000169d3 = 0xf; *(uint16_t*)0x2000000169d5 = 0; *(uint32_t*)0x2000000169d7 = 0xc0cf; *(uint32_t*)0x2000000169db = 0xf; *(uint8_t*)0x2000000169df = 0x10; *(uint8_t*)0x2000000169e0 = 0x10; *(uint8_t*)0x2000000169e1 = 0xa; *(uint8_t*)0x2000000169e2 = 4; STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 0x30ec, 5, 27); *(uint16_t*)0x2000000169e7 = 0xf0f; 
*(uint16_t*)0x2000000169e9 = 0x82; *(uint32_t*)0x2000000169eb = 0xc00f; *(uint8_t*)0x2000000169ef = 7; *(uint8_t*)0x2000000169f0 = 0x10; *(uint8_t*)0x2000000169f1 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000169f2, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 8, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f4, 0xf, 0, 16); *(uint8_t*)0x2000000169f6 = 0x8d; *(uint8_t*)0x2000000169f7 = 0x10; *(uint8_t*)0x2000000169f8 = 0xa; memcpy((void*)0x2000000169f9, "\x42\x2d\x46\xfc\x73\xf8\x4b\x4d\xd0\xc3\xd2\x4d\x79\xf2\x70\x97\x5a\x97\x8d\x73\x6a\x0a\xa3\xe5\x86\xae\x4e\x9a\x23\x24\x83\xcf\x25\x26\x97\x18\xcb\xb9\xdf\x73\x03\x62\xce\x6b\x7c\xf0\xe3\xd1\x00\x79\xc3\x28\xee\x2b\xe8\xf5\xff\xc2\x42\xa0\x7e\x20\xf7\xc3\xdb\x60\x7c\x73\xe2\xca\xc8\x2f\x1c\x73\xc8\xfc\xac\xeb\x15\x1e\x20\x22\xfe\x0c\x73\xad\x66\x19\xa4\xda\xce\x08\x65\x96\x99\xed\x76\x60\xd4\x52\x02\x74\x9c\xda\x47\xdf\xa1\xe0\xdb\x87\x66\x4d\x1e\xff\x73\xf0\x60\x6d\x30\xb7\x78\xcb\x88\x08\xdf\xa6\xb2\x4c\xc1\x8a\xdd\x57\x9f\x29\xe8\x1b\x12\xe3", 138); *(uint8_t*)0x200000016a83 = 0xb; *(uint8_t*)0x200000016a84 = 0x10; *(uint8_t*)0x200000016a85 = 1; *(uint8_t*)0x200000016a86 = 2; *(uint16_t*)0x200000016a87 = 0x48; *(uint8_t*)0x200000016a89 = 6; *(uint8_t*)0x200000016a8a = 0xf2; *(uint16_t*)0x200000016a8b = 0; *(uint8_t*)0x200000016a8d = 2; *(uint64_t*)0x200000016b5c = 0x200000016ac0; *(uint8_t*)0x200000016ac0 = 0x20; *(uint8_t*)0x200000016ac1 = 0x29; *(uint32_t*)0x200000016ac2 = 0xf; *(uint8_t*)0x200000016ac6 = 0xf; *(uint8_t*)0x200000016ac7 = 0x29; *(uint8_t*)0x200000016ac8 = 1; *(uint16_t*)0x200000016ac9 = 3; *(uint8_t*)0x200000016acb = 0xf6; *(uint8_t*)0x200000016acc = 5; memcpy((void*)0x200000016acd, "\xd7\xdb\x75\x8c", 4); memcpy((void*)0x200000016ad1, "\xcb\x02\x4e\x33", 4); *(uint64_t*)0x200000016b64 = 0x200000016b00; *(uint8_t*)0x200000016b00 = 0x20; *(uint8_t*)0x200000016b01 = 0x2a; *(uint32_t*)0x200000016b02 = 0xc; 
*(uint8_t*)0x200000016b06 = 0xc; *(uint8_t*)0x200000016b07 = 0x2a; *(uint8_t*)0x200000016b08 = 2; *(uint16_t*)0x200000016b09 = 2; *(uint8_t*)0x200000016b0b = 0x80; *(uint8_t*)0x200000016b0c = 5; *(uint8_t*)0x200000016b0d = 7; *(uint16_t*)0x200000016b0e = 7; *(uint16_t*)0x200000016b10 = 0xff24; *(uint32_t*)0x200000016f40 = 0x84; *(uint64_t*)0x200000016f44 = 0x200000016b80; *(uint8_t*)0x200000016b80 = 0x20; *(uint8_t*)0x200000016b81 = 0x13; *(uint32_t*)0x200000016b82 = 0x2a; memcpy((void*)0x200000016b86, "\xb3\x64\x4b\x33\xa4\x96\xf2\x18\x7a\x58\x63\xe6\x4c\x40\x7c\xec\xd2\xd6\xd1\x3a\xe2\x3e\xcf\x1c\x3c\x53\xf7\x8f\xf2\x17\xcf\xf0\x21\xe4\x71\x8c\xea\x7f\xbe\x4c\x3b\xa3", 42); *(uint64_t*)0x200000016f4c = 0xffffffff81000000; *(uint64_t*)0x200000016f54 = 0x200000016bc0; *(uint8_t*)0x200000016bc0 = 0; *(uint8_t*)0x200000016bc1 = 8; *(uint32_t*)0x200000016bc2 = 1; *(uint8_t*)0x200000016bc6 = 6; *(uint64_t*)0x200000016f5c = 0x200000016c00; *(uint8_t*)0x200000016c00 = 0x20; *(uint8_t*)0x200000016c01 = 0; *(uint32_t*)0x200000016c02 = 4; *(uint16_t*)0x200000016c06 = 2; *(uint16_t*)0x200000016c08 = 1; *(uint64_t*)0x200000016f64 = 0x200000016c40; *(uint8_t*)0x200000016c40 = 0x20; *(uint8_t*)0x200000016c41 = 0; *(uint32_t*)0x200000016c42 = 4; *(uint16_t*)0x200000016c46 = 0x40; *(uint16_t*)0x200000016c48 = 0x20; *(uint64_t*)0x200000016f6c = 0x200000016c80; *(uint8_t*)0x200000016c80 = 0x40; *(uint8_t*)0x200000016c81 = 7; *(uint32_t*)0x200000016c82 = 2; *(uint16_t*)0x200000016c86 = 2; *(uint64_t*)0x200000016f74 = 0x200000016cc0; *(uint8_t*)0x200000016cc0 = 0x40; *(uint8_t*)0x200000016cc1 = 9; *(uint32_t*)0x200000016cc2 = 1; *(uint8_t*)0x200000016cc6 = 3; *(uint64_t*)0x200000016f7c = 0x200000016d00; *(uint8_t*)0x200000016d00 = 0x40; *(uint8_t*)0x200000016d01 = 0xb; *(uint32_t*)0x200000016d02 = 2; memcpy((void*)0x200000016d06, "{*", 2); *(uint64_t*)0x200000016f84 = 0x200000016d40; *(uint8_t*)0x200000016d40 = 0x40; *(uint8_t*)0x200000016d41 = 0xf; *(uint32_t*)0x200000016d42 = 2; 
*(uint16_t*)0x200000016d46 = 9; *(uint64_t*)0x200000016f8c = 0x200000016d80; *(uint8_t*)0x200000016d80 = 0x40; *(uint8_t*)0x200000016d81 = 0x13; *(uint32_t*)0x200000016d82 = 6; *(uint8_t*)0x200000016d86 = 1; *(uint8_t*)0x200000016d87 = 0x80; *(uint8_t*)0x200000016d88 = 0xc2; *(uint8_t*)0x200000016d89 = 0; *(uint8_t*)0x200000016d8a = 0; *(uint8_t*)0x200000016d8b = 2; *(uint64_t*)0x200000016f94 = 0x200000016dc0; *(uint8_t*)0x200000016dc0 = 0x40; *(uint8_t*)0x200000016dc1 = 0x17; *(uint32_t*)0x200000016dc2 = 6; *(uint8_t*)0x200000016dc6 = 1; *(uint8_t*)0x200000016dc7 = 0x80; *(uint8_t*)0x200000016dc8 = 0xc2; *(uint8_t*)0x200000016dc9 = 0; *(uint8_t*)0x200000016dca = 0; *(uint8_t*)0x200000016dcb = 0xe; *(uint64_t*)0x200000016f9c = 0x200000016e00; *(uint8_t*)0x200000016e00 = 0x40; *(uint8_t*)0x200000016e01 = 0x19; *(uint32_t*)0x200000016e02 = 2; memcpy((void*)0x200000016e06, "\x1a\xc5", 2); *(uint64_t*)0x200000016fa4 = 0x200000016e40; *(uint8_t*)0x200000016e40 = 0x40; *(uint8_t*)0x200000016e41 = 0x1a; *(uint32_t*)0x200000016e42 = 2; *(uint16_t*)0x200000016e46 = 0x100; *(uint64_t*)0x200000016fac = 0x200000016e80; *(uint8_t*)0x200000016e80 = 0x40; *(uint8_t*)0x200000016e81 = 0x1c; *(uint32_t*)0x200000016e82 = 1; *(uint8_t*)0x200000016e86 = 7; *(uint64_t*)0x200000016fb4 = 0x200000016ec0; *(uint8_t*)0x200000016ec0 = 0x40; *(uint8_t*)0x200000016ec1 = 0x1e; *(uint32_t*)0x200000016ec2 = 1; *(uint8_t*)0x200000016ec6 = 0xc8; *(uint64_t*)0x200000016fbc = 0x200000016f00; *(uint8_t*)0x200000016f00 = 0x40; *(uint8_t*)0x200000016f01 = 0x21; *(uint32_t*)0x200000016f02 = 1; *(uint8_t*)0x200000016f06 = 0x4f; syz_usb_control_io(/*fd=*/r[28], /*descs=*/0x200000016b40, /*resps=*/0x200000016f40); break; case 53: syz_usb_disconnect(/*fd=*/r[27]); break; case 54: syz_usb_ep_read(/*fd=*/r[27], /*ep=*/0, /*len=*/4, /*data=*/0x200000017000); break; case 55: memcpy((void*)0x200000017040, 
"\xdd\x9c\x62\x25\x17\x5b\x3c\x37\xdc\x19\x63\xb4\xd0\xf4\x63\xd6\xe3\x82\xd9\x56\xed\xab\xd1\x31\xd4\x19\xff\x0b\x34\x34\x94\xa2\xc3\xc8\xbd\x5e\x32\x1a\x50\x6b\x68\xc9\x62\x1a\xb5\x44\xdc\x8b\xd1\x7c\x2f\x62\xf3\xc5\x6c\xae\xcb\x39\x08\xa6\x43\x0e\x4d\x9e\xaf\xd0\x2c\xa1\x3d\xfd\xcc\x2d\x07\xc5\x31\x31\x38\x62\xad\x42\x71\xec\xb0\x7f\x10\x14\x3f\x48\xff\x7e\x73\x8a\x4a\x77\x62\x3d\x0d\x4b\x89\x21\x08\x4f\x7c\x7a\x91\x14\x22\x06\x24\xe8\xf1\x22\x87\xc7\x36\x9f\x8b\x91\x93\xde\x6e\x3a\x67\xff\x4b\xf7\x59\x6f\xd6\xc1\x07\xe4\x77\xfc\x1d\xf6\x7c\x16\xfe\xc9\x51\xa2\x12\xd9\x60\xcd\x48\xe3\xa1\x75\x8e\x8e\xc8\xe7", 154); syz_usb_ep_write(/*fd=*/r[28], /*ep=*/4, /*len=*/0x9a, /*data=*/0x200000017040); break; case 56: syz_usbip_server_init(/*speed=USB_SPEED_HIGH*/3); break; } }
/*
 * Entry point of the generated program.
 *
 * Maps the fixed-address data region that the generated calls write into
 * (the 0x2000000xxxxx stores in execute_call all fall inside it), applies
 * the sysctl and fault-injection setup, switches to a temporary directory
 * and hands control to do_sandbox_none(). Always returns 0 once
 * do_sandbox_none() returns.
 *
 * NOTE(review): setup_sysctl(), use_temporary_dir() and do_sandbox_none()
 * are defined earlier in the file and are not visible here; their exact
 * effects should be confirmed against those definitions.
 */
int main(void) {
  /*
   * Inaccessible (prot=0) 4 KiB page ending exactly where the data region
   * begins (0x1ffffffff000 + 0x1000 == 0x200000000000): an access that
   * runs off the low end of the region faults instead of touching
   * unrelated memory.
   */
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /*
   * The 16 MiB (0x1000000) data region itself. It is readable, writable
   * and executable at the same time (prot=7), and MAP_FIXED replaces
   * whatever was previously mapped in that range.
   * NOTE(review): none of the three mmap results is checked. A host that
   * refuses simultaneous write+exec mappings may reject this call, and the
   * failure would then only show up as a fault on the first fixed-address
   * store.
   */
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /*
   * Matching inaccessible page directly above the region
   * (0x200000000000 + 0x1000000 == 0x200001000000).
   */
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  setup_sysctl();
  const char* reason;
  /* Presumably keeps unused-variable warnings quiet in configurations
   * where the check below is not generated; harmless here. */
  (void)reason;
  /*
   * setup_fault() returns NULL on success and a human-readable reason
   * otherwise (fault-injection support missing from the kernel, or the
   * one debugfs knob flagged fatal could not be written). Failure is only
   * reported; the run continues without working fault injection.
   */
  if ((reason = setup_fault()))
    printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}
 : In function 'execute_call': :6186:17: error: '__NR_socketcall' undeclared (first use in this function) :6186:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor498532209 
-DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/13 (1.34s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_open_dev$admmidi(&(0x7f0000000000), 0x302d694, 0x32400) (fail_nth: 1) ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r0, 0x80045700, &(0x7f0000000040)) (async) r1 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) (rerun: 4) ioctl$TIOCSIG(r1, 0x40045436, 0x17) getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f00000000c0), &(0x7f0000000100)=0x14) syz_clone3(&(0x7f0000000340)={0x8800000, &(0x7f0000000140), &(0x7f0000000180)=0x0, &(0x7f00000001c0), {}, &(0x7f0000000200)=""/114, 0x72, &(0x7f0000000280)=""/109, &(0x7f0000000300)=[0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0], 0x8, {r1}}, 0x58) kcmp(r2, 0x0, 0x2, r0, 0xffffffffffffffff) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000003c0)={0x0, 0x4, 0x0, 0x8}, &(0x7f0000000400)=0x10) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000440)={0x6, 0x8207, 0x96d, 0x10, r3}, &(0x7f0000000480)=0x10) ioctl$CEC_ADAP_G_CAPS(0xffffffffffffffff, 0xc04c6100, &(0x7f0000000500)) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@ctrl_frame=@pspoll={{}, @random=0x8000, @random="63448edb2fb0"}, 0x10) 
syz_80211_join_ibss(&(0x7f0000000080)='wlan0\x00', &(0x7f00000000c0)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_kernel_create_files_as\x00') r4 = syz_clone(0x2080000, &(0x7f0000000140)="2803837cbcf37bce72c1a73b909c68fe5bf7a6363cdc90c00dc6013b35da02a66a0591667154a5567c0e5ee6933d6da8bfedac5d278a291efa3020ba15e390eb38da76261c3aeff9eea8abeace", 0x4d, &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="6a0b56ff4b8fac28773ca137652b5b0fd803a0413c282037f721cb96ecf2bb1a616dc3d56eeea26f6b16f4562d17c6d8b8838f1844b585ebcc0b562f0557b2c7e9f0dda1ce4cc61d") r5 = socketcall$auto_SYS_SOCKETPAIR(0x8, &(0x7f0000000480)=0xc2e0) syz_clone3(&(0x7f00000004c0)={0x18000000, &(0x7f00000002c0)=0xffffffffffffffff, &(0x7f0000000300)=0x0, &(0x7f0000000340)=0x0, {0x9}, &(0x7f0000000380)=""/41, 0x29, &(0x7f00000003c0)=""/107, &(0x7f0000000440)=[r4, r4, r4], 0x3, {r5}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000540)='./file0\x00') syz_emit_ethernet(0x63, &(0x7f0000000580)={@remote, @link_local, @val={@void, {0x8100, 0x6, 0x0, 0x2}}, {@x25={0x805, {0x0, 0x0, 0x27, "ed9d0de7c64477f8a5d951f792474cf5075158244f9b1731f0f24acbf5389ee283a5851cd5cf33761e5cea7eddd7b163070852dce6e12da0688ac4ee0a17dcca77143e90d7e7935dc9bf2e32db4a"}}}}, &(0x7f0000000600)={0x1, 0x2, [0x9b6, 0xffa, 0x777, 0x5fe]}) syz_emit_vhci(&(0x7f0000000640)=@HCI_EVENT_PKT={0x4, @hci_ev_clock_offset={{0x1c, 0x5}, {0x80, 0xc8, 0x2}}}, 0x8) syz_extract_tcp_res(&(0x7f0000000680), 0x10001, 0xffff0001) r9 = openat$fuse(0xffffffffffffff9c, &(0x7f00000006c0), 0x2, 0x0) getsockopt$inet_IP_XFRM_POLICY(r5, 0x0, 0x11, &(0x7f0000002a00)={{{@in6=@local, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@empty}}, &(0x7f0000002b00)=0xe8) ioctl$auto_KVM_HAS_DEVICE_ATTR(r5, 0x4018aee3, &(0x7f0000002b40)={0x5, 0xee00, 0x1, 0x5}) ioctl$auto_EXT4_IOC_GROUP_ADD(r5, 0x40286608, &(0x7f0000002c00)={0xee00, 0x0, 0x8, 0x1, 0x6, 0x5}) getsockopt$inet6_IPV6_XFRM_POLICY(r5, 0x29, 
0x23, &(0x7f0000002e00)={{{@in6=@private2, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in6=@ipv4={""/10, ""/2, @multicast2}}}, &(0x7f0000002f00)=0xe8) shmctl$auto(0x2, 0x6, &(0x7f0000004040)={{0x8, 0x0, 0xffffffffffffffff, 0x2, 0x10, 0x4, 0x7}, 0x7f, 0xbb, 0xf, 0x4, @raw=0x800, @raw=0x2, 0x5, 0x0, &(0x7f0000002f40)="a0fc0337faea631f704d04b5a594dd3a87e2747c38740f4357e5cb221bf4405795c29906227d364e0446ebf77d111ab6668106a002140a81071b6d28cfabb37aea4e26c4657db31916f17181ef2fbba8cf194a98c435a1007c270cd6eff5c6424537197a130202f28ce2586be0ceff0db47a35351218f49a4599a98e93fd6fa6be92176782d29ccfc900c767f4de102c3a7779577ff36f427dcaed1e8dd389650fbe9cc0cab5b4390e805ec30ad6411cff6065a8a57610ab7c610132a2a1bf37c871d06a9d78cc27688f4befa7bd112a69df64b551e3", &(0x7f0000003040)="64b9520eb174939ec87643a2fdaffea4527bbfd51b07ac9467169d3c7baa5dc65b8a38d950c858ff99237e6ec06b4656a52acb76c755c1cff1c0a65e3d1632fabd9e1b381852b6fcfc058744856a80a29fb4dbdd715b3cd08e15a53405d0fd2ff7eac836338c4eca0456ff78cc5712332146b671bc42861cd8bb43200985a362f39f15bd437f06458b867d4bea2227493250d83fb46f7297b8f8c27351ccbec4ffd07175a7c5e2319e94210d4af5061e743f050f2ea538a3ed9d0359f5a7546c3d0113e255268cd0483ab186f9c5550202a9fa3fa0c4a2a5805241819cf9c345cecc6b77dd7c299750b67ff8cb5d9a6b0d3d9816dbeb6fdbc5ea9fae4a25e19b48e510ddb5d4d1271ba0c4a083d04cc509b40f1a849195f3bc3e9f63b7cc7473ffc740cf1a979bd1d7e9317f6fc77a62e5acab36c4a063069cfb207dcc7af70b77a743b362d9d9fae0dbc680923a0e3454026b6da9579f352afef7abbca7bfc14aef0fb3d1305506b97940ea127ffed13eeea6cae0be96f5be7385e8e9ba4f00fdc51859d825192718dcf23e0b6da413aff854ba5221ba8d27ff02b6c0f9667f2ffe72f434f4c7085a52fee5f0871bc20aebc8ef87c17c49b2a434242154770e3ae268d5bae11f22f2146169d7a9c16b5daf83031111ce5ce992d275bb9bc5d1290f7fea356607e8dd9acc55849eeb502827374c45dc89dd1186ec9210bff8e005b7cb2c134a922d6ddc512281e6f5aa9b104d04bcc6000b9f95f74393f312c990f7d29dee0ef7a4b158fe69196b0683f35e8b4ba65bb49b313d92d6f67f72f7c3e7de4dd884d72c786d66bdf598a15f9ac296
ea70740343d94591186448ae73eea6101de13df667ab6ea1f55aba4c113d0ac42bba7ec5bd1d56b6bc947045595c76c8f69339bd2f193de246533010f42ac93ce0af99f40ae8bf3a30543d6861b2ca306c0c081db792af448820409c05330bdbe44f70c5561dff8704b5eeb712acd321fb7bd58c809fb11d017c34879854f153241741fdf8de35356bee7a0cb40a726cc783175759e266ddbc98e3e5f822024e3359a7fec0e09f0d1e214262ea209a9ddf12280e28723393368817de6d200ac6f9d14cee80cb713547cad55333acaff3a32b48964845501bf108e8f515728b36726290b478f7f3da9a62ddb1d44f5ed569c7cff30451b1355d3491eb80345cfdb938475f9d16181cb1e3d733ea45aba04cbe419b1fe39de514e8b00db827fec195ae7731b2a64ad258c1cf2d4cd97dd9dec3564f9ca74ed625830ed32b0507ad8c97f63f5a2b39bbaec04b3b889b6d7c9fb98993d5e5ae40cd6b6372bc631d37dac4ab3d48b5895b0030e002e7f443bead14a5777ecf5ee99983b3c0f500539d02ba11cb4bf3259906bbcc34855e6d4b2c49316816d4d17340d8938dbbad5f2cbfe83da57f59e51c9eb6ff6215f794f6822820b05912df85fea53c046dd6e88924a18e71c0cda658b58aff26194f88df81daf06ee0942cda0df18b41b0e230b305b4f9a47fdb18c6d68cceba1f24f2756bd96a799112c3485e394d2dd9fc87ab1b4651ad058a3e44461d2c72f038ff881104cb75cc79683a9d97d881cffb92b05c12bf4d3ab4dbe17908fb799eaffa9cafa4a61ce20aa4b3ebc3c75220aa65c9803a77f181da3924cca5f6059612e45486106f22b8c891f7b14662abd64b3258ed13bdcd6d1a77c6a41519d66063743a1918bb13e9b7577fb6bb7df23ff1b96e782bda6394d4861a7e0ac80d1c6cc84a303b7841e589d66bed37ccc05f4e9b4dfbc53d3b50d50e02c87d41f53f86decb39c706f5372e9d6e3dde53059620d27845f3ed77cd5899e33aed5c4fb140f8e405fa2e0e1172eaa7d4e912987a0aa3acf7c2d8e94d16c998c987fd404b234ef7361d0c5387e6b9d55fb972c7dc217226ce13d82a59311fe269a09c384e739a66be4354791f381e74cc5dfb9a92fbfff8595df24b403eafb00473eb0b2e7fee36dba4a908938bcfcce961fd10ec29e56dfe40591e13d5e53f16c8759ca27f80ce904f2d7c43321097595e907639f20f9e8dce700c39d0e442da887a4df082eb7e172fafdcb00b008caf5523d1fe5f240ae991496db93389af4185e9c9ccbdcb9731ce7a770ae2abac9d8cddf313231a55e1277bd36c1e44842b3872555ccdcb3a0684591321ff15dc6d2ceffd585dbeb990e4054fabc18a9e9f1de13bfad9de7f8deb6b6c472c423367eead525004defa9e17c67902360bf1
63a01e98f6e755cff6282aeebd1e8a09715c15b9edaa500de074c28bad6d03578c5e1c87be7117f54eefc3313c38b61d88a6a50a0f36fdbf084cb41447c690d3ffcc8314e91ada81d34accd3e06d19bca28fb49bed5e32f4ebd54929e4ab51a659b81c1c35df9e514769b9eb31d71d437864f54e992a2b9b15e2fd3207817756b486d081af397b21a258443d86a20a82dab3094a4883324791d67cea918bec7994abcec180f8fbd4ae90ad2c785de7747308d80a7331864bd1a9bffb514407785193927405f778a166514a339bfe16f5cb8ee349a08e25b94dc351c72e98c6baf186025060cd98d7d14bf8ee060240405a1c10202cb34857ab674eff41cd46c03d2ffccabf194e0f351658ab02d9a1f92830617de69135509534647bc4cc205287b251553fcc7689d5e669f9ba4bdb4036e064b2a791ea5de93c66918ad61cf10be4f5564a071b02b9365bc587316e65bd1264fe1f8dc7d244ab3319e9a905e244a0d000bf3c566811f729d10f9d81b060cb7ff93da8056d641f93121c50b987e4149d44c23491e9de6a5c1d6b26f644b3b020627caf32d47f95a4857b36530ff5c5be38ca37b90dec3bde10756158d6db91bcbbea6665fa1408aec0025d9dfe3de8a57b8af300179bff26032e61db60d6e20acb671595056fd65e84038040f07d46dbd4cb8c0d3ce9fda002d22e24750f145801af85d782681bb9b1228fb281c543e5dcdef84b7a2626de59e1ec79e44d1a230fedda6e3037b0e9c4ca475dcd319b86bd4ab2cc3cd5ee47857adaa88e7e77afaab3fd85076edb3615ba44e97b5e181b5e8c8611784854a8aebdcc0983e0b837455a2901b91980b05efc9223d206dcaa5be6745cbdfb6f9af13873b3773f5a59beaa0f4a36ddd383d63e12f50e0f7c533e6a559e545d2851d04bd36e412d891eac7bbff39936937fa3e4fbfaf51037c50a7d5730051e4c6984f394f3f59faa61ac96fc2ba4e33564c2bbc607b18ef8aef19b88b7ac63cef3e0971fa1156233373fa5b58f16fa99312d84a6b790e7a663ba05e237385eb413e4260e021ba387912357fed39f1366e7318ebea7b921ded5d9f9ab5a86121648310f0904258a9e4d590d65431d23e622309de964cb77df8f2807667bd58181e485c2e03c295c15e5274c706c1a0027b6751e40959a1581c710774bd5575367c93c17fb8444976e384711d4debce09754e97b048d47b3dd82f75fa93937d0722cb2379e8b4b02675991ed1bc5f1f15fea5fbe59c63a2991af998a21991f1d46cd3d211a532cee732ffbcf55b28790c4badba768c57a2623df69b396c2accf925806d55261b7087435e497452975b15266522ef97637956faa20e8ec653c9c0c0773603d77677d0ef1ec99a0f61cccf7e1103051a7852a0077f973369f6d
8056b79c537aea6b410709df6937b6b7ce03398e1a7a1ef8e062bf5b5a110bc0daf2765c92e695834add9ac03f5ea56f8ec1d64a8fad07410e3019d84c0e7cdf1c49e95091794a3aad82abf63e9c6cebabdf05e80503d1ba7037e9b0b35aad5517a02988a343b6a4af6d8277964fcd3e720c19ebcbca7c4a877c4b17405d4e04e2bff036d6f5e8da62d6ec70d1cdd970e8ba36f7fa956cbde78925a443b9579be039e5653966e745b1d93c62970f2907fb535c88820b95b24409d1bb81e0cdfbdc397278a8b1eba6325e693a93b550dc2d7ff05598f8246794b2d01b58f30324e44c439ec6e170b692ef2d552f332242101fe24586564b87e4d04c5c4137f453451dc82ce49f93d50e49acf2b966d0d500fff99b984d70faa2061187369a3dd50337872c230e6fbda2420e565886b6eef53eb532239a98237bf8cf3549f60b083d81a16e6a30c26a74456fbf8ddc2476784e776df7490a31e1113cb0d876d5ca9fbfc32cf6081f7542015b41ae86f9c0bbfed2b8474bfcd78284467c22f1d6df54bb3e28f5cff007e9d5d5597c837a72eb04ef8d1f3ac060b9f1fff3d74da35bf1cc3ff9d836bfc8d2ccb07214afd357c296ae04a5ce01fdc779e9b4ae6d677c6fc48f7383064f2d217d51e390609dad933022ed7c35f89e83b555c8e3ccec204e593228f3244427cfed43bd371ee5f584ceab01f88d1c99474189b876c9534089dd5d0460da833afb14cb1cb1f4bf8517fff86f94a919b9f8eeb360887b139f675905ceeefa05786fd7eaa8cc6010ee286989b6269a45052d4c62f742bdc252fbfdb2166f9b0215316ce569d53f12d7ff1e92d2bf11b6ed6aec3fe3f62c49a4cd2febcae8e1b44b38eaf1a6e78f2da3cdd94edea7150000d7015cb652ba46d3b2315b649edccf47b51d4585dbc76064a12b05ced6fd11fe3703ad2267f96297bcd455810769746ee264e73d9043384e3af7b445fda9f12fffbc7d63cdc105ebf8ec1f52475c73b06b4af080037babda8888b05b3d0051d7aa6c949140df65806c8366f8e3640f5a7470262696bd3cd4db85502cbd5fe22bb0f59287768fb9c52e6933e568e0d3ce7283a420c89fd04e93e565df0ff68cc743cdcf4dfc7ff09cbe8a77a020804f4c1761284616d958401f57af9dc71362992b3ff3439ccf85f43b6c0850989650d8f55ba1922a6500d272dd42386cbb23e6e67ec926a1ca9357f4c84b767152e6c43617def94ac6014aa3c6ca841859dc57524a722741246530da550671ec17d2a342e557b43c08a93c1267637fff37ff4a4085528e7ce6d09de642996fff98688544a7c23bff8b6fdbe533424ccb119a567f1f15c0b4650ed80efe24ab4d1c1e33305afd2ceac682c0eacaa5669e4434f634b1c61271d95b0095c7b1a62a2d073a
ad80c51015bb5150845c118633a3c4c94b7463fe7339182ea01a7e28637c27b5f86068a7374ae77c5cdd6dd9b469dd9a475c37528e2f1c40132359e9e65e23ad4595b160ad9a2d83cce078f4d6181fd3026c2a0b1302faa69a5180a2c20b3a32876efc2a6281c409c2e66e00deb53098197f13185b7da589b0cfe2a312f0f61efab29a7b1b614faa57ed37e01f8b0cdfb2ea7867745d6669a4a895b97e1ed24c2f3cf23e8851138d9a640c2c0b321d00f0a4dd9a72fe5ba43ac47dd31a014d31b725ee28cd8fbed0bc78145980b586d371848bb96748303d0ad1fe2a2e7f5dd34070c6fc50e109dbb15cddcbc04e1cf6358d1050e6319a34f1452f44436d8cea137a37a1dad13efc2b9a9587a43c2c3f3d5aa32c0978520d24dadd18efa812a72d33b2f441ac885226555f7cd254ab277175c435683c36df697c2fb536271948e538dd3bce3909a5c8c37e97ea3736cd1ada26f13f121a990633d95b59e67393432993c0c84fd6d52beb7e3d02a437eb281af573ba1c47f373f6ccd6e0b183a21cbe9fdbb82ccc396f16aff1999fb839ebcaff97fa0bfd0d34cf8e57606fd82341db318e40cd9e85c154465dcce1b7fd8b22808f0e0d454ef9a2b5a4c35c0a125b9237070072d1cd827cfdea8e3de833b0814c8ff260e6b39807ef86ac677abdeb507dd57f6993d303d55517840bd7af1db3980821"}) shmctl$auto_IPC_STAT(0x10000, 0x2, &(0x7f00000042c0)={{0x2, 0x0, 0x0, 0x3, 0x44, 0x7, 0xff00}, 0x80, 0xe5, 0x0, 0x8, @inferred=r7, @inferred=r4, 0x800, 0x0, &(0x7f0000004180)="b8472da763b7f233e5d2387c998ed4355657", &(0x7f00000041c0)="10f121593543ac483ee5d9fc0093e203b927b44bb534a8711a28df30c87570f25d8dd643467a2c9e531e8a4aa6e033f571b9feeae8b65d093f915628885d3f028c3f4447632b36f22e16c1fcb5e7bd6992c089df961fee65da52263c865431c8324d25205427653902000ee5f231b03df00cf5b4ff9f8779d331a8b511c4ddf3ba9b68b48133a4cd4f26e7376650cba610c62a68f4810220009706a85a063103dc90df67137a34a2dc60eacd868a66d7f68e69c04cc195fdc8081c4be4148603242caf94670f9e25557ef9ada0f23c5961fc07fe58c78bff013f8344dd9611e2314963bf51df6c984c56b9af"}) shmctl$auto_SHM_LOCK(0xfa95, 0xb, &(0x7f0000004540)={{0x9732, 0xee01, 0xee01, 0x5, 0x4, 0xffffffff, 0x5}, 0x80000000, 0x9, 0x5, 0x8001, @inferred=r7, @raw=0x2, 0xffc, 0x0, 
&(0x7f0000004440)="aeb6d5073afaa31c2e2b2c269112dfff493937392207d13fcd1a8ebaa997fd976ccf817f4290a89565f45f54382b313d3498e2a676fb908ee4d892131f01b83dedd09498c8c2c56df4ef1c8232320b42d583cc6061c92cc06c764fb0d446a8b9a5f1903c9b2b2ba45c1ece47cd249f201b457ee03c79fbe26feea6dec142689ae21b9ced8439f10a2e3b657a1e3ab73854c1338b6db905248ae4bcee973d068e9bd49bf4f9e8d0177c72612bce4ef6b4d76c093996de65", &(0x7f0000004500)="24a7291c4abc17ba4acde1c6fbdb58896ad27dad256440207ff6a5e48ff2a6185f2c"}) syz_fuse_handle_req(r9, &(0x7f0000000700)="2bce1778fec9a1286bf6aba53c3ac40286ad6aa7112d6f2fcabfd2ba713eaadc8139e14f618070126ac3a38ad9cd7b5c94b1783b2611520729353d56fc5bd5cbd4f11d01359ca9eb2e0c4cc66095846c2b10d41eb84677f1c352bd90ebfa66123a7a19f45caea84f12e77657933246c44a209a4b9f155687e2a4fd902f57ea49085faa760119406827db2e6ade2029f8201de47e97b133853ae73214a796e4818d39cf10a8e6a6f11a88e082c9aa25857a67a32f35bc8f867f044d0f329953dc0602249d83197e0ef5c983b9d556bd527a6a599f52a211f9c7113edcc0e93fc18e79ed69fb2a7fde97c9c35e31e35f077137c8fd8bec401814fb99816d1ee5a5e7edc210c610970daf8aea89acbb754082d8f68eb4a0010653c70684a8dd7c002ba7e461c8dcc45c2286da3427351418cb24a94d6556d69e2a319b5c0e69e6bf111a9c45467c41575fdbfc2646dafda3179b0fcacc149b45ef10dc13f5fce2e4a2c22c2ae992bc6bd51323e724e466c736db1d3457ee0f7de147661dbadc942bf0df2f089e980381ae888ab022fb545c0343c4087f2c1b6ae0cd21d0fd6565790958c93a6759a5754b700a6f53abbca7d22cddcdd709b279d111d6ce1fd791ebcaf260480986b321ceccf955618bbea2781d331490cde5734793ab075f5a729321aee177fc3c20efd0797446e512c625a3bc1a56f4c01889f574933b726f7437ee049491bcb91f1c63a0b175e2ce567507dd354bf26b08059ac229046a6e75d3d321ee63c5abc1a7409e207e6fc51679df37bc7ba339cbce32d45a9609068851b0a7f581aaed7e995c36779d07c357e5d976f6deee4f3684f97e7c619d3ccc28722f130d936d3c073b9bb5194eb9ff69910c6a3d5858c2862ba8ce9425cec1e801182a7fb5c7017a4185d13feb353829dc681a5619f0a02db6ebde860cf7c6294d2145f9a5291849762d93816682d19189dd768280df4a68c80801f66ababdf722ec213a7b7f58c46148686900669bdb0c643d005d600d95c5cb5d28ac4cd4c7022294
352ed1350c4e75fe8927895392b0062c78292fc15ad7038d1bddc994535e73ccc33c9ab23311d6f65de598f5ee9f9134ca4e4b409f21b0b0e40f36aa5c782b7bb864707afdce1e7cfe5a27c1ef3d2dc14105d6a489b87e7ae167ae87a5f3cda0b8a622176297f5328b79690df98979a4806dea069395f5b8e5bcec683fd39b86bcef865de60fe407291d127c4f0068bec8ae95738fce42205ef7cbba2a10766e32191cb4e50c06dcf6ca3ae78c0caa658fd58b652cabdde1dfa9d1f54a4479ad61d25a47ff08b3122560099bdec55deb110e406e08595340887e49677454b60860153c4b1f7cebef25dad082f4d3402078298bfd390bc766234595918cbb3b6cdb9961e1bb1d4f7c7f2401a8d80ac62b14624a3b16d97046fcef8d025deb794094d2cea50ccbe272e1c79a7167803c40a4ccee138444e7a415347783bfe0ffda3d50016d0f6b1b06126fcdd9237aac400b8549e4c1917a25db59cdbae29d1ea5bd7d25c575022dc55ff32ed42a610e239479beab0dd62a30a4fbeda0fcfe1d0b613a8d066933466a9ab31262701d08e77928f88cf8a838e9729893e55070efcc83736f3cb32eefc08f240d449a61cdf2116ce4eae7b9669ce6fc528b9834012b0f7c5425c262237ae8a301b6cfc03a579cb109df417d8514af612d320d0ed96b7f7e4a48aaa30f6c8f427db2f981bef360b9d8c277c84a8015f49bb8840dfdbfd5402a053fbedc0751587ebf6df4d69285cc398e98a7fcd68876eb2bf6f94fc0d03d7a93b1446cf2ac7ec11f8c3b62fcc0741c376d15ccd8dc9c85929453a177bc2424b374ccad51a57bd05290241e00389e5d9733dac843b25f4394db450fe16fdcbb56333790044d65ad606ae8ca97ceec3f809d789049a3298881339d2ed1602f2bf2bde3cc87163cf1dc3f8e32e859ac7b2d271ae42a7ad05e6fda9b98c14be9a3f65b16253743995982237d3130d15a18f8f532a8d0273eabb3386702859833844781dcebf2164f0a4b1411d88299fa82e7bab71a0836d50b418a6a47f747220fefee2685af32c2de7c3375cca11914f2da17ecc46e635afda8c36feff10c7d6ebdcf7da4414b4fdb28c42f738c9561a656b01ca0bcb0224ec803e6a23864e01438974bba22369212caf053e560cf11ac83ec0485f570f6e536744243c211fdc03cb35904f1b3ad1e7965d4731aa048215dbe3b33d0963b0d5c0ecc90fa99997f19b583574868b4081c9ea2712343b918d22fa37e8df4db670a4be4295f699c924c4b7feb71103d9aef0270ded29d4f42af37a487e2bc8dc0b0bd3f6870385a1a8a984220f79a47a981e987dca44695ce6487d53c019010543b204222efaef7208dfa23f808c45613d514468b97fe57df911eac0c90ed04f00649321c3abd2701ec1a0122b4
bb48377b5e9251c0203faf0898260ff747c5a82eed234250158851a50906ac5492719f970a9062005ef1675576351a8b3d9dda735cc65b8209e98668b8d497885fb1d91d893e3e3fe96dbf56b61c606a8463c41fd8c9be64df1a595627fc711438eea8dfb73235a47be9c03704feda19e54f65a2876294495aca4d611c9b43842915fa7a51e45e16c7d22817c1b159e0bf53dffe16ed634161be4cc9169c952b0bb5fbf445aee0e9d386d300611857c70e95cf2e42a3e79bf7c202b77ce4f52d5e8ddf50d5db3fa10e95f24d656186d356dedc85c6f8684b8102eb019c18da8a663d70be24ead9f1dced78bd068a6c9b324dd747734318ebc62a4a9c74eb3422ccdee02f947c1a76e738542806ff2c9c851ab71217f7539da9c3350a1fbd5e5390a048ccac1f5413ab2d8147d7b2d7d4933e24d7ff0d16fa34e238e931622730da47e8ee853549f57d8cd0411fd3ddcd5d6bf36388d0368662f95dae7d3bcb932d62e0f895a56bd879d1f57043eb6ad46e35976c4fa6244221e9a68fb5a93f2568c1772ad1faef2aab0021fe7dbc57f3a777ddfe61f41cc3f7db0bbf637bd48f72d11dd052fb4e32520d4139ce9b920621f1eb6f378871f1e794c38759650a0a742c0e3403b6be88e31920c0f3afb58c686beaee1d65d6d83b8eafa7d0bcaaef875efa7a27371cac0599d41ba51aa5ce65ce48bca24d4a438e6e3ac33cf1fc7cd8cc3cd9b75116b53a09d98141fccdf0b08d8f9d6efded52d101c3ed6b27f6c6e42f9ba199f39c9a337728bde05bbeee63e4dc680ecf0f020bcbbb7b6ad0ba9b2aa614391e8aa41552137356953ef21535ca4e3220a26f061c7e78eb424288981695e651f6da9057c61102f5d58d331358d691ce1bd7f68160cb76fe77f03ffd460ecda1fdb1a78333893f1dc5d0357dc24335d3f12d7df9133169d9d21445b6a58195663da0330631b732c1dcc3e658f237f0f69a11602d4cac6468353fafcbf4cad1a3a26d2deddba7ccc886347ff059dacf969698001853307a3c5b3634dea162e63bd27b7c9dab63a67059299d6942675d10688a797d6b5163eab83b45b18460c28d6a83371eca626e9bdb94b90a11a7fb7f7d9fec0d773cc0566636292c7d90de6479ae9ffce8c34e284ff2fb4da4c0b4629a023f1e9c1e79c5d6bae6252cd4a30153e8c1ebf08389c206d66bece902ed877c36756b3f9cafe841ca61bff315fae3af3a18563f71a77eeb6fde0db2cea7fe494a78391afc1b21b233e0c4b4a1a23eee6feba1aee1124eb04ec4d23b6ae5ccaf13acdb656c72707fed010fc4ab31ba093a22fa85e47389acafe2a22298e51d36732695008e65affda75613bbd22f869b05e9dafe411da8549f141e018b362049c6af4ed782378172c55ae7b1d005a19086c2ab
19742ff7f9b329dc567f614730ef3e7478b62209ec2db90f3a6037af0cb7bdcc8bad8b32864a4167a370d0f916dc751fb28ee9c800e59e2e3720dbff363b28cf2698fdb3061bc39197677efbca4f86da8a976a1fe5f9e183ab9f3bdc9ab6ae44b8713a1ee07b894bf37490464f9d2c4f5a2a46c6b3035343b926dca5d993ecb074191df0e50fbb114c82b369e19d8ce958025e12a6e135c33c4e7040f2e5e4abb143bafb7c712144a99109b00dfd72f66d6a5d7d1e6aeaef794fa404575328feefd9c208ae710236da12de525c78403e78fdcfb5cb3448f93809eadbf8c6caeca702833a3d30bbafe94ca14b5e91864aa575409498939c5b2cce2d33d1f14ae3d7169ffd51a7421d2be6a4f6ce0d7fd5dd834e020c3e69cf5debe69ee863f5702bab78feccd285ab472b56d1c06ce40a79ef15c072361636317413726643c950c67e576ffd80d5f80807b6729736547b00a0d458e93bf964f47da3507747ec323d3108c449826224ea09afa36613331a961c5cf259252d0dacb502fbc987bbf6b1c8c6225a6c0e65ebb5a55945c5a064ec346f84270e3b38a12ae72c17809975ada72bad05a12fda83f1b00a42310481ca2a0990b663964e194c925c99cee86279f62c64548a57d3f167d6213accbe679a9fc204d21031f64bd5f68e8c75cf80af207cba25aa42fbc7df0734257000e5e9c223366d1df46f508b8a8fba4933352cb7c3f0e25d66d8c5129bdc467dcdaf4f4a871fea52b707c85ca1ad30f00804ba500cfbb2eee18c6842091c120ff9f5fe915a75a623e5407e77b2f2d7aa46e24c96986a60865517c267945d391692a1d3feffc935576787c90da846f959e26eef2f98ce0b13174fe456c5d33fb6bb65e8603af4f102929d8422b8bb5a24e0bec7214ee23d9b8dd07e7daf18d83fa66d849b91c708f99b4685c7b5dc956d95c7fceae7759feaa0d2a01f26b17b9e5a230c18c610a7e724db79becd4ac0f176bcf20449e90c3fae89c3a993e2f9c51e428dc0bddf67a7cd11f9ce0dafb4277c3281b88fa7138d217d79fe3ed72b195f27820e33229c5a6d7f493720f9190a1cb229a3bea0a78f629d00593c988c2d3fa09f8935e25bcd4ce0276a16f2306f7cbc8912523591ed88921aa7aefe26712f81028906d730fbe81995521e02e3ddfca0f881cb98a661d2cf8d1fc310845df4ec588c2b30fdfce181e6ef9a654e83fa69b773fb51717774936e6d037754782fbff13d32a50c75e2753bcaf4ae373526e610605f07c677aedac8daf379283f2e59aedde2c01953d1be4591ef165ca1906debdc0b8e47def1a34d3c3a4c12eae89668d143d1b0984f945044709df868d0975514dc1093090b0fe42962345ef40b0dd84ff7a20f394d5b3fc5a55d69b4bbd00b53e3174c760cb9
c79f275275558c6967f03cb7b54ec6c2a8602a5557c48e0cceaebc38c4cb35f171fa42622b1e8be6dd323375033ede7bea93b6d667758fb997ccee896cb3a03e47fe8b51bfefd7165b4b162546c2e4d46710353b73f6f1dea17e442b8272f6aff99c864372e4c3e5631bb739b59ad1235a18af7d59b79320a41b7c0e8d64d5a79481cce1e31b334ab33e92e6a4297f3def0f1b34675c7de910fe38e494ee014bb844e707bd302b24786bd6062bacb82d527acdca236f217bf0474742476e6a9325d9ee282dee43636beba541e6af65bab1f58233a6f558d8c6019f4ee4c8e833ea1618b053b3cdb8f88f09ce1225a68f319de5bc583eb3d22f2732343e9c0acbd8efde7d9c0f22406b9d1beb10e7bc92807c7bbdc00b1d88534e65dba2562167e2cf12a6f4b1e89b2495be631fe9a7afaf3e440254a2da7eeb261b40b4b2c8a2257d75b09b85b81d7954ac55313ac4990c54ae40793c2158cfebf329b267405dd2a5e76154d21d74edd4a1e086f0f240e71996a04e8f96ec8822bc5fc91838d17d97b03cab995833aad9fed8dbd944fc11ab74fc515fd8bc5c067424d32dbb99e49e0d42a597dd807317d669df7c08979dd647cae4b9d123a644037c68fd7b454d158b5128185b7a071b77453e29ef5183c03f3dac2758fad6673d17b95a42d428b56dd7acd6b44a15f8a6acc4c73d23fddfc44fe57a9add195796cf45c0006f6a24160dfb879862b011e74b880f5a4f5dc8053a1f2c7d0e1d772c62ca028b09cebac88ea7a8a1855996201674f2eb71ac526c0a0ec4493daf01a5516d2bf88bd81172a2f75fafb3cde2c92b7a020e0767cbdadf655755c3715c6bf9cc3df38c3834a7249505a689480ca3a978792ae9befdfb3f25e3dfec22a90d66acbce1633a297cc2bed975731fbc97c09da8942265336d17b13a52efff98626a8b7b188cfb9dfd33eb28763408732bbae7b80122a91ad9813897757effb84358dbd62b0133241ab9afa79e353f5e7db9163921d65efc93e408bc38ff95842905a913d084d24fa22359df710b39694de240389831e344e9d5332ac0c5484edc3a9ac612f668e4e78180109e1249ef5dc27cfded52ea37ef3a7d1d0288a9f7532fb9f3a380294cf03329628fe8fac3b8121130bc3dff51ed6f8300806786f9e505de5d25d687c402c0bedb7d41cdb9cfb87714ba2928bececbe1aa32dfda001707c784cee7f6464877ef8798c1608c487ce088d07308b4f1672fb28efad8aee845ff99e00db8d0a4eff10e7e0482e10d2d4f536b90a17f2cd0649958619a3bfc4c72654ab9a0dae3099d6958cc43acee94a4501524e0a9dd76700d81461ffc9cde222715d4c8917c2e53560b6353a098c948ce16131bcac5694846942657fbbd47d14f0b9e6e0e383e7d60efe2
d9935c04dfee10e22f474cf382329cce12ae8d210ffbd17dd0f1868f6c10aa34dc1fb7bbb7a25db0cdb0afcb3a523445564c6bc6c0f8433a6775881852d9970aa4203c9258a944274168899d5a815d665037da716d5304e4f26c289a46384b965f2ca5aacc1c8123b54c14e83a59b99799648814797784254e3fccca53790ce3f0c24ba01722d42baffc8168a36c95b5388def137e6c929e2ed1429910d138e791f8c45c37ea0b8d5f25dbb2b43a4c2e0527327a5847df44a214222330144d26446366764f816db2847bba4860f22dca28aea5bad298dc4e5888ce737b1696c952c2a515574d10d4d2c3d0a21232422d0d600745862a31513c978c8442bebab3e3efbc5bf0657270d1db26e979cf50ef7a3cfee880f77a0b802c7b371bf966a5413d6874d9111e7b98a972be26e28fa9ec1f779391e3a491d5e8695f73d88773a3d40682ffe1cea237fa5a91d48bd82d8ecd25e6a6292d1777e38be37ccc8d96cf9d191ba90585e728dc415bc406fd94e53c674071df12ea089dcd94f9d96b0386f726051267c96e5c3d7949e85502b5da43f10493baa2fd77a02faaca33558f78f09f00433ba991ef1b40c5999039bee177fda3ba5dc0925162e59a8e327c19e7d4e0aa8f1371070271e003ce63f427265b6a2dfb1d6864f8cdf2a9d0f8b38e57712b8543a20be5024aeffd250a106e783a08a5ae385ac9a576b3c1b09036c50f1a8d5699f1bad3d16968f11e9b1f54efdf3c2ec03a1f124ab5e5c453d19b939b68d0a339951b5bb55da3eb459c3f86a1de1b8b9cefe6e60d14d8c6143145e24a85e9c062a8f6bf5c9a51b2a507ffdf6f601cd7d10a7f3cb16f38d7f2c46eb2c1ebd205d5b60c5d5ec3d60e15189b9f445cbf29177b8355d8af6bad6c6e3adab39df71ee2cf90df9ab86808e62d1ec24ff2bde6fd56a231e4e556cc227f5fa6d617d549aed8e2e366013d8a2c2899a5c752620d54471f9cfe17b687fee42799eb8621cabf3b8176df654b20f348c9167d70e959221338bf47cf3b347ddb46e4ea71fc8250cf4818607a35951665aeec1b4684a9f2d54039b644e3ffcf5ef2a2673d97408fb9c5b9ee802867fcfcbf3ced4295e59e78365de8f38d98066bc163b755568bb02eeca38e04fe45b7809cc4424023a23b15e374e383d01e02dc66924847f372d8adc3b8aaddb6eaf9575f524251ca6fea93fa3357e81e94715fbbe3ce2bbc0c3d447a5118d859b1a743b3e8eebfd352fc50c28c89d9fbf2087cbedcddadd1993a35f71bff4b6e9190fb1826fa2b308901876165c70417dce16ea0c1975574bdc7ccf8d92b3e772b57fbadee74fcfe7b73dbef59c7f2e5ba57b9be6843e06d0c13da2f487840737a8dfc790cd553c693a9d1268a13acfa44fa5e4b4f0da376fcc0ec8294
fdc01823897f912127db76903df2cdbfb9902400c86bf526ddbb47c8e49b673055f70a7d90081cd31964e0519d504c171cd41ab7997916a711cdec24f80f8039cec9f65bfbfa93e7bf228351a81892e57180aece3e6b0ff3366dc6664447fae5bed381f629134adfcc51eca2ab3276682e5d9f677b301d6e6dcfa86461a567cb9cbfda3d2f91b3abc20a5a7d465d57c507fe9cad8343d64f51be630ce818ab78e92cc5408f48025fbbf8396d88201c042fd71182c3d5dd62ace3ec9231f847bdff19b7bce4e04d1022b32d46c74709aa4963166aefc5ad6ed94701d4327f394e1c9d01fbd3f25903c5020a8487963008f8e4eedfe9c8d62ca9cd72a96239b1c0427cb4e17118219b42cb897353621d667a538d3ba3e9266738fd2524681fd633c1f71a51286210bc793fc89c0f043866480b7e0862b7a108593b2e9f8d1fc62b7c67f50dff638f9318fa260f3730cec7080afd743641de7d59bca4d321f031f35fa616c433ed572a39bb17b93c8581b12aa1d251541bb5b21c63917c5b70ec65e957c59c643a6c0ab002b546dd970350be2a57e1a8f0f46b0119950aab3301e5ca0543532e1f08199075609f22cb8c8ffcba4bc81df5da4ba7ae6b111b4cd9c6e2e6c20ada232820b47753d6262c2b9ea61ead281ba0c31c3bdfc06b8a42982282a215beada3ae9b2ead9afd24f50bc2281890097791cf37b1969b45ba7eb1305366767eda01efd057da567431c49e79c55a58954f12dab8f1b688513f4c3c49a5f27ee53750d89b633779980058789d26a6b1720be7ca549de74bdb763f4db1a6bb860b05dbc4775b20ced871b4a9d9d877abef6c4bb39d368ef7e7fbbac5cb88212d87f3c7620659cf4ce1c6eeb0ea8384a6df2f291334e58084fc55a3b6d7a8351f625a71eece16fcb52fcca888093a040f5f157ae27dd79d26ae555dd0d219b58553db3bd8b48d856b3e233d19726578d382be3d123f8656dba5e61db14b627eb074db68d5a69c9351174492b50824824d3d3af79295f05cdbb47c8ef7c85d815bdcbacf4b8627965c07c8e1079f201e50980284f2005a92ba8215d06ef5efed591f5279f18a2fea042466d783e10864e93a54b8649bb4436d886c78819e927c163c769c22fd6c1ffc509849f685acbc5c6eabe4bfb2e2650bab1739a6953b27a1846464ea8f56a76cd371a7474595949b6fd4db076d44ceca31122274ec568c581d088ee7f568c0024a491920401f165dd1711a2f9b037ef4b4019d2272e19ed5cf4140e58d74ae1d93018d09fee3263e8119fc7a4809459c434e93d304702f110fc3a40dfa78fdac5edf2425d8dc1629bc95bab9327032598c2f553078187c3d076f15674cfb9e0f182b68cedcec34cf0490901af10a2d10ac8731f79e60ea1eb178a60142
97a5a3b84b80deb5f3b56204cdaf3a4ca0bca0083acac6d2a563717eb70b9d8275bb31dd4da25f6aaf3bb576152cc598399bfc1f703f9d65c7ca6fc45d7cd81912071a94b4981728bd3fa532dd3ab95edc2c8a8792316b7828c17a0a115a80ee5f7c632fa123fcceaecb311915349c9b26f2ed275223d79bac0c137671c3ac5f489b42fbf5b19b3a46ae22a72fe347d8abf11142968562c6329dfb942249b593d37d17f40d793a48189210e0b60b958375c08993d34e3eb0ba6932435cde73d568d81e0df7f76dab7c1c1f7e5b764144896fe5a819a4f0aefa099e1d84f8c11202bc141f7ae03fb4fdbf5b6c30834a4dcc7f9a64bbe14076110b9729767e5f31edbf5ddc540f3a31a36f4a332b5a24d9e0be54f8161b52f76b78083e40a663c8d20bfbc446533c2c4b78e630bbc94a24d9516018faffedc2e85fb091deead3612c8ab241b12647c2e71407a9bbef11c975edbb9722ab6174a9191c5f0128c1e0f4393353689ad18b96785a7d8e045adb801afe79000f18ecbc07ea839306becb862b1753fed504df009546672fd65e60a2b523ae7477502db75deb994452e0b3f7a841a98b8c0b0e828f0ca679e1fb97f8df292e2db30f756fba177545a09beb2be193fb3a1a94d34456d9071e634bb8a43309302f6ce4c338d439270c426baa048bb92ec139e50fc457db0f37b494c591f67115bc9c522152d28f9cad1610bffcea139bf2c5e0239d4f8db125f0c668768a02ab702814ab61b57e0dd839549cd78c1d331d3cf42e0e94359df9f9d8d4fa2b982a1977cc55a888805646231545c2e96a8b80c9dbdaf7b7644021f8dbdd8f3c373a72a9c5a8ad05c67f50bd32a96e19a606170061542a0b1ee90e3c75619d95416e1d2f6c76ef08f611882c87d096b2f84c1b5f79c728727e00b0589ff867824b88939c3acba96f59a3e308ef7068bd4ad8478b9f0d6d5c90c8d3fdb1bce0822fd4dbf60433d0fd9a1d00fad05b135b0fca522982bd41a1d32ca9e13cc2de1809e51e12b540df58cc4bcacbc39453e62effe1cba62a725b7b690a531a169b16cd4fb4230018adbfebfd58ec476742a8ea7e8ff7e56ab463b345a84299867f857de6ea30759a8dd093e98f99c62f409597f9a3ddd490c88133d9831a7ddd0bbc3536d80deaee38acb1ba95ba0cda910f4b120a592bc91504f4b0d99171e2c45d4e256dc03fede68ee1dabf8029c99dec198c4aaddb6817f839f1da74971267c212bd2269f8cccd32495e8f7204486d985987c25a5cb7efd639b1dbd2506022f6caf24b09226227d8035cea83b9cb821ac3fdaeda5f22dfb1191593f4d1655e23546c84a8ff482789bc92f194dda5f614d6986eac829bab2b7a29225bd5517612d40fda6a153fc52b24663368adc2edf56b07bb22f1b5
d526bffb21282c654a7795a27631f95d885df4c0bceb0712bfddc058dcbf3283a8b96664df548340466bd717329e6d5425cbd8f9e6442ec4671381b8017e04baf166d7b14ddb516a624ac5c76587a00c6502a9401ceec48269c4ebf670bd1caf4613bce86e297f9dd0022408af5c7a7e9ca4a1a2c7ea506dccd7f840eb4de4dd3c734006cb85e9a0539f988ab45f593d1d9606122a2f106e9f84f52ff91797076103d042586846ff7305c273fe8eaf053f6f2c7fd4f118134a8c824bbb27e3191a8b192555c6614908ba5436a673830c27a63169d3c69d3f7e052a6b6de6fd2a544572cbce67f67a3b3783f4c8db2271a4a13c0355a92c6b036e5ef06f53323db1432bd5bed2601544387dfea3f5ed9b252fc9a20411999423944fdc2d163f66ba1826c7bd6da8e895efb19b4fe0f2038142d7665fafaf979c56352940b55caef5f8f881db23060ddd71f99fcab6bfe412beb2a17d106fa450914aa7920cb21267e16cb4943605609836149f1970d5ca6f311014d5b691c145ba81b4ff94c72fe150ea49e56070cff34abee37061e871aecf5dcf9f91b52a36eb993c6789f021be5170892ca80d1c2ad5bbce3ce406cfb412bd66fd6442d70ebe18cdcc2958c509341f0510", 0x2000, &(0x7f0000004700)={&(0x7f0000002700)={0x50, 0xfffffffffffffff5, 0x6, {0x7, 0x2d, 0x2, 0x400000c, 0x7, 0x6b, 0x80, 0x3, 0x0, 0x0, 0x1, 0x4}}, &(0x7f0000002780)={0x18, 0xfffffffffffffffe, 0x4, {0x5}}, &(0x7f00000027c0)={0x18, 0x0, 0x8, {0x101}}, &(0x7f0000002800)={0x18, 0xfffffffffffffffe, 0x4, {0x50bf}}, &(0x7f0000002840)={0x18, 0x0, 0x3, {0xffff}}, &(0x7f0000002880)={0x28, 0x0, 0x6, {{0xfffffffffffffff7, 0x0, 0x0, r4}}}, &(0x7f00000028c0)={0x60, 0x0, 0xa2, {{0xfffffffffffffffb, 0x0, 0x2867, 0xd7f, 0x2, 0x28, 0xafb, 0x7}}}, &(0x7f0000002940)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000002980)={0x13, 0x0, 0x80000000, {'&,\x00'}}, &(0x7f00000029c0)={0x20, 0x0, 0x41f}, &(0x7f0000002b80)={0x78, 0xfffffffffffffff5, 0x5, {0x0, 0x30, 0x0, {0x0, 0x0, 0x9cb, 0x6, 0x45ff, 0x8, 0x7fffffff, 0xffffffff, 0x2, 0x8000, 0xffff0001, r10, r11, 0xb, 0x7}}}, &(0x7f0000002c40)={0x90, 0xffffffffffffffda, 0xfffffffffffffc00, {0x3, 0x0, 0x6, 0x4, 0x7, 0x6, {0x6, 0x5d, 0x8, 0x0, 0xfffffffffffffffc, 0x1, 0x3, 0x8, 0x8, 0xa000, 0x2, 0xee01, r12, 0x6, 0x7}}}, &(0x7f0000002d00)={0xc8, 0xfffffffffffffffe, 
0x1, [{0x6, 0x5, 0x5, 0xffffffff, '\xaa\xaa\xaa\xaa\xaa'}, {0x2, 0xffffffffffffffff, 0x6, 0x7, '\xff\xff\xff\xff\xff\xff'}, {0x5, 0x5, 0x6, 0xc828, '\x02\x02\x02\x02\x02\x02'}, {0x3, 0xa, 0x1f, 0x2, 'bpf_lsm_kernel_create_files_as\x00'}, {0x5, 0x100, 0x5, 0x9, '\xaa\xaa\xaa\xaa\xaa'}]}, &(0x7f00000040c0)={0xb0, 0x0, 0xffffffffffff51c6, [{{0x0, 0x1, 0x7fffffff, 0x4, 0x80, 0xe, {0x5, 0x6, 0x9, 0x0, 0x80, 0x3, 0x7, 0xffffff01, 0x5, 0x6000, 0x5, r13, r14, 0x9, 0x4}}, {0x1, 0x7fffffff, 0x6, 0x7, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004340)={0xa0, 0xfffffffffffffffe, 0x4f4, {{0x0, 0x3, 0x58be8e49, 0x88, 0x80, 0x2, {0x0, 0x7, 0x8000000000000000, 0x6, 0x2, 0x0, 0x81, 0xb, 0xfff, 0x8000, 0xc093, r15, 0x0, 0xffffffff, 0x9e9}}, {0x0, 0x4}}}, &(0x7f0000004400)={0x20, 0xfffffffffffffffe, 0x4, {0x1000, 0x4, 0x7, 0x3}}, &(0x7f00000045c0)={0x130, 0x0, 0x6, {0x7, 0xf, 0x0, '\x00', {0x4, 0xfffffffb, 0xc3f, 0xc6, r17, 0xee01, 0x1000, '\x00', 0xc42b, 0xfffffffffffffffb, 0x8, 0xfffffffffffff3f4, {0x7, 0x9}, {0x893b, 0xc160}, {0x3, 0x6a48}, {0x40, 0x6}, 0x5, 0x0, 0x9, 0x3}}}}) r19 = pidfd_getfd(r6, r9, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f00000047c0), r19) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r20 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x70d3, &(0x7f0000004800)={0x0, 0x87d1, 0x200, 0x3, 0x92, 0x0, r19}, &(0x7f0000004880)=0x0, &(0x7f00000048c0)=0x0) syz_io_uring_submit(r21, r22, &(0x7f0000004980)=@IORING_OP_OPENAT2={0x1c, 0x40, 0x0, r20, &(0x7f0000004900)={0x8000, 0x190, 0x10}, &(0x7f0000004940)='./file0\x00', 0x18, 0x0, 0x23456}) syz_kfuzztest_run(&(0x7f00000049c0)='*(z,\x00', &(0x7f0000004a00)="f77ef6bf4c19c04aa57c4c2ff92ee1460ebf0e57595cc355aa22679547ef84499ef99d9bdd691a9a0ee19fba5fee97d9a92bb7ae3d754a98456cdbfd27da20f977f4bf4630c3ca421a6acf8d9f81d293d3a0b02327e406323e773c64b865c2c7a10236fbbbb9c9eac5d14f18752a0389a5815964041b844f71455ea12ddc9dcfb6e900a3665758cba3c7", 0x8a, 
&(0x7f0000004ac0)="a58109a5e0dab93137d420471cbb19fc28b13363208467ace8722160a2bd5fa04e7573442cee6621bbaf3e0c408199fa9834f59a314bc375b4a23459d2020312ab4194c9fd9c5864c82edc3367a0f8cdb8a0ff39b96fe339e352c903af49c77365b3acb2eb431c8d988b517dfc639532eed4ae0b4ed9c64d53b29a18fbad20223062a257aa5e183089cbfdaa0c46a4b8ab8dab0990adb18eb03e5c0d4d72ae0de6f67dc96de9940f710684bcfc0bd26cde3ea3fce39ee9d71faf2324cc661626b1b6cf4189a0eef57977918a8b3e2c135549e367e4a7d2527e24cb424d663f00266d3996d6fe636e1a9d035a54ff46778c6b0d18c4acc3e5b23a5566323e1e0a256661d688b18da8298963f74441acd2b82ba472242de35402df8f05bdf0d54b383787dae5ae1d143d21df935fd0305a61f83cc42a45ba77a5317948705b59fbbc921815cd56984c44f89d8075bb7bc5afdad2beaee82b73df1eb95bb0389c04a3fcf33dd342b8353fff76a627d69c5a76bc39bc57c99732ea8830e692bc09bef94da07faf89d6302deb5111ae54523c2c16a35019d120b871e797a9a9f12e2d3b73e6ef1e7b9a4e8048e36b3ee1721b98743a96cab0c508a6a534058b341f4d917fbbff140b8c5b51b8b42c605ea4d2b0a935c501d5b9ae3f1ff3deba846c0d596308f1bf3e0496a7284732d79555c34ac567d731b4677e09287ea315b3eedd503596c4c601210d7ef8a6316359183e039d5b211db87457ea44f43384e3c37e668ccb54964b12ea874057cb6a75559812d939bed5a168e7ff02f22facd5fa33e3067996282f603fc71676d7ea9e38f7ca727b18b933adf118e8bf652cf36e2147b97fb298671a62480065d517c935c5b5d76014c13aefa1a7606018648676eacfe90065aabdeb53e1289471682cb6a1f3efe7d1ca73fe8ad262442414b266fe7dc1dfa1ec7135e9e64e1bfe49a1bfe7ce3bada05f01b47ea14a4c92b50654d7ce442725dae73d5e93f722316920670e213f8b09d9da58df0eecd0b0d98081d5355300e0231a0543793dca00255f3d189b046c999f70cdb5d4043594a486a23cb9c78fd4c0c6c3d9858de57bafe71fcc1cf3327a63b0d841bca21c72977a80c9f4d3dee4c10baeeecf7ccf8071b1f618c749f3b0fc699d910e5282a431a9767c064c7010bc390f8285035c462ef24c879ef11f3e42eb1513791c7da91608a95e5e2b4803c946dcd77b7ce004a6d8c6274ceb2ca3e07cbb1c41d70522c6ed156dfc3db146c3df4f2cc286f4bfe994e1d7e20cae2bab653590845b7105ccc12773330b05b52763bf42826fe3badf907716d8507f8e8a17e51507a0a9cb37e6a663e4c17880e21736f37d17f173685161cb9407007eef711927e6c3ddb5ed72d
f605cc1bf3b92af0a86ca60fe7f042cbdaeebd9a419b144d2772b10e673f1538c798b82f48a143abf4dfdb76f747517a13ab1f35e598586cf6a7fba9371b0ce35b14cd7f34685ef0c2afa71ce7dd13b4c31732a98dfba7bb9ed0dc35a8905debe4f7bd03bb2ee00ff45b955845a3a876dc0426d23a2c524b819aa04a671fa1cd09dbd35b6e63f64f9930b1f4ee1032e46adfbb94c65bc3d9ec61b6faf65e76a572cb3173fc3eff366435d99a370971c85274736fb87e72bc74e2eb4b6a195e4c7c4de5ca2d65b0ba4fca7fb335ba405b8f1e5ae24bee8d554d82a42d50fad4db1bed0570218f5a47a2e156d76c0956cab5c3a44d63abbd2b8dd54dd3055fade3c31b5946daa3cdac4fb507b3445e2a414d35044938aae903adde90f8412316b2a3b6fca7a908be62eb8c5460f3015b13b5ab43822538cc9b860984a4a257bc9ef6f7fd9193840c3e46361a1ebfc9117dd57f0d7e1cc21ddcf1b17ca21a8fe52108184730abcf9c0be332ad8c37fe842f65a54e869db23bbb6d44aefea29e1ddc32788d242e46989fe3ea6908056591ae9ed91efaf199618a6b6362892e55b83f83b80da9e0e716a2c6e42eaef2016de831f76a7c73c2c8d847595e03dd51a0e998b74b846b8c1f7ad4c528bfbe594e26b66b6fd9ae5c2701f1e1924a449634d64171d2eb2ed04c5accf540b477ce77474fda9fdfbe294b1c1bc051b8f3cadaadaa79aec8a99190afe7b64499d19e9dcb61f3d63c01810726b4956c28101070a1747de55f9baed6ed3bd4dccc963a2a882028bef5805a871fb35586e124616bc141f1c2db9056ac2bd367789beb277dc9583777f5708a95aebca263f57d96f70783919b012737c2c64997b154a26d5bb01fc5a288dbb01cc37e943114cb4d375bc82dc48737e15e209b48cb9645f408218751ae62cc86a38f37df83a0130248ecb35c484353408a343a02704a56321a7b46b6518ba59892b5839319d74f4ffd52efff0b25ab63d2bd33dcb193b785c87cedbf9985b0cdc7a105850f8fcf601647f299b6ce3da49bb042a3d6705a877a9fa60d16a946f2ba38bc73f03702fe63fa12814e9c0ebd6fbf41e55a88b275933d221dd957472c4e0592d2f1bea33feb1a1947ce0391b23b46e1244891d2507c0fcfdf60213e2904246fe0022db77b15466525a8e074ea9229f11a2ce2fa8b3c2184e64f26774d723a01213a7deb991b30e4a18e42a94e26e553c465b85397e8344c87dac3ac004b6094da9ff287b9100f770c7d5b919a22f84fc30534162660ecf71bbff9bff48ce42a1fed6dfdf2930f2974e341f6d8b4e9c551ee437934702e6bc0da5515712d7be5a6b49ada3b6322939df6fd5b319475e8312f41c5d37f52f82e7598d7d71f3001d2db5431c5520ae57ae3c7cc495dab
8b7e8d04e5610eb5111184a857af2f0723a52cf4c602c6fe47a3b6f7805d95712ceb22e24860d6a5e17cfdc25ec795a7089ff927da535f2be46da244e3569712dabb82b007e156a17579217c5fb8b43d28836e9d280726cd7192ba8f018a73c129b09479ec3eb2651104f56719cff6adea42c320bdd528d6ab33bef8c807fd69e055bb1c1c89547d34badd8fc3a064eb7abfec85d8d4396cb221d7767282ed873561a7263cb241303825f1fda618a9e64dd6a4299581e7a2eec9e750506c20504ba2abd8856bcbeb36a17a63cc8c77619c29476bda703bf3bff6c2019cd8376713970b56f825fb72e83626c2bd6805031a2945ea9efd2f4780ccb5bd8a3607ba78cd79115849f6d95c93eda04e6fd8857b1f2ea0073e5db2116964e7f8d1d35909a3ef8336e07e0db4a93f5c902303191436b2623235b3c694eca299262184d983ba33a0bda2c04ceb8df35302ab079ca7ea4b52102e39593b2c375f10fb7906d10ef3c9149296dcca884c0181bbc3304519f797685038c4e66f90f414797f389334db759641025af4848af615061d903ce2146e4bf7936dc4f2be7f420ef7561fb341bed654e3f93c1253159f76a75d67378f5e9151f8b665d10676e848329b007ac9aea4c1b37c893df05e9dc2a631818620976190acb08cc4e413b1f371cb2601e1aaf3c2a4787b9aba6e11e838cc41a39983101825627f5591b85ce06044c61f5d6c00ffea265340c675a2171a31da662b7713eb49204e4fd5d478f3599dd76952a7d4875cb972fbce7a59165db90fce3ec9ce9a0311abab969a9e24a8eb5a33887835b198bbf51a857a70455186bc5f0e65660fadb5c7cf45bfac5046931b24ff30b32ed35a6abfd48efe4ff29cac0e03c9cbdb90ee70718fdc5f172ce01b680c30084ef62a41d421efcbba1077d88c6cb5d8f57cf6c896d96e5cac28f85bcfa21c5f929908d6e66f1e28063c1fd98e5079b60d12559bf6a164901337d10e0bb16b9d43b719bb6b482036eee61cedc39b7773dda85ea04826b8669b3c86873ca24d10b61dd16b6a54b7c416deec8b0287ca8f3d2f66aa53012cf10f6f7e2de8c9d63551485d98715337d106d6ae2b7a48f2ede892d8f04a9116d1d27765d4863ea0d2efd68fc1b8a39260e064e5c72ec53d18107b1ca044fd5b42808d71400b1526efba0ceb57c27e53f29327b314901e177564f92988aac81fa0780fda44257056bf6cd90a49a56f942f84d5b1a239d5067f00d0f4c3cfa7cd60c1a90c409b813aaa49e94587bfce1fff62303116ddda4e75bc058b06f46d58014083a4321c3d1a6899425874bbf9dc195448c0d29711c23a88fbd4351e457009a10d1d2ecd47651c5cd9dcede7f8231063437cfb05a319bbd6189d794c6f5c99b6278941c94931c876289c
e33b3e3bce842b69689b9aee44a423d2d429d996c6bb6ceeafccb15e1f63366b790d68a093a85cd6b5bd476b283e17be3eaef83b701391d728e518edc491652c06e0a93ee98803f8fc051d90418f905344b5dc6585e2ab9ae7b8c9c8ffcc98f6a76ab30f337b5cdf14e99e353f152c8c30e98acb4452d7edd261fc1f176f9b5c6a4f207a26caa9da306f9c9441f88d274a2f89d8978922bd2af4d1a98ddbca53e08239f0e3ce8aa8ca7f554fd4ad5b84f12e4a6c44a85d8a649f461ff01e77faa59c6eed9d62c73ff34081a31a065f0a17ca7ba63c5fe753f5c1d7d4e11de3568409ad43bffc4da91b22970340ad4b5a5e7dc4574a4d436ee50745ab58b1f06a61ab3c2b16ba2df015be8f1237356cf133bca98ae7f78c87391ab7fa80edbd0ac93348019cf2db466cf046775b21c8d2522a6208b3db796ad26728e4bedf47c31976cf2f1a66207f9ac46c8cbb6cf005642d991fca160e9b259e422e565f510bcd996da07c64cf369d7f7348f61f234349b887a41ea2f98ab7eebfd3968762c50d84116bd21b0103581b54ea07ba388b96fb66024c9e208e506f107f7418884edffdb1fac8fc6ef9dbe021e9c9f8f86a98dded8c81713fcab3efa63509d188a3576f824cff6c5b622a82b6cb74e937f0957dbc0f55ad3d0b6573a7310fe31098bf875eab3b1211999ddac846e5c202a7262bc70e1568f88e349c6d315d39f2c30a2c9db3b97a7e6a3cbf45bb675e3cf75edf033d7b9a5e600c52c8e7bb899de1ad3d98b2ef30b85f1e5adce2837cb1e2190eb341a29a000a03b46552d4350eb6ca5a5d826c074874708580e4bac76cc11f88d368d531ff7248d3f624f2e409d330a2696793f58f7736c08c86d28a3225359730346be9437f035ecd92bc2c8aac40b2592b4c6b79af380f49d811ae459173f5cf917f63f229e87109198b6cd64f6c303a4f8a40972c837e0f51ff047bdcf4bc5347dd748756b295a921b652ef9fd55bed20f7ee4054b45214e54a366dc98ce23ac69fd75a3dc41691de2b0035924fb5e7d2d9ff777d7b0207e9398d1a6ab8496fe6245dcf3c8e6f745622a015e339602caadc9001c30d89ec31deb8cef3e15488d26c1704e30982cf45c9df58e293cdbca0a032da51a08df5d2fe0a93a5ac28d3d512d684be20f62fbdf066d345ebb642733de0331b2c9ac7a6001f8f6d248ea197cfbf662d7bb620d996ab31de7c4bb3ea1303321530c7f63d6a6fd53d9fea3d515f107cb881eecb0d749f84fb687d98cd27372fb06f49d628c4750edcc6b2bb1cf6c5d65c1650e3f8b759716f183314e9f7afe38cfe54fdc4768b624a7d054ff45588ebcccac5ac65b150103976625cdfacacab24c635eeaf40d99639585cfffbc3f16908336425ab7cbd0b6b4dae4e0ce1a0dab2
592900a988638bdc9da5b824710a7dd7ec9b818c01b1cbfa687a4428d293579b2cb0593e5f1b1abeb116ecbe1c0c6ac5a2b3cee613676c16537391883ec7792f75b04e342ef1dffe504fdd124ded4e4fc547cef5c60ea3433cfac40ee734602288f94d1570031df971b2c457dc366e77b799dc14e002d29999c2426b124e1992dcc1618837d3a290ad7f892f8461634e67f9afa1b6f841827b289d1c82177f9b035ed14e7a2671adfa1bbf3b6737413364c49caa5dc32bc927143527144f3a46d19735aec0242a80e7ebabfa1bf7222c60e489f0a8706ea2ecd66ce3f9d500129d475c7eefe38545d0a696c8c8f01bae8393c89adbcb85e6eba1884c674d9091078d4c3759b25e7f511d4fbd70d3dac32352328c066ea2f81cc7f5427508270145ebfd80807d9ec0a6cbb2219d69ea0a30d5e20f914ebae00a9e37e49c6c611f17c799192c7120f8f89e3a316f98f54d36078e794464941fa43822a701b55ac941dd30f882d0795b9c9ce0e86cb670fe920d4f6fb595e657599e6da0f7de097c0193cbbacdaef6c3ee2294ae7217311315ac073b6780b6365e6a1039526eb313cc5dcc9dac4aadfdab4efdbff316d59091231cd1a54d6c6d644c8efd2baa527dde2c7aacb9dd305047d8bc04d67a7cb60d0270cc4a01f2a6dc9bd5bf0d5e0c52f45721e4508dbdfe9d1a37cc04769d82015844d10e74defdb36973ce0fe8a08ae859bc8d1fda984c99a6be8f024d99b6f1fb85f390cb2166b275f7376d5460c9181116b91778a91ffd5ccc4acb50d4e1d6e241aed090b7053303ab6ede389eb0302f7522e92778034d0a9a0bd5f56494734d7315d627dc7e9746ab1be23a4b4e6646b116ecd04131c56c6ca3a18f8d3754c35932ba5ecad1d5e0b5c37bc4519dbeeb4b9e7ad044a76e364c89bd52a3bc2fd089ef1229b55a378faad365fb36a6d363e0263d378f06862b7c6e16a0ae886b9b5392ac4f9ddaf86f5de4e463396e99de388cd4c346de1038a46b339a121a07aa415aaf8c76ca129a33ce42e00d59776e9ab89ffc92a01665bb5a10709c644ca3f8d8eca20029173a36b9d3741190e0d296cef78012d90962a4db05412c154f84f41a503ba3cf60decdc2ce4c947b4e379a4627cb5c09525e60133e8f80d1bd9201cf39762b95f66a40c62fcb7362293361319265d687bbd9cc645ee9e7125408ba40ee6f1e63b4d546f14976967c21cf74dcd824a73d9bd7041befbcfd6ea0a8d2b7758fc85e09baaee1bbc890d3134253e9b0491f719d8812532d65ce926390fadcdd25b05f45a61ae8e61e61bb83c8f9b6504312bde871b10a6c5b487cae61dd249ad157234ea8d28e136169f0559c93d67315ab3a67d947ca9b5551cb6be93dfe22bb1aa07c7dd99c493d0623bdd3650f09965054
ecb738b5d5740322f57ea9f2494622f10a369f1dc8d38468b21931a5138a9fbb7814ea39d0b914a2c3fda44c1c63ed8725986fc07567befa41ca21adf7909beb981ce3944d4af2917dcef3e4581a6238a5280d7d613ad28528df86625ce764b8b03e26454cbd5d74ba7e047fa6715399f12f97cc5d0f74cf6c1085da2b86bba80a6354493ee32d9877a7c315a7f99b59a3831e61704086158fb751ea302eafc5bad6057a4280ba67c564f1347a775e428548e6e09bbc160eb1e8b3e40455390d59dfa1f0de5ab2e4f8f6decfde3cc1ba04938d9344b7a9beb36f78ba04dc031c9fab5c741da098cec3aedf4e253df7711b2d9cc38efcf310b6a777b8de675288d6c90786eeecf935f437b27738cee097d4978a9eb10c1ad686d5a4d739c85cb92c7694a5ce675beff415abede4b165881ad5f9ce9d0a17ae710c8a890f53420dbfc9f3935a8771b6a48324c13a6e5aae85dbeb26845a9469f0187793d0faba88ae60822dfdfd9f2f2921b863046d108be2f6f809c95e5e3e57413cfc0fc94a6d0c95faad1d7914c454502ae615cf562c86c8362285c35e7bc011fdeae0f402fdb813964ce1012243a791868b505bb4a62ffb9c2545b5e2d39b2696839a510f0a1c41ad45da72de7a077c39a24312b8edd290d0fb6774c6d4a47dd3a6f4856a6d9108af7d5042164a578616ee49dd3a1cc74e8d083cae83bc1117889f9744bf95092d70ca295d8f66a1a18454ee9ec6982ef1a1ed9550a87cfeedfe12ca5b7cd9099591f6f9f978c938640a4fb880fb9b61ff04b8073857b18c87ec2f038febdd6162909523fed57387bf0aad4429f3ce8b99663cd060bb2f9a09922e579ab34765be81b0aa877d99d8aa0ab0ea03ebc4cf3d8e4af1725651386ad6dbfda41888a0dd20c8b2de01123bfb8d496fed4070056c666004cc73568e760e2276a1baee496a5c836d8854dc3ac3f645f5433ca815b580f787c3864b232df3d372c50474e45640d8e2933aad519fa64cf4fdfaf029b41dfa454f423a8a8d4655290ecab35136ea1fde850d3e7c67937b909fdf0de0af7a2fcde657a601b970471cf992e4e2ccc8df88f7064911024c0306f59734ddf01e0c864f5c314f658588aa179c1077d0f2804858359173cdaddc4f9c15816c8738e6aea3a83c28a12e1f1bbb9d9b46be631268aff72b605bd6115d0af106fb0e362f82170f8c2b0f67d91496a2da8783105529c996af674c80daed482297dee05d32bcc55e046f7d81348946cd183b63e34ca25d624a66e448bb8d532c335eaaabcdc2ca8c822eb6849cacb1fb0039f90fc0f7868327e9b3474880c15030ca2490e0de01e254e4a257d730bfdbdb1897e37ef516e2af7cdb9108308350f77bdc500a3740d181ee8e9ba6064f6af79624512b736a0396
9ab5735c247f2b417b87597fd33cf0cd406a42747f938d871186fc6b20e02a0f379834d0a2c1afb2d07ef20e857bcaa16fb795e66405ffa3867b35e88f54b953ad8907d89b62f56eb148cc5a051f2cda1f4774a251b9f9a69a1c048928c4fe0fc24f9f77ec55d864e9c3b6afb0ec5c1832e8eb6d560c900a347bd85f7d017da13daf645667db3ed1dc3970b5a5c246858d556f5b266a212c2d70e7473c359e967879bd39c574d22f17402bfa850a0eeed253035c4b79209d95ff3fcfbca84e14412953c8c690708699a035d021a2a61d317bd19ed34418b5ff4bd53b685b9bcb0eff6341eb2c749b1896e2d4f14b782b0a43b78eac491bf1c49c9512d848630d7d7bd80b9356bf60540c8465f7f6b0920ca8d7e9fdef6d64bbd81ac6f838193b8146b047c7ac4b934ca28e742eb73b4d3d2b6bb795a74684192157e4a1b0192c3115f49ae45f06296794757b27c19f33e0f3ee30d756164695ab589aef025da931b2c3153220b7ea56043bc27f806affb93296ac617f3abb21a2a34f96c7257d1a8efbf252ed417dfa42886eaed942cd06c3281e6df3fba6a2cec9b90ddb63ca533b21aef73bfb8db3666785fad461b7479688d8f5530018dd8a52849a8c256f4aa86460574c702b9bdc1ec1e6bc246913b8f2686f697b0809b9f55fa9b8521d69b246cee705ebf7964c8e9200b6600b488033fc88a834b00efbe385326395df0f530f34d1d88c6a9c605a67ed64da81b4021874bd8e66f96953cd8bec7b1eaa4543f158bb4e1027895cb8e8c8ea9cfddde92de0f79387543b2021739b1156b828ce23ac3ae6aeb250692b9f25733207aadcbc0aea4f46ac4dc8cfe8d53b5839e9544002bff2a791ddff2b3bc7efdfae13842732a8bfb7d971526f6ca2998f9287fe03397e01321b3a13a128bb61689534b06550085290c7f9202b07b3583ce0461e9bb3716362bcff7f28ced83aa57311c7dd7368f0e285a9b7ef805ae8d43406d70e753ecdb7f9ec942a0370f69468583615ca7cf746b497642b8bd3545d5218880f6a439e4b57318a6f9b11f04def62c91d7d39082209687d93bad79f4cd874f5b9f9615ad75bf02ae6689f4142683212bf4abdf2662259dc3007002b791bbb17caef153e14f0999f33ef3e9288401626e2d4acc4040f735e88214454a59bfd412b090d6c3e9ffb1e0512cf033c60fbd04ccff556e8735ee57bf3e78870bf8382d85f51a9afaaa8d23eb7ef95cd64d2c14e4df21d675379e8b62373d11b60e4c3cbfeeef453048bffc69e13dde6bccdf3a598e0c4954b3c91f842e8d48da9ab294b49bf1e7c085c6eab52d9529c2dd4244f731997ba0858480a17d125e3e735d4dd1fa420db3889e57a6f00b5d88d669d837fe46978e99c8fd3c0daa663aee7442868a7be6530
f72fd2da551611641530967d5e3f44fe15fb437d6675ba911a947804a92495d57fc0038e9f4956846f0ddeaf5c7173a4d642bf70f4c4a09d00a67306873e2e01fe789e16c334949cc4bd802a5890361eba8efedda780afe2026ce5d9da88bb9a5c01f098d7a45fee1c213db3b1421c4d8bdea3477654e24bc40b152e9871b174e3a94d6968b21a24c1abf795edb89308fe666e1b22fe4002b8c419f98c1244e0a032d18f0e10def94a12b4b38266489e34ad7361af7a860f8ae19fe08f8f76e5b458212dc62aec387667342598f5bac9c12c57808e218c85822436ff75b12998078373d1f7a0c4076b5d0785df6c0a5c8af9422cf89058607b69c701712684a30d4db89f32334ba86f5ca420cb38765e612237962292066772b0f407d0c0ec346d4eca1bb80bf8cc68f807d0f59baa4f9d5f505e67737d5d6b7d730d6d146b604900563067893d08c31660fffdcde2c57619f4717b1086bd14c417c3c893e777a92a2a00cde56012bb1fda1ee20c922417efccc828247cd4e3d62aaf1e889e0c7862474288c8bd145e7345c3110e941b5113b05d84d1cdc54c8c8b1cc3f2b93ca822559cbdbb4e5629ab98b6cd9021c84f385415d3b3acdc4a751bb22fc0f643bc39c03264dbeb81dfc7b1953767f2c5db305c18a636ea6fcb5eb685cf38a0539bffd437265b966f46c062291cdd14a380bda6e7b31301b8db274be67a2260865c5187660aef5d16642102a7c61671b13505909173cfdcf6c1aaa6633f4730d2cd0c8500e8cebfea8bb2241daf9ad9447c67569b31abf33e914617bbf1d0c4342507be61144ff0d3eafeed6776d60e07f02cc120e6db38245ceb8f08ae630ed9e548e459878c84abedab3176030d820d72eca7808688868aa72324834377e201f42b6e5c017eb8ebe2c2758720823d645f37d33c072955cdcad179dcf14f008283ff3a7382296e9272ccb6d3ad0a1163cb970ffd1d5dad50b31f75733f792a7dca4fd13bca3391c90d7828cd044c0e72225f7146875717af9ce4e65a06f8ecd67f1899b4cab06bac1bc2e4944e62419ec9fa1b0735666e4f2360b9fe3b51cdc4d6523cb4f8820c5bcb8feade4cc2c09533cfb326e090eed808040182373cfc2619662356cc5ff8535df5d03f68fa01020f149d13327554320ec2b199cec922d0d7f0495e3bf5a35e9ba8cbe717fc2d5f2d7724b7016cb07c3db1f06e9dfb890b45a8cc036422739771011c4a4124b1600c2cdf16fb9df3f76ce1b31236ef41ef4c3d085f9c8f44ef82bf042a1eedb77f515489c5cf7ecc245965dfd29b9bf27664a5684ac5343228e42bc1779ad40476ac8860a59418d683568a907f678471ba9df5a7ddd28d7058609d3e577fc1ad425d8707f9503718859f28273755924876d469a1fa1f447b76
12d2b80768ab044dfa3f662e969885a82896dfb88707aee9c11f96c8c273cc87facc17778e5d1a1d0d2a781068a56e56c0d7421aaf33167cdef4022802cc12ceafc99948fa2a02c766758ed98da6cfb3a2148b9f78095dad01e35bb36ed8d49af270ebce76d37ca39e7ee7fc614dbe7e85d78f4619888289b0a4dd2f965e8314ad4069b6750fbcce00e64a3fc33119453227645b8182078e6c813db7e5ab787fb990ff52ad1033ce56a2c849fb8fbde6259a6af5fae321ec771fb59e15c052b71336cd46b8a993e2a335c64f25fd588f1463247fea99bdf9cf90e1f83218c4c43e97f0938cf991e4a735763e565918177b951071df51c3a17dbbe319681912fb4814bf47c9830697aeb7a5a923750236479cafa956692d983d24b2e848052af874df7a8cb2987b7a80c10cb4266fc47fa7603f56f0b8cae45cde5632540a7e6bdee9a44656adb538dc504a898f2a6bafb396239031e70081eff03a5999f942db7696a8da01c99817a71cea8129cd27f7fbbc6f171034a84305cb33e08e7d9979fe70b5dc18da2db64973dbcdb085368b18aed290f36135d634343d068fcb94774b0266cd45928406930994702d39dd87326b2ace2bdfe10bbe9ff1044faeee498ef18182f228424f53abd6b70ac64c907913956b4241a4d98b6f392a61a984d98020bd7594ac09ca269eb7dd86261021b5f1aa3772cee8de11bf8512cdab489ad67fbf2f6f86c124f5f781b288344d7c6117e75ad3bc097b4d17026aed559de65219044a8d5aefda109dca57011e888183055ee2112453096028aeef3196b8350ce5c7af28ae0b187b64c7b6796c801d93f620f9e8af2499a27e5a59ddfa907e826bad8c3b46250ac1561ec0e21fa17b72565f3fe1b0a369273de5bd04e65512b41333ed743a51a57d8debac85ecc46a41408b551f2f46fcba4babde89d353e654a1f7cccb06389c4bb30dcabd5f7f468bd6a1eed6933f85e9eebd0348f1c4dff82e39a1a198837f8aa69c6251fe1d64211e379b1b84a1f2f430db7d158ddae9d0d2da1a7aff1fb5cfd59f0c6b8afec6f0e48c4ef7ac2a764b54469d78fea5d9b2b5445747b69d4f70e9f980928b816e354175ba1291733844ab959772eafb60a32e6eaff4779eacb11356385845e4a2598688eee44b54af6b0285fc7fc5e2b7297398ebdba3190a3ee656f54849be33da2d679700ec4f78d45e7e3fdf9c67d822434dea8cef46d34148277dced030e80b3214f3e568de522f744e66c61d08165aecd311d86d3b343a33e20c1cd965fc72f37a34a63f1eae73d3b03fa704589353f586e202c458234cf4d52af8e583077c784229b3db98189c760c97b3f02af5ed34b0b3a87ebad6a2d47fe6c060f9c08c573549e649eb894ace871adfeb681bd4e6ea5065393afb
66cffe8c025c18f398a373dd8ba0c543f9fcec2ec7fff239d967b1c1d17ba2bd7fefc473c75685e844ed73703738c25bef71ee392f70d5105fb6c477e254d0c6e42b62906dcf7b74744899a0f199512a0bea3dc7d1ed1f64d316fc1d8aee157b3e22d00c129fe798a8d3bb1baac4812ab9c3f914a080e484b3894cc72dc2113570660106741d08c8f0199e2196866a83fa53b304d36cc682f11f7c925ed532feffe9db4f855eae8b1ba9cee4463b669b5cd91323a2d51e72e24aa292d2a1579a034b9a39ac3711ec9974ff6f91375e0a91975ea3259964156329f47d6fe8d6596ebb46feb7557bad5c3c7492745bd7e214888174cd1573bde3b044b98437ff6917366b1d07a445b95c604c098fbc25f53712ae786f56326d9580704ee3b44d1106f7b7997e37367e108b46886511019cac3ce31d759c267e067e8f2518bab84cf27bd430274ce4f62e9741effc8447d4f7bf98881e48b94c575e6304a0015f10ff9ae6a942d0a410595f55e3b9a55460cf84b0590ab869aa4dfd2b02d248040214a3549b9031ef29c639335f68910a65e105fd83e16f7dbbf76eb9829935231ba7409c1b4ac81f20097a0e60eda384adf185e64b056805c80eb485aa975f35a571b3de5b7d6108e89049d1a37f121a3be8818b69c6141f342fd75f7c5ed80aaf42b9152d8356716f47781de9e63e4af5ddad120d1bbf7bc68a2f4e5cffaf80021606949e4e2311f6a15df4eae8a2d6733cd77612115047a9aed3524edde7df72ea1c3d976df25dbed5e7ba341a7bcce987039f7b99a93d13b2c14eeef72ff7b4611c13b37e6f6ca2d54bc8756ef444030b7996b42b8f58c9ed18f7b719378fbe94f64baad4273c51efcb2beeb57545490debc9bea9450a8d781b21376f6c62c440940887af80a0ae87c17d624b9493e37402dc741c65524ed09aa115b43967ee8153966b435ce3f204811fab2bea5f2ef5e5186df86a2ce2370597894ef31ec2c0c19208daed00be9bc9c0306f1889ef797ac87eec61e5cc61ed110f6590578a91f987ff86deed1f4dce08f5f2b96c0502f5cdf88a59d9628ec41a7ccf192d3aefa8ec975bba4a877059138488664adcdb393a47735ca5f43153e0c79c403ce9bec7012259333cd11e9e42e3863be2711a48bf5330c207c0d8da651a1ce0c53b94ddf246d1054689502763b34acf020c4ce280e0c8f22d406319f54cad6e6d5b3976969e687138a52a292277634f2cb6c1337ebaf11684d1e2601a0f92f2864c40c57547e5efc32b08cea3964860f90f0133a17e13c60ea71d16e6861cf3e1865f584303b0f16b80e6128aada9fc0e6fae29dba4a3fc993b406795bfac7afb5ec9ec8e6b4eac7a86418ce9513ea353ee47811aacc144975eabc6dc9278631a9e92ce0668b0db8bbb
f5a54c79906ff638809f7d696ef49ae47e0740922b15c503559f0118b0a979e2ec8d25081043c72ec0c5f3e20f6182594bf5f3aae3be1bcc90b994a7a88c35363e12f76fe9a67c256b4a30d73668676cb87e1aa1cb90eb253a2f6642b9a2315f48f6b44b5857e692d8a6db0e064cdbd0b8ae746352cad11812e180df03eae8de9e5804edff73d19a22af88a7fea01ae7888c77f06f42c216d30edadcad5ec56ab99c94248b6fdc1d5fe0411ee122f375ec47bd9ab630255a2b14e71fed7068d3e2d58c558a5106fd0ff61c6e9309bb5899ddc993d529baa355e9c4bfdbd04e88f67c564b34f1c4093a83ab27a05929f29162b448bda177a4725008ca3d61e31f10192918371c568e917f3212de031a5c5696caf0b2f85e778c26fac0c642e69f759da27c8c7a44cae86e0d0972ed8ba0e87416740b3f0687f052dededf00101e230c3662c36dad8537592871199e48a7235f125cf031311e1ee339b7a62387b52ac1640d5b2795ee2af827f09c8314b013536373548592d64bc54e36c850c44c39dc230cc99da7bc514d29043bb9ef2a227f1f912e2c6d906123c1d1db2b813985db6ffe2c41b3dc5f82620b9eb51f9e351eb6a115409b70eb5227122437bc53ad500af869b84c624cbbf5a0020ac0cbfde82229b3e7bc3063969474efdbbee571cc553ce2f1e08be6c494c5c660a220e9107be93dbb4e04cebfcb8107737432b144f90cb9b6b078d813de2c803c09003606af461c18a2b5e6d472f3144984007ed13474ecc167fca167cb9ebd6f7e37070b4d5ef787d90eb776d94ba5fd63cd3dc1c555176f1d5e090aff9013665ecbe4ffaebed5ddfc40434dc1e94c954a3e5c6fc8a2ccf679c1ad8c5c98bc3107f5bc7b639f23203aeb8d3c00d89a0675f14d486b83b72bb453ac3fb74da84aba00322d7716cae55a3865e5f4d18070e02d3d19df09479a41c8da91fb084a429849a7907d2b9f0776fe0bb5d51bbdd0045894e96a1f090be36417c6603d5ef01864f221b36dc34ad05f43dd8b099afad95f23f2c611ad9581deefec4e8314fab34761f9bcb47fa508b38ab19142148bcb6bcd8d35074919d89de51fdebcb40ae9608a7edfbf3cdf00db9dbf33bbace91ffbd5c25c29a71305a2abf343160ccf922dee487519aea764bde66617977f0be874a35d468240bb81038252ae8994dff0053fe21a82f68f039fae01c52cf1f6857ee51e17d5cb2c6c8dbf8560afec66f1a0d527507bab2b7df5e8984d12eba2d07d836ee7e01967fb23599a3583b625a75e7553bc66b2cda3a4b67b0e864dc868dd1c78904a74686a91919e670e7fc918037c4f76df3a78b860bc0459a12bc207c30b1badd85324f5a1e623b661aec28027bc086ccea49bd22f39560d289e233c4231252e8cfb6af721
ac7cd1b6b37a14fbde4393e44e1b25e302b1ce29bea6344912d1f7e90633816845fccd3ff7242a008a743e5a47d48ab3e01c21f2e4606e96b08567496789315d87936f45c66db50de407fc101153536949306822e1bba513ea3375581b8f235b827b3bde08213cd1852f36744d9ec05fc35de3b5fd1912b14a38eed439a6f7dbb37c3e55690af6cb75945423ee6dd24362327874e960677072199c4d3d03181f6db4370a7269d9d778d0cddf67e266a29a22d5eb7129f2d5204ab8c3c5d01bbcbfa60b11fcac944ddccb27661860a8addf6377a3a3b9f7747334f233c5a44a55ed08ad05d233c7c43e6eaac0f89e0082ddf70c406814c3dd60178c23ea58ff7e6ee0a3a57358337e7fb83be96255a35d17914e6237a3a74215bd4ceb8e9fd3f0850dca086c46efdbd99ffd86f07d219d1e2b087b000b8ccef9e49337563b48a27a505970f30cd550b873e32a8447d8853b129d0a40afbcd900aa29a9a59332435587b38d2da503171da6f7f50d2442ae1d23cd4069c38d0a6eca268f9e162ca56f920aa7b0e6799d2029e82ba34a82959ae737db3e7906dc8dd1bdfb36e4107e36a54875348b9e45b8e7233ae4a1c0fe85755ba6166ade7d34bf631e9af8f5f90548ac7acb613f32c74addaf42d97fc9be84d30d18821b796be490f28274fe68233003641a956acc9bc3a09d5f43aa22fe3a2b98a8b2a15b23265ec438e3b15a1d137ac2761f7349311c8e4ee18dfda5f96d66e16ddc255fe70ff2a051ccf744fb7eafbe2b5fb713918c8c776436f09004deaef5da7409fae7876850bbf62f17c0d48ca74d902338c756a337d3286a72087788f7a42f4f1675d6f0ee957b7984f21cd95074559b8b2ca49e67b4cb7634f513a1722351ee15e9059ffe289e8c989ada53b47483d4077e9d146e5428da1cc19194ff182f7d2a2287635fa4e4a81a290a3cfe38f376eae489e1df5e9a5d59beaec83a30e9af78893e4f3eca07fd4379b15353c7534c639c7b33a0ad5b58b956e8fea983ee12896bb61f07564ab52345ecda4c181f4d810db0088f6054b8609aabb4fcd48205dce63810eda0775307d72544adf2828a2a3bf105b6a6af965b8ce30eebec78f49383e9e0542f0d3aad5bf48f639e022a021b1e661b10fa7ac6a86322537822c42a4883b0522bae9ced98b1e4812992384859925860eecc78fd0ecd14f4cc117d9350537a8d80c2a6c952ac2cfc4fd7adbedea1c0634438d88126307f01042ba7a13869802d0798cc0b42cf2c1db9132dc7b5e69c807b5a2baab3a35563cff152cdec01c47aa9accb546d2b0287fbed70359e15b1f7a78d79d32cb6047d9de5dc87850e23976280dda2e1622be5df43f0bd2f71234c631cb60a6736f1cd27545dab2db2fad1b6ca00b85b6180bf8ffd8b32
a353d1c251e8d0401a7dc818b51efbdb52cbbb4f7370d2ff05d320e97862c7ceb40972f58f6175e88d22db6b18d0ffbee99f0f90bfaca89b94296dda5d2babcbee5189332d9ec6f9223f0197e5a98b85e6bc00e8801f52ae06bbc73cf8d2ff6ffdf9211f95d5c18b27c44a9d33dafd6b6ea8568154a0168610898f9b143f5aaebfdea26c0b7e789036c99d9ac8652794bed15212203b8dc3ffc5fe9a50cb3f493dc4e0e463f828d0d9f1b50681c30e155f1e3748769a61ec7f305aa303f32a1a149f399793041ed3cbe612b6a73b03f61c9ef4477311026bfff61678d33970f92c2375e862e8c5d2c682d45f47cd59d9c2bf7f5bdaefa550d4cafb6650fb5bdc3842215efa90e6d259e05098df0d27adca16a386b6f9f2f94a477bf10c3bf9d06544ab19d9d0da819dde1d61d317db510cf3483d0d7cb4ff99e076a2be55348c2a1d3fbcfc0855ff8492d2e1b87fa50771fd68ef7dd2c20ce5fc7b19b7333a8945ef4b614d487ffd49bba89bbf0eafd5980ee6d196f8dda8b07c723d1fce05295c646f0d20eb0ba3792f657c0408d2ee889022c169461bd494b62d2b9ce26742a324ec630cab022637122976bd24e587ccee270c82f0e5c182ce82eea8ba0b67b7a78f2604ff9770b9943516b471867a6d9f1cca6a49dd717ff8d2528e54f9d297dcf248805b9228ac6f072a947aeab962ac407d712ee40891f2a09d6265950fc05f4ffab6068a59043a3ebb67a3b947ee0cbccafbc5e543fd6c685c864f32c5b37c1e4b0420dd1fbf4ec519e6e8b38ede98dc0daab773bbf3c9c3eca5d3d50ad2204fab49c3772c369bad9df71c00624f24eef6770cc0a151154252ef33a2585b53cfcac85e22dc8aae052038a31e9d55013ebee2204775d07aa5210e86cd63ef1b0466431cd16adb9bd78b0e1f8ceeb86c052ea9c986afdcd6f9c297afd4b14011c34060203f4e13965e12d518785dfea41d7c726f4918d20e5f1249bc84e380fe0dbce2548c1d85cd6bc6c996257a101e28d3d62b75b7fa492f49561f1046590ffb2838e2da043b1d83aac7b5e9b8a3f9ef22740e1f91fe9b0957e5d3b4187e4380a47599ffce0a56f92260708ae42df7a7c69517f2f9995edd32ae81bddde727945fdf1a99b13a00131f978a354f54b7c3816c168ccd15d5c7985357e1dfa254713ef6608a4a4ed8190baa0fad97ba418c2a9aff145bf721f1fe9952e848a46073e9876ddf1a91b1be116016e17c6f0eda76c4bb577d24069f116c327383e1f01b189fbca1d553eddc8848e9d7ca67274811e2f80c6b4b523e95e0429bb6fbf818f1270fc90b32afc8b2324cb746bea8f14123323d253a8eb005561fa1be4d4a155ab4e26c92d48aaa0e10f9822cf267cfa4b5bffd4c89f80a7b84cebf71de8f1b49ced1cefe
d76fc5235228fd98d68bd1646e54c77eca6839209d3f088cdd806cfbcd863456b41801b68cdb5b8106955013a56b5b829c8d3591ec6bd8328bad2dacb62c98ac8dde7591b4350c2b7cf3e20e99ac8c19aa1c52a164815cdd1c56f053dd0e4f293c1cf06c133e11448bf2c1f26dda792c3cef658b714f1f7de70a3c42211558289625ed699242aac645613b7faf7cb1cc76fa0e346092dca4f88d59ee9791db16bbe92085fa1fb1521cbe0db5c00378a5af17ca725c1de4a9fab6d291d55a2432f6f8f035a1e0a4eadbeaee9ffdf7b11a2074f2b7f5e495029a7e63c9af460ec7c34fbef8b874ad06bf7c08f78b0c683d0d89bba894de6d6147f6de02b1872ad8d86183189b11ad67dde3adc51355819bc5d1225cd326ea3daaa9cc4184ad92db15188b1e39058cf730eafcdf6b169f1655032a5b7311beec7f145232683178e15ff8440f2801e5e840a48103d82be492e5bd17dba0c47b653b781c1af173a0c7273db72a674e3a00d70b897451fc903dc43574e64fc7569f881ca7379c6da873732611d5fbfc234d758ec0c16a141ef17763689beb502081ede9b11a9a492debdc9a09a5cea5e2316cbc0eb5f5246ee0fc838173eddbff63a68dfcf4265a5db77db823748209a5aefb86d17d90f9b61b64f8e789888a29595b5fc475fddd1242dbde9662cee751041174e5387506b332de62511b2b3bf89ef6ca8498b42ce1cc1aea01f4827ca8c4989008b10acdf2662b06f7635b26c8a95ff6d4d4c4dc60b44b9e8364a98a7d98e6abfaff73c1c2dd69c52dd12deac3ca415645b1c1c7b963a0ff113b44f54ea1444eb907f2657df2e95a73d8cdd783c4676bfe5fe5a71abbf2aae079f49e6d51e10cdc8a7fb8e26b2f605e54596fdb178133f746fa96435455d5fbf1b19b585d34e8205c92e7e03500b8b80e41c42eaeea933b76fdf2c0accffd051cc0f77b9d85cfe84ab71662c7f83f3b6e272b82fe886d0febb4345d9afdfcff94a1ff107b6678805ade9f768aa6e33394b391779ca937c90282e9124c41425289cc23507eba96df73e2af99993cea1306f59b8c59816b538cca401d7f2bfee84b3aec9e054d048054ac2cd280d3e55c5e027716938b7b31ee1b2f00f95f1b3ca9540011a4844e86d2cc75f681394e4679493e9d18075a659a458299961d18cde645dae173364a4dc0be39f4b6fd5ca7b619b26686a812417a9f1d3e46646c730eea7b4f61a8152101a56732e09d2507b3a0eedc180bbd4e61280283f783aa8e9759d6670bf28e13526d89aca86780216f137077d761972a988e1bd9303d44b7e00027bc7f537ba703a2d285b659e7c8a5d14c5ca705a1eae9ce67dd99f5bf5992bc612c5a0a01d161d8547211c072d33f6bf88ea8980da01cb87712e9a0c8b93f80e6deed
1b6a092326a1da99bfa9de4dd9fcb53e586ba169cd008b7623468fd1bcd7ccf915902158a139311a02ad62c6272a50349349f8a6aef9d44038f759ee57b816122a5ce8c2d7c14a65f24694c5338d596d0458c484afeeb8c25fdfa10560aa42ae8cfc82eaa108b567f86e33e9123e69d84dcad2f1fd9ff60f90ff413a22b2870f16b0d35c388183595d5bdfce35b314af588ce9e5ee061b8e8f1089b14e1e77b2b3f6acb232fadffdccb18bac721d90a852384fe51a16fd4da788bb76645211cc162a9f1d0dfc1eb29aa11d85b783ec23db41db8caacd9e88614a51cd444eae3db3e22c5a92b0d30cfa5403a2f28778bd9df158cc082bb8c7e7bc6484dab455c390b85a4304a8bc23a268c6faf3bf85c98056d0f715e74eaa86c4b6af45458a3b0e40b658702fd883a55eb4b6fd3fd65556157bd58d0ec42f06f23214c537a5b6bd1394c74615748b337c8c1d7fdf44bf49e35f7bbbea1d8ba854c060f883fc03f3d3dcb7244977f5ac62e696a0ecf3c419e0794d3abe77d156e0b97ed5a043b6dcde1f7f2ec010d9e4fd5d53a13956027a489eee7b497ad2649a0523de4767a8fdef6fb66bd49744ccd599d2efeb267f0d2990f234cc80fd069a97d1875390d6e2aff8fe2f1eddeaaa4f3ed528cae8c9ee67953e3a3c32732f0db007f106f584390c5370e3edbe2bad78fdf2ac2056a9faf243546d26b856b788eb5d7969837b3ba153c655b4c41048192b77f5528bc75abb50d85eddd8e9686a48d722b03ed945276a83d9abada8825f6a97eba1fc9fdcf92a74b05db9ce32fee161182999d06727875439ff109491da219e0d53e03dc46d205d4e690f2543fcac1cf45ebc60194306761d8683dd2586929a5dadc2547f953d99b7bfcf9b4c2c44937e7de619643b392a866bc88a8eb9b6d0a925e4d6f0d574be68f31059d14edbb50bb75b705f531b66bfc5af6d29095f38a127b46c01b2640f952496e7246ddafa8d3289b36b800431fafa24795b4a73ba1ff13bde91b5a1f69e151e6ee9eb795197bfc9ff7ab1b3ddbfbd959fcefedbe5bb15b64e1122f231870f7c3d4c372a4c1123d30aa097b4764f4d14851833355d7b1a01e5a37b867ddd53026ba9038f8fda171ea1f1f9d85ed47d90739a85e0006b0ed40a2b10b4154178240ee2e42cbed699efa0720943cd35836ab42246a1e3f890d727d1cff39f7fe2c70851065f0c52631770f62ea024f60a8ca18e0ae7afcc8a184cb6fa4a2c6d6c311a91ec25e7efd7e8d09525fdbdb9904364ea00d331c354d33c2ee010c6294a9acf7cc0ce7c184eec91fa95accad3dd7e43d66d5c5b8440769563bedec750cd4157b1e96a57bcad3ba84fde6998591d2a435a0af48be7810693a3e4dd4ef072db8b5a14b9496a53b818bcb124c0b6beff03
6c373f1a9afdb2344819903f173a800a29d412aa3d22bea42d70e95e061e543902e60a1a2747a2e0344189f942c03a2b1fb004bcb11bf0e495ac79b58cab4dacaad7d8b84ab2e0fd199728029b16e0bf714a8dd10750931d167e819802ffa3c177e0e6d8df2d43daa2c55db0e3edea123d0da42b4d8c0c12c92586594444030f217c8e545eee3a723c57070f02def3f50bc6d21a6ffb635d74117e23d80b14c36a0c741189dc77b5c9cfaaae1b736e8663db61fb5b6d354a53b6344ac549ef3ca9ae5edbdff88ca10f1ae2fb33d2f2b230827a50aa40a09fe87a34ec4dd49a76de5483b7f58ef1ab4d8d78214818a8667f9e9e72f9cd9a6adeed0f63aac8fd5a3510e5627f5f3ab8ee216f9dc3c718c04237ec3ac1f67e119753704ff4c6a7b913890cc3d1e18ec06691808e72ad057896ede0974cb10b0e70388384f377499575836a24bdecfa92aa379307caab1a27882439707814b25bbedd64d7b030a6bfbe5d3048e6cd9ea43008a018a77f3ce008a22d07fcb237e462674bacfe0862f255625b2f455f61bf9e5fa363ac46afac12a0fc687b6d802c6c04a5db7ca3428e7afbd73d1934058e6e2836cf9bfc19f7b796bb5aab698cf9cf1d9cd031862780cd05cf6a9c3285070a5745b43d8c52303308aab14ef77982dfbf4fd8f5b08480cd283246eab28d678a22a692588eef2c63044c739fde5f96d13b4b21b19b8d926752d061c7dd09c94aefa338be45987a2b038d0db15be1254e9afc337b321aef2dae93708b388bd1c0661ad11d461e69927dd0c9710d89de9ed029d99b9ce06f739b69d8184354aef35d8783f7cef2a3aa3edcd4786605a743def859c6c9ae766eb73ed46e2a58fa655f0c8c12404ad083d0f76d6ba561cc152956b636fba83fc612bc544f9f926c35fc508e7d382372b26a2f0c3b3633f76c0805201ef9e35a83fb69371b5c6aa9b3840740e26d62c3d908ccde8dac511bfcffc039bf3fcd91e89e6f9a77ef342fbf2cce80ce2ba8648e61210ce698455e3c90a099f8409b73acc15cf99f7969a5d9d6ce52a7f9b590579f3292324e1ff18908467ead6d425938e715c640179429668be956a52011e16dd94e2bcefd176d7f8f3a68729d72322889ef6cf64e0cf040318620167df45b71a80f3db12bc8645c055268a5b7ccfcbe2635d64862b8c75c070171f234035ffe120e6395a2be238c02b1324cf52937b49f915c23a31ef3c8b36cbc20df99f0be4af200cadc4be04de5af0152b9f95e5980a4c94efa65d86d95a7d9533c643f2db6a9f9054aae02a4b9715405b6cda9062c8edcf925c8ee3eff1fdfdb29117b8ecd6bd15bcdb82977286bc771991d11110941b3ac2c5091249d1867a8ec1fd63415966c4cbfd3a686fac9cc89212dfdc6d980665c5857d3
add0045cd0a7fcae14a929c8672f95c5aa8fb24af5fa88208c2ecc5bc647cc8e29bfd7e27ab76509efe431c13fdd015336f36c1adccca0def73d33ea6e540421b4c54377f4c4ddb53ac33b2e547fc0dcaf801a8be09afeb183a3eee9f04e935296f297aae794d42ff0fa99d5a4a80989f29738c30d7fd66ab2de83d6409f7c09133f3b6f77e56f443b419d42a814d86d8ec4f6e7fe3bbeb7af41cb7d4956be1c5668c6bc5761139bcc3a4a15d6d8c904a8877f336643abe7da978ec24c59e991502c4d7912f86a77d7d2f10742fecd1cbd3758d69989af8032bd91ca0ba4c82d7883a47e07bc6990e21876bd590df875ba7b434f53512be5e8e069e5fbef1c09a2e78946f4bc93d067f5e5bbac905fb3ebb3001346c40270998de04524d1c94959b1c0a4a858be5139590d5a082763b98de9f9871238494d985f8eb9a063fcb08005742a4675312f40183a2a72a3a230c2655f4bc880388a7697ccca97be15aab36de2c275963b4650c636112800401c6aed61351839fe1d0716c0e9ed48c16015dbfdede31f614443f10a52d357fcfb884da7adfcea1787de1aae9380b505189f14e50d55f297306fae7f7ca911cb0a11b8c17c64146dd1b1f20092788f90151bba09717769a3aa09e8fb2474fa8d7594115e8a6e4c201f07692f14ba61e295c029e379a6337a6ddb24ce5ca6479516131784f727f10ac32186e1b5a7cee6560b5244a68bc79049ac92e97f20a9f1c0c3243b8efdc25599fce6d2dee1658e8eb2fb82db4c683f814df56f3c02dcfb4061b579423db569cf6a7b1ca97658b8884696419273320e7d533ebbcb69841a73bb49c1fd4b64730808c08e9672ca774010c6b23fe3b52e5d23a06023ea3d83c03a75a8d8bd0dc6c7752d120c68e48e69dc32cfebfc7d33de0138d7f0b6eeac085381f6daba83fe587177db68a6d789b1b0cbc59c72caaf525b0948f3034181a4a8a9a0c5a854b41ad44e987fbb3c7451fca963b90148445edc4bc7b53a821992bc547d06f14dd456788dbf4bb3e0f390a4df70d67fdd906b60a4abd72982df615ab711e1b564fb29af96a217b35453fb7ed9c3ec684b9cd6fd6bacb88e60c39eed8a95baea27af6ad12b5525d91a3b41ed009d5e87683a2d7cedfe25ddae724bb60bd22c54ebe8724edfcf6ad0cafa63c4163370fea7565bd7e12875b77ece62f399e594e3af27f75dbd14b7ba859dbd6b4480c6b9ef34dafdee8c2b36d28e52f320e9f8f3f635b7eb03e584f5b376dd81fb1a41316b6ef01072772a33ccae1c43c5c9e22435badc3d8ff28864a39f2c0dc7ac3d5feba33e70aba25e0c49084c1710078e1cbb5525fa17c3e0b128fc45028b6c266bd3ab04e11a6fb07ffb58ef4f6dee7bf2ff554b759d35b50e0be22f7eaa325026528218
5772e08293b0dc8bee4c8d7db097556e860f482c8c3e9b6e864fb477d45c955ac82f034b397e6e75a4404637f0c61d4ed90dfe15382e85ef48e6fc1d248dc1b943dc4fca20568fdf634b9b0baaa7874186ac02a887b0344275a985785fdf59b3a71d3c75b275d10d8b591d6b72096a77e2b996d0349dc4d9c54830616c73e8c48a472c4551ac4660e196d38e890f7931c1d0cd6d90c551315e85fc3661338773bd4a4ff861f0f3e892fb4d58069b3ad97b2d1bfd72ec44e4a295684d1422b30e1ae95b5c1c7f275a75dfc4f7a1c2e3bc0f0f42252883992912c95ffb334b1878c65a4bbe1e34f926babb642924229b1021f326c8a50e5525121f49dae936dd56844d9dec93aa1435a16574ecd414bb039032db875a2d729d47a3d8f0386fe9b067cf025b7e1dd3341827055ccc88677999609ece87add06b2f07f957703524e99aa0c3389741b14233b5eded5af8e44a47031803ab23f734aed4121ad93b12e7f632733c2b57219ef9879b4aed4af9094a4924efda16615fe74f3585a70ed067d38f722541082ca2546b032a991beec9efdf6d055f9cfe33717ee55af6b33cf61fbff69b1c1301173d20a2511249b5c6438cb510b36c54c7fec67c3bff5cf712baa3a2c36c415f488e883a4bec4c2a10cb3fa105d1aa3c829ef6967ee6d6add1aa9b3a88f7a6e69c4a0cc253f17902f37cbbef417195127b21d4fc95848312bb82992d5a95431aa8eaebf16e10a4030ad676d5f29032c611fd5da2d4c887433bbf3280d7d0626989ad5f31f5bb8d85e3d83bafc3747a52e5cf844d6130679d5893f9211eb9d09d1fc90d83fc56c5809a86c055c14489712ffc6606144fed013bbd2795bbc477afd5712c41d2a23ea998f73e5f0f6ac6c5a7debdff6f978295c1385d946e5e388c05903d77264bb45db975d1a4aa53d6e76599507827b86ac522a63f999d5bef7c517f1c8a80027e04c39222588e5b405576b0c2a902207c0d5cd38ff267969479d0111c21fe4559c4d9cc5173d761211b2490cef996cfd500a457f774f2a2180b1e2962851f8e50086fb27808cb4e58d835124633238778ecb04dcca45142657da5766f2cf330cf5c8de8ae869036da37cd3e43291590c3a22df431d2e271c78d3bf1c2554497ac43523af157b96b799b8c52fd5a7530c4065c4e23f9be087d911d9123ad6193db87bf4bbac1c62d1ef5af2f12e86d23342c14e814bce96b58bf22957152ea290ae0916e88beffd93704f7895a2c8a329bef11680989dd1d3e0aedced41acbf80efc3f21c71c2c1c2e93ab1d9984f76b70ade85a391a4bfc05192b2b773dd3209ca50c35be3344b143142b25912763cb1555faf6155e83e57cdf5f0e4c0d865d297547a6087fcc7df7e4512f4691c90d25b1a8693e76b4ef8dd37f
8f93e982a2beaef083c4fcd49f904b7c9d1ecd8bd2cb56282fa90314ee4f601565c497557d4d3f304cf2dd67bd973d7c6bf2ab1c4027d207218b71f2e19622c655689f1551bad47d5d9537a48cbe5a2c3288413c2b458deded658a4f604205d58915514bee43c783082d656b431af8b2e29db931f4a6871a587905571937c7e08b2080f901364f029bbe175d1c317abc8048461b717c36afd3ff608f6242c0b256cb5fe817b87fc75d07cd0e477023ca620c454b339557802842e5d60ca94e6cb89185ebccfc1b34b8a00a5ec56d350581318b8dc021d85223cb6a07bc512885577763c99274ae4d295514b94aab14ae0d0dbb9508e2eaada54a66de04fa0d848ea67ced8d6adf278a0de8ca8bd6f36ccff7cba1ed67e145201d5258b40bf1ca99279ecff9d78ee85a88276e5533c620e80ed6c7c17a9a12b03f5a740c37774e889de0e0761501ae589562d3240cbac3855eff6eea626f2c64d297e9cc97dc739ec7a7cf9c33b54055e630c8a84887281bcc48e8b4caf4054fac8ea7d0c0b06f220f80f9f141346fb8df194c314104f623b44621bcb35443346ea09914a96d6c7ed59cedc7c4ce71912bb8dbf8fdcf13bfa13080ac1e04bdeb46c5c57be88db4fe1f7dd916bb44a34afa1902f502587d7f910eb91fe910f359759975a7748fda76d42bb488b0c346ead2bb433ec158b1ef83f1a65581861656a32221f74598e38217c9b39405221c74b16682fc98a52b1e139de85e3b4329609449d4dfa4f21ee40dcaec4e827416f3636203abc837275bb08b69e55fd274fda90c1cdb3482c47ce59523e136b2302b300bc86bf088a6952a56fe1627cd6aecdf5a5260f78c4a677ed1a21d8952e2e161a7378a181479825c437a8ae26bd4e9690b1f18086decfcb311b625f40b31082d143c4f0e4d2c61cd2bd111d35855fb2ad1fae254175a6ec2c997ec8120b1e87c132d477ec5aff4b011b82355a2bbe72b7b191e0ed3583900fd1ed473a11ceb50b218e064ab7042b751628fadc59d1c5041224abce2e3ae008a0fef5efbacb160c2b5a712310012ccff9d20bf50a7465b621d860f73af8d3f6c195ec548d31e13a179a21b0ffaffd762fd48fb955a6f5a97632c4af55dbca3ff6ad479600bd96ae31f3204aa83407f8b8b1e16e497e26d6b1e64d45d8e9ecf7a2dde939cfbca025246b7ffe29fc2388aae16dbe4577a920e00c27975174d0207e458e55f4778c5a9e62954645c322310cf09fece830043ba6b437be2ad91212c3d5219dab65d10c76052ee3945fbc37ae320b016cb7052911063c65cc5ba42bd91f62371a0fb6dfdf5f79d179cb96e21b40a4bbd95847055efc523e264679c8fbdfbd89608a227e413619536ef2481e9b1e9c888e0c96a0882e9a0d3cd8fd3a152b3b41d8e
7c25ac72734fb31697e42246c33392201b5209e75f148ebfe5bfaac751ff30e1c2ff276b1b55232350bdc0183763833429e3e92d522fd00e1a6db089b89d9ed044886d9c6574b874eebb5d0f53f57cb97172d09a93c1ef21676c24143be15dcf7a9da0a9dfcd864d029065dfaf64a9f3aefc34598c40d374a79bfc1ea338f85918e1150aa97794932aeafa662fac1ecfdbc2aa798b1b73485a0d1f5f518e05c1f6625756237a934e5e1c8b018d349ed85f592d9294e5a2a62b90f76c29e2e031fb7c2b0d00fc6ce1f01140c3c9b38e5e8055b05eed83d78f1b8b004f3d5d3eaef72bb7e007d99d74b0bb171aa057bd8f61bd370c2bcf8223a236380fa5e509811ddd96479126cd358aabb4b3260c1a18a94e108ed69aaa11e9518c0ed7e3e57aac3e8f515624b473700777ce1d04bb181d4e184579eead6c344ddc948bd8806e84dc0cc9920d9022b56bd040278e3aab3085baa8495858567578cb3c6e4f923e2a342877acc4d201ee570954c39c88942aecbb26a9536d037c6ea9c494f837b8075075d6749c4bc34c0a99351a488367a3b04431459ec541372a55dedf8fa7f82aced1ec8e35aec3c7e5982d764625e82f5180cc2a80f9320dd83a69952a3058dab1afe582877574eea63f0e480e4a6ac3f97cfd767603b9f3f80599a928fb07242a3bd9b351d019a22c5a1a3e0be03ee2a196fb5bea872ea5ecf879347b0e0a90291d99ea55058df72d2968bfcca089e3aeee0a1dedfc8788384daad697ad0576a744182bfe2753800b15864a858979faf21e447548892c100fb563a6b30d6d3ff16179eaa0cdd1ee1e0fc66d14c949c88d6ee66a75cb200656be83f4450ca6c0dd082df80c6ee04a97bf9e70007fbd80342b879c2b84c7b1891e6b53f47e5b935247c67bdc86cdc14c86e138282c61abf08dc80644aa56210c8441d2a928c7e0114cb9b60e13b40c9439a9c45c49296b0b5965ae7d67062ffbf9d41ed4159085d00b6089b0ce0bc273a7e9ce3f2ddf551f1b3c3665fc2d10dac4e2474057634bd8f416750b093ea4ee6e2545c7e8d6c9cea3c6f526aa3a26c18bbb9843cdd6a13a07ba65ff28e54b30ee85adc3436d63bdcbb27f9d0b311eee89435baffeabf61eabeef68adfeca8c90c075e64f63d6b2706219bf37d32ee804a42e3893470a5a2e2262e02cd49d7371a65bb54326f1a770d8d497cc47018262db5bb76a5d7176ed4f00d37ab55cbbb09d4800e5db5f4e15bdeb8922e4841c6a69782658b1bfc1f8571ac40aef4cf29573b600f1c8ba9bb97b1a52938bb1badd102c9b886b13da8ca1fc5a6775fb2014cbbd00d44595d9ab996020e64993cd7d0a7e9668a736d9383063a807f455d3940cd60a778308d40f6b4b3f6c44a6a7c384ce205f7253fcaf58fc8722948
27aa0fdf2acaa80b13901a39b54a5c4068fabd3db4edb01395abab31fc93ea622fbefef1f1be3bfd3821f6324b5f2136bd859a73bfde1c2e1f03a35e39e511e9d75dfcd141961ac295731c12650a34c3d4ae62a520597c1a6796f0c9837c1d1f6f489a885ec3c817223c9e4e00b5316326cfa04ed0c96ec2982800f7e24efacb9d318eed725bf09985f568e2edf9cf339e0955e07c3d13c46d390977dceff5ae53574cf11d0bdf761e0a63faba357cbef4848cfdee7d6c4c8d0b25726272fb16d91b644e2782f24f3e9c8f248590c67da670854100eca4152665c8a19270feaf30fc7640a859141aa7891b1f31bf4820de7b9494c1eef30b82d51772813ab49586e15d60651e679325bd92fbd462d85a44bbfbe2784392881c5049c047d8fe58d492948189fe172b1eff1159af539a1a5e29930dc6075ec1cd33828fe3095af3aa657f58b2ddbd714d2a3fd9b4361222b4ac303421a8f956ab8999812d6e48e9b232d3a87d192035d90b5df5e02da633e0eaf432dc1c9a695129e6f43d399a7c9415455e022426c28063da8084fd7019ba2674da9d70f7f6a821e46f6dcdd6680c9a10b455626a7eeb736aa57b4a22d42eadaa207a517c8528f030920d778f43e61eea485220dc76c39a987eef36f3134cf6c11fb4cd6a19be039c8c6c30f69228b045054f5e92a8f682448143b0c94065d783f8b62365002a3cfac75fd0b4074a35b704a3de7aacb72a86ccabb9f5d03357f41728fbcf954befdd68a24bc29a5b9177cbefcc9ce022d5f64bdeac623b30a53a8de8047174be91f54bda1ea8f753aee703a53e47dc02c3f84676b743c56fd2b2516ea9f2fd4c32ba085bdd7e39ccc47b6b0ec9a41ce6b5c35ecb79bea1d47f7088963d2cc5e1744d5a89da8fc5f2dfecf5e10809d28b575c32536e6057f22e98f53c2e5245c633c2147596e75777b707c670a8339d69c4444979a291bb167f4f410dc17cc215ec3cee119869821cc925f8e432689eb1b73e31473eeab613966dbb11b0f3749ec4828abde9f28044dbe4437ba556e01f16f68a763b7484ab8ea0b14263130fe1f00a1171396f1ca7a2c8a0f495a9731a9e37b50cdc9fa88bd723a572002b07a7ec9cf93fa6d0deeb97962baa2b4b0e31cb14630968c9690ad0d278a893d1c345eb7788ccdd4b9337a6f5d2d70c1f28fdd9a1270b124f7772e843b8e2a849caa11a3689813b4ccab6cd43276fc64d28aadf3e8e7b3437c2f5c8a6f3ae9151c07d30860b27c9d2934478f10a86bd583bb4f2ddecbe23f4edff95ddb2fd4fc9d7061dd74f4bbe620acd61874bd2e9af9f70061d764a87c9abf3b7eb296f7a0edf17034571b7c28c43edfa27bc5a3e0745dd73e22d0bc7dc4a7d110bf2158e9bc9c8a8bb7b6ad1ab7ecb68f47fef387383
e8794507783e03bca6c9b671b4739c0f11f38664485ca3712ebc32f613ace20e734ca5755b940d9dba51d342f2611ac2734b20353c8c1075c7661f85c65e86fe92405b8c2032ba1dd5bca75af90434f911de577093fffae2195fe621c74b3cd8558a7cbb49861da17abb9fbc064c1c4955f8910107bf2989bd29fce7976d4500f537d6e233770b8022bae47c133f5b89088847d0ca3dde83547d8496c04b718496637c54b79a0503487f06e91f082216cdba4ea80b572b488cd69982e1352bdc9b0e544e068f73d1dd7fc2e5f5c5d6ebc22a0e6953c8b196607f12e9e31386e584ea5210eb666460b36e82bdf986f3f8ca1ade7bf79b9dcf1a6a06fd0a2f51271124db1ee9cb39adad646e20ae318e49b7aa8dbaae5f857b63ae802719e80105d3663cf006da07c9e06e0d40c7907f07fab03ab70dc5262a56e04ac7756b0fcc89b18c67642732341c25212136b9d325b324cb197612b30ee9b9f022f04ff454000858ddac08749670ba112884ea4b2ed85fabede4b892c554336c9451bfcf36d78dbd9ddd9767b550d0cf7ef7c264fced822116991445e717c8d69e975e3d9d541ceb413983a6d96426e62d2a921ec7600dfc3931f32d3cba4e51dde53e212fe07ee159ca4ade9e30d09f7c2b3b0fccf6d187d589535a3aaf209732ac42fe81cb00a889ad8b9bb75f1772c18b44d3f4261af589eabdf9b8e9b469096b41b2b8eb98078c9ffc798d64f81d043cd3f66744e86416cd4bc5f71f24a0311a4dd0fe4fc510d832680b89334ec7ff9118b7281928d7e4b2932de5b4082a677eded64c7bdcdd467eda1fa33b62e260461124d865452cf7491f960dad10a51069ba3dbb9f083c434789cf69c8902bb4969c5f0647967ca12a5f899352b3b024c576f8ce6b7dc50781f2465d1737765f056c72428207c2fa19fe1d3f2b706685cd7eb1073d491e414953322ba3cf13cf92dc474f6bab9d8f313475b0394a48bd78677a6451ecc945bf4fa497e859fa682a01778728717fe908e3d48bc82db826d9703bf504ddb3cb5c84d38ce5839caa6207dbf71a12d172c77c1ee024d3be331d0cc96a67927fad13efc14227e0ad78119d6880733a4002e3cb350653fe7b0e4958b0817599367aa6411da366d21aa606f139a3285e3e74a0f40e6bf85638bb03280e4c027b39b35b2703e15436c613ee72c7a0674a48d4d20ca92a0d425ffc8fa74835fd405406b282bd33620b314351e7f3e5562cc2daa2dcf5231858c7359c97a2226c8486738b22197a015ff487b5448ef37ea634d2cca81cad4d61fefbca05390bf40e7f27115c3229644c919d4fa094642bf85294640c521bd5a3e2141f97205757c4894997b5daf67a4a62dda7b38652c3fdcabdfe520508db54ee4c17f9385f14e61f5d70709935
6c979cafe94e6d298735f45cdfa27beb45cc223408afa53003f5541b066e5573171b00d8d53bc4396853dba190411c8b8089ce92b632bd48ff54840a5dc25965d6e37aa6395925a752fd7ebfce007bccc40e14c6f8f58304a3d0e7dbf03cbb5d836b17c3ffe71c2456f7f5147154dffda5cd403165913bb3486ed6e8c15b8a1e221a468cd0761e8d2e615721528879dc68124c5b9122e643ba77050542ae563871e048585e53bfbb4b34694916a917cd822bb773569b80fad04beca3bcdc4b58003fc2451ceeddae5110f5c836b759df3a096d0b577d5c337c584baa1e33661abbf15888a07e9d77edc465a39911492daa3a7f3854a081f1c099055ca034bf2c3051a3e3b89a3bba56d7d0394b8dafc4a5d32d6a2e9a459a72a5874da011ce1fba698bc5004fef10eb9174955f8c2e8ebd6fd879304fa0261631999ae144e904d58af1f8942dc9e5ca7f4d9cfe325e21839f1a5416754e3a8516c8cb44918d614060a876dec4ec9d178553af480f2ce021419e34c0c94183c6d69518f4429707ee433551cece21aeed9871baa3f661ee0c9d188fe58107842664dbfd62703be0be82b8434ccac61ea1e8eba609411a4e8eba9b5b706cafc22684f7c4702a8a6c04584f95f62e4be8452920ceb06606589a502c41ec5524daeeb527b84af3eabbea7b4cbef34b62a2503f32ee7713668e637336e51042a109fc7447f0c5a29b5a8daeb2347cd393f097f57bc1f4cce1fc8e2f4d7df8e1962fc8d60ef1857db7040147606d0ab30e6192c549eb49f22d93b3ac7dab5c309746d564db0c4b2a7298d9204d703cc6926423e0ef97fcf64dc459b3c709e1cc8cdecbd9ccbe0d9767bab9204ef39273aed5607963a86db08cd32d7294a1167404f0827b905a0d9d72440b221a637094f2b9d7a278356a10ce2791bcd5fb948c0711036192df7d0d5c48d1874351d90b385a81952499fdee3d0feec349b148cfdf69ef89b4ebe2b49eadb9a67e9b329c8106ca2ba96919501820294489a53721d194571c01e21a3a742862d0dcfcc80ad2533c35d68a40b4c052ce26c6ddd1e99f1d195534858ccd4bd86ebbdb9548d00dec3e65cd5e99dd701d86452208d00dde644c74a928ae4014e22c40646a5cd68ff740ce9e45a8df5cf11d7e42b7ea56f67ac9de7f581eb01ce9951c251e19e9a8750b4b08742d94582cc348589220beb8630d293d8fccac127e160da78f942d86e3b6ac03084bbd5c0d8dd69a6d9dd81e118ae7b703ba2bd0373cb93794f10584e0920700efe62c2c3fa3d3ab5ab310bb08eb714d597a531593a283a56a195e61d190410e9101cb3eefd7ebdb59c72735bd614a50693b8b5f8d60974a2886355ce6ef33290cfb0fa4cfef47db3f54742057dd6f449dabb06806736e96587368d0cf
2cc8d6b5d88c2880c58b60c28dcf8ef8b8183348fa7c958ed5867a13a897f830f6050b4dc6971bda930a175bf1e8922471362a3d8924497465c5db18371bf6138d7d43599eb498bf42589250bf81a17eac6876d939939b377c5a2d36034d0946b9fccce67b753e705ccc014560bae394f9433bce16b8eed5cb857cd575b4bf406878fb325cbe98a0ad637b90613a4d4fb9c59d9885f2c16d44fe43a5209c49b0e6c4d300f5d7cf93d3aa5483c5884c6a457d035c1a68c4f55ff153d8115584def9cb093a5fc8176f57699d9736a63d3dbb5cff0c286985e81026ef6ddd660ca636c4e2ce29b85e7cf0053850ac8b35ef628f9d26aa7d43aff1f9bb4bd4573df7fa4594aebe69d7f9b3495a2ad47a79d430cf9853c334c4fa0808dd39cdb61a009decb23137377c84422f37b2d37801d7cabae0ee026534d57111a549f872ef6c401a9f438da15462b8ff7b124a18b04d3f9f5f5d9412dd0b902f455a5b91e4eda472e2c79e09e6595e3327ff1fa25a22abfe7249b3b75d9d3c28514a156ea721fab6a1d5ab86c6651aed8e4ce344290bc50191a9827190c4e111cdd866f1218e0e580b4677e2f3dedb97b62dfc1707038f562ce1b112b154a008c87e7d7e0d57a54de120e06285984db8837486d9b88208375ad5e672362d6cfee921b4bd99f3d9ce654ac9746713ceba947d45fb77879dedd89cfa09ef8b36279a3966216bc7e6737f8352d6acf7839d547e6c8f60197937af1ef1c40d7a8d68b37389465c1a253f509a1ef224ace5d352a45103638b4aee55edbc86b4ed1b8c57bde8305ef11ae3b7dbfda735141d5c5109ce18cabccb84b84af3f5a7c7d15f47ee7b2ad7dd16165537e9cca3a286f0e1c329ea9aacf5e7cbed343388cbdfc846c09717d35037a73c48e0df81e0a743845332b783185824e43b09e4fb3c3af605c568d967a679086b305e1b20e31d83627d5a186fcdf6853134da031a6038f8ddc96b056db1005c4c9866ef831e20a14e29395102f6aae11bf7e9df48511dba8e0939362a20faf369a7848f12e390d89f5a6c020d43b97756fb4d9ae1bc02025fb5099fac5e5c60eece74b99dc3259abb6fb1a28bb134f9cf89ec17cc0ce8d76575c3e16e59e48271fee7193354e41affea19b6840767244b7903a4ea44d3c541301a6db9aa403dbc7f961b03b4e253ecf4392e1fc170b81a62594157271dd89825510c10c502603366b4dbef6b112b7a2c68f50f189cbe6a187caec6abab643abf8943eb2889a818f314b0b7dafb178b2a4898efae1b18953ebe25a503024c9d7cc61213d332f76871dc6e57b42ba6185fde1926a745c8660f433b16c10262ddce1f4ef61440e94ccf4ec05c68a350f7fd6bc53809af8296005fc48ccf4681eb6387d0830dad5cb6b78ea04463
3e9c07714d5231ff329cacec19254403f55eb1064b9d900babb4bdcede3169bd43c8205bdc10a33bb48952afd1361e3dcbee0928ddcefa310f262abffc71a009b57c5bec4f8c7376813f5858712d46a053dd4cb4a7b3ba6dc5cc6f14fd6ab8a8ff6842972b91f5478818caa679859639ec8c8d4315a4e60634e03b7d38f638dab4724704a4b1158a0ca18f353ab2567cc3c4af0372b50f2457fd58791aa15bac8f0e089bb2fccf3616df85d579d99dd36742c5636aa79a0a81d2f482d5e349c25f53466b8590deef67eb326c67843629037394937ab5f63cbd9b005fcbe6ddadc1e42607a8a9ebebfc0cc67102d78c3c30fa219f054f256fb0ebcb86dfd1b53412cad52e1b1af8db229187c0ac79ec7f694451705aa508baf79dccfb074a08518757dc1b1ebb6b9690dcf987c1e89192b611819b5139c1a387f111b99f64443eef1a174289e0b5a5121b1e049f34c2bdc44375852269ad6e79fad6ecd78400d788f337a8c6a4f763d51cc7acafdf26cabb4f2d4c26d7f041a876e74f600758cbc497fc3ef5a1562af0047a278504f321b219e81af6130b0a0c7ea0664e6e173a87c3bec8c9f6bc7648a3765c2e04e62f71d03e12f97c971f63c34f2be07d8e702744370e818a690ab2ac354dc43d0a57aae77897679665d14f9b51e74856ef47548d9ffd8879ce92fb17b37d0e82927901fc93bf4b83c26584150fdb31caa28753bc146a37f4ed3088461a79ac84d4b770b0379b303efe3bd29b03642ef42e182571943f99715c4e836dad10262e0b1ac46525eb5a04cfac7fddac48482e5144f3be1eed50994371262df1617e1c339ab0da7daf130cee62f1d8d29cb4d3a80159dbb4c2d76468dffb16e6f0121b97f63639f9833656b0a31882eb95de199c7a82eb9af95cca03a4cb0b16c8757e4524b9ddc0ca0defe255411ab47699351ea8ae0e06279769899c3964c71183850e7b17c488567c74547242b7b863c6d6add597b46769a4eeb41f383e79c8b186b77afca4875cb377809dfafe197e440d07cec9f1fc2d588d206282cec08ca99ec3b31bf38102a297ae26804390ce1e5a3f21771a9856ac0ac9d94519fa79b4cf9e09ca292f8f01c1ff6f038cd8f05ce647240ac71bcd3c1f1e561705077ae8551d218bba050ee59fbe09d983bd690703cbccfefa6cce9535f0cbb9365eaf1fd46a823f254d143c85f9045cf1a4d1432350465585f888ba1be810f479a97f1691530145bb5c0f77d01f607dc801ee3a2a7d1f5e1245183e91ed4170121abd7e7fac429c1476fc332e7d9ba5ecb4a63cc9bd343ec1104abab38504706f1f53bb5bf2e2fc2393389144d7f3871051aea5846c976e4f7d4f0b73d8299f0a545842eda16924b5008e31a5306c961f7dd9d00a428c02f8e37d0e199270
a27515ae73472eb9d8b20ce24053873cd123250efac0c95b86cabc4b096f0df6c9f69fbec30489b0f1b53d81c3331a2dac9435eaf7334fb55e0127b1097adcb21b38da9d2d674de21b836e836391f05de168fc4fc1d79c61af1bb79d88b422a9219d00bbfb997cddc992a9a85257ab84e0b9118069c25bbe4e539f850919b6815a776b515627eac1069d2138c7a847cabbf7edc86334a98882d9eaf580c42ea2ce1ad8381c35353184740d9f2d0e4e6d2f1c5a62ebdfb4aff0ab01d78586afa3b9975e32c270547e0eac603357a92686ed42fbc437535d4cbea0e67a9d0a24d30a6e0063ca3d7a92c167c2b3a5bc16f0bc7a903261df582444cfbe6d584549fb67ace7e358252f0c69d3c2e16ce07ee39b66ebaee381efdcc7eee9a45bc9ffb0a1a834a894093be1200f2128cf5de140ae726a569570ea1175592ed2708752425c165cf761bebe4c59e55deb288a18c7a034b71e9a352617d417a0b7008404732cb1f5a5de959ab865301e6a3526dab2ecc25b2f162abaf3e851e945a31c30e09edb32c65ff7dc25d76dd2a146f888ba0e2367c8479d5be598125a6d57e60e6ecfc362c61d8066254297e8c0854ecdf8268b83ef3be802342be14292d51dca07937dcb6a374651e3c54dbf3e5d8e8b0c956e78916612c6aa0407352a5f4fca1af086c212659a6493081ab05e5abc6a929b1c5c3a9e375cc8b5067ff145830d9702c7381ea21e21e448cbbbf19bc5d0efe82c5324bd15596ddd7a2e7da4f1e4ef42baba96fad664ebf06b178ae923cd76d0f346ea3cf090aa209d4e2cac9787804af2daad3436ea0ed675e75087a0e3e861d9e03cf1b43ac1354d525bf4cb0abb4cb5e32a55c8ff0ed9e109e10a97c0d5a651c0e066a7e11173218b17c9331d94a98c812e23afebbcb915e3bc88cd49dd74d4b63a099fbd2a270f1edc1c23ba93f2d8b0952f958f7768f6a5be0f4843ffd7cc0334adb9f21540fa356174b7f7ff9537477f78b8b5cbc6d59994fa7092aac0b50e253c9304904754c2b848141fe57400bfcec940e3cd4735300cd2970a8612de4f35571f12e77cf3004112795f38bd7344686fd378e14cb2a59d0f93f02ca35d3a13ee66be128f5aa341883b699a87365f15950183681a4dbd7626cb78c2324e7ee1fa5823239cd6d5b4851e06c7e4d1670117b7935211f340e3e8b398440aeb253c8c9c6b3ece94e33fa5c1ac5b9559bd485220b09494f82ecf4c63be96122864c6ac4595c6edb38555bafa58627ddb0a64f9a2890110a44a4a75ba83cc1713d316af0dc15105d7f85433db0fa5f3c1cc27f8b7dc170f84fa476624eb5ad8a9f74aca45bd638f19adb63203cb60a1cd61e1ca386267455f546a985f6ae4b1e0566daa33acae1db01b4cb13b513186038b5e2d08b8ec
0e1a0619b0c0de1e08ebc9076c25367bef919287e2d105da4985a45cb5bd34557f55b3958fe07185b4315280406207a4c28f557abac99b93aa6ec7615a405a83603e8900c013380ef8ffd7c5285bbb976f5f680cc5e0d67948f450e47c5efb3b3e4d252060efa0a1e4310bf5487480586881f49676e64a9b1b3309d75aae70a3fa8a967f0576b18477e87e6a5dbb9e8e1eb365c3c12152f140cccf6fad11218622053e7e8978712955c4b537558a5ca9ae6ed0f6d20d3adebee1c1174d990c97c6fd387ff527c3717fd3fecddc2379015461e0ef1270d03810bbd44d03c9548744990ab84df2e961b272bdd889bb59e588d0772dadb5e41461331e7a0d85e065c4016ca40a0b18c6163c3d84edea32efeb2cf6123d6b64d0f6b980f89ceb9caf62854fa1d026c0dd965cba5216b7d2755fa4c7384d77d006bd0bb0db39063dde7a6c244feb5d745c48a893f3f46ee091e832f6d114dff8bc0fb8be91060c28f2ccaf6c3aa3d066e9579829a7f39f36682e4e8e47a9c0186e1528a97bc8c155cd0b1e2ef43a6712fdf84546e84e18c1000e9dcc1eaa7f0138bad6fe137be123a8cbcc399c8f49f3854fcfbec9b7d034be5cf7b9b39c804065fabcc5dceef8ec6e9cff42b9aa7a4135c9e42e4da3b8c7db3cba3cde41917368cb3d2c50ee9cc81e0983312d52c116e260758270929980323ad9eeb5b29655674cbcd7a77b12cc6a89d31afcd831720b283449cd87cee6f63dcc55908f19a10c97e264264cc9f14264d5646c3728b63d8aee045b4e4a4f2bc9103b81b5ab97729b083e849a891f27d4a41f6f97a85c81f703695b1ee5a45b8e95a8d58b4c8efa5fc3f6c10cbd4aeebbee4ca7a1e2fdf197d8b01ab64c8808846f374f1ba9aab06f0be4ef6537f4b5cde1d41e281b45dc9f77b8e9ddd066285c5088d9bdd5fabd6ccfa6a138989c214e87ae9c21e28e0a3892ac267f3778930833d90f7d65c33c8990b43b18a30b730b82282a933d22249706a21e516f4144e08195c9aff5056c68c3cb78fc246cb255c3293254f325fb4149977a1c8d1ae6c17f47024ea5c267bf2fd52f91c42fa2477958683e33cfbb2c01f42d21c7cc7ac96ac9fcfa030030ecf95b97569466adf3663c4ab8428b10e096a03059c5db55b445c486dd0750c6e95f3b081492d193b4c3d879849f1d59e558d0c84fe46e97f85bd1bd158bbcbdb5058d66e10f4b785ceb39a2e0940295369d58e4ab3f9d360ba1f08a1306b3e4ab28d14d0652ebfa8dd4011775dc77410d296e0b9747ad446a851a1185f82202d84052e1f01baed09470a0742722224365f0c3ab00293a84643568b36c2a9e9db2f723b232982a3532647e8cdfe45f2ac4b348a7ca5f1b29b199c9c1eabb9b475d30727adfb73c5c631f75c030c2e30d
a1afbc0991bd246b5011e1c3b1663bd0d24f6d135b3025e6b30b0bd64c323b02376de98cffc6727ca9f12ce4f88e99ca67f1eed3260e26596a1c1464674b38da151b470f501e6f936820448dec3bbb564e0ce79ecd21d3d4d8f5732747e3f9c14c7bdfcda194d50c6da3898b1fe9f65a06bcf04bdb0c5ef86b0358a9ee8786e4f20ed30535c8057934a28bb8bc81909a779ac3a5ae9c82021b700e37b2c9443ed2af742f97458ea50ac965c6b31d5f12494bbdf884a66f81f879e4b1c9e28a191631ab71c7a4672d663d563bb0b62c82176cb1c0685b07e662b0dd0aa66a1c36666311e9feba90be9479b38a268a94ce26b992bdefcf04d90b85a7e1ed30883acf162a504b35ef88bcfbf933962b804fcd5850e4a23dee62f2febe03a63f6074637e75dc4ac3c33e2a8c0a794c0f7ec4a2eb99023ffb398dfec22bc0221ab320c11a004042775316eb0fd5c4697ca7a19de0943323bcd0c566816299810236fc9fe576f41be808a5442ff7b1cd1a4ba8f1119b6191c1371c75c61bb7bedf95226c0aea22139777285324f052acfec873de5da629a99c75f8ef70ed33fb47a2712127cb2d6b79e23657dff6eb4f13903d9e0db788b268d94368d332ea55c067346b2a13fdecf34e57ddca370a3d86a03f2e93a88c71031cb418afe036cfc35b532f60416d0005811398633af0015a5ec75f47a0183cdaa52e92a5813966adcba1e784c539f58d136f6e25a73dda0f33507b11f82a7bea1673f96d702065c87ee6408103610ddcb252a85bb22a2e34cd136b9720a8747508f5929908da6d9b2a3377fb9363514b24fb17c884067bcd6200614394eff78ec3c62660c006874c7a595149fa25f0582830e7484523ffbcd3094c0d08d22441debba0400633f4081c7306eaae9b38044dd11da2ab0436589a0d244aee003049f0e1347799679de5c8ed8f155cf648093fde2933fec97fb69df07e18b6984f4f4ecb2bcaf74ecf38d4eca96ddb692d977546e6f26e52d45c2a7de16b75fefa3beba96b36741591b46ba24df1a8de44768c41569458acb8605dd2edf305f00982079c93a6aaedc955992166c367476dcb8fbfe7f86c4446b5b014fda58d49e0651f0be952d76110541849921683cfced3178cb15f9920d6825a865302516bbc15c32503855658844a6b33767d712f631523ad7f56233f55025950fd0aa9732266243070bfaa7136f3f821169ba3d015d71770b22fa46632079c47a1a23e9c53eecb1b3f955bfb5350214687b1d943a5e77ff937aac9424362ccbf6eafecde9661924ca33962cd2ef9796b27248b20779360ebe11a3bf2d4459756ce235880b318dea65f9bcd7fcba6a33de5f50cc27047e492eb138cc4591ae1c5fe34cf6d3a64b3eb0d02ba2d22698e8678cb8d899671544e
de6b8921145a2849fff42b427aca7f7bb243d853e46ae18efab9107179ebb86f7c8a81ea015983273f2e4c29a0470ef8832ae2c214adea2b3f01936a3d2eccfcd6105d04e7b09346ed3aa304c2db87202c918658f431d579f6946f51613d395b984e7567b2d301ca8b2685bdfa0833c643008f89dd20a440e5b244af0035d5925617ed84707a5473431eb61fca3c5b10de22400a2eb0eddcd8a5134c7916316366e1bf8a3020739cedb85a4dc8aeed1282407526dd7da644baf2034e29bb6caa05374fde9a9109eabebc0482bf4b59875cb120b34f5e9ee8a0b85948e8db59b5fea4bfcd3caebfff3aeec731045ef384e2e15770dc759df8a09cc007717845c18db806f075cc76a2d156dbbdd3876298b677c31716dd37b76f4cfa635bba9898afb11d480a825b6f97b1515fb0b8b6e42a63d95122d6462c951a9779b1158de5eae17db71e3f2bdb86a4f09da628d828234a35eec94352e1388618f78b5f1cddb4753e4ec94204c36cfc9468d378d9ccf2333c3ebd4c04788de26de37989c82bbebf44c64f9d45a1e662fc25141f41bee53d890de898b3e699d6de74e2e1b90c606753168c893730df2a00cf624c3b34f8cd4a43c4ab63ea0a6ed7cd52fc5c6c68a57fda3936cea35f547535a45debdd69bfa886d282b22086529c2a69c6bc0bb6f11762badba6309aef54ad27a3e6895b4a90131d6df547a114326d2874483b2fac339ae3a934fc989d7b666903b4e90af08535e9ff279dd76c874341347343a2e26aa76cae3405eab7ddad8c3a60f8347d30d8feadc041549473d197955b91f7b738327c04ac34516477c1de75009ae8951ea020acc5a497043e970f0a67a693ac7b4a48e19d52d553d893b1fadadf219cc922a9aac10f8c7d7e0e549bd84657842d3d9830733396da1c1e2a88724b469171697439c884a379dd3943d10c27df424260ce8bdf91113cdba1507a01e59de6c0474852032dd54e8b620c9ba7c3736e34fd16c665ef10902cd1c596b2af6ce83f5d0add77b4559403756b79e041f5573418f12706053f4c726666b4d79a3df6fb4613a8a87ee5ae2bddc369175d7b1ac4d033910ad2f00b61fb1c1586da8ba4d3011899edeffe9bdba511d5bdca105adf1fc6e3d9d659ebef369e9acbc004d395a9f5fb96d4be3400b688d5f05f9ce43a7d87bead0b202bd588209b2a3e835f3804a809fd5cd1216bf93a14469e42ff95846c974fa6fb62b2021e71a31e1e66b3821780a90cafdfc7345e5a937a803ee4d3a5051a68b0dddd3ec70b7002ba20d54003de6d185e2e43cd33b87e6d3cc4589fa890054f39a40783522c092f7205310bb4216d08273a2467006d57c66adc3599995d25702a79a75eeae658aa06af9cf2492b4ee3c18e73965b8dc2615ea1ae7efa407f5e
2751b91794bd28c57f7e652ca1a50d9fdc0dc165482fc13801910d77cf4ae987a8e67d8e19fe9e002ab55e997b977b0541c7c8c4e76871ef700b8f0c47e73d3d4473c17ff30da32779b8d1b1a289046038e606590d5aa672c11c3650859c3c31b412e1385a7f5f4b9a3cf757eb8cf64e2f6298fdfc68d659eab6fa1baddd0695ea5c97d50cfefd518ec8357f739435170382b6033691b54600890e20205b8683c47d7d436ebf42c7e7c117d38175467f0d24af74d412ad77b9f2535154a012be7cc5f01242345356f24b64793c6e34ac53683b169db9c29ccbed4f79fd4174426bffcde651db4c796333fedf446a5ca1fd98780bfab32cb02e23dd2532bc6ee5cddd9cae2ecdd90902d01b22b8b2d522d8049b0cf890d4f807b1ef23a871362edcb7bf11df5a056f2ed1d855d9d268bed624587a29c1c2116e6fa2756fd1869b956e999e5baa07ded7bf5899e9bf9b92c157e93ce9d34fa87ebdd1c2d8a88e33acbb4c7d0dd4f4e469bc6249f93e1b11efeff0a49171dcca566f0d3ae8e66fe659816db503833351febdc802b58bcd0531c5f1a9aacab91dac6dd7fc534d6a8ef2f2b9549e0261ba19a633041bc73044c7c52406195f0edfbc223eaf922e70769ad2bcd00ffe5130c6e1f70b5b520ce3efd8cf2a2688d2965697cfc1108c15301f157a598830d7e0f38f6f66fa965e141233242c30f555dca8480793e45ec30d7fcac73f077ab5e6e10363e1039fc4bd1401aad0669d2b15dd5b6fb3c2ce020ed6ef87ed28f1c056fd48bd934515896d69011ebf8f2710603b546b61b2ff4283287d833360826bc8c10b51eb90aec5481a1904f52c2e0b6680863e52ea691db2f48a7f7dfa12a8cf26d3da8377e6486a417e10849cdf1cf67577343184d2b5b4085d6e1a933f81f77fb50878d263eba1be1246552d8572b36d8dca0fe9e2c90178f335e4a75de232d67e1f7a7557bda375094bc6af447522d64ff6b89057f8e467a90d8e7578aaa91cb37a1a2c886c9fd933d0a938d6483bf7c10da4e861e7e73077bddc1923da616e8c073355559318b2d518b0fb4d76d86a01af9fb2812a12819f7692db73bd4d9dc02b89192acdc0322f3fab51b4e27fd94454c891165e41830423ed14b9f42d6131d4ac22076a5577020615a6fb9e8c444cb2bae4b957f55d36e7708acba083a42a33bfcc0fa1302ba0897df69d3289fc9e3094a7ff849325b6c723c305271e369ba8e705bf9be5b78f97681edf1ab07106077304be151512008fefdea23e3bc84ddd0e03fd919be860d797dc6550f067122a685a58ff810057b0a1ff35545a62b617b3cf85859a5962302fb7f6f660e0a840f823039b6a5ec186599b9428deef3899ffe6bb69e8d4584daef04243011819ee52f08c7eb62146e8e43c7c3836
f9cfc3b330a56719ad32215896d23176cf46886a80cfe4961b7c29b6b35d07907e9d05cb66e2c5e1e7b5959ff1ea53696fdc6fbda789a16892eeff4f99a2f5b951d04fb01a9dfa4e1a422e5a75e7504ab530f2e5283747897af16b9e468edc921ba3a3bd4132dd7a2881531865e0a858cbabce180e9f1d20faf2ef90e8bc74139d608f34246cac9894d0872db0fe2b0469a64f7ba507be62d54f7cc069df2617f93ea94c888e1b7e1630b00f16ff12699033bf800d4680ca196ba4381a383e11fbb90dbb071fa109aa054cdcc00a9be4d0a118f21cdd487a14c8e02a4260b62d44cb3bb8de6b6decd86f461328b89a9e56137a1ed2ac6f72464262e0de7239b2b61082c0b6ec2e2cd8679c0669bf3f95c4c3cfbda5f9b6d01ce316d8a6890507f4eec10dc24e73599f5732d8fb388fede07545a6135fd72d8ae5340b189c83602cd9e68c4614297a9c73983825d1eeed7a6f852811f2853ab5d82e477e4048ced6cc74583abb5ffa5e83a256dbcd574693cb43663e7b555f19af242e9c232e3618e724d732dc5f5f402a9e3145db2c5d57e229104a72be2f9cc8cd9be7a51b8c364e4271731f6d2574db5523bbf86b6a54abe98e05e08378a50db14adab782b693c3e38b9fae76ac7a92d99ac54cc22ab02c4da5ba9bb2d6c061290fe1f718d27079881ea1b8c2f009bc30fef95d1137334c3e3076e3708fed585f24c566e462ec23217e0c743847e32dda3f562f6290d4d078ed29b67d3e8489199b3bce09a25bdc779f332b9400424d02decface9f5b035d6e4015da8c21b15a0de7d24176f267a653c518d48ab85d884345d5b9dab8a1b3ce718b4da4ac17557d4a45e18d8ad4e12b5dd890c226ce720b529bfc708055f2705282f516b76884a65b3e36dd5e3a996aa49045d3d04af3f1608ff8c8e128894cc60d434e24e4f7a37e43b848e3d97a233be44b0d871cb13337347efd0bd39236aa8ba98d816d069aba2989a871e08693ac0d36aabf9f816172b73104e5261dbf21aaccf71af5a23c24749506f8b3f607212672447a7479ee9fe0cfb8278cff53d16601ba84f767c9ade2f650a65dc98c6ce825196c0ad677623d7d08496abb32ec48d4e41b38765e47784316e59e29b800cdac01733c165d995d7a2da4364de947c8ba5a8d92277453f75da3eb0ebfea55f6f4a81316138d98707c26d82909947d8b10f8eede8c962a6971e43bc0cdbf3d336e1a2b26d8bc193d3f3ddac7d0bc8bf8469191583bfd74e3ec7bbe6d65ce9439b78f0b2b961459e33c15e5b394faa0a1031e81248ba57a29c5fb967f904dad09a5ec165e6779009c3290eedb2cfb436337f76a090129183cc06c6ad31916e2608b4f75bc937456909ef3e42616ea7a61632744b2e26b23a49a9292577491ece6a0c1f
ac4d8b799d73a6b851a45faae4c096c11064e3868f198931c0bb31684c73958083a4aa38934989c9b65f6a9eb741faf69471e8323db69e64488a3742dd4b39b8e48d223b2149aee19aa788561bbfa180786cd147d0beaa1353cb83804d3f8baf651a2170a240ad0d7aff2c6598dfff27e990960e307b6aae80a41ea5bc1108e2acc8281f821937f32434fa05aa4065663bcbf8c78f9d865fba140c4ee44394ab6618528f74282477f1bdca5e46fc6d94166397de69a592e7c8c065913742cbb7c0967d07a33047d9c4a4e01d9faae52046bdbb2bee22abc65cf068ad3d3265ec6dc1553c514ad41c15c436b98d77642b8fa63eeb38d6efd2d7d90ba7ac034337238a342fa1c6d7bbb1ca43a9f3035c4a5f16757fb521f1d45ff3e81defa599088c33a866ce7efa466af415ea22e54bbc60ed404cd12dc0a7d21f8a3b6211edf4feba8913a54df4f0c6148c41ffacbce903085f797481a93a20fb199abd400758d81746df44cc4112e3490899e058e7cb25e1a4ff90175b12ea03b5eae7ea66bfc54106c9d600f0015a43d2d322fa52bc7a12acaf93c38781d5bfc4f6d07a57a937a1a59eaf2277c9c498a878ca89fc7dcded6d91f54e66e563f06319cd818daf054f3d2ed62c13257862084e5246d1b99089f9239eb18403e6a098c354815d978dd27f4f0fe1f0483358c92821a65b7b601d98936b1906bae272bd8a45067826e4e0ebdd1efa253b0c178315c7ddfb658fddd1d6cc01703fb4b6a5244451d4b220d6a67f42de30df871fb81e416f2c39a8aec52c22d5359777fc624be2d7eca7859832b956c05c130930b7304194863913156cb36d5e772a780f334abbfbbc59269e71fced1b39faee80a60e5b440117bdbb9dc5f8de0e01de14b1551d85e96b6fc02a383929e1016254a27d2ce2e10b21bd7344707465488b8186b01e6ca347499c4ddde942b522395e05d0a681fad00618e9765d5945db954818e5b846395187ef5e1fe2a25be1d48055fbe9bcb9673f9b4d6d9a40daa3d99707c45f6b298e71c8a98b4cc6b4a838e0a64303c9f799638699feec8641ba6c3f97ad6bc641c193c29d1ccb9f910878acc0f486a29a8e9a7ccf4582b1e1fe0b71b8ca688395cc0bfce5851713eb34d4a4d444cf29721b7fec0294a1fe949ddfffbcf550b75b89fafddb2676f6e14b6bbeb5ffc357037c5db4736b80369323ec14e8634394dba9c347451e8a351a28e4bbb9265e18460b7fac0e272edeff89eed69e85a3f45c9d4b56225c34e3146905f40ed44a69325a58a01cfb6609c1b320fc80048f1ad7dfb5aac1288275653b6d07d3765cdb45b64f9905c25f828ce61d42f8c310addac2e74ce83e429e6c29249de2094e90015f432ceeee273db535f59a7b4de6506c7ea84665236e9a4224
e7ac6a3abeb227a3911e683d5ec4588a680dd786bd6b632f3b092549215440064314b8523768341faf0154925b228504f8ebb69e760451afddc79ba57195d76a5003b01b013a4d264605108446ab17d1d57d6838c62cc10ffdef3b02769246c7e69917ee9bac22bba79391463f7db1c3be1948faf63b7df86d39818265a5719f4b7f2ab0413efa5b87952e112ffa74ceef99dffd8822da76e2162b51055fae76a996e4dff4c02df53c108245217a8a9c65683fe1bc2710b7e29b6963cbb21cdaf3d83cd1a91543faf5226e2e77099fdd4a90528f7209347c44c195f2dd897d6b66b341540721c5988e7502e10c40a04a4dd5e30f8f380b612f6d651818184f278a98079830d75b8e2c2b8ae5a7d3d2dda66e6c889761f9613fdefc418013e691e87dde8e18b83b6948248f8292672fe54e6bfa709870c9cbfefd114734b70459955ee7a04b2f7b814b1b3535e64c39a0f157d81f863ac8beeeef806d5afb4350b28bc07bf2bdb6249697ee1798b85ca3078e3683b4dd7dc68e44a05ce5d0763a608f0ddfad90ba08652c8f143447937d1104398343d6faf6586d2a45250b3f5973c3deaf26fa4e4a52e4bacd4f99ed7e76668c3597404a28f31746f94c12c5f65b1b57f338cf936e7c55f6e9aa5ee608efdc4b706674bf07423a30e8538122849903c6a0a7b814a41852f8b4c1dd136c31f548f54853bf10fea0d147d420b9b63e4cba3d68b18254114c68cb21e9cb60241aac96a308b70138fd441d5b0d1f3fe589e4b963ed18490a45914bd40cfa03d4e130ff3be37b12b63052c2210e90447330654900a9c00cf8edeb4884f9fd09f4009cddf0b7ae23d7a04ea3d02871215d5b8286d1adde59dd572cef31b375ab5e9a128de765ece13dbbd11f7be8ceafb7cfd07debf8ed1cc7e2d70b8f6ad57f16272d83e3ff3087d000c1f0aa1ba1e380c12f4abd810d40fb78f160e03ced14c6ebfca4dbe80a3c398df7216f8661d4179e4527e1ba0be1bc846d76670dd6740fa4165e3eb6b7f0980de86c9f2bfe31780a9c8cbf60d046ac604b60e2d850021e79014ec3722f06ca33a3fe047043bd0326d54db57658fb3170f602b25ecd1f1e7e3e6654897974ef8ab0248d3eb4bf4860ec45abe703ac33971bbb16eaea69d0480956c298596d1a90487ed5517850c726354820f18c0997c9116f12c148de2a663fe4810c1aff6a5e05f350c42187920b98dda54c35da5f6285e687b306278fb9e429f8db1f1e38c998acf318456e293d182b3612df2505bd4e63769bce1d0bb23078eeb5b4ec09d92a1bb293c47ace0dc768b35f807ba31546a84ce3bca34b58e0a575763ffc308bd64c5c339daf909767ff62820c90c427a58fe9bc2979525e1209f56f708a266ce14356ed3847031d73c3eee8cf1d
2d27122cb432a90f35b19dd053ba6738a3c6b5606c2221c3d5fd28283911cc71eb74f0e397f1feca139f6c6c8e0f9f5c12786a42157845183a76716725f7e7e5dae6645a736337a49b83e152ca6afe45d6748f7f4c496f736d96e8b10ee74c71c003550a4be8bdaa56101b7d9bd0027aaa6900e58fcc77772ad493a8a613603c3bc32927dd2c2455923e924bd66c5d7ec7937fe0f3a6f2eba16463480711142963da156cb9ed2c1a4f5a3c541eb1358565687f6f6206e0414d610b4122beb2adc9f521af15af9db87b6adbc8205183582bf1c916d0ce050a0ecdefc24353d00d435d6b07ffd1eeec39b3154f654f733a5c95371168b86be13932cc0df2d27c487d0d6860be3c5c5e7e209157b32f709f2def27bc38662629d054fc4b51510b62a1a53795ad5936e8afc2a1f410334df60fd2a66079f9c6065868b75e2699f15bd07ffec14ffbfc54cc40c4a01dede88fe3b34303867194afbf3810a0b3aaa1aab621d572479c5b8dfc7ed5bc233dee16b56401698a9fa5c0d12b5dd0e3f4db43eba06bc3445ceb95e5594af8221f884fb6ebf7a65691eb7cb67e844e32ea088105e35e96cbee00c323bacb35e0607e3ec9ac48eabe223de34074925d459abadd5e76c79220aae51aa78d558c5d3dbe2d0bcfe8727337372fc414388104662bd2baa1e840d9d6e594c3e2f7e89d626208d6ec0a5e203530081951de4b62347488f79af8bdbd26c5679379abbab3a7ce861197292af472a71a5c459944b7439b13b4649764aff5096182c10a71c1815d3bfe77e183c93af8d78007c204862cd4022da552901ca37328546a62acbda72427c8b1c345be78330f623004b388dcfb05a6f5e007362f70da614d08645b2ad355716b8231946950218b14971ecdffafc99bb657995b7959b9503d97ebe08340edbc45e2714b9975161c56b070e00a0553261b466b198e4686f097c14ea9212feef595529ad03b617e6a1c6bca1d3cd23e321eb694d37bdc83f36bf23e3d581555366f6c575ea8221fff4b25fb9fbd69e9f024e7c5aea79cc96e66501eed51d4f3763a92dbe7ccc296f9373afef9b18bd5d2ec48c44b5c5f7f5255a5fcfca7c9d9f176fa5ab4ad6812c8aebace697645887b33463eda823b1285380db9a63aabb7057d8b7832a50f083f72834dd5a19e9099598fd155a827228a95572754096720a754c6cb488884bc5b2078558f39ef9135312271720ad6b13ff397c7d2f97c28f4ceb2286d5c59512f6d8859c5668d74faa8f13f9adb520ff42d18a7521bf5bfac4216d193217fa222178bbe75d1ef215dab17326d47fe3166e0f6de5ed889e906791edcecae3df5bf113884e95adbd600cb07aa372bb95ded3fd88ef7fb5397a243783134794cadbf514ce633089bf1059222b0b43a4e07
694a33480b180d10d5e7db4e678a144337e2a482f8e5d2dad6c4c15ec9f89ff641c46d2b5f77e045722bd706e6893faff3f4a2eb87a7751850b9092b05a9b81f901e2b180c1793515863b5b97601b20f26bdb9021fc20d6668fdbe555f2839c2fb275b10b047ba757ca3b7a01695a0407468e0b96bc8825ebba00273f21de02825f6db3c0d5db001285e5c16f4292532f6c9484f1b6e1d208d9c33621d66bddc1229df59eb12a27bfcec3cca6a83a2d217b6219ec4262e13650ed233750649d41c94c449659a09a7e320e0c5baa04750717b948fbb59ee30eef68054fc5d78af32b77593afccb04d31930c9c13874d3462845ea68ea7b4ef4e09dcd3aa8e32acdb473d2d6973f64846f8137e5a29505a6e29bb2342107b333c2c52f4dcae0114eb09215db428d4d870396f918a2b66fa02ad8e7a6831b6225428c0aa82b31d330be622d0439d0cab77cd1067c327b9b76ab619cac5660183863039545102db106586cc9663f4c57390fbc9a61211bf330a362644c23c1d9d61c567f30c661502961a55ed5135a273c5a60ac7115a20b8c6e0c544a252d63b446e8d36a93f4baa6af482ee89b72522ae090466072c7efd4e9577a50b89b33bd58cbd926281a63d776eed85982b46c5782bca2abbf9c2a4f494ea5373453b3ed9059262d081518754094367893772e2ffa11eeda145aea80ccb114afa3d41baf632c29777759731618b2ba0b27467612154db70052a3054b46705b30f48a543e36e2a80b6485ac73b650819fbdc0981ac5af93f930a93c026139e1ab88ffed59377d396cd43794439db3c8675cbc95865dc59f523cf60cc9458dc55d8ef9e124daa7dc4a2113f22f19dfe24e2c286e76b517ea0ee654602f30a09c58c46df9c48625a939eb217f0f7675175bcb2718fb938dc5e7c3c0608f73905ed94c64e033cdec10070d979b0d6f1f8c15c45a42eaefa27f3485b3e72681406a2b0971d9e106c5e538e40ff6a2499b627ecb5ff2fef9d3cd42812c22a965828495e2a89f2657aafbc389c21e8abdfc0f7a13346538d352c968c05b45850ac585ed5a667f07f33033c546f11c0d1dc150c6d9cb94e9722fd3d1b1a57aef79319ffc6d087cc60039840865f0e5cf978a06b5d18f08864d433d5310d98cc32dff4b373ea1ce8783caff58d1bb9c687abb74de768dd3078a013f72e0a87ebc88871bb3e3aab075242a00473566c4c13c17645d9df37e50a6128c7edf26bad4cacc140355df5b313be464b4eef7a211c2467cdee511f4fc5b803e4bef5ac1aae85e1c9b772d4d5a879e35f11997f11ff1a09598aa171c5c05d3694382a80d466e0ccce376dd92a6ee85e7906137ba3f934aa6a97761abe99ea0270754d73f9a04aee8853fa4350f55780393a3d156844fc35897ef0ae4f
987041b1166954f8d96114734a777e8ac21a7bd5c5c7b02f5cd38ad2160ac9060973a91a58c36c60564981209620d88ecb44b56fcec157cf1dd518b22b0da5fff82a3e444a48f3f2f1e3cc23a08847c99e074704669294ecd576378deae6cd1c99871a513b3bc3b68198e6b18b2913c3733b378b6cb54bf966f429342f959bdc6c3db2a53eb3bb20a31974858e7f232b4324e1ef0048b9a71244c6cd2c3edfa20e1cfde955e2bf9044ba4f105ded26b2c7a95ec1283849e5f5eb1c578580cb3aa2026f072e7256136adb7fe23918b3cf703e11d8a5674d72726505bf90be55447bed894cde5c266ebe02fa26b167125320e47da1229d4e7b6101c0ab3ad58a0c99c1a60c7540460c914ad9da5fccf3eb1e6970b29a801a2bead23270c8eea61d84ea0db431043a183353864b693398d96267d7375b483d810a1c717dd68540c82bf828ed7290fbee27362e66ecb4f00b7a97e676e06c319fd2b2db6d56f6ebd50eba9dd30a1aeae5892dd51d2442e73c4facb36eb05d0c9592a6a5544e3467aaf6707852a5b464438c80f3e004b761fbe0047e39043d10b4995384c19e8f0797ff770a12fc9914fc7707083aa7392757debe027b051fb9374bfbf826892b2d9f52dba07cdbb024126e77a65a8230982d8d5216e26d9abe79d4e11149b160fdbe2098f60fdb11049a2f33a53b1d86716902c238d83c587d429315c0e887c0a6e81b24c93ca6deb7fd0142cb781e0fbb32767d20c7a5e4624526aaa4547bc192b43854fda8ed1b64810cb79079de920904f5e35313d7acb8334cedce1dc173e222c374d85c74df41edcbe894d57829e6461fbc21532a87f930ea6cbfad678af4987bcc58fcd035550b00e73615e4c581adef7a90639aba3a37c913ffeb17ed58e0bfe8b71c321ccd62ef13c73b7526c322ffabd04713fd83722895432efdaaa76a162e48b881f830029865773559e648959f368b60a58185ea62be84f3116445c0def90f4db6d8c64ac032bd734f9cfea0da8a670d3227a99b0687bbd5f01e1cf45b300745a628bb61835976afc8d49c40e31288065894c816eee600d179fd387f85f0bb9ebaebf8c1fcd2361ec5ae837e9169e5f164e0b4add81daa50f8e94a5d44e5845f49fc07dd10a68cdd6d2f8102f25a2da3103a9dd6e60267212833d684e28f20316ffe1b663647147f84e3d7130731160ae9b35aa2ef8c83cfbaf2268007c5c896a360948a8bb4370f6a6b6612f1fc8ef38cfa514fdd33580f048ad31697fd2ec177d4d27d8b4f6f591eb0c6cb48972012647f9dc77f6091adc0c5feef2b188942d81febaaa8470c2fd3edb621f1fc953924b38802c563c2ce2c35bb57503d09858b90671f0847dbb94608a0956d9267bfaab36e58f17586fbb7b747e51152ed1cc1966b26
2c0a77b08d521a0cf8d9790b82b6dd54b5082b152ec06c8bb7ed3574af7d813f2de720a80a9145173d886bb0ae641334cde508bf49f34dd65a31e6c1a188f323258e782c819106c7bf5bd7e1ea0865dcbe31f04e4e6aedb1abf869f8b424d4cd1a9b4d74b7999cd9572b575c89ed30ae8c072f9c403bcbe237d06dbce991b05bf5ab04a1df6634acfd289d6e8b05b5cb252008a2d0fd2fae67ffa56c0ef17b6e077dad36911d9fd909fb00f66e20182f6b496d30dd00d38a3020e394f1b66d69a0043609c7b70c0e9b4c7ba3dac140c60767e463bad88631ee5af9757e89be88e9fb89a783bde3aac1e0a0a44fc5c820330822f3969ef9508e24bea9dc68165d7cb8a10c227aea4780e19a010a451893cb6f29656b34bc202b4191faf3b2c965ba3c3d750b77560bc2335ddaf63557f3fdb2ea421c505224103cd6228964aed3677b68485c38942860b14f18e95b2409bae164684aae856207b6a17e1aa569f93634d1b922daabc0c423feb28d7c4bb3b32b6cb761f01912ca12ba023882af2d80b215f54ac3aa6d4c2dc1d2ad9e4f88799ffc0d8b19b379827177d75a82e2d661b20d75c2620011f89592b5a6acd861706e9ed56a779272583a3c60f479864e667fc8e214a413eacb563bdd584c594ce633d3f10bee3713d453e32f147f5bdc7a4e775ecf20eb883e6d4e866fcfd99bcc41fa8e3266d48b97f0a218892233536fa25141a46d5a41f7ae4713297a2f95ce0e6661d2116a05601a346210f5ffc0dad79efd531156be2cb07ab6be8bc58ed98cfa69bab6ceb638dbc8d97b6d44603bd96c204acce5cfb677fc80e5f7cd9058fe77100fa41da58b4dde00bf5481400422a1e1ba54ab8e4b80c22434e80a2f016149f0899f6663bdf9a89e201ebb69aad3c37748b71756ab35c358765bb77d1289716fe89899f49f22ef736b90b17516e1cc8d9e91e172d56a6361dfc06fa10852005be0b013bc0a528e56da8b69e30cbde3567f0750f99daf96c64e35280245861c092de0865bcb2913156f08a84ef7ead5a357408b244c61b26e34da3a80fc82e1485beecf5377d3d95d77eb3dd11979789b9bc24fde7698f7103891419eacdcd32e5287e79a72db4338c986d3df9a04182e18ee200551ebce1f3351bc0728cf3b59d5d95345092625e9406d14bf8a53348e279e518096d98018af438d87686ecd02bf442d73e46511c8e8fc553a58f9faa99ae9fbae97154ed855c7e85caf2d980d267684c6dfdd7bc5e6fe5db46b4ed64567df9b38a71bd49ec38802b91c8515efc7aadb278381685ccd253f2ef88ad1cd987cb10ab5de4bd8de8faa6c567b5a072c2403e92976e87e1749b995d5da1b23369c70d7e009151bd3163f1d1e69755546882a1b0c57b1cf48fd62a8c46b8b56ccc84dd2
799d0bb0a3be9121eef3f860cd1aba1da5c4491cf117a09c330a08b3aa5c00c7f91a898ffa405cae4fb84ee3033e44a808b309eb89ceefa81e65bef7d27672b2e0aea89b8522c3ba136df5241c4ff20469351ad28e8f2e3645a01e0a8ac15181b247ac95b91a08d0f184d166f4fc19f98148f2193ad2a6fd39c9a06160198615123b884b3318821348cf5bdccb04ff6bc8cb876fde4588c3244e2aeb2e8d24b1775a942a41ac7d274155b8910c3685d4146fe5400c17e83e8288a560acbd6a819f80024e548ac5881d6faad171b6223c5883defb2d5fcfae9ef86d046bc7a24f69fb9b1d661178caf72fda94b29cf03ed188a7452a9e8fe9f0d1e0ce0c6ddec550dfa0281b007a752235cb63ef66ccdd05591067516523a813ab7186f2be8d8f88092628ed50b8b8fe3355e963ce181b2a7761640b6433596c330ebdea5437d2579f795810a1d1353e2a7eecd868c23debf3b417a43d71bba4e9114c64a7743e762ba34fbcb9002ac936e869f95a24d9558b952470f6fb124a7a107d2934da909278593aba7c7143ca0cf802f957a3f8e0557451c216f82c1750fd74baeb0a414786eabab18a5cb1826f9800c471c23dd7ad43d497565c078a75e3d02f6dc72cbd9488849389af509d5f8b64a4ca215ef6b148fb4ab9b52e72181945cb6d64b951976c34c315bc7edc2705838ae09e821ce5b1821bb3d5d409dd6542745dd5a74aa6276add2d479c6f16c1b868d7856256c93c6d4d4a2f630ff40363e0a07182bb4131eee6fbd18a236da2adaaf6a7b70660874d7296f69e9309668c75e4a5f8144f93348a4a8141c2d1885546047f343a096eb255735a9590b9714bb5263b3bcae7a467c6356f50af9d49ee572ec529f2bf3894675d554334c1ea92c5fa121de3ef1b9f74cd953aca996d23ab6decd343ac53e2f99a249fb988f4ca796c0a849798f0f97495c10b9a0c8509c4bcff637662696949efc09251a06a22c22603847584330cfea0375d8c5bdce8dc49574865afbdb3673a76d91a4dc0eb7e3adf438a8f0c8c03dcccfdedddf4d44abac93d84d8f73a7a4bd8d0bd07122410bf9215dca11ff32e98eb1739b26e71890a21ea173ff62382c56bda1514776e65d36924e2590790e812d24cd2aac5752a02dcca068a4c5f4eb69a707280721e755d3601a2a18ded5eeb61fdbe7dae292976137780bb94cdc30a247223a39f94b324d9d013da3189c2cff87cdb6c2d60b271f33094db4ef5dcf9ed72fc21244c9cd4be4d3328e815f5101643868abb4e50de054c95554316f3a827016dd9474787d3403472ccf47484cacf52ba3865dd233b99e6884bb09536e65175f4ab58e9b138fb659f29a216225a1a89c94a0a537ce70f69001aa8b3f3e9c271d7acc8f61da6d9f9b0beda683fe87e40
e61240ba431223cf98fed0ce930bf8e44edb42afcf54fc10c46f93b8c4d70d5b305507e6a5e2ed79b32085b7598a90659d2d929def4026ef7e9fc489bd22160929a0892c3897226fe63b54424aad314454ebe080e29ecc3e6172cf0f64fb2566a77813fd0f03df52f7542399a134cf6bdb23b01276ff2d6e2db82661fb1aa69388e55c087c3897309940477ed3e222f860eec00e012404ae81c6ca35f1ae7400e0aececf33348bb4adba665abcfbaea95ced173132f6d6298c2899cd6184f9e9d2f62e9d5c07177a3de17f59e7ef60600c3b741af36e7764ce2cb376ca9646f1134e89a0187662fe24c7be0973779d4f5bb3dcd05d8ef4e3481bba1d7199149d1b34c074640a8a2d9614a1d3f2547837c9dadcba164da6cb5899f85554640792f0d3e5076cbec862732dd8dda895695efbaa77ca0ca967630df62d746780e82cc16a066ed736889c9f3c533bc4340b3046ea8bf75707daaceee2c7582f179b1f1259b03b4bbbcc510768bd494b4ddbe27db9ac24aca119bc04175752328c5bf91e4995392c98d934ae13ebb92756e4bbb80053c1dbd56d7989a0d13f81a62f05a33653ea10edee1b38ce2608ec8c2ef69152bd442c79463e563ba7c5461ef96d170b0640a7566e56e510e66cc795f71d9d728ae1b235e72b546f7b3219d05c4bcc39ac269cf69f1c301d228060b8093322378b1684c6c396271cedb32989cb13da07022dae62db8a489b32bdc5989a7266528c5857a43f0cea8a8926aec1a732603fb80ff5b0342f17092f2f4ba5e9fc4e49bd96405824578c2543fb27c32f3299060de4b11c12678da6aa215e2a02cfc99a602405b130495b699483143274e1429794df198ad773abcfa16a6417fbe9fa64f97f8037dc80b0ab21821058990c4775a052079a1adcdc89deb0ecd2f1e916b0d77489438857c462ad98eb4d601e6c313c8c590e3543b4ddf31bdcc2fa83e193c74688dd1c5f8df7cd9b0401f2c67ea55fbc47fbcc3d8289d548fa058ac480d71d8d4fc4c48c1f1b82e1777e298002e97af72a4966807b9bee4f244cd8bd2a8c37ad5a91a520e30a43142ee4c8e9d1f106ce5b108b71508d67aabed8332800f1383514748c57b2d2689432bf826d7894ffe86f7f2e7cee69d461060f21b37de45abb6e7d15025bca8ff9b582a6fd4ac7f9d61cb356592f4a3ec762c5027af675d65b73a5ff5a8337c42bba72b71df49a0ed42e9feec65dfd4d96d79c7a4ecc2f51bb2cc056300d941505de6bbafcbddf7c663e48aa5fbe9978ca1789b794b6bf4fad0b7efd18c30a0e3641c4ffb3531d1fbebb11e01784279e61dce68db708f838839433ab24268c36123367d20cdd91cf0302452e23b83b3118d8dff460701ada0c6d61b7d054e9dc07d5460ea91e16103a26290962
affac4aa486c29e18056ab56dc87c2f0215ccb7ff553427bf38e76488b38bcedef19033fa05ddb5a4c9f352337914ed1acf852adc9a8355a231741ef9b82db7178a93f302a39dd1feff376a21e469a72dc59abfe41624aeded1a0af7a20d89551f8e4af0b1ceb5d934c5ee7e9cd0497d660d0d58513de8ec71f89384ce4f3047f5c5e599c444f52d7080f266785d9cc950d723ec588edeea7e743f477b50ef6d493cb350bbb867f9367b65ccbe52a03674f284a08d36bc50aab4a3f0c91dd68acf6d2b5c605484b94dc331257feb5b3b8128aab2a441d7c04eadc7521e6ba756e3d7e69a3a2f41cc71d7115f4adec5eeced9cd516171ec3bd6106ce196783e946a23aab8dac73f2559f59a998dae80cdc54d83aff7a88a9622bce3045511cb77de14789832efe7340fbac4ff25a7883ad5bca41741a3144a0f9c5b8d2f03ded15b72415cb3447cb621409481b4501eea8cfb8ab6ae53b9d0095aea90fb84c7160ecaa8d04b2a2f757a24c75599472e7c6f629279d57ab897ca4b84398f1841aa0acdb7cc208455e9ddba3db8095aa6e31a5e5a284946b26db2706951d5a6ca7b33354839fb8a424cced92f9db490534b27c93678e362b5a2c12041827004abcf80b3c9f7659fb1b2c671002796b86869b29388d5df277289535c976fb56ea1a938cebf824f2e9093ffa058e41264abb4eb08edb505e51c0f9bfe3d4f97e52e84884793d4db290692fb25cd68509390f1ae6869ec8dca8a824279a455ab7db604e563bf6096755f838e5b4087380035f2041426ac0014fcc4c5decdc74453cb407616c57ce736039464e998b8fee6d423bb377a16a2b1fd8adc418abaaabdb2bee541a5c312d8454a36b4b1c718ce74e862da4a9e239da612f3f07d529e46251d85629242c7b0d4f5370f7ecbdacdf9ee925d7b717455ee78f11f99c94ad4cc2f8c598e845226669251292287987019a6d4df23999c46783f66d9c0d1ab4df572c972c9e837993bfa68bfaeee52c98211dc9e0c1b254e7c23bb6a05de76d7005e2fa82d4d2ac444f31a45b31fbd4237f2805cbb18111e091f182ee7d43501c1e4e1ae69997d7dde527b01bafb92482ba3870ce8211b9779a1479f168676371e606ec9c4da411283c845839f2440f6b9373d901653a26e45ae2145ad6ef2ef5729d9eabe50cb51d17eabd72e08a61a428a1a336836eed361e9a4d1cb2f312d7b3e5765f054edd1d7477076db18592b8b880c78f1ad6b9d6e680729b906d8e44652fcdb628d7e0ac1b5ddc8ffa2fa26710aca2989d3e5dc0ad481829c9dcfa99f5560e3aa2ec5f11c1fc995a14e2959cf492b07002cd80c066ffd4bca1e0c5f8628717daf7eb3cbbbe2542e3f5a18c9ba54d56bec9f52f0310635fcf92df6a4738cdf845a3caf7b3859
edf9220f291dba1aac89c07693dd220763739798b687cd6b27d896a692536ad7e847ccac64984cf9ae18174d0c23109f82cc943b004e07ac6741045dc0cd4a302257b6bd4eeea0d0f3e7af93f1b3abe724ece35482f2afe205ed2265824302454e8a29bfc39e943232b7afb435e7517d6ce926c5fdd49ecac1be18435ff5665d0f724a2bc2d22f19a6c1428e2f686419b124cc76861f3070ebcbd99812cb10ecb357a0e1171ee64a67237762927adf9784ab9033f6b566f7218fa67109f9607fce2a4b8b74a3cd5a9ceafa4ce0b38be85144505c0bdc18a49ad0ca23051d563d14af02e2ec8147e8f2bc0bd30c69debfe2c170dda04de73fc777aea45027e56805a4b8c3fbf09315da5b05de928df4397977b26ce3e54d36643b0e229cfa6f832085fb3008c03e924a5b6232fd0a82c1b1b91967fa5a1b166c67f05ee6481d895f21aae704825fd44a635c29ac3ce0f5aa28262d845f4cd0891134ca5846a6b62ce7fc90a6bae5304eb0f533838b522a74365e6ec1957375d09c511d221439dc8f17d4b90e298815d7b9df23dac9a6adfc2608c062d1328de36b9b8390b330a99d50590d7d3f566e11022f7c066869422260b693c06e38b025157442b473e97b7eb2b4365e494f813a99c695447bd3155199597ca8ffe224b08d3fe81eb80afc5f2c5ca9778754251d8c7e35b063855d66cdb5ebd722d444c4654989edde1fbc78d2647b041148a159414b94805b0c76eaa242886d8b45f3f98489cbcfaeadbdcf2ac5ebc6b32e684d7467e63e935a6cdefaa3f78f8ee8a00ff9da25feb8fce6fff1033231a4aef0725907534f174e5386484fa18b781f3f6894affba4d496deeecc374f4b3e69f95a5997c8978a4e0a29c470b32864261d08d5679796ee633a6230d2b2f71e9f219df7e95d4042b3cc991352e50715c5ef56dc07afe11509d905b2d357bf03b2366582ff9d473c9a559670a4dbf02d215c5b3367a1bf08adb7cc5c208a2264906b67d4d9ba2a15f146549578b20aed14013f42dd268aaad8e2979bb51c5ed81988e6030b6f5082d1cc212ba2e2c8b8084ff0e72490f0d14048a507beccfabd6d4b683bd7dbf4bd65a45809166b207b187a310fb2558df0caca91362dc72c3ae5d2def3c16a8f4b96fef21f76d1b7ef57c93917976d0384d06f0bd1dd8088d777eb6c1bccd68fcd68efa860cea38018e46668210d678b248f53f83f0c4b922e8de99a6e734289991e1046a1291b249874de24687c24b3070d7e8024f47973570660787b0854a229b014e38ba8dd1d12250b899e46df956ddc02ee440a577756fa0052a305b3dcd21aa4013be057a6fbd43b579a5d57d3edf2c74d83114b96e55d601d5076eb3d113311ee1abae22fa5ea7107b8e20bce63e2806e395e86db9302fb
cb1e66a7f03158d508a06c17fd81560cf48196ac12813c7f1c7a2920121f26194210632af96a2372a96bab8f2b237d9260ec7e9c5fee28d4571c3f74a47ffc4303f794f6d161061c63eab2d6b71e6fa6601edbe0228a47e62b5ec8fe591c147545b74d57c098e2373cc1cda4a35d1c3c40a5a5baa4af89d1c21cdbc2c4d8ba4db7b3c58db287ab79f63ac779d6e812776e143a32e12746ed3b1c8cffde5300b2428c5eaac80d63dc69242c83f86bf7166a42a0f70daf00a005f6cdea71cc02a75490f185f6e3b1524b3de595df869652a502aeaa9873a10960387b3b8610e53e84ef62f4d211f81c8bbe4639bfcd02664574f80dd9904b9552c0ddb1f0bec77868f116325e82208b93b11e559ca17259c7c2be47ccfa0a6e87dc081b2bafb7cb9fe41eede8bce6c2ffb156294d436b814ca9b222339711efcec9e5dde3cb9ee5773a96a8a241247d69cfce4a51c8713b85d11e2fa1ba53adb8290701aed0a755b97b7e2c6304566911de3181a6515c056c7a484e3910d1974eeb9eb862109884781881aa681a43e1dad8780c4ded42fb4d6a19437e8d523ca01401e3a4bccaf17b3f8eb98e7826490ca1ee44df361c39c9e9f9623fa86c7fbe46a4a55b70576332372930c4768eb910d4aa4df356327ac851f87cba7637b991577987b46d7020c118452833a683f7aa9953afc3faff0997011415fbdf8088418027b990b62d7ae15dd99a2789b53f20fb9dfac425ba5116bfc0bb903a851ecfae1895bc86a1d50ccd869b29d7ae0b9a6833bf16ffeb0f65ed4be2cbdb742456010cfd1eaab378d1b394ff3366b9000a79bc0573ce4ca6ae5946650c94c192b6c84699ed64b44c59fc890e510a8f6c4e2430f482f4ed9bd7501790bd9f7362e34afe53a0dc6aae15dfa531b85c837af2ea7ac9ebdfb2f960e6a4d18890ee9afe1a4d2c7c4a2046e2d260fab484a9b62752fac90214633b10472fb143c66e41a7d5904750f3ab61f10731c9fb11df99417bfb57f277ac9808d7e1ddd05e4840c5fca77f16bda3ea2e8defbb0455e03df458c1407fd6e4ee34fb5b264f8a83cf1437992202c4bd4195f5abdc136fabf9bc6e04202587cc87cd8254e7393839cb35fed61fc6c6cd1ee20845b79f418cd04cb533e82c42e956d7bb781f1ecad11e440593c9cffc2e6ffec8d21e04c3f80fd29c4abcba1110f8fdc9c16e9f8f0c0bc0e82bbcb43b46b597b48b94e73d106553d51de33b5fce8c0f183446085b690738464f6ca44ab07d8fe63df04d9462632449644b970c5db757d7f1d8d8da3c5244d8b85e958ac52a34079f5712bd1e586abc64aee4fd75a62800f202a5082261ef2e549999a96a1ca69e7382b59a3f702fe96746a8bcf917ec39556adaccb91e84d0345d789b0c14b09a7249e8143023
294e08e55c69a8e15447d15e4856929051f64c760d4ad8501db3a4d9ae65d39060f27c78582f0e772b9f57eb748fef6a3061136f908cfafebee6b3295dc7e15aafe03cd975f9318560ea75002dc70b2e27c64cf8459c63aa7f1cd3abb5a2b28bb797b557c4cf05c56102deddfd954c39800a55db62e79bf256d763e8f854ce3d075ed2efd27e8c6d6558602bcf7c4be0036c6ada79ed34db5995b36e2da666f36f7bf5565c8f5a265acbd909cbb1c8b874214682e64a852f6aecc7354f81da36cc00de2c2cd22163837a7c9bebe44fc520a1564213a939dfa2b11f531d246460861022e78e7745316cbe2f212238fd22bb1e3d0813136b0ee7816b0db76e47ac08ff9a103d2b946d0b656bfaead6af2e3d766a853f8cb09bc3b53295d2e21cb9e34cbf4e8a6075e8973d74e8a01cb78b660149dd6c0380ff8e6d59430d542920d62bb915d74d2503d6a0b49377a618a757476f538719e36013409579661e04ff86f916cccf3a7aa895da4323364961c6b340c9b82c7200abbb1cdef23da98ef8a7942a8b633f7f6984abbead113210042bdd6e99b69f8d7e65bb1fff7d5c4c98a54754871d53440c86c1a4c228fec4bb090335c5528aff48ef3ce9ddcdb3c1ab44ceee0093f74382f93c5b66c45b9d9b2ef7bd92677397c9181f1f53d90c49939a4e9481a1d22548e7d6f727be762bacb6c58cc7224ef4c5279abe6cc5849c216c2f69d41460cab2e6e96a43d7f3b08c74b15e2f9af245c8749acc8eb7f93f19eaa2255f82a532d8acc5c7d7ae0553fbe847d658f7e47d2c770ac02a72df9cd764cd47e29a552b6d28d3c8340fb672adf10a8921a0e361d59e48eaaca7a7c931e5603cbbbd3ffb37a7f4aeeddff8ae56e5c37f1407a78a986c4aa3e19919e9c2c93fb921e72ae93c3b030853722d03cf59baf3cb086e3e3e4047d51c64f28ccfe468a6d492f824ee68eabb4dc6788a745ee23faa23810dc3196a7d6a64eb7a7c42ce6afa846840604bbe0ad77319fd41a59aaa40e83ff99a5a5d1543bb828894f9f1e79000f3d0fd21883aeed024ec5d0ff5190e7ed6ad7ede9b3524de15799b28bc2bd9568c654f9100a47a2e8e4d1042b2a2401ea990359fbe1ea9c5a23a8c9d52ed8b01cc65c942e136a862f7be5fbb30f438f8bc84d599bc18d4fc1275da1c1b3f64d03d25e9daa63bf2537ff257f591c55af5f56402fe83d18f9257527bad9b2ac65d35407d4b0a43c58356c606b85fe56c387ddbbefcda8a71cffcb29193a51209748d8021d5d123540e50954fc4131d2535681a6799944605b79b4de9fb12c0db182d6204df04db4cb28da9e41753cc3dee7658483efe54115bcb68017d65af0ed4ae29939d6c8da3b3c6b23dbd1c86877c9513fb8d2aa04870f212a4d5d0261d8067997e
4618fa3675db86b472589bae3f9e6246b83187a84b2cbd8194548c2651b2e32430835d6e1392c0729e5e718e5455c5548c7ade623de02991ef30b34647622c8961eb14d305634d59844af5550e99858de852451fb4bc9b589e5fb2960b1e056cac90d3c75b17cf2caf98e261a3c4f24d848902f186ff916e776f65e9cbc0a84afc58d7b97352e3d73d0bcac5b8930dc5180788fbceb260a0a8ddaf68116b467874c4a2388713f8aae969fe09fdf1aa072ca5fba6239b27fa1d1bf5a77a50d5334b61c855bc2a494ef4844471be8a02f04dc9b182e48bcf8f44440f897de9bdf03cdddc340a0a225dc4fc89b6a65f3685ee414e26bd9d998b7d764e6da265c15efe857e226574c16c5fd9ab2e7bce95e9c61b356f39029b7b2d293d2e96548ccb21637f4e10c5911c73d3feafa76f760c8eadedc2599e0f1330f95905e694b601028742518c3b31df3c8981ab7640fc86e6873ec0659e08375b7beaf648ef96b7061341153491199b5da75e217cb88ce407e1b5a1ecc4b2e7e8db7238ee1914834e2903317fc40fe42129af84835bf647f90af2ad6bbdef712a2a96cc822e6c40a65ebffbf37d022be19d16a8249640e0349da99e4afcfe04b618dece4713eb74ad58984f1625e32d9bd266fb9cee63d3c71ce16abd1ea5f6ea1f4a91b70ef74e0a919f34e9ba8277df39b047f759a8bacac75fac20ccabb5f2e6f60e3436711c5711955c7742dd6d9e8a9b83d5cccd5ae3448b25cdb35ecc8f20a4c34bddc374ee9167f7fcd2f6a2cee9672ba4eeacbbc98574db1988c71e8212e2d35dd0f303691c4191990bdbcc3fb770d59b0a90433bb2dfb3539ed007bf529702031fcf429fe0bda4abfc427a9fe71a1a94bb264ee88dbb8c31f222adffd9ddbfe46feccd67655fd944bd4751466a59d69ea36d910e2c9b4111a955ff14d46ff6e6afe568231dedf800a90773cc1f8f956617ac44a2eb6e64b88ed5a07b943321c63a02ed711854f4b60a299dad987a82933961600db05a2f4eb7846a8d01cc22bc4529502c9ed664cd90f5d2f2a4d50334b4c41f45838d5de74a6b2b558ea1d1b34dc21d7f7d0fd6c01967852ff0e0f40fee4dadb242b7b8e7af4cea79842215e4baf008ccbbaa475006f25340c392534d4ede113ea0245c73bc624af6de72d50562eee999a5b98ee53bd69c1b1bd999328456e154b7430f2f228749328e25233b5c598ec8b9e5352814fb3fd15a7112c0a8f9855dd55ff6b747777f93cd15a07f118657a267dbdc51d30e9681fe89851f5a6c7b6b4527a97753d0784a9f60406b54b47028407e177c43888278968fe637e336cbef51ee438608d052efa715c874fccea267e400a305c22a2357d9c5afda431e0adf26ca41c978f202792fc1589ba7ccbf9900e1c9e35e9ba5
843c864f8eb28d226b2f3c3212ad02100d8971672190f56a6e058f70daf9764cb86c36d677f42e06bb291b4ac3be2e1dadfecf2807eb62eb065a91dddedaccd8cce08fcef4488ec725be165765f60ddc628b555952449cd8a2ddd50e06f6244184b7266a2eae1db9a0e951ea4b80f1d973011a1ddfa3a0adf2ea03ba520c9025c3de01faeff8b74cd343efa2e886d18a50861dcce0941de826c5cd4cd9adfa4658faf8ca8f1bdd5fdd2742f55528f190b974c1d756126dd587bce6c0a54310103fcb750b4b0b97e032f7f3c1a64c5b37e51fa88305f735c6acad068a4fd8836049f9b1ba83ab3bb7301370429538601a0d2599aa1fb71085703f000f0f00ca386cc2f6600c0948caec2451f373494db089f4337cff642ab03059174ceb2a20ce3f8d2ed77ecde59855dc6a380fa0a9f1e0fb9dfd007ae1af1f101dd154ed5bdba618715261795b60ab5079d085634559da89134c141da8ab660c12d3e85bd90081478e8a0e2653d26c303bcc58721189d02688e9b7f0cb8d26a0c011f3b31611ca63f519fc1d5152f0aaa2fb599ee719b9f5e3e6a5e00173f87d9b3fb9eada124df2d95b0bceb55c984b1230f93bf8e114dbdffe2d7df566f596a628212bc50cac930df46bbcf3b28ccabc05f33c8c529e54fea057949a50aa183d2be6a17c3c825622793c0f8c93ac0ca3cdc1b748273d6f9a20cc09f2ee1f1bffd215a3def20886bab9047c227bda97d87752df8914d7dd0361b4b089611b5a4bce46fbdbb65709ea7b6026201a121eacad55bb8d0065555593d44d604d8c567f6ffa29d3f1cbb69b68402e85c0d5d951e74a46ffc4fb77711d0a3e28e4718d2a6d2f2118d98660d8920e914013caa24e3580ea7bd689f2aea02af380c1d7eba106c5ceced9e6070d00edd5f776a631fb83d021c0b410999c0cf55f0867ad828881d62677b3fa39c4d83f24b737220ed4f125b7c74cad934c3baf98a7583a6d5919271d7d7da84b360eac3b27a6505770f1b92305481dc6a0eda80c5ae69c90851e0283525020904fde991ed16da489bb25b2c82bdcb2a013130d49e7a35969497d7bbbfda112262a294ca959c005620144fb17448866da6e10cb6241ba38b1588dba72ffb8d04cd84e6d4ca0bc590f2be21aa223b0d5ff9ce06295fcdcb728a8ec85d92bc6fa270fd93f0ff4a0610c9904986a43d1275560ab2f50b3f5ffd5e860e8047f5c97e1d77d2643090508c3809da67ce192cdc9edc7f62941807ce1ff296fa1b8ab53b8da2d7e009be69e4213a0b76fb0bfd573f41d8bcf751686c41340713bfd76dc91ec0d7650cfa3c827631de51b70424d1d75d8f5e7c02d3344e2bd4d0eb848842c2d5a61f37b03986639a19b48974d943124edff77c84e57107974a4cf44cfac12d09cfaf96f5b
914f9bdeacf9ad1c561486f5beaa92c9eb3fb975009cea69df9c0b2ed1c2a67ffe6b9a32b964ad127cf224479732005f66bb8a3270b013e12b74cec9cdcf24de84f4c74bca46c58e1dceed2fe2f79d4ad4963b129396deb616f878c8efff2998d96ae66aa3ddf059369457dbd321fe13bc50debeb8675c5c57e20e652741cc9e9dd84d3b30711947299b438c3dafa4146f4491c799822338acb8355dfe2633639f199f44e4ecb21e00a94cae6aee4e283d0db21dda8b618c6660ec344c11904aefe8bb5d977100e8ee4dbef63b9f353130e284923efde506b315af747a360b8adf718a63a7b8d5423b32dc484df2c552ff396cff605a228d54913202c3f6ee7e8042a4499675735569481fd5ec03610cee19c161f524ada7461afcb61a75d1b4d8b030ef3cc7d9880d2bd7aac7892ad0ed4784c15036d2456db2f0c082cee850a6d7ad435575f821a7cc5276d628b5c17f0a02d9df2ca6f62e6dad864ec46531c49fbbfdeabf6391563a0b8612d79272f222d85226918f128f50cd94753cf1f375cda5c9c5fcffc326c5f2d9d7790bf55ff665f7ae3029f983f1e9b0d8de6c0d239b36ac79bd43093839a8a7e3fb02fa8c47f6152e00b3bc4510728bbe5f8ebf24d6125a781e5c88e1c71c0b84f0179020c849936206cd98cac5bad53934a44e04b1803b0f2090b2c090eda5adcbb6787cce9aea155064290b05504a58e9d9539512ea246f1119f80148bebdd2490d7542a393258583ec4ff745458626abb729244137b67d7566fab4cbf3e2adda931509bb7d7dede5106db43a7639ae428cb33716e91019f784768682a0f0484b0d3f61104c52029a45a43488595d70357457010ad8bfc37c38fd0ab5536c20d18e40718e04cc8ac529432d6168ed48b95790ee9c6581b6d3b3fc14a3a864d6858c58af0ff02689d9de1b47f58fc0a8fc5780ea1742204e73be47c87121cca8662930a36eadca33487359f1a0f298971d83ec5562b2a9f32e69ea409cfc55bdac633b0ff384cab1d47ab47ae03c435d518ea5686e038a048b5df7241e51e884ed590392968919bd32593d6af5eeebdbd12f55820c138fd6c77e74d247b3cb28a70216615720c4bfd09d7068fd7cfadf7293fd6dfdf13a96867cda9db64b71255bece80bb8e376b4628c1a0064406e28a9656286941f1536c3375b908072c42c63a58bfca416497a4c84d917b89574f736c99d821569e2c785ffaefc545e4560d1425260d27cddd471137f17f76b7dd2029666f0a27d3194644d366f051c3066639a34d8636db5b8991911bf15743b23bed633305c4355ac820b85e7aa6c65e95ebdc68afcf1214ce569ecb575f760810da7edd05f5c8889a6e9d9940d2705702990860f3dc4d93b7230e94b1e317192bfafe8f8b5cd5ab7b1a791
7a6dca13cc5956deabde65b1ba3e84e1f91dcf2ac6f0fa7c9ec942f2d7003b8167139dd2d6eedbab9d882131808a73c39554d3621aa75636ec73a1a8e30c697f4784f901eae702b4c5a7916341642f4790589b84b5c9a9f1999be3e29745154cbafe19ee29df11e231217e3475aafc3260f0dacbae05c74a9ed6c8856a84449611c67677be04ac0c31253aef76a3d5f6f431ea74f117fa76a3a888fa533b7bd84b0bea1948751790127e106b26a4c20160d53eba82f316c15bb17387bd3d0f9fa45005bc7630ee47538cae45ffe236400e4107dc9b5da5ced163acc49d85e2749208d218421f4e197be52bd75db2ea073b0cfa6fcec7ba7f2274cf7bacff7e459ce37317f72f084ee8f8dc573495dcef970a2e630013da40f5fdfea42578864d532aea7790e0319ddb4c93764b4a6a3d3269ac34f05acb211e4022245ffa64c46081ba910e8de2662a714e637d5dc0d46f83d85653799c7b22c931a5ee9f5b5365f23110721edd3c8812a5a124e0828042a9d9e5cf4934a3ee44a1550bf41fce8a14bbf372b01c3891cfab88560804bd838eb145ea51f219fa325fc175f38e63ad4fb30fd0ddf0062f871f3d5cdf557c3c8b6a02c2bdd7ae243193572e6df06281e3996b2e288f0375720afdc44206175839c50cf33fce705cbd6f65dbff9122946c8668bdedb016914e418145b104fa7c0d76b42ad8864ebbf916b03baae9591c473d60d3590c92e2803a7804c6012d5b011e96c6dd5248ab2c4e78e9402bc49a036017c1cdea653de71f4b998f553bb34a9b6b7538de01fd27d52d2d2523fe3a596f1c6e90e0da6ed3296d9690d3afe291f34d40ae76eb1bf7cbf61514ff3b32399794afba583849887aebe463814461251d08116c9b6c05db158ca15071e993e08ca0c49af4d23c1f7631df7fb7b5236d76d6aac8e6f8ac33688e94bf875c428c90ac2cfd16c7b19b959125953b2ebc38c478d97adf89921379a682622c107a466983e1d4a018dfa27608f21a9051535cbf4760f5631dea4df7758208d827dddeb18301af4c0f9597ace619b1e695647ee17770b85453bf2a3894ccb1894ff65616cf29327898ccdc544d64fdac5a3e4b01b063ea1a68546607e7b51465b58d60cd94c7b514a5c559724e6b1f802a0591e00b75679cbbc8eabbacc17c03f7449562dd8ac34249e7290f22d0173c5efb34c92de42910034f2e5ed65d04e6709355a9ea7c58fd5fe3f85f009bf204864560aca7a879fb5e26483c90647ab0d46f4bacbdf8430a76b8a94150d70b8db44340157d0b9fbc03225e33d63c44441836ddfe85649d2f1179fa96d5ec5583f6d01ad2e415b9683980f331843080e89110fd593687a6b767ac47b49e9704f26eba543c28dd26889e5d8107720d11e92a761f5021f77d2df4
ed85c65d7d86c65bb68f149be503b93641e56922d9981593d5178eb25570be83dace578564123db5db6058d98d00d09cda503372ab65602e3dd7b63fd8e2fd8fda5f53dc29cb2bcdff527db0d49625716334bf5e3dfc4224968c0a9de9258e2e0a0a6bf16dd6667ff4cb598da611120e330de93acdc96048a638959c76e0bbf2938996639c6e324181b1fc70c7ce91988c32613840b7b6ae89b5886e7592ef39353583c62fb9a6742efab711e6c65507ae8dc66e85fb09c81db26c741dfc6a2ae64bcbca671ff426ba3a2b4f23db884b0945e0bbfadb90c62077bf729e7df1b1c20bdf15f7b1d549c63e056aa31312bd32c1d455ff18fe865f4704f0b3c1f8b4add3b2d6f1b4d70c97ece5faeade75da3846145b0cf4d308e8472b41990bcb7ac1e7868eb814c6d1dca980583d250a50974474e9f79032a80c34f44abe3d19a04f4059359d4bc6b38afd1f27254c00e7cdd1c4e5e501e2f99ca0d58f5010a5bb19101ad9001491a69378038b464d793d4832af28a2e7266cc61b9a82c01ea9deea974b5e386a239e93a7e8f986915900589b615b780213bfa24f56b425dc7456e1fe70dc57d0e1bc3069b0fdc6024ea813e0e2554223b0fb1991d841e539104c30adb0a685c24a04fcd6d0409d2dffb949352218df4d80978c64249798213b6c4368468cae0f61d636cd1f57fc99cc27f9feac4380a896449562ebfdbdbd89cb567422ab617ccd41d674c400907fc51b12e1a9ef2b35dd1dea86625a9819ffffc4cf2bf0a090fbb323bb2b410b01355c6e036bb70fa0b5d7df25d0180ee48cb6a84be30beee9fefcfc386dc16146cb772146b2665786763cd2db1f06a44340ee6d942f426cab6d9988a14cca830956e7907232f47125b866ce223a58fc04c1440bafc8134ad0acf1dd2ef5279390bb842f1e19f6b39898616649d7c1ec8421236fbc779b1693c0030220002b5a4b5de78ba14caec8a9f578483b07aa13543048b28fe2403bb8a3a5c6632f7e52f737534a19e87e7fe60ae03d9273573159208332ef98be87018f024978d4ec6629c9b79ea490973464adfb9bbf2b84fadbc3015d8dc4dbfd372cc54f4c84d2c402c538592ce2a8966b44daf432f8d1fd0a9abb66debc10ff2f6c874815c596361064f935b57b26cc31571c2ad33dc9cefcb307684d295368e4fa8c15d490833b11a1bf787ca1d214ed705e33f139218369fb694ae42da41b2e830e29b8d609e51a2d793471ef2c474fb445d0b3f2d5c65e8418cf16f0fb0937f785005e8a678df65558987089cfa38d78a926c179a354bd40fac48843a7427a5c135e85710d1ded6beef534925cad099d5cb3e7af503bfff666f7a68a5cc36a4098e04bb65de79c81888b51b88537521579b150e5ef9d0cd621ea956820e8a384ae
98269c09e88a59892ea43b10b0aac13141903cfac8da80bbb60f70f8681620ee655cbcf1973983e6f24fe3070fbe323657179e7a0bd44ef5d619d3686ae06041b1d483960ffcb3d3e088e78b6e8fb6e8fb7cad6db7617ca8618c3229263e179de93a3b3a538b14bd060480ba0bff298fff01d25e40c4ecf8339b18035ee22f46c2f801c9a158750e5af4d358e9f83c7d849c136e23d509e24850729fbd32f2d7f10c04fdd70bbae22c2ade00abbf1fd6aae066894c1aad0d947b7c78a9a27a74e19492dafa1024724186ee9b3db8b72efe7d9c15405edbd97324870f080aa3260df0a2326992d796d93a9b0b727bd10ebb1aa4b252b8e08d2843750355d443f2a8a688898048810530048c2bb97104fae86fe8888e09bdc935a64f51a480bdc35151cb874616c21c6d02be49925d9e69196cf6d045c7823666d4902ebfa353f8997695e1714337990fbe98435e75c0ade4353bc4ef208ff6b389477e9cfd820061c059139781291b5cf213769dc429a34d04cf2606168c724acae08df128b468dc73d4965105fd46252633ae7e93cd2389cbca0ec43c03ebed0705d278468f84835a22497e88de4f97b3774ec1145f2dab3ec5c3ea9a03232f458e36e5964b25bb4b7391aafdda257a465d915629f0ae761ab62634e5896f566f2b09c9c0b6d0e7c477812f7dc8004b6250ce4ebc4073d9f0d67890edbba6bdda25a43369f0e15d358232b8b801790db2131880de8d7ac41259dd36c143559d83bbdea615946370697cf665f9f8b2fdd7f2ec5b41dd61ab00b207873c8db9b2e75f71b3d2f68eb4dfcaee6cd7400d981f59d770d51d15598f6622ee4765222e77ef70e6e31468c4704f145f48a9beaafe9a08195e2ed3a09ebb21ee183cef2addfa7b8cbea29ef00a06565f89fd8ec23dc1e03c236f1b706aede07aaffbc35ff89eae9edee57ef81d51ca0b881ff474d49264523f3f7af130b7e9bafb313fcbc9ec9d7ce8a23857d669294eff470937afff9a361f263a378d99b45697e61db08249ac838570c39687e4678eb9f3d45429b814f1f63e4b6cfb329b5639500050cdf21e014184418fdeeead744bdfd7d18bead1635340abc1c3cede4d65b5a5f47a3abcbafb537f0f56fd43ed5b3384dc8c1ee9875d4482d11c7ebd5541c37bd774e6faf6fe67db625d331b9a5ed366e45de2c1ed84e1a19959821d974d6478510d12bfbbc4c7c5bbd208e67b6f5ca526ba93a8f1fbde0cd8bcf8dd2e0d01ef54fa404e88c72180257c260148a02499f1d9278cd92b27cbfbf6da4c2de1c06453525c8193801bf892065c5f33a2390b81e84bfd146f8cc9b423e230ea8b7ed37dbc432f51e44f913b5a444f6ad4169e31df307a61a69bff3d26fc6f4fdb7191d4183de0c2fa7802ae0c23faba43de1b
43f430b84040a90a8f5096a8a382a5d0db6a0c305b817ac1a59f44b1243488e7c3d80cc322506f2f7045a2c937876eff2d5fc2d077ae88fbe7455569cc278b2fec421b80e6bb99c989c57d323976ca99f40785d8aa3e3e2c57489dae2b2d421eee284325b7477231cc38d5d40945f5813119f2263bde664ee72b9c3ad5a8b6622a6415a38e393f8bd815af4fb7ceb4ea28d28939be965f5e6645b36ec726c00fb747d6ab805638cc90d773ad3dc669e771414adb6fcfa9dcabb6e537237dff6883bd39dd56b0a57587f8393aa698c46783616932d038c84139f3483179943a29d217b45c8d80b7f03ff67c3267a7c3316c2c5acd3914359bf9438d5bf93d6a33cfa5f86a142215f87d9becaeaab6173e03d292cf9725cf9117d12a9230b3871aa56dde5e7f9afc6c026d88ffac657444b1b07579bbc488c6f5e97ee1c88e90a6af2cf9f8ef9dd8b08980f9bbf1b2353bb235fe9f16677f20516e2cfbec3d4b2eb3bc1c87dee889ab2789e3f3e78b2da2dcd03644773b88f210bad65a1fe92dc71d2bfb55798c7a3802a5f9d9908b4ebaec5520d09ee1a84ee2c5699c9aeb53916647bc0096f329206ad50308b08aa2a7749e42dda9f8319b29d3f30e0c113d5e3564132860517143362dd48c7487e64065a67ce5922e76614790eea4a9f34dfb22170a6b2eae3590fe32c0764e7b738f1422664d23af10ed6c55f7b4e29c31b50a93b933f860e03192c39fab3dc9a1bd962c279bfa302aa80ec9fb1040d3b1a9265fcfb73f13ef73c4fa12151dbf9704c6f89d3042bf3c27c646bcf3d3b2f3b623f22ad71047c3c5edf248becd4a1064beed0dbcf357a086bcbd7bb40fdfcd792ff2fe3edfbf620e80e816c08e921e1688cffc780959aa2f3a6c3b18386072f17ad9936894e66b0947b3841dd18ed84b26dffc62f3f278617d681fb5f12bbb2b0cf7e6178c28ab32145ff7930365754798ec20664ec52f707908733e25f29980cfc7c3fa152c3a0dc3ffa80c53f1927e78278a5f06c690586ec268aa253aea10b48b49fb2ed1ba4e76e6d096736edd66cdab50c8f18e0c9be6a1a187ad0e7b3ad6facde6935c7bb1c4dff3358b5c73b306557f18f3924d8bf877fab3292d22257ac0098e4c9fa5b2a0380491b9154b450a8f829feff76529671d3b8ba957d9691c8b551ab0faaf6c2e3289149b96f46fe28ecf63fb55e3bd097b4e41fc277de00ab74721df09501e12a95c266a171dd15bc2c29564af4089efab7a478405acc384571e6c02f5b5ac8cc36be77daca524a1f0534f3d2dad60e2b6a54cac6225876820d8ec00ccb301f27724116836577d60fb96fc7f0b58fca0415be3c04e943903b573ff4ed860570a6cfc6ab953a57651060c4b359e1e5ab8aa49c7e571c8bf9a638d03db810ea3
0e58ac093563f5c675e56bd8ecd7209d13d0837b71c6f033ae89bbe7cc1aae7770e9ba52124fb5ffd929c877eed4e79585b7edff46b8aab917198ddf6a74d573b9ccf47f3b1f7d97cbe7a59bbcb2f0ed438eecae94f7006d5c14eaa14e2598536c37837a071cd6ed9b72c878b9d1e81bb215e76ba0cd4bff039bb2b7c4db87768099268c1b9de5041c3243315209b15ee81dc99cfa2bb034211b89f1a944131583f1b087f72b0a63bc1187511b4f2d8bf339b73faa6162d926dcd77396f0e39b533b657296bcd6e46475dddc33a1436fbf7e2b23e135bf87705f3a76bbd119d9d4c711da75de651cf8f02d8d48f8f7aac3457534cb2c45204ff46ea12190a7661e3cb82b56cdccff9f96c6710653f28c1b2e1ead24e09ef2be6bfce7f1880944fd1b7386e0f70e992fdef00abcfb9b277ff417e054bbc075b79d23dd9418d2bb952db441f0e92712e0a17884a60acd3446127719aa1520321305e2c47d670177d42415500d726dde18bceddc2f4ab17f050dbf20888257bdd859696bd52583acfbb55b62b82470425472b4b64a02677fee8b4c4fb93dc36fc415b08fd0f7bc5186ecaf82b24560cab3a3bb79f91e7d8a22bf8d59efd09426ef012c485bcaab4bbe7c5e42c69ed15557e630c2c97aaded06a18d51aa04ace19bbb97bce583cf66191b94953b0f070b5a32e49f160c5af9855f1ea5e02291f974175c30830e95846e2f3ce2e16050f7109343abcecf018a1cb389549d7c5525106872c74db955e4f33f3f86e38c5dfffe45686bf35a84b986590f33d57530125ea3ce3ed31d4295847c5ed1340a22218bc3e8597bb2739b55eee5a9c3c998b1866da55415a4bddb9cf22bac8dafdba6178eeecf9b9e04154857af97170da61c67d4a4a9f6ddb23258cf6fd1703e7220d7a0d14830cccb0954d9b4921b62dd976bd2522f2b2f86113ce2fa875f26d58f5779b16d42c1d4ffd0738b4489c2b2ccefae55099f8171d9b1b6398476b6be2fa9b789e62a33e66d61a5d7ff10029dd4e10aae05ae40e12e862d2d98ff9f18b923eefce9b696e2a773e2a89ec0fb332816d4349de32911eefb35d715c0fa865e0b0b78777fa08a88ce256ed754443977c3f806da9ca26a54c5823610116460c99afe44a678912915532e6320bc9303ce4f28cc144d1d246970a83385124a9229027c211727dac815eaf9a119fd892a7215fa6509fa232881c80e0a3c6780b928485ceeaba80830d8f9abaf408d1c929a120466e057a4d30130bbee808e25a6d5eb57ef51a581f5322670afb48d40b439ce0b8e756113785037192ba57b4285be38d4670829f863dc33a3fca49c8f58f8953a3e2ed44439b923e5c398b6e790cb79cd8a844450f086e770e6c206ce74968903136f0bbde0d212bd1890239054f2
57a5b0f81805b0dfa9d27ce6d6b2feecded46ecde172e8699423656ad431c5f6dbd24e2dac50b3449e789fb6e66521756f3753c4422afc49051c7825763599916e04bac0554a9f710642e3e024ce560c7532bb2a3a38073220e7c3ae2fb39e6e0133b7d210a806a9b88f4e13a7b43406405ebca415cd6f363517ec828a5e704b05599623d8fbbd4545516297b8bca5d990bb243c550ded2418292282cceb1c80ef7a706a3aec6e695a3fffc3f5ce37f579b986c27ee81789ae8541d3bebf624ffda6650a27d4aece4f1cb2ef7f13f40c2bde287cbce7c400ce5f508a44782560778409d9cce8698210c38ceaa66d03f8a02e777152068359464742570088ef5c475a5b542bd6c735bbc75f33f30127b0c4a9c4ec179e16fdb2a459dc0dac4256568041a19fc672c8dd2f67ef2d870ea59520dbedbf1e3a64fad80d167da484cb2ce92d7e0828886deeed1b9838140a8a9c0c1a69113679159e23dbd37f3d7779eb721c71b11cef8b14d976849952ebb54245c19b0b228701ef9f951f1e3e024f11b8d63c44a0562d6ba3ff30d6c3c644331c3422d6335072c77b71740c197640d7d5619cdd8e2330527b59ef15d0b96ba9ab8ebd775f45df018db5021e87f73a719ac0be9d36fe02735f9f4f6ce921883a52b05f2d505676cc49492a70284c3c590a89c074edb0cdbc6dafdda6e7123774ee64618eafe99a4dff441b004d32ef408f701cf35748b9c9e60bdf97c4c2bd57c5cfcc67a426fe5ed77cca7678bf50852bb1fed48b7a4aa1bf58f65b6694e79094af25f5d97f96aea0c82ed6be5288632fa5203eaf9521e5e19a13e4f24b1dde4058393be8faab1b077d3f288d0662205cf4226ec21622f81b0aa2867e1a565e4a400de4a98683ae8a445ac65f59b78790636dfbbe77258a8f568b743fa37186658d185740e95b39d3d9756660553458fdec896d65a456b5ab5b96326215fb73830fabd4d4b0442816197992a44eca9f618daf658e090e6e4fa16cc6529e37992e4ed67bfc6d331a6fd2299ded2436e1d086895ada95abd83ee0f1d72601dcf77d36eede5201c8f6eee07cc8b36801b1f5489f4ded0943da3dc349d93832bca8d741eef51ad0f73f1bc9ca8f0a04b053bcdff7a11662660b11c6ebee6a74eb3ebd986ed6a88c48a9f2399d6e80d70c6b9a7e7c0e5f6b805a3b8b6e8bdab6f2a6da910736c208db7938489aacd44e82782994740ff32eb6626a3b7030404ddb1bf5491bc085bfc8c741e7184ec8c470d6affbefc4576263a3166961e1c504eee8637e228c261361fd87a5d420090ad06aa3e39540efaed838556c019970faf1306356fdcfd68b428a818edac3b9dbf16d9ff4b0b8b45fd52d9eaab2dc8e59810050fc88d1ec8ff89e035ebf9ad891aff06f6a9376d229c8
d71990b8ed6431674316035cccbb4d5d1749a2fd1b5d66d9b2591a046cf192544440ce064d821f11ad40b2cffe83cc1ac18f4fd1c1c072a4576985ef15f31d5446de6b36a3a0824f13041bfd48079d3ebf543c37142aa6dde5b87e1d4c977638a649dfd07480c85beacffbfd1be7e9a98fae468bbbbeca077216e7946e7f7bd2c17507e05f6f81965837f60c1836e18d8def34b1e8ffa0c2f6cde41da73ad051781038428ed3a0550585c5e1b933ee11046b353020344d681e9d83bcd21158095387ab8ac66b16d920b2dd1f8e4b8ac9dfb594949eafd31b5e3495c5cfd5f9736d95341548ee003a4bad9dd95a4f480e5f61f961122645e11173cef83749121a77f48ed2ff3e4a28158d87c1d4602d53aca09f071942a88a653f9f70c27102030872dfe56f3148ea6cc1f4eee92d45ba7a5dca60aa9c4cbe832ae0184df7922a6a72fc062460081bd2964001db833637b428f7f913d7d7641fa98d76d7eda3656da056135d15f7ae5b2ca75c6f5e606d1796b69893ec828a41236f39da152bb3e742e82fc3ee7b62dec3f5ecbf4f66baee9b3f86ea642fd543283f97128aacec9f54cb132c6ddadf709f2ccac623737a53b1bda6d355e01bff73f1c43124c4484c8fd9c11ad736e442bfa4ca7edafcc1319c22485f04fd8ef2b536dd02bcf1fd241b25c4d4dc7aef109750665b8f9ec0c554bd82de1d5ee6da379d6220cca2eb14c8d3db2617152e448f964b2e5abb0f921dc8bedbfa1ea4cbf922c8a1733865a918b228881443d8fdbc3d5f575dc39c94974da3af4b22b68a5172bda348f27359151096ef041d4d1f8fb3b204ddf0302dc93286dec600088b4d29c6d3f55c1d5154d1e56d454f2a7a22f65a22253abaaf10ad6160c3ffb9f76531045e01b2a4bde5ad042ab30e3fcaf3e35dcd963ffd432724b9f03692c2cc64a31bdfdca3bd8949c1e3377ca332e96f15879eafb95c40db9bdf3dd34bc097feac69523c6c29c423923227abb1cadbeb710dbc2ace43e6831b858fd4eeb8fb2a540349faadce46397c71a7e0ab45c6e8b15f03f43a8fdc68dd0ec475af71acf4b4f7a13bd116e10da73c668e72646ca02946961eddb7565a08f40f738f23bbd84c686c76540e873da89f19e2c33f57a918a1043c4d182b4dad50c86b2f921d93820d3550d12121c8ac9681bf757e64283add0ceb4751d5428632bd24f52eb0de77eafb16e86824bc9c21b518fe1596030f0e27015908cde06bfb3805dfa46a1993c8cb2428433d8ef60c92a9be5c7bfc542a3193bc2cf2784647906761816aab0c31556fc09a603f3d5919f85275591c668eaf161467d68142e5bb0ed0c2ec76d5fd653205270c96eef8f5357196fd3f4b1bb7b2a983c07acc261eba25f2fe3b255b22e7dea596deb2df73fb47bd
7cf1070342b0a59c6975c066d5d7b5ee7e068fd3d9a0e0d9d4978bf97caf551000d9cf8b2b14b624d89ea47a92469a61e85e646a6b6a571a37302b13db3657c1d360a2bb336937859aa98607a41771c5f48e762b6e062971334102823d334a40396df9dd8cc4119675df5b8ab3d0965fb5f18a6ba9afd66c1ab91dbc49c25349be57299635b6168a85fd6b682bd3bdca1eb8dbb0816f7702117008e40f7beedd509778eb168eb0bcea8b229547c55048bdfeb9f76324070542130f255badb471011e6d110f459ffe53a2b60c2f2a00ddb272d34a83fb2365bca876b03afa395ae5d2c0f812affcb437a9f84fccf4ff790c2e43991d7a5757696d7ee6e92ce9e0e6e198f2f152e521dccb88a31616be1412100ce6dff66e3ee62b68f7d3891a9f5d938e1e73930d21b56076b9ccb86fed1ebd3311b7874e7a586ac0dc164411765d595c208539ae3dad52c5aaf8b9ff52ec2763eca5e1377dbf172b3de84f6d38beb5dd8a1fa885f5da105fd707dca4f744fe659b096deaf2941d1bb2093634f2ffdf38207a77673cc613bd2d2fc8f61f21fabf960c89b4adc82e9c855aff1315633769efecce87a24fced0c14f3f1e0c60e2a4ae3be7bfe2858721a454bd33c460e8dbb6e2aa85ec47c845cc5a40dc755f78f96827f7bdc4baefc47b251d4f96e0c170fa5bdcf3e1461893bec60a9e937489ab9c2c3af32a333da69af97b516b755048753cc99759cfafb51f4e4aae449bf322ee52b1ed55510a14a29b689c072088aeac0cf45e34b039111406a44bf7162380f35088ba09b8a4697bff4e5f6d1c69c8fad4610b1ef51490ef964c370fb182b47f1863ef451c5022399630776c43f33ab69d5b7d90f38f7e01059e3ddb3f4e89a73af0726a9d5609dc765cfcb5d1047980bfbf82b3914897adf8a3982d516439a38ac1819e6ce1379863878ac97fc4b5f2ff441f5f574e3630acccc51793e952c7e6063fcae352410e04997f577a6ab021725d8e25c1d101d584eb0ce9b5fb547566c906a0a555749f8ead9a9acc791f2f1e4e7233b21657f05ee2d75e4fbc71f269d2ef05615f0c933ab4d7ff3afd64b21adcf7ddb555d2ee6059c41f6a2f57bba943ded97cced510bd02cbbf52f9142223e2b030f8171643ccac365e89f3d322a7205a0aed36e94c1e300f31c9d71b93935d4ce1b3a0e42670eeb76b9b6002e6753bb8747c73fb7a0c702d2df14a75a5d1fd85bc0094f348505454998c50ea1aacfb8a63bc5c77418a103d8b6ecd6d0d4a481237db141fd684e64a0b63142631180e39eb1e5224bdf21a29f576ad84ceed390f3ef1228c204252da76f0e3b15bd426b1ce66727c1e700a0583cd716362607c0c09db433948dab990b445d005c98f6d401242dd831b0bc9edfcc8fe1bceeccdf5cc
c45272a45884bcbc957c0f1bb8d2fc3a625eabb2ff61f83a95a99c6ec0e1752ec432205bc248b148d1dfaba0a9cacf8d54d6fa27ab941e350835d64a562f2026a1b29b2f5199782b384c514c19d1a76b20cc824b510c3317100afe3eff9b01a02380e5bf46bcd373bb756337ce8687702f5a4beda1d25a2ccbe3d53fb00c957814318349b4bab4c9211428c867bf42e6c625379eb0ec5b75122b0ce70efb304a9ccd708df5d60753aeefb0bd95f451cadc34900f24e45366753c1efa92131d2effaf41bafa3919db783b2c9d22cc7e1b8f236c2260c9bf2e7a3b9a4ea751b7b55dd47381bcadd544c25728ae62e2d6a96fd51fafa5c76f61b8bf50b5891210e16aea7b8bbea3e73f61029196907e6c62bdfbead62be35e2c714b6f0e5fc8224378988f487fb4799c23e8718274f0ac6881153024e541a02bb392012dfe27f0815e56ac7f02b88dc4205cbb4d036cdfc58c164219ccec2444a4477b7f8a9c15698178bce12e386a82d3920d5811eea072ff302410642ebc1e7120278e14c6643cc5f238ac4765e1b45c239f7e838ee60246e942405c807a17b235465cbb17f03afddc69043ae73ae578f55da41759062d7186199ecdf507d12aba73441ad2e6057bc05b00fddc4feec6781284364a978992eb195e2b27571b15fdd10e9ab8888eb0826bcc76b5534b7f5446474a31b57411c525fda1fa2934022f6462f6851aa1bd7fbba495efd2c275def068c3b2fd3f438f987d95e8a96dece5c18ecf9fad5d953a2c3d38f66a4f0022a74335119698b5f4a6ff428538470d975ae1fe80fa87abba6e1ade85f5e5fbb96b808b4e4a435ee171b838e0a556c23c1b980af93994280ebaaaae79a8b9b0b353344276c687b82d2bbc432672f02c7000ce49870d74a52f8bf66925778dfe1cd0c148d443c903c019e440659ae9fa326de59db3a597b4d208a3d9c4bba2641371603e528311078027ba007e0e5ae077244d3f290939ae6735604ba178c3469df241da9243055fb7bdfcd348091bc29bb7c290cbc2abcb1634de18efe0882f3eb638bddd9f4ea3f8211ca8d23a65767c4b45427a7c424182531bc3a94dc823b2ecfa57484ff6e64d8ed098e94647fe84d9828bd0d1ecee854a92a6bfb411991982f44b3dbb3c71015c8cf6f824d47aaa715e94ecd6e46d3986639d27ca0a9e2635cdc4c52a6a5ccb6a03e24de7aea55c7ee492ac3fa52dda7d306c2010165953c2ac16775be79002e4e68dfca61a052fb1b2fc74ca4f203765ab60ccb296d8adf275bef5ff9e99d554713809412b2fff3adef94965921fb04f2c9cce39bb36a57f61426d7921be06fbd5900e095fe9ef930bfc53cc0489b46145f26af0e1ecfdcf362bef9c0869d277999ef7bfe9e37e1c17084ecf19079863f562b50c65
3f520a3b5176ce09950d66816e830792bd759b6150ae189d2b0d0c6c03e3b7a36ac41052ae58a7edd85b111100db8a68829706f7cd3d5dcbb7314e8cbce8c80cc011090fdd136a74d807d375b9fddaca0f6a181dacc3bc7bceeccdc3424a339428c0e1bb805a60e8b99337285dc65bdc29f2893c42ef76d7da18700fe3b5006d8d95c532a78fdb7334c6481319058dfcfc2ad2924bc3d4f111bc301ddce84ba64cac72e6d4830d8033d736b830a913c02e338ff106b97d9b48f7f023073dff4cd48b7fc61d338cb4839168881d4224fbf7524d8a6a7c01a13068a19a5f38c7ca034d13d582b2db8421b570b47c656b2d51edbc18cd39643127f5c8e0bf0685bdf6b44f64eb4c07d2e9117ca45afdaef6979d37a7eef70e82ebada130561a257bb63ed5c9c3d3cf101d42c70cda123ea81a9f115f8bb78256450dbb6cb2899ed10684e8e18a1042ad83653e21c4c5f48aa887d399cb9fcf259b1ce5fc659a860a08c5a2c5fb3c126073fff976a57cbfba1074063435fcacb27b0caf0ac19b8e8f8f06fce07482d65d2568f908e93a0d0ef257285103797cc9f88f58eed2cd1717167f1f2dd006f055f27e392705f1ccb650bdfb07d3ab777ab9ba3ac3dffab3b1e663f154c62113da66b2fbd270eedc94a9437012625ce8ba9f00c1c4a83d588e5fca0e5401c66391a4155f3f86f552ccf9b4f0004a4cf1fbbb9760d1812f0c43cb54637b0ebcd7fe167c7700ea0031a5bd318338be50ee2783384e097284b8e59c170e8a156828bc99e773314e6f7a1f5b493ac21d9fe858d48e98b977caf42b95e9d54d4f17bffc28cca75a647263825f129bf12049394a45e75aa0e6c12b23ecb2b3251099a95422f19e447f6d3d337f9437037403c93d6d705c0d5a5d201a8e30d6b48cddea751d9c1dbfd65c04112695feca2dc25e9d9e73e5a5e1b146dd2ffb66f5647dfe44c1dbf502ecad9726812e9ccbf19c72cf32b0418b714995f58742798b624494210de0d2888a3bd6ddb47f9034344d08fde2d6b2ef97815c6a3a6e7617924dc02d70d713daca363a44a9325c4a17d6b7754dd4232c27c2ab9f796cabc49347cd35d2e25f918aa4ef2a775b556a248c5820e606af7e3ed95d06313cf7a07c3b0571b8ebb05b4b9770a047d9916906270959253b71d26a16297d5c6f2ebd84f9140a0e4543052ed2f8561952029286a358d7f1e1ad6650ea206a469e87874d281c226bc29bb5ae95c7c2c1145aa22c2f2c84f1d431f46e94d8e372456e0ae74323e680348d361f89054aa99f90526c1f243f72d908d039753d0a960f7788da707fd1f2cc95ba7be64bef54f395329533938951b7c85aad62a79ffc33f487f803fcf6bf2c26e6f82103a6698d76bf780ef70f3dacfba41418bb55e4a16014c71a9a2e
56ebefac29a4804ec152bf89810f07b8acd9c5e697e14d40c3c8502c51182ca9e3870b392de488fc5d74748f700ab286e00db63f8c3e56d59e68a01b9b4866ced3d1e9106d1b7df659a14f59fd54f5a4727ab068889425c07a463da32f69b8bd7e747b08c7bcd323324c7f790a76f4dfa16f26d4242b16b3aa7ccd115f5ea17f5468f29766829fed9bd9d735d82b4faf5aa9dc0e4a577b53d9cfae701a54ebb67c75057053d8a4243cad178b9acf9c087518fdf50103b4ab347eecdf6a1c1b5d0c2a236d429cf78c2d21f0a7d213bac5b95d7d8c8ba71a28a21828b5cc3e87c67afffc37c7daa627343347789bc1316a670b298144283b81e73042039d627404ab5b6cc2001839d1fbe36b8de715a838a24c81d15d6071b04a285823f78f53d99491ecb2842f17de6f508441c8d3e75f6a35027c72c3ea003ed6ffd6c4043bc067c286406b531c0b553eacd468943659a586c17091b975b854dfb8e197bd72768b86458a9eb2e8cef2c6904579e6ef069191a0a2db735c5c8fee1102c0c7acc7c1f0f0b17913559e0f0fe6f19da77f878603d72170c398d11a838a5370edad089b0b0527a5cb07b33d7b38a49713be10f1ee477f867d5600936b6a9c74bed99a4db81e1cd7f959cdfd37116382b2f40d4eb980744772f73e1aa4a93dcfee36268845131c124369db4d0cca54d4f8c3899aace46adca0ce186ca23e2ebbbfb7b19ee441490a4962e5117782ae12c191f6dda42b96473d22cfe1636c460e56e7ab0548070db7a95fd6b3df5aed579b08b5815cfc8a153bcf141253d88c55b5ca968b811c0aad767a439db58677d5bb13696d6376aa6926b8f0acb54363fef2c29d358532eb252208471b146949f0af762f40417ced7bec03ac9752f2e16da680d29d9ccade97546fb9c0f46d911d735e9cc578308cefcfe8f406af2b7239f47643696f24443cfeb9f27259ed77a876822f734b739dbbcb9b72096b1e581e5fd12c957ce71f3c69a0885d02d46503798e7b09749c4247fead044aca5860b2242258763140f706e7509317f1ea81691f9d80d054535d639da733aaeb7cd4a9b0af300ea02d384380d50ac5842dd8fe47b82cda8ce9424ccee49763fe46ecca3e1e9e10f1017e333eb94ff1d20b3e59b92ca10872c482a4c1d1f1fedc95272bef6173a58d94c464cb52f34759dc644d972031a1b5025022e8f85173efb913ea59cfbec4da2586b29308a4d418432a79972b64d9c756905b96e2426f634860c944791ab13cf4010c83ca630d2ba4cbb55505eb0790194d927164ae80c0db21954943c66f5bc89beffbdb3e22a3838406704e1bda3aefb5fdb2a71ed23b4b75352aed0db5c8d60250a49a9e4899b0983efd5662be361fb28288b620666e05953cb031407c0a2605559d8cbc
0421cbe61831aba85c5d62c1baafb86b1692456b6f0628289bd57bf9187b40d4aed39013f857d1912e561fa3b5998168662010a287c7e205e4e8a9c13ba68ce1de8561d9afce4b5d57917558e13a7cd3f4ab1fdb2c8fdfa4f61b8ed6d60ead1efeb9216a1fef78fc2099e8716522d3cfa575888823f558bf15e30e1ca995ce19c9069ddbd57c409d52f0706cb3e562fa18405e4181614230acd0c51e39bb7d9621ca50affbd209fa67bdb7193cdb97dcc6e5a7fa717feb917c13aab6c41cb4f2541738b0dca8b2b129e5f631c2a8fc77f366078286c90d83910d1604e805f9c2333b853c14bb4a3d5f22a641fe545121e14b7b1e3ecfcfe3ff8914a716f2428724c3ff13188b5d06c8ac9715d54e81836b2f9405ea8e8515177091afc064922ac4f409fdd1e1359b640f6337c4a3fd4a3fcd3bbe63c984671e15654c1d6621de7b3a95241c1642fb7a713ae1bfe8aac7bc26f613fdd226b19e98987c3041cd84d5ef2c78faba10b0094968f2747d42480a7b8ddb2acf2f87ac4dd22bf23a2da943c35e76dfec22234c0f254adb8e3d32181ff35809f41a619e646ea3ab7d2554cc237eb80aae024aa3616369d00bbd6c62b6e17c9f5d45bf780c721bd49fceef369349f58191a19d468e73dd9fcc6e38e20d3b131a9c67778b4f6cb8d4db5dd09036908119b23de74af79d71abca4869357b9c5e808dc60b6a4323b2d5b8b75e4d8607207334bad78418d6b7287b90d3480ff5946c5c41cc5291487701a08cb436fea3aa7638aa5f4ff7369f526783746600794f28befeeb543a11c3ec5f3245e3e0557abbca2c42ad2dd7f7d4d386884c70dfc1e45d56cef5a086808f3c94bef9881d0e45a98a731ef16a432be8bce4172b4a8b8f12d2ac858542816db541f11baa9f8632fc604dedbbf197c573a293c96465e64eb1e2071be5c060f168700bb789e993264551620303bd5fee285129ffec0eab47ea52f856224839787d2abc159421016c18597649607de74eb86f7454bf2b7dfada50c780449b1d636de6374f7fd9109f5b39ba67fbbc209e37c57610ee7811e26be2dab80005d72d19506a23861b88208a883dc9216c608e7d858e33f58088a05ec626eb3edf9ac3ed7de4ea80b0c23d1f0d6ba248c31b200e28702a3e713a7383bc3b6c660c2e955c39b6afeb4c9e0a72fc4e1e0a8c00183d8123815f0e943a7bae2bcbb1d4eeea175abb5c4b93e85d41542f6b8cb65bdf10c00fee8d8e079ccacea1f3a0912ab7ce1381d821191c7cb4be46bbf8cd07256b0f81be4758f35fb7537e5353080efde7521dde5e9881fc91bd6c7846c77049ac303c32ad9de7754d06e00a9b8feda1abad27192c550955589a6c41cf14bca6cac53527a37f4bc08b9005b42b9c70216c51b337b335fb5a1cfd9c
d6b59f76ab90affe4732c7e304b9ccc82ed6af679dc39c91998fa682cfe4a6864c1b79e5e2da85c3211502aae5764a004a3b3d41005d5cbc118deb022a51fc1ca56f0c6f5732266fe215a3cb6e949698bb1ef1a7e67ddeb8b6bacf9aeca16b073309d7a7f8edb56f223c39dd2bd08e669131bd51b8cf9bdeb9988f71d8e553324492790d6a7aea92bb41dff044af0da6b0b403c80c5bc4f6fe92380440372a0e993a4ff3923b327992517041db7ba01280cdbca96667a0f37213c204cd7bfa009c2b4adce2846f9e9eae207cdf5350b30d0ec746bcee5b29b44fbbe3910fc015d164deabc65e8fc44253a7e42c38051fe184408271f8bbe0efc739a24820d97db1a5b351f3c3f02b17ad9984bd4c140972a71680ef1bac678830d5fe38562bcfcbdc268d8feeed8c7da82aee6d12ed0ca88454f2631d86ab6742167eb34eec9360c8227bf96fc1b17b3d0bd5ec8b297c61407c6fdd3d6965dfcb363326a85f0e84773f9fdfbbe3efa72edca1f6cf8c230738e104c15947e8f54dc46a67a40e4787fda23bcf4e4dcfc43a213fd09f1c4e61143d4ceae85fd5237c141d1f521abfff83cf23c624dbef356fccbb880c729664a568d54fcbe1d264deef7ab4d7b9be1d0ccdc4e6e78b324270a7fc806ba7c5c2711a34f43d3fcbda22968dce2372cc3fb35aa6578cee49b7425758be5fa1c3c6729f9669d9d067e56b7024a8ea7eb118be8b65ed817a7a2838ba8959ab9f3cc0c9b4b13945e1ce89b02f86166aa89c504a27503d1f57df0516284b4b4f36265b5bc9d8393d15f6b8d2a18046f78f2ecbcd410bbd2842be4ed69dd70a534490befd3843e85b12f964a12855e2ea18002200c728007d3ba098a7be3afce3608dd533eecd536c4d8d7f4da1ac96ad45c84e811ec3df571c78fdf7f8b9d0a1a45882c53eb2891bfa6f5dbf4c5b81ccbbc1ad6d73847f014841eac73782a1b5ead5cef12bb5a1a4ed82a9f4faa96cf303a5904c5d51b3053b141eaeac0b4b333e4affda6e869472c634dad1f270e1d39dec683b7e84afdedffb1daa22eb3ccbda3380437b67022c83dcdbef46978fe85e4b0e066621c1ac5372b955ad5b9048fd0f7ec567f1cd8e74ec8dfa4d87f553ac3b581ba69735a8d4707cba2d0ee9671db59b2790d43e88390c2ec109b94b1b55179b39f79026c8f1685a50c6cdb84c0770b30c4fc2f4690922757878d607d3d10646725f2c07e8863a96fe35e5a206f39aa74891a643acd4b3e16e95e69118b33c5a0bb16ebc40f8cb25aa3c1ecf83a9fe5c937381e165f273bb0476bbf8cd351510a53138124acd75ac598528d6bb492d1229dd50c1d867181d20fa6e2b00b46f5cfe910b61958484b176a6f168e9161ade81411eab0aee2051d30903af597ab648a2062dc4e2428a
6efc01d3100e120ef09578596d0fa3f36721b7423d477bd9c74f77418bde1bb94ca8aadea4027ec2e066ebb5fdb37eb841a8d0522349f71a0c4c9a4ed958b0c76d35e6dde3ad296eac72409ad47574bea30337fb226c335d78f5cdf8612cd1e04e7619c808ecdf2b9a2ac0616a0720d6c3ca856fa8370d202f3e622d547ee3316b3ff1d271970091d00b338871f9b70feac6844c404a9343e4cea8cec59b7be9da09b9d125d73f0e8823d3fa9bd247a1add73a73064ea265bbad9f30aa3424314a48eb710f4d5df40258e9299335443226d4bf7812febb7b2de941ddddfd88ffbfcb5bf7518b8e99933bcbe477bf1303c263133d9ebeb1549bfd552065c783ec284a9ce9b553a20d7b77548f49cf519049ab5783afdbcfcf6c7429e76ab5419ebaaea468f8181d3adaf30528e67950b5be474207c1a7a81f0f3db8aecb28d79d56fda42b955194f6e47ad33ec19f8d8b996fb6d8b1818981aa2af6e069a4608258c5ee64b70c9fb3a0e45cc014e4f9addf951da9a06727dd22005c921dcd79ea3c711615b8a5368be587203fabc96b712bb8b7f7361dd268bd76a26931566a23ba17c56db36e003e6b75a2e756fe979aaad3b304ec8afeda488fb40ab38d3a920264a4f2bf1dbf55620b6093a9b36699b9c32ee344d043a4766184f102196feb205cba518f069952b3bf8f857aa2b16a6e55a1fd0004b7e8a5549a8825708a48bdfe71d2c138bd0de81f7f3686584b3ee09ef695a6fa68c2a2bcbf76da1734fde9ded42e4ee908e1e939c4ebcfc1dd5ebfb50ccf79bc877a396bfe76be7afe123c5538baf0e7c286a0505c63b9b9493960500153751017dd98eaa898110429ec87ab32d6d6d3908a27128463f01da7d7a410182bbc32e667031835e8ae20ae46467a73b1ac2f2a18341dc64a558c75cb831cd3496fbfcf42d88fd609886c90d8a71286aba45f8c7edafe0176eea6050d36f202f7c9e6bb7924396e040428eee610c4abbbe1cba688f508f11e01d4640e6c87c45d29cc3dde93d428b5028ce4c1d9bb95907a557223bfa9e9f6eac9195aa1b4990a9c125a7e116c8e5510f69c8b741836d7c43f13400c894f366a7d22281ff871782173ae78ab8740296aaa999587cc0005d2f4ee7b1b9be642ac1e496bc29946f72cfa6426cb3b07a2e948c18d2a1bac5e5b08562aa5f5407635c18ec0754f92d769a23c5e73f570c23b3d9561840d39b6a7271d9354ed79e26762946397df3ed2b2a692fcfe5109ef1941bc527658891033d97db15a08311c51fee65c8d98723569444e3945fcbc81632d19dcb9373868aaf4a6a3cdabbe97a915f83a386deb483d3dd126a9d1ee7b2b4f386dd32566ca0469aa6c6d80f982f90dd6be7b3e6e5c231998d88951ab0eeb8bcea07f82ad8cf2604823
65c413d48e7dfe108a91b2cbbe4cbe2f9a52132b4d54fcd36277225c68ac40b5e3b443d543b891476f271d2352b3095bcfb083f2c3a51f248cb4eb3085d0c910741c1ae9dcc1445358a6bf44e626a954dc909ce85c1bf979b88cfac5fdb65d27e65ab08245aab32fe2dc08ac6312e0fb7f408d75e6b01a3ccee722540016b0247df32bf72a767c76008a92e0b11fe9c05004545409ac608e327c0d7dcbbb887c36c33cc9a0e6906c177327f2ccbb43a72d588eef87501112a1b643731d2bcaee89a250663abc668a3cca8abd78c2d23f9e6643df9bc3028fd56b34b21bcdb808492e35de98c316dc7deb4112fcead0ad74937997a397442d38eef00a7b4d31dce64f9bf09b514741bd42dc0d3cb1b310a34bddac411f46a523113d571b4acb991dabd8f1d1525223c5656efc43241574ff51c847fe329ea20c1ae30eef094c0e64c0de95d727a37bbc510214fcb3bf6ce4acc12d76c1931e0efe47399a584a590ec68787b17566ab2e518786e858246e8474afd178e236274819a3dceb7652fd74ce86e7f318d82a25306f43c7be9f6babbe2c96a1b41bf442008065d59f8b055c364700624308332789632a682fe243a74e6626127273ca87c3d172fb12e5f9ac7ddeb4b106108652448dbd15598a4ed3fa649b93c02dea87768131d49656272d1848ab4230369a5f043df758aecab659430d5f1045259d3506fb84ec7aac3ab5b5bfcb9689f3c1b5bb24695ec97687c992d10f2db52e0088e5bb7701e36570bc51d376b249597f030e597a84fc61756b0c17043109b035592c2f6355ed8072f5e8d4c155c4f119e07a67062887d1d5601fcfba1195c8230e69de048544e7153108815f9b64d21dafb1c9f5865887d4bb11e1d4dcae48c91240adf033391e1822c849f38a0a29955e653d069ff4d222ae08c14a8d024d64ef1060e52490cf0377b6a7f957e61764aaf155669c8ef46795f92e931c6bccb0b0125f60d0c557c89e67c0bbd0c5a2569690603495ec1e653a39f3b574cb42df7d84989dd3c57df8420ff18f0210462e652a573251ce56b62b816c4257a2be69165c7209a2e12af189961cbe35b0b14d105cf9c8403021d98344a5372ba79ca588092e418519b8002a2a090bbb843f6adb13933439e422f3d6f0317f49b4c92eda47c065383cf4ba9390dabfd757e63e20aa4f2c5e369b05166f80785899e22a08d074e2535a64b814fc105b1b68e77565da771ac638558a611ea4c27ed209f52eed08e53041e1a5709403c3273ed21e3e714cf12448ae0d69fb10482628bc35b031642c0fdc0346e38cae9872308df9c5f1256da8d40db3a048e42ebafb041662e23affced6e7f32e2d70d0087306fb1237a937b90523dc3d4e3939ae06fcea703a6d5bbae8d99323b121e6de5cf578
1fdcd8604c632129b66e9693431e04982ef5803cd1ecc3b2fc6281de955fd5e5f28986ea298524d23fefcc2f30b97b3900e1dff4eb2629de4761f9564d3c3dfeea05c633ab1f689bfa8eb5acdbd97ec6d15c4577ca900b401c2fab73bf704f2833183f1903f2f35dfda0efeaf50cf51b352c3f3b970a6150bac63b27024c6ba7d53d49d3abd9e23e4af60b3e004969706b215188fe2bb911ec4495570bc8511cf378578dd1a1c74ca1979834cce7742b4a6de492eea4cba3e63ebc661d17329ca017479cb3d1a16356b336b03e3a538c63a3f5aaa28ff94ecc31987f838d08b3c82ce7b14846bb930510025d8e514c194bb037dc70c72d56a48731c333d7ac4b4fbd410d408d1b879bf50baee91bb1d48880c20cf11b76a8e06e57fe895a82bf99746c1cbbc64469bc1b059e3a621095f841ea57af815dc34a00ab9cf4d30001c9712665d0f98b64083b177e21901bab8382a39a091917aa9bec1dc7bd11f7d3e1289ea746215636c17871f3267de96584b521e1fa3ef47ce41a6f25aba64a05783ee47f6bb8d3f495500d56ceaef1e3a0f38edefd53da0c6853f1c6c24fa434840e558b6d212f90121db3df0bd4f73b54b3ed9fcad65c5aed7c476f9cb31594d5899a32d979b9e20376b715000f314b7d24f99af72899c65f671e522925bfc966dabecbe3081a5a5d610417519d8237a0d102180329ec3c2708d3298c506f7a9a88b15c251ed48741c4cf67ebe00d5c8cb3d950d943c40f043a9d7ddf671577c5bdee7ad10edf26e1c48d12e99d70e5a1c4642af393c972872cfb1e11315d22dda189a36cd35d9b01733a4993f1cd704c36dcd15eba9cbf252a21e5cb17183b886be2e00d3a32ce09328f60e5c1aa26c97155608419e4429943571752fc53ebef0baf5b672f01346ca0499fdf16df5af75823dfa595872b569eb65a930caddbe9673729ee55efc49b2df0dda031167590d976202b78614bcfcd91735f5afd2a5393dcf192be245a0bdd673c6c81de5ab104c5214d3ada64a84e9dc9616ba71678b6f8a564d956e4bc6aa52e9b92961aeab853bcf7ac1a069ee2b81fdfa2aa85aff86ee3c9ca769dd3bf4da010f08bb9e87f2b9000e0b2cac60e3aec7f2e8cbd63d4509d228ab71ab24afacba832f3791bcb68910ada4d9b588a4410aff25149028975bc71bf36ce82897a796f5d5a98e3057dfa7a8a3a021243467e11303d1d3d9d342d6e6a3238a420d90b018cfb90bc4a68e40b73d3133c613118cb6871339b359e0136d873905daee1817963824c3dd9634edcb4f24b35083d4e72ef28a8cc1dbe04d930f99f567e0cd7fabea8315e8d013042f6008bb0a8e5adefa814f79e2f70cc4171af32c431b0b7e148b071df7575d720973b08646b0312e2a6874689a58430ea112f6f
c4b5a56c78534f5809f785e6094ee5bf38be21676e4fd71a193033b0de273c2c1452c1c3e4c6de0f499d9839ba1625640a1b2eea532695613372b1f519bac2c6318d133aebb079f9e26d7f47b5cc410681d09d23f167fc5a43da874b9915249afc5c9195ae2229f21a14a178e66deb6dd765b306d9ded7e511945193194f118bc6e1ab326e2e8cc9c116ee1d6122793663319ea8721704c15eaac549e2ea9ac4e7b9841ab63c5e12f80f5081a4f04b0abd58bcf2c2c6965fedc77cc0222a4003ce7f51c130306f74ef98ff1cbf65e02ec98863d7ff02ea309d417d0e6a75c409be4019db6f99ceee78e39ff4d625b448761b4913b43524af7d7ec0dd0631cb97a8be0ad239c2017e9ead8529c6713c760e7b104869162f38cf4111644be90370dd298bc1a874b567e39f606f394f62fbe9b5c6111ed1f12193168f2af7ee60214171578b6c2181566608a3ff2fe42f7b04cf4674a682c6e2b0db02e4210ca10d7126ff38b68782e702a7978ee7a31bc37db46c714858a7d9fa88f86b435cfbbf2d1505d4075588b0543d246283cc09d789f1ce2a60faebf09e11a41098184d3b716e0d46eb6580208cb74bc0142075f35f2bca241d077560ac7dbbd240ebbedd9437c22c401d6f79656bc1f75a5c2c625714fd73016d4d9d0223c65d76e19e944f92936554eaa3a68b062588824d98f07aef58d533e0dd6a1406f4c6dd59b611e7679cc27736816288d0cd9d92088d00afe5fc7dc1527acd9c5cb25e5ac01092e40b530af711478db5c071546a4c74c429c2c77b69bd7c5397645ba1d0d872273daa6db759df53c0a718fdafb222e6d49c44843a31f3780b0bea398e005f53e430ba2bcec7f5ead0ea36c10c2306cbd9cb928e5d788da1ac27366875a623df30263f7851481657e16782b2a27168c105da4bff690a9cb6cc2306324e1d56823b649d3ca9eadae4ce5e0d6969dce92ecf0c0e81feaed7bfd3fb13f2d4e548cb724ff0b1685646f99f754df6a2302c498633573eabfb2802710dc70edb366be7f343f2476ba19e371ea3e041278ff01801c5de4b057c59bbf251404018631d1270a9ff0a0f0191f3d5797498a9b71854736a945a6f990d967f29f5a0ffc7e20c5b8001b73cbe20d75a668b6961b44aeeda1b57e3520de141e4cf32deebda2e562304339e3715389be537276931d78510f83286be11ec8e8ec14f67f603e18dca9f929726be0c337216b88113f00f4cd5526f40f294d4f72eaa120bab0cf536779903576436d22df5953b87a591b5092fc8e5fc5097233947fb07e6bdaa80e18a028721d76b9a8be32cc4c70552223cd1970abb11d33cb1cda59950e18a767df6aff5fb37488621bec27b9292ea88010c4926bc61f9c0fe20e4187da939ff2beb66ab492b45f183d856
be322992a7404361e5122cb8568d8ec53057f0d94fcd2b897fd315267afc7a38a99d105448d900619c7423271686f290433546d98565e5f8bb3cc0aa8cf8870bdaebfcfb4bf45453608d74b8aa0bcdd98e2cd8e04352df3e6cbebd384ca197cceaf4bb5139731ec1126d08d217e292bffc3bee368b9d96f85fdf5935587df107a20d05880c6e8e6a758f14e81077011e636adf6ec01fdfb96db24be9a62c74e47a9360055969fa916bcac2dde45e719cf99729766a27306d7353a3ba7686f9ef0405966fdd77c616470b6c196f0286ef16fe5505b1762102413679e9c91782b7ec6a6d04813257b2427458afd627cdd608d408391e67412278af0daa1018ef8876db102a92c031b5a2aab225d2b84ffb6ce07046e9398ba80f21bc07934b4becc299b1cdc27e9c379801c1c3fe3ac0755cac61f59d044b50525dec796e001677ee39d77705cefc294ff9d8cbc28f7984c2e9b7335723e79855b7e92646d11a61c9cf5468d06b54950ca7c42991f893e91d2b1d1e7e4bf3b8c02c7c0a640bb80c2484d5a55ee001019cba3ee242feed1b0d42fcdd7a18ba1e7c2ccbd318f7d17799dccc93a9bee9fb11410449daf8014417498f4a33af9d0ec4f9f1e8068033b8b452c8f10b8b2f62f431658048f5484956fa0977fd980758bd6dc9785ce1293f702afe545286d8804333cb5ed0f7c1a4b38777523b08db5b09a6bb3addcbbd095dae75cd424e30271ed94630d36803f77f2485a11c2cc2b8e78a164ca1c5d514c262429273bac0865320f4f8b950f0e54db424284bb91e8232df4a47e5bcfd4c17ef96f9f6a94d720cb457ad778ef43ee58773d6a2e125a7727b3fda4faae627c6fc7c6e73aa95dcaa72604fa3d5965ac9caa8a4260bf4d47821de3f261c214d762d8f55f77ead902ce343829166ac0b316b6e5b1b34d8bc3e6d64bbdac9fac806fa4e48c1ce6c1a9bf0e565ded6d15fa472bd1fe688ed56b9ce8940fb62c4ec48d29ab8bd4260bf7bddcc09caa9402fe4a299548ea2738f324d66bdfe3a0cea466c7215d68c028ce7d255e9ef6dff9caa4f99ce74324036328f2d717b55dc3c48239cc0cc359a3725dc849f894f58b6908714eff472aba37ab283ccb7dd5707fd15845328d23309b45393755f28b4fc031777f418a4cd11ccdd0ace104c08dd4faab8b56aa37b51068b8f107fb392f6201028b55137dbc6211a6e67b657176b0a05a20696d496d852249102829f96431837335597ff4294fe667a039aefc268f47b986b22c2338cd639e5cc79e6917df9e8132c6a42df0fee096cb192a7ee8a4508e2642a176e28b60729373b444ecda1ce2da57cb966c1d285173c36f9489b1f08db9d8b4b2dfa0e7de81b499f4bd21765f10904b10b30dbf7e8301572b564b4ca57e8349fa410
39712fa9aceb450a3d4339fc2e909a8eb9a3a56ed1b0d5996966e3437d6e2d518746d8f8697ca9f375d76dc06059446f2117b48b2fcd081d196988106b13e5afd4e042ccc20016adf2069d81fb303af0778dcbe05688682527017bca7ae1250055882bdbb5d1f0cc54c70cf3be35fe8507b1b65cec2cbce09495ed7af3816eea9f775b31dfba5e968f9fb6ce23598d8e52687142d867a468b55ad9b7106885a5b5f35f33548bd5001d18a3d4244144666c2081db896732a96d80d219c5b7c4ebb435a6d44086d6c411b8ef85455fbed093e5d168d2217c05ba1e2ca1401286013442c4bb01cd440255c7bd0199701f961bdcad1e376adcc20f96cbe887a24128242f8a7996b18de6d01325632d0d5bd27dae2d0a63a7a34c047b9bfbba9abb267f9f097435a3108a0c2686d9cc6ab4e7100097c45b3e58e2c610802b02d108b04cfd218f346ffcfccfa2be06b2ee9327ed4bae40f6cefa6d0a741c740e0dbd12c2cd77ab4e56150264b0cffffcbb27679f73099731921e38eff187c939587d14518c514fac44e35d77a975d1fdaf34e9ad2334131f26c24bbc13f2df90666341d1f5edd07b8d53b7703d4ef25bdd7a4272c0c17f7f6d5914bad5de0e77afa25af1eb30f18f1c6d52c996463351917de5f612ad6d3b57e1e0d9c3cf7659ec28110534f864087864844ced73b49082b77477be465faac436388dee32dfc3dd0cf5dff1991704c8e8d6aa22b3263b66b23f3180d11d21854bc2ffb2775f7a8b3601e9a6e5685eb265450a222118a5115c8dab86db406d8e4e2f82e7c41214ea54b355082bd153a7106048b72984dc0e01e4b8252d36f1e9c4a1b7179ae2a656fedc990cf54b2c4bd927b034604b04989c76c6782c496c23ef8e7958044d5e2a0caeae787b7303db8594005db1f8127dc7ae3c1617710ca451fcb6ffc9d0e5d34f19d9ffeff61325d4b4524995fe0fdb66dacf9de64458d3a28ab8fc07c9d370edcfda9e9c87416039adebb7c99c447624ba0cb8382d2e4c0cf1e8a70139c4c08c1d5d51548d2789fe71708081f2cfd76a8a897677c0cbacd129df1694941d26387d77d6f1aadb7fd4434121c267211843691651dd228e377256578c3c88ddf0426664e86511a3f8595d7bdf37ccaf396bc9e7cb0fc789cac81f6326c3612b3b2290d07041dd0da180a3f74ff96d82348060900216534c3069100704afb1372d36260432aec3f88fd0a4c4ec7ab7f002397c8ac60758f2df97dda34c302ad5bfcf0c15dfec61fc7cadfba50021d0a813012caf464cd6a16cce4ba49078c4c92b3e049b6d955bd0f99121af65067cbf88fb2c557840e6b50d92ef387ebd93fbbcee39a83749249a6de6174b88ec04850ad88d42e425de196fa9299f637102e4b19a86365df7d462019974
ab6e790ee909ba3930916473a3e9d5aa856350126933193c807746e34e2f5451672e08e0718778ab3e3946611834948f192f204a06c363355457535c3eeb8a3bfc9dcf9e2a5bd648891255907995e923114b5581a8d74a60fed02f184ffe5f14fce6eb63f3d2bfaa4f16dffca143ea0e922a1fcd3a9f3a506239191b1c25071332ca3adb17e95c77b6e55fc0494442d0574c3bf54326042313602e661b5824920fc454e54c224d7a92e11059e04aac30e3691246cafcd66624cb17907db1dd0702de2554d2db0fe639b8a49735a59b58393a57acd3be6584394ac36d328e354323a8b9c23c9833b4a1d480b55889ec6f6f4fc64a2e91a98705ce5739a9aef3b977515b9370bc5fc69c5ddef488c40e5064653f6ed2381384292087879988ae37f41b515ffdc01de8da66cb9fc6f0ba1d5d6ef7ec616f575349dac097d141d27036e2bb74b02b7d6fed9c7481a84bdd72e2fdd7946eb6793399ed9f7d2a780769b3933e25691351d3d766a0fab511283e2b818af89a2c40277130c1ab6c85872b20548140d57e0840a23f5ba7428e8b6e9f7f5318cb5a5fc1601c06f3c892a1cebf9f08eb2eaeeffbee2337b820e36797c8d33570106eb31deae4ce2e0b70ee9370dcd6a48b4b6d66684b2e53d0e6c1d41bb28f6c7219010418d88c9d17065a6044b3e247af1d2ae04a40a3b64cca6be89f53c39f81fb9449849e368d220675916f81206e5d3fbe58dd4294f89667eaa849f02624ceaec0eb2431a9bfee29e5adc57") r23 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000014f40)={0x0, &(0x7f0000014ac0)=[@nested_amd_invlpga={0x17d, 0x20, {0x25000, 0x5591}}, @cpuid={0x64, 0x18, {0x8, 0x57}}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0x0, 0x2}}, @in_dx={0x69, 0x20, {0xc003, 0x1}}, @cpuid={0x64, 0x18, {0x10, 0xc}}, @nested_create_vm={0x12d, 0x18}, @nested_load_code={0x12e, 0x7e, {0x1, "362e363e66430f57a90098000066baf80cb8288fc686ef66bafc0cedb971030000b8c7000000ba000000000f30420f01c866b878000f00d0400f01c566ba430066ed401d03000000c744240000000000c7442402493a5664c7442406000000000f011c240f32"}}, @cpuid={0x64, 0x18, {0xf, 0x4}}, @nested_load_code={0x12e, 0x60, {0x0, "c421f8107af00fe7649a4f47fb0f01ca460f08b9800000c00f3235008000000f300f01cb400f01cbc74424008d000000c744240207000000c7442406000000000f011c240f524b00"}}, @uexit={0x0, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, 
@uexit={0x0, 0x18, 0x4}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_load_code={0x12e, 0x56, {0x3, "0f01df0fa866baf80cb882caa98fef66bafc0c66ed670f01ca0ffdca460f01b3904e000066ba200066b8b7ea66ef0f0132c4e161eb5800b9810500000f32"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0x17, 0x4, 0x4}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @wrmsr={0x65, 0x20, {0x32c, 0x10}}, @wr_drn={0x68, 0x20, {0x7, 0x2}}, @code={0xa, 0x56, {"f341af66b83e008ed0c4e13573fae7660f74a60000000047dbc1450f0866410f3882941f0e5839ba470f795500c4015651af4104000066baf80cb8e27ff48def66bafc0cec"}}, @nested_create_vm={0x12d, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_load_code={0x12e, 0x6f, {0x3, "f3410f221766baf80cb8618ea184ef66bafc0cb000ee36640f2139c46241403266ba430066b80b0066ef66ba4300ec400f23383e0fc732c7442400ac000000c7442402907c03e6ff2c24b805000000b9970000000f01d9"}}, @in_dx={0x69, 0x20, {0xc3e5, 0x2}}, @set_irq_handler={0xc8, 0x20, {0xa1, 0x2}}, @wrmsr={0x65, 0x20, {0x12f, 0x2}}, @enable_nested={0x12c, 0x18}], 0x471}) r24 = mmap$KVM_VCPU(&(0x7f0000fff000/0x1000)=nil, 0x0, 0x1000008, 0x2, r23, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r24, 0x2) syz_kvm_assert_syzos_uexit$x86(r20, r24, 0x10) syz_kvm_setup_cpu$ppc64(r20, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000015140)=[{0x0, 
&(0x7f0000014f80)="04eaa0ef0000603c0000636004006378000063640401636014c2803cd1c0846004008478830a8464be018460273ba03c003ca5600400a5782772a5649d4fa5607c62c03cdfa5c6600400c6787811c66430b5c660f2d6e03caccae7600400e7785198e764fb3be760020000440000e03f0000ff630400ff7b0000ff670048ff63607bff1b0000603c000063600400637800006364fcf463607609803c6cdf8460040084787cb584645d858460f3c8a03c8498a5600400a578a16ba5647c44a560020000440000203e000031620400317a00003166980031620000403f00005a6304005a7b00005a67e5135a63aafef97d0000803c00008460040084780000846400808460dc39007c0000403d00004a6104004a7900004a6571994a61a75fc07f0000603c00006360040063780000636408ef636009c6803c1c64846004008478b4f7846466cc84600380a03c458fa5600400a578cf35a5647597a560ae5ac03c1931c6600400c678a96dc6646f30c660220000440000003c000000600400007800000064120000602401007c0000e03f0100ff630400ff7b0000ff670000ff63a7ffa07e", 0x1a4}], 0x1, 0x0, &(0x7f0000015180)=[@featur2={0x1, 0x1}], 0x1) syz_kvm_setup_syzos_vm$x86(r5, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000151c0)=0x1, 0x0, 0x4) ioctl$NS_GET_OWNER_UID(r5, 0xb704, &(0x7f0000015280)=0x0) syz_mount_image$adfs(&(0x7f0000015200), &(0x7f0000015240)='./file0\x00', 0x40884, &(0x7f00000152c0)={[{@gid={'gid', 0x3d, r16}}, {@uid={'uid', 0x3d, r17}}, {@uid={'uid', 0x3d, r13}}, {@othmask={'othmask', 0x3d, 0x7}}, {@ftsuffix={'ftsuffix', 0x3d, 0x100}}, {@othmask={'othmask', 0x3d, 0x8}}], [{@fowner_lt={'fowner<', r25}}, {@func={'func', 0x3d, 'FIRMWARE_CHECK'}}, {@smackfsdef={'smackfsdef', 0x3d, '\x00'}}, {@hash}]}, 0x0, 0x1c, &(0x7f00000153c0)="$eJxqm+Dw14DJSO1/e8m97d/2AAIAAP//OKcIHw==") syz_open_dev$I2C(&(0x7f0000015400), 0xe, 0x420200) syz_open_procfs(r18, &(0x7f0000015440)='net/mcfilter6\x00') syz_open_pts(0xffffffffffffffff, 0x0) syz_pidfd_open(r8, 0x0) r26 = pkey_alloc(0x0, 0x1) syz_pkey_set(r26, 0x2) syz_read_part_table(0x53, 
&(0x7f0000015480)="$eJwAQwC8/xqlOy2XIlZYZGJIETVblKDS140J0glR3zwsGkmIykjUUmHMRz5PZfZ25OmzjN5Kq6BcIOpvN6UpQpfiwqdtflUtytgBAAD//9ZjH6U=") syz_socket_connect_nvme_tcp() r27 = syz_usb_connect(0x1, 0xd9f, &(0x7f0000015500)={{0x12, 0x1, 0x310, 0x99, 0x45, 0xdf, 0xff, 0x19d2, 0xfff8, 0xcd35, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd8d, 0x4, 0xc, 0xd4, 0xb0, 0x8, "", [{{0x9, 0x4, 0x5, 0xe, 0x6, 0xff, 0xff, 0xff, 0x5, [@uac_as={[@format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x82, 0x97, 0x9, 0x9}, @as_header={0x7, 0x24, 0x1, 0x91, 0x10, 0x1}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x64, 0x5, 0x5, 0x9}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x9, 0x1, 0x1, 0x18}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x100, 0x0, 0x1f}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x200, 0x2, 0x6, 0x6}]}, @uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x0, 0x9, 0x4, 0x1, 0xdc}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0x5, 0x9, 0x6, "42e9"}, @format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x2, 0xaecb, 0x0, "e0ff89cc39b242b2b0"}, @as_header={0x7, 0x24, 0x1, 0xc, 0x2, 0x2}]}], [{{0x9, 0x5, 0x1, 0x1d, 0x20, 0x5, 0x9, 0xf}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x5, 0x7, 0x1, [@generic={0x49, 0x1, "bedbdc40b657915aeea36befa743bbf476bbcc3a55777437fd0c0862a5591f0b8091626c6564a62b6995d0b1ac34995d442de50d21f30da08f64d3bb0e86086e62968216d8cbfe"}, @generic={0xc, 0xe, "1cca42d0d4c12478dbc7"}]}}, {{0x9, 0x5, 0xc, 0xd, 0x10, 0x4, 0xef, 0xd}}, {{0x9, 0x5, 0x0, 0x2, 0x40, 0x1, 0x92, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0xf, 0x9}, @generic={0x9c, 0x24, "9462e78d67a7938309f893388b585f99ed3cae5aeb241e37eacc73fb040b917d697587fd8885dcc892bfee22871988c70188e9e84546a796e56ea48370dfca689aaa0ffd0841c7e28cbcecbc3beeb254d902498dde373f5e920932acdf3222a561174a85ce36d5f5c709829a0429f48de3266211e3532235cacb3a64fff3e30182cd027ea660bce24cc197bf358f77953c964de4530416907fa1"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x400, 0x4, 0x0, 0x6}}, {{0x9, 0x5, 0x1f, 0xc, 0x20, 0x8, 0x80, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x40, 0xfff}, 
@generic={0x4a, 0x9, "13df6f0c723d233880c0869f46c9399e148ef0d987297635b6bf6f369cbf8f07b34b9376ff57dcbdf27465eb5153fb8dd7ca2fab2737dd515edef1c966915e0676db831f2b918d82"}]}}]}}, {{0x9, 0x4, 0xe4, 0xb, 0xd, 0xff, 0xde, 0x55, 0x3, [@uac_control={{0xa, 0x24, 0x1, 0x3, 0xa}}], [{{0x9, 0x5, 0x1, 0x3, 0x20, 0x1, 0x66, 0x7, [@generic={0x8c, 0x23, "c344bd7f690e1122d6524ccd0257c1185e61c3ab3ccb366ef9037a58035418728d9aab96717e220d7220fb964b7e928d75ef45859131159097fa85b2d24eeb7fc590e048eb1ba830ac343bfd9a3c32dfc93fadcb90f93a63c737834f5e2d4e7368e02ec5f2106bef935e5e74c3e7d2d3d16ebffa13a829499da442f01726d07a338feb612c3b6e5193b8"}]}}, {{0x9, 0x5, 0x1, 0xc, 0x10, 0x6, 0x73, 0x2}}, {{0x9, 0x5, 0xe, 0x1, 0x40, 0x0, 0x0, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x8, 0x9df1}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0x84}]}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xd, 0x6, 0x6, [@generic={0x9c, 0x11, "61c2c581bcf0dc3a09ec5465d8b39593b51cb568ad67bf219f28a637f8b8f3aae7b6cf31069da551c5d90a297ab0cfeda543a0f762c8185babc43a4c9bb3b095c0ee1396f8b1fd6219b31613b7560d309f173c80673fb08529fc8f175291f99856af198cf47a32c76df6be449493e5a66eb4664b84226ca1e2c8f2029ade7d75316b104a3480fbf7d4509d748c36f659f8f52743fd077fc7df42"}, @generic={0x4e, 0x4, "57fad147fa12cd27896e4e92ba1ad4058c8d43ec2150d8732fc5ae105a174ed83942dcb79a05b10fd4957dbc1ac027a2df5728b2b2bb9b5bc51f9a8c88e9fa851138c7cdd7626641911cbe0c"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x8, 0x8, 0x20, 0xc, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x8, 0xfd, 0x2}]}}, {{0x9, 0x5, 0xb, 0xc, 0x10, 0xf0, 0x3, 0x9}}, {{0x9, 0x5, 0x2, 0x2, 0x7b7, 0x9, 0x2, 0x78, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x2, 0x6e8}]}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0xb6, 0x47, 0x1, [@generic={0xea, 0xd, 
"d7eef8adff593fef601257eb29f1123c0f04cf50d2f065a52ab835d40454ac46b6638738e9753c66062b76d457d6b363f7b7634feaac719c3e900cceb8d969210b573a62d4516498d598a61e6fa5bbd0fd386f9f1d7afef4ddbe39495d6e555d24555bf1bffe21fc472ab2a8d5d0f8a611ab5a46ae9b23bb6a6b363946dafbb2e741d34fe456f5816332d72d435fbd1fae4763325dac58c2de0a67277e2d74fef5d8ba6de17c31d5c7fb01a13d3bf00c3113416b72b3e2e0b80b4ab9cda77d2de3ed368fab4841fd62acf66e432121b5f5d7c8c036660d7a351033155e3eef2ff20f2aed8241d176"}]}}, {{0x9, 0x5, 0xe, 0x3, 0x200, 0xff, 0x62, 0x5, [@generic={0x55, 0x23, "d522b56c6dde6a698a23e10e4fc0798f87c946fa2848c717a9a33138fdb3475793c1b4d1722b3bcc36384d2589a27e5f22b289727e23f039ffdf2ab25da62c092ed01cb151b0ad8ba7758c32abd07f79514eba"}, @generic={0x96, 0x8, "70f4e5b83374f7b0de44ec45105ac31402140e176214641e3797ba0aea4013e3e7c2871f78528a256a2249dcad684fd577a428a14f446ce9d7de49364aa163c68dd1e4e20c0aa98a263547f07dae9c3e45ffec5bdccfb90b1ad9054da62866626bfbc394a1e9aec6b300420a6167e6e6ef4396dffb6bfc18d3b2537789270423867535f75b1454cc3b8a6aef5b65b9774139adcf"}]}}, {{0x9, 0x5, 0xc, 0x10, 0x20, 0x8, 0x1, 0x8}}, {{0x9, 0x5, 0xd, 0x10, 0x400, 0x3, 0x6d, 0x7, [@generic={0x85, 0xe, "1a54b4a07976e16cec507f7cfe00c93599f9fdefaf8bf86cb9ae60f5e7426c78b3e01cc8cab0aaf09debbacd785c9de3bb89551d0a241f2d65830f5364754991feead87fe8c8b928ac16853ae959eac27b59ccc86d22442ca629d120b1a09cf14184a9c4873f74ae748201f5f4e649e3724c7ddb89f458472b285f9c10ea40393f3060"}]}}, {{0x9, 0x5, 0x9, 0x0, 0x8, 0xa, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x4, 0x4fb3}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x1, 0x88, 0x6}}]}}, {{0x9, 0x4, 0x10, 0x8, 0x10, 0xff, 0x5d, 0x81, 0x3, [@generic={0xb7, 0x0, 
"bea8fdb50e624b763ddddaf5ed85d8170ca858cf74ac678eb54d2045e5fbb2772140e2cf1895cb693a914ffb891cd2c90d4827bcd34359d70107462ead889a6e4ed6968935a81a147ac0ccc81c38d62d6a84cf504552ec37d609b5475018bda124c09ea9f21303865fe464abc38cd84ae42de33e4691127e2b8553837d58cda51f11a05a1538ecff55e90f34a1c566c234c006d00b50b4b29e49b8d090f5a274ae37e03e49682c44c2b1d9db62f63233f9670cb2ac"}], [{{0x9, 0x5, 0xc, 0x10, 0x40, 0x9, 0x8, 0x2}}, {{0x9, 0x5, 0x6, 0x2, 0x8, 0x3, 0x18, 0x1c, [@generic={0xf6, 0xc, "d7729711236eb7896991e6ffe3dd7622e96e2e7d1760ab6452472bbac1d06861d9d49e4100606a227d342c6175945ade9cc3f46ec4627f92caa5d73227fae7a360d25fac9e5744073f0c054c9a5b8258dd279b736876584b904d943b23c26d9e6bc2dd3b98f36244158c760f0bf975029142b3f58bb63ec376d7f5d9611820d380efd7de6163ac8dc27144e21d92c93ffecc2d8c7b3bc5ead181863cd96a0abf2889eb10b687913fa8214b89de11f52b7d1936ad9c1c45da86a15e86b6c9060291d85b48ebc2344db8ad8cc52f79d4f0377a893b3da61cfc1513d2ba9536d6190de886a2d18ff8ab1f463f15471d7f96dc92d0ac"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x20, 0x9, 0x2, 0x37}}, {{0x9, 0x5, 0xf, 0x12, 0x8, 0xd, 0x6, 0xf, [@generic={0x40, 0x5, "71afb2617a61e75529dde0f32fa6ca4b857a84b3120b936168642c34048f292fc27a3a8f1f74580cdc36e9a40b4ff692f13224b914a89fb73085793a5c22"}]}}, {{0x9, 0x5, 0xd, 0xc, 0x36fb25d4600df5f1, 0x4, 0x1, 0x0, [@generic={0x50, 0x3, "17ffd473ba28c360591f571dc60f1324d4a34ab8d9d3c0686c13a61bda2464e1635423ebf4ed34037bab62fd30a8dd0a89f1bcbff3af4f0c989ddb6f03760ae76f63ffdcbfbbfee9a135257314aa"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0x2d, 0x10, 0xba}}, {{0x9, 0x5, 0xe, 0x0, 0x10, 0x8, 0x7, 0xac}}, {{0x9, 0x5, 0xa, 0x8, 0x20, 0x9, 0x7c, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x9, 0x4}]}}, {{0x9, 0x5, 0xb, 0x10, 0x3ff, 0x1, 0x4, 0xbd}}, {{0x9, 0x5, 0x7, 0x3, 0x20, 0x6, 0xf, 0xe}}, {{0x9, 0x5, 0xd, 0x10, 0x7f7, 0x4, 0x1c, 0x1}}, {{0x9, 0x5, 0x0, 0x0, 0xaead6ee2ff2b5f33, 0x40, 0x6, 0x81, [@generic={0x54, 0x9, 
"22a03d117edd7ff802cdb509b49cf07b1884a5d06a2872ffdd1f6a974c0574871d68b2fd80b9dde557da7eec4d7f2778a5c3a4bbef519d158a59f152fe19f598e43360f8a24aa973c56f46c4a68a273a1fc4"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x8, 0x5, 0x38, 0x1}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x4, 0x2, 0x7, [@generic={0xda, 0x26, "32162d9cffd7548ddc1524c6651fa112cb8399eb7daa746af4a3f458159bd8a487dade3217ae3224615d50ba5643301952fdd082ab52f64eb38bddcf02b06728a3bf4f73d3b780a3a5804bad04ecc22787690f67257674f728b10231ba2db83cb4eb841e5523eb43f3482d3ec33cb8187b87aa08a21e94e0394a1ee8d8f0cc088910aba4dbe5feefc245380ff1443e3a97bd4d5addd01f1126d4b70abcbbe140716a1c66dac61f66514fcebe67647b43bbd8e848333ff9957ebaace9d057b627a667e6f51daeac302b2129c26d415bc9a2ee7495b331b7da"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x8, 0x7, 0x5}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0xfe, 0x0, 0xd, [@generic={0xe1, 0x24, "66c968f67f56d0ab89d6819c67d1d6c215d2f3cf615b37028db269d93608cdf0704118e0ddbf97166c27afb51a132cd70f0fa3b7ad5ee3a441027a74122781ab0f1ce5fe7bd1153c8ffccd3ef109213f20d2bafd0e331abc5cd1fb54809a06c8fa60a9f0fc8e113f318c3a7f7bc6fabe193094ec493d246cbd702bf019796a8872b3c40234d8e90731b2dff88a1f0c4f1786a190eb16651e3ac45edb14d9fb898644bed61576bd7a9fd90c5217217f6b9aed19d4a22bff482d058e603d2a0cdc48b1b271b79b1e25d7fe6bb820506e48579a78af99e7e9429bcd4b07bc0134"}, @generic={0x40, 0x5, "8f82cc05df67734141e356e936a6e0a7247ac23b30900c5fc4148a14990b5004686de6cace04ade350f04a3d078c3910f7dba492af85da649432e26a7854"}]}}]}}, {{0x9, 0x4, 0x88, 0x1, 0x8, 0xeb, 0x43, 0x23, 0x4, [], [{{0x9, 0x5, 0xc, 0x0, 0x40, 0x8, 0x8, 0x5}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0x9a, 0x5f, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x81, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xf9, 0x2}]}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0x7, 0x1, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x1}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xd, 0x103}]}}, {{0x9, 0x5, 0xb, 0xc, 0x3ff, 0xa9, 0x1, 0x6, [@generic={0xfb, 0x2c, 
"df60d233063867e638f4ac474e685fef8f861557d0a31566d58bde1f04a113f6cb64c96056a81685a6dfa2978a60c2d94e450f6675e38b44c96bfbff6c5f3746609346497483dfc8ac2127362cdbdaa0253951a182272183f456aae2bd12b292c609e8e14b4f8c1853e0d87e0c3179c8be7b0730721bb30159040826f093510ce022587691627b236a66215620418df334d28d1d14f0ca3b9f4fcff06ba249dd19508198503a2c2cd4f3abdadbd4f1ace4e627bec97299a00228e09c064e5f342e00d8c8f2d5b1fb56485e736a87dcfe510c218632729122a4eb5d5b5d81df8be58527183e48f760b85c599f8813f89d706af7b22f77d68dc1"}, @generic={0x6b, 0x4, "07ece06586e01505f126e0db2ed1ac18b57549f080d741f38b0ccec6ba034d096429405619d01af435c8092be0e9c4a93c1b647e7c7f14f05efff305d2b85d51fedff750b87e5990d028fd338645029bd9ed95e00305acce8b899a786dbf30895be03148a7a1e3bf25"}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0x3, 0x5, 0xff}}, {{0x9, 0x5, 0xa, 0x10, 0x200, 0x6, 0x14, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x4}]}}, {{0x9, 0x5, 0x5, 0x8, 0x210, 0xe8, 0x5, 0x3}}, {{0x9, 0x5, 0xa, 0x8, 0x10, 0x64, 0x8, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x5, 0x2}]}}]}}]}}]}}, &(0x7f0000016780)={0xa, &(0x7f00000162c0)={0xa, 0x6, 0x201, 0x3, 0x8, 0xff, 0x20, 0x10}, 0x28, &(0x7f0000016300)={0x5, 0xf, 0x28, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x1, 0x7, 0x7, 0x6, 0xff}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x2, 0x61, 0xff, 0xf, 0x6, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x1, 0x3, 0xb, 0x100}]}, 0x7, [{0x4, &(0x7f0000016340)=@lang_id={0x4, 0x3, 0x457}}, {0xff, &(0x7f0000016380)=@string={0xff, 0x3, "85a764d829532917b6647a68a249b252f01a99f88767a2e9f13aeefab39cf6a405497e3244294b1bd485c0ec99338640a508fabbf11e0fd6a03bcc9cebaf83037aa77397cbdf0911c8dfb842f62f94766aa445925773c4f7c6701be8a05673afe95cf19c279ac62fd2720ed2dae689371c5151bf6b9e7727f8f497091c3aaa902f81e44c5173acf22152fcbc4d72a75e9ab4badc6788b2fdbb7e34b202e0e71feb1cc9b1ca791e92374cfc63cc7db5648591778bfc1948f9dad9b7fe74a588ddc9ad499993062666b3e0df0acaa67802ad37a86fcb411a2230bdd43fe8610f29c15179bf429f81876ee90b7d35a2263f91eb8d3c7c87c46600b45282ee"}}, {0x4, 
&(0x7f0000016480)=@lang_id={0x4, 0x3, 0x8406}}, {0x49, &(0x7f00000164c0)=@string={0x49, 0x3, "cb9d5f1c5fbc9474d59ffa54a92ba7aff97b2f65abf48aad8e2b09b60a5dc2744b250fe7529097bfbb2bcf99d0548a034fb7aecaf8dd808495be132e1b8c84abe53375dcf540d5"}}, {0x4, &(0x7f0000016540)=@lang_id={0x4, 0x3, 0x407}}, {0x102, &(0x7f0000016580)=@string={0x102, 0x3, "04ddeb57b5072b0dc9dc624cf2792daac535b02570dbb701e1db0e6c25d680f07b517f6582125baa7a7849eb0b11130e0024efe8a1c951363bf47a68fb5bd9acf185aea1627381f50343cb4bb8d7175131f2ae52a842db753904d3051a0ab082608560e8ac66b87dddbb9fa3514a31e5595170e3d21c018b37855992a2a4b348de99469b63f5438e240e23cfe0a26d30a91d953691d741b9d5d85dab27d40da71fc9d8677b0dc3e1d6060d0d98a71300d374e7bd550f6a57b6fcd444313f37367f5b55c20f1a2d44861e8a1a36bcdc769ffc146bb71ab5846dcb8231247f1636483dabb710d074fd2b8018d4c356d1825bb17bf96327e96ee867583243e8254e"}}, {0x9e, &(0x7f00000166c0)=@string={0x9e, 0x3, "ef2a4e829a0f6cdb32a449bba1d48f5dfe865e51f2287e2177391a43f9bbf1ca78d573f200eae40c60a21ddc2ad482df2a85f27559815bb4ebca560530b86553450ee38eaeb8712f6b77c14d47f85d8bbf641e1d9e09fa1e2be5e92c187ce56ef9949ae1d87cfbfe0ea1ba9f9b2ff0182d4b05ce506891c5a347ee33ccf9ce7d86d7ddf2bf38574d21d9654bbe80658680bef5589e2db6072d9fd0fd"}}]}) r28 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000016800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r28, &(0x7f0000016b40)={0x2c, &(0x7f0000016880)={0x20, 0xb, 0xc8, {0xc8, 0x21, "01f48fe831d8d1992472173ea819a3a2ade96121341354e85ca198ec1fcf8590c939f727aa0e85856b357c23bc068f24a22cc6b71bd4add3ae66955e3ceb2a8f155c4feaf36d9c4802968a53b086a4a50dc35475e75c1851e7d408540774e8982191e50606991f3f33fa708ef6a94041511098b0267e737b9f399fad65b7cc2efa80eafc734bd5ab1fdc3decc026fa7675ef45a1d17ffe1c0b1e00b10273d7c57d183c74a3d9b1471322b59a98cebd12d16c2834b226cecaeaf960e3d90776c23923eae68d1e"}}, &(0x7f0000016980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x280a}}, &(0x7f00000169c0)={0x0, 0xf, 0xc8, 
{0x5, 0xf, 0xc8, 0x5, [@ssp_cap={0x14, 0x10, 0xa, 0x3, 0x2, 0x9, 0xf, 0x0, [0xc0cf, 0xf]}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0x30ec, 0xf0f, 0x82, [0xc00f]}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0xb, 0x8, 0xf}, @generic={0x8d, 0x10, 0xa, "422d46fc73f84b4dd0c3d24d79f270975a978d736a0aa3e586ae4e9a232483cf25269718cbb9df730362ce6b7cf0e3d10079c328ee2be8f5ffc242a07e20f7c3db607c73e2cac82f1c73c8fcaceb151e2022fe0c73ad6619a4dace08659699ed7660d45202749cda47dfa1e0db87664d1eff73f0606d30b778cb8808dfa6b24cc18add579f29e81b12e3"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x48, 0x6, 0xf2, 0x0, 0x2}]}}, &(0x7f0000016ac0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x1, 0x3, 0xf6, 0x5, "d7db758c", "cb024e33"}}, &(0x7f0000016b00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x2, 0x2, 0x80, 0x5, 0x7, 0x7, 0xff24}}}, &(0x7f0000016f40)={0x84, &(0x7f0000016b80)={0x20, 0x13, 0x2a, "b3644b33a496f2187a5863e64c407cecd2d6d13ae23ecf1c3c53f78ff217cff021e4718cea7fbe4c3ba3"}, 0xfffffffffffffffd, &(0x7f0000016bc0)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000016c00)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000016c40)={0x20, 0x0, 0x4, {0x40, 0x20}}, &(0x7f0000016c80)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000016cc0)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000016d00)={0x40, 0xb, 0x2, '{*'}, &(0x7f0000016d40)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000016d80)={0x40, 0x13, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, &(0x7f0000016dc0)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, &(0x7f0000016e00)={0x40, 0x19, 0x2, "1ac5"}, &(0x7f0000016e40)={0x40, 0x1a, 0x2, 0x100}, &(0x7f0000016e80)={0x40, 0x1c, 0x1, 0x7}, &(0x7f0000016ec0)={0x40, 0x1e, 0x1, 0xc8}, &(0x7f0000016f00)={0x40, 0x21, 0x1, 0x4f}}) syz_usb_disconnect(r27) syz_usb_ep_read(r27, 0x0, 0x4, &(0x7f0000017000)=""/4) syz_usb_ep_write(r28, 0x4, 0x9a, 
&(0x7f0000017040)="dd9c6225175b3c37dc1963b4d0f463d6e382d956edabd131d419ff0b343494a2c3c8bd5e321a506b68c9621ab544dc8bd17c2f62f3c56caecb3908a6430e4d9eafd02ca13dfdcc2d07c531313862ad4271ecb07f10143f48ff7e738a4a77623d0d4b8921084f7c7a9114220624e8f12287c7369f8b9193de6e3a67ff4bf7596fd6c107e477fc1df67c16fec951a212d960cd48e3a1758e8ec8e7") syz_usbip_server_init(0x3) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_getfd #define __NR_pidfd_getfd 438 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, 
arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		/* EAGAIN: pause 50 us and retry; any other error ends the loop. */
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	/* Reached only when no thread could be created. */
	exit(1);
}

/*
 * BITMASK(bf_off, bf_len): bf_len one-bits starting at bit bf_off, as an
 * unsigned long long. bf_len must stay below the width of unsigned long long,
 * because shifting 1ull by the full width is undefined.
 */
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
/*
 * STORE_BY_BITMASK: read-modify-write of a bitfield inside *(type*)(addr).
 * The stored word is passed through htobe, the field bits are cleared, val is
 * shifted to bf_off and masked in, and the result goes back through htobe.
 * addr, bf_off and bf_len are expanded more than once, so arguments with side
 * effects are evaluated repeatedly.
 */
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

/* One-shot event built on a futex word: state is 0 (clear) or 1 (set). */
typedef struct {
	int state;
} event_t;

/* Puts the event in the clear state. */
static void event_init(event_t* ev)
{
	ev->state = 0;
}

/* Clears the event with a plain store (no atomic or futex operation). */
static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/*
 * Sets the event and wakes waiters. Setting an event that is already set is
 * treated as fatal (exit(1)); that check is a plain, non-atomic read.
 */
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	/* Release store publishes the state before the wake-up is issued. */
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

/*
 * Blocks until state is observed non-zero. FUTEX_WAIT is asked to sleep only
 * while the word still holds 0, with no timeout; the loop re-checks the state
 * after every return from the syscall.
 */
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

/* Returns the current state (acquire load) without blocking. */
static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/*
 * Waits for the event for at most `timeout` milliseconds.
 * Returns 1 once the state is observed set, 0 when more than `timeout` ms
 * have elapsed since the call started.
 */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		/*
		 * Cannot wrap: the loop returns below as soon as now - start
		 * exceeds timeout, so now - start <= timeout here.
		 */
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

/*
 * Formats a string printf-style and writes it to an existing file.
 *
 * file: path opened with O_WRONLY | O_CLOEXEC (no O_CREAT, so it must exist).
 * what: printf format string followed by its arguments. It is handed to
 *       vsnprintf as the format, so it has to come from the program itself,
 *       never from external data.
 *
 * Output longer than the 1024-byte buffer is truncated without an error.
 * Returns true only if the whole formatted string was written; on a failed
 * or short write, errno from write() is preserved across the close().
 */
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		/* close() may overwrite errno; keep the value from write(). */
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

/*
 * Scratch buffer for building one netlink request and receiving its reply.
 * pos is the write cursor inside buf; nesting and nested[] are only checked
 * (nesting) or left untouched (nested) by the functions in this excerpt.
 */
struct nlmsg {
	char* pos;
	int nesting;
	struct nlattr* nested[8];
	char buf[4096];
};

/*
 * Starts a new request in nlmsg: zeroes the whole structure, fills in the
 * message type and flags (NLM_F_REQUEST | NLM_F_ACK are always set), copies
 * `size` bytes of family-specific header from `data` right after the nlmsghdr
 * and leaves pos just past that header, aligned with NLMSG_ALIGN.
 *
 * NOTE(review): size is not checked against sizeof(nlmsg->buf) here.
 */
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
	memset(nlmsg, 0, sizeof(*nlmsg));
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_type = typ;
	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
	memcpy(hdr + 1, data, size);
	nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

/*
 * Appends one attribute (type `typ`, `size` payload bytes from `data`) at pos
 * and advances pos by the aligned attribute length. data may be NULL when
 * size is 0 (the copy is skipped).
 *
 * NOTE(review): nothing here checks that the attribute fits in nlmsg->buf
 * before the memcpy. The only bound check in this excerpt is the one at the
 * top of netlink_send_ext, which runs after the bytes have been written, so
 * callers have to keep the total message within sizeof(buf) themselves.
 */
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	attr->nla_len = sizeof(*attr) + size;
	attr->nla_type = typ;
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

/*
 * Sends the request built in nlmsg on `sock` and reads one reply datagram
 * back into the same buffer (the request is overwritten).
 *
 * reply_type / reply_len: when reply_len is non-NULL and the reply header has
 *     type reply_type, *reply_len receives the number of bytes received and
 *     0 is returned. *reply_len is reset to 0 once recv() has returned.
 * dofail: when true, send/receive failures and malformed replies call
 *     exit(1) instead of returning -1.
 *
 * Returns 0 for NLMSG_DONE, for a matching reply, or for an NLMSG_ERROR
 * carrying error 0; otherwise a negative errno value taken from the
 * NLMSG_ERROR payload (errno is set to its positive counterpart), or -1 on
 * transport or format errors.
 */
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
	/* A cursor past the buffer end or an unclosed nest is fatal. */
	if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
		exit(1);
	struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
	hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
	struct sockaddr_nl addr;
	memset(&addr, 0, sizeof(addr));
	addr.nl_family = AF_NETLINK;
	ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
	if (n != (ssize_t)hdr->nlmsg_len) {
		if (dofail)
			exit(1);
		return -1;
	}
	n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	if (reply_len)
		*reply_len = 0;
	if (n < 0) {
		if (dofail)
			exit(1);
		return -1;
	}
	/* The reply must hold at least a netlink header before hdr is read. */
	if (n < (ssize_t)sizeof(struct nlmsghdr)) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type == NLMSG_DONE)
		return 0;
	if (reply_len && hdr->nlmsg_type == reply_type) {
		*reply_len = n;
		return 0;
	}
	/* Anything else has to be a complete NLMSG_ERROR message. */
	if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	if (hdr->nlmsg_type != NLMSG_ERROR) {
		errno = EINVAL;
		if (dofail)
			exit(1);
		return -1;
	}
	errno = -((struct nlmsgerr*)(hdr + 1))->error;
	return -errno;
}

/*
 * Asks the generic netlink controller (GENL_ID_CTRL / CTRL_CMD_GETFAMILY)
 * for the numeric id of `family_name`.
 *
 * Returns the family id (non-zero) on success; -1 when the request fails or
 * the reply has no CTRL_ATTR_FAMILY_ID (errno = EINVAL in the latter case).
 *
 * The name attribute carries at most GENL_NAMSIZ - 1 bytes of the name plus
 * the byte that follows; for a longer name that byte is not a terminator.
 *
 * NOTE(review): the attribute walk trusts nla_len from the reply. It does
 * not check that a full attribute header and payload lie below buf + n, and
 * an nla_len of 0 would not advance the cursor. The reply comes from the
 * kernel here; confirm that is acceptable before reusing this parser on
 * other input.
 */
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0) {
		return -1;
	}
	uint16_t id = 0;
	/* Attributes start after the netlink header and the genl header. */
	struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
	for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			id = *(uint16_t*)(attr + 1);
			break;
		}
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	/* Result ignored; presumably this drains the trailing ACK. TODO confirm. */
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}

/* Not referenced in the lines shown here; presumably a reserved descriptor number. TODO confirm. */
const int kInitNetNsFd = 201;

/* Wi-Fi test-setup constants; none of them is referenced in the lines shown here. */
#define WIFI_INITIAL_DEVICE_COUNT 2
#define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00}
#define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50}
#define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10}
#define WIFI_DEFAULT_FREQUENCY 2412
#define WIFI_DEFAULT_SIGNAL 0
#define WIFI_DEFAULT_RX_RATE 1
#define HWSIM_CMD_REGISTER 1
#define HWSIM_CMD_FRAME 2
#define HWSIM_CMD_NEW_RADIO 4
#define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14
#define HWSIM_ATTR_PERM_ADDR 22
#define IF_OPER_UP 6

/* Parameters for NL80211_CMD_JOIN_IBSS as consumed by nl80211_join_ibss(). */
struct join_ibss_props {
	int wiphy_freq; /* sent as NL80211_ATTR_WIPHY_FREQ */
	bool wiphy_freq_fixed; /* when true, NL80211_ATTR_FREQ_FIXED is added */
	uint8_t* mac; /* optional; ETH_ALEN bytes are read when non-NULL */
	uint8_t* ssid; /* ssid_len bytes are sent as NL80211_ATTR_SSID */
	int ssid_len;
};

/*
 * Brings a network interface up (on != 0) or down (on == 0) through the
 * SIOCGIFFLAGS / SIOCSIFFLAGS ioctls on a temporary AF_INET datagram socket.
 * Returns 0 on success, -1 if the socket or either ioctl fails.
 *
 * NOTE(review): the strcpy into ifr.ifr_name is unbounded, so interface_name
 * must be shorter than the ifr_name array. Callers are outside this excerpt;
 * a length-checked copy would be needed if the name could ever come from
 * outside the program.
 */
static int set_interface_state(const char* interface_name, int on)
{
	struct ifreq ifr;
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		return -1;
	}
	memset(&ifr, 0, sizeof(ifr));
	strcpy(ifr.ifr_name, interface_name);
	int ret = ioctl(sock, SIOCGIFFLAGS, &ifr);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	if (on)
		ifr.ifr_flags |= IFF_UP;
	else
		ifr.ifr_flags &= ~IFF_UP;
	ret = ioctl(sock, SIOCSIFFLAGS, &ifr);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/*
 * Sends NL80211_CMD_SET_INTERFACE for `ifindex` with the requested interface
 * type. Returns whatever netlink_send_ext() returns (0 or a negative value).
 */
static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_SET_INTERFACE;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
	/* Empty branch: the error is only passed on to the caller. */
	if (err < 0) {
	}
	return err;
}

/*
 * Sends NL80211_CMD_JOIN_IBSS for `ifindex` using the SSID, frequency and
 * optional MAC / fixed-frequency flag from `props`.
 * Returns whatever netlink_send_ext() returns (0 or a negative value).
 */
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	/* Flag attribute: present or absent, no payload. */
	if (props->wiphy_freq_fixed)
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
	/* Empty branch: the error is only passed on to the caller. */
	if (err < 0) {
	}
	return err;
}

/*
 * Queries IFLA_OPERSTATE for `ifindex` with an RTM_GETLINK request on a
 * temporary NETLINK_ROUTE socket.
 * Returns the attribute value, or -1 if the socket, the request or the
 * attribute lookup fails.
 *
 * NOTE(review): the payload is read as int32_t; confirm that this matches
 * the width the kernel uses for IFLA_OPERSTATE.
 */
static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail)
{
	struct ifinfomsg info;
	memset(&info, 0, sizeof(info));
	info.ifi_family = AF_UNSPEC;
	info.ifi_index = ifindex;
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (sock == -1) {
		return -1;
	}
	netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info));
	/* n is only read after netlink_send_ext() returned 0, which implies it was written. */
	int n;
	int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail);
	close(sock);
	if (err) {
		return -1;
	}
	struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf));
	for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) {
		if (attr->rta_type == IFLA_OPERSTATE)
			return *((int32_t*)RTA_DATA(attr));
	}
	return -1;
}

/*
 * Polls get_ifla_operstate() once per millisecond until the interface
 * reports `operstate`. Returns 0 when it does, or the negative value from
 * get_ifla_operstate() on the first failed query.
 *
 * There is no timeout: if queries keep succeeding with a different state,
 * the loop never ends. The if_nametoindex() result is not checked, and the
 * final `return 0` is unreachable.
 */
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	while (true) {
		usleep(1000);
		int ret = get_ifla_operstate(nlmsg, ifindex, dofail);
		if (ret < 0)
			return ret;
		if (ret == operstate)
			return 0;
	}
	return 0;
}

/*
 * Puts `interface` into ad-hoc (IBSS) mode and joins the network described
 * by `ibss_props`: resolve the ifindex, switch the interface type to
 * NL80211_IFTYPE_ADHOC, bring the interface up, then send the join request.
 * Returns 0 on success, -1 as soon as any step fails.
 */
static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail)
{
	int ifindex = if_nametoindex(interface);
	/* if_nametoindex() returns 0 for an unknown interface name. */
	if (ifindex == 0) {
		return -1;
	}
	int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail);
	if (ret < 0) {
		return -1;
	}
	ret = set_interface_state(interface, 1);
	if (ret < 0) {
		return -1;
	}
	ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

/*
 * Hard-coded entry sizes and byte offsets for the io_uring rings.
 * syz_io_uring_complete() below adds CQ_RING_MASK_OFFSET, CQ_HEAD_OFFSET and
 * CQ_CQES_OFFSET to the ring base pointer; the other values are not used in
 * the lines shown here.
 */
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320

/* Local 16-byte completion entry layout (matches SIZEOF_IO_URING_CQE). */
struct io_uring_cqe {
	uint64_t user_data;
	uint32_t res;
	uint32_t flags;
};

/*
 * Consumes one completion entry from the ring whose base address is a0.
 * The entry at (head & ring mask) is copied out and head + 1 is published
 * with a release store. The result is the entry's res field when user_data
 * is 0x12345 or 0x23456, and -1 otherwise.
 *
 * The CQ tail is never read, so the function does not check that an entry
 * is actually pending, and a0 is dereferenced without validation.
 */
static long syz_io_uring_complete(volatile long a0)
{
	char* ring_ptr = (char*)a0;
	uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET);
	uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET);
	uint32_t cq_head = *cq_head_ptr & cq_ring_mask;
	uint32_t cq_head_next = *cq_head_ptr + 1;
	char* cqe_src = ring_ptr + CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE;
	struct io_uring_cqe cqe;
	/* Copy the entry out before the head is advanced. */
	memcpy(&cqe, cqe_src,
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz;
	// Map the shared ring region at offset IORING_OFF_SQ_RING. The mmap() result is
	// stored as-is; MAP_FAILED is not checked here.
	*ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
	// Map the SQE array at IORING_OFF_SQES: sq_entries slots of SIZEOF_IO_URING_SQE bytes.
	uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
	*sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
	// Initialise the uint32_t array at sq_off.array so that entry i holds i.
	// NOTE(review): the loop runs to the requested `entries`, while the mapping
	// sizes are derived from setup_params->sq_entries. If the two can differ, or
	// if the ring mmap() failed, these stores fall outside the mapping -- confirm
	// whether that is acceptable for this harness.
	uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array);
	for (uint32_t index = 0; index < entries; index++)
		array[index] = index;
	return fd_io_uring;
}

/*
 * Copy one SIZEOF_IO_URING_SQE-byte submission entry into the SQE array and
 * publish it by advancing the SQ tail.
 *
 * a0: address of the mapped ring region
 * a1: address of the mapped SQE array
 * a2: address of the SQE to copy
 *
 * Always returns 0. None of the three addresses is validated, and the ring
 * fields are located with the compile-time SQ_*_OFFSET constants.
 */
static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2)
{
	char* ring_ptr = (char*)a0;
	char* sqes_ptr = (char*)a1;
	char* sqe = (char*)a2;
	uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET);
	uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET);
	// Slot index = current tail masked by the ring mask.
	uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask;
	char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE;
	memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE);
	// Store the incremented tail with release ordering, after the SQE copy.
	uint32_t sq_tail_next = *sq_tail_ptr + 1;
	__atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE);
	return 0;
}

#define VHCI_HC_PORTS 8
#define VHCI_PORTS (VHCI_HC_PORTS * 2)

/*
 * Create a UNIX stream socketpair, write an attach request naming one end to the
 * vhci_hcd sysfs "attach" file, and return the other end.
 *
 * a0: USB speed; USB_SPEED_SUPER selects the second port_alloc counter.
 *
 * Returns the server-side fd, or -1 if socketpair() fails or the port counter
 * is past the limit. The write_file() result is not checked.
 */
static long syz_usbip_server_init(volatile long a0)
{
	// Per-process counters of ports handed out, indexed by usb3 (0 or 1).
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);
	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) {
		return -1;
	}
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];
	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// NOTE(review): `>` lets available_port_num == VHCI_HC_PORTS through, which
	// yields a port_num one past this group's VHCI_HC_PORTS-wide range; `>=`
	// looks intended -- confirm. This return also leaves both socketpair
	// descriptors open.
	if (available_port_num > VHCI_HC_PORTS) {
		return -1;
	}
	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed);
	write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer);
	return server_fd;
}

#define BTF_MAGIC 0xeB9F
// Header at the start of the BTF blob; type_off and str_off are applied after
// hdr_len by the parser in this file.
struct btf_header {
	__u16 magic;
	__u8 version;
	__u8 flags;
	__u32 hdr_len;
	__u32 type_off;
	__u32 type_len;
	__u32 str_off;
	__u32 str_len;
};
#define
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f)
// Low 16 bits of `info`: element count used to size the kind-specific trailer.
#define BTF_INFO_VLEN(info) ((info) & 0xffff)
#define BTF_KIND_INT 1
#define BTF_KIND_ARRAY 3
#define BTF_KIND_STRUCT 4
#define BTF_KIND_UNION 5
#define BTF_KIND_ENUM 6
#define BTF_KIND_FUNC_PROTO 13
#define BTF_KIND_VAR 14
#define BTF_KIND_DATASEC 15
// Fixed-size part of every type record; name_off is an offset into the string section.
struct btf_type {
	__u32 name_off;
	__u32 info;
	union {
		__u32 size;
		__u32 type;
	};
};
struct btf_enum {
	__u32 name_off;
	__s32 val;
};
struct btf_array {
	__u32 type;
	__u32 index_type;
	__u32 nelems;
};
struct btf_member {
	__u32 name_off;
	__u32 type;
	__u32 offset;
};
struct btf_param {
	__u32 name_off;
	__u32 type;
};
struct btf_var {
	__u32 linkage;
};
struct btf_var_secinfo {
	__u32 type;
	__u32 offset;
	__u32 size;
};
#define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024)

/*
 * Read /sys/kernel/btf/vmlinux into a static buffer once and return it.
 *
 * Returns the buffer, or NULL if the file cannot be opened, a read fails, or
 * the data fills the whole VMLINUX_MAX_SUPPORT_SIZE buffer. Later calls after a
 * successful read return the cached buffer without touching the file.
 *
 * NOTE(review): the descriptor from open() is not closed on any path, and the
 * number of bytes read is not kept, so callers cannot bound their parsing by
 * the real data length.
 */
static char* read_btf_vmlinux()
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;
	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;
	unsigned long bytes_read = 0;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// A completely full buffer is treated as "file too large".
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			return NULL;
		if (ret == 0)
			break;
		bytes_read += ret;
	}
	is_read = true;
	return buf;
}

/*
 * Walk the type section of the vmlinux BTF blob and return the 1-based position
 * of the first record whose name equals the NUL-terminated string at a0.
 *
 * Returns -1 if the blob is unavailable, the magic does not match, or no record
 * matches.
 */
static long syz_btf_id_by_name(volatile long a0)
{
	char* target = (char*)a0;
	char* vmlinux = read_btf_vmlinux();
	if (vmlinux == NULL)
		return -1;
	struct btf_header* btf_header = (struct btf_header*)vmlinux;
	if (btf_header->magic != BTF_MAGIC)
		return -1;
	// NOTE(review): hdr_len, type_off, str_off, type_len and each name_off are
	// used as read from the blob; nothing here checks them against the buffer
	// size. Presumably acceptable because the source is the running kernel --
	// confirm.
	char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off;
	char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off;
	unsigned int bytes_parsed = 0;
	// Positions are counted from 1.
	long idx = 1;
	while (bytes_parsed < btf_header->type_len) {
		struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed);
		uint32_t kind = BTF_INFO_KIND(btf_type->info);
		uint32_t vlen = BTF_INFO_VLEN(btf_type->info);
		char* name = btf_str_sec + btf_type->name_off;
		if (strcmp(name, target) == 0)
			return idx;
		size_t
skip;
		// Size of the kind-specific data that follows the fixed btf_type record.
		// Kinds not listed are treated as having no trailing data.
		// NOTE(review): a kind with trailing data that is missing from this
		// switch would desynchronise the walk -- confirm the list against the
		// kernel's BTF format.
		switch (kind) {
		case BTF_KIND_INT:
			skip = sizeof(uint32_t);
			break;
		case BTF_KIND_ENUM:
			skip = sizeof(struct btf_enum) * vlen;
			break;
		case BTF_KIND_ARRAY:
			skip = sizeof(struct btf_array);
			break;
		case BTF_KIND_STRUCT:
		case BTF_KIND_UNION:
			skip = sizeof(struct btf_member) * vlen;
			break;
		case BTF_KIND_FUNC_PROTO:
			skip = sizeof(struct btf_param) * vlen;
			break;
		case BTF_KIND_VAR:
			skip = sizeof(struct btf_var);
			break;
		case BTF_KIND_DATASEC:
			skip = sizeof(struct btf_var_secinfo) * vlen;
			break;
		default:
			skip = 0;
		}
		bytes_parsed += sizeof(struct btf_type) + skip;
		idx++;
	}
	return -1;
}

/*
 * Copy a4 bytes from (a2 + a3) to (a0 + a1).
 *
 * Both offsets are truncated to uint32_t. Returns the memcpy() result cast to
 * long. No bounds or overlap checks are made.
 */
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* dest = (char*)a0;
	uint32_t dest_off = (uint32_t)a1;
	char* src = (char*)a2;
	uint32_t src_off = (uint32_t)a3;
	size_t n = (size_t)a4;
	return (long)memcpy(dest + dest_off, src + src_off, n);
}

// Returns its argument unchanged.
static long syz_create_resource(volatile long val)
{
	return val;
}

#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6

// One endpoint: a copy of its descriptor plus an integer handle.
struct usb_endpoint_index {
	struct usb_endpoint_descriptor desc;
	int handle;
};

// One interface: pointer to its descriptor, cached fields, and up to
// USB_MAX_EP_NUM endpoints.
struct usb_iface_index {
	struct usb_interface_descriptor* iface;
	uint8_t bInterfaceNumber;
	uint8_t bAlternateSetting;
	uint8_t bInterfaceClass;
	struct usb_endpoint_index eps[USB_MAX_EP_NUM];
	int eps_num;
};

// Parsed view of one device: pointers to the device and config descriptors,
// cached fields, and up to USB_MAX_IFACE_NUM interfaces.
struct usb_device_index {
	struct usb_device_descriptor* dev;
	struct usb_config_descriptor* config;
	uint8_t bDeviceClass;
	uint8_t bMaxPower;
	int config_length;
	struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
	int ifaces_num;
	int iface_cur;
};

struct usb_info {
	int fd;
	struct usb_device_index index;
};

// Static table of device slots; being static, every fd field starts at 0.
static struct usb_info usb_devices[USB_MAX_FDS];

/*
 * Find the device index registered for fd.
 *
 * Scans all USB_MAX_FDS slots, reading each fd with acquire ordering.
 * Returns a pointer to the matching slot's index, or NULL.
 *
 * NOTE(review): unused slots hold fd 0, so a lookup for fd 0 matches an unused
 * slot -- confirm callers never pass 0.
 */
static struct usb_device_index* lookup_usb_index(int fd)
{
	for (int i = 0; i < USB_MAX_FDS; i++) {
		if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
			return &usb_devices[i].index;
	}
	return NULL;
}

static int usb_devices_num;

static bool parse_usb_descriptor(const char* buffer,
size_t length, struct usb_device_index* index)
{
	// The buffer must hold at least a device descriptor followed by a config descriptor.
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	// The index keeps pointers into `buffer`, so the buffer must stay valid for
	// as long as the index is used.
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	// Walk the descriptors; byte 0 of each is its length and byte 1 its type.
	size_t offset = 0;
	while (true) {
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		// A length of 2 or less ends the walk, which also guarantees progress.
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		// Interfaces beyond USB_MAX_IFACE_NUM are skipped.
		// NOTE(review): the fields below are read through the full interface
		// descriptor type, while only desc_length bytes were checked against
		// `length`; a short descriptor at the end of the buffer may be read
		// past `length` -- confirm.
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			index->ifaces[index->ifaces_num].iface = iface;
			index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber;
			index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting;
			index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		// Endpoints attach to the most recently recorded interface.
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				// NOTE(review): copies sizeof(desc) bytes regardless of
				// desc_length; same over-read concern as for interfaces.
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc));
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

/*
 * Claim the next free slot in usb_devices, parse the descriptor blob into it and
 * publish fd for that slot.
 *
 * Returns the slot's index, or NULL if all USB_MAX_FDS slots have been handed
 * out or parsing fails. The slot counter is incremented before either check, so
 * a failed call still consumes a slot number. The fd is stored with release
 * ordering after parsing.
 */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

// Caller-supplied string descriptor: length plus pointer to the bytes.
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

// Fallback string descriptor: length byte 8, then 's', 'y', 'z' as 16-bit little-endian units.
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0
};

// Fallback descriptor for string index 0: length byte 4, then bytes 0x09, 0x04.
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04
};

/*
 * Choose the reply for an IN control request seen while connecting.
 *
 * Only standard GET_DESCRIPTOR requests are answered; the descriptor type is
 * the high byte of wValue. On success *response_data and *response_length
 * describe the reply and the function returns true. Returns false if fd has no
 * registered device index or the request is not handled.
 *
 * `qual` is caller-provided storage, filled in when a device-qualifier reply
 * has to be synthesised from the device descriptor.
 *
 * NOTE(review): the USB_DT_STRING case checks `descs` for NULL, but the
 * USB_DT_BOS and USB_DT_DEVICE_QUALIFIER cases dereference it without a check.
 * Lengths and pointers inside `descs` are returned as given.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				// String index is the low byte of wValue.
				str_idx = (uint8_t)ctrl->wValue;
				// Prefer a caller-supplied string when one exists for this index.
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				// No caller-supplied qualifier: build one from the device descriptor.
				if (!descs->qual) {
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return
true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } #define ATH9K_FIRMWARE_DOWNLOAD 0x30 #define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31 static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: return true; default: break; } break; case USB_TYPE_VENDOR: switch (ctrl->bRequest) { case ATH9K_FIRMWARE_DOWNLOAD: return true; case ATH9K_FIRMWARE_DOWNLOAD_COMP: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = 
(descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	// Entry counts are derived from the caller-supplied byte length of each table.
	// NOTE(review): the subtraction is unsigned; a `len` smaller than the header
	// offset wraps to a very large value before the division -- confirm callers
	// always pass len >= offsetof(..., descs) / offsetof(..., resps).
	if (resps)
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		// First descriptor whose request type and descriptor type both match wins.
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				// desc->len is taken on trust; a zero length yields a NULL data pointer.
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		// No exact match: fall back to the generic descriptor if present.
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		// Any other request: first response whose type and request code both match.
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	// Nothing matched; the output parameters are left untouched.
	return false;
}

#define UDC_NAME_LENGTH_MAX 128

// Argument of USB_RAW_IOCTL_INIT.
struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

// Event header followed by `length` bytes of payload.
struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

// Endpoint I/O header followed by `length` bytes of payload.
struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8
name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_READ, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, 
power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable(fd, 
index->ifaces[index->iface_cur].eps[ep].handle);
			// The result of disabling an endpoint is deliberately ignored.
			if (rv < 0) {
			} else {
			}
		}
	}
	// Enable every endpoint of interface n and make it the current interface.
	// An out-of-range n leaves iface_cur unchanged.
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			// NOTE(review): when enabling fails the handle keeps its previous
			// value, which later lookups would still return -- confirm that
			// is acceptable.
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

/*
 * Apply the device's bMaxPower via usb_raw_vbus_draw(), configure the gadget and
 * switch to interface index 0.
 *
 * Returns 0 on success, -1 if fd has no registered device index, or the
 * negative result of the failing call.
 */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

/*
 * Open a raw-gadget device, register the descriptor blob `dev` for it, start
 * the gadget and answer control requests until the OUT-request callback sets
 * `done`.
 *
 * speed:   passed to usb_raw_init()
 * dev_len: length of `dev` in bytes
 * dev:     descriptor blob; must be non-NULL
 * descs:   optional caller-supplied connect descriptors
 * lookup_connect_response_out: decides how OUT requests are handled and when
 *          the connect sequence is complete
 *
 * Returns the gadget fd on success, or a negative value on failure.
 *
 * NOTE(review): only the fd >= MAX_FDS path closes fd; the later error returns
 * leave it open.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		return -1;
	}
	// Device name is "dummy_udc." followed by procid.
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		// Fetch the next event; only the control-request header is requested.
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		// Events other than control requests are skipped.
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		// Unhandled requests are answered with an ep0 stall.
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			// OUT request: no reply payload; read wLength bytes from the host.
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) ==
USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			// Standard SET_CONFIGURATION: configure the gadget before replying.
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		// Clamp the transfer: a length larger than the local buffer becomes 0,
		// and the result never exceeds wLength, so the copy below stays inside
		// response.data.
		if (response_length > sizeof(response.data))
			response_length = 0;
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		// NOTE(review): the source side is not bounded here; response_data must
		// really hold response_length readable bytes.
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		// IN requests are answered with an ep0 write, OUT requests with an ep0 read.
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

/*
 * Connect a virtual USB device using the generic OUT-request handler.
 *
 * a0: speed, a1: length of the descriptor blob, a2: descriptor blob,
 * a3: optional struct vusb_connect_descriptors.
 * Returns whatever syz_usb_connect_impl() returns.
 */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/*
 * Same as syz_usb_connect(), but with the ath9k OUT-request handler.
 */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

/*
 * Fetch one control event from the gadget and answer it from the caller-supplied
 * descriptor and response tables.
 *
 * a0: gadget fd, a1: optional struct vusb_descriptors,
 * a2: optional struct vusb_responses.
 */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type !=
USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	// IN request with a data stage: look the reply up in the tables, stall if none.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		// NOTE(review): with `||`, every standard request (not only
		// SET_INTERFACE) is treated as an interface switch using wIndex and
		// wValue; `&&` may have been intended -- confirm.
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			// An unknown interface/alternate-setting pair is silently ignored.
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	// Clamp the transfer: oversize lengths become 0 and the result never
	// exceeds wLength.
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	// IN request without a data stage: the ep0 read below uses the full buffer size.
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	// NOTE(review): the destination is bounded by the clamps above; the source
	// is not, so response_data must really hold response_length readable bytes.
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Write up to USB_MAX_PACKET_SIZE bytes from a3 to the endpoint of the current
 * interface whose bEndpointAddress equals a1.
 *
 * a0: gadget fd, a1: endpoint address, a2: byte count (clamped to the local
 * buffer size), a3: source buffer.
 * Returns -1 if the endpoint is not found, or the negative ioctl result on
 * failure.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	// Clamp so the copy cannot overflow io_data.data.
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
sleep_ms(200);
	return 0;
}

/*
 * Read up to USB_MAX_PACKET_SIZE bytes from the endpoint of the current
 * interface whose bEndpointAddress equals a1 and copy them to a3.
 *
 * a0: gadget fd, a1: endpoint address, a2: byte count (clamped to the local
 * buffer size), a3: destination buffer.
 * Returns 0 on success, -1 if the endpoint is not found, or the negative ioctl
 * result on failure.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	// NOTE(review): the copy size is io_data.inner.length (the requested length
	// set above), not rv. If the ioctl filled fewer bytes, the remainder copied
	// out is uninitialised stack data -- confirm whether rv should bound this.
	memcpy(&data[0], &io_data.data[0], io_data.inner.length);
	sleep_ms(200);
	return 0;
}

// Close the gadget fd, wait 200 ms, and return the close() result.
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Open a device node.
 *
 * a0 == 0xc or 0xb: open "/dev/char/MAJ:MIN" or "/dev/block/MAJ:MIN" read-write,
 *   with MAJ and MIN taken from the low 8 bits of a1 and a2.
 * otherwise: a0 points to a path template. Each '#' is replaced, left to right,
 *   by successive decimal digits of a1 starting with the least significant,
 *   and the result is opened with flags a2, O_CREAT removed.
 *
 * Returns the open() result.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		// Bounded copy with explicit termination; longer templates are truncated.
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

/*
 * Open a file under /proc for the current process or one of its tasks.
 *
 * a0 == 0:  "/proc/self/<a1>"
 * a0 == -1: "/proc/thread-self/<a1>"
 * else:     "/proc/self/task/<a0>/<a1>"
 *
 * The name at a1 is inserted unchanged; the path is truncated to fit the
 * 128-byte buffer. Tries O_RDWR first and falls back to O_RDONLY.
 * Returns the fd, or -1.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/*
 * Query the pty number of fd a0 with TIOCGPTN and open "/dev/pts/<n>" with
 * flags a1.
 *
 * Returns the open() result, or -1 if the ioctl fails.
 */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns =
open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; return sock; } static long syz_socket_connect_nvme_tcp() { struct sockaddr_in nvme_local_address; int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0); int err = errno; if (setns(netns, 0)) { exit(1); } close(netns); errno = err; nvme_local_address.sin_family = AF_INET; nvme_local_address.sin_port = htobe16(4420); nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001); err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)); if (err != 0) { close(sock); return -1; } return sock; } static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg) { int fd = sock_arg; if (fd < 0) { fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } } struct nlmsg nlmsg_tmp; int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false); if ((int)sock_arg < 0) close(fd); if (ret < 0) { return -1; } return ret; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. 
//% If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

// Limits of the DEFLATE code tables used by the decoder below.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state: output window, input cursor, bit buffer, and the jump
// target used to bail out when the input runs dry.
struct puff_state {
	unsigned char* out;
	unsigned long outlen;
	unsigned long outcnt;
	const unsigned char* in;
	unsigned long inlen;
	unsigned long incnt;
	int bitbuf;
	int bitcnt;
	jmp_buf env;
};

// Return the next `need` bits of input (taken from the low end of the bit
// buffer). Refills one byte at a time; when no input byte is left it does
// not return but longjmp()s to s->env, which puff() turns into error 2.
static int puff_bits(struct puff_state* s, int need)
{
	long val = s->bitbuf;
	while (s->bitcnt < need) {
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		val |= (long)(s->in[s->incnt++]) << s->bitcnt;
		s->bitcnt += 8;
	}
	s->bitbuf = (int)(val >> need);
	s->bitcnt -= need;
	return (int)(val & ((1L << need) - 1));
}

// Copy one stored (uncompressed) block.
// Returns 0 on success, 2 if the input is too short, -2 if the length and
// its one's complement disagree, 1 if the output buffer is too small.
static int puff_stored(struct puff_state* s)
{
	// Stored blocks are byte-aligned: drop any buffered bits.
	s->bitbuf = 0;
	s->bitcnt = 0;
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;
	if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
		return -2;
	// Both copies are bounds-checked before the loop runs.
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;
	for (; len--; s->outcnt++, s->incnt++) {
		// Zero bytes are skipped, not stored. The only caller visible here
		// passes a fresh anonymous mmap, so the output presumably already
		// reads as zero - confirm before reusing with another buffer.
		if (s->in[s->incnt])
			s->out[s->outcnt] = s->in[s->incnt];
	}
	return 0;
}

// Huffman table: count[len] = number of codes of each bit length,
// symbol[] = symbols ordered by code.
struct puff_huffman {
	short* count;
	short* symbol;
};

// Decode the next symbol using table h, consuming input bit by bit.
// Returns the symbol, or -10 if no code matched within MAXBITS bits.
// Like puff_bits(), it longjmp()s to s->env when the input is exhausted.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
	int first = 0;
	int index = 0;
	int bitbuf = s->bitbuf;
	int left = s->bitcnt;
	int code = first = index = 0;
	int len = 1;
	short* next = h->count + 1;
	while (1) {
		while (left--) {
			code |= bitbuf & 1;
			bitbuf >>= 1;
			int count = *next++;
			if (code - count < first) {
				// Code of length `len` found: save the leftover bits.
				s->bitbuf = bitbuf;
				s->bitcnt = (s->bitcnt - len) & 7;
				return h->symbol[index + (code - first)];
			}
			index += count;
			first += count;
			first <<= 1;
			code <<= 1;
			len++;
		}
		left = (MAXBITS + 1) - len;
		if (left == 0)
			break;
		if (s->incnt == s->inlen)
			longjmp(s->env, 1);
		bitbuf = s->in[s->incnt++];
		if (left > 8)
			left = 8;
	}
	return -10;
}

// Build the count/symbol tables of h from n code lengths.
// Returns 0 for a complete code (or when every length is zero), a negative
// value for an over-subscribed set, a positive value for an incomplete one.
// NOTE(review): length[] values index h->count and offs[] without a range
// check; every caller in this file supplies values in 0..MAXBITS.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int len;
	for (len = 0; len <= MAXBITS; len++)
		h->count[len] = 0;
	int symbol;
	for (symbol = 0; symbol < n; symbol++)
		(h->count[length[symbol]])++;
	if (h->count[0] == n)
		return 0;
	// `left` tracks how many codes of the current length remain unused.
	int left = 1;
	for (len = 1; len <= MAXBITS; len++) {
		left <<= 1;
		left -= h->count[len];
		if (left < 0)
			return left;
	}
	// offs[len] = index in symbol[] of the first symbol with that length.
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (len = 1; len < MAXBITS; len++)
		offs[len + 1] = offs[len] + h->count[len];
	for (symbol = 0; symbol < n; symbol++)
		if (length[symbol] != 0)
			h->symbol[offs[length[symbol]]++] = symbol;
	return left;
}

// Decode literal/length and distance codes until the end-of-block symbol
// (256). Returns 0 on success, 1 if the output buffer is full, -10 for an
// invalid length symbol, -11 if a distance reaches before the start of the
// output, or a negative code propagated from puff_decode().
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
	// Base lengths / extra bits for length symbols 257..285, and base
	// distances / extra bits for distance symbols 0..29.
	static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
	static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
	static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
	static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
	int symbol;
	do {
		symbol = puff_decode(s, lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 256) {
			// Literal byte; a zero literal only advances the cursor.
			if (s->outcnt == s->outlen)
				return 1;
			if (symbol)
				s->out[s->outcnt] = symbol;
			s->outcnt++;
		} else if (symbol > 256) {
			// Length/distance pair.
			symbol -= 257;
			if (symbol >= 29)
				return -10;
			int len = lens[symbol] + puff_bits(s, lext[symbol]);
			symbol = puff_decode(s, distcode);
			if (symbol < 0)
				return symbol;
			// The distance symbol is not range-checked here; both callers
			// build distcode from at most MAXDCODES (30) symbols.
			unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
			// Reject back-references before the start of the output and
			// copies that would run past the end of it.
			if (dist > s->outcnt)
				return -11;
			if (s->outcnt + len > s->outlen)
				return 1;
			while (len--) {
				if (dist <= s->outcnt && s->out[s->outcnt - dist])
					s->out[s->outcnt] = s->out[s->outcnt - dist];
				s->outcnt++;
			}
		}
	} while (symbol != 256);
	return 0;
}

// Decode a block that uses the fixed Huffman codes. The tables are built
// once, on first use, into function-static storage.
// NOTE(review): the `virgin` flag is plain static state with no locking.
static int puff_fixed(struct puff_state* s)
{
	static int virgin = 1;
	static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
	static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	static struct puff_huffman lencode, distcode;
	if (virgin) {
		lencode.count = lencnt;
		lencode.symbol = lensym;
		distcode.count = distcnt;
		distcode.symbol = distsym;
		short lengths[FIXLCODES];
		int symbol;
		for (symbol = 0; symbol < 144; symbol++)
			lengths[symbol] = 8;
		for (; symbol < 256; symbol++)
			lengths[symbol] = 9;
		for (; symbol < 280; symbol++)
			lengths[symbol] = 7;
		for (; symbol < FIXLCODES; symbol++)
			lengths[symbol] = 8;
		puff_construct(&lencode, lengths, FIXLCODES);
		for (symbol = 0; symbol < MAXDCODES; symbol++)
			lengths[symbol] = 5;
		puff_construct(&distcode, lengths, MAXDCODES);
		virgin = 0;
	}
	return puff_codes(s, &lencode, &distcode);
}

// Decode a block that carries its own Huffman code description.
// Returns 0 on success or a negative code for each malformed-header case
// (-3 too many codes, -4 bad code-length code, -5 repeat with no previous
// length, -6 repeat overruns the table, -7/-8 bad length/distance code,
// -9 no end-of-block code), or whatever puff_codes() returns.
static int puff_dynamic(struct puff_state* s)
{
	// Order in which code-length code lengths are transmitted.
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	int ncode = puff_bits(s, 4) + 4;
	// Bounds the table sizes before anything is written to lengths[].
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	// Read the literal/length and distance code lengths as one run.
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			// 16 repeats the previous length, 17 and 18 repeat zero.
			len = 0;
			if (symbol == 16) {
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			// The repeat count is checked against the table before writing.
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	if (lengths[256] == 0)
		return -9;
	// An incomplete code is tolerated only when it has a single code.
	err = puff_construct(&lencode, lengths, nlen);
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}

// Inflate a raw DEFLATE stream from source[0..sourcelen) into dest.
// On entry *destlen is the capacity of dest; on return it is the number of
// bytes produced. Returns 0 on success, 2 when the input ended early (via
// the longjmp taken in puff_bits()/puff_decode()), -1 for an invalid block
// type, or the error code of the block decoder that failed.
static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
	struct puff_state s = {
	    .out = dest,
	    .outlen = *destlen,
	    .outcnt = 0,
	    .in = source,
	    .inlen = sourcelen,
	    .incnt = 0,
	    .bitbuf = 0,
	    .bitcnt = 0,
	};
	int err;
	if (setjmp(s.env) != 0)
		err = 2;
	else {
		int last;
		do {
			last = puff_bits(&s, 1);
			int type = puff_bits(&s, 2);
			err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
			if (err != 0)
				break;
		} while (!last);
	}
	*destlen = s.outcnt;
	return err;
}
//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflate a zlib-wrapped image and write the result to dest_fd.
// Returns 0 on success (also when the input is shorter than the header),
// -1 on failure.
// NOTE(review): the two header bytes are skipped without being inspected and
// no trailing checksum is verified, so the output carries no integrity
// guarantee beyond a well-formed DEFLATE stream.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	// Hard cap on the decompressed size (132 MiB); puff() stops with an
	// error once the buffer is full, which bounds decompression-bomb cost.
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		// puff() codes are not errno values; for the positive codes (1, 2)
		// this stores a negative number in errno.
		errno = -err;
		return -1;
	}
	if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
		munmap(dest, max_destlen);
		return -1;
	}
	return munmap(dest, max_destlen);
}

// Decompress the image into a memfd and attach it to loop device `loopname`.
// On success returns 0 and stores the open loop fd in *loopfd_p (the caller
// owns it); on failure returns -1 with errno set to the saved error.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;
	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		// Device still bound to an earlier backing file: detach it, wait
		// 1 ms, and retry once.
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	close(memfd);
	*loopfd_p = loopfd;
	return 0;
error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

// Best-effort detach of the backing file from `loopname`; errors are ignored.
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		return;
	}
	if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
	}
	close(loopfd);
}

// Attach the compressed image to /dev/loop<procid>, turn on partition
// scanning, and symlink each partition node that appears (p1..p7) to
// ./file0, ./file1, ... in the current directory.
// Returns 0 on success, -1 on failure with errno set. `procid` is defined
// outside this section.
static long syz_read_part_table(volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int err = 0, res = -1, loopfd = -1;
	char loopname[64];
	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(data, size, loopname, &loopfd) == -1)
		return -1;
	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;
	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			// symlink() failure is deliberately ignored.
			if (symlink(loopname, linkname)) {
			}
		}
	}
error_clear_loop:
	// The loop device is detached only on failure; on success it stays
	// bound after the fd is closed.
	if (res)
		ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	errno = err;
	return res;
}

// Mount a filesystem of type `fsarg` on directory `dir`, optionally backed
// by a compressed image attached to /dev/loop<procid> (when size != 0).
// Returns the fd of the opened mount point (or the chdir() result when
// change_dir is set), or -1 with errno set.
// All pointer arguments arrive as integers and are used without validation.
static long syz_mount_image( volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Empty body: over-long option strings are not rejected, only truncated
	// by the bounded copy below.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	// Copies at most 224 bytes into the zero-filled 256-byte buffer, so the
	// result stays NUL-terminated and 32 bytes remain for the strcat() calls
	// below (the longest appended suffix is 16 characters).
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Look for "errors=remount-ro" as a whole comma-separated option.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		// Appended last, presumably so it overrides an earlier errors=
		// setting - confirm against the filesystem's option parsing.
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		// Overwrites the directory fd held in res; that fd is not closed
		// anywhere in this function.
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}
error_clear_loop:
	// Reached on success as well as failure.
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

// Attribute helpers; the three __* macros expand to nothing in this build.
#define noinline __attribute__((noinline))
#define always_inline __attribute__((always_inline)) inline
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
// Places a function in the "guest" section, bounded by the symbols below.
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest
extern char *__start_guest, *__stop_guest;

// Command records: every command starts with its id and total size in bytes.
struct api_call_header {
	uint64_t call;
	uint64_t size;
};
struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};
struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};
struct api_call_3 {
	struct api_call_header header;
	uint64_t args[3];
};
struct api_call_5 {
	struct api_call_header header;
	uint64_t args[5];
};

// X86_ADDR_*: address constants.
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define X86_ADDR_VAR_VMEXIT_CODE 0x9000
#define X86_ADDR_VAR_USER_CODE 0x9100
#define X86_ADDR_VAR_USER_CODE2 0x9120

// X86_SYZOS_*: address, offset and size constants used by the guest code.
#define X86_SYZOS_ADDR_ZERO 0x0
#define X86_SYZOS_ADDR_GDT 0x1000
#define X86_SYZOS_ADDR_PML4 0x2000
#define X86_SYZOS_ADDR_PDP 0x3000
#define X86_SYZOS_ADDR_VAR_IDT 0x25000
#define X86_SYZOS_ADDR_VAR_TSS 0x26000
#define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000
#define X86_SYZOS_ADDR_SMRAM 0x30000
#define X86_SYZOS_ADDR_EXIT 0x40000
#define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256)
#define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000
#define X86_SYZOS_ADDR_USER_CODE 0x50000
#define SYZOS_ADDR_EXECUTOR_CODE 0x54000
#define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000
#define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000
#define X86_SYZOS_ADDR_STACK0 0x60f80
#define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000
#define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000
#define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000
#define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000
#define X86_SYZOS_ADDR_GLOBALS 0x17F000
#define X86_SYZOS_ADDR_PT_POOL 0x180000
#define X86_SYZOS_PT_POOL_SIZE 64
#define X86_SYZOS_L2_VM_REGION_SIZE 0x8000
#define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000
#define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000
#define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000
#define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000
#define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000
#define X86_SYZOS_ADDR_UNUSED 0x1000000
#define X86_SYZOS_ADDR_IOAPIC 0xfec00000
// Per-(cpu, vm) addresses: region base + cpu stride + L2 area + vm stride +
// field offset. The arguments are not range-checked by the macros.
#define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB)
#define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE)
#define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK)
#define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE)
#define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP)
#define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC)
#define X86_SYZOS_SEL_CODE 0x8
#define X86_SYZOS_SEL_DATA 0x10
#define X86_SYZOS_SEL_TSS64 0x18

// X86_CR0_*, X86_CR4_*, X86_EFER_*: register bit masks.
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)
#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5)
#define X86_CR4_MCE (1ULL << 6)
#define X86_CR4_PGE (1ULL << 7)
#define X86_CR4_PCE (1ULL << 8)
#define X86_CR4_OSFXSR (1ULL << 9)
#define X86_CR4_OSXMMEXCPT (1ULL << 10)
#define X86_CR4_UMIP (1ULL << 11)
#define X86_CR4_VMXE (1ULL << 13)
#define X86_CR4_SMXE (1ULL << 14)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE (1ULL << 17)
#define X86_CR4_OSXSAVE (1ULL << 18)
#define X86_CR4_SMEP (1ULL << 20)
#define X86_CR4_SMAP (1ULL << 21)
#define X86_CR4_PKE (1ULL << 22)
#define X86_EFER_SCE 1ULL
#define X86_EFER_LME (1ULL << 8)
#define X86_EFER_LMA (1ULL << 10)
#define X86_EFER_NXE (1ULL << 11)
#define X86_EFER_SVME (1ULL << 12)
#define X86_EFER_LMSLE (1ULL << 13)
#define X86_EFER_FFXSR (1ULL << 14)
#define X86_EFER_TCE (1ULL << 15)

// X86_PDE32_*, X86_PDE64_*, EPT_*: paging entry bit masks.
#define X86_PDE32_PRESENT 1UL
#define X86_PDE32_RW (1UL << 1)
#define X86_PDE32_USER (1UL << 2)
#define X86_PDE32_PS (1UL << 7)
#define X86_PDE64_PRESENT 1
#define X86_PDE64_RW (1ULL << 1)
#define X86_PDE64_USER (1ULL << 2)
#define X86_PDE64_ACCESSED (1ULL << 5)
#define X86_PDE64_DIRTY (1ULL << 6)
#define X86_PDE64_PS (1ULL << 7)
#define X86_PDE64_G (1ULL << 8)
#define EPT_MEMTYPE_WB (6ULL << 3)
#define EPT_ACCESSED (1ULL << 8)
#define EPT_DIRTY (1ULL << 9)

// X86_SEL_*: selector values (table index << 3; the *_CPL3 ones add 3).
#define X86_SEL_LDT (1 << 3)
#define X86_SEL_CS16 (2 << 3)
#define X86_SEL_DS16 (3 << 3)
#define X86_SEL_CS16_CPL3 ((4 << 3) + 3)
#define X86_SEL_DS16_CPL3 ((5 << 3) + 3)
#define X86_SEL_CS32 (6 << 3)
#define X86_SEL_DS32 (7 << 3)
#define X86_SEL_CS32_CPL3 ((8 << 3) + 3)
#define X86_SEL_DS32_CPL3 ((9 << 3) + 3)
#define X86_SEL_CS64 (10 << 3)
#define X86_SEL_DS64 (11 << 3)
#define X86_SEL_CS64_CPL3 ((12 << 3) + 3)
#define X86_SEL_DS64_CPL3 ((13 << 3) + 3)
#define X86_SEL_CGATE16 (14 << 3)
#define X86_SEL_TGATE16 (15 << 3)
#define X86_SEL_CGATE32 (16 << 3)
#define X86_SEL_TGATE32 (17 << 3)
#define X86_SEL_CGATE64 (18 << 3)
#define X86_SEL_CGATE64_HI (19 << 3)
#define X86_SEL_TSS16 (20 << 3)
#define X86_SEL_TSS16_2 (21 << 3)
#define X86_SEL_TSS16_CPL3 ((22 << 3) + 3)
#define X86_SEL_TSS32 (23 << 3)
#define X86_SEL_TSS32_2 (24 << 3)
#define X86_SEL_TSS32_CPL3 ((25 << 3) + 3)
#define X86_SEL_TSS32_VM86 (26 << 3)
#define X86_SEL_TSS64 (27 << 3)
#define X86_SEL_TSS64_HI (28 << 3)
#define X86_SEL_TSS64_CPL3 ((29 << 3) + 3)
#define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G 
| VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define 
VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e 
// VMCS_GUEST_*: field encodings (continued).
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826

// VMCB_*: offsets and values for the AMD control block.
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_EXITINFO2 0x080
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670
#define VMCB_RAX 0x5f8

// SVM_ATTR_*: segment attribute bits and two composed attribute words.
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_TSS_BUSY 0x008b
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d

// Guest sizing: 4 vCPUs, 4 L2 VMs per vCPU, 1024 pages of 4 KiB.
#define KVM_MAX_VCPU 4
#define KVM_MAX_L2_VMS 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// Mask with bits l..h (inclusive) set.
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))

extern char* __start_guest;

// Translate the host address of a function in the "guest" section into the
// address it has inside the guest: its offset from __start_guest plus
// SYZOS_ADDR_EXECUTOR_CODE. No check that fn lies inside the section.
static always_inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

// Check that a kvm_run structure reports the expected exit reason.
//   a0: pointer to struct kvm_run (passed as an integer)
//   a1: expected exit_reason
// Returns 0 on match; otherwise logs to stderr and returns -1 with errno set
// to EINVAL (NULL run) or EDOM (mismatch).
static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
{
	struct kvm_run* run = (struct kvm_run*)a0;
	uint64_t expect = a1;
	if (!run) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n");
		errno = EINVAL;
		return -1;
	}
	if (run->exit_reason != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n");
		// mmio.is_write is printed whatever the exit reason is; presumably
		// it is only meaningful for MMIO exits - confirm.
		fprintf(stderr, " is_write: %d\n", run->mmio.is_write);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason);
		errno = EDOM;
		return -1;
	}
	return 0;
}

// Command ids understood by guest_main(). The ids are sparse; SYZOS_API_STOP
// takes the value after SYZOS_API_NESTED_AMD_VMSAVE and is used by
// guest_main() as the exclusive upper bound for a valid id.
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_LOAD_SYZOS = 310,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

// Command payloads; each starts with the common header. The trailing
// flexible arrays carry a payload whose length is implied by header.size.
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};
struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};
struct api_call_nested_load_syzos {
	struct api_call_header header;
	uint64_t vm_id;
	uint64_t unused_pages;
	uint8_t program[];
};
struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

// General-purpose register set kept per L2 guest (no rsp/rip fields).
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

// Memory region flag bits (bit 4 is not defined here).
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)
#define MEM_REGION_FLAG_REMAINING (1 << 7)

// One guest memory region: start address, page count, MEM_REGION_FLAG_* bits.
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};
// Region table; region_count gives the number of entries in regions[].
struct syzos_boot_args {
	uint32_t region_count;
	uint32_t reserved;
	struct mem_region regions[];
};
// Shared state read by guest_main(): per-vCPU command stream sizes and
// per-(vCPU, L2 VM) register contexts.
struct syzos_globals {
	uint64_t alloc_offset;
	uint64_t total_size;
	uint64_t text_sizes[KVM_MAX_VCPU];
	struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS];
	uint64_t active_vm_id[KVM_MAX_VCPU];
};

// Forward declarations of the guest-side handlers (all in the "guest" section).
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);

// Codes the guest passes to guest_uexit() for its own bookkeeping.
typedef enum {
	UEXIT_END = (uint64_t)-1, // guest_main() ran off the end of the command stream
	UEXIT_IRQ = (uint64_t)-2, // same value uexit_irq_handler loads into %rdi
	UEXIT_ASSERT = (uint64_t)-3, // an internal check failed (e.g. vmwrite() error)
	UEXIT_INVALID_MAIN = (uint64_t)-4, // guest_main() rejected a command record
} uexit_code;

// Result of get_cpu_vendor(); selects the VMX or the SVM code path.
typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;

// Interrupt handler that returns immediately.
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
	asm("iretq");
}

// Interrupt handler that calls guest_uexit(-2), i.e. UEXIT_IRQ, then returns.
// NOTE(review): in this flattened listing the instructions inside the raw
// string are separated by spaces only; an assembler needs newlines or ';'
// between them, so the original presumably had one instruction per line.
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
	asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )");
}

// Per-vCPU entry point of the guest-side command interpreter.
//
// Reads the length of this vCPU's command stream from
// globals->text_sizes[cpu], then walks the api_call_header records that start
// at X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE and dispatches each one to
// its handler. A call id >= SYZOS_API_STOP or a record larger than the bytes
// remaining reports UEXIT_INVALID_MAIN and returns; when fewer bytes than a
// header remain the loop ends and UEXIT_END is reported.
//
// NOTE(review): only the upper bound of cmd->size is checked. A size of 0
// would leave addr and size unchanged for the next iteration, and a size
// below sizeof(struct api_call_header) makes the length passed for
// SYZOS_API_CODE wrap around. cmd->size is also re-read after the handler
// ran. Confirm that the producer of the stream rules these cases out.
__attribute__((used))
GUEST_CODE static void
guest_main(uint64_t cpu)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	uint64_t size = globals->text_sizes[cpu];
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;
	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		// volatile presumably keeps the compiler from turning the
		// if/else chain below into a jump table - TODO confirm.
		volatile uint64_t call = cmd->call;
		if ((call >= SYZOS_API_STOP) || (cmd->size > size)) {
			guest_uexit(UEXIT_INVALID_MAIN);
			return;
		}
		if (call == SYZOS_API_UEXIT) {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			// Everything after the header is treated as instruction bytes.
			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_SYZOS) {
			guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}
		// Step to the next record.
		addr += cmd->size;
		size -= cmd->size;
	};
	guest_uexit(UEXIT_END);
}

// Calls the bytes at insns as a function taking no arguments. size is not
// used; nothing here bounds or validates what gets executed.
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	volatile void (*fn)() = (volatile void (*)())insns;
	fn();
}

// Reports exit_code by storing it (from %rax) to X86_SYZOS_ADDR_UEXIT.
// The store is an ordinary instruction; what happens next is decided outside
// this function (presumably the access traps to the host - TODO confirm), so
// callers that must not continue return explicitly afterwards.
__attribute__((used))
GUEST_CODE static noinline void
guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory");
}

// Executes CPUID with the given leaf (eax) and subleaf (ecx); the results are
// discarded.
// NOTE(review): CPUID also writes eax and ecx, which are declared as inputs
// only here - worth confirming the compiler is never misled by that.
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	asm volatile(
	    "cpuid\n"
	    :
	    : "a"(eax), "c"(ecx)
	    : "rbx", "rdx");
}

// Writes val to MSR reg: low half in eax, high half in edx, index in ecx.
GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val)
{
	asm volatile(
	    "wrmsr"
	    :
	    : "c"(reg),
	      "a"((uint32_t)val),
	      "d"((uint32_t)(val >> 32))
	    : "memory");
}

// Command handler: forwards to wrmsr() without filtering the MSR index.
GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	wrmsr(reg, val);
}

// Reads MSR msr_id and returns edx:eax combined into 64 bits.
GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id)
{
	uint32_t low = 0, high = 0;
	asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id));
	return ((uint64_t)high << 32) | low;
}

// Command handler: reads the MSR and drops the value.
GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	(void)rdmsr(reg);
}

// Command handler: writes cmd->args[1] to control register CR<args[0]>.
// Only 0, 2, 3, 4 and 8 are handled; any other index is silently ignored.
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	// volatile presumably prevents a jump table for the chain below - TODO confirm.
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 8) {
		asm
volatile("movq %0, %%cr8" ::"r"(value) : "memory");
		return;
	}
}

// Command handler: writes cmd->args[1] to debug register DR<args[0]>
// (0..7); any other index is silently ignored.
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	// volatile presumably prevents a jump table for the chain below - TODO confirm.
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%dr0" ::"r"(value) : "memory");
		return;
	}
	if (reg == 1) {
		asm volatile("movq %0, %%dr1" ::"r"(value) : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%dr2" ::"r"(value) : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%dr3" ::"r"(value) : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%dr4" ::"r"(value) : "memory");
		return;
	}
	if (reg == 5) {
		asm volatile("movq %0, %%dr5" ::"r"(value) : "memory");
		return;
	}
	if (reg == 6) {
		asm volatile("movq %0, %%dr6" ::"r"(value) : "memory");
		return;
	}
	if (reg == 7) {
		asm volatile("movq %0, %%dr7" ::"r"(value) : "memory");
		return;
	}
}

// Command handler: reads from I/O port args[0] (truncated to 16 bits) with an
// access width of args[1] bytes (1, 2 or 4) and discards the value. Other
// widths do nothing.
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	if (size == 1) {
		uint8_t unused;
		asm volatile("inb %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 2) {
		uint16_t unused;
		asm volatile("inw %1, %0" : "=a"(unused) : "d"(port));
		return;
	}
	if (size == 4) {
		uint32_t unused;
		asm volatile("inl %1, %0" : "=a"(unused) : "d"(port));
	}
	return;
}

// Command handler: writes the low args[1] bytes (1, 2 or 4) of args[2] to I/O
// port args[0] (truncated to 16 bits). Other widths do nothing.
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];
	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}

// One 16-byte gate descriptor of the 64-bit IDT; the handler address is split
// across offset_low / offset_mid / offset_high.
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

// Fills IDT entry `vector` in the table at X86_SYZOS_ADDR_VAR_IDT so that it
// points at `handler` in code segment X86_SYZOS_SEL_CODE, with no IST stack.
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	// 0x8E in the x86 gate layout: present, DPL 0, interrupt-gate type.
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}

// Command handler: installs a handler for interrupt vector args[0].
// args[1] == 1 selects dummy_null_handler, 2 selects uexit_irq_handler; for
// any other value handler_addr stays 0 and the gate is written with a null
// handler address.
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}

// Identifies the CPU vendor from EBX of CPUID leaf 0. Only EBX is compared:
// 0x756e6547 is "Genu" and 0x68747541 is "Auth" in little-endian ASCII.
// Any other value reports UEXIT_ASSERT and falls back to CPU_VENDOR_INTEL.
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
	uint32_t ebx, eax = 0;
	asm volatile(
	    "cpuid"
	    : "+a"(eax), "=b"(ebx)
	    :
	    : "ecx", "edx");
	if (ebx == 0x756e6547) {
		return CPU_VENDOR_INTEL;
	} else if (ebx == 0x68747541) {
		return CPU_VENDOR_AMD;
	} else {
		guest_uexit(UEXIT_ASSERT);
		return CPU_VENDOR_INTEL;
	}
}

// Returns the current value of CR0.
GUEST_CODE static inline uint64_t read_cr0(void)
{
	uint64_t val;
	asm volatile("mov %%cr0, %0" : "=r"(val));
	return val;
}

// Returns the current value of CR3.
GUEST_CODE static inline uint64_t read_cr3(void)
{
	uint64_t val;
	asm volatile("mov %%cr3, %0" : "=r"(val));
	return val;
}

// Returns the current value of CR4.
GUEST_CODE static inline uint64_t read_cr4(void)
{
	uint64_t val;
	asm volatile("mov %%cr4, %0" : "=r"(val));
	return val;
}

// Loads val into CR4.
GUEST_CODE static inline void write_cr4(uint64_t val)
{
	asm volatile("mov %0, %%cr4" : : "r"(val));
}

// Writes `value` to VMCS field `field` of the current VMCS. setna captures
// CF or ZF being set after VMWRITE; in that case UEXIT_ASSERT is reported.
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0"
		     : "=q"(error)
		     : "a"(value), "b"(field)
		     : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}

// Reads VMCS field `field` of the current VMCS. Unlike vmwrite(), the flags
// are not inspected, so a failed VMREAD is not detected here.
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax"
		     : "=a"(value)
		     : "b"(field)
		     : "cc");
	return value;
}

GUEST_CODE static inline void
nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
	// Makes the VMCS at X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id) current.
	// A failing VMPTRLD (CF or ZF set) reports 0xE2BAD2; the function
	// has no return value, so callers carry on after the report.
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	asm volatile("vmptrld %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error)
		guest_uexit(0xE2BAD2);
}

// Stores a 16-bit value at byte offset `offset` of the VMCB at address `vmcb`.
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
	*((volatile uint16_t*)(vmcb + offset)) = val;
}

// Stores a 32-bit value at byte offset `offset` of the VMCB at address `vmcb`.
GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
	*((volatile uint32_t*)(vmcb + offset)) = val;
}

// Loads a 32-bit value from byte offset `offset` of the VMCB at address `vmcb`.
GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
	return *((volatile uint32_t*)(vmcb + offset));
}

// Stores a 64-bit value at byte offset `offset` of the VMCB at address `vmcb`.
GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
	*((volatile uint64_t*)(vmcb + offset)) = val;
}

// Loads a 64-bit value from byte offset `offset` of the VMCB.
// Note the signature differs from its siblings: the VMCB is passed as a
// byte pointer here rather than as an integer address.
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
	return *((volatile uint64_t*)(vmcb + offset));
}

// Byte-wise fill of `size` bytes at s with c. size is a signed int; a
// non-positive size writes nothing.
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
	volatile uint8_t* p = (volatile uint8_t*)s;
	for (int i = 0; i < size; i++)
		p[i] = c;
}

// Byte-wise forward copy of `size` bytes from src to dst. size is a signed
// int, so callers passing a 64-bit length rely on having clamped it first.
GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
	volatile uint8_t* d = (volatile uint8_t*)dst;
	volatile uint8_t* s = (volatile uint8_t*)src;
	for (int i = 0; i < size; i++)
		d[i] = s[i];
}

// Turns on VMX operation for this vCPU: sets CR4.VMXE, makes sure
// IA32_FEATURE_CONTROL has bit 0 set, writes the low 32 bits of
// IA32_VMX_BASIC at the start of the per-CPU region and executes VMXON on it.
// A failing VMXON reports 0xE2BAD0.
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id)
{
	uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
	uint64_t cr4 = read_cr4();
	cr4 |= X86_CR4_VMXE;
	write_cr4(cr4);
	uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL);
	// Bit 0 clear: set bits 0 and 2 (0b101) and write the MSR back.
	if ((feature_control & 1) == 0) {
		feature_control |= 0b101;
		// NOTE(review): edx is fixed to 0 and, as far as I can tell, "A"
		// names a single register on x86-64, so only the low 32 bits of
		// feature_control reach the MSR. That covers bits 0 and 2, but
		// it differs from the wrmsr() helper defined in this file.
		asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control));
	}
	*(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	uint8_t error;
	asm volatile("vmxon %1; setna %0"
		     : "=q"(error)
		     : "m"(vmxon_addr)
		     : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD0);
		return;
	}
}

// Turns on SVM for this vCPU: sets EFER.SVME and points VM_HSAVE_PA at the
// per-CPU region.
GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id)
{
	uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
	uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
	efer |= X86_EFER_SVME;
	wrmsr(X86_MSR_IA32_EFER, efer);
	wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr);
}

// Command handler: enables nested virtualization using the vendor-specific
// routine. cmd is not read.
GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_enable_vmx_intel(cpu_id);
	} else {
		nested_enable_svm_amd(cpu_id);
	}
}

// Returns the byte size of the boot-args region whose gpa equals
// X86_SYZOS_ADDR_UNUSED, or 0 when no such region is listed.
GUEST_CODE static uint64_t get_unused_memory_size()
{
	volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS;
	for (uint32_t i = 0; i < args->region_count; i++) {
		if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED)
			return args->regions[i].pages * KVM_PAGE_SIZE;
	}
	return 0;
}

// Bump allocator: returns the address of a zeroed page carved out of the
// region at X86_SYZOS_ADDR_UNUSED. Pages are never freed.
// The pool size is looked up on first use and published with a
// compare-and-swap; the offset is advanced with an atomic add.
// NOTE(review): when the pool is exhausted UEXIT_ASSERT is reported but
// there is no return after it; if execution resumes, the memset below
// touches memory past the pool. Confirm the exit is always terminal.
GUEST_CODE static uint64_t guest_alloc_page()
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	if (globals->total_size == 0) {
		uint64_t size = get_unused_memory_size();
		__sync_val_compare_and_swap(&globals->total_size, 0, size);
	}
	uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE);
	if (offset >= globals->total_size)
		guest_uexit(UEXIT_ASSERT);
	uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset;
	guest_memset((void*)ptr, 0, KVM_PAGE_SIZE);
	return ptr;
}

// Maps the 4 KiB page at L2 guest-physical address gpa to host_pa in the
// four-level table rooted at X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id).
// Missing intermediate tables are taken from guest_alloc_page() and linked
// with PRESENT | RW | USER. An already-present leaf entry is left untouched.
GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags)
{
	uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
	// Each level is indexed by 9 bits of the address: 47:39, 38:30, 29:21, 20:12.
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) {
		uint64_t page = guest_alloc_page();
		pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
	}
	volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) {
		uint64_t page = guest_alloc_page();
		pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
	}
	volatile
uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (!(pd[pd_idx] & X86_PDE64_PRESENT)) {
		uint64_t page = guest_alloc_page();
		pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
	}
	volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	// Leaf entry: only written when not already present.
	if (!(pt[pt_idx] & X86_PDE64_PRESENT))
		pt[pt_idx] = (host_pa & ~0xFFF) | flags;
}

// Builds the second-level page tables (EPT on Intel, NPT on AMD) of nested
// VM (cpu_id, vm_id) from the boot-args region list.
//
// Regions flagged MEM_REGION_FLAG_NO_HOST_MEM are skipped. A region flagged
// MEM_REGION_FLAG_REMAINING is sized to unused_pages, but at least 16 pages.
// Page 0 of the user-code region is backed by this VM's code page, every page
// of the stack region is backed by the same X86_SYZOS_ADDR_VM_STACK page, and
// everything else is identity-mapped.
//
// NOTE(review): the page counter p is a signed int compared against
// r.pages, whose type is not visible here, and p * KVM_PAGE_SIZE is
// evaluated in whatever type that macro has - check both for large regions.
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages)
{
	uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
	if (vendor == CPU_VENDOR_INTEL) {
		flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
	} else {
		flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
	}
	volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS;
	for (uint32_t i = 0; i < args->region_count; i++) {
		// Copy the descriptor field by field out of the volatile table.
		struct mem_region r;
		r.gpa = args->regions[i].gpa;
		r.pages = args->regions[i].pages;
		r.flags = args->regions[i].flags;
		if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		if (r.flags & MEM_REGION_FLAG_REMAINING) {
			r.pages = (unused_pages < 16) ? 16 : unused_pages;
		}
		for (int p = 0; p < r.pages; p++) {
			uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE);
			uint64_t backing;
			if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) {
				backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
			} else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) {
				backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
			} else {
				backing = gpa;
			}
			l2_map_page(cpu_id, vm_id, gpa, backing, flags);
		}
	}
}

// Programs the control fields of the current VMCS for nested VM
// (cpu_id, vm_id): pin-based, primary and secondary execution controls, exit
// and entry controls are seeded from the low 32 bits of the corresponding
// VMX capability MSRs, the EPT pointer is set to this VM's table root, and
// the remaining control fields are zeroed.
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
	vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	// Secondary controls: additionally enable EPT and RDTSCP.
	vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
	vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
	vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
	// Primary controls: activate the secondary set and exit on HLT and RDTSC.
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
	vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
	vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
	vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
	vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
	vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
	vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
	// EPTP layout: table root, memory type 6 in bits 2:0 and 3 in bits 5:3
	// (page-walk length minus one in the architectural layout).
	uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
	vmwrite(VMCS_EPT_POINTER, eptp);
	// Zero guest/host masks: L2 owns every CR0/CR4 bit.
	vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
	vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
	vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
	vmwrite(VMCS_MSR_BITMAP, 0);
	vmwrite(VMCS_VMREAD_BITMAP, 0);
	vmwrite(VMCS_VMWRITE_BITMAP, 0);
	// Only exception vector 6 causes a VM exit.
	vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
	vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
	vmwrite(VMCS_POSTED_INTR_NV, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
	vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
	vmwrite(VMCS_CR3_TARGET_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
	vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
	vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
	vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral exit reasons that the Intel and AMD exit codes are mapped
// to before being reported by guest_uexit_l2().
typedef enum {
	SYZOS_NESTED_EXIT_REASON_HLT = 1,
	SYZOS_NESTED_EXIT_REASON_INVD = 2,
	SYZOS_NESTED_EXIT_REASON_CPUID = 3,
	SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
	SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
	SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, // also used for the AMD nested page fault
	SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, // no mapping; the raw reason is reported instead
} syz_nested_exit_reason;

// Forwards an exit code raised inside a nested guest: the top byte is
// treated as a nesting level and incremented, the low 56 bits are kept.
GUEST_CODE static void handle_nested_uexit(uint64_t exit_code)
{
	uint64_t level = (exit_code >> 56) + 1;
	exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56);
	guest_uexit(exit_code);
}

// Reports an L2 VM exit. Mapped reasons are tagged 0xe2e2xxxx; unmapped ones
// carry the raw exit reason under 0xe211xxxx (Intel) or 0xe2aaxxxx (AMD).
// NOTE(review): exit_reason is OR-ed in as passed; the callers in this file
// pass the unmasked value, so any bits above bit 15 would overlap the tag.
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
	if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
		guest_uexit(0xe2e20000 | mapped_reason);
	} else if (vendor == CPU_VENDOR_INTEL) {
		guest_uexit(0xe2110000 | exit_reason);
	} else {
		guest_uexit(0xe2aa0000 | exit_reason);
	}
}

// VMX basic exit reasons handled by this file.
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_EPT_VIOLATION 0x30
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

// Maps a VMX basic exit reason to the vendor-neutral enum;
// SYZOS_NESTED_EXIT_REASON_UNKNOWN when there is no mapping.
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
	// volatile presumably prevents a jump table for the chain below - TODO confirm.
	volatile uint64_t reason = basic_reason;
	if (reason == EXIT_REASON_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == EXIT_REASON_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == EXIT_REASON_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == EXIT_REASON_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == EXIT_REASON_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	if (reason == EXIT_REASON_EPT_VIOLATION)
		return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Moves the L2 RIP past the instruction that caused the exit: +2 for INVD,
// CPUID and RDTSC, +3 for RDTSCP. For every other reason (HLT included) RIP
// is written back unchanged.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
	volatile uint64_t reason = basic_reason;
	uint64_t rip = vmread(VMCS_GUEST_RIP);
	if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) ||
	    (reason == EXIT_REASON_RDTSC)) {
		rip += 2;
	} else if (reason == EXIT_REASON_RDTSCP) {
		rip += 3;
	}
	vmwrite(VMCS_GUEST_RIP, rip);
}

// C half of the Intel VM-exit path, called from
// nested_vm_exit_handler_intel_asm with the exit reason and a pointer to the
// L2 registers it pushed on the stack.
//
// Saves those registers into globals->l2_ctx for the active VM, then either
// forwards an L2 guest_uexit() (an EPT violation on the X86_SYZOS_ADDR_EXIT
// page, skipping the 3-byte faulting instruction) or reports the exit and
// advances the L2 RIP.
__attribute__((used))
GUEST_CODE static void
nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// cpu_id sits on the stack above the register frame: 7 slots further up,
	// matching the six callee-saved registers and the launch flag that
	// guest_handle_nested_vmentry_intel() pushes after cpu_id.
	uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8);
	uint64_t vm_id = globals->active_vm_id[cpu_id];
	guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
	uint64_t basic_reason = exit_reason & 0xFFFF;
	if (basic_reason == EXIT_REASON_EPT_VIOLATION) {
		uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS);
		if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
			// L2 performed a uexit; its code is in the saved RAX.
			handle_nested_uexit(regs->rax);
			vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3);
			return;
		}
	}
	syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
	advance_l2_rip_intel(basic_reason);
}

// Label defined inside the asm of guest_handle_nested_vmentry_intel().
extern char after_vmentry_label;

// VM-exit entry point installed as VMCS_HOST_RIP. Pushes the fifteen L2
// general-purpose registers (r15 first, rax last), passes the exit reason
// read from VMCS_VM_EXIT_REASON in %rdi and the frame address in %rsi to
// nested_vm_exit_handler_intel(), drops the frame, restores the callee-saved
// registers saved before VM entry, releases the two argument slots and the
// 128-byte pad, and jumps to after_vmentry_label.
// NOTE(review): in this flattened listing the instructions inside the raw
// string are separated by spaces only; the original presumably had one
// instruction per line.
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
	asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )"
		     :
		     : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)),
		       [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
		     : "memory", "cc", "rbx", "rdi", "rsi");
}

// SVM exit codes handled by this file.
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_NPF 0x400
#define VMEXIT_RDTSCP 0x87

// Maps an SVM exit code to the vendor-neutral enum;
// SYZOS_NESTED_EXIT_REASON_UNKNOWN when there is no mapping.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason =
basic_reason;
	if (reason == VMEXIT_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == VMEXIT_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == VMEXIT_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == VMEXIT_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == VMEXIT_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	// A nested page fault is reported under the EPT-violation code.
	if (reason == VMEXIT_NPF)
		return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Moves the L2 RIP stored in the VMCB past the intercepted instruction: +2
// for INVD, CPUID and RDTSC, +3 for RDTSCP. For every other reason (HLT
// included) RIP is written back unchanged.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t reason = basic_reason;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
	if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
		rip += 2;
	} else if (reason == VMEXIT_RDTSCP) {
		rip += 3;
	}
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// C half of the AMD VM-exit path, called from the asm in guest_run_amd_vm()
// with the exit code and a pointer to the L2 registers pushed on the stack.
//
// Saves those registers into globals->l2_ctx for the active VM, then either
// forwards an L2 guest_uexit() (a nested page fault whose address in
// EXITINFO2 lies in the X86_SYZOS_ADDR_EXIT page, skipping the 3-byte
// faulting instruction) or reports the exit and advances the L2 RIP.
__attribute__((used))
GUEST_CODE static void
nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// cpu_id sits 8 slots above the register frame; presumably these are the
	// exit-code quadword, six callee-saved registers and the vmcb_addr slot
	// pushed by guest_run_amd_vm() - confirm against that asm.
	uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8);
	uint64_t vm_id = globals->active_vm_id[cpu_id];
	guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
	volatile uint64_t basic_reason = exit_reason & 0xFFFF;
	if (basic_reason == VMEXIT_NPF) {
		uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
		uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2);
		if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
			// L2 performed a uexit; its code is in the saved RAX.
			handle_nested_uexit(regs->rax);
			uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
			vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3);
			return;
		}
	}
	syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
	advance_l2_rip_amd(basic_reason, cpu_id, vm_id);
}

// Fills the host-state area of the current VMCS from the running L1
// environment: fixed selectors and table bases, the live CR0/CR3/CR4 and
// MSR values, and nested_vm_exit_handler_intel_asm as the VM-exit entry point.
// VMCS_HOST_RSP is not set here; it is written right before VM entry.
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
	vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
	vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
	vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS);
	vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
	vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
	vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
	vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
	vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
	vmwrite(VMCS_HOST_CR0, read_cr0());
	vmwrite(VMCS_HOST_CR3, read_cr3());
	vmwrite(VMCS_HOST_CR4, read_cr4());
	vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
	vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
	vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
	vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
	vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copies one VMCS field into another (used to mirror host state into the guest).
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Writes selector, base, limit and access rights of one guest segment.
// Expands to four statements without a do { } while (0) wrapper, so it must
// only be used where a full statement is expected.
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fills the guest-state area of the current VMCS for nested VM
// (cpu_id, vm_id). Segments, control registers, descriptor-table bases and
// MSR fields mirror the host-state fields already written to this VMCS; RIP
// points at the VM's code page and RSP 8 bytes below the top of its stack page.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
	SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF,
VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
	SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
	// L2 starts with the same control registers as L1.
	vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
	vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
	vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
	vmwrite(VMCS_GUEST_RIP, l2_code_addr);
	// Initial stack pointer: 8 bytes below the top of the stack page.
	vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmwrite(VMCS_GUEST_DR7, 0x400);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
	vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
	vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
	vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
	vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
	vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
	// All-ones link pointer: no linked VMCS.
	vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
	vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
	vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
	vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
	vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
	vmwrite(VMCS_GUEST_INTR_STATUS, 0);
	vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Creates nested VM cmd->arg on an Intel CPU: stamps the VMCS region with the
// low 32 bits of IA32_VMX_BASIC, VMCLEARs and loads it, zeroes the VM's
// page-table root and MSR-bitmap page, builds the EPT and initialises the
// control, host and guest areas. A failing VMCLEAR reports 0xE2BAD1.
// NOTE(review): vm_id is used as received to derive every per-VM address; no
// range check is visible in this function - confirm the address macros or
// the command producer bound it.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
	*(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	asm volatile("vmclear %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD1);
		return;
	}
	nested_vmptrld(cpu_id, vm_id);
	guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0);
	init_vmcs_control_fields(cpu_id, vm_id);
	// Host state must be written first: the guest-state setup copies from it.
	init_vmcs_host_state();
	init_vmcs_guest_state(cpu_id, vm_id);
}

// Writes selector, attributes, limit and base of one guest segment into the
// VMCB. Expands to four statements without a do { } while (0) wrapper, so it
// must only be used where a full statement is expected.
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// Fills the VMCB of nested VM (cpu_id, vm_id): guest segments, control
// registers, entry RIP/RSP, EFER, descriptor tables read with SGDT/SIDT, the
// intercept vectors, nested paging rooted at this VM's table, and ASID 1.
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64,
X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
	// L2 starts with L1's control registers, with CR0.WP forced on.
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
	// Initial stack pointer: 8 bytes below the top of the stack page.
	vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME);
	vmcb_write64(vmcb_addr, VMCB_RAX, 0);
	// Pseudo-descriptor layout stored by SGDT/SIDT: 16-bit limit, 64-bit base.
	struct {
		uint16_t limit;
		uint64_t base;
	} __attribute__((packed)) gdtr, idtr;
	asm volatile("sgdt %0" : "=m"(gdtr));
	asm volatile("sidt %0" : "=m"(idtr));
	vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
	vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
	// Enable nested paging and point it at this VM's table root.
	vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
	uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
	vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
	// Every nested VM is given ASID 1.
	vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Creates nested VM cmd->arg on an AMD CPU: zeroes the VMCB, the per-CPU
// arch-specific page, the VM's page-table root and its MSR-bitmap page, then
// builds the nested page tables and fills the VMCB.
// NOTE(review): vm_id is used as received to derive every per-VM address; no
// range check is visible in this function - confirm the address macros or
// the command producer bound it.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
	guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0);
	init_vmcb_guest_state(cpu_id, vm_id);
}

// Command handler: creates a nested VM using the vendor-specific routine.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_create_vm_intel(cmd, cpu_id);
	} else {
		nested_create_vm_amd(cmd, cpu_id);
	}
}

// Walks the second-level page table of nested VM (cpu_id, vm_id) and returns
// the backing address for L2 guest-physical address gpa, or 0 when any level
// is not present. Because 0 doubles as the error value, a page backed at
// address 0 cannot be told apart from a missing mapping.
GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa)
{
	uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (!(pml4[pml4_idx] & X86_PDE64_PRESENT))
		return 0;
	volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT))
		return 0;
	volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (!(pd[pd_idx] & X86_PDE64_PRESENT))
		return 0;
	volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	if (!(pt[pt_idx] & X86_PDE64_PRESENT))
		return 0;
	// Page frame from the leaf entry plus the offset within the page.
	return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF);
}

// Command handler: copies the instruction bytes carried by the command into
// the page backing X86_SYZOS_ADDR_USER_CODE of nested VM cmd->vm_id and
// resets that VM's RIP and RSP to the code and stack addresses.
// Reports 0xE2BAD4 when the code page is not mapped.
// NOTE(review): the payload length is header.size minus the fixed part; if
// header.size is smaller the subtraction wraps and the clamp turns it into a
// full-page copy that reads past the command. Confirm header.size is
// validated by the producer.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE);
	if (!l2_code_backing) {
		guest_uexit(0xE2BAD4);
		return;
	}
	uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
	// Never copy more than the single code page.
	if (l2_code_size > KVM_PAGE_SIZE)
		l2_code_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
		vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	} else {
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP,
X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	}
}

// Command handler: loads a command program into nested VM cmd->vm_id so that
// the VM runs guest_main() itself. The program is copied into the VM's code
// page, text_sizes[] in the VM's own globals page is set for every vCPU, the
// saved L2 registers get rdi = vCPU index and rax = 0, and the VM's RIP/RSP
// are pointed at guest_main and the top of the stack.
// Reports 0xE2BAD3 when the globals page is not mapped in the VM.
// NOTE(review): prog_size wraps if header.size is smaller than the offset of
// `program` (the clamp then yields a full-page copy), and vm_id indexes
// l2_ctx[][KVM_MAX_L2_VMS] without a range check in this function - confirm
// both are guaranteed by the producer.
GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program);
	uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// Never copy more than the single code page.
	if (prog_size > KVM_PAGE_SIZE)
		prog_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size);
	uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS);
	if (!globals_pa) {
		guest_uexit(0xE2BAD3);
		return;
	}
	volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa;
	for (int i = 0; i < KVM_MAX_VCPU; i++) {
		l2_globals->text_sizes[i] = prog_size;
		// rdi carries guest_main()'s cpu argument on entry.
		globals->l2_ctx[i][vm_id].rdi = i;
		globals->l2_ctx[i][vm_id].rax = 0;
	}
	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, entry_rip);
		vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	} else {
		uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
		vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip);
		vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	}
}

// Enters nested VM vm_id on an Intel CPU with VMLAUNCH (is_launch) or
// VMRESUME, and reports 0xE2E10000 | VM-instruction error if the entry
// instruction itself fails.
//
// The asm reserves 128 bytes, pushes cpu_id, the launch flag and the six
// callee-saved registers, records the resulting RSP in VMCS_HOST_RSP, loads
// the L2 registers from l2_regs (rax at offset 0 ... r15 at offset 112) and
// picks the entry instruction from the launch slot at 48(%rsp). If the entry
// instruction falls through, the frame is unwound and ret is set to 1. After
// a VM exit, nested_vm_exit_handler_intel_asm unwinds the same frame and
// jumps to after_vmentry_label, which clears ret.
// NOTE(review): vm_id indexes l2_ctx[][KVM_MAX_L2_VMS] without a range check
// in this function. In this flattened listing the instructions inside the
// raw string are separated by spaces only; the original presumably had one
// instruction per line.
GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
	uint64_t vmx_error_code = 0;
	uint64_t fail_flag = 0;
	nested_vmptrld(cpu_id, vm_id);
	// Remembered so the exit handler knows which context to save into.
	globals->active_vm_id[cpu_id] = vm_id;
	asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov 
%%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )"
		     : [ret] "=&r"(fail_flag)
		     : [launch] "r"((uint64_t)is_launch),
		       [host_rsp_field] "i"(VMCS_HOST_RSP),
		       [cpu_id] "r"(cpu_id),
		       [l2_regs] "r"(l2_regs)
		     : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
	if (fail_flag) {
		vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
		guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
		return;
	}
}

// Runs nested VM vm_id on an AMD CPU with VMRUN and handles the resulting
// exit inline; reports 0xE2E10000 | 0xFFFF when fail_flag ends up set.
//
// The asm reserves 128 bytes, pushes cpu_id, vmcb_addr and the six
// callee-saved registers, stores the saved L2 RAX at offset 0x5f8 of the
// VMCB (presumably the VMCB RAX slot, cf. VMCB_RAX), loads the remaining L2
// registers from l2_regs, executes CLGI and VMRUN, then pushes the quadword
// at VMCB offset 0x70 and the L2 registers to build the frame handed to
// nested_vm_exit_handler_amd().
// NOTE(review): vm_id indexes l2_ctx[][KVM_MAX_L2_VMS] without a range check
// in this function. In this flattened listing the instructions inside the
// raw string are separated by spaces only; the original presumably had one
// instruction per line.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// Remembered so the exit handler knows which context to save into.
	globals->active_vm_id[cpu_id] = vm_id;
	struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
	uint8_t fail_flag = 0;
	asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push 
// Read-modify-write of one VMCS field of nested VM args[0] (Intel only; a
// no-op on other vendors).
//
// args[1] = field encoding, args[2] = bits to set, args[3] = bits to clear,
// args[4] = bits to toggle. Clearing is applied first, then setting, then the
// toggle, so a bit present in both the set and toggle masks ends up cleared.
//
// The field encoding and all masks come straight from the command; nothing
// here restricts which field may be modified.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_INTEL)
		return;

	// Make the target VM's control structure current before touching fields.
	uint64_t vm_id = cmd->args[0];
	nested_vmptrld(cpu_id, vm_id);

	uint64_t field = cmd->args[1];
	uint64_t bits_on = cmd->args[2];
	uint64_t bits_off = cmd->args[3];
	uint64_t bits_toggle = cmd->args[4];

	uint64_t value = vmread(field);
	value &= ~bits_off;
	value |= bits_on;
	value ^= bits_toggle;
	vmwrite(field, value);
}
// Build an event-injection word from the command and store it in the VMCB of
// nested VM args[0] (AMD only; a no-op on other vendors).
//
// Packed layout: vector in bits 7:0 (args[1]), type in bits 10:8 (args[2]),
// bit 11 set when args[4] & 2, bit 31 set when args[4] & 1, error code in
// bits 63:32 (args[3]). Each input is masked to its field width first.
//
// NOTE(review): the word is written at VMCB offset 0x60. The AMD APM lists
// EVENTINJ at control-area offset 0xA8 and the virtual-interrupt control word
// at 0x60 -- confirm which field is intended.
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;

	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);

	uint64_t vec = cmd->args[1] & 0xFF;
	uint64_t kind = cmd->args[2] & 0x7;
	uint64_t err = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];

	uint64_t err_valid_bit = (flags & 2) ? (1ULL << 11) : 0;
	uint64_t valid_bit = (flags & 1) ? (1ULL << 31) : 0;

	uint64_t event_inj = vec | (kind << 8) | err_valid_bit | valid_bit | (err << 32);
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}
// Execute VMLOAD on the VMCB of nested VM cmd->arg (AMD only; a no-op on other
// vendors). The VMCB address computed by X86_SYZOS_ADDR_VMCS_VMCB is passed in
// rax; the "memory" clobber keeps the compiler from caching memory across the
// instruction.
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_AMD) {
		uint64_t vm_id = cmd->arg;
		uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
		asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory");
	}
}
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
// Encode *seg as an 8-byte descriptor and store it at slot (selector >> 3) of
// both tables dt and lt.
//
// When seg->g is set the limit is first scaled down by 4 KiB (limit >> 12).
//
// The slot index comes from seg->selector and is not checked against the size
// of either table; callers must pass tables large enough for every selector
// they use.
//
// NOTE(review): `(limit & 0xf0000ULL) << 48` and
// `(seg->base & 0xff000000ULL) << 56` move every selected bit past bit 63, so
// both terms always evaluate to 0 and limit[19:16] / base[31:24] never reach
// the descriptor. An x86 descriptor holds those fields at bits 51:48 and
// 63:56. The expressions are kept unchanged here to preserve behaviour.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	const uint16_t slot = seg->selector >> 3;

	uint64_t limit = seg->limit;
	if (seg->g)
		limit >>= 12;

	uint64_t desc = limit & 0xffff;
	desc |= (seg->base & 0xffffff) << 16;
	desc |= (uint64_t)seg->type << 40;
	desc |= (uint64_t)seg->s << 44;
	desc |= (uint64_t)seg->dpl << 45;
	desc |= (uint64_t)seg->present << 47;
	desc |= (limit & 0xf0000ULL) << 48;
	desc |= (uint64_t)seg->avl << 52;
	desc |= (uint64_t)seg->l << 53;
	desc |= (uint64_t)seg->db << 54;
	desc |= (uint64_t)seg->g << 55;
	desc |= (seg->base & 0xff000000ULL) << 56;

	dt[slot] = desc;
	lt[slot] = desc;
}
(uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 
// Map a guest-physical address to the host pointer backing it.
//
// Scans syzos_mem_regions in order, skipping regions flagged
// MEM_REGION_FLAG_NO_HOST_MEM, and stops at the entry whose gpa is
// X86_SYZOS_ADDR_UNUSED, so addresses in that final region are never
// translated. Returns vm->region_base[i] plus the offset into the matching
// region, or NULL when no region contains gpa.
//
// Callers visible in this file dereference the result without a NULL check, so
// they rely on passing addresses that lie inside a listed region.
static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa)
{
	const struct mem_region* region = syzos_mem_regions;

	for (size_t idx = 0; idx < SYZOS_REGION_COUNT; idx++, region++) {
		if (region->flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		if (region->gpa == X86_SYZOS_ADDR_UNUSED)
			return NULL;

		size_t region_bytes = region->pages * KVM_PAGE_SIZE;
		if (gpa < region->gpa)
			continue;
		if (gpa < region->gpa + region_bytes)
			return (void*)((char*)vm->region_base[idx] + (gpa - region->gpa));
	}
	return NULL;
}
// Return the host pointer for a page-table page located at guest-physical
// address gpa.
//
// Addresses inside the page-table pool
// [X86_SYZOS_ADDR_PT_POOL, +X86_SYZOS_PT_POOL_SIZE pages) resolve into
// vm->pt_pool_mem; every other address is resolved as an offset into
// vm->gpa0_mem.
//
// NOTE(review): the fallback adds gpa to gpa0_mem without any range check.
// It is only correct for addresses inside the mapping behind gpa0_mem; confirm
// callers never pass anything else.
static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa)
{
	int below_pool = gpa < X86_SYZOS_ADDR_PT_POOL;
	int past_pool = gpa >= X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE);

	if (below_pool || past_pool)
		return (uint64_t*)((char*)vm->gpa0_mem + gpa);

	uint64_t pool_offset = gpa - X86_SYZOS_ADDR_PT_POOL;
	return (uint64_t*)((char*)vm->pt_pool_mem + pool_offset);
}
// Build the guest page tables: zero the page-table pool and the first five
// pages behind gpa0_mem, then map every entry of syzos_mem_regions with 4 KiB
// pages, taking table pages from the pool.
//
// A running budget starts at vm->total_pages and is reduced by each region
// that has host memory. The region flagged MEM_REGION_FLAG_REMAINING receives
// whatever budget is left and ends the loop; the process exits with status 1
// if the budget is already negative at that point.
//
// total_pages is a size_t narrowed to int here, so very large values would not
// survive the conversion.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	int budget = vm->total_pages;

	page_alloc_t alloc;
	alloc.next_page = X86_SYZOS_ADDR_PT_POOL;
	alloc.last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE;

	memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE);
	memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE);

	for (size_t idx = 0; idx < SYZOS_REGION_COUNT; idx++) {
		const struct mem_region* region = &syzos_mem_regions[idx];
		const int takes_rest = (region->flags & MEM_REGION_FLAG_REMAINING) != 0;

		int count = region->pages;
		if (takes_rest) {
			if (budget < 0)
				exit(1);
			count = budget;
		}

		map_4k_region(vm, &alloc, region->gpa, count);

		// Regions without host memory are mapped but do not consume budget.
		if ((region->flags & MEM_REGION_FLAG_NO_HOST_MEM) == 0)
			budget -= count;
		if (takes_rest)
			break;
	}
}
// Execute CPUID with leaf `eax` and sub-leaf `ecx` and store the resulting
// EAX/EBX/ECX/EDX in *a, *b, *c and *d. All four pointers must be valid.
static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d)
{
	uint32_t out_a = 0;
	uint32_t out_b = 0;
	uint32_t out_c = 0;
	uint32_t out_d = 0;

	asm volatile("cpuid"
		     : "=a"(out_a), "=b"(out_b), "=c"(out_c), "=d"(out_d)
		     : "a"(eax), "c"(ecx));

	*a = out_a;
	*b = out_b;
	*c = out_c;
	*d = out_d;
}
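// Copy the host's supported CPUID table onto the vCPU behind cpufd.
//
// Opens /dev/kvm, queries up to 128 entries with KVM_GET_SUPPORTED_CPUID and
// applies them with KVM_SET_CPUID2. The call is best effort: nothing is
// reported to the caller.
//
// If /dev/kvm cannot be opened or the query fails, the vCPU is left untouched.
// Without these checks the zero-filled buffer, still claiming 128 entries,
// would be installed as the vCPU's CPUID table.
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);
	if (kvmfd == -1)
		return;

	// Aligned because the buffer is accessed through a struct kvm_cpuid2 pointer.
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)] __attribute__((aligned(8)));
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;

	// Only apply a table that the kernel actually filled in.
	if (ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid) == 0)
		ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
}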
memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = 
X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; 
seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, 
X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | 
X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = 
tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if 
(text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; 
seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return 
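-1; return 0; }

/* Bit 1 of RFLAGS, per the macro name; reset_cpu_regs() always sets it. */
#define RFLAGS_1_BIT (1ULL << 1)
/* Bit 9 of RFLAGS (IF, per the macro name); reset_cpu_regs() always sets it. */
#define RFLAGS_IF_BIT (1ULL << 9)

/*
 * Load a fresh general-purpose register file into the vCPU behind cpufd.
 *
 * Every register is zero except rflags (RFLAGS_1_BIT | RFLAGS_IF_BIT),
 * rip (the caller-supplied entry point), rsp (X86_SYZOS_ADDR_STACK0) and
 * rdi, which carries cpu_id. The result of KVM_SET_REGS is not checked.
 */
static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id)
{
    struct kvm_regs regs;

    memset(&regs, 0, sizeof(regs));
    regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
    regs.rip = rip;
    regs.rsp = X86_SYZOS_ADDR_STACK0;
    regs.rdi = cpu_id;
    ioctl(cpufd, KVM_SET_REGS, &regs);
}

/*
 * Copy one vCPU's guest program into its page of the user-text region and
 * prepare the vCPU to start at guest_main.
 *
 * Returns without doing anything when cpu_id is outside [0, KVM_MAX_VCPU).
 * text_size is clamped to KVM_PAGE_SIZE, so the copy stays inside the
 * page-sized slot at vm->user_text + KVM_PAGE_SIZE * cpu_id.
 *
 * NOTE(review): vm->user_text is used without a NULL check; setup_vm() only
 * assigns it for a region flagged MEM_REGION_FLAG_USER_CODE.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
    if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
        return;
    if (text_size > KVM_PAGE_SIZE)
        text_size = KVM_PAGE_SIZE;
    void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
    memcpy(target, text, text_size);
    setup_gdt_ldt_pg(vm, cpufd, cpu_id);
    setup_cpuid(cpufd);
    uint64_t entry_rip = executor_fn_guest_addr(guest_main);
    reset_cpu_regs(cpufd, entry_rip, cpu_id);
    /* Record the (clamped) program size for this vCPU when a globals page exists. */
    if (vm->globals_mem) {
        struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem;
        globals->text_sizes[cpu_id] = text_size;
    }
}

/* A contiguous span of host memory: start address and length in bytes. */
struct addr_size {
    void* addr;
    size_t size;
};

/*
 * Carve `size` bytes off the front of the free span `free`.
 *
 * On success returns the carved span and advances/shrinks `free`.
 * When fewer than `size` bytes remain, returns {NULL, 0} and leaves
 * `free` untouched; callers must check for that.
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
    struct addr_size ret = {.addr = NULL, .size = 0};

    if (free->size < size)
        return ret;
    ret.addr = free->addr;
    ret.size = size;
    free->addr = (void*)((char*)free->addr + size);
    free->size -= size;
    return ret;
}

/*
 * Fill a struct kvm_userspace_memory_region from the arguments and hand it
 * to KVM_SET_USER_MEMORY_REGION on vmfd. The ioctl result is ignored, so a
 * rejected slot is not reported to the caller.
 */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
    struct kvm_userspace_memory_region memreg;

    memreg.slot = slot;
    memreg.flags = flags;
    memreg.guest_phys_addr = guest_phys_addr;
    memreg.memory_size = memory_size;
    memreg.userspace_addr = userspace_addr;
    ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

/*
 * Copy the bytes between the __start_guest and __stop_guest symbols into
 * host_mem. Terminates the process with exit(1) if that image is larger
 * than mem_size, so the copy never overruns the destination region.
 */
static void install_syzos_code(void* host_mem, size_t mem_size)
{
    size_t size = (char*)&__stop_guest - (char*)&__start_guest;

    if (size > mem_size)
        exit(1);
    memcpy(host_mem, &__start_guest, size);
}

/*
 * Split vm->host_mem among the entries of syzos_mem_regions and register
 * each host-backed region with KVM as a memory slot on vmfd.
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
    struct addr_size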
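allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
    int slot = 0;
    struct syzos_boot_args* boot_args = NULL;

    for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
        const struct mem_region* r = &syzos_mem_regions[i];
        /* Regions without host backing get no allocation and no KVM slot. */
        if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) {
            vm->region_base[i] = NULL;
            continue;
        }
        size_t pages = r->pages;
        /* A REMAINING region takes whatever is left in the pool. */
        if (r->flags & MEM_REGION_FLAG_REMAINING)
            pages = allocator.size / KVM_PAGE_SIZE;
        /* NOTE(review): alloc_guest_mem() returns {NULL, 0} when the pool is
         * too small; that result is used below without a check. */
        struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE);
        vm->region_base[i] = next.addr;
        uint32_t flags = 0;
        if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
            flags |= KVM_MEM_LOG_DIRTY_PAGES;
        if (r->flags & MEM_REGION_FLAG_READONLY)
            flags |= KVM_MEM_READONLY;
        /* Remember the host addresses of the regions other helpers need. */
        if (r->flags & MEM_REGION_FLAG_USER_CODE)
            vm->user_text = next.addr;
        if (r->flags & MEM_REGION_FLAG_GPA0)
            vm->gpa0_mem = next.addr;
        if (r->gpa == X86_SYZOS_ADDR_PT_POOL)
            vm->pt_pool_mem = next.addr;
        if (r->gpa == X86_SYZOS_ADDR_GLOBALS)
            vm->globals_mem = next.addr;
        /* The boot-args region receives a copy of the whole region table. */
        if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) {
            boot_args = (struct syzos_boot_args*)next.addr;
            boot_args->region_count = SYZOS_REGION_COUNT;
            for (size_t k = 0; k < boot_args->region_count; k++)
                boot_args->regions[k] = syzos_mem_regions[k];
        }
        /* Patch the copied table with the page count actually granted. */
        if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args)
            boot_args->regions[i].pages = pages;
        if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
            install_syzos_code(next.addr, next.size);
        vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
        /* Nothing is left to hand out after a REMAINING region. */
        if (r->flags & MEM_REGION_FLAG_REMAINING)
            break;
    }
}

/*
 * Pseudo-syscall: lay out a SYZOS guest in caller-provided host memory.
 *
 * a0 is the KVM VM fd, a1 the host memory block. The first page of that
 * block holds the struct kvm_syz_vm bookkeeping; the following
 * KVM_GUEST_PAGES - 1 pages are handed to setup_vm(). Returns the
 * bookkeeping pointer cast to long.
 *
 * NOTE(review): a1 is dereferenced unchecked and is assumed to span
 * KVM_GUEST_PAGES pages -- confirm against the caller.
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
    const int vmfd = a0;
    void* host_mem = (void*)a1;
    struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;

    ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
    ret->total_pages = KVM_GUEST_PAGES - 1;
    setup_vm(vmfd, ret);
    ret->vmfd = vmfd;
    ret->next_cpu_id = 0;
    return (long)ret;
}

/*
 * Pseudo-syscall: create the next vCPU of a SYZOS VM and install its code.
 *
 * a0 is the struct kvm_syz_vm pointer returned by syz_kvm_setup_syzos_vm(),
 * a1 a struct kvm_text describing the program. Returns the new vCPU fd, or
 * -1 with errno set to EINVAL (NULL argument), ENOMEM (KVM_MAX_VCPU vCPUs
 * already exist) or whatever KVM_CREATE_VCPU reported.
 */
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
    struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
    struct kvm_text* utext = (struct kvm_text*)a1;

    /* Reject NULL arguments before the first dereference of either one. */
    if (!vm || !utext) {
        errno = EINVAL;
        return -1;
    }
    const void* text = utext->text;
    size_t text_size = utext->size;
    if (vm->next_cpu_id == KVM_MAX_VCPU) {
        errno = ENOMEM;
        return -1;
    }
    int cpu_id = vm->next_cpu_id;
    int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
    if (cpufd == -1)
        return -1;
    /* The id is consumed only once the vCPU really exists. */
    vm->next_cpu_id++;
    install_user_code(vm, cpufd, cpu_id, text, text_size);
    return cpufd;
}

/*
 * Debug helper: print the kvm_run exit information and selected vCPU
 * registers to stderr.
 *
 * run may be NULL (syz_kvm_assert_syzos_uexit() calls this on its !run
 * path), in which case the KVM_RUN section is skipped. Both register
 * structures are zeroed first so a failed KVM_GET_REGS / KVM_GET_SREGS
 * prints zeros instead of uninitialized stack contents.
 */
static void dump_vcpu_state(int cpufd, struct kvm_run* run)
{
    struct kvm_regs regs;
    memset(&regs, 0, sizeof(regs));
    ioctl(cpufd, KVM_GET_REGS, &regs);
    struct kvm_sregs sregs;
    memset(&sregs, 0, sizeof(sregs));
    ioctl(cpufd, KVM_GET_SREGS, &sregs);
    if (run) {
        fprintf(stderr, "KVM_RUN structure:\n");
        fprintf(stderr, " exit_reason: %d\n", run->exit_reason);
        fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason);
    }
    fprintf(stderr, "VCPU registers:\n");
    fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags);
    fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx);
    fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi);
    fprintf(stderr, "VCPU sregs:\n");
    fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4);
    fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ?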
1 : 0);
    fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db);
    fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db);
    fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db);
    fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit);
}

/*
 * Pseudo-syscall: check that the last KVM_RUN on a vCPU ended with the
 * expected SYZOS "uexit" code.
 *
 * a0 is the vCPU fd, a1 the vCPU's struct kvm_run, a2 the expected code.
 * A uexit is recognised as a KVM_EXIT_MMIO whose physical address is
 * X86_SYZOS_ADDR_UEXIT; the code is the first 64-bit word of the MMIO data.
 * Returns 0 on a match. Otherwise dumps the vCPU state to stderr and
 * returns -1 with errno EINVAL (not a uexit) or EDOM (wrong code).
 *
 * The "VCPU %d" in the messages is the vCPU file descriptor, not a vCPU
 * index.
 */
static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2)
{
    int cpufd = (int)a0;
    struct kvm_run* run = (struct kvm_run*)a1;
    uint64_t expect = a2;

    if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) {
        fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd);
        /* NOTE(review): run can be NULL here, so dump_vcpu_state() has to
         * tolerate a NULL run. */
        dump_vcpu_state(cpufd, run);
        errno = EINVAL;
        return -1;
    }
    uint64_t actual_code = ((uint64_t*)(run->mmio.data))[0];
    if (actual_code != expect) {
        fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd);
        fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
        fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code);
        dump_vcpu_state(cpufd, run);
        errno = EDOM;
        return -1;
    }
    return 0;
}

/* Defined after sandbox_common_mount_tmpfs(), which calls them last. */
static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build a private root under ./syz-tmp and switch the process into it.
 *
 * A tmpfs is mounted on ./syz-tmp, ./syz-tmp/newroot is populated with
 * mounts of the host's /dev, /proc, /sys and a few optional trees, then the
 * process pivot_root()s (or, if that fails, chdir()s) and chroot()s into
 * newroot. Mandatory steps exit(1) on failure; optional mounts tolerate
 * ENOENT only.
 *
 * Security note: /dev and /sys are recursive bind mounts of the host trees,
 * so this narrows the visible filesystem but leaves host device nodes and
 * sysfs reachable. It is test-harness isolation, not a containment boundary.
 */
static void sandbox_common_mount_tmpfs(void)
{
    /* Raise the per-namespace mount limit; the result is not checked. */
    write_file("/proc/sys/fs/mount-max", "100000");
    if (mkdir("./syz-tmp", 0777))
        exit(1);
    if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
        exit(1);
    if (mkdir("./syz-tmp/newroot", 0777))
        exit(1);
    if (mkdir("./syz-tmp/newroot/dev", 0700))
        exit(1);
    unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
    if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
        exit(1);
    if (mkdir("./syz-tmp/newroot/proc", 0700))
        exit(1);
    /* /proc is a fresh procfs instance rather than a bind mount. */
    if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
        exit(1);
    if (mkdir("./syz-tmp/newroot/selinux", 0700))
        exit(1);
    const char* selinux_path = "./syz-tmp/newroot/selinux";
    /* Try /selinux first, then /sys/fs/selinux; a missing source is fine. */
    if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
        if (errno != ENOENT)
            exit(1);
        if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
            exit(1);
    }
    if (mkdir("./syz-tmp/newroot/sys", 0700))
        exit(1);
    if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
        exit(1);
    /* The remaining bind mounts are optional: only ENOENT is tolerated. */
    if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
        exit(1);
    if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
        exit(1);
    if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
        exit(1);
    if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
        exit(1);
    /* The input corpus is the only tree requested read-only. */
    if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
        exit(1);
    if (mkdir("./syz-tmp/pivot", 0777))
        exit(1);
    /* Prefer pivot_root and detach the old root; fall back to a plain
     * chdir when pivot_root fails, leaving the old root mounted. */
    if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
        if (chdir("./syz-tmp"))
            exit(1);
    } else {
        if (chdir("/"))
            exit(1);
        if (umount2("./pivot", MNT_DETACH))
            exit(1);
    }
    if (chroot("./newroot"))
        exit(1);
    if (chdir("/"))
        exit(1);
    /* These run inside the new root, so their paths resolve there. */
    setup_gadgetfs();
    setup_binderfs();
    setup_fusectl();
}

/* Best effort: create /dev/gadgetfs and mount gadgetfs on it; failures are ignored. */
static void setup_gadgetfs()
{
    if (mkdir("/dev/gadgetfs", 0777)) {
    }
    if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
    }
}

/* Best effort: mount fusectl on /sys/fs/fuse/connections; failure is ignored. */
static void setup_fusectl()
{
    if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
    }
}

/* Best effort: create /dev/binderfs and mount the binder filesystem on it; failures are ignored. */
static void setup_binderfs()
{
    if (mkdir("/dev/binderfs", 0777)) {
    }
    if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
    }
}

static void loop();

/*
 * Sandbox setup shared by the sandbox modes: tie the process lifetime to
 * its parent, keep a handle on the initial network namespace, cap resource
 * usage, unshare several namespaces and set SysV IPC sysctls.
 */
static void sandbox_common()
{
    /* Deliver SIGKILL to this process when its parent dies. */
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    /* Presumably the parent died before PDEATHSIG was armed and this
     * process was reparented to pid 1. */
    if (getppid() == 1)
        exit(1);
    /* Keep the current network namespace reachable at fd kInitNetNsFd. */
    int netns = open("/proc/self/ns/net", O_RDONLY);
    if (netns == -1)
        exit(1);
    if (dup2(netns, kInitNetNsFd) < 0)
        exit(1);
    close(netns);
    struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
    /* Resource caps; every setrlimit() result is ignored.
     * 200 MiB address space, 32 MiB locked memory, 136 MiB file size,
     * 1 MiB stack, 128 MiB core dumps, 256 open files. */
    setrlimit(RLIMIT_AS, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 32 << 20;
    setrlimit(RLIMIT_MEMLOCK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 136 << 20;
    setrlimit(RLIMIT_FSIZE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 1 << 20;
    setrlimit(RLIMIT_STACK, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 128 << 20;
    setrlimit(RLIMIT_CORE, &rlim);
    rlim.rlim_cur = rlim.rlim_max = 256;
    setrlimit(RLIMIT_NOFILE, &rlim);
    /* Namespace isolation is best effort: each failure is swallowed, so
     * the process may keep running in the host's namespaces. */
    if (unshare(CLONE_NEWNS)) {
    }
    /* Make every mount private so later mounts do not propagate outward. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
    }
    if (unshare(CLONE_NEWIPC)) {
    }
    /* 0x02000000 is the value of CLONE_NEWCGROUP, spelled numerically. */
    if (unshare(0x02000000)) {
    }
    if (unshare(CLONE_NEWUTS)) {
    }
    if (unshare(CLONE_SYSVSEM)) {
    }
    typedef struct {
        const char* name;
        const char* value;
    } sysctl_t;
    /* SysV shared-memory, message-queue and semaphore limits. */
    static const sysctl_t sysctls[] = {
        {"/proc/sys/kernel/shmmax", "16777216"},
        {"/proc/sys/kernel/shmall", "536870912"},
        {"/proc/sys/kernel/shmmni", "1024"},
        {"/proc/sys/kernel/msgmax", "8192"},
        {"/proc/sys/kernel/msgmni", "1024"},
        {"/proc/sys/kernel/msgmnb", "1024"},
        {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
    };
    unsigned i;
    for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
        write_file(sysctls[i].name, sysctls[i].value);
}

/*
 * Reap children until `pid` itself is collected and return its exit status.
 * Exits with 1 when pid is negative (a failed fork()). The status is read
 * with WEXITSTATUS without first testing WIFEXITED.
 */
static int wait_for_loop(int pid)
{
    if (pid < 0)
        exit(1);
    int status = 0;
    while (waitpid(-1, &status, __WALL) != pid) {
    }
    return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of the calling process; exits with 1 if capget/capset
 * fails.
 *
 * Only cap_data[0] is edited and every other capability is kept, so the
 * process stays highly privileged when it was started as root.
 */
static void drop_caps(void)
{
    struct __user_cap_header_struct cap_hdr = {};
    struct __user_cap_data_struct cap_data[2] = {};

    cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
    cap_hdr.pid = getpid();
    if (syscall(SYS_capget, &cap_hdr, &cap_data))
        exit(1);
    const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
    cap_data[0].effective &= ~drop;
    cap_data[0].permitted &= ~drop;
    cap_data[0].inheritable &= ~drop;
    if (syscall(SYS_capset, &cap_hdr, &cap_data))
        exit(1);
}

/*
 * "none" sandbox: fork a child that applies the common sandbox setup and
 * runs loop(); the parent waits and returns the child's exit status.
 *
 * No uid/gid change happens here and only two capabilities are dropped, so
 * the test program runs with close to the caller's full privileges. Run
 * such reproducers only inside a disposable VM.
 */
static int do_sandbox_none(void)
{
    /* Best effort: the forked child becomes pid 1 of a new pid namespace. */
    if (unshare(CLONE_NEWPID)) {
    }
    int pid = fork();
    if (pid != 0)
        return wait_for_loop(pid);
    sandbox_common();
    drop_caps();
    if (unshare(CLONE_NEWNET)) {
    }
    /* Allow every group id to open unprivileged ICMP (ping) sockets. */
    write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
    sandbox_common_mount_tmpfs();
    loop();
    /* loop() is not expected to return. */
    exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete `dir`, unmounting anything mounted on it or inside it.
 *
 * Any unexpected error terminates the process with exit(1); EROFS makes the
 * function give up on that entry without failing. When unlink()/rmdir()
 * reports EPERM, the inode flags are reset to 0 via FS_IOC_SETFLAGS
 * (presumably to clear immutable/append-only attributes) and the operation
 * is retried.
 *
 * NOTE(review): in the unlink loop the EPERM branch `continue`s before the
 * `i > 100` bound is evaluated, so a persistent EPERM is not limited by the
 * retry cap. snprintf() truncation of long paths is not detected either.
 */
static void remove_dir(const char* dir)
{
    int iter = 0;
    DIR* dp = 0;
    const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;

retry:
    /* Peel off every mount stacked on the directory itself. */
    while (umount2(dir, umount_flags) == 0) {
    }
    dp = opendir(dir);
    if (dp == NULL) {
        if (errno == EMFILE) {
            exit(1);
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        while (umount2(filename, umount_flags) == 0) {
        }
        struct stat st;
        /* lstat, not stat: symlinks are removed, never followed. */
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            if (errno == EPERM) {
                int fd = open(filename, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            /* EBUSY: something is still mounted here; unmount and retry. */
            if (errno != EBUSY || i > 100)
                exit(1);
            if (umount2(filename, umount_flags))
                exit(1);
        }
    }
    closedir(dp);
    for (int i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EPERM) {
                int fd = open(dir, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno == EBUSY) {
                if (umount2(dir, umount_flags))
                    exit(1);
                continue;
            }
            /* New entries appeared meanwhile: rescan, at most 100 times. */
            if (errno == ENOTEMPTY) {
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}

/*
 * Write `nth` in decimal to /proc/thread-self/fail-nth and return the still
 * open descriptor; exits with 1 if the file cannot be opened or written.
 * The caller owns the returned fd.
 */
static int inject_fault(int nth)
{
    int fd;
    fd = open("/proc/thread-self/fail-nth", O_RDWR);
    if (fd == -1)
        exit(1);
    char buf[16];
    /* A decimal int needs at most 11 characters plus NUL, so 16 suffices. */
    sprintf(buf, "%d", nth);
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
        exit(1);
    return fd;
}

/*
 * SIGKILL the process group and the process `pid`, then wait for `pid` to
 * be reaped, storing its wait status in *status. If it has not exited after
 * about 100 ms of polling, every FUSE connection is aborted before a final
 * blocking wait.
 */
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
DIR* dir = opendir("/sys/fs/fuse/connections");
    /* A process blocked on a FUSE request may not die on SIGKILL until the
     * connection is aborted, so abort every connection listed here. */
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            /* One byte is written; its value is presumably irrelevant. */
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

/* Detach the backing file from /dev/loop<procid>, if that device can be opened. */
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

/*
 * Per-test process setup: die with the parent, become a process-group
 * leader, mark the process as the preferred OOM-killer victim
 * (oom_score_adj = 1000) and create a ./binderfs symlink. Errors are
 * ignored.
 */
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
    if (symlink("/dev/binderfs", "./binderfs")) {
    }
}

/*
 * Probe for kernel fault injection and configure its debugfs knobs.
 *
 * Returns NULL on success, otherwise a static message naming what is
 * missing. Only the entry marked `fatal` in the table aborts setup when it
 * cannot be written; the others are best effort.
 */
static const char* setup_fault()
{
    int fd = open("/proc/self/make-it-fail", O_WRONLY);
    if (fd == -1)
        return "CONFIG_FAULT_INJECTION is not enabled";
    close(fd);
    fd = open("/proc/thread-self/fail-nth", O_WRONLY);
    if (fd == -1)
        return "kernel does not have systematic fault injection support";
    close(fd);
    static struct {
        const char* file;
        const char* val;
        bool fatal;
    } files[] = {
        {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
        {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
    };
    unsigned i;
    for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].file, files[i].val)) {
            if (files[i].fatal)
                return "failed to write fault injection file";
        }
    }
    return NULL;
}

#define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"

/*
 * Prepare kmemleak for leak checking: turn off its automatic scanning, run
 * two manual scans five seconds apart, then clear the report list so leaks
 * that predate the test are not attributed to it.
 *
 * Returns NULL on success or a static error message.
 */
static const char* setup_leak()
{
    if (!write_file(KMEMLEAK_FILE, "scan=off")) {
        if (errno == EBUSY)
            return "KMEMLEAK disabled: increase CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE"
                   " or unset CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF";
        return "failed to write(kmemleak, \"scan=off\")";
    }
    if (!write_file(KMEMLEAK_FILE, "scan"))
        return "failed to write(kmemleak, \"scan\")";
    sleep(5);
    if (!write_file(KMEMLEAK_FILE, "scan"))
        return "failed to write(kmemleak, \"scan\")";
    if (!write_file(KMEMLEAK_FILE, "clear"))
        return "failed to write(kmemleak, \"clear\")";
    return NULL;
}

/*
 * Scan for kernel memory leaks and fail the run if any are reported.
 *
 * Scans, waits until at least four seconds have passed since the start,
 * scans again and reads the report. A non-empty report is confirmed with
 * one more scan and re-read before each "unreferenced object" record is
 * printed to stderr as "BUG: memory leak". The list is cleared before
 * returning; exits with 1 on any I/O error or when a leak was printed.
 */
static void check_leaks(void)
{
    int fd = open(KMEMLEAK_FILE, O_RDWR);
    if (fd == -1)
        exit(1);
    uint64_t start = current_time_ms();
    if (write(fd, "scan", 4) != 4)
        exit(1);
    sleep(1);
    while (current_time_ms() - start < 4 * 1000)
        sleep(1);
    if (write(fd, "scan", 4) != 4)
        exit(1);
    /* static: 128 KiB is too large for the 1 MiB stack limit to carry comfortably. */
    static char buf[128 << 10];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    if (n < 0)
        exit(1);
    int nleaks = 0;
    if (n != 0) {
        /* Re-scan and re-read from offset 0 to weed out transient reports. */
        sleep(1);
        if (write(fd, "scan", 4) != 4)
            exit(1);
        if (lseek(fd, 0, SEEK_SET) < 0)
            exit(1);
        n = read(fd, buf, sizeof(buf) - 1);
        if (n < 0)
            exit(1);
        /* One byte was reserved above for this terminator. */
        buf[n] = 0;
        char* pos = buf;
        char* end = buf + n;
        while (pos < end) {
            /* Split at the next record header, temporarily NUL-terminating
             * the current record so it can be printed on its own. */
            char* next = strstr(pos + 1, "unreferenced object");
            if (!next)
                next = end;
            char prev = *next;
            *next = 0;
            fprintf(stderr, "BUG: memory leak\n%s\n", pos);
            *next = prev;
            pos = next;
            nleaks++;
        }
    }
    if (write(fd, "clear", 5) != 5)
        exit(1);
    close(fd);
    if (nleaks)
        exit(1);
}

/* syz_fuse_handle_req() rejects read buffers smaller than this many bytes. */
#define FUSE_MIN_READ_BUFFER 8192

/* FUSE request opcodes, matched against fuse_in_header.opcode. */
enum fuse_opcode {
    FUSE_LOOKUP = 1,
    FUSE_FORGET = 2,
    FUSE_GETATTR = 3,
    FUSE_SETATTR = 4,
    FUSE_READLINK = 5,
    FUSE_SYMLINK = 6,
    FUSE_MKNOD = 8,
    FUSE_MKDIR = 9,
    FUSE_UNLINK = 10,
    FUSE_RMDIR = 11,
    FUSE_RENAME = 12,
    FUSE_LINK = 13,
    FUSE_OPEN = 14,
    FUSE_READ = 15,
    FUSE_WRITE = 16,
    FUSE_STATFS = 17,
    FUSE_RELEASE = 18,
    FUSE_FSYNC = 20,
    FUSE_SETXATTR = 21,
    FUSE_GETXATTR = 22,
    FUSE_LISTXATTR = 23,
    FUSE_REMOVEXATTR = 24,
    FUSE_FLUSH = 25,
    FUSE_INIT = 26,
    FUSE_OPENDIR = 27,
    FUSE_READDIR = 28,
    FUSE_RELEASEDIR = 29,
    FUSE_FSYNCDIR = 30,
    FUSE_GETLK = 31,
    FUSE_SETLK = 32,
    FUSE_SETLKW = 33,
    FUSE_ACCESS = 34,
    FUSE_CREATE = 35,
    FUSE_INTERRUPT = 36,
    FUSE_BMAP = 37,
    FUSE_DESTROY = 38,
    FUSE_IOCTL = 39,
    FUSE_POLL = 40,
FUSE_NOTIFY_REPLY = 41,
    FUSE_BATCH_FORGET = 42,
    FUSE_FALLOCATE = 43,
    FUSE_READDIRPLUS = 44,
    FUSE_RENAME2 = 45,
    FUSE_LSEEK = 46,
    FUSE_COPY_FILE_RANGE = 47,
    FUSE_SETUPMAPPING = 48,
    FUSE_REMOVEMAPPING = 49,
    FUSE_SYNCFS = 50,
    FUSE_TMPFILE = 51,
    FUSE_STATX = 52,
    CUSE_INIT = 4096,
    CUSE_INIT_BSWAP_RESERVED = 1048576,
    FUSE_INIT_BSWAP_RESERVED = 436207616,
};

/* Header at the start of every request read from the FUSE device fd. */
struct fuse_in_header {
    uint32_t len;
    uint32_t opcode;
    uint64_t unique;
    uint64_t nodeid;
    uint32_t uid;
    uint32_t gid;
    uint32_t pid;
    uint32_t padding;
};

/* Header at the start of every reply written back to the FUSE device fd. */
struct fuse_out_header {
    uint32_t len;
    uint32_t error;
    uint64_t unique;
};

/*
 * Caller-prepared reply templates, one per reply shape. Each pointer refers
 * to a buffer that begins with a fuse_out_header; syz_fuse_handle_req()
 * picks the member that matches the request opcode. Members may be NULL.
 */
struct syz_fuse_req_out {
    struct fuse_out_header* init;
    struct fuse_out_header* lseek;
    struct fuse_out_header* bmap;
    struct fuse_out_header* poll;
    struct fuse_out_header* getxattr;
    struct fuse_out_header* lk;
    struct fuse_out_header* statfs;
    struct fuse_out_header* write;
    struct fuse_out_header* read;
    struct fuse_out_header* open;
    struct fuse_out_header* attr;
    struct fuse_out_header* entry;
    struct fuse_out_header* dirent;
    struct fuse_out_header* direntplus;
    struct fuse_out_header* create_open;
    struct fuse_out_header* ioctl;
    struct fuse_out_header* statx;
};

/*
 * Send one reply on the FUSE device fd.
 *
 * Copies the request's `unique` id into the template and writes
 * out_hdr->len bytes starting at out_hdr. Returns 0 on success, -1 when
 * out_hdr is NULL or write() fails.
 *
 * The length comes from the template and is not validated here: the write
 * covers whatever out_hdr->len says, so the template buffer must really be
 * that large. A short write is treated as success.
 */
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
    if (!out_hdr) {
        return -1;
    }
    out_hdr->unique = in_hdr->unique;
    if (write(fd, out_hdr, out_hdr->len) == -1) {
        return -1;
    }
    return 0;
}

/*
 * Pseudo-syscall: read one FUSE request and answer it from a template.
 *
 * a0 is the FUSE device fd, a1 the read buffer, a2 its length, a3 a
 * struct syz_fuse_req_out. Returns 0 when a reply was sent (or none is
 * sent, for FORGET/BATCH_FORGET) and -1 on a NULL a3, a buffer shorter than
 * FUSE_MIN_READ_BUFFER, a failed or truncated read, an opcode outside the
 * switch below, or a missing template.
 *
 * The `volatile` on the return type has no effect.
 */
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
    struct fuse_out_header* out_hdr = NULL;
    char* buf = (char*)a1;
    int buf_len = (int)a2;
    int fd = (int)a0;

    if (!req_out) {
        return -1;
    }
    if (buf_len < FUSE_MIN_READ_BUFFER) {
        return -1;
    }
    int ret = read(fd, buf, buf_len);
    if (ret == -1) {
        return -1;
    }
    /* The header is only trusted once a complete one has been read. */
    if ((size_t)ret < sizeof(struct fuse_in_header)) {
        return -1;
    }
    const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
    /* Reject a request that claims more bytes than were actually read. */
    if (in_hdr->len > (uint32_t)ret) {
        return -1;
    }
    switch (in_hdr->opcode) {
    case FUSE_GETATTR:
    case FUSE_SETATTR:
        out_hdr = req_out->attr;
        break;
    case FUSE_LOOKUP:
    case FUSE_SYMLINK:
    case FUSE_LINK:
    case FUSE_MKNOD:
    case FUSE_MKDIR:
        out_hdr = req_out->entry;
        break;
    case FUSE_OPEN:
    case FUSE_OPENDIR:
        out_hdr = req_out->open;
        break;
    case FUSE_STATFS:
        out_hdr = req_out->statfs;
        break;
    /* These requests get a header-only reply: the init template is
     * borrowed and its length forced to the bare header size. */
    case FUSE_RMDIR:
    case FUSE_RENAME:
    case FUSE_RENAME2:
    case FUSE_FALLOCATE:
    case FUSE_SETXATTR:
    case FUSE_REMOVEXATTR:
    case FUSE_FSYNCDIR:
    case FUSE_FSYNC:
    case FUSE_SETLKW:
    case FUSE_SETLK:
    case FUSE_ACCESS:
    case FUSE_FLUSH:
    case FUSE_RELEASE:
    case FUSE_RELEASEDIR:
    case FUSE_UNLINK:
    case FUSE_DESTROY:
        out_hdr = req_out->init;
        if (!out_hdr) {
            return -1;
        }
        out_hdr->len = sizeof(struct fuse_out_header);
        break;
    case FUSE_READ:
        out_hdr = req_out->read;
        break;
    case FUSE_READDIR:
        out_hdr = req_out->dirent;
        break;
    case FUSE_READDIRPLUS:
        out_hdr = req_out->direntplus;
        break;
    case FUSE_INIT:
        out_hdr = req_out->init;
        break;
    case FUSE_LSEEK:
        out_hdr = req_out->lseek;
        break;
    case FUSE_GETLK:
        out_hdr = req_out->lk;
        break;
    case FUSE_BMAP:
        out_hdr = req_out->bmap;
        break;
    case FUSE_POLL:
        out_hdr = req_out->poll;
        break;
    case FUSE_GETXATTR:
    case FUSE_LISTXATTR:
        out_hdr = req_out->getxattr;
        break;
    case FUSE_WRITE:
    case FUSE_COPY_FILE_RANGE:
        out_hdr = req_out->write;
        break;
    /* No reply is sent for FORGET requests. */
    case FUSE_FORGET:
    case FUSE_BATCH_FORGET:
        return 0;
    case FUSE_CREATE:
        out_hdr = req_out->create_open;
        break;
    case FUSE_IOCTL:
        out_hdr = req_out->ioctl;
        break;
    case FUSE_STATX:
        out_hdr = req_out->statx;
        break;
    default:
        return -1;
    }
    /* A NULL template is rejected inside fuse_send_response(). */
    return fuse_send_response(fd, in_hdr, out_hdr);
}

/* Netlink attribute ids used in the mac80211_hwsim messages built below. */
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
/* Largest frame, in bytes, that syz_80211_inject_frame() accepts. */
#define WIFI_MAX_INJECT_LEN 2048

/*
 * Send HWSIM_CMD_REGISTER on the generic netlink socket `sock`.
 * Returns the result of netlink_send_ext(), negative on failure.
 */
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
    struct genlmsghdr genlhdr;

    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_REGISTER;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    int err =
netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len) { struct genlmsghdr genlhdr; uint32_t rx_rate = WIFI_DEFAULT_RX_RATE; uint32_t signal = WIFI_DEFAULT_SIGNAL; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_FRAME; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate)); netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal)); netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN); netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len); int err = netlink_send_ext(nlmsg, sock, 0, NULL, false); if (err < 0) { } return err; } static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2) { uint8_t* mac_addr = (uint8_t*)a0; uint8_t* buf = (uint8_t*)a1; int buf_len = (int)a2; struct nlmsg tmp_msg; if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false); if (hwsim_family_id < 0) { close(sock); return -1; } int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id); if (ret < 0) { close(sock); return -1; } ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len); close(sock); if (ret < 0) { return -1; } return 0; } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 
|| mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false); if (nl80211_family_id < 0) { close(sock); return -1; } struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false); if (ret < 0) { return -1; } } return 0; } #define USLEEP_FORKED_CHILD (3 * 50 *1000) static long handle_clone_ret(long ret) { if (ret != 0) { return ret; } usleep(USLEEP_FORKED_CHILD); syscall(__NR_exit, 0); while (1) { } } static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls) { long sp = (stack + stack_len) & ~15; long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls); return handle_clone_ret(ret); } #define MAX_CLONE_ARGS_BYTES 256 static long syz_clone3(volatile long a0, volatile long a1) { unsigned long copy_size = a1; if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES) return -1; char clone_args[MAX_CLONE_ARGS_BYTES]; memcpy(&clone_args, (void*)a0, copy_size); uint64_t* flags = (uint64_t*)&clone_args; *flags &= ~CLONE_VM; return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size)); } #define RESERVED_PKEY 15 static long syz_pkey_set(volatile long pkey, volatile long val) { if (pkey == RESERVED_PKEY) { errno = EINVAL; return -1; } uint32_t eax = 0; uint32_t ecx = 0; asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx"); eax &= ~(3 << ((pkey % 16) * 2)); eax |= (val & 3) << ((pkey 
% 16) * 2); uint32_t edx = 0; asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx)); return 0; } static long syz_pidfd_open(volatile long pid, volatile long flags) { if (pid == 1) { pid = 0; } return syscall(__NR_pidfd_open, pid, flags); } static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer) { const char* test_name = (const char*)test_name_ptr; if (!test_name) { return -1; } if (!buffer) { return -1; } char buf[256]; int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name); if (ret < 0 || (unsigned long)ret >= sizeof(buf)) { return -1; } int fd = openat(AT_FDCWD, buf, O_WRONLY, 0); if (fd < 0) { return -1; } ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size); if (bytes_written != input_data_size) { close(fd); return -1; } if (close(fd) != 0) { return -1; } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 57; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 41 ? 
4000 : 0) + (call == 48 ? 200 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 300 : 0) + (call == 53 ? 300 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); check_leaks(); } } uint64_t r[29] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x200000000000, "/dev/admmidi#\000", 14); inject_fault(1); res = -1; res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0x302d694, /*flags=O_NOFOLLOW|O_DIRECTORY|FASYNC|O_APPEND*/0x32400); if (res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80045700, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000080, "/dev/hpet\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); for (int i = 0; i < 4; i++) { syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); } if (res != -1) r[1] = res; break; case 3: syscall(__NR_ioctl, /*fd=*/r[1], 
/*cmd=*/0x40045436, /*arg=*/0x17ul); break; case 4: *(uint32_t*)0x200000000100 = 0x14; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/6, /*optname=*/0x1d, /*optval=*/0x2000000000c0ul, /*optlen=*/0x200000000100ul); break; case 5: *(uint64_t*)0x200000000340 = 0x8800000; *(uint64_t*)0x200000000348 = 0x200000000140; *(uint64_t*)0x200000000350 = 0x200000000180; *(uint64_t*)0x200000000358 = 0x2000000001c0; *(uint32_t*)0x200000000360 = 0; *(uint64_t*)0x200000000368 = 0x200000000200; *(uint64_t*)0x200000000370 = 0x72; *(uint64_t*)0x200000000378 = 0x200000000280; *(uint64_t*)0x200000000380 = 0x200000000300; *(uint32_t*)0x200000000300 = 0; *(uint32_t*)0x200000000304 = -1; *(uint32_t*)0x200000000308 = 0; *(uint32_t*)0x20000000030c = -1; *(uint32_t*)0x200000000310 = 0; *(uint32_t*)0x200000000314 = 0; *(uint32_t*)0x200000000318 = -1; *(uint32_t*)0x20000000031c = 0; *(uint64_t*)0x200000000388 = 8; *(uint32_t*)0x200000000390 = r[1]; res = -1; res = syz_clone3(/*args=*/0x200000000340, /*size=*/0x58); if (res != -1) r[2] = *(uint32_t*)0x200000000180; break; case 6: syscall(__NR_kcmp, /*pid1=*/r[2], /*pid2=*/0, /*type=KCMP_FILES*/2ul, /*fd1=*/r[0], /*fd2=*/(intptr_t)-1); break; case 7: *(uint32_t*)0x2000000003c0 = 0; *(uint32_t*)0x2000000003c4 = 4; *(uint32_t*)0x2000000003c8 = 0; *(uint32_t*)0x2000000003cc = 8; *(uint32_t*)0x200000000400 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0, /*val=*/0x2000000003c0ul, /*len=*/0x200000000400ul); if (res != -1) r[3] = *(uint32_t*)0x2000000003c0; break; case 8: *(uint16_t*)0x200000000440 = 6; *(uint16_t*)0x200000000442 = 0x8207; *(uint32_t*)0x200000000444 = 0x96d; *(uint32_t*)0x200000000448 = 0x10; *(uint32_t*)0x20000000044c = r[3]; *(uint32_t*)0x200000000480 = 0x10; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0x22, /*val=*/0x200000000440ul, /*len=*/0x200000000480ul); break; case 9: syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc04c6100, /*arg=*/0x200000000500ul); break; case 10: 
memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); *(uint16_t*)0x200000000042 = 0x8000; memcpy((void*)0x200000000044, "\x63\x44\x8e\xdb\x2f\xb0", 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 0; syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x10); break; case 11: memcpy((void*)0x200000000080, "wlan0\000", 6); memset((void*)0x2000000000c0, 2, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=JOIN_IBSS_BG_NO_SCAN*/2); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_kernel_create_files_as\000", 31); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\x28\x03\x83\x7c\xbc\xf3\x7b\xce\x72\xc1\xa7\x3b\x90\x9c\x68\xfe\x5b\xf7\xa6\x36\x3c\xdc\x90\xc0\x0d\xc6\x01\x3b\x35\xda\x02\xa6\x6a\x05\x91\x66\x71\x54\xa5\x56\x7c\x0e\x5e\xe6\x93\x3d\x6d\xa8\xbf\xed\xac\x5d\x27\x8a\x29\x1e\xfa\x30\x20\xba\x15\xe3\x90\xeb\x38\xda\x76\x26\x1c\x3a\xef\xf9\xee\xa8\xab\xea\xce", 77); memcpy((void*)0x200000000240, "\x6a\x0b\x56\xff\x4b\x8f\xac\x28\x77\x3c\xa1\x37\x65\x2b\x5b\x0f\xd8\x03\xa0\x41\x3c\x28\x20\x37\xf7\x21\xcb\x96\xec\xf2\xbb\x1a\x61\x6d\xc3\xd5\x6e\xee\xa2\x6f\x6b\x16\xf4\x56\x2d\x17\xc6\xd8\xb8\x83\x8f\x18\x44\xb5\x85\xeb\xcc\x0b\x56\x2f\x05\x57\xb2\xc7\xe9\xf0\xdd\xa1\xce\x4c\xc6\x1d", 72); res = -1; res = syz_clone(/*flags=CLONE_NEWCGROUP|CLONE_SETTLS*/0x2080000, /*stack=*/0x200000000140, /*stack_len=*/0x4d, /*parentid=*/0x2000000001c0, /*childtid=*/0x200000000200, /*tls=*/0x200000000240); if (res != -1) r[4] = res; break; case 14: *(uint64_t*)0x200000000480 = 0xc2e0; res = 
syscall(__NR_socketcall, /*call=*/8ul, /*args=*/0x200000000480ul); if (res != -1) r[5] = res; break; case 15: *(uint64_t*)0x2000000004c0 = 0x18000000; *(uint64_t*)0x2000000004c8 = 0x2000000002c0; *(uint64_t*)0x2000000004d0 = 0x200000000300; *(uint64_t*)0x2000000004d8 = 0x200000000340; *(uint32_t*)0x2000000004e0 = 9; *(uint64_t*)0x2000000004e8 = 0x200000000380; *(uint64_t*)0x2000000004f0 = 0x29; *(uint64_t*)0x2000000004f8 = 0x2000000003c0; *(uint64_t*)0x200000000500 = 0x200000000440; *(uint32_t*)0x200000000440 = r[4]; *(uint32_t*)0x200000000444 = r[4]; *(uint32_t*)0x200000000448 = r[4]; *(uint64_t*)0x200000000508 = 3; *(uint32_t*)0x200000000510 = r[5]; res = -1; res = syz_clone3(/*args=*/0x2000000004c0, /*size=*/0x58); if (res != -1) { r[6] = *(uint32_t*)0x2000000002c0; r[7] = *(uint32_t*)0x200000000300; r[8] = *(uint32_t*)0x200000000340; } break; case 16: memcpy((void*)0x200000000540, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000540); break; case 17: memcpy((void*)0x2000000006c0, "/dev/fuse\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000006c0ul, /*flags=*/2, /*mode=*/0); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000002b00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0, /*optname=*/0x11, /*optval=*/0x200000002a00ul, /*optlen=*/0x200000002b00ul); if (res != -1) r[10] = *(uint32_t*)0x200000002a34; break; case 19: *(uint32_t*)0x200000002b40 = 5; *(uint32_t*)0x200000002b44 = 0xee00; *(uint64_t*)0x200000002b48 = 1; *(uint64_t*)0x200000002b50 = 5; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x4018aee3, /*arg=*/0x200000002b40ul); if (res != -1) r[11] = *(uint32_t*)0x200000002b44; break; case 20: *(uint32_t*)0x200000002c00 = 0xee00; *(uint64_t*)0x200000002c08 = 0; *(uint64_t*)0x200000002c10 = 8; *(uint64_t*)0x200000002c18 = 1; *(uint32_t*)0x200000002c20 = 6; *(uint16_t*)0x200000002c24 = 5; *(uint16_t*)0x200000002c26 = 0; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x40286608, 
/*arg=*/0x200000002c00ul); if (res != -1) r[12] = *(uint32_t*)0x200000002c00; break; case 21: *(uint32_t*)0x200000002f00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000002e00ul, /*optlen=*/0x200000002f00ul); if (res != -1) r[13] = *(uint32_t*)0x200000002e34; break; case 22: *(uint32_t*)0x200000004040 = 8; *(uint32_t*)0x200000004044 = 0; *(uint32_t*)0x200000004048 = -1; *(uint32_t*)0x20000000404c = 2; *(uint32_t*)0x200000004050 = 0x10; *(uint32_t*)0x200000004054 = 4; *(uint16_t*)0x200000004058 = 7; *(uint32_t*)0x20000000405c = 0x7f; *(uint64_t*)0x200000004060 = 0xbb; *(uint64_t*)0x200000004068 = 0xf; *(uint64_t*)0x200000004070 = 4; *(uint32_t*)0x200000004078 = 0x800; *(uint32_t*)0x20000000407c = 2; *(uint16_t*)0x200000004080 = 5; *(uint16_t*)0x200000004082 = 0; *(uint64_t*)0x200000004088 = 0x200000002f40; memcpy((void*)0x200000002f40, "\xa0\xfc\x03\x37\xfa\xea\x63\x1f\x70\x4d\x04\xb5\xa5\x94\xdd\x3a\x87\xe2\x74\x7c\x38\x74\x0f\x43\x57\xe5\xcb\x22\x1b\xf4\x40\x57\x95\xc2\x99\x06\x22\x7d\x36\x4e\x04\x46\xeb\xf7\x7d\x11\x1a\xb6\x66\x81\x06\xa0\x02\x14\x0a\x81\x07\x1b\x6d\x28\xcf\xab\xb3\x7a\xea\x4e\x26\xc4\x65\x7d\xb3\x19\x16\xf1\x71\x81\xef\x2f\xbb\xa8\xcf\x19\x4a\x98\xc4\x35\xa1\x00\x7c\x27\x0c\xd6\xef\xf5\xc6\x42\x45\x37\x19\x7a\x13\x02\x02\xf2\x8c\xe2\x58\x6b\xe0\xce\xff\x0d\xb4\x7a\x35\x35\x12\x18\xf4\x9a\x45\x99\xa9\x8e\x93\xfd\x6f\xa6\xbe\x92\x17\x67\x82\xd2\x9c\xcf\xc9\x00\xc7\x67\xf4\xde\x10\x2c\x3a\x77\x79\x57\x7f\xf3\x6f\x42\x7d\xca\xed\x1e\x8d\xd3\x89\x65\x0f\xbe\x9c\xc0\xca\xb5\xb4\x39\x0e\x80\x5e\xc3\x0a\xd6\x41\x1c\xff\x60\x65\xa8\xa5\x76\x10\xab\x7c\x61\x01\x32\xa2\xa1\xbf\x37\xc8\x71\xd0\x6a\x9d\x78\xcc\x27\x68\x8f\x4b\xef\xa7\xbd\x11\x2a\x69\xdf\x64\xb5\x51\xe3", 214); *(uint64_t*)0x200000004090 = 0x200000003040; memcpy((void*)0x200000003040, 
"\x64\xb9\x52\x0e\xb1\x74\x93\x9e\xc8\x76\x43\xa2\xfd\xaf\xfe\xa4\x52\x7b\xbf\xd5\x1b\x07\xac\x94\x67\x16\x9d\x3c\x7b\xaa\x5d\xc6\x5b\x8a\x38\xd9\x50\xc8\x58\xff\x99\x23\x7e\x6e\xc0\x6b\x46\x56\xa5\x2a\xcb\x76\xc7\x55\xc1\xcf\xf1\xc0\xa6\x5e\x3d\x16\x32\xfa\xbd\x9e\x1b\x38\x18\x52\xb6\xfc\xfc\x05\x87\x44\x85\x6a\x80\xa2\x9f\xb4\xdb\xdd\x71\x5b\x3c\xd0\x8e\x15\xa5\x34\x05\xd0\xfd\x2f\xf7\xea\xc8\x36\x33\x8c\x4e\xca\x04\x56\xff\x78\xcc\x57\x12\x33\x21\x46\xb6\x71\xbc\x42\x86\x1c\xd8\xbb\x43\x20\x09\x85\xa3\x62\xf3\x9f\x15\xbd\x43\x7f\x06\x45\x8b\x86\x7d\x4b\xea\x22\x27\x49\x32\x50\xd8\x3f\xb4\x6f\x72\x97\xb8\xf8\xc2\x73\x51\xcc\xbe\xc4\xff\xd0\x71\x75\xa7\xc5\xe2\x31\x9e\x94\x21\x0d\x4a\xf5\x06\x1e\x74\x3f\x05\x0f\x2e\xa5\x38\xa3\xed\x9d\x03\x59\xf5\xa7\x54\x6c\x3d\x01\x13\xe2\x55\x26\x8c\xd0\x48\x3a\xb1\x86\xf9\xc5\x55\x02\x02\xa9\xfa\x3f\xa0\xc4\xa2\xa5\x80\x52\x41\x81\x9c\xf9\xc3\x45\xce\xcc\x6b\x77\xdd\x7c\x29\x97\x50\xb6\x7f\xf8\xcb\x5d\x9a\x6b\x0d\x3d\x98\x16\xdb\xeb\x6f\xdb\xc5\xea\x9f\xae\x4a\x25\xe1\x9b\x48\xe5\x10\xdd\xb5\xd4\xd1\x27\x1b\xa0\xc4\xa0\x83\xd0\x4c\xc5\x09\xb4\x0f\x1a\x84\x91\x95\xf3\xbc\x3e\x9f\x63\xb7\xcc\x74\x73\xff\xc7\x40\xcf\x1a\x97\x9b\xd1\xd7\xe9\x31\x7f\x6f\xc7\x7a\x62\xe5\xac\xab\x36\xc4\xa0\x63\x06\x9c\xfb\x20\x7d\xcc\x7a\xf7\x0b\x77\xa7\x43\xb3\x62\xd9\xd9\xfa\xe0\xdb\xc6\x80\x92\x3a\x0e\x34\x54\x02\x6b\x6d\xa9\x57\x9f\x35\x2a\xfe\xf7\xab\xbc\xa7\xbf\xc1\x4a\xef\x0f\xb3\xd1\x30\x55\x06\xb9\x79\x40\xea\x12\x7f\xfe\xd1\x3e\xee\xa6\xca\xe0\xbe\x96\xf5\xbe\x73\x85\xe8\xe9\xba\x4f\x00\xfd\xc5\x18\x59\xd8\x25\x19\x27\x18\xdc\xf2\x3e\x0b\x6d\xa4\x13\xaf\xf8\x54\xba\x52\x21\xba\x8d\x27\xff\x02\xb6\xc0\xf9\x66\x7f\x2f\xfe\x72\xf4\x34\xf4\xc7\x08\x5a\x52\xfe\xe5\xf0\x87\x1b\xc2\x0a\xeb\xc8\xef\x87\xc1\x7c\x49\xb2\xa4\x34\x24\x21\x54\x77\x0e\x3a\xe2\x68\xd5\xba\xe1\x1f\x22\xf2\x14\x61\x69\xd7\xa9\xc1\x6b\x5d\xaf\x83\x03\x11\x11\xce\x5c\xe9\x92\xd2\x75\xbb\x9b\xc5\xd1\x29\x0f\x7f\xea\x35\x66\x07\xe8\xdd\x9a\xcc\x55\x84\x9e\xeb\x50\x28\x27\x37\x4
c\x45\xdc\x89\xdd\x11\x86\xec\x92\x10\xbf\xf8\xe0\x05\xb7\xcb\x2c\x13\x4a\x92\x2d\x6d\xdc\x51\x22\x81\xe6\xf5\xaa\x9b\x10\x4d\x04\xbc\xc6\x00\x0b\x9f\x95\xf7\x43\x93\xf3\x12\xc9\x90\xf7\xd2\x9d\xee\x0e\xf7\xa4\xb1\x58\xfe\x69\x19\x6b\x06\x83\xf3\x5e\x8b\x4b\xa6\x5b\xb4\x9b\x31\x3d\x92\xd6\xf6\x7f\x72\xf7\xc3\xe7\xde\x4d\xd8\x84\xd7\x2c\x78\x6d\x66\xbd\xf5\x98\xa1\x5f\x9a\xc2\x96\xea\x70\x74\x03\x43\xd9\x45\x91\x18\x64\x48\xae\x73\xee\xa6\x10\x1d\xe1\x3d\xf6\x67\xab\x6e\xa1\xf5\x5a\xba\x4c\x11\x3d\x0a\xc4\x2b\xba\x7e\xc5\xbd\x1d\x56\xb6\xbc\x94\x70\x45\x59\x5c\x76\xc8\xf6\x93\x39\xbd\x2f\x19\x3d\xe2\x46\x53\x30\x10\xf4\x2a\xc9\x3c\xe0\xaf\x99\xf4\x0a\xe8\xbf\x3a\x30\x54\x3d\x68\x61\xb2\xca\x30\x6c\x0c\x08\x1d\xb7\x92\xaf\x44\x88\x20\x40\x9c\x05\x33\x0b\xdb\xe4\x4f\x70\xc5\x56\x1d\xff\x87\x04\xb5\xee\xb7\x12\xac\xd3\x21\xfb\x7b\xd5\x8c\x80\x9f\xb1\x1d\x01\x7c\x34\x87\x98\x54\xf1\x53\x24\x17\x41\xfd\xf8\xde\x35\x35\x6b\xee\x7a\x0c\xb4\x0a\x72\x6c\xc7\x83\x17\x57\x59\xe2\x66\xdd\xbc\x98\xe3\xe5\xf8\x22\x02\x4e\x33\x59\xa7\xfe\xc0\xe0\x9f\x0d\x1e\x21\x42\x62\xea\x20\x9a\x9d\xdf\x12\x28\x0e\x28\x72\x33\x93\x36\x88\x17\xde\x6d\x20\x0a\xc6\xf9\xd1\x4c\xee\x80\xcb\x71\x35\x47\xca\xd5\x53\x33\xac\xaf\xf3\xa3\x2b\x48\x96\x48\x45\x50\x1b\xf1\x08\xe8\xf5\x15\x72\x8b\x36\x72\x62\x90\xb4\x78\xf7\xf3\xda\x9a\x62\xdd\xb1\xd4\x4f\x5e\xd5\x69\xc7\xcf\xf3\x04\x51\xb1\x35\x5d\x34\x91\xeb\x80\x34\x5c\xfd\xb9\x38\x47\x5f\x9d\x16\x18\x1c\xb1\xe3\xd7\x33\xea\x45\xab\xa0\x4c\xbe\x41\x9b\x1f\xe3\x9d\xe5\x14\xe8\xb0\x0d\xb8\x27\xfe\xc1\x95\xae\x77\x31\xb2\xa6\x4a\xd2\x58\xc1\xcf\x2d\x4c\xd9\x7d\xd9\xde\xc3\x56\x4f\x9c\xa7\x4e\xd6\x25\x83\x0e\xd3\x2b\x05\x07\xad\x8c\x97\xf6\x3f\x5a\x2b\x39\xbb\xae\xc0\x4b\x3b\x88\x9b\x6d\x7c\x9f\xb9\x89\x93\xd5\xe5\xae\x40\xcd\x6b\x63\x72\xbc\x63\x1d\x37\xda\xc4\xab\x3d\x48\xb5\x89\x5b\x00\x30\xe0\x02\xe7\xf4\x43\xbe\xad\x14\xa5\x77\x7e\xcf\x5e\xe9\x99\x83\xb3\xc0\xf5\x00\x53\x9d\x02\xba\x11\xcb\x4b\xf3\x25\x99\x06\xbb\xcc\x34\x85\x5e\x6d\x4b\x2c\x49\x31\x68\x1
6\xd4\xd1\x73\x40\xd8\x93\x8d\xbb\xad\x5f\x2c\xbf\xe8\x3d\xa5\x7f\x59\xe5\x1c\x9e\xb6\xff\x62\x15\xf7\x94\xf6\x82\x28\x20\xb0\x59\x12\xdf\x85\xfe\xa5\x3c\x04\x6d\xd6\xe8\x89\x24\xa1\x8e\x71\xc0\xcd\xa6\x58\xb5\x8a\xff\x26\x19\x4f\x88\xdf\x81\xda\xf0\x6e\xe0\x94\x2c\xda\x0d\xf1\x8b\x41\xb0\xe2\x30\xb3\x05\xb4\xf9\xa4\x7f\xdb\x18\xc6\xd6\x8c\xce\xba\x1f\x24\xf2\x75\x6b\xd9\x6a\x79\x91\x12\xc3\x48\x5e\x39\x4d\x2d\xd9\xfc\x87\xab\x1b\x46\x51\xad\x05\x8a\x3e\x44\x46\x1d\x2c\x72\xf0\x38\xff\x88\x11\x04\xcb\x75\xcc\x79\x68\x3a\x9d\x97\xd8\x81\xcf\xfb\x92\xb0\x5c\x12\xbf\x4d\x3a\xb4\xdb\xe1\x79\x08\xfb\x79\x9e\xaf\xfa\x9c\xaf\xa4\xa6\x1c\xe2\x0a\xa4\xb3\xeb\xc3\xc7\x52\x20\xaa\x65\xc9\x80\x3a\x77\xf1\x81\xda\x39\x24\xcc\xa5\xf6\x05\x96\x12\xe4\x54\x86\x10\x6f\x22\xb8\xc8\x91\xf7\xb1\x46\x62\xab\xd6\x4b\x32\x58\xed\x13\xbd\xcd\x6d\x1a\x77\xc6\xa4\x15\x19\xd6\x60\x63\x74\x3a\x19\x18\xbb\x13\xe9\xb7\x57\x7f\xb6\xbb\x7d\xf2\x3f\xf1\xb9\x6e\x78\x2b\xda\x63\x94\xd4\x86\x1a\x7e\x0a\xc8\x0d\x1c\x6c\xc8\x4a\x30\x3b\x78\x41\xe5\x89\xd6\x6b\xed\x37\xcc\xc0\x5f\x4e\x9b\x4d\xfb\xc5\x3d\x3b\x50\xd5\x0e\x02\xc8\x7d\x41\xf5\x3f\x86\xde\xcb\x39\xc7\x06\xf5\x37\x2e\x9d\x6e\x3d\xde\x53\x05\x96\x20\xd2\x78\x45\xf3\xed\x77\xcd\x58\x99\xe3\x3a\xed\x5c\x4f\xb1\x40\xf8\xe4\x05\xfa\x2e\x0e\x11\x72\xea\xa7\xd4\xe9\x12\x98\x7a\x0a\xa3\xac\xf7\xc2\xd8\xe9\x4d\x16\xc9\x98\xc9\x87\xfd\x40\x4b\x23\x4e\xf7\x36\x1d\x0c\x53\x87\xe6\xb9\xd5\x5f\xb9\x72\xc7\xdc\x21\x72\x26\xce\x13\xd8\x2a\x59\x31\x1f\xe2\x69\xa0\x9c\x38\x4e\x73\x9a\x66\xbe\x43\x54\x79\x1f\x38\x1e\x74\xcc\x5d\xfb\x9a\x92\xfb\xff\xf8\x59\x5d\xf2\x4b\x40\x3e\xaf\xb0\x04\x73\xeb\x0b\x2e\x7f\xee\x36\xdb\xa4\xa9\x08\x93\x8b\xcf\xcc\xe9\x61\xfd\x10\xec\x29\xe5\x6d\xfe\x40\x59\x1e\x13\xd5\xe5\x3f\x16\xc8\x75\x9c\xa2\x7f\x80\xce\x90\x4f\x2d\x7c\x43\x32\x10\x97\x59\x5e\x90\x76\x39\xf2\x0f\x9e\x8d\xce\x70\x0c\x39\xd0\xe4\x42\xda\x88\x7a\x4d\xf0\x82\xeb\x7e\x17\x2f\xaf\xdc\xb0\x0b\x00\x8c\xaf\x55\x23\xd1\xfe\x5f\x24\x0a\xe9\x91\x49\x6d\xb9\x33\x89\xaf\x4
1\x85\xe9\xc9\xcc\xbd\xcb\x97\x31\xce\x7a\x77\x0a\xe2\xab\xac\x9d\x8c\xdd\xf3\x13\x23\x1a\x55\xe1\x27\x7b\xd3\x6c\x1e\x44\x84\x2b\x38\x72\x55\x5c\xcd\xcb\x3a\x06\x84\x59\x13\x21\xff\x15\xdc\x6d\x2c\xef\xfd\x58\x5d\xbe\xb9\x90\xe4\x05\x4f\xab\xc1\x8a\x9e\x9f\x1d\xe1\x3b\xfa\xd9\xde\x7f\x8d\xeb\x6b\x6c\x47\x2c\x42\x33\x67\xee\xad\x52\x50\x04\xde\xfa\x9e\x17\xc6\x79\x02\x36\x0b\xf1\x63\xa0\x1e\x98\xf6\xe7\x55\xcf\xf6\x28\x2a\xee\xbd\x1e\x8a\x09\x71\x5c\x15\xb9\xed\xaa\x50\x0d\xe0\x74\xc2\x8b\xad\x6d\x03\x57\x8c\x5e\x1c\x87\xbe\x71\x17\xf5\x4e\xef\xc3\x31\x3c\x38\xb6\x1d\x88\xa6\xa5\x0a\x0f\x36\xfd\xbf\x08\x4c\xb4\x14\x47\xc6\x90\xd3\xff\xcc\x83\x14\xe9\x1a\xda\x81\xd3\x4a\xcc\xd3\xe0\x6d\x19\xbc\xa2\x8f\xb4\x9b\xed\x5e\x32\xf4\xeb\xd5\x49\x29\xe4\xab\x51\xa6\x59\xb8\x1c\x1c\x35\xdf\x9e\x51\x47\x69\xb9\xeb\x31\xd7\x1d\x43\x78\x64\xf5\x4e\x99\x2a\x2b\x9b\x15\xe2\xfd\x32\x07\x81\x77\x56\xb4\x86\xd0\x81\xaf\x39\x7b\x21\xa2\x58\x44\x3d\x86\xa2\x0a\x82\xda\xb3\x09\x4a\x48\x83\x32\x47\x91\xd6\x7c\xea\x91\x8b\xec\x79\x94\xab\xce\xc1\x80\xf8\xfb\xd4\xae\x90\xad\x2c\x78\x5d\xe7\x74\x73\x08\xd8\x0a\x73\x31\x86\x4b\xd1\xa9\xbf\xfb\x51\x44\x07\x78\x51\x93\x92\x74\x05\xf7\x78\xa1\x66\x51\x4a\x33\x9b\xfe\x16\xf5\xcb\x8e\xe3\x49\xa0\x8e\x25\xb9\x4d\xc3\x51\xc7\x2e\x98\xc6\xba\xf1\x86\x02\x50\x60\xcd\x98\xd7\xd1\x4b\xf8\xee\x06\x02\x40\x40\x5a\x1c\x10\x20\x2c\xb3\x48\x57\xab\x67\x4e\xff\x41\xcd\x46\xc0\x3d\x2f\xfc\xca\xbf\x19\x4e\x0f\x35\x16\x58\xab\x02\xd9\xa1\xf9\x28\x30\x61\x7d\xe6\x91\x35\x50\x95\x34\x64\x7b\xc4\xcc\x20\x52\x87\xb2\x51\x55\x3f\xcc\x76\x89\xd5\xe6\x69\xf9\xba\x4b\xdb\x40\x36\xe0\x64\xb2\xa7\x91\xea\x5d\xe9\x3c\x66\x91\x8a\xd6\x1c\xf1\x0b\xe4\xf5\x56\x4a\x07\x1b\x02\xb9\x36\x5b\xc5\x87\x31\x6e\x65\xbd\x12\x64\xfe\x1f\x8d\xc7\xd2\x44\xab\x33\x19\xe9\xa9\x05\xe2\x44\xa0\xd0\x00\xbf\x3c\x56\x68\x11\xf7\x29\xd1\x0f\x9d\x81\xb0\x60\xcb\x7f\xf9\x3d\xa8\x05\x6d\x64\x1f\x93\x12\x1c\x50\xb9\x87\xe4\x14\x9d\x44\xc2\x34\x91\xe9\xde\x6a\x5c\x1d\x6b\x26\xf6\x44\xb3\xb0\x20\x62\x7
c\xaf\x32\xd4\x7f\x95\xa4\x85\x7b\x36\x53\x0f\xf5\xc5\xbe\x38\xca\x37\xb9\x0d\xec\x3b\xde\x10\x75\x61\x58\xd6\xdb\x91\xbc\xbb\xea\x66\x65\xfa\x14\x08\xae\xc0\x02\x5d\x9d\xfe\x3d\xe8\xa5\x7b\x8a\xf3\x00\x17\x9b\xff\x26\x03\x2e\x61\xdb\x60\xd6\xe2\x0a\xcb\x67\x15\x95\x05\x6f\xd6\x5e\x84\x03\x80\x40\xf0\x7d\x46\xdb\xd4\xcb\x8c\x0d\x3c\xe9\xfd\xa0\x02\xd2\x2e\x24\x75\x0f\x14\x58\x01\xaf\x85\xd7\x82\x68\x1b\xb9\xb1\x22\x8f\xb2\x81\xc5\x43\xe5\xdc\xde\xf8\x4b\x7a\x26\x26\xde\x59\xe1\xec\x79\xe4\x4d\x1a\x23\x0f\xed\xda\x6e\x30\x37\xb0\xe9\xc4\xca\x47\x5d\xcd\x31\x9b\x86\xbd\x4a\xb2\xcc\x3c\xd5\xee\x47\x85\x7a\xda\xa8\x8e\x7e\x77\xaf\xaa\xb3\xfd\x85\x07\x6e\xdb\x36\x15\xba\x44\xe9\x7b\x5e\x18\x1b\x5e\x8c\x86\x11\x78\x48\x54\xa8\xae\xbd\xcc\x09\x83\xe0\xb8\x37\x45\x5a\x29\x01\xb9\x19\x80\xb0\x5e\xfc\x92\x23\xd2\x06\xdc\xaa\x5b\xe6\x74\x5c\xbd\xfb\x6f\x9a\xf1\x38\x73\xb3\x77\x3f\x5a\x59\xbe\xaa\x0f\x4a\x36\xdd\xd3\x83\xd6\x3e\x12\xf5\x0e\x0f\x7c\x53\x3e\x6a\x55\x9e\x54\x5d\x28\x51\xd0\x4b\xd3\x6e\x41\x2d\x89\x1e\xac\x7b\xbf\xf3\x99\x36\x93\x7f\xa3\xe4\xfb\xfa\xf5\x10\x37\xc5\x0a\x7d\x57\x30\x05\x1e\x4c\x69\x84\xf3\x94\xf3\xf5\x9f\xaa\x61\xac\x96\xfc\x2b\xa4\xe3\x35\x64\xc2\xbb\xc6\x07\xb1\x8e\xf8\xae\xf1\x9b\x88\xb7\xac\x63\xce\xf3\xe0\x97\x1f\xa1\x15\x62\x33\x37\x3f\xa5\xb5\x8f\x16\xfa\x99\x31\x2d\x84\xa6\xb7\x90\xe7\xa6\x63\xba\x05\xe2\x37\x38\x5e\xb4\x13\xe4\x26\x0e\x02\x1b\xa3\x87\x91\x23\x57\xfe\xd3\x9f\x13\x66\xe7\x31\x8e\xbe\xa7\xb9\x21\xde\xd5\xd9\xf9\xab\x5a\x86\x12\x16\x48\x31\x0f\x09\x04\x25\x8a\x9e\x4d\x59\x0d\x65\x43\x1d\x23\xe6\x22\x30\x9d\xe9\x64\xcb\x77\xdf\x8f\x28\x07\x66\x7b\xd5\x81\x81\xe4\x85\xc2\xe0\x3c\x29\x5c\x15\xe5\x27\x4c\x70\x6c\x1a\x00\x27\xb6\x75\x1e\x40\x95\x9a\x15\x81\xc7\x10\x77\x4b\xd5\x57\x53\x67\xc9\x3c\x17\xfb\x84\x44\x97\x6e\x38\x47\x11\xd4\xde\xbc\xe0\x97\x54\xe9\x7b\x04\x8d\x47\xb3\xdd\x82\xf7\x5f\xa9\x39\x37\xd0\x72\x2c\xb2\x37\x9e\x8b\x4b\x02\x67\x59\x91\xed\x1b\xc5\xf1\xf1\x5f\xea\x5f\xbe\x59\xc6\x3a\x29\x91\xaf\x99\x8a\x21\x99\x1f\x1
d\x46\xcd\x3d\x21\x1a\x53\x2c\xee\x73\x2f\xfb\xcf\x55\xb2\x87\x90\xc4\xba\xdb\xa7\x68\xc5\x7a\x26\x23\xdf\x69\xb3\x96\xc2\xac\xcf\x92\x58\x06\xd5\x52\x61\xb7\x08\x74\x35\xe4\x97\x45\x29\x75\xb1\x52\x66\x52\x2e\xf9\x76\x37\x95\x6f\xaa\x20\xe8\xec\x65\x3c\x9c\x0c\x07\x73\x60\x3d\x77\x67\x7d\x0e\xf1\xec\x99\xa0\xf6\x1c\xcc\xf7\xe1\x10\x30\x51\xa7\x85\x2a\x00\x77\xf9\x73\x36\x9f\x6d\x80\x56\xb7\x9c\x53\x7a\xea\x6b\x41\x07\x09\xdf\x69\x37\xb6\xb7\xce\x03\x39\x8e\x1a\x7a\x1e\xf8\xe0\x62\xbf\x5b\x5a\x11\x0b\xc0\xda\xf2\x76\x5c\x92\xe6\x95\x83\x4a\xdd\x9a\xc0\x3f\x5e\xa5\x6f\x8e\xc1\xd6\x4a\x8f\xad\x07\x41\x0e\x30\x19\xd8\x4c\x0e\x7c\xdf\x1c\x49\xe9\x50\x91\x79\x4a\x3a\xad\x82\xab\xf6\x3e\x9c\x6c\xeb\xab\xdf\x05\xe8\x05\x03\xd1\xba\x70\x37\xe9\xb0\xb3\x5a\xad\x55\x17\xa0\x29\x88\xa3\x43\xb6\xa4\xaf\x6d\x82\x77\x96\x4f\xcd\x3e\x72\x0c\x19\xeb\xcb\xca\x7c\x4a\x87\x7c\x4b\x17\x40\x5d\x4e\x04\xe2\xbf\xf0\x36\xd6\xf5\xe8\xda\x62\xd6\xec\x70\xd1\xcd\xd9\x70\xe8\xba\x36\xf7\xfa\x95\x6c\xbd\xe7\x89\x25\xa4\x43\xb9\x57\x9b\xe0\x39\xe5\x65\x39\x66\xe7\x45\xb1\xd9\x3c\x62\x97\x0f\x29\x07\xfb\x53\x5c\x88\x82\x0b\x95\xb2\x44\x09\xd1\xbb\x81\xe0\xcd\xfb\xdc\x39\x72\x78\xa8\xb1\xeb\xa6\x32\x5e\x69\x3a\x93\xb5\x50\xdc\x2d\x7f\xf0\x55\x98\xf8\x24\x67\x94\xb2\xd0\x1b\x58\xf3\x03\x24\xe4\x4c\x43\x9e\xc6\xe1\x70\xb6\x92\xef\x2d\x55\x2f\x33\x22\x42\x10\x1f\xe2\x45\x86\x56\x4b\x87\xe4\xd0\x4c\x5c\x41\x37\xf4\x53\x45\x1d\xc8\x2c\xe4\x9f\x93\xd5\x0e\x49\xac\xf2\xb9\x66\xd0\xd5\x00\xff\xf9\x9b\x98\x4d\x70\xfa\xa2\x06\x11\x87\x36\x9a\x3d\xd5\x03\x37\x87\x2c\x23\x0e\x6f\xbd\xa2\x42\x0e\x56\x58\x86\xb6\xee\xf5\x3e\xb5\x32\x23\x9a\x98\x23\x7b\xf8\xcf\x35\x49\xf6\x0b\x08\x3d\x81\xa1\x6e\x6a\x30\xc2\x6a\x74\x45\x6f\xbf\x8d\xdc\x24\x76\x78\x4e\x77\x6d\xf7\x49\x0a\x31\xe1\x11\x3c\xb0\xd8\x76\xd5\xca\x9f\xbf\xc3\x2c\xf6\x08\x1f\x75\x42\x01\x5b\x41\xae\x86\xf9\xc0\xbb\xfe\xd2\xb8\x47\x4b\xfc\xd7\x82\x84\x46\x7c\x22\xf1\xd6\xdf\x54\xbb\x3e\x28\xf5\xcf\xf0\x07\xe9\xd5\xd5\x59\x7c\x83\x7a\x72\xeb\x04\xef\x8d\x1
f\x3a\xc0\x60\xb9\xf1\xff\xf3\xd7\x4d\xa3\x5b\xf1\xcc\x3f\xf9\xd8\x36\xbf\xc8\xd2\xcc\xb0\x72\x14\xaf\xd3\x57\xc2\x96\xae\x04\xa5\xce\x01\xfd\xc7\x79\xe9\xb4\xae\x6d\x67\x7c\x6f\xc4\x8f\x73\x83\x06\x4f\x2d\x21\x7d\x51\xe3\x90\x60\x9d\xad\x93\x30\x22\xed\x7c\x35\xf8\x9e\x83\xb5\x55\xc8\xe3\xcc\xec\x20\x4e\x59\x32\x28\xf3\x24\x44\x27\xcf\xed\x43\xbd\x37\x1e\xe5\xf5\x84\xce\xab\x01\xf8\x8d\x1c\x99\x47\x41\x89\xb8\x76\xc9\x53\x40\x89\xdd\x5d\x04\x60\xda\x83\x3a\xfb\x14\xcb\x1c\xb1\xf4\xbf\x85\x17\xff\xf8\x6f\x94\xa9\x19\xb9\xf8\xee\xb3\x60\x88\x7b\x13\x9f\x67\x59\x05\xce\xee\xfa\x05\x78\x6f\xd7\xea\xa8\xcc\x60\x10\xee\x28\x69\x89\xb6\x26\x9a\x45\x05\x2d\x4c\x62\xf7\x42\xbd\xc2\x52\xfb\xfd\xb2\x16\x6f\x9b\x02\x15\x31\x6c\xe5\x69\xd5\x3f\x12\xd7\xff\x1e\x92\xd2\xbf\x11\xb6\xed\x6a\xec\x3f\xe3\xf6\x2c\x49\xa4\xcd\x2f\xeb\xca\xe8\xe1\xb4\x4b\x38\xea\xf1\xa6\xe7\x8f\x2d\xa3\xcd\xd9\x4e\xde\xa7\x15\x00\x00\xd7\x01\x5c\xb6\x52\xba\x46\xd3\xb2\x31\x5b\x64\x9e\xdc\xcf\x47\xb5\x1d\x45\x85\xdb\xc7\x60\x64\xa1\x2b\x05\xce\xd6\xfd\x11\xfe\x37\x03\xad\x22\x67\xf9\x62\x97\xbc\xd4\x55\x81\x07\x69\x74\x6e\xe2\x64\xe7\x3d\x90\x43\x38\x4e\x3a\xf7\xb4\x45\xfd\xa9\xf1\x2f\xff\xbc\x7d\x63\xcd\xc1\x05\xeb\xf8\xec\x1f\x52\x47\x5c\x73\xb0\x6b\x4a\xf0\x80\x03\x7b\xab\xda\x88\x88\xb0\x5b\x3d\x00\x51\xd7\xaa\x6c\x94\x91\x40\xdf\x65\x80\x6c\x83\x66\xf8\xe3\x64\x0f\x5a\x74\x70\x26\x26\x96\xbd\x3c\xd4\xdb\x85\x50\x2c\xbd\x5f\xe2\x2b\xb0\xf5\x92\x87\x76\x8f\xb9\xc5\x2e\x69\x33\xe5\x68\xe0\xd3\xce\x72\x83\xa4\x20\xc8\x9f\xd0\x4e\x93\xe5\x65\xdf\x0f\xf6\x8c\xc7\x43\xcd\xcf\x4d\xfc\x7f\xf0\x9c\xbe\x8a\x77\xa0\x20\x80\x4f\x4c\x17\x61\x28\x46\x16\xd9\x58\x40\x1f\x57\xaf\x9d\xc7\x13\x62\x99\x2b\x3f\xf3\x43\x9c\xcf\x85\xf4\x3b\x6c\x08\x50\x98\x96\x50\xd8\xf5\x5b\xa1\x92\x2a\x65\x00\xd2\x72\xdd\x42\x38\x6c\xbb\x23\xe6\xe6\x7e\xc9\x26\xa1\xca\x93\x57\xf4\xc8\x4b\x76\x71\x52\xe6\xc4\x36\x17\xde\xf9\x4a\xc6\x01\x4a\xa3\xc6\xca\x84\x18\x59\xdc\x57\x52\x4a\x72\x27\x41\x24\x65\x30\xda\x55\x06\x71\xec\x17\xd2\xa3\x4
2\xe5\x57\xb4\x3c\x08\xa9\x3c\x12\x67\x63\x7f\xff\x37\xff\x4a\x40\x85\x52\x8e\x7c\xe6\xd0\x9d\xe6\x42\x99\x6f\xff\x98\x68\x85\x44\xa7\xc2\x3b\xff\x8b\x6f\xdb\xe5\x33\x42\x4c\xcb\x11\x9a\x56\x7f\x1f\x15\xc0\xb4\x65\x0e\xd8\x0e\xfe\x24\xab\x4d\x1c\x1e\x33\x30\x5a\xfd\x2c\xea\xc6\x82\xc0\xea\xca\xa5\x66\x9e\x44\x34\xf6\x34\xb1\xc6\x12\x71\xd9\x5b\x00\x95\xc7\xb1\xa6\x2a\x2d\x07\x3a\xad\x80\xc5\x10\x15\xbb\x51\x50\x84\x5c\x11\x86\x33\xa3\xc4\xc9\x4b\x74\x63\xfe\x73\x39\x18\x2e\xa0\x1a\x7e\x28\x63\x7c\x27\xb5\xf8\x60\x68\xa7\x37\x4a\xe7\x7c\x5c\xdd\x6d\xd9\xb4\x69\xdd\x9a\x47\x5c\x37\x52\x8e\x2f\x1c\x40\x13\x23\x59\xe9\xe6\x5e\x23\xad\x45\x95\xb1\x60\xad\x9a\x2d\x83\xcc\xe0\x78\xf4\xd6\x18\x1f\xd3\x02\x6c\x2a\x0b\x13\x02\xfa\xa6\x9a\x51\x80\xa2\xc2\x0b\x3a\x32\x87\x6e\xfc\x2a\x62\x81\xc4\x09\xc2\xe6\x6e\x00\xde\xb5\x30\x98\x19\x7f\x13\x18\x5b\x7d\xa5\x89\xb0\xcf\xe2\xa3\x12\xf0\xf6\x1e\xfa\xb2\x9a\x7b\x1b\x61\x4f\xaa\x57\xed\x37\xe0\x1f\x8b\x0c\xdf\xb2\xea\x78\x67\x74\x5d\x66\x69\xa4\xa8\x95\xb9\x7e\x1e\xd2\x4c\x2f\x3c\xf2\x3e\x88\x51\x13\x8d\x9a\x64\x0c\x2c\x0b\x32\x1d\x00\xf0\xa4\xdd\x9a\x72\xfe\x5b\xa4\x3a\xc4\x7d\xd3\x1a\x01\x4d\x31\xb7\x25\xee\x28\xcd\x8f\xbe\xd0\xbc\x78\x14\x59\x80\xb5\x86\xd3\x71\x84\x8b\xb9\x67\x48\x30\x3d\x0a\xd1\xfe\x2a\x2e\x7f\x5d\xd3\x40\x70\xc6\xfc\x50\xe1\x09\xdb\xb1\x5c\xdd\xcb\xc0\x4e\x1c\xf6\x35\x8d\x10\x50\xe6\x31\x9a\x34\xf1\x45\x2f\x44\x43\x6d\x8c\xea\x13\x7a\x37\xa1\xda\xd1\x3e\xfc\x2b\x9a\x95\x87\xa4\x3c\x2c\x3f\x3d\x5a\xa3\x2c\x09\x78\x52\x0d\x24\xda\xdd\x18\xef\xa8\x12\xa7\x2d\x33\xb2\xf4\x41\xac\x88\x52\x26\x55\x5f\x7c\xd2\x54\xab\x27\x71\x75\xc4\x35\x68\x3c\x36\xdf\x69\x7c\x2f\xb5\x36\x27\x19\x48\xe5\x38\xdd\x3b\xce\x39\x09\xa5\xc8\xc3\x7e\x97\xea\x37\x36\xcd\x1a\xda\x26\xf1\x3f\x12\x1a\x99\x06\x33\xd9\x5b\x59\xe6\x73\x93\x43\x29\x93\xc0\xc8\x4f\xd6\xd5\x2b\xeb\x7e\x3d\x02\xa4\x37\xeb\x28\x1a\xf5\x73\xba\x1c\x47\xf3\x73\xf6\xcc\xd6\xe0\xb1\x83\xa2\x1c\xbe\x9f\xdb\xb8\x2c\xcc\x39\x6f\x16\xaf\xf1\x99\x9f\xb8\x39\xeb\xca\xff\x97\xf
a\x0b\xfd\x0d\x34\xcf\x8e\x57\x60\x6f\xd8\x23\x41\xdb\x31\x8e\x40\xcd\x9e\x85\xc1\x54\x46\x5d\xcc\xe1\xb7\xfd\x8b\x22\x80\x8f\x0e\x0d\x45\x4e\xf9\xa2\xb5\xa4\xc3\x5c\x0a\x12\x5b\x92\x37\x07\x00\x72\xd1\xcd\x82\x7c\xfd\xea\x8e\x3d\xe8\x33\xb0\x81\x4c\x8f\xf2\x60\xe6\xb3\x98\x07\xef\x86\xac\x67\x7a\xbd\xeb\x50\x7d\xd5\x7f\x69\x93\xd3\x03\xd5\x55\x17\x84\x0b\xd7\xaf\x1d\xb3\x98\x08\x21", 4096); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/6, /*buf=*/0x200000004040ul); if (res != -1) r[14] = *(uint32_t*)0x200000004048; break; case 23: *(uint32_t*)0x2000000042c0 = 2; *(uint32_t*)0x2000000042c4 = 0; *(uint32_t*)0x2000000042c8 = 0; *(uint32_t*)0x2000000042cc = 3; *(uint32_t*)0x2000000042d0 = 0x44; *(uint32_t*)0x2000000042d4 = 7; *(uint16_t*)0x2000000042d8 = 0xff00; *(uint32_t*)0x2000000042dc = 0x80; *(uint64_t*)0x2000000042e0 = 0xe5; *(uint64_t*)0x2000000042e8 = 0; *(uint64_t*)0x2000000042f0 = 8; *(uint32_t*)0x2000000042f8 = r[7]; *(uint32_t*)0x2000000042fc = r[4]; *(uint16_t*)0x200000004300 = 0x800; *(uint16_t*)0x200000004302 = 0; *(uint64_t*)0x200000004308 = 0x200000004180; memcpy((void*)0x200000004180, "\xb8\x47\x2d\xa7\x63\xb7\xf2\x33\xe5\xd2\x38\x7c\x99\x8e\xd4\x35\x56\x57", 18); *(uint64_t*)0x200000004310 = 0x2000000041c0; memcpy((void*)0x2000000041c0, 
"\x10\xf1\x21\x59\x35\x43\xac\x48\x3e\xe5\xd9\xfc\x00\x93\xe2\x03\xb9\x27\xb4\x4b\xb5\x34\xa8\x71\x1a\x28\xdf\x30\xc8\x75\x70\xf2\x5d\x8d\xd6\x43\x46\x7a\x2c\x9e\x53\x1e\x8a\x4a\xa6\xe0\x33\xf5\x71\xb9\xfe\xea\xe8\xb6\x5d\x09\x3f\x91\x56\x28\x88\x5d\x3f\x02\x8c\x3f\x44\x47\x63\x2b\x36\xf2\x2e\x16\xc1\xfc\xb5\xe7\xbd\x69\x92\xc0\x89\xdf\x96\x1f\xee\x65\xda\x52\x26\x3c\x86\x54\x31\xc8\x32\x4d\x25\x20\x54\x27\x65\x39\x02\x00\x0e\xe5\xf2\x31\xb0\x3d\xf0\x0c\xf5\xb4\xff\x9f\x87\x79\xd3\x31\xa8\xb5\x11\xc4\xdd\xf3\xba\x9b\x68\xb4\x81\x33\xa4\xcd\x4f\x26\xe7\x37\x66\x50\xcb\xa6\x10\xc6\x2a\x68\xf4\x81\x02\x20\x00\x97\x06\xa8\x5a\x06\x31\x03\xdc\x90\xdf\x67\x13\x7a\x34\xa2\xdc\x60\xea\xcd\x86\x8a\x66\xd7\xf6\x8e\x69\xc0\x4c\xc1\x95\xfd\xc8\x08\x1c\x4b\xe4\x14\x86\x03\x24\x2c\xaf\x94\x67\x0f\x9e\x25\x55\x7e\xf9\xad\xa0\xf2\x3c\x59\x61\xfc\x07\xfe\x58\xc7\x8b\xff\x01\x3f\x83\x44\xdd\x96\x11\xe2\x31\x49\x63\xbf\x51\xdf\x6c\x98\x4c\x56\xb9\xaf", 236); res = syscall(__NR_shmctl, /*shmid=*/0x10000, /*cmd=*/2ul, /*buf=*/0x2000000042c0ul); if (res != -1) { r[15] = *(uint32_t*)0x2000000042c4; r[16] = *(uint32_t*)0x2000000042c8; } break; case 24: *(uint32_t*)0x200000004540 = 0x9732; *(uint32_t*)0x200000004544 = 0xee01; *(uint32_t*)0x200000004548 = 0xee01; *(uint32_t*)0x20000000454c = 5; *(uint32_t*)0x200000004550 = 4; *(uint32_t*)0x200000004554 = -1; *(uint16_t*)0x200000004558 = 5; *(uint32_t*)0x20000000455c = 0x80000000; *(uint64_t*)0x200000004560 = 9; *(uint64_t*)0x200000004568 = 5; *(uint64_t*)0x200000004570 = 0x8001; *(uint32_t*)0x200000004578 = r[7]; *(uint32_t*)0x20000000457c = 2; *(uint16_t*)0x200000004580 = 0xffc; *(uint16_t*)0x200000004582 = 0; *(uint64_t*)0x200000004588 = 0x200000004440; memcpy((void*)0x200000004440, 
"\xae\xb6\xd5\x07\x3a\xfa\xa3\x1c\x2e\x2b\x2c\x26\x91\x12\xdf\xff\x49\x39\x37\x39\x22\x07\xd1\x3f\xcd\x1a\x8e\xba\xa9\x97\xfd\x97\x6c\xcf\x81\x7f\x42\x90\xa8\x95\x65\xf4\x5f\x54\x38\x2b\x31\x3d\x34\x98\xe2\xa6\x76\xfb\x90\x8e\xe4\xd8\x92\x13\x1f\x01\xb8\x3d\xed\xd0\x94\x98\xc8\xc2\xc5\x6d\xf4\xef\x1c\x82\x32\x32\x0b\x42\xd5\x83\xcc\x60\x61\xc9\x2c\xc0\x6c\x76\x4f\xb0\xd4\x46\xa8\xb9\xa5\xf1\x90\x3c\x9b\x2b\x2b\xa4\x5c\x1e\xce\x47\xcd\x24\x9f\x20\x1b\x45\x7e\xe0\x3c\x79\xfb\xe2\x6f\xee\xa6\xde\xc1\x42\x68\x9a\xe2\x1b\x9c\xed\x84\x39\xf1\x0a\x2e\x3b\x65\x7a\x1e\x3a\xb7\x38\x54\xc1\x33\x8b\x6d\xb9\x05\x24\x8a\xe4\xbc\xee\x97\x3d\x06\x8e\x9b\xd4\x9b\xf4\xf9\xe8\xd0\x17\x7c\x72\x61\x2b\xce\x4e\xf6\xb4\xd7\x6c\x09\x39\x96\xde\x65", 183); *(uint64_t*)0x200000004590 = 0x200000004500; memcpy((void*)0x200000004500, "\x24\xa7\x29\x1c\x4a\xbc\x17\xba\x4a\xcd\xe1\xc6\xfb\xdb\x58\x89\x6a\xd2\x7d\xad\x25\x64\x40\x20\x7f\xf6\xa5\xe4\x8f\xf2\xa6\x18\x5f\x2c", 34); res = syscall(__NR_shmctl, /*shmid=*/0xfa95, /*cmd=*/0xbul, /*buf=*/0x200000004540ul); if (res != -1) { r[17] = *(uint32_t*)0x200000004544; r[18] = *(uint32_t*)0x200000004578; } break; case 25: memcpy((void*)0x200000000700, 
"\x2b\xce\x17\x78\xfe\xc9\xa1\x28\x6b\xf6\xab\xa5\x3c\x3a\xc4\x02\x86\xad\x6a\xa7\x11\x2d\x6f\x2f\xca\xbf\xd2\xba\x71\x3e\xaa\xdc\x81\x39\xe1\x4f\x61\x80\x70\x12\x6a\xc3\xa3\x8a\xd9\xcd\x7b\x5c\x94\xb1\x78\x3b\x26\x11\x52\x07\x29\x35\x3d\x56\xfc\x5b\xd5\xcb\xd4\xf1\x1d\x01\x35\x9c\xa9\xeb\x2e\x0c\x4c\xc6\x60\x95\x84\x6c\x2b\x10\xd4\x1e\xb8\x46\x77\xf1\xc3\x52\xbd\x90\xeb\xfa\x66\x12\x3a\x7a\x19\xf4\x5c\xae\xa8\x4f\x12\xe7\x76\x57\x93\x32\x46\xc4\x4a\x20\x9a\x4b\x9f\x15\x56\x87\xe2\xa4\xfd\x90\x2f\x57\xea\x49\x08\x5f\xaa\x76\x01\x19\x40\x68\x27\xdb\x2e\x6a\xde\x20\x29\xf8\x20\x1d\xe4\x7e\x97\xb1\x33\x85\x3a\xe7\x32\x14\xa7\x96\xe4\x81\x8d\x39\xcf\x10\xa8\xe6\xa6\xf1\x1a\x88\xe0\x82\xc9\xaa\x25\x85\x7a\x67\xa3\x2f\x35\xbc\x8f\x86\x7f\x04\x4d\x0f\x32\x99\x53\xdc\x06\x02\x24\x9d\x83\x19\x7e\x0e\xf5\xc9\x83\xb9\xd5\x56\xbd\x52\x7a\x6a\x59\x9f\x52\xa2\x11\xf9\xc7\x11\x3e\xdc\xc0\xe9\x3f\xc1\x8e\x79\xed\x69\xfb\x2a\x7f\xde\x97\xc9\xc3\x5e\x31\xe3\x5f\x07\x71\x37\xc8\xfd\x8b\xec\x40\x18\x14\xfb\x99\x81\x6d\x1e\xe5\xa5\xe7\xed\xc2\x10\xc6\x10\x97\x0d\xaf\x8a\xea\x89\xac\xbb\x75\x40\x82\xd8\xf6\x8e\xb4\xa0\x01\x06\x53\xc7\x06\x84\xa8\xdd\x7c\x00\x2b\xa7\xe4\x61\xc8\xdc\xc4\x5c\x22\x86\xda\x34\x27\x35\x14\x18\xcb\x24\xa9\x4d\x65\x56\xd6\x9e\x2a\x31\x9b\x5c\x0e\x69\xe6\xbf\x11\x1a\x9c\x45\x46\x7c\x41\x57\x5f\xdb\xfc\x26\x46\xda\xfd\xa3\x17\x9b\x0f\xca\xcc\x14\x9b\x45\xef\x10\xdc\x13\xf5\xfc\xe2\xe4\xa2\xc2\x2c\x2a\xe9\x92\xbc\x6b\xd5\x13\x23\xe7\x24\xe4\x66\xc7\x36\xdb\x1d\x34\x57\xee\x0f\x7d\xe1\x47\x66\x1d\xba\xdc\x94\x2b\xf0\xdf\x2f\x08\x9e\x98\x03\x81\xae\x88\x8a\xb0\x22\xfb\x54\x5c\x03\x43\xc4\x08\x7f\x2c\x1b\x6a\xe0\xcd\x21\xd0\xfd\x65\x65\x79\x09\x58\xc9\x3a\x67\x59\xa5\x75\x4b\x70\x0a\x6f\x53\xab\xbc\xa7\xd2\x2c\xdd\xcd\xd7\x09\xb2\x79\xd1\x11\xd6\xce\x1f\xd7\x91\xeb\xca\xf2\x60\x48\x09\x86\xb3\x21\xce\xcc\xf9\x55\x61\x8b\xbe\xa2\x78\x1d\x33\x14\x90\xcd\xe5\x73\x47\x93\xab\x07\x5f\x5a\x72\x93\x21\xae\xe1\x77\xfc\x3c\x20\xef\xd0\x79\x74\x46\xe5\x12\xc6\x25\xa3\xbc\x1a\x5
6\xf4\xc0\x18\x89\xf5\x74\x93\x3b\x72\x6f\x74\x37\xee\x04\x94\x91\xbc\xb9\x1f\x1c\x63\xa0\xb1\x75\xe2\xce\x56\x75\x07\xdd\x35\x4b\xf2\x6b\x08\x05\x9a\xc2\x29\x04\x6a\x6e\x75\xd3\xd3\x21\xee\x63\xc5\xab\xc1\xa7\x40\x9e\x20\x7e\x6f\xc5\x16\x79\xdf\x37\xbc\x7b\xa3\x39\xcb\xce\x32\xd4\x5a\x96\x09\x06\x88\x51\xb0\xa7\xf5\x81\xaa\xed\x7e\x99\x5c\x36\x77\x9d\x07\xc3\x57\xe5\xd9\x76\xf6\xde\xee\x4f\x36\x84\xf9\x7e\x7c\x61\x9d\x3c\xcc\x28\x72\x2f\x13\x0d\x93\x6d\x3c\x07\x3b\x9b\xb5\x19\x4e\xb9\xff\x69\x91\x0c\x6a\x3d\x58\x58\xc2\x86\x2b\xa8\xce\x94\x25\xce\xc1\xe8\x01\x18\x2a\x7f\xb5\xc7\x01\x7a\x41\x85\xd1\x3f\xeb\x35\x38\x29\xdc\x68\x1a\x56\x19\xf0\xa0\x2d\xb6\xeb\xde\x86\x0c\xf7\xc6\x29\x4d\x21\x45\xf9\xa5\x29\x18\x49\x76\x2d\x93\x81\x66\x82\xd1\x91\x89\xdd\x76\x82\x80\xdf\x4a\x68\xc8\x08\x01\xf6\x6a\xba\xbd\xf7\x22\xec\x21\x3a\x7b\x7f\x58\xc4\x61\x48\x68\x69\x00\x66\x9b\xdb\x0c\x64\x3d\x00\x5d\x60\x0d\x95\xc5\xcb\x5d\x28\xac\x4c\xd4\xc7\x02\x22\x94\x35\x2e\xd1\x35\x0c\x4e\x75\xfe\x89\x27\x89\x53\x92\xb0\x06\x2c\x78\x29\x2f\xc1\x5a\xd7\x03\x8d\x1b\xdd\xc9\x94\x53\x5e\x73\xcc\xc3\x3c\x9a\xb2\x33\x11\xd6\xf6\x5d\xe5\x98\xf5\xee\x9f\x91\x34\xca\x4e\x4b\x40\x9f\x21\xb0\xb0\xe4\x0f\x36\xaa\x5c\x78\x2b\x7b\xb8\x64\x70\x7a\xfd\xce\x1e\x7c\xfe\x5a\x27\xc1\xef\x3d\x2d\xc1\x41\x05\xd6\xa4\x89\xb8\x7e\x7a\xe1\x67\xae\x87\xa5\xf3\xcd\xa0\xb8\xa6\x22\x17\x62\x97\xf5\x32\x8b\x79\x69\x0d\xf9\x89\x79\xa4\x80\x6d\xea\x06\x93\x95\xf5\xb8\xe5\xbc\xec\x68\x3f\xd3\x9b\x86\xbc\xef\x86\x5d\xe6\x0f\xe4\x07\x29\x1d\x12\x7c\x4f\x00\x68\xbe\xc8\xae\x95\x73\x8f\xce\x42\x20\x5e\xf7\xcb\xba\x2a\x10\x76\x6e\x32\x19\x1c\xb4\xe5\x0c\x06\xdc\xf6\xca\x3a\xe7\x8c\x0c\xaa\x65\x8f\xd5\x8b\x65\x2c\xab\xdd\xe1\xdf\xa9\xd1\xf5\x4a\x44\x79\xad\x61\xd2\x5a\x47\xff\x08\xb3\x12\x25\x60\x09\x9b\xde\xc5\x5d\xeb\x11\x0e\x40\x6e\x08\x59\x53\x40\x88\x7e\x49\x67\x74\x54\xb6\x08\x60\x15\x3c\x4b\x1f\x7c\xeb\xef\x25\xda\xd0\x82\xf4\xd3\x40\x20\x78\x29\x8b\xfd\x39\x0b\xc7\x66\x23\x45\x95\x91\x8c\xbb\x3b\x6c\xdb\x99\x61\xe1\xb
b\x1d\x4f\x7c\x7f\x24\x01\xa8\xd8\x0a\xc6\x2b\x14\x62\x4a\x3b\x16\xd9\x70\x46\xfc\xef\x8d\x02\x5d\xeb\x79\x40\x94\xd2\xce\xa5\x0c\xcb\xe2\x72\xe1\xc7\x9a\x71\x67\x80\x3c\x40\xa4\xcc\xee\x13\x84\x44\xe7\xa4\x15\x34\x77\x83\xbf\xe0\xff\xda\x3d\x50\x01\x6d\x0f\x6b\x1b\x06\x12\x6f\xcd\xd9\x23\x7a\xac\x40\x0b\x85\x49\xe4\xc1\x91\x7a\x25\xdb\x59\xcd\xba\xe2\x9d\x1e\xa5\xbd\x7d\x25\xc5\x75\x02\x2d\xc5\x5f\xf3\x2e\xd4\x2a\x61\x0e\x23\x94\x79\xbe\xab\x0d\xd6\x2a\x30\xa4\xfb\xed\xa0\xfc\xfe\x1d\x0b\x61\x3a\x8d\x06\x69\x33\x46\x6a\x9a\xb3\x12\x62\x70\x1d\x08\xe7\x79\x28\xf8\x8c\xf8\xa8\x38\xe9\x72\x98\x93\xe5\x50\x70\xef\xcc\x83\x73\x6f\x3c\xb3\x2e\xef\xc0\x8f\x24\x0d\x44\x9a\x61\xcd\xf2\x11\x6c\xe4\xea\xe7\xb9\x66\x9c\xe6\xfc\x52\x8b\x98\x34\x01\x2b\x0f\x7c\x54\x25\xc2\x62\x23\x7a\xe8\xa3\x01\xb6\xcf\xc0\x3a\x57\x9c\xb1\x09\xdf\x41\x7d\x85\x14\xaf\x61\x2d\x32\x0d\x0e\xd9\x6b\x7f\x7e\x4a\x48\xaa\xa3\x0f\x6c\x8f\x42\x7d\xb2\xf9\x81\xbe\xf3\x60\xb9\xd8\xc2\x77\xc8\x4a\x80\x15\xf4\x9b\xb8\x84\x0d\xfd\xbf\xd5\x40\x2a\x05\x3f\xbe\xdc\x07\x51\x58\x7e\xbf\x6d\xf4\xd6\x92\x85\xcc\x39\x8e\x98\xa7\xfc\xd6\x88\x76\xeb\x2b\xf6\xf9\x4f\xc0\xd0\x3d\x7a\x93\xb1\x44\x6c\xf2\xac\x7e\xc1\x1f\x8c\x3b\x62\xfc\xc0\x74\x1c\x37\x6d\x15\xcc\xd8\xdc\x9c\x85\x92\x94\x53\xa1\x77\xbc\x24\x24\xb3\x74\xcc\xad\x51\xa5\x7b\xd0\x52\x90\x24\x1e\x00\x38\x9e\x5d\x97\x33\xda\xc8\x43\xb2\x5f\x43\x94\xdb\x45\x0f\xe1\x6f\xdc\xbb\x56\x33\x37\x90\x04\x4d\x65\xad\x60\x6a\xe8\xca\x97\xce\xec\x3f\x80\x9d\x78\x90\x49\xa3\x29\x88\x81\x33\x9d\x2e\xd1\x60\x2f\x2b\xf2\xbd\xe3\xcc\x87\x16\x3c\xf1\xdc\x3f\x8e\x32\xe8\x59\xac\x7b\x2d\x27\x1a\xe4\x2a\x7a\xd0\x5e\x6f\xda\x9b\x98\xc1\x4b\xe9\xa3\xf6\x5b\x16\x25\x37\x43\x99\x59\x82\x23\x7d\x31\x30\xd1\x5a\x18\xf8\xf5\x32\xa8\xd0\x27\x3e\xab\xb3\x38\x67\x02\x85\x98\x33\x84\x47\x81\xdc\xeb\xf2\x16\x4f\x0a\x4b\x14\x11\xd8\x82\x99\xfa\x82\xe7\xba\xb7\x1a\x08\x36\xd5\x0b\x41\x8a\x6a\x47\xf7\x47\x22\x0f\xef\xee\x26\x85\xaf\x32\xc2\xde\x7c\x33\x75\xcc\xa1\x19\x14\xf2\xda\x17\xec\xc4\x6e\x6
3\x5a\xfd\xa8\xc3\x6f\xef\xf1\x0c\x7d\x6e\xbd\xcf\x7d\xa4\x41\x4b\x4f\xdb\x28\xc4\x2f\x73\x8c\x95\x61\xa6\x56\xb0\x1c\xa0\xbc\xb0\x22\x4e\xc8\x03\xe6\xa2\x38\x64\xe0\x14\x38\x97\x4b\xba\x22\x36\x92\x12\xca\xf0\x53\xe5\x60\xcf\x11\xac\x83\xec\x04\x85\xf5\x70\xf6\xe5\x36\x74\x42\x43\xc2\x11\xfd\xc0\x3c\xb3\x59\x04\xf1\xb3\xad\x1e\x79\x65\xd4\x73\x1a\xa0\x48\x21\x5d\xbe\x3b\x33\xd0\x96\x3b\x0d\x5c\x0e\xcc\x90\xfa\x99\x99\x7f\x19\xb5\x83\x57\x48\x68\xb4\x08\x1c\x9e\xa2\x71\x23\x43\xb9\x18\xd2\x2f\xa3\x7e\x8d\xf4\xdb\x67\x0a\x4b\xe4\x29\x5f\x69\x9c\x92\x4c\x4b\x7f\xeb\x71\x10\x3d\x9a\xef\x02\x70\xde\xd2\x9d\x4f\x42\xaf\x37\xa4\x87\xe2\xbc\x8d\xc0\xb0\xbd\x3f\x68\x70\x38\x5a\x1a\x8a\x98\x42\x20\xf7\x9a\x47\xa9\x81\xe9\x87\xdc\xa4\x46\x95\xce\x64\x87\xd5\x3c\x01\x90\x10\x54\x3b\x20\x42\x22\xef\xae\xf7\x20\x8d\xfa\x23\xf8\x08\xc4\x56\x13\xd5\x14\x46\x8b\x97\xfe\x57\xdf\x91\x1e\xac\x0c\x90\xed\x04\xf0\x06\x49\x32\x1c\x3a\xbd\x27\x01\xec\x1a\x01\x22\xb4\xbb\x48\x37\x7b\x5e\x92\x51\xc0\x20\x3f\xaf\x08\x98\x26\x0f\xf7\x47\xc5\xa8\x2e\xed\x23\x42\x50\x15\x88\x51\xa5\x09\x06\xac\x54\x92\x71\x9f\x97\x0a\x90\x62\x00\x5e\xf1\x67\x55\x76\x35\x1a\x8b\x3d\x9d\xda\x73\x5c\xc6\x5b\x82\x09\xe9\x86\x68\xb8\xd4\x97\x88\x5f\xb1\xd9\x1d\x89\x3e\x3e\x3f\xe9\x6d\xbf\x56\xb6\x1c\x60\x6a\x84\x63\xc4\x1f\xd8\xc9\xbe\x64\xdf\x1a\x59\x56\x27\xfc\x71\x14\x38\xee\xa8\xdf\xb7\x32\x35\xa4\x7b\xe9\xc0\x37\x04\xfe\xda\x19\xe5\x4f\x65\xa2\x87\x62\x94\x49\x5a\xca\x4d\x61\x1c\x9b\x43\x84\x29\x15\xfa\x7a\x51\xe4\x5e\x16\xc7\xd2\x28\x17\xc1\xb1\x59\xe0\xbf\x53\xdf\xfe\x16\xed\x63\x41\x61\xbe\x4c\xc9\x16\x9c\x95\x2b\x0b\xb5\xfb\xf4\x45\xae\xe0\xe9\xd3\x86\xd3\x00\x61\x18\x57\xc7\x0e\x95\xcf\x2e\x42\xa3\xe7\x9b\xf7\xc2\x02\xb7\x7c\xe4\xf5\x2d\x5e\x8d\xdf\x50\xd5\xdb\x3f\xa1\x0e\x95\xf2\x4d\x65\x61\x86\xd3\x56\xde\xdc\x85\xc6\xf8\x68\x4b\x81\x02\xeb\x01\x9c\x18\xda\x8a\x66\x3d\x70\xbe\x24\xea\xd9\xf1\xdc\xed\x78\xbd\x06\x8a\x6c\x9b\x32\x4d\xd7\x47\x73\x43\x18\xeb\xc6\x2a\x4a\x9c\x74\xeb\x34\x22\xcc\xde\xe0\x2f\x9
4\x7c\x1a\x76\xe7\x38\x54\x28\x06\xff\x2c\x9c\x85\x1a\xb7\x12\x17\xf7\x53\x9d\xa9\xc3\x35\x0a\x1f\xbd\x5e\x53\x90\xa0\x48\xcc\xac\x1f\x54\x13\xab\x2d\x81\x47\xd7\xb2\xd7\xd4\x93\x3e\x24\xd7\xff\x0d\x16\xfa\x34\xe2\x38\xe9\x31\x62\x27\x30\xda\x47\xe8\xee\x85\x35\x49\xf5\x7d\x8c\xd0\x41\x1f\xd3\xdd\xcd\x5d\x6b\xf3\x63\x88\xd0\x36\x86\x62\xf9\x5d\xae\x7d\x3b\xcb\x93\x2d\x62\xe0\xf8\x95\xa5\x6b\xd8\x79\xd1\xf5\x70\x43\xeb\x6a\xd4\x6e\x35\x97\x6c\x4f\xa6\x24\x42\x21\xe9\xa6\x8f\xb5\xa9\x3f\x25\x68\xc1\x77\x2a\xd1\xfa\xef\x2a\xab\x00\x21\xfe\x7d\xbc\x57\xf3\xa7\x77\xdd\xfe\x61\xf4\x1c\xc3\xf7\xdb\x0b\xbf\x63\x7b\xd4\x8f\x72\xd1\x1d\xd0\x52\xfb\x4e\x32\x52\x0d\x41\x39\xce\x9b\x92\x06\x21\xf1\xeb\x6f\x37\x88\x71\xf1\xe7\x94\xc3\x87\x59\x65\x0a\x0a\x74\x2c\x0e\x34\x03\xb6\xbe\x88\xe3\x19\x20\xc0\xf3\xaf\xb5\x8c\x68\x6b\xea\xee\x1d\x65\xd6\xd8\x3b\x8e\xaf\xa7\xd0\xbc\xaa\xef\x87\x5e\xfa\x7a\x27\x37\x1c\xac\x05\x99\xd4\x1b\xa5\x1a\xa5\xce\x65\xce\x48\xbc\xa2\x4d\x4a\x43\x8e\x6e\x3a\xc3\x3c\xf1\xfc\x7c\xd8\xcc\x3c\xd9\xb7\x51\x16\xb5\x3a\x09\xd9\x81\x41\xfc\xcd\xf0\xb0\x8d\x8f\x9d\x6e\xfd\xed\x52\xd1\x01\xc3\xed\x6b\x27\xf6\xc6\xe4\x2f\x9b\xa1\x99\xf3\x9c\x9a\x33\x77\x28\xbd\xe0\x5b\xbe\xee\x63\xe4\xdc\x68\x0e\xcf\x0f\x02\x0b\xcb\xbb\x7b\x6a\xd0\xba\x9b\x2a\xa6\x14\x39\x1e\x8a\xa4\x15\x52\x13\x73\x56\x95\x3e\xf2\x15\x35\xca\x4e\x32\x20\xa2\x6f\x06\x1c\x7e\x78\xeb\x42\x42\x88\x98\x16\x95\xe6\x51\xf6\xda\x90\x57\xc6\x11\x02\xf5\xd5\x8d\x33\x13\x58\xd6\x91\xce\x1b\xd7\xf6\x81\x60\xcb\x76\xfe\x77\xf0\x3f\xfd\x46\x0e\xcd\xa1\xfd\xb1\xa7\x83\x33\x89\x3f\x1d\xc5\xd0\x35\x7d\xc2\x43\x35\xd3\xf1\x2d\x7d\xf9\x13\x31\x69\xd9\xd2\x14\x45\xb6\xa5\x81\x95\x66\x3d\xa0\x33\x06\x31\xb7\x32\xc1\xdc\xc3\xe6\x58\xf2\x37\xf0\xf6\x9a\x11\x60\x2d\x4c\xac\x64\x68\x35\x3f\xaf\xcb\xf4\xca\xd1\xa3\xa2\x6d\x2d\xed\xdb\xa7\xcc\xc8\x86\x34\x7f\xf0\x59\xda\xcf\x96\x96\x98\x00\x18\x53\x30\x7a\x3c\x5b\x36\x34\xde\xa1\x62\xe6\x3b\xd2\x7b\x7c\x9d\xab\x63\xa6\x70\x59\x29\x9d\x69\x42\x67\x5d\x10\x68\x8a\x79\x7d\x6
b\x51\x63\xea\xb8\x3b\x45\xb1\x84\x60\xc2\x8d\x6a\x83\x37\x1e\xca\x62\x6e\x9b\xdb\x94\xb9\x0a\x11\xa7\xfb\x7f\x7d\x9f\xec\x0d\x77\x3c\xc0\x56\x66\x36\x29\x2c\x7d\x90\xde\x64\x79\xae\x9f\xfc\xe8\xc3\x4e\x28\x4f\xf2\xfb\x4d\xa4\xc0\xb4\x62\x9a\x02\x3f\x1e\x9c\x1e\x79\xc5\xd6\xba\xe6\x25\x2c\xd4\xa3\x01\x53\xe8\xc1\xeb\xf0\x83\x89\xc2\x06\xd6\x6b\xec\xe9\x02\xed\x87\x7c\x36\x75\x6b\x3f\x9c\xaf\xe8\x41\xca\x61\xbf\xf3\x15\xfa\xe3\xaf\x3a\x18\x56\x3f\x71\xa7\x7e\xeb\x6f\xde\x0d\xb2\xce\xa7\xfe\x49\x4a\x78\x39\x1a\xfc\x1b\x21\xb2\x33\xe0\xc4\xb4\xa1\xa2\x3e\xee\x6f\xeb\xa1\xae\xe1\x12\x4e\xb0\x4e\xc4\xd2\x3b\x6a\xe5\xcc\xaf\x13\xac\xdb\x65\x6c\x72\x70\x7f\xed\x01\x0f\xc4\xab\x31\xba\x09\x3a\x22\xfa\x85\xe4\x73\x89\xac\xaf\xe2\xa2\x22\x98\xe5\x1d\x36\x73\x26\x95\x00\x8e\x65\xaf\xfd\xa7\x56\x13\xbb\xd2\x2f\x86\x9b\x05\xe9\xda\xfe\x41\x1d\xa8\x54\x9f\x14\x1e\x01\x8b\x36\x20\x49\xc6\xaf\x4e\xd7\x82\x37\x81\x72\xc5\x5a\xe7\xb1\xd0\x05\xa1\x90\x86\xc2\xab\x19\x74\x2f\xf7\xf9\xb3\x29\xdc\x56\x7f\x61\x47\x30\xef\x3e\x74\x78\xb6\x22\x09\xec\x2d\xb9\x0f\x3a\x60\x37\xaf\x0c\xb7\xbd\xcc\x8b\xad\x8b\x32\x86\x4a\x41\x67\xa3\x70\xd0\xf9\x16\xdc\x75\x1f\xb2\x8e\xe9\xc8\x00\xe5\x9e\x2e\x37\x20\xdb\xff\x36\x3b\x28\xcf\x26\x98\xfd\xb3\x06\x1b\xc3\x91\x97\x67\x7e\xfb\xca\x4f\x86\xda\x8a\x97\x6a\x1f\xe5\xf9\xe1\x83\xab\x9f\x3b\xdc\x9a\xb6\xae\x44\xb8\x71\x3a\x1e\xe0\x7b\x89\x4b\xf3\x74\x90\x46\x4f\x9d\x2c\x4f\x5a\x2a\x46\xc6\xb3\x03\x53\x43\xb9\x26\xdc\xa5\xd9\x93\xec\xb0\x74\x19\x1d\xf0\xe5\x0f\xbb\x11\x4c\x82\xb3\x69\xe1\x9d\x8c\xe9\x58\x02\x5e\x12\xa6\xe1\x35\xc3\x3c\x4e\x70\x40\xf2\xe5\xe4\xab\xb1\x43\xba\xfb\x7c\x71\x21\x44\xa9\x91\x09\xb0\x0d\xfd\x72\xf6\x6d\x6a\x5d\x7d\x1e\x6a\xea\xef\x79\x4f\xa4\x04\x57\x53\x28\xfe\xef\xd9\xc2\x08\xae\x71\x02\x36\xda\x12\xde\x52\x5c\x78\x40\x3e\x78\xfd\xcf\xb5\xcb\x34\x48\xf9\x38\x09\xea\xdb\xf8\xc6\xca\xec\xa7\x02\x83\x3a\x3d\x30\xbb\xaf\xe9\x4c\xa1\x4b\x5e\x91\x86\x4a\xa5\x75\x40\x94\x98\x93\x9c\x5b\x2c\xce\x2d\x33\xd1\xf1\x4a\xe3\xd7\x16\x9f\xfd\x5
1\xa7\x42\x1d\x2b\xe6\xa4\xf6\xce\x0d\x7f\xd5\xdd\x83\x4e\x02\x0c\x3e\x69\xcf\x5d\xeb\xe6\x9e\xe8\x63\xf5\x70\x2b\xab\x78\xfe\xcc\xd2\x85\xab\x47\x2b\x56\xd1\xc0\x6c\xe4\x0a\x79\xef\x15\xc0\x72\x36\x16\x36\x31\x74\x13\x72\x66\x43\xc9\x50\xc6\x7e\x57\x6f\xfd\x80\xd5\xf8\x08\x07\xb6\x72\x97\x36\x54\x7b\x00\xa0\xd4\x58\xe9\x3b\xf9\x64\xf4\x7d\xa3\x50\x77\x47\xec\x32\x3d\x31\x08\xc4\x49\x82\x62\x24\xea\x09\xaf\xa3\x66\x13\x33\x1a\x96\x1c\x5c\xf2\x59\x25\x2d\x0d\xac\xb5\x02\xfb\xc9\x87\xbb\xf6\xb1\xc8\xc6\x22\x5a\x6c\x0e\x65\xeb\xb5\xa5\x59\x45\xc5\xa0\x64\xec\x34\x6f\x84\x27\x0e\x3b\x38\xa1\x2a\xe7\x2c\x17\x80\x99\x75\xad\xa7\x2b\xad\x05\xa1\x2f\xda\x83\xf1\xb0\x0a\x42\x31\x04\x81\xca\x2a\x09\x90\xb6\x63\x96\x4e\x19\x4c\x92\x5c\x99\xce\xe8\x62\x79\xf6\x2c\x64\x54\x8a\x57\xd3\xf1\x67\xd6\x21\x3a\xcc\xbe\x67\x9a\x9f\xc2\x04\xd2\x10\x31\xf6\x4b\xd5\xf6\x8e\x8c\x75\xcf\x80\xaf\x20\x7c\xba\x25\xaa\x42\xfb\xc7\xdf\x07\x34\x25\x70\x00\xe5\xe9\xc2\x23\x36\x6d\x1d\xf4\x6f\x50\x8b\x8a\x8f\xba\x49\x33\x35\x2c\xb7\xc3\xf0\xe2\x5d\x66\xd8\xc5\x12\x9b\xdc\x46\x7d\xcd\xaf\x4f\x4a\x87\x1f\xea\x52\xb7\x07\xc8\x5c\xa1\xad\x30\xf0\x08\x04\xba\x50\x0c\xfb\xb2\xee\xe1\x8c\x68\x42\x09\x1c\x12\x0f\xf9\xf5\xfe\x91\x5a\x75\xa6\x23\xe5\x40\x7e\x77\xb2\xf2\xd7\xaa\x46\xe2\x4c\x96\x98\x6a\x60\x86\x55\x17\xc2\x67\x94\x5d\x39\x16\x92\xa1\xd3\xfe\xff\xc9\x35\x57\x67\x87\xc9\x0d\xa8\x46\xf9\x59\xe2\x6e\xef\x2f\x98\xce\x0b\x13\x17\x4f\xe4\x56\xc5\xd3\x3f\xb6\xbb\x65\xe8\x60\x3a\xf4\xf1\x02\x92\x9d\x84\x22\xb8\xbb\x5a\x24\xe0\xbe\xc7\x21\x4e\xe2\x3d\x9b\x8d\xd0\x7e\x7d\xaf\x18\xd8\x3f\xa6\x6d\x84\x9b\x91\xc7\x08\xf9\x9b\x46\x85\xc7\xb5\xdc\x95\x6d\x95\xc7\xfc\xea\xe7\x75\x9f\xea\xa0\xd2\xa0\x1f\x26\xb1\x7b\x9e\x5a\x23\x0c\x18\xc6\x10\xa7\xe7\x24\xdb\x79\xbe\xcd\x4a\xc0\xf1\x76\xbc\xf2\x04\x49\xe9\x0c\x3f\xae\x89\xc3\xa9\x93\xe2\xf9\xc5\x1e\x42\x8d\xc0\xbd\xdf\x67\xa7\xcd\x11\xf9\xce\x0d\xaf\xb4\x27\x7c\x32\x81\xb8\x8f\xa7\x13\x8d\x21\x7d\x79\xfe\x3e\xd7\x2b\x19\x5f\x27\x82\x0e\x33\x22\x9c\x5a\x6d\x7f\x4
9\x37\x20\xf9\x19\x0a\x1c\xb2\x29\xa3\xbe\xa0\xa7\x8f\x62\x9d\x00\x59\x3c\x98\x8c\x2d\x3f\xa0\x9f\x89\x35\xe2\x5b\xcd\x4c\xe0\x27\x6a\x16\xf2\x30\x6f\x7c\xbc\x89\x12\x52\x35\x91\xed\x88\x92\x1a\xa7\xae\xfe\x26\x71\x2f\x81\x02\x89\x06\xd7\x30\xfb\xe8\x19\x95\x52\x1e\x02\xe3\xdd\xfc\xa0\xf8\x81\xcb\x98\xa6\x61\xd2\xcf\x8d\x1f\xc3\x10\x84\x5d\xf4\xec\x58\x8c\x2b\x30\xfd\xfc\xe1\x81\xe6\xef\x9a\x65\x4e\x83\xfa\x69\xb7\x73\xfb\x51\x71\x77\x74\x93\x6e\x6d\x03\x77\x54\x78\x2f\xbf\xf1\x3d\x32\xa5\x0c\x75\xe2\x75\x3b\xca\xf4\xae\x37\x35\x26\xe6\x10\x60\x5f\x07\xc6\x77\xae\xda\xc8\xda\xf3\x79\x28\x3f\x2e\x59\xae\xdd\xe2\xc0\x19\x53\xd1\xbe\x45\x91\xef\x16\x5c\xa1\x90\x6d\xeb\xdc\x0b\x8e\x47\xde\xf1\xa3\x4d\x3c\x3a\x4c\x12\xea\xe8\x96\x68\xd1\x43\xd1\xb0\x98\x4f\x94\x50\x44\x70\x9d\xf8\x68\xd0\x97\x55\x14\xdc\x10\x93\x09\x0b\x0f\xe4\x29\x62\x34\x5e\xf4\x0b\x0d\xd8\x4f\xf7\xa2\x0f\x39\x4d\x5b\x3f\xc5\xa5\x5d\x69\xb4\xbb\xd0\x0b\x53\xe3\x17\x4c\x76\x0c\xb9\xc7\x9f\x27\x52\x75\x55\x8c\x69\x67\xf0\x3c\xb7\xb5\x4e\xc6\xc2\xa8\x60\x2a\x55\x57\xc4\x8e\x0c\xce\xae\xbc\x38\xc4\xcb\x35\xf1\x71\xfa\x42\x62\x2b\x1e\x8b\xe6\xdd\x32\x33\x75\x03\x3e\xde\x7b\xea\x93\xb6\xd6\x67\x75\x8f\xb9\x97\xcc\xee\x89\x6c\xb3\xa0\x3e\x47\xfe\x8b\x51\xbf\xef\xd7\x16\x5b\x4b\x16\x25\x46\xc2\xe4\xd4\x67\x10\x35\x3b\x73\xf6\xf1\xde\xa1\x7e\x44\x2b\x82\x72\xf6\xaf\xf9\x9c\x86\x43\x72\xe4\xc3\xe5\x63\x1b\xb7\x39\xb5\x9a\xd1\x23\x5a\x18\xaf\x7d\x59\xb7\x93\x20\xa4\x1b\x7c\x0e\x8d\x64\xd5\xa7\x94\x81\xcc\xe1\xe3\x1b\x33\x4a\xb3\x3e\x92\xe6\xa4\x29\x7f\x3d\xef\x0f\x1b\x34\x67\x5c\x7d\xe9\x10\xfe\x38\xe4\x94\xee\x01\x4b\xb8\x44\xe7\x07\xbd\x30\x2b\x24\x78\x6b\xd6\x06\x2b\xac\xb8\x2d\x52\x7a\xcd\xca\x23\x6f\x21\x7b\xf0\x47\x47\x42\x47\x6e\x6a\x93\x25\xd9\xee\x28\x2d\xee\x43\x63\x6b\xeb\xa5\x41\xe6\xaf\x65\xba\xb1\xf5\x82\x33\xa6\xf5\x58\xd8\xc6\x01\x9f\x4e\xe4\xc8\xe8\x33\xea\x16\x18\xb0\x53\xb3\xcd\xb8\xf8\x8f\x09\xce\x12\x25\xa6\x8f\x31\x9d\xe5\xbc\x58\x3e\xb3\xd2\x2f\x27\x32\x34\x3e\x9c\x0a\xcb\xd8\xef\xde\x7d\x9
c\x0f\x22\x40\x6b\x9d\x1b\xeb\x10\xe7\xbc\x92\x80\x7c\x7b\xbd\xc0\x0b\x1d\x88\x53\x4e\x65\xdb\xa2\x56\x21\x67\xe2\xcf\x12\xa6\xf4\xb1\xe8\x9b\x24\x95\xbe\x63\x1f\xe9\xa7\xaf\xaf\x3e\x44\x02\x54\xa2\xda\x7e\xeb\x26\x1b\x40\xb4\xb2\xc8\xa2\x25\x7d\x75\xb0\x9b\x85\xb8\x1d\x79\x54\xac\x55\x31\x3a\xc4\x99\x0c\x54\xae\x40\x79\x3c\x21\x58\xcf\xeb\xf3\x29\xb2\x67\x40\x5d\xd2\xa5\xe7\x61\x54\xd2\x1d\x74\xed\xd4\xa1\xe0\x86\xf0\xf2\x40\xe7\x19\x96\xa0\x4e\x8f\x96\xec\x88\x22\xbc\x5f\xc9\x18\x38\xd1\x7d\x97\xb0\x3c\xab\x99\x58\x33\xaa\xd9\xfe\xd8\xdb\xd9\x44\xfc\x11\xab\x74\xfc\x51\x5f\xd8\xbc\x5c\x06\x74\x24\xd3\x2d\xbb\x99\xe4\x9e\x0d\x42\xa5\x97\xdd\x80\x73\x17\xd6\x69\xdf\x7c\x08\x97\x9d\xd6\x47\xca\xe4\xb9\xd1\x23\xa6\x44\x03\x7c\x68\xfd\x7b\x45\x4d\x15\x8b\x51\x28\x18\x5b\x7a\x07\x1b\x77\x45\x3e\x29\xef\x51\x83\xc0\x3f\x3d\xac\x27\x58\xfa\xd6\x67\x3d\x17\xb9\x5a\x42\xd4\x28\xb5\x6d\xd7\xac\xd6\xb4\x4a\x15\xf8\xa6\xac\xc4\xc7\x3d\x23\xfd\xdf\xc4\x4f\xe5\x7a\x9a\xdd\x19\x57\x96\xcf\x45\xc0\x00\x6f\x6a\x24\x16\x0d\xfb\x87\x98\x62\xb0\x11\xe7\x4b\x88\x0f\x5a\x4f\x5d\xc8\x05\x3a\x1f\x2c\x7d\x0e\x1d\x77\x2c\x62\xca\x02\x8b\x09\xce\xba\xc8\x8e\xa7\xa8\xa1\x85\x59\x96\x20\x16\x74\xf2\xeb\x71\xac\x52\x6c\x0a\x0e\xc4\x49\x3d\xaf\x01\xa5\x51\x6d\x2b\xf8\x8b\xd8\x11\x72\xa2\xf7\x5f\xaf\xb3\xcd\xe2\xc9\x2b\x7a\x02\x0e\x07\x67\xcb\xda\xdf\x65\x57\x55\xc3\x71\x5c\x6b\xf9\xcc\x3d\xf3\x8c\x38\x34\xa7\x24\x95\x05\xa6\x89\x48\x0c\xa3\xa9\x78\x79\x2a\xe9\xbe\xfd\xfb\x3f\x25\xe3\xdf\xec\x22\xa9\x0d\x66\xac\xbc\xe1\x63\x3a\x29\x7c\xc2\xbe\xd9\x75\x73\x1f\xbc\x97\xc0\x9d\xa8\x94\x22\x65\x33\x6d\x17\xb1\x3a\x52\xef\xff\x98\x62\x6a\x8b\x7b\x18\x8c\xfb\x9d\xfd\x33\xeb\x28\x76\x34\x08\x73\x2b\xba\xe7\xb8\x01\x22\xa9\x1a\xd9\x81\x38\x97\x75\x7e\xff\xb8\x43\x58\xdb\xd6\x2b\x01\x33\x24\x1a\xb9\xaf\xa7\x9e\x35\x3f\x5e\x7d\xb9\x16\x39\x21\xd6\x5e\xfc\x93\xe4\x08\xbc\x38\xff\x95\x84\x29\x05\xa9\x13\xd0\x84\xd2\x4f\xa2\x23\x59\xdf\x71\x0b\x39\x69\x4d\xe2\x40\x38\x98\x31\xe3\x44\xe9\xd5\x33\x2a\xc0\xc5\x4
8\x4e\xdc\x3a\x9a\xc6\x12\xf6\x68\xe4\xe7\x81\x80\x10\x9e\x12\x49\xef\x5d\xc2\x7c\xfd\xed\x52\xea\x37\xef\x3a\x7d\x1d\x02\x88\xa9\xf7\x53\x2f\xb9\xf3\xa3\x80\x29\x4c\xf0\x33\x29\x62\x8f\xe8\xfa\xc3\xb8\x12\x11\x30\xbc\x3d\xff\x51\xed\x6f\x83\x00\x80\x67\x86\xf9\xe5\x05\xde\x5d\x25\xd6\x87\xc4\x02\xc0\xbe\xdb\x7d\x41\xcd\xb9\xcf\xb8\x77\x14\xba\x29\x28\xbe\xce\xcb\xe1\xaa\x32\xdf\xda\x00\x17\x07\xc7\x84\xce\xe7\xf6\x46\x48\x77\xef\x87\x98\xc1\x60\x8c\x48\x7c\xe0\x88\xd0\x73\x08\xb4\xf1\x67\x2f\xb2\x8e\xfa\xd8\xae\xe8\x45\xff\x99\xe0\x0d\xb8\xd0\xa4\xef\xf1\x0e\x7e\x04\x82\xe1\x0d\x2d\x4f\x53\x6b\x90\xa1\x7f\x2c\xd0\x64\x99\x58\x61\x9a\x3b\xfc\x4c\x72\x65\x4a\xb9\xa0\xda\xe3\x09\x9d\x69\x58\xcc\x43\xac\xee\x94\xa4\x50\x15\x24\xe0\xa9\xdd\x76\x70\x0d\x81\x46\x1f\xfc\x9c\xde\x22\x27\x15\xd4\xc8\x91\x7c\x2e\x53\x56\x0b\x63\x53\xa0\x98\xc9\x48\xce\x16\x13\x1b\xca\xc5\x69\x48\x46\x94\x26\x57\xfb\xbd\x47\xd1\x4f\x0b\x9e\x6e\x0e\x38\x3e\x7d\x60\xef\xe2\xd9\x93\x5c\x04\xdf\xee\x10\xe2\x2f\x47\x4c\xf3\x82\x32\x9c\xce\x12\xae\x8d\x21\x0f\xfb\xd1\x7d\xd0\xf1\x86\x8f\x6c\x10\xaa\x34\xdc\x1f\xb7\xbb\xb7\xa2\x5d\xb0\xcd\xb0\xaf\xcb\x3a\x52\x34\x45\x56\x4c\x6b\xc6\xc0\xf8\x43\x3a\x67\x75\x88\x18\x52\xd9\x97\x0a\xa4\x20\x3c\x92\x58\xa9\x44\x27\x41\x68\x89\x9d\x5a\x81\x5d\x66\x50\x37\xda\x71\x6d\x53\x04\xe4\xf2\x6c\x28\x9a\x46\x38\x4b\x96\x5f\x2c\xa5\xaa\xcc\x1c\x81\x23\xb5\x4c\x14\xe8\x3a\x59\xb9\x97\x99\x64\x88\x14\x79\x77\x84\x25\x4e\x3f\xcc\xca\x53\x79\x0c\xe3\xf0\xc2\x4b\xa0\x17\x22\xd4\x2b\xaf\xfc\x81\x68\xa3\x6c\x95\xb5\x38\x8d\xef\x13\x7e\x6c\x92\x9e\x2e\xd1\x42\x99\x10\xd1\x38\xe7\x91\xf8\xc4\x5c\x37\xea\x0b\x8d\x5f\x25\xdb\xb2\xb4\x3a\x4c\x2e\x05\x27\x32\x7a\x58\x47\xdf\x44\xa2\x14\x22\x23\x30\x14\x4d\x26\x44\x63\x66\x76\x4f\x81\x6d\xb2\x84\x7b\xba\x48\x60\xf2\x2d\xca\x28\xae\xa5\xba\xd2\x98\xdc\x4e\x58\x88\xce\x73\x7b\x16\x96\xc9\x52\xc2\xa5\x15\x57\x4d\x10\xd4\xd2\xc3\xd0\xa2\x12\x32\x42\x2d\x0d\x60\x07\x45\x86\x2a\x31\x51\x3c\x97\x8c\x84\x42\xbe\xba\xb3\xe3\xef\xbc\x5b\xf
0\x65\x72\x70\xd1\xdb\x26\xe9\x79\xcf\x50\xef\x7a\x3c\xfe\xe8\x80\xf7\x7a\x0b\x80\x2c\x7b\x37\x1b\xf9\x66\xa5\x41\x3d\x68\x74\xd9\x11\x1e\x7b\x98\xa9\x72\xbe\x26\xe2\x8f\xa9\xec\x1f\x77\x93\x91\xe3\xa4\x91\xd5\xe8\x69\x5f\x73\xd8\x87\x73\xa3\xd4\x06\x82\xff\xe1\xce\xa2\x37\xfa\x5a\x91\xd4\x8b\xd8\x2d\x8e\xcd\x25\xe6\xa6\x29\x2d\x17\x77\xe3\x8b\xe3\x7c\xcc\x8d\x96\xcf\x9d\x19\x1b\xa9\x05\x85\xe7\x28\xdc\x41\x5b\xc4\x06\xfd\x94\xe5\x3c\x67\x40\x71\xdf\x12\xea\x08\x9d\xcd\x94\xf9\xd9\x6b\x03\x86\xf7\x26\x05\x12\x67\xc9\x6e\x5c\x3d\x79\x49\xe8\x55\x02\xb5\xda\x43\xf1\x04\x93\xba\xa2\xfd\x77\xa0\x2f\xaa\xca\x33\x55\x8f\x78\xf0\x9f\x00\x43\x3b\xa9\x91\xef\x1b\x40\xc5\x99\x90\x39\xbe\xe1\x77\xfd\xa3\xba\x5d\xc0\x92\x51\x62\xe5\x9a\x8e\x32\x7c\x19\xe7\xd4\xe0\xaa\x8f\x13\x71\x07\x02\x71\xe0\x03\xce\x63\xf4\x27\x26\x5b\x6a\x2d\xfb\x1d\x68\x64\xf8\xcd\xf2\xa9\xd0\xf8\xb3\x8e\x57\x71\x2b\x85\x43\xa2\x0b\xe5\x02\x4a\xef\xfd\x25\x0a\x10\x6e\x78\x3a\x08\xa5\xae\x38\x5a\xc9\xa5\x76\xb3\xc1\xb0\x90\x36\xc5\x0f\x1a\x8d\x56\x99\xf1\xba\xd3\xd1\x69\x68\xf1\x1e\x9b\x1f\x54\xef\xdf\x3c\x2e\xc0\x3a\x1f\x12\x4a\xb5\xe5\xc4\x53\xd1\x9b\x93\x9b\x68\xd0\xa3\x39\x95\x1b\x5b\xb5\x5d\xa3\xeb\x45\x9c\x3f\x86\xa1\xde\x1b\x8b\x9c\xef\xe6\xe6\x0d\x14\xd8\xc6\x14\x31\x45\xe2\x4a\x85\xe9\xc0\x62\xa8\xf6\xbf\x5c\x9a\x51\xb2\xa5\x07\xff\xdf\x6f\x60\x1c\xd7\xd1\x0a\x7f\x3c\xb1\x6f\x38\xd7\xf2\xc4\x6e\xb2\xc1\xeb\xd2\x05\xd5\xb6\x0c\x5d\x5e\xc3\xd6\x0e\x15\x18\x9b\x9f\x44\x5c\xbf\x29\x17\x7b\x83\x55\xd8\xaf\x6b\xad\x6c\x6e\x3a\xda\xb3\x9d\xf7\x1e\xe2\xcf\x90\xdf\x9a\xb8\x68\x08\xe6\x2d\x1e\xc2\x4f\xf2\xbd\xe6\xfd\x56\xa2\x31\xe4\xe5\x56\xcc\x22\x7f\x5f\xa6\xd6\x17\xd5\x49\xae\xd8\xe2\xe3\x66\x01\x3d\x8a\x2c\x28\x99\xa5\xc7\x52\x62\x0d\x54\x47\x1f\x9c\xfe\x17\xb6\x87\xfe\xe4\x27\x99\xeb\x86\x21\xca\xbf\x3b\x81\x76\xdf\x65\x4b\x20\xf3\x48\xc9\x16\x7d\x70\xe9\x59\x22\x13\x38\xbf\x47\xcf\x3b\x34\x7d\xdb\x46\xe4\xea\x71\xfc\x82\x50\xcf\x48\x18\x60\x7a\x35\x95\x16\x65\xae\xec\x1b\x46\x84\xa9\xf2\xd5\x40\x39\xb
6\x44\xe3\xff\xcf\x5e\xf2\xa2\x67\x3d\x97\x40\x8f\xb9\xc5\xb9\xee\x80\x28\x67\xfc\xfc\xbf\x3c\xed\x42\x95\xe5\x9e\x78\x36\x5d\xe8\xf3\x8d\x98\x06\x6b\xc1\x63\xb7\x55\x56\x8b\xb0\x2e\xec\xa3\x8e\x04\xfe\x45\xb7\x80\x9c\xc4\x42\x40\x23\xa2\x3b\x15\xe3\x74\xe3\x83\xd0\x1e\x02\xdc\x66\x92\x48\x47\xf3\x72\xd8\xad\xc3\xb8\xaa\xdd\xb6\xea\xf9\x57\x5f\x52\x42\x51\xca\x6f\xea\x93\xfa\x33\x57\xe8\x1e\x94\x71\x5f\xbb\xe3\xce\x2b\xbc\x0c\x3d\x44\x7a\x51\x18\xd8\x59\xb1\xa7\x43\xb3\xe8\xee\xbf\xd3\x52\xfc\x50\xc2\x8c\x89\xd9\xfb\xf2\x08\x7c\xbe\xdc\xdd\xad\xd1\x99\x3a\x35\xf7\x1b\xff\x4b\x6e\x91\x90\xfb\x18\x26\xfa\x2b\x30\x89\x01\x87\x61\x65\xc7\x04\x17\xdc\xe1\x6e\xa0\xc1\x97\x55\x74\xbd\xc7\xcc\xf8\xd9\x2b\x3e\x77\x2b\x57\xfb\xad\xee\x74\xfc\xfe\x7b\x73\xdb\xef\x59\xc7\xf2\xe5\xba\x57\xb9\xbe\x68\x43\xe0\x6d\x0c\x13\xda\x2f\x48\x78\x40\x73\x7a\x8d\xfc\x79\x0c\xd5\x53\xc6\x93\xa9\xd1\x26\x8a\x13\xac\xfa\x44\xfa\x5e\x4b\x4f\x0d\xa3\x76\xfc\xc0\xec\x82\x94\xfd\xc0\x18\x23\x89\x7f\x91\x21\x27\xdb\x76\x90\x3d\xf2\xcd\xbf\xb9\x90\x24\x00\xc8\x6b\xf5\x26\xdd\xbb\x47\xc8\xe4\x9b\x67\x30\x55\xf7\x0a\x7d\x90\x08\x1c\xd3\x19\x64\xe0\x51\x9d\x50\x4c\x17\x1c\xd4\x1a\xb7\x99\x79\x16\xa7\x11\xcd\xec\x24\xf8\x0f\x80\x39\xce\xc9\xf6\x5b\xfb\xfa\x93\xe7\xbf\x22\x83\x51\xa8\x18\x92\xe5\x71\x80\xae\xce\x3e\x6b\x0f\xf3\x36\x6d\xc6\x66\x44\x47\xfa\xe5\xbe\xd3\x81\xf6\x29\x13\x4a\xdf\xcc\x51\xec\xa2\xab\x32\x76\x68\x2e\x5d\x9f\x67\x7b\x30\x1d\x6e\x6d\xcf\xa8\x64\x61\xa5\x67\xcb\x9c\xbf\xda\x3d\x2f\x91\xb3\xab\xc2\x0a\x5a\x7d\x46\x5d\x57\xc5\x07\xfe\x9c\xad\x83\x43\xd6\x4f\x51\xbe\x63\x0c\xe8\x18\xab\x78\xe9\x2c\xc5\x40\x8f\x48\x02\x5f\xbb\xf8\x39\x6d\x88\x20\x1c\x04\x2f\xd7\x11\x82\xc3\xd5\xdd\x62\xac\xe3\xec\x92\x31\xf8\x47\xbd\xff\x19\xb7\xbc\xe4\xe0\x4d\x10\x22\xb3\x2d\x46\xc7\x47\x09\xaa\x49\x63\x16\x6a\xef\xc5\xad\x6e\xd9\x47\x01\xd4\x32\x7f\x39\x4e\x1c\x9d\x01\xfb\xd3\xf2\x59\x03\xc5\x02\x0a\x84\x87\x96\x30\x08\xf8\xe4\xee\xdf\xe9\xc8\xd6\x2c\xa9\xcd\x72\xa9\x62\x39\xb1\xc0\x42\x7c\xb4\xe1\x7
1\x18\x21\x9b\x42\xcb\x89\x73\x53\x62\x1d\x66\x7a\x53\x8d\x3b\xa3\xe9\x26\x67\x38\xfd\x25\x24\x68\x1f\xd6\x33\xc1\xf7\x1a\x51\x28\x62\x10\xbc\x79\x3f\xc8\x9c\x0f\x04\x38\x66\x48\x0b\x7e\x08\x62\xb7\xa1\x08\x59\x3b\x2e\x9f\x8d\x1f\xc6\x2b\x7c\x67\xf5\x0d\xff\x63\x8f\x93\x18\xfa\x26\x0f\x37\x30\xce\xc7\x08\x0a\xfd\x74\x36\x41\xde\x7d\x59\xbc\xa4\xd3\x21\xf0\x31\xf3\x5f\xa6\x16\xc4\x33\xed\x57\x2a\x39\xbb\x17\xb9\x3c\x85\x81\xb1\x2a\xa1\xd2\x51\x54\x1b\xb5\xb2\x1c\x63\x91\x7c\x5b\x70\xec\x65\xe9\x57\xc5\x9c\x64\x3a\x6c\x0a\xb0\x02\xb5\x46\xdd\x97\x03\x50\xbe\x2a\x57\xe1\xa8\xf0\xf4\x6b\x01\x19\x95\x0a\xab\x33\x01\xe5\xca\x05\x43\x53\x2e\x1f\x08\x19\x90\x75\x60\x9f\x22\xcb\x8c\x8f\xfc\xba\x4b\xc8\x1d\xf5\xda\x4b\xa7\xae\x6b\x11\x1b\x4c\xd9\xc6\xe2\xe6\xc2\x0a\xda\x23\x28\x20\xb4\x77\x53\xd6\x26\x2c\x2b\x9e\xa6\x1e\xad\x28\x1b\xa0\xc3\x1c\x3b\xdf\xc0\x6b\x8a\x42\x98\x22\x82\xa2\x15\xbe\xad\xa3\xae\x9b\x2e\xad\x9a\xfd\x24\xf5\x0b\xc2\x28\x18\x90\x09\x77\x91\xcf\x37\xb1\x96\x9b\x45\xba\x7e\xb1\x30\x53\x66\x76\x7e\xda\x01\xef\xd0\x57\xda\x56\x74\x31\xc4\x9e\x79\xc5\x5a\x58\x95\x4f\x12\xda\xb8\xf1\xb6\x88\x51\x3f\x4c\x3c\x49\xa5\xf2\x7e\xe5\x37\x50\xd8\x9b\x63\x37\x79\x98\x00\x58\x78\x9d\x26\xa6\xb1\x72\x0b\xe7\xca\x54\x9d\xe7\x4b\xdb\x76\x3f\x4d\xb1\xa6\xbb\x86\x0b\x05\xdb\xc4\x77\x5b\x20\xce\xd8\x71\xb4\xa9\xd9\xd8\x77\xab\xef\x6c\x4b\xb3\x9d\x36\x8e\xf7\xe7\xfb\xba\xc5\xcb\x88\x21\x2d\x87\xf3\xc7\x62\x06\x59\xcf\x4c\xe1\xc6\xee\xb0\xea\x83\x84\xa6\xdf\x2f\x29\x13\x34\xe5\x80\x84\xfc\x55\xa3\xb6\xd7\xa8\x35\x1f\x62\x5a\x71\xee\xce\x16\xfc\xb5\x2f\xcc\xa8\x88\x09\x3a\x04\x0f\x5f\x15\x7a\xe2\x7d\xd7\x9d\x26\xae\x55\x5d\xd0\xd2\x19\xb5\x85\x53\xdb\x3b\xd8\xb4\x8d\x85\x6b\x3e\x23\x3d\x19\x72\x65\x78\xd3\x82\xbe\x3d\x12\x3f\x86\x56\xdb\xa5\xe6\x1d\xb1\x4b\x62\x7e\xb0\x74\xdb\x68\xd5\xa6\x9c\x93\x51\x17\x44\x92\xb5\x08\x24\x82\x4d\x3d\x3a\xf7\x92\x95\xf0\x5c\xdb\xb4\x7c\x8e\xf7\xc8\x5d\x81\x5b\xdc\xba\xcf\x4b\x86\x27\x96\x5c\x07\xc8\xe1\x07\x9f\x20\x1e\x50\x98\x02\x84\xf2\x00\x5
a\x92\xba\x82\x15\xd0\x6e\xf5\xef\xed\x59\x1f\x52\x79\xf1\x8a\x2f\xea\x04\x24\x66\xd7\x83\xe1\x08\x64\xe9\x3a\x54\xb8\x64\x9b\xb4\x43\x6d\x88\x6c\x78\x81\x9e\x92\x7c\x16\x3c\x76\x9c\x22\xfd\x6c\x1f\xfc\x50\x98\x49\xf6\x85\xac\xbc\x5c\x6e\xab\xe4\xbf\xb2\xe2\x65\x0b\xab\x17\x39\xa6\x95\x3b\x27\xa1\x84\x64\x64\xea\x8f\x56\xa7\x6c\xd3\x71\xa7\x47\x45\x95\x94\x9b\x6f\xd4\xdb\x07\x6d\x44\xce\xca\x31\x12\x22\x74\xec\x56\x8c\x58\x1d\x08\x8e\xe7\xf5\x68\xc0\x02\x4a\x49\x19\x20\x40\x1f\x16\x5d\xd1\x71\x1a\x2f\x9b\x03\x7e\xf4\xb4\x01\x9d\x22\x72\xe1\x9e\xd5\xcf\x41\x40\xe5\x8d\x74\xae\x1d\x93\x01\x8d\x09\xfe\xe3\x26\x3e\x81\x19\xfc\x7a\x48\x09\x45\x9c\x43\x4e\x93\xd3\x04\x70\x2f\x11\x0f\xc3\xa4\x0d\xfa\x78\xfd\xac\x5e\xdf\x24\x25\xd8\xdc\x16\x29\xbc\x95\xba\xb9\x32\x70\x32\x59\x8c\x2f\x55\x30\x78\x18\x7c\x3d\x07\x6f\x15\x67\x4c\xfb\x9e\x0f\x18\x2b\x68\xce\xdc\xec\x34\xcf\x04\x90\x90\x1a\xf1\x0a\x2d\x10\xac\x87\x31\xf7\x9e\x60\xea\x1e\xb1\x78\xa6\x01\x42\x97\xa5\xa3\xb8\x4b\x80\xde\xb5\xf3\xb5\x62\x04\xcd\xaf\x3a\x4c\xa0\xbc\xa0\x08\x3a\xca\xc6\xd2\xa5\x63\x71\x7e\xb7\x0b\x9d\x82\x75\xbb\x31\xdd\x4d\xa2\x5f\x6a\xaf\x3b\xb5\x76\x15\x2c\xc5\x98\x39\x9b\xfc\x1f\x70\x3f\x9d\x65\xc7\xca\x6f\xc4\x5d\x7c\xd8\x19\x12\x07\x1a\x94\xb4\x98\x17\x28\xbd\x3f\xa5\x32\xdd\x3a\xb9\x5e\xdc\x2c\x8a\x87\x92\x31\x6b\x78\x28\xc1\x7a\x0a\x11\x5a\x80\xee\x5f\x7c\x63\x2f\xa1\x23\xfc\xce\xae\xcb\x31\x19\x15\x34\x9c\x9b\x26\xf2\xed\x27\x52\x23\xd7\x9b\xac\x0c\x13\x76\x71\xc3\xac\x5f\x48\x9b\x42\xfb\xf5\xb1\x9b\x3a\x46\xae\x22\xa7\x2f\xe3\x47\xd8\xab\xf1\x11\x42\x96\x85\x62\xc6\x32\x9d\xfb\x94\x22\x49\xb5\x93\xd3\x7d\x17\xf4\x0d\x79\x3a\x48\x18\x92\x10\xe0\xb6\x0b\x95\x83\x75\xc0\x89\x93\xd3\x4e\x3e\xb0\xba\x69\x32\x43\x5c\xde\x73\xd5\x68\xd8\x1e\x0d\xf7\xf7\x6d\xab\x7c\x1c\x1f\x7e\x5b\x76\x41\x44\x89\x6f\xe5\xa8\x19\xa4\xf0\xae\xfa\x09\x9e\x1d\x84\xf8\xc1\x12\x02\xbc\x14\x1f\x7a\xe0\x3f\xb4\xfd\xbf\x5b\x6c\x30\x83\x4a\x4d\xcc\x7f\x9a\x64\xbb\xe1\x40\x76\x11\x0b\x97\x29\x76\x7e\x5f\x31\xed\xbf\x5d\xdc\x5
4\x0f\x3a\x31\xa3\x6f\x4a\x33\x2b\x5a\x24\xd9\xe0\xbe\x54\xf8\x16\x1b\x52\xf7\x6b\x78\x08\x3e\x40\xa6\x63\xc8\xd2\x0b\xfb\xc4\x46\x53\x3c\x2c\x4b\x78\xe6\x30\xbb\xc9\x4a\x24\xd9\x51\x60\x18\xfa\xff\xed\xc2\xe8\x5f\xb0\x91\xde\xea\xd3\x61\x2c\x8a\xb2\x41\xb1\x26\x47\xc2\xe7\x14\x07\xa9\xbb\xef\x11\xc9\x75\xed\xbb\x97\x22\xab\x61\x74\xa9\x19\x1c\x5f\x01\x28\xc1\xe0\xf4\x39\x33\x53\x68\x9a\xd1\x8b\x96\x78\x5a\x7d\x8e\x04\x5a\xdb\x80\x1a\xfe\x79\x00\x0f\x18\xec\xbc\x07\xea\x83\x93\x06\xbe\xcb\x86\x2b\x17\x53\xfe\xd5\x04\xdf\x00\x95\x46\x67\x2f\xd6\x5e\x60\xa2\xb5\x23\xae\x74\x77\x50\x2d\xb7\x5d\xeb\x99\x44\x52\xe0\xb3\xf7\xa8\x41\xa9\x8b\x8c\x0b\x0e\x82\x8f\x0c\xa6\x79\xe1\xfb\x97\xf8\xdf\x29\x2e\x2d\xb3\x0f\x75\x6f\xba\x17\x75\x45\xa0\x9b\xeb\x2b\xe1\x93\xfb\x3a\x1a\x94\xd3\x44\x56\xd9\x07\x1e\x63\x4b\xb8\xa4\x33\x09\x30\x2f\x6c\xe4\xc3\x38\xd4\x39\x27\x0c\x42\x6b\xaa\x04\x8b\xb9\x2e\xc1\x39\xe5\x0f\xc4\x57\xdb\x0f\x37\xb4\x94\xc5\x91\xf6\x71\x15\xbc\x9c\x52\x21\x52\xd2\x8f\x9c\xad\x16\x10\xbf\xfc\xea\x13\x9b\xf2\xc5\xe0\x23\x9d\x4f\x8d\xb1\x25\xf0\xc6\x68\x76\x8a\x02\xab\x70\x28\x14\xab\x61\xb5\x7e\x0d\xd8\x39\x54\x9c\xd7\x8c\x1d\x33\x1d\x3c\xf4\x2e\x0e\x94\x35\x9d\xf9\xf9\xd8\xd4\xfa\x2b\x98\x2a\x19\x77\xcc\x55\xa8\x88\x80\x56\x46\x23\x15\x45\xc2\xe9\x6a\x8b\x80\xc9\xdb\xda\xf7\xb7\x64\x40\x21\xf8\xdb\xdd\x8f\x3c\x37\x3a\x72\xa9\xc5\xa8\xad\x05\xc6\x7f\x50\xbd\x32\xa9\x6e\x19\xa6\x06\x17\x00\x61\x54\x2a\x0b\x1e\xe9\x0e\x3c\x75\x61\x9d\x95\x41\x6e\x1d\x2f\x6c\x76\xef\x08\xf6\x11\x88\x2c\x87\xd0\x96\xb2\xf8\x4c\x1b\x5f\x79\xc7\x28\x72\x7e\x00\xb0\x58\x9f\xf8\x67\x82\x4b\x88\x93\x9c\x3a\xcb\xa9\x6f\x59\xa3\xe3\x08\xef\x70\x68\xbd\x4a\xd8\x47\x8b\x9f\x0d\x6d\x5c\x90\xc8\xd3\xfd\xb1\xbc\xe0\x82\x2f\xd4\xdb\xf6\x04\x33\xd0\xfd\x9a\x1d\x00\xfa\xd0\x5b\x13\x5b\x0f\xca\x52\x29\x82\xbd\x41\xa1\xd3\x2c\xa9\xe1\x3c\xc2\xde\x18\x09\xe5\x1e\x12\xb5\x40\xdf\x58\xcc\x4b\xca\xcb\xc3\x94\x53\xe6\x2e\xff\xe1\xcb\xa6\x2a\x72\x5b\x7b\x69\x0a\x53\x1a\x16\x9b\x16\xcd\x4f\xb4\x23\x00\x18\xa
d\xbf\xeb\xfd\x58\xec\x47\x67\x42\xa8\xea\x7e\x8f\xf7\xe5\x6a\xb4\x63\xb3\x45\xa8\x42\x99\x86\x7f\x85\x7d\xe6\xea\x30\x75\x9a\x8d\xd0\x93\xe9\x8f\x99\xc6\x2f\x40\x95\x97\xf9\xa3\xdd\xd4\x90\xc8\x81\x33\xd9\x83\x1a\x7d\xdd\x0b\xbc\x35\x36\xd8\x0d\xea\xee\x38\xac\xb1\xba\x95\xba\x0c\xda\x91\x0f\x4b\x12\x0a\x59\x2b\xc9\x15\x04\xf4\xb0\xd9\x91\x71\xe2\xc4\x5d\x4e\x25\x6d\xc0\x3f\xed\xe6\x8e\xe1\xda\xbf\x80\x29\xc9\x9d\xec\x19\x8c\x4a\xad\xdb\x68\x17\xf8\x39\xf1\xda\x74\x97\x12\x67\xc2\x12\xbd\x22\x69\xf8\xcc\xcd\x32\x49\x5e\x8f\x72\x04\x48\x6d\x98\x59\x87\xc2\x5a\x5c\xb7\xef\xd6\x39\xb1\xdb\xd2\x50\x60\x22\xf6\xca\xf2\x4b\x09\x22\x62\x27\xd8\x03\x5c\xea\x83\xb9\xcb\x82\x1a\xc3\xfd\xae\xda\x5f\x22\xdf\xb1\x19\x15\x93\xf4\xd1\x65\x5e\x23\x54\x6c\x84\xa8\xff\x48\x27\x89\xbc\x92\xf1\x94\xdd\xa5\xf6\x14\xd6\x98\x6e\xac\x82\x9b\xab\x2b\x7a\x29\x22\x5b\xd5\x51\x76\x12\xd4\x0f\xda\x6a\x15\x3f\xc5\x2b\x24\x66\x33\x68\xad\xc2\xed\xf5\x6b\x07\xbb\x22\xf1\xb5\xd5\x26\xbf\xfb\x21\x28\x2c\x65\x4a\x77\x95\xa2\x76\x31\xf9\x5d\x88\x5d\xf4\xc0\xbc\xeb\x07\x12\xbf\xdd\xc0\x58\xdc\xbf\x32\x83\xa8\xb9\x66\x64\xdf\x54\x83\x40\x46\x6b\xd7\x17\x32\x9e\x6d\x54\x25\xcb\xd8\xf9\xe6\x44\x2e\xc4\x67\x13\x81\xb8\x01\x7e\x04\xba\xf1\x66\xd7\xb1\x4d\xdb\x51\x6a\x62\x4a\xc5\xc7\x65\x87\xa0\x0c\x65\x02\xa9\x40\x1c\xee\xc4\x82\x69\xc4\xeb\xf6\x70\xbd\x1c\xaf\x46\x13\xbc\xe8\x6e\x29\x7f\x9d\xd0\x02\x24\x08\xaf\x5c\x7a\x7e\x9c\xa4\xa1\xa2\xc7\xea\x50\x6d\xcc\xd7\xf8\x40\xeb\x4d\xe4\xdd\x3c\x73\x40\x06\xcb\x85\xe9\xa0\x53\x9f\x98\x8a\xb4\x5f\x59\x3d\x1d\x96\x06\x12\x2a\x2f\x10\x6e\x9f\x84\xf5\x2f\xf9\x17\x97\x07\x61\x03\xd0\x42\x58\x68\x46\xff\x73\x05\xc2\x73\xfe\x8e\xaf\x05\x3f\x6f\x2c\x7f\xd4\xf1\x18\x13\x4a\x8c\x82\x4b\xbb\x27\xe3\x19\x1a\x8b\x19\x25\x55\xc6\x61\x49\x08\xba\x54\x36\xa6\x73\x83\x0c\x27\xa6\x31\x69\xd3\xc6\x9d\x3f\x7e\x05\x2a\x6b\x6d\xe6\xfd\x2a\x54\x45\x72\xcb\xce\x67\xf6\x7a\x3b\x37\x83\xf4\xc8\xdb\x22\x71\xa4\xa1\x3c\x03\x55\xa9\x2c\x6b\x03\x6e\x5e\xf0\x6f\x53\x32\x3d\xb1\x43\x2b\xd5\xb
e\xd2\x60\x15\x44\x38\x7d\xfe\xa3\xf5\xed\x9b\x25\x2f\xc9\xa2\x04\x11\x99\x94\x23\x94\x4f\xdc\x2d\x16\x3f\x66\xba\x18\x26\xc7\xbd\x6d\xa8\xe8\x95\xef\xb1\x9b\x4f\xe0\xf2\x03\x81\x42\xd7\x66\x5f\xaf\xaf\x97\x9c\x56\x35\x29\x40\xb5\x5c\xae\xf5\xf8\xf8\x81\xdb\x23\x06\x0d\xdd\x71\xf9\x9f\xca\xb6\xbf\xe4\x12\xbe\xb2\xa1\x7d\x10\x6f\xa4\x50\x91\x4a\xa7\x92\x0c\xb2\x12\x67\xe1\x6c\xb4\x94\x36\x05\x60\x98\x36\x14\x9f\x19\x70\xd5\xca\x6f\x31\x10\x14\xd5\xb6\x91\xc1\x45\xba\x81\xb4\xff\x94\xc7\x2f\xe1\x50\xea\x49\xe5\x60\x70\xcf\xf3\x4a\xbe\xe3\x70\x61\xe8\x71\xae\xcf\x5d\xcf\x9f\x91\xb5\x2a\x36\xeb\x99\x3c\x67\x89\xf0\x21\xbe\x51\x70\x89\x2c\xa8\x0d\x1c\x2a\xd5\xbb\xce\x3c\xe4\x06\xcf\xb4\x12\xbd\x66\xfd\x64\x42\xd7\x0e\xbe\x18\xcd\xcc\x29\x58\xc5\x09\x34\x1f\x05\x10", 8192); *(uint64_t*)0x200000004700 = 0x200000002700; *(uint32_t*)0x200000002700 = 0x50; *(uint32_t*)0x200000002704 = 0xfffffff5; *(uint64_t*)0x200000002708 = 6; *(uint32_t*)0x200000002710 = 7; *(uint32_t*)0x200000002714 = 0x2d; *(uint32_t*)0x200000002718 = 2; *(uint32_t*)0x20000000271c = 0x400000c; *(uint16_t*)0x200000002720 = 7; *(uint16_t*)0x200000002722 = 0x6b; *(uint32_t*)0x200000002724 = 0x80; *(uint32_t*)0x200000002728 = 3; *(uint16_t*)0x20000000272c = 0; *(uint16_t*)0x20000000272e = 0; *(uint32_t*)0x200000002730 = 1; *(uint32_t*)0x200000002734 = 4; memset((void*)0x200000002738, 0, 24); *(uint64_t*)0x200000004708 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x18; *(uint32_t*)0x200000002784 = 0xfffffffe; *(uint64_t*)0x200000002788 = 4; *(uint64_t*)0x200000002790 = 5; *(uint64_t*)0x200000004710 = 0x2000000027c0; *(uint32_t*)0x2000000027c0 = 0x18; *(uint32_t*)0x2000000027c4 = 0; *(uint64_t*)0x2000000027c8 = 8; *(uint64_t*)0x2000000027d0 = 0x101; *(uint64_t*)0x200000004718 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0xfffffffe; *(uint64_t*)0x200000002808 = 4; *(uint32_t*)0x200000002810 = 0x50bf; *(uint32_t*)0x200000002814 = 0; *(uint64_t*)0x200000004720 = 
0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 3; *(uint32_t*)0x200000002850 = 0xffff; *(uint32_t*)0x200000002854 = 0; *(uint64_t*)0x200000004728 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x28; *(uint32_t*)0x200000002884 = 0; *(uint64_t*)0x200000002888 = 6; *(uint64_t*)0x200000002890 = 0xfffffffffffffff7; *(uint64_t*)0x200000002898 = 0; *(uint32_t*)0x2000000028a0 = 0; *(uint32_t*)0x2000000028a4 = r[4]; *(uint64_t*)0x200000004730 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x60; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 0xa2; *(uint64_t*)0x2000000028d0 = 0xfffffffffffffffb; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0x2867; *(uint64_t*)0x2000000028e8 = 0xd7f; *(uint64_t*)0x2000000028f0 = 2; *(uint32_t*)0x2000000028f8 = 0x28; *(uint32_t*)0x2000000028fc = 0xafb; *(uint32_t*)0x200000002900 = 7; *(uint32_t*)0x200000002904 = 0; memset((void*)0x200000002908, 0, 24); *(uint64_t*)0x200000004738 = 0x200000002940; *(uint32_t*)0x200000002940 = 0x18; *(uint32_t*)0x200000002944 = 0; *(uint64_t*)0x200000002948 = 0; *(uint32_t*)0x200000002950 = 0xb; *(uint32_t*)0x200000002954 = 0; *(uint64_t*)0x200000004740 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x13; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0x80000000; memcpy((void*)0x200000002990, "&,\000", 3); *(uint64_t*)0x200000004748 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x20; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0x41f; *(uint64_t*)0x2000000029d0 = 0; *(uint32_t*)0x2000000029d8 = 0; *(uint32_t*)0x2000000029dc = 0; *(uint64_t*)0x200000004750 = 0x200000002b80; *(uint32_t*)0x200000002b80 = 0x78; *(uint32_t*)0x200000002b84 = 0xfffffff5; *(uint64_t*)0x200000002b88 = 5; *(uint64_t*)0x200000002b90 = 0; *(uint32_t*)0x200000002b98 = 0x30; *(uint32_t*)0x200000002b9c = 0; *(uint64_t*)0x200000002ba0 = 0; *(uint64_t*)0x200000002ba8 = 0; *(uint64_t*)0x200000002bb0 = 0x9cb; 
*(uint64_t*)0x200000002bb8 = 6; *(uint64_t*)0x200000002bc0 = 0x45ff; *(uint64_t*)0x200000002bc8 = 8; *(uint32_t*)0x200000002bd0 = 0x7fffffff; *(uint32_t*)0x200000002bd4 = -1; *(uint32_t*)0x200000002bd8 = 2; *(uint32_t*)0x200000002bdc = 0x8000; *(uint32_t*)0x200000002be0 = 0xffff0001; *(uint32_t*)0x200000002be4 = r[10]; *(uint32_t*)0x200000002be8 = r[11]; *(uint32_t*)0x200000002bec = 0xb; *(uint32_t*)0x200000002bf0 = 7; *(uint32_t*)0x200000002bf4 = 0; *(uint64_t*)0x200000004758 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x90; *(uint32_t*)0x200000002c44 = 0xffffffda; *(uint64_t*)0x200000002c48 = 0xfffffffffffffc00; *(uint64_t*)0x200000002c50 = 3; *(uint64_t*)0x200000002c58 = 0; *(uint64_t*)0x200000002c60 = 6; *(uint64_t*)0x200000002c68 = 4; *(uint32_t*)0x200000002c70 = 7; *(uint32_t*)0x200000002c74 = 6; *(uint64_t*)0x200000002c78 = 6; *(uint64_t*)0x200000002c80 = 0x5d; *(uint64_t*)0x200000002c88 = 8; *(uint64_t*)0x200000002c90 = 0; *(uint64_t*)0x200000002c98 = 0xfffffffffffffffc; *(uint64_t*)0x200000002ca0 = 1; *(uint32_t*)0x200000002ca8 = 3; *(uint32_t*)0x200000002cac = 8; *(uint32_t*)0x200000002cb0 = 8; *(uint32_t*)0x200000002cb4 = 0xa000; *(uint32_t*)0x200000002cb8 = 2; *(uint32_t*)0x200000002cbc = 0xee01; *(uint32_t*)0x200000002cc0 = r[12]; *(uint32_t*)0x200000002cc4 = 6; *(uint32_t*)0x200000002cc8 = 7; *(uint32_t*)0x200000002ccc = 0; *(uint64_t*)0x200000004760 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0xc8; *(uint32_t*)0x200000002d04 = 0xfffffffe; *(uint64_t*)0x200000002d08 = 1; *(uint64_t*)0x200000002d10 = 6; *(uint64_t*)0x200000002d18 = 5; *(uint32_t*)0x200000002d20 = 5; *(uint32_t*)0x200000002d24 = -1; memset((void*)0x200000002d28, 170, 5); *(uint64_t*)0x200000002d30 = 2; *(uint64_t*)0x200000002d38 = -1; *(uint32_t*)0x200000002d40 = 6; *(uint32_t*)0x200000002d44 = 7; memset((void*)0x200000002d48, 255, 6); *(uint64_t*)0x200000002d50 = 5; *(uint64_t*)0x200000002d58 = 5; *(uint32_t*)0x200000002d60 = 6; *(uint32_t*)0x200000002d64 = 0xc828; 
memset((void*)0x200000002d68, 2, 6); *(uint64_t*)0x200000002d70 = 3; *(uint64_t*)0x200000002d78 = 0xa; *(uint32_t*)0x200000002d80 = 0x1f; *(uint32_t*)0x200000002d84 = 2; memcpy((void*)0x200000002d88, "bpf_lsm_kernel_create_files_as\000", 31); *(uint64_t*)0x200000002da8 = 5; *(uint64_t*)0x200000002db0 = 0x100; *(uint32_t*)0x200000002db8 = 5; *(uint32_t*)0x200000002dbc = 9; memset((void*)0x200000002dc0, 170, 5); *(uint64_t*)0x200000004768 = 0x2000000040c0; *(uint32_t*)0x2000000040c0 = 0xb0; *(uint32_t*)0x2000000040c4 = 0; *(uint64_t*)0x2000000040c8 = 0xffffffffffff51c6; *(uint64_t*)0x2000000040d0 = 0; *(uint64_t*)0x2000000040d8 = 1; *(uint64_t*)0x2000000040e0 = 0x7fffffff; *(uint64_t*)0x2000000040e8 = 4; *(uint32_t*)0x2000000040f0 = 0x80; *(uint32_t*)0x2000000040f4 = 0xe; *(uint64_t*)0x2000000040f8 = 5; *(uint64_t*)0x200000004100 = 6; *(uint64_t*)0x200000004108 = 9; *(uint64_t*)0x200000004110 = 0; *(uint64_t*)0x200000004118 = 0x80; *(uint64_t*)0x200000004120 = 3; *(uint32_t*)0x200000004128 = 7; *(uint32_t*)0x20000000412c = 0xffffff01; *(uint32_t*)0x200000004130 = 5; *(uint32_t*)0x200000004134 = 0x6000; *(uint32_t*)0x200000004138 = 5; *(uint32_t*)0x20000000413c = r[13]; *(uint32_t*)0x200000004140 = r[14]; *(uint32_t*)0x200000004144 = 9; *(uint32_t*)0x200000004148 = 4; *(uint32_t*)0x20000000414c = 0; *(uint64_t*)0x200000004150 = 1; *(uint64_t*)0x200000004158 = 0x7fffffff; *(uint32_t*)0x200000004160 = 6; *(uint32_t*)0x200000004164 = 7; memset((void*)0x200000004168, 2, 6); *(uint64_t*)0x200000004770 = 0x200000004340; *(uint32_t*)0x200000004340 = 0xa0; *(uint32_t*)0x200000004344 = 0xfffffffe; *(uint64_t*)0x200000004348 = 0x4f4; *(uint64_t*)0x200000004350 = 0; *(uint64_t*)0x200000004358 = 3; *(uint64_t*)0x200000004360 = 0x58be8e49; *(uint64_t*)0x200000004368 = 0x88; *(uint32_t*)0x200000004370 = 0x80; *(uint32_t*)0x200000004374 = 2; *(uint64_t*)0x200000004378 = 0; *(uint64_t*)0x200000004380 = 7; *(uint64_t*)0x200000004388 = 0x8000000000000000; *(uint64_t*)0x200000004390 = 
6; *(uint64_t*)0x200000004398 = 2; *(uint64_t*)0x2000000043a0 = 0; *(uint32_t*)0x2000000043a8 = 0x81; *(uint32_t*)0x2000000043ac = 0xb; *(uint32_t*)0x2000000043b0 = 0xfff; *(uint32_t*)0x2000000043b4 = 0x8000; *(uint32_t*)0x2000000043b8 = 0xc093; *(uint32_t*)0x2000000043bc = r[15]; *(uint32_t*)0x2000000043c0 = 0; *(uint32_t*)0x2000000043c4 = -1; *(uint32_t*)0x2000000043c8 = 0x9e9; *(uint32_t*)0x2000000043cc = 0; *(uint64_t*)0x2000000043d0 = 0; *(uint32_t*)0x2000000043d8 = 4; *(uint32_t*)0x2000000043dc = 0; *(uint64_t*)0x200000004778 = 0x200000004400; *(uint32_t*)0x200000004400 = 0x20; *(uint32_t*)0x200000004404 = 0xfffffffe; *(uint64_t*)0x200000004408 = 4; *(uint32_t*)0x200000004410 = 0x1000; *(uint32_t*)0x200000004414 = 4; *(uint32_t*)0x200000004418 = 7; *(uint32_t*)0x20000000441c = 3; *(uint64_t*)0x200000004780 = 0x2000000045c0; *(uint32_t*)0x2000000045c0 = 0x130; *(uint32_t*)0x2000000045c4 = 0; *(uint64_t*)0x2000000045c8 = 6; *(uint64_t*)0x2000000045d0 = 7; *(uint32_t*)0x2000000045d8 = 0xf; *(uint32_t*)0x2000000045dc = 0; memset((void*)0x2000000045e0, 0, 16); *(uint32_t*)0x2000000045f0 = 4; *(uint32_t*)0x2000000045f4 = 0xfffffffb; *(uint64_t*)0x2000000045f8 = 0xc3f; *(uint32_t*)0x200000004600 = 0xc6; *(uint32_t*)0x200000004604 = r[17]; *(uint32_t*)0x200000004608 = 0xee01; *(uint16_t*)0x20000000460c = 0x1000; memset((void*)0x20000000460e, 0, 2); *(uint64_t*)0x200000004610 = 0xc42b; *(uint64_t*)0x200000004618 = 0xfffffffffffffffb; *(uint64_t*)0x200000004620 = 8; *(uint64_t*)0x200000004628 = 0xfffffffffffff3f4; *(uint64_t*)0x200000004630 = 7; *(uint32_t*)0x200000004638 = 9; *(uint32_t*)0x20000000463c = 0; *(uint64_t*)0x200000004640 = 0x893b; *(uint32_t*)0x200000004648 = 0xc160; *(uint32_t*)0x20000000464c = 0; *(uint64_t*)0x200000004650 = 3; *(uint32_t*)0x200000004658 = 0x6a48; *(uint32_t*)0x20000000465c = 0; *(uint64_t*)0x200000004660 = 0x40; *(uint32_t*)0x200000004668 = 6; *(uint32_t*)0x20000000466c = 0; *(uint32_t*)0x200000004670 = 5; *(uint32_t*)0x200000004674 = 
0; *(uint32_t*)0x200000004678 = 9; *(uint32_t*)0x20000000467c = 3; memset((void*)0x200000004680, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x200000000700, /*len=*/0x2000, /*res=*/0x200000004700); break; case 26: res = syscall(__NR_pidfd_getfd, /*pidfd=*/r[6], /*fd=*/r[9], /*flags=*/0ul); if (res != -1) r[19] = res; break; case 27: memcpy((void*)0x2000000047c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000047c0, /*fd=*/r[19]); break; case 28: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 29: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/0); if (res != -1) r[20] = res; break; case 30: *(uint32_t*)0x200000004804 = 0x87d1; *(uint32_t*)0x200000004808 = 0x200; *(uint32_t*)0x20000000480c = 3; *(uint32_t*)0x200000004810 = 0x92; *(uint32_t*)0x200000004818 = r[19]; memset((void*)0x20000000481c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x70d3, /*params=*/0x200000004800, /*ring_ptr=*/0x200000004880, /*sqes_ptr=*/0x2000000048c0); if (res != -1) { r[21] = *(uint64_t*)0x200000004880; r[22] = *(uint64_t*)0x2000000048c0; } break; case 31: *(uint8_t*)0x200000004980 = 0x1c; *(uint8_t*)0x200000004981 = 0x40; *(uint16_t*)0x200000004982 = 0; *(uint32_t*)0x200000004984 = r[20]; *(uint64_t*)0x200000004988 = 0x200000004900; *(uint64_t*)0x200000004900 = 0x8000; *(uint64_t*)0x200000004908 = 0x190; *(uint64_t*)0x200000004910 = 0x10; *(uint64_t*)0x200000004990 = 0x200000004940; memcpy((void*)0x200000004940, "./file0\000", 8); *(uint32_t*)0x200000004998 = 0x18; *(uint32_t*)0x20000000499c = 0; *(uint64_t*)0x2000000049a0 = 0x23456; *(uint16_t*)0x2000000049a8 = 0; *(uint16_t*)0x2000000049aa = 0; memset((void*)0x2000000049ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[21], /*sqes_ptr=*/r[22], /*sqe=*/0x200000004980); break; case 32: memcpy((void*)0x2000000049c0, "*(z,\000", 5); memcpy((void*)0x200000004ac0, 
"\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x7e\xf6\xbf\x4c\x19\xc0\x4a\xa5\x7c\x4c\x2f\xf9\x2e\xe1\x46\x0e\xbf\x0e\x57\x59\x5c\xc3\x55\xaa\x22\x67\x95\x47\xef\x84\x49\x9e\xf9\x9d\x9b\xdd\x69\x1a\x9a\x0e\xe1\x9f\xba\x5f\xee\x97\xd9\xa9\x2b\xb7\xae\x3d\x75\x4a\x98\x45\x6c\xdb\xfd\x27\xda\x20\xf9\x77\xf4\xbf\x46\x30\xc3\xca\x42\x1a\x6a\xcf\x8d\x9f\x81\xd2\x93\xd3\xa0\xb0\x23\x27\xe4\x06\x32\x3e\x77\x3c\x64\xb8\x65\xc2\xc7\xa1\x02\x36\xfb\xbb\xb9\xc9\xea\xc5\xd1\x4f\x18\x75\x2a\x03\x89\xa5\x81\x59\x64\x04\x1b\x84\x4f\x71\x45\x5e\xa1\x2d\xdc\x9d\xcf\xb6\xe9\x00\xa3\x66\x57\x58\xcb\xa3\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 192); syz_kfuzztest_run(/*name=*/0x2000000049c0, /*data=*/0x200000004a00, /*len=*/0xc0, /*buf=*/0x200000004ac0); break; case 33: *(uint64_t*)0x200000014f40 = 0; *(uint64_t*)0x200000014f48 = 0x200000014ac0; *(uint64_t*)0x200000014ac0 = 0x17d; *(uint64_t*)0x200000014ac8 = 0x20; *(uint64_t*)0x200000014ad0 = 0x25000; *(uint64_t*)0x200000014ad8 = 0x5591; *(uint64_t*)0x200000014ae0 = 0x64; *(uint64_t*)0x200000014ae8 = 0x18; *(uint32_t*)0x200000014af0 = 8; *(uint32_t*)0x200000014af4 = 0x57; *(uint64_t*)0x200000014af8 = 0x12d; *(uint64_t*)0x200000014b00 = 0x18; *(uint64_t*)0x200000014b08 = 3; *(uint64_t*)0x200000014b10 = 0x64; *(uint64_t*)0x200000014b18 = 0x18; *(uint32_t*)0x200000014b20 = 0; *(uint32_t*)0x200000014b24 = 2; *(uint64_t*)0x200000014b28 = 0x69; *(uint64_t*)0x200000014b30 = 0x20; *(uint64_t*)0x200000014b38 = 0xc003; *(uint64_t*)0x200000014b40 = 1; *(uint64_t*)0x200000014b48 = 0x64; *(uint64_t*)0x200000014b50 = 0x18; *(uint32_t*)0x200000014b58 = 0x10; *(uint32_t*)0x200000014b5c = 0xc; *(uint64_t*)0x200000014b60 = 0x12d; *(uint64_t*)0x200000014b68 = 0x18; *(uint64_t*)0x200000014b70 = 0; *(uint64_t*)0x200000014b78 = 0x12e; *(uint64_t*)0x200000014b80 = 0x7e; *(uint64_t*)0x200000014b88 = 1; 
memcpy((void*)0x200000014b90, "\x36\x2e\x36\x3e\x66\x43\x0f\x57\xa9\x00\x98\x00\x00\x66\xba\xf8\x0c\xb8\x28\x8f\xc6\x86\xef\x66\xba\xfc\x0c\xed\xb9\x71\x03\x00\x00\xb8\xc7\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\x42\x0f\x01\xc8\x66\xb8\x78\x00\x0f\x00\xd0\x40\x0f\x01\xc5\x66\xba\x43\x00\x66\xed\x40\x1d\x03\x00\x00\x00\xc7\x44\x24\x00\x00\x00\x00\x00\xc7\x44\x24\x02\x49\x3a\x56\x64\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x32", 102); *(uint64_t*)0x200000014bf6 = 0x64; *(uint64_t*)0x200000014bfe = 0x18; *(uint32_t*)0x200000014c06 = 0xf; *(uint32_t*)0x200000014c0a = 4; *(uint64_t*)0x200000014c0e = 0x12e; *(uint64_t*)0x200000014c16 = 0x60; *(uint64_t*)0x200000014c1e = 0; memcpy((void*)0x200000014c26, "\xc4\x21\xf8\x10\x7a\xf0\x0f\xe7\x64\x9a\x4f\x47\xfb\x0f\x01\xca\x46\x0f\x08\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x80\x00\x00\x0f\x30\x0f\x01\xcb\x40\x0f\x01\xcb\xc7\x44\x24\x00\x8d\x00\x00\x00\xc7\x44\x24\x02\x07\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x52\x4b\x00", 72); *(uint64_t*)0x200000014c6e = 0; *(uint64_t*)0x200000014c76 = 0x18; *(uint64_t*)0x200000014c7e = 2; *(uint64_t*)0x200000014c86 = 0x12d; *(uint64_t*)0x200000014c8e = 0x18; *(uint64_t*)0x200000014c96 = 3; *(uint64_t*)0x200000014c9e = 0x17f; *(uint64_t*)0x200000014ca6 = 0x10; *(uint64_t*)0x200000014cae = 0; *(uint64_t*)0x200000014cb6 = 0x18; *(uint64_t*)0x200000014cbe = 4; *(uint64_t*)0x200000014cc6 = 0x12f; *(uint64_t*)0x200000014cce = 0x18; *(uint64_t*)0x200000014cd6 = 2; *(uint64_t*)0x200000014cde = 0x12e; *(uint64_t*)0x200000014ce6 = 0x56; *(uint64_t*)0x200000014cee = 3; memcpy((void*)0x200000014cf6, "\x0f\x01\xdf\x0f\xa8\x66\xba\xf8\x0c\xb8\x82\xca\xa9\x8f\xef\x66\xba\xfc\x0c\x66\xed\x67\x0f\x01\xca\x0f\xfd\xca\x46\x0f\x01\xb3\x90\x4e\x00\x00\x66\xba\x20\x00\x66\xb8\xb7\xea\x66\xef\x0f\x01\x32\xc4\xe1\x61\xeb\x58\x00\xb9\x81\x05\x00\x00\x0f\x32", 62); *(uint64_t*)0x200000014d34 = 0x180; *(uint64_t*)0x200000014d3c = 0x38; *(uint64_t*)0x200000014d44 = 1; 
*(uint64_t*)0x200000014d4c = 0x17; *(uint64_t*)0x200000014d54 = 4; *(uint64_t*)0x200000014d5c = 4; *(uint64_t*)0x200000014d64 = 0; *(uint64_t*)0x200000014d6c = 0x183; *(uint64_t*)0x200000014d74 = 0x18; *(uint64_t*)0x200000014d7c = 3; *(uint64_t*)0x200000014d84 = 0x65; *(uint64_t*)0x200000014d8c = 0x20; *(uint64_t*)0x200000014d94 = 0x32c; *(uint64_t*)0x200000014d9c = 0x10; *(uint64_t*)0x200000014da4 = 0x68; *(uint64_t*)0x200000014dac = 0x20; *(uint64_t*)0x200000014db4 = 7; *(uint64_t*)0x200000014dbc = 2; *(uint64_t*)0x200000014dc4 = 0xa; *(uint64_t*)0x200000014dcc = 0x56; memcpy((void*)0x200000014dd4, "\xf3\x41\xaf\x66\xb8\x3e\x00\x8e\xd0\xc4\xe1\x35\x73\xfa\xe7\x66\x0f\x74\xa6\x00\x00\x00\x00\x47\xdb\xc1\x45\x0f\x08\x66\x41\x0f\x38\x82\x94\x1f\x0e\x58\x39\xba\x47\x0f\x79\x55\x00\xc4\x01\x56\x51\xaf\x41\x04\x00\x00\x66\xba\xf8\x0c\xb8\xe2\x7f\xf4\x8d\xef\x66\xba\xfc\x0c\xec", 69); *(uint8_t*)0x200000014e19 = 0xc3; *(uint64_t*)0x200000014e1a = 0x12d; *(uint64_t*)0x200000014e22 = 0x18; *(uint64_t*)0x200000014e2a = 3; *(uint64_t*)0x200000014e32 = 0x12c; *(uint64_t*)0x200000014e3a = 0x18; *(uint64_t*)0x200000014e42 = 0; *(uint64_t*)0x200000014e4a = 0x12e; *(uint64_t*)0x200000014e52 = 0x6f; *(uint64_t*)0x200000014e5a = 3; memcpy((void*)0x200000014e62, "\xf3\x41\x0f\x22\x17\x66\xba\xf8\x0c\xb8\x61\x8e\xa1\x84\xef\x66\xba\xfc\x0c\xb0\x00\xee\x36\x64\x0f\x21\x39\xc4\x62\x41\x40\x32\x66\xba\x43\x00\x66\xb8\x0b\x00\x66\xef\x66\xba\x43\x00\xec\x40\x0f\x23\x38\x3e\x0f\xc7\x32\xc7\x44\x24\x00\xac\x00\x00\x00\xc7\x44\x24\x02\x90\x7c\x03\xe6\xff\x2c\x24\xb8\x05\x00\x00\x00\xb9\x97\x00\x00\x00\x0f\x01\xd9", 87); *(uint64_t*)0x200000014eb9 = 0x69; *(uint64_t*)0x200000014ec1 = 0x20; *(uint64_t*)0x200000014ec9 = 0xc3e5; *(uint64_t*)0x200000014ed1 = 2; *(uint64_t*)0x200000014ed9 = 0xc8; *(uint64_t*)0x200000014ee1 = 0x20; *(uint64_t*)0x200000014ee9 = 0xa1; *(uint64_t*)0x200000014ef1 = 2; *(uint64_t*)0x200000014ef9 = 0x65; *(uint64_t*)0x200000014f01 = 0x20; *(uint64_t*)0x200000014f09 = 
0x12f; *(uint64_t*)0x200000014f11 = 2; *(uint64_t*)0x200000014f19 = 0x12c; *(uint64_t*)0x200000014f21 = 0x18; *(uint64_t*)0x200000014f29 = 0; *(uint64_t*)0x200000014f50 = 0x471; res = -1; res = syz_kvm_add_vcpu(/*vm=*/0, /*text=*/0x200000014f40); if (res != -1) r[23] = res; break; case 34: res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0ul, /*prot=PROT_GROWSDOWN|PROT_SEM*/0x1000008ul, /*flags=MAP_PRIVATE*/2ul, /*cpufd=*/r[23], /*offset=*/0ul); if (res != -1) r[24] = res; break; case 35: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[24], /*exitcode=*/2); break; case 36: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[20], /*run=*/r[24], /*exitcode=*/0x10); break; case 37: *(uint64_t*)0x200000015140 = 0; *(uint64_t*)0x200000015148 = 0x200000014f80; memcpy((void*)0x200000014f80, "\x04\xea\xa0\xef\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x01\x63\x60\x14\xc2\x80\x3c\xd1\xc0\x84\x60\x04\x00\x84\x78\x83\x0a\x84\x64\xbe\x01\x84\x60\x27\x3b\xa0\x3c\x00\x3c\xa5\x60\x04\x00\xa5\x78\x27\x72\xa5\x64\x9d\x4f\xa5\x60\x7c\x62\xc0\x3c\xdf\xa5\xc6\x60\x04\x00\xc6\x78\x78\x11\xc6\x64\x30\xb5\xc6\x60\xf2\xd6\xe0\x3c\xac\xca\xe7\x60\x04\x00\xe7\x78\x51\x98\xe7\x64\xfb\x3b\xe7\x60\x02\x00\x00\x44\x00\x00\xe0\x3f\x00\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x48\xff\x63\x60\x7b\xff\x1b\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xfc\xf4\x63\x60\x76\x09\x80\x3c\x6c\xdf\x84\x60\x04\x00\x84\x78\x7c\xb5\x84\x64\x5d\x85\x84\x60\xf3\xc8\xa0\x3c\x84\x98\xa5\x60\x04\x00\xa5\x78\xa1\x6b\xa5\x64\x7c\x44\xa5\x60\x02\x00\x00\x44\x00\x00\x20\x3e\x00\x00\x31\x62\x04\x00\x31\x7a\x00\x00\x31\x66\x98\x00\x31\x62\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\xe5\x13\x5a\x63\xaa\xfe\xf9\x7d\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x00\x80\x84\x60\xdc\x39\x00\x7c\x00\x00\x40\x3d\x00\x00\x4a\x61\x04\x00\x4a\x79\x00\x00\x4a\x65\x71\x99\x4a\x61\xa7\x5f\xc0\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x
64\x08\xef\x63\x60\x09\xc6\x80\x3c\x1c\x64\x84\x60\x04\x00\x84\x78\xb4\xf7\x84\x64\x66\xcc\x84\x60\x03\x80\xa0\x3c\x45\x8f\xa5\x60\x04\x00\xa5\x78\xcf\x35\xa5\x64\x75\x97\xa5\x60\xae\x5a\xc0\x3c\x19\x31\xc6\x60\x04\x00\xc6\x78\xa9\x6d\xc6\x64\x6f\x30\xc6\x60\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x12\x00\x00\x60\x24\x01\x00\x7c\x00\x00\xe0\x3f\x01\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x00\xff\x63\xa7\xff\xa0\x7e", 420); *(uint64_t*)0x200000015150 = 0x1a4; *(uint64_t*)0x200000015180 = 1; *(uint64_t*)0x200000015188 = 1; syz_kvm_setup_cpu(/*fd=*/r[20], /*cpufd=*/r[5], /*usermem=*/0x200000fe8000, /*text=*/0x200000015140, /*ntext=*/1, /*flags=*/0, /*opts=*/0x200000015180, /*nopt=*/1); break; case 38: syz_kvm_setup_syzos_vm(/*fd=*/r[5], /*usermem=*/0x200000c00000); break; case 39: *(uint32_t*)0x2000000151c0 = 1; syz_memcpy_off(/*ring_ptr=*/r[21], /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x2000000151c0, /*src_off=*/0, /*nbytes=*/4); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0xb704, /*arg=*/0x200000015280ul); if (res != -1) r[25] = *(uint32_t*)0x200000015280; break; case 41: memcpy((void*)0x200000015200, "adfs\000", 5); memcpy((void*)0x200000015240, "./file0\000", 8); memcpy((void*)0x2000000152c0, "gid", 3); *(uint8_t*)0x2000000152c3 = 0x3d; sprintf((char*)0x2000000152c4, "0x%016llx", (long long)r[16]); *(uint8_t*)0x2000000152d6 = 0x2c; memcpy((void*)0x2000000152d7, "uid", 3); *(uint8_t*)0x2000000152da = 0x3d; sprintf((char*)0x2000000152db, "0x%016llx", (long long)r[17]); *(uint8_t*)0x2000000152ed = 0x2c; memcpy((void*)0x2000000152ee, "uid", 3); *(uint8_t*)0x2000000152f1 = 0x3d; sprintf((char*)0x2000000152f2, "0x%016llx", (long long)r[13]); *(uint8_t*)0x200000015304 = 0x2c; memcpy((void*)0x200000015305, "othmask", 7); *(uint8_t*)0x20000001530c = 0x3d; sprintf((char*)0x20000001530d, "%023llo", (long long)7); *(uint8_t*)0x200000015324 = 0x2c; memcpy((void*)0x200000015325, "ftsuffix", 8); 
*(uint8_t*)0x20000001532d = 0x3d; sprintf((char*)0x20000001532e, "%020llu", (long long)0x100); *(uint8_t*)0x200000015342 = 0x2c; memcpy((void*)0x200000015343, "othmask", 7); *(uint8_t*)0x20000001534a = 0x3d; sprintf((char*)0x20000001534b, "%023llo", (long long)8); *(uint8_t*)0x200000015362 = 0x2c; memcpy((void*)0x200000015363, "fowner<", 7); sprintf((char*)0x20000001536a, "%020llu", (long long)r[25]); *(uint8_t*)0x20000001537e = 0x2c; memcpy((void*)0x20000001537f, "func", 4); *(uint8_t*)0x200000015383 = 0x3d; memcpy((void*)0x200000015384, "FIRMWARE_CHECK", 14); *(uint8_t*)0x200000015392 = 0x2c; memcpy((void*)0x200000015393, "smackfsdef", 10); *(uint8_t*)0x20000001539d = 0x3d; memset((void*)0x20000001539e, 0, 1); *(uint8_t*)0x20000001539f = 0x2c; memcpy((void*)0x2000000153a0, "hash", 4); *(uint8_t*)0x2000000153a4 = 0x2c; *(uint8_t*)0x2000000153a5 = 0; memcpy((void*)0x2000000153c0, "\x78\x9c\x6a\x9b\xe0\xf0\xd7\x80\xc9\x48\xed\x7f\x7b\xc9\xbd\xed\xdf\xf6\x00\x02\x00\x00\xff\xff\x38\xa7\x08\x1f", 28); syz_mount_image(/*fs=*/0x200000015200, /*dir=*/0x200000015240, /*flags=MS_PRIVATE|MS_NODIRATIME|MS_NODEV|MS_DIRSYNC*/0x40884, /*opts=*/0x2000000152c0, /*chdir=*/0, /*size=*/0x1c, /*img=*/0x2000000153c0); break; case 42: memcpy((void*)0x200000015400, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000015400, /*id=*/0xe, /*flags=__O_TMPFILE|O_TRUNC|O_NOFOLLOW*/0x420200); break; case 43: memcpy((void*)0x200000015440, "net/mcfilter6\000", 14); syz_open_procfs(/*pid=*/r[18], /*file=*/0x200000015440); break; case 44: syz_open_pts(/*fd=*/-1, /*flags=*/0); break; case 45: syz_pidfd_open(/*pid=*/r[8], /*flags=*/0); break; case 46: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[26] = res; break; case 47: syz_pkey_set(/*key=*/r[26], /*val=PKEY_DISABLE_WRITE*/2); break; case 48: memcpy((void*)0x200000015480, 
"\x78\x9c\x00\x43\x00\xbc\xff\x1a\xa5\x3b\x2d\x97\x22\x56\x58\x64\x62\x48\x11\x35\x5b\x94\xa0\xd2\xd7\x8d\x09\xd2\x09\x51\xdf\x3c\x2c\x1a\x49\x88\xca\x48\xd4\x52\x61\xcc\x47\x3e\x4f\x65\xf6\x76\xe4\xe9\xb3\x8c\xde\x4a\xab\xa0\x5c\x20\xea\x6f\x37\xa5\x29\x42\x97\xe2\xc2\xa7\x6d\x7e\x55\x2d\xca\xd8\x01\x00\x00\xff\xff\xd6\x63\x1f\xa5", 83); syz_read_part_table(/*size=*/0x53, /*img=*/0x200000015480); break; case 49: syz_socket_connect_nvme_tcp(); break; case 50: *(uint8_t*)0x200000015500 = 0x12; *(uint8_t*)0x200000015501 = 1; *(uint16_t*)0x200000015502 = 0x310; *(uint8_t*)0x200000015504 = 0x99; *(uint8_t*)0x200000015505 = 0x45; *(uint8_t*)0x200000015506 = 0xdf; *(uint8_t*)0x200000015507 = -1; *(uint16_t*)0x200000015508 = 0x19d2; *(uint16_t*)0x20000001550a = 0xfff8; *(uint16_t*)0x20000001550c = 0xcd35; *(uint8_t*)0x20000001550e = 1; *(uint8_t*)0x20000001550f = 2; *(uint8_t*)0x200000015510 = 3; *(uint8_t*)0x200000015511 = 1; *(uint8_t*)0x200000015512 = 9; *(uint8_t*)0x200000015513 = 2; *(uint16_t*)0x200000015514 = 0xd8d; *(uint8_t*)0x200000015516 = 4; *(uint8_t*)0x200000015517 = 0xc; *(uint8_t*)0x200000015518 = 0xd4; *(uint8_t*)0x200000015519 = 0xb0; *(uint8_t*)0x20000001551a = 8; *(uint8_t*)0x20000001551b = 9; *(uint8_t*)0x20000001551c = 4; *(uint8_t*)0x20000001551d = 5; *(uint8_t*)0x20000001551e = 0xe; *(uint8_t*)0x20000001551f = 6; *(uint8_t*)0x200000015520 = -1; *(uint8_t*)0x200000015521 = -1; *(uint8_t*)0x200000015522 = -1; *(uint8_t*)0x200000015523 = 5; *(uint8_t*)0x200000015524 = 0xa; *(uint8_t*)0x200000015525 = 0x24; *(uint8_t*)0x200000015526 = 2; *(uint8_t*)0x200000015527 = 2; *(uint16_t*)0x200000015528 = 0x82; *(uint16_t*)0x20000001552a = 0x97; *(uint8_t*)0x20000001552c = 9; *(uint8_t*)0x20000001552d = 9; *(uint8_t*)0x20000001552e = 7; *(uint8_t*)0x20000001552f = 0x24; *(uint8_t*)0x200000015530 = 1; *(uint8_t*)0x200000015531 = 0x91; *(uint8_t*)0x200000015532 = 0x10; *(uint16_t*)0x200000015533 = 1; *(uint8_t*)0x200000015535 = 0xa; *(uint8_t*)0x200000015536 = 
0x24; *(uint8_t*)0x200000015537 = 2; *(uint8_t*)0x200000015538 = 2; *(uint16_t*)0x200000015539 = 0x64; *(uint16_t*)0x20000001553b = 5; *(uint8_t*)0x20000001553d = 5; *(uint8_t*)0x20000001553e = 9; *(uint8_t*)0x20000001553f = 0xa; *(uint8_t*)0x200000015540 = 0x24; *(uint8_t*)0x200000015541 = 2; *(uint8_t*)0x200000015542 = 2; *(uint16_t*)0x200000015543 = 9; *(uint16_t*)0x200000015545 = 1; *(uint8_t*)0x200000015547 = 1; *(uint8_t*)0x200000015548 = 0x18; *(uint8_t*)0x200000015549 = 0xa; *(uint8_t*)0x20000001554a = 0x24; *(uint8_t*)0x20000001554b = 2; *(uint8_t*)0x20000001554c = 2; *(uint16_t*)0x20000001554d = 5; *(uint16_t*)0x20000001554f = 0x100; *(uint8_t*)0x200000015551 = 0; *(uint8_t*)0x200000015552 = 0x1f; *(uint8_t*)0x200000015553 = 0xa; *(uint8_t*)0x200000015554 = 0x24; *(uint8_t*)0x200000015555 = 2; *(uint8_t*)0x200000015556 = 2; *(uint16_t*)0x200000015557 = 0x200; *(uint16_t*)0x200000015559 = 2; *(uint8_t*)0x20000001555b = 6; *(uint8_t*)0x20000001555c = 6; *(uint8_t*)0x20000001555d = 9; *(uint8_t*)0x20000001555e = 0x24; *(uint8_t*)0x20000001555f = 2; *(uint8_t*)0x200000015560 = 1; *(uint8_t*)0x200000015561 = 0; *(uint8_t*)0x200000015562 = 9; *(uint8_t*)0x200000015563 = 4; *(uint8_t*)0x200000015564 = 1; *(uint8_t*)0x200000015565 = 0xdc; *(uint8_t*)0x200000015566 = 0xb; *(uint8_t*)0x200000015567 = 0x24; *(uint8_t*)0x200000015568 = 2; *(uint8_t*)0x200000015569 = 2; *(uint16_t*)0x20000001556a = 5; *(uint16_t*)0x20000001556c = 9; *(uint8_t*)0x20000001556e = 6; memcpy((void*)0x20000001556f, "\x42\xe9", 2); *(uint8_t*)0x200000015571 = 0x12; *(uint8_t*)0x200000015572 = 0x24; *(uint8_t*)0x200000015573 = 2; *(uint8_t*)0x200000015574 = 2; *(uint16_t*)0x200000015575 = 2; *(uint16_t*)0x200000015577 = 0xaecb; *(uint8_t*)0x200000015579 = 0; memcpy((void*)0x20000001557a, "\xe0\xff\x89\xcc\x39\xb2\x42\xb2\xb0", 9); *(uint8_t*)0x200000015583 = 7; *(uint8_t*)0x200000015584 = 0x24; *(uint8_t*)0x200000015585 = 1; *(uint8_t*)0x200000015586 = 0xc; *(uint8_t*)0x200000015587 = 2; 
*(uint16_t*)0x200000015588 = 2; *(uint8_t*)0x20000001558a = 9; *(uint8_t*)0x20000001558b = 5; *(uint8_t*)0x20000001558c = 1; *(uint8_t*)0x20000001558d = 0x1d; *(uint16_t*)0x20000001558e = 0x20; *(uint8_t*)0x200000015590 = 5; *(uint8_t*)0x200000015591 = 9; *(uint8_t*)0x200000015592 = 0xf; *(uint8_t*)0x200000015593 = 9; *(uint8_t*)0x200000015594 = 5; *(uint8_t*)0x200000015595 = 4; *(uint8_t*)0x200000015596 = 0x10; *(uint16_t*)0x200000015597 = 0x10; *(uint8_t*)0x200000015599 = 5; *(uint8_t*)0x20000001559a = 7; *(uint8_t*)0x20000001559b = 1; *(uint8_t*)0x20000001559c = 0x49; *(uint8_t*)0x20000001559d = 1; memcpy((void*)0x20000001559e, "\xbe\xdb\xdc\x40\xb6\x57\x91\x5a\xee\xa3\x6b\xef\xa7\x43\xbb\xf4\x76\xbb\xcc\x3a\x55\x77\x74\x37\xfd\x0c\x08\x62\xa5\x59\x1f\x0b\x80\x91\x62\x6c\x65\x64\xa6\x2b\x69\x95\xd0\xb1\xac\x34\x99\x5d\x44\x2d\xe5\x0d\x21\xf3\x0d\xa0\x8f\x64\xd3\xbb\x0e\x86\x08\x6e\x62\x96\x82\x16\xd8\xcb\xfe", 71); *(uint8_t*)0x2000000155e5 = 0xc; *(uint8_t*)0x2000000155e6 = 0xe; memcpy((void*)0x2000000155e7, "\x1c\xca\x42\xd0\xd4\xc1\x24\x78\xdb\xc7", 10); *(uint8_t*)0x2000000155f1 = 9; *(uint8_t*)0x2000000155f2 = 5; *(uint8_t*)0x2000000155f3 = 0xc; *(uint8_t*)0x2000000155f4 = 0xd; *(uint16_t*)0x2000000155f5 = 0x10; *(uint8_t*)0x2000000155f7 = 4; *(uint8_t*)0x2000000155f8 = 0xef; *(uint8_t*)0x2000000155f9 = 0xd; *(uint8_t*)0x2000000155fa = 9; *(uint8_t*)0x2000000155fb = 5; *(uint8_t*)0x2000000155fc = 0; *(uint8_t*)0x2000000155fd = 2; *(uint16_t*)0x2000000155fe = 0x40; *(uint8_t*)0x200000015600 = 1; *(uint8_t*)0x200000015601 = 0x92; *(uint8_t*)0x200000015602 = 1; *(uint8_t*)0x200000015603 = 7; *(uint8_t*)0x200000015604 = 0x25; *(uint8_t*)0x200000015605 = 1; *(uint8_t*)0x200000015606 = 8; *(uint8_t*)0x200000015607 = 0xf; *(uint16_t*)0x200000015608 = 9; *(uint8_t*)0x20000001560a = 0x9c; *(uint8_t*)0x20000001560b = 0x24; memcpy((void*)0x20000001560c, 
"\x94\x62\xe7\x8d\x67\xa7\x93\x83\x09\xf8\x93\x38\x8b\x58\x5f\x99\xed\x3c\xae\x5a\xeb\x24\x1e\x37\xea\xcc\x73\xfb\x04\x0b\x91\x7d\x69\x75\x87\xfd\x88\x85\xdc\xc8\x92\xbf\xee\x22\x87\x19\x88\xc7\x01\x88\xe9\xe8\x45\x46\xa7\x96\xe5\x6e\xa4\x83\x70\xdf\xca\x68\x9a\xaa\x0f\xfd\x08\x41\xc7\xe2\x8c\xbc\xec\xbc\x3b\xee\xb2\x54\xd9\x02\x49\x8d\xde\x37\x3f\x5e\x92\x09\x32\xac\xdf\x32\x22\xa5\x61\x17\x4a\x85\xce\x36\xd5\xf5\xc7\x09\x82\x9a\x04\x29\xf4\x8d\xe3\x26\x62\x11\xe3\x53\x22\x35\xca\xcb\x3a\x64\xff\xf3\xe3\x01\x82\xcd\x02\x7e\xa6\x60\xbc\xe2\x4c\xc1\x97\xbf\x35\x8f\x77\x95\x3c\x96\x4d\xe4\x53\x04\x16\x90\x7f\xa1", 154); *(uint8_t*)0x2000000156a6 = 9; *(uint8_t*)0x2000000156a7 = 5; *(uint8_t*)0x2000000156a8 = 6; *(uint8_t*)0x2000000156a9 = 0; *(uint16_t*)0x2000000156aa = 0x400; *(uint8_t*)0x2000000156ac = 4; *(uint8_t*)0x2000000156ad = 0; *(uint8_t*)0x2000000156ae = 6; *(uint8_t*)0x2000000156af = 9; *(uint8_t*)0x2000000156b0 = 5; *(uint8_t*)0x2000000156b1 = 0x1f; *(uint8_t*)0x2000000156b2 = 0xc; *(uint16_t*)0x2000000156b3 = 0x20; *(uint8_t*)0x2000000156b5 = 8; *(uint8_t*)0x2000000156b6 = 0x80; *(uint8_t*)0x2000000156b7 = 4; *(uint8_t*)0x2000000156b8 = 7; *(uint8_t*)0x2000000156b9 = 0x25; *(uint8_t*)0x2000000156ba = 1; *(uint8_t*)0x2000000156bb = 4; *(uint8_t*)0x2000000156bc = 0x40; *(uint16_t*)0x2000000156bd = 0xfff; *(uint8_t*)0x2000000156bf = 0x4a; *(uint8_t*)0x2000000156c0 = 9; memcpy((void*)0x2000000156c1, "\x13\xdf\x6f\x0c\x72\x3d\x23\x38\x80\xc0\x86\x9f\x46\xc9\x39\x9e\x14\x8e\xf0\xd9\x87\x29\x76\x35\xb6\xbf\x6f\x36\x9c\xbf\x8f\x07\xb3\x4b\x93\x76\xff\x57\xdc\xbd\xf2\x74\x65\xeb\x51\x53\xfb\x8d\xd7\xca\x2f\xab\x27\x37\xdd\x51\x5e\xde\xf1\xc9\x66\x91\x5e\x06\x76\xdb\x83\x1f\x2b\x91\x8d\x82", 72); *(uint8_t*)0x200000015709 = 9; *(uint8_t*)0x20000001570a = 4; *(uint8_t*)0x20000001570b = 0xe4; *(uint8_t*)0x20000001570c = 0xb; *(uint8_t*)0x20000001570d = 0xd; *(uint8_t*)0x20000001570e = -1; *(uint8_t*)0x20000001570f = 0xde; *(uint8_t*)0x200000015710 = 0x55; 
*(uint8_t*)0x200000015711 = 3; *(uint8_t*)0x200000015712 = 0xa; *(uint8_t*)0x200000015713 = 0x24; *(uint8_t*)0x200000015714 = 1; *(uint16_t*)0x200000015715 = 3; *(uint16_t*)0x200000015717 = 0xa; *(uint8_t*)0x200000015719 = 2; *(uint8_t*)0x20000001571a = 1; *(uint8_t*)0x20000001571b = 2; *(uint8_t*)0x20000001571c = 9; *(uint8_t*)0x20000001571d = 5; *(uint8_t*)0x20000001571e = 1; *(uint8_t*)0x20000001571f = 3; *(uint16_t*)0x200000015720 = 0x20; *(uint8_t*)0x200000015722 = 1; *(uint8_t*)0x200000015723 = 0x66; *(uint8_t*)0x200000015724 = 7; *(uint8_t*)0x200000015725 = 0x8c; *(uint8_t*)0x200000015726 = 0x23; memcpy((void*)0x200000015727, "\xc3\x44\xbd\x7f\x69\x0e\x11\x22\xd6\x52\x4c\xcd\x02\x57\xc1\x18\x5e\x61\xc3\xab\x3c\xcb\x36\x6e\xf9\x03\x7a\x58\x03\x54\x18\x72\x8d\x9a\xab\x96\x71\x7e\x22\x0d\x72\x20\xfb\x96\x4b\x7e\x92\x8d\x75\xef\x45\x85\x91\x31\x15\x90\x97\xfa\x85\xb2\xd2\x4e\xeb\x7f\xc5\x90\xe0\x48\xeb\x1b\xa8\x30\xac\x34\x3b\xfd\x9a\x3c\x32\xdf\xc9\x3f\xad\xcb\x90\xf9\x3a\x63\xc7\x37\x83\x4f\x5e\x2d\x4e\x73\x68\xe0\x2e\xc5\xf2\x10\x6b\xef\x93\x5e\x5e\x74\xc3\xe7\xd2\xd3\xd1\x6e\xbf\xfa\x13\xa8\x29\x49\x9d\xa4\x42\xf0\x17\x26\xd0\x7a\x33\x8f\xeb\x61\x2c\x3b\x6e\x51\x93\xb8", 138); *(uint8_t*)0x2000000157b1 = 9; *(uint8_t*)0x2000000157b2 = 5; *(uint8_t*)0x2000000157b3 = 1; *(uint8_t*)0x2000000157b4 = 0xc; *(uint16_t*)0x2000000157b5 = 0x10; *(uint8_t*)0x2000000157b7 = 6; *(uint8_t*)0x2000000157b8 = 0x73; *(uint8_t*)0x2000000157b9 = 2; *(uint8_t*)0x2000000157ba = 9; *(uint8_t*)0x2000000157bb = 5; *(uint8_t*)0x2000000157bc = 0xe; *(uint8_t*)0x2000000157bd = 1; *(uint16_t*)0x2000000157be = 0x40; *(uint8_t*)0x2000000157c0 = 0; *(uint8_t*)0x2000000157c1 = 0; *(uint8_t*)0x2000000157c2 = 0xe; *(uint8_t*)0x2000000157c3 = 7; *(uint8_t*)0x2000000157c4 = 0x25; *(uint8_t*)0x2000000157c5 = 1; *(uint8_t*)0x2000000157c6 = 8; *(uint8_t*)0x2000000157c7 = 8; *(uint16_t*)0x2000000157c8 = 0x9df1; *(uint8_t*)0x2000000157ca = 7; *(uint8_t*)0x2000000157cb = 0x25; 
*(uint8_t*)0x2000000157cc = 1; *(uint8_t*)0x2000000157cd = 4; *(uint8_t*)0x2000000157ce = 3; *(uint16_t*)0x2000000157cf = 0x84; *(uint8_t*)0x2000000157d1 = 9; *(uint8_t*)0x2000000157d2 = 5; *(uint8_t*)0x2000000157d3 = 7; *(uint8_t*)0x2000000157d4 = 0x10; *(uint16_t*)0x2000000157d5 = 8; *(uint8_t*)0x2000000157d7 = 0xd; *(uint8_t*)0x2000000157d8 = 6; *(uint8_t*)0x2000000157d9 = 6; *(uint8_t*)0x2000000157da = 0x9c; *(uint8_t*)0x2000000157db = 0x11; memcpy((void*)0x2000000157dc, "\x61\xc2\xc5\x81\xbc\xf0\xdc\x3a\x09\xec\x54\x65\xd8\xb3\x95\x93\xb5\x1c\xb5\x68\xad\x67\xbf\x21\x9f\x28\xa6\x37\xf8\xb8\xf3\xaa\xe7\xb6\xcf\x31\x06\x9d\xa5\x51\xc5\xd9\x0a\x29\x7a\xb0\xcf\xed\xa5\x43\xa0\xf7\x62\xc8\x18\x5b\xab\xc4\x3a\x4c\x9b\xb3\xb0\x95\xc0\xee\x13\x96\xf8\xb1\xfd\x62\x19\xb3\x16\x13\xb7\x56\x0d\x30\x9f\x17\x3c\x80\x67\x3f\xb0\x85\x29\xfc\x8f\x17\x52\x91\xf9\x98\x56\xaf\x19\x8c\xf4\x7a\x32\xc7\x6d\xf6\xbe\x44\x94\x93\xe5\xa6\x6e\xb4\x66\x4b\x84\x22\x6c\xa1\xe2\xc8\xf2\x02\x9a\xde\x7d\x75\x31\x6b\x10\x4a\x34\x80\xfb\xf7\xd4\x50\x9d\x74\x8c\x36\xf6\x59\xf8\xf5\x27\x43\xfd\x07\x7f\xc7\xdf\x42", 154); *(uint8_t*)0x200000015876 = 0x4e; *(uint8_t*)0x200000015877 = 4; memcpy((void*)0x200000015878, "\x57\xfa\xd1\x47\xfa\x12\xcd\x27\x89\x6e\x4e\x92\xba\x1a\xd4\x05\x8c\x8d\x43\xec\x21\x50\xd8\x73\x2f\xc5\xae\x10\x5a\x17\x4e\xd8\x39\x42\xdc\xb7\x9a\x05\xb1\x0f\xd4\x95\x7d\xbc\x1a\xc0\x27\xa2\xdf\x57\x28\xb2\xb2\xbb\x9b\x5b\xc5\x1f\x9a\x8c\x88\xe9\xfa\x85\x11\x38\xc7\xcd\xd7\x62\x66\x41\x91\x1c\xbe\x0c", 76); *(uint8_t*)0x2000000158c4 = 9; *(uint8_t*)0x2000000158c5 = 5; *(uint8_t*)0x2000000158c6 = 0; *(uint8_t*)0x2000000158c7 = 0xc; *(uint16_t*)0x2000000158c8 = 8; *(uint8_t*)0x2000000158ca = 8; *(uint8_t*)0x2000000158cb = 0x20; *(uint8_t*)0x2000000158cc = 0xc; *(uint8_t*)0x2000000158cd = 7; *(uint8_t*)0x2000000158ce = 0x25; *(uint8_t*)0x2000000158cf = 1; *(uint8_t*)0x2000000158d0 = 4; *(uint8_t*)0x2000000158d1 = 6; *(uint16_t*)0x2000000158d2 = 0x101; *(uint8_t*)0x2000000158d4 = 7; 
*(uint8_t*)0x2000000158d5 = 0x25; *(uint8_t*)0x2000000158d6 = 1; *(uint8_t*)0x2000000158d7 = 8; *(uint8_t*)0x2000000158d8 = 0xfd; *(uint16_t*)0x2000000158d9 = 2; *(uint8_t*)0x2000000158db = 9; *(uint8_t*)0x2000000158dc = 5; *(uint8_t*)0x2000000158dd = 0xb; *(uint8_t*)0x2000000158de = 0xc; *(uint16_t*)0x2000000158df = 0x10; *(uint8_t*)0x2000000158e1 = 0xf0; *(uint8_t*)0x2000000158e2 = 3; *(uint8_t*)0x2000000158e3 = 9; *(uint8_t*)0x2000000158e4 = 9; *(uint8_t*)0x2000000158e5 = 5; *(uint8_t*)0x2000000158e6 = 2; *(uint8_t*)0x2000000158e7 = 2; *(uint16_t*)0x2000000158e8 = 0x7b7; *(uint8_t*)0x2000000158ea = 9; *(uint8_t*)0x2000000158eb = 2; *(uint8_t*)0x2000000158ec = 0x78; *(uint8_t*)0x2000000158ed = 7; *(uint8_t*)0x2000000158ee = 0x25; *(uint8_t*)0x2000000158ef = 1; *(uint8_t*)0x2000000158f0 = 4; *(uint8_t*)0x2000000158f1 = 2; *(uint16_t*)0x2000000158f2 = 0x6e8; *(uint8_t*)0x2000000158f4 = 9; *(uint8_t*)0x2000000158f5 = 5; *(uint8_t*)0x2000000158f6 = 0xe; *(uint8_t*)0x2000000158f7 = 0; *(uint16_t*)0x2000000158f8 = 8; *(uint8_t*)0x2000000158fa = 0xb6; *(uint8_t*)0x2000000158fb = 0x47; *(uint8_t*)0x2000000158fc = 1; *(uint8_t*)0x2000000158fd = 0xea; *(uint8_t*)0x2000000158fe = 0xd; memcpy((void*)0x2000000158ff, 
"\xd7\xee\xf8\xad\xff\x59\x3f\xef\x60\x12\x57\xeb\x29\xf1\x12\x3c\x0f\x04\xcf\x50\xd2\xf0\x65\xa5\x2a\xb8\x35\xd4\x04\x54\xac\x46\xb6\x63\x87\x38\xe9\x75\x3c\x66\x06\x2b\x76\xd4\x57\xd6\xb3\x63\xf7\xb7\x63\x4f\xea\xac\x71\x9c\x3e\x90\x0c\xce\xb8\xd9\x69\x21\x0b\x57\x3a\x62\xd4\x51\x64\x98\xd5\x98\xa6\x1e\x6f\xa5\xbb\xd0\xfd\x38\x6f\x9f\x1d\x7a\xfe\xf4\xdd\xbe\x39\x49\x5d\x6e\x55\x5d\x24\x55\x5b\xf1\xbf\xfe\x21\xfc\x47\x2a\xb2\xa8\xd5\xd0\xf8\xa6\x11\xab\x5a\x46\xae\x9b\x23\xbb\x6a\x6b\x36\x39\x46\xda\xfb\xb2\xe7\x41\xd3\x4f\xe4\x56\xf5\x81\x63\x32\xd7\x2d\x43\x5f\xbd\x1f\xae\x47\x63\x32\x5d\xac\x58\xc2\xde\x0a\x67\x27\x7e\x2d\x74\xfe\xf5\xd8\xba\x6d\xe1\x7c\x31\xd5\xc7\xfb\x01\xa1\x3d\x3b\xf0\x0c\x31\x13\x41\x6b\x72\xb3\xe2\xe0\xb8\x0b\x4a\xb9\xcd\xa7\x7d\x2d\xe3\xed\x36\x8f\xab\x48\x41\xfd\x62\xac\xf6\x6e\x43\x21\x21\xb5\xf5\xd7\xc8\xc0\x36\x66\x0d\x7a\x35\x10\x33\x15\x5e\x3e\xef\x2f\xf2\x0f\x2a\xed\x82\x41\xd1\x76", 232); *(uint8_t*)0x2000000159e7 = 9; *(uint8_t*)0x2000000159e8 = 5; *(uint8_t*)0x2000000159e9 = 0xe; *(uint8_t*)0x2000000159ea = 3; *(uint16_t*)0x2000000159eb = 0x200; *(uint8_t*)0x2000000159ed = -1; *(uint8_t*)0x2000000159ee = 0x62; *(uint8_t*)0x2000000159ef = 5; *(uint8_t*)0x2000000159f0 = 0x55; *(uint8_t*)0x2000000159f1 = 0x23; memcpy((void*)0x2000000159f2, "\xd5\x22\xb5\x6c\x6d\xde\x6a\x69\x8a\x23\xe1\x0e\x4f\xc0\x79\x8f\x87\xc9\x46\xfa\x28\x48\xc7\x17\xa9\xa3\x31\x38\xfd\xb3\x47\x57\x93\xc1\xb4\xd1\x72\x2b\x3b\xcc\x36\x38\x4d\x25\x89\xa2\x7e\x5f\x22\xb2\x89\x72\x7e\x23\xf0\x39\xff\xdf\x2a\xb2\x5d\xa6\x2c\x09\x2e\xd0\x1c\xb1\x51\xb0\xad\x8b\xa7\x75\x8c\x32\xab\xd0\x7f\x79\x51\x4e\xba", 83); *(uint8_t*)0x200000015a45 = 0x96; *(uint8_t*)0x200000015a46 = 8; memcpy((void*)0x200000015a47, 
"\x70\xf4\xe5\xb8\x33\x74\xf7\xb0\xde\x44\xec\x45\x10\x5a\xc3\x14\x02\x14\x0e\x17\x62\x14\x64\x1e\x37\x97\xba\x0a\xea\x40\x13\xe3\xe7\xc2\x87\x1f\x78\x52\x8a\x25\x6a\x22\x49\xdc\xad\x68\x4f\xd5\x77\xa4\x28\xa1\x4f\x44\x6c\xe9\xd7\xde\x49\x36\x4a\xa1\x63\xc6\x8d\xd1\xe4\xe2\x0c\x0a\xa9\x8a\x26\x35\x47\xf0\x7d\xae\x9c\x3e\x45\xff\xec\x5b\xdc\xcf\xb9\x0b\x1a\xd9\x05\x4d\xa6\x28\x66\x62\x6b\xfb\xc3\x94\xa1\xe9\xae\xc6\xb3\x00\x42\x0a\x61\x67\xe6\xe6\xef\x43\x96\xdf\xfb\x6b\xfc\x18\xd3\xb2\x53\x77\x89\x27\x04\x23\x86\x75\x35\xf7\x5b\x14\x54\xcc\x3b\x8a\x6a\xef\x5b\x65\xb9\x77\x41\x39\xad\xcf", 148); *(uint8_t*)0x200000015adb = 9; *(uint8_t*)0x200000015adc = 5; *(uint8_t*)0x200000015add = 0xc; *(uint8_t*)0x200000015ade = 0x10; *(uint16_t*)0x200000015adf = 0x20; *(uint8_t*)0x200000015ae1 = 8; *(uint8_t*)0x200000015ae2 = 1; *(uint8_t*)0x200000015ae3 = 8; *(uint8_t*)0x200000015ae4 = 9; *(uint8_t*)0x200000015ae5 = 5; *(uint8_t*)0x200000015ae6 = 0xd; *(uint8_t*)0x200000015ae7 = 0x10; *(uint16_t*)0x200000015ae8 = 0x400; *(uint8_t*)0x200000015aea = 3; *(uint8_t*)0x200000015aeb = 0x6d; *(uint8_t*)0x200000015aec = 7; *(uint8_t*)0x200000015aed = 0x85; *(uint8_t*)0x200000015aee = 0xe; memcpy((void*)0x200000015aef, "\x1a\x54\xb4\xa0\x79\x76\xe1\x6c\xec\x50\x7f\x7c\xfe\x00\xc9\x35\x99\xf9\xfd\xef\xaf\x8b\xf8\x6c\xb9\xae\x60\xf5\xe7\x42\x6c\x78\xb3\xe0\x1c\xc8\xca\xb0\xaa\xf0\x9d\xeb\xba\xcd\x78\x5c\x9d\xe3\xbb\x89\x55\x1d\x0a\x24\x1f\x2d\x65\x83\x0f\x53\x64\x75\x49\x91\xfe\xea\xd8\x7f\xe8\xc8\xb9\x28\xac\x16\x85\x3a\xe9\x59\xea\xc2\x7b\x59\xcc\xc8\x6d\x22\x44\x2c\xa6\x29\xd1\x20\xb1\xa0\x9c\xf1\x41\x84\xa9\xc4\x87\x3f\x74\xae\x74\x82\x01\xf5\xf4\xe6\x49\xe3\x72\x4c\x7d\xdb\x89\xf4\x58\x47\x2b\x28\x5f\x9c\x10\xea\x40\x39\x3f\x30\x60", 131); *(uint8_t*)0x200000015b72 = 9; *(uint8_t*)0x200000015b73 = 5; *(uint8_t*)0x200000015b74 = 9; *(uint8_t*)0x200000015b75 = 0; *(uint16_t*)0x200000015b76 = 8; *(uint8_t*)0x200000015b78 = 0xa; *(uint8_t*)0x200000015b79 = 7; *(uint8_t*)0x200000015b7a = 
2; *(uint8_t*)0x200000015b7b = 7; *(uint8_t*)0x200000015b7c = 0x25; *(uint8_t*)0x200000015b7d = 1; *(uint8_t*)0x200000015b7e = 0; *(uint8_t*)0x200000015b7f = 4; *(uint16_t*)0x200000015b80 = 0x4fb3; *(uint8_t*)0x200000015b82 = 9; *(uint8_t*)0x200000015b83 = 5; *(uint8_t*)0x200000015b84 = 7; *(uint8_t*)0x200000015b85 = 0x10; *(uint16_t*)0x200000015b86 = 0x3ff; *(uint8_t*)0x200000015b88 = 1; *(uint8_t*)0x200000015b89 = 0x88; *(uint8_t*)0x200000015b8a = 6; *(uint8_t*)0x200000015b8b = 9; *(uint8_t*)0x200000015b8c = 4; *(uint8_t*)0x200000015b8d = 0x10; *(uint8_t*)0x200000015b8e = 8; *(uint8_t*)0x200000015b8f = 0x10; *(uint8_t*)0x200000015b90 = -1; *(uint8_t*)0x200000015b91 = 0x5d; *(uint8_t*)0x200000015b92 = 0x81; *(uint8_t*)0x200000015b93 = 3; *(uint8_t*)0x200000015b94 = 0xb7; *(uint8_t*)0x200000015b95 = 0; memcpy((void*)0x200000015b96, "\xbe\xa8\xfd\xb5\x0e\x62\x4b\x76\x3d\xdd\xda\xf5\xed\x85\xd8\x17\x0c\xa8\x58\xcf\x74\xac\x67\x8e\xb5\x4d\x20\x45\xe5\xfb\xb2\x77\x21\x40\xe2\xcf\x18\x95\xcb\x69\x3a\x91\x4f\xfb\x89\x1c\xd2\xc9\x0d\x48\x27\xbc\xd3\x43\x59\xd7\x01\x07\x46\x2e\xad\x88\x9a\x6e\x4e\xd6\x96\x89\x35\xa8\x1a\x14\x7a\xc0\xcc\xc8\x1c\x38\xd6\x2d\x6a\x84\xcf\x50\x45\x52\xec\x37\xd6\x09\xb5\x47\x50\x18\xbd\xa1\x24\xc0\x9e\xa9\xf2\x13\x03\x86\x5f\xe4\x64\xab\xc3\x8c\xd8\x4a\xe4\x2d\xe3\x3e\x46\x91\x12\x7e\x2b\x85\x53\x83\x7d\x58\xcd\xa5\x1f\x11\xa0\x5a\x15\x38\xec\xff\x55\xe9\x0f\x34\xa1\xc5\x66\xc2\x34\xc0\x06\xd0\x0b\x50\xb4\xb2\x9e\x49\xb8\xd0\x90\xf5\xa2\x74\xae\x37\xe0\x3e\x49\x68\x2c\x44\xc2\xb1\xd9\xdb\x62\xf6\x32\x33\xf9\x67\x0c\xb2\xac", 181); *(uint8_t*)0x200000015c4b = 9; *(uint8_t*)0x200000015c4c = 5; *(uint8_t*)0x200000015c4d = 0xc; *(uint8_t*)0x200000015c4e = 0x10; *(uint16_t*)0x200000015c4f = 0x40; *(uint8_t*)0x200000015c51 = 9; *(uint8_t*)0x200000015c52 = 8; *(uint8_t*)0x200000015c53 = 2; *(uint8_t*)0x200000015c54 = 9; *(uint8_t*)0x200000015c55 = 5; *(uint8_t*)0x200000015c56 = 6; *(uint8_t*)0x200000015c57 = 2; *(uint16_t*)0x200000015c58 = 8; 
*(uint8_t*)0x200000015c5a = 3; *(uint8_t*)0x200000015c5b = 0x18; *(uint8_t*)0x200000015c5c = 0x1c; *(uint8_t*)0x200000015c5d = 0xf6; *(uint8_t*)0x200000015c5e = 0xc; memcpy((void*)0x200000015c5f, "\xd7\x72\x97\x11\x23\x6e\xb7\x89\x69\x91\xe6\xff\xe3\xdd\x76\x22\xe9\x6e\x2e\x7d\x17\x60\xab\x64\x52\x47\x2b\xba\xc1\xd0\x68\x61\xd9\xd4\x9e\x41\x00\x60\x6a\x22\x7d\x34\x2c\x61\x75\x94\x5a\xde\x9c\xc3\xf4\x6e\xc4\x62\x7f\x92\xca\xa5\xd7\x32\x27\xfa\xe7\xa3\x60\xd2\x5f\xac\x9e\x57\x44\x07\x3f\x0c\x05\x4c\x9a\x5b\x82\x58\xdd\x27\x9b\x73\x68\x76\x58\x4b\x90\x4d\x94\x3b\x23\xc2\x6d\x9e\x6b\xc2\xdd\x3b\x98\xf3\x62\x44\x15\x8c\x76\x0f\x0b\xf9\x75\x02\x91\x42\xb3\xf5\x8b\xb6\x3e\xc3\x76\xd7\xf5\xd9\x61\x18\x20\xd3\x80\xef\xd7\xde\x61\x63\xac\x8d\xc2\x71\x44\xe2\x1d\x92\xc9\x3f\xfe\xcc\x2d\x8c\x7b\x3b\xc5\xea\xd1\x81\x86\x3c\xd9\x6a\x0a\xbf\x28\x89\xeb\x10\xb6\x87\x91\x3f\xa8\x21\x4b\x89\xde\x11\xf5\x2b\x7d\x19\x36\xad\x9c\x1c\x45\xda\x86\xa1\x5e\x86\xb6\xc9\x06\x02\x91\xd8\x5b\x48\xeb\xc2\x34\x4d\xb8\xad\x8c\xc5\x2f\x79\xd4\xf0\x37\x7a\x89\x3b\x3d\xa6\x1c\xfc\x15\x13\xd2\xba\x95\x36\xd6\x19\x0d\xe8\x86\xa2\xd1\x8f\xf8\xab\x1f\x46\x3f\x15\x47\x1d\x7f\x96\xdc\x92\xd0\xac", 244); *(uint8_t*)0x200000015d53 = 9; *(uint8_t*)0x200000015d54 = 5; *(uint8_t*)0x200000015d55 = 7; *(uint8_t*)0x200000015d56 = 4; *(uint16_t*)0x200000015d57 = 0x20; *(uint8_t*)0x200000015d59 = 9; *(uint8_t*)0x200000015d5a = 2; *(uint8_t*)0x200000015d5b = 0x37; *(uint8_t*)0x200000015d5c = 9; *(uint8_t*)0x200000015d5d = 5; *(uint8_t*)0x200000015d5e = 0xf; *(uint8_t*)0x200000015d5f = 0x12; *(uint16_t*)0x200000015d60 = 8; *(uint8_t*)0x200000015d62 = 0xd; *(uint8_t*)0x200000015d63 = 6; *(uint8_t*)0x200000015d64 = 0xf; *(uint8_t*)0x200000015d65 = 0x40; *(uint8_t*)0x200000015d66 = 5; memcpy((void*)0x200000015d67, 
"\x71\xaf\xb2\x61\x7a\x61\xe7\x55\x29\xdd\xe0\xf3\x2f\xa6\xca\x4b\x85\x7a\x84\xb3\x12\x0b\x93\x61\x68\x64\x2c\x34\x04\x8f\x29\x2f\xc2\x7a\x3a\x8f\x1f\x74\x58\x0c\xdc\x36\xe9\xa4\x0b\x4f\xf6\x92\xf1\x32\x24\xb9\x14\xa8\x9f\xb7\x30\x85\x79\x3a\x5c\x22", 62); *(uint8_t*)0x200000015da5 = 9; *(uint8_t*)0x200000015da6 = 5; *(uint8_t*)0x200000015da7 = 0xd; *(uint8_t*)0x200000015da8 = 0xc; *(uint16_t*)0x200000015da9 = 0xf5f1; *(uint8_t*)0x200000015dab = 4; *(uint8_t*)0x200000015dac = 1; *(uint8_t*)0x200000015dad = 0; *(uint8_t*)0x200000015dae = 0x50; *(uint8_t*)0x200000015daf = 3; memcpy((void*)0x200000015db0, "\x17\xff\xd4\x73\xba\x28\xc3\x60\x59\x1f\x57\x1d\xc6\x0f\x13\x24\xd4\xa3\x4a\xb8\xd9\xd3\xc0\x68\x6c\x13\xa6\x1b\xda\x24\x64\xe1\x63\x54\x23\xeb\xf4\xed\x34\x03\x7b\xab\x62\xfd\x30\xa8\xdd\x0a\x89\xf1\xbc\xbf\xf3\xaf\x4f\x0c\x98\x9d\xdb\x6f\x03\x76\x0a\xe7\x6f\x63\xff\xdc\xbf\xbb\xfe\xe9\xa1\x35\x25\x73\x14\xaa", 78); *(uint8_t*)0x200000015dfe = 9; *(uint8_t*)0x200000015dff = 5; *(uint8_t*)0x200000015e00 = 6; *(uint8_t*)0x200000015e01 = 0; *(uint16_t*)0x200000015e02 = 8; *(uint8_t*)0x200000015e04 = 0x2d; *(uint8_t*)0x200000015e05 = 0x10; *(uint8_t*)0x200000015e06 = 0xba; *(uint8_t*)0x200000015e07 = 9; *(uint8_t*)0x200000015e08 = 5; *(uint8_t*)0x200000015e09 = 0xe; *(uint8_t*)0x200000015e0a = 0; *(uint16_t*)0x200000015e0b = 0x10; *(uint8_t*)0x200000015e0d = 8; *(uint8_t*)0x200000015e0e = 7; *(uint8_t*)0x200000015e0f = 0xac; *(uint8_t*)0x200000015e10 = 9; *(uint8_t*)0x200000015e11 = 5; *(uint8_t*)0x200000015e12 = 0xa; *(uint8_t*)0x200000015e13 = 8; *(uint16_t*)0x200000015e14 = 0x20; *(uint8_t*)0x200000015e16 = 9; *(uint8_t*)0x200000015e17 = 0x7c; *(uint8_t*)0x200000015e18 = 1; *(uint8_t*)0x200000015e19 = 7; *(uint8_t*)0x200000015e1a = 0x25; *(uint8_t*)0x200000015e1b = 1; *(uint8_t*)0x200000015e1c = 8; *(uint8_t*)0x200000015e1d = 9; *(uint16_t*)0x200000015e1e = 4; *(uint8_t*)0x200000015e20 = 9; *(uint8_t*)0x200000015e21 = 5; *(uint8_t*)0x200000015e22 = 0xb; 
*(uint8_t*)0x200000015e23 = 0x10; *(uint16_t*)0x200000015e24 = 0x3ff; *(uint8_t*)0x200000015e26 = 1; *(uint8_t*)0x200000015e27 = 4; *(uint8_t*)0x200000015e28 = 0xbd; *(uint8_t*)0x200000015e29 = 9; *(uint8_t*)0x200000015e2a = 5; *(uint8_t*)0x200000015e2b = 7; *(uint8_t*)0x200000015e2c = 3; *(uint16_t*)0x200000015e2d = 0x20; *(uint8_t*)0x200000015e2f = 6; *(uint8_t*)0x200000015e30 = 0xf; *(uint8_t*)0x200000015e31 = 0xe; *(uint8_t*)0x200000015e32 = 9; *(uint8_t*)0x200000015e33 = 5; *(uint8_t*)0x200000015e34 = 0xd; *(uint8_t*)0x200000015e35 = 0x10; *(uint16_t*)0x200000015e36 = 0x7f7; *(uint8_t*)0x200000015e38 = 4; *(uint8_t*)0x200000015e39 = 0x1c; *(uint8_t*)0x200000015e3a = 1; *(uint8_t*)0x200000015e3b = 9; *(uint8_t*)0x200000015e3c = 5; *(uint8_t*)0x200000015e3d = 0; *(uint8_t*)0x200000015e3e = 0; *(uint16_t*)0x200000015e3f = 0x5f33; *(uint8_t*)0x200000015e41 = 0x40; *(uint8_t*)0x200000015e42 = 6; *(uint8_t*)0x200000015e43 = 0x81; *(uint8_t*)0x200000015e44 = 0x54; *(uint8_t*)0x200000015e45 = 9; memcpy((void*)0x200000015e46, "\x22\xa0\x3d\x11\x7e\xdd\x7f\xf8\x02\xcd\xb5\x09\xb4\x9c\xf0\x7b\x18\x84\xa5\xd0\x6a\x28\x72\xff\xdd\x1f\x6a\x97\x4c\x05\x74\x87\x1d\x68\xb2\xfd\x80\xb9\xdd\xe5\x57\xda\x7e\xec\x4d\x7f\x27\x78\xa5\xc3\xa4\xbb\xef\x51\x9d\x15\x8a\x59\xf1\x52\xfe\x19\xf5\x98\xe4\x33\x60\xf8\xa2\x4a\xa9\x73\xc5\x6f\x46\xc4\xa6\x8a\x27\x3a\x1f\xc4", 82); *(uint8_t*)0x200000015e98 = 9; *(uint8_t*)0x200000015e99 = 5; *(uint8_t*)0x200000015e9a = 0xf; *(uint8_t*)0x200000015e9b = 0x10; *(uint16_t*)0x200000015e9c = 8; *(uint8_t*)0x200000015e9e = 5; *(uint8_t*)0x200000015e9f = 0x38; *(uint8_t*)0x200000015ea0 = 1; *(uint8_t*)0x200000015ea1 = 9; *(uint8_t*)0x200000015ea2 = 5; *(uint8_t*)0x200000015ea3 = 4; *(uint8_t*)0x200000015ea4 = 0x10; *(uint16_t*)0x200000015ea5 = 0x10; *(uint8_t*)0x200000015ea7 = 4; *(uint8_t*)0x200000015ea8 = 2; *(uint8_t*)0x200000015ea9 = 7; *(uint8_t*)0x200000015eaa = 0xda; *(uint8_t*)0x200000015eab = 0x26; memcpy((void*)0x200000015eac, 
"\x32\x16\x2d\x9c\xff\xd7\x54\x8d\xdc\x15\x24\xc6\x65\x1f\xa1\x12\xcb\x83\x99\xeb\x7d\xaa\x74\x6a\xf4\xa3\xf4\x58\x15\x9b\xd8\xa4\x87\xda\xde\x32\x17\xae\x32\x24\x61\x5d\x50\xba\x56\x43\x30\x19\x52\xfd\xd0\x82\xab\x52\xf6\x4e\xb3\x8b\xdd\xcf\x02\xb0\x67\x28\xa3\xbf\x4f\x73\xd3\xb7\x80\xa3\xa5\x80\x4b\xad\x04\xec\xc2\x27\x87\x69\x0f\x67\x25\x76\x74\xf7\x28\xb1\x02\x31\xba\x2d\xb8\x3c\xb4\xeb\x84\x1e\x55\x23\xeb\x43\xf3\x48\x2d\x3e\xc3\x3c\xb8\x18\x7b\x87\xaa\x08\xa2\x1e\x94\xe0\x39\x4a\x1e\xe8\xd8\xf0\xcc\x08\x89\x10\xab\xa4\xdb\xe5\xfe\xef\xc2\x45\x38\x0f\xf1\x44\x3e\x3a\x97\xbd\x4d\x5a\xdd\xd0\x1f\x11\x26\xd4\xb7\x0a\xbc\xbb\xe1\x40\x71\x6a\x1c\x66\xda\xc6\x1f\x66\x51\x4f\xce\xbe\x67\x64\x7b\x43\xbb\xd8\xe8\x48\x33\x3f\xf9\x95\x7e\xba\xac\xe9\xd0\x57\xb6\x27\xa6\x67\xe6\xf5\x1d\xae\xac\x30\x2b\x21\x29\xc2\x6d\x41\x5b\xc9\xa2\xee\x74\x95\xb3\x31\xb7\xda", 216); *(uint8_t*)0x200000015f84 = 7; *(uint8_t*)0x200000015f85 = 0x25; *(uint8_t*)0x200000015f86 = 1; *(uint8_t*)0x200000015f87 = 0; *(uint8_t*)0x200000015f88 = 7; *(uint16_t*)0x200000015f89 = 1; *(uint8_t*)0x200000015f8b = 9; *(uint8_t*)0x200000015f8c = 5; *(uint8_t*)0x200000015f8d = 3; *(uint8_t*)0x200000015f8e = 1; *(uint16_t*)0x200000015f8f = 0x40; *(uint8_t*)0x200000015f91 = 8; *(uint8_t*)0x200000015f92 = 7; *(uint8_t*)0x200000015f93 = 5; *(uint8_t*)0x200000015f94 = 9; *(uint8_t*)0x200000015f95 = 5; *(uint8_t*)0x200000015f96 = 0xb; *(uint8_t*)0x200000015f97 = 0x10; *(uint16_t*)0x200000015f98 = 0x40; *(uint8_t*)0x200000015f9a = 0xfe; *(uint8_t*)0x200000015f9b = 0; *(uint8_t*)0x200000015f9c = 0xd; *(uint8_t*)0x200000015f9d = 0xe1; *(uint8_t*)0x200000015f9e = 0x24; memcpy((void*)0x200000015f9f, 
"\x66\xc9\x68\xf6\x7f\x56\xd0\xab\x89\xd6\x81\x9c\x67\xd1\xd6\xc2\x15\xd2\xf3\xcf\x61\x5b\x37\x02\x8d\xb2\x69\xd9\x36\x08\xcd\xf0\x70\x41\x18\xe0\xdd\xbf\x97\x16\x6c\x27\xaf\xb5\x1a\x13\x2c\xd7\x0f\x0f\xa3\xb7\xad\x5e\xe3\xa4\x41\x02\x7a\x74\x12\x27\x81\xab\x0f\x1c\xe5\xfe\x7b\xd1\x15\x3c\x8f\xfc\xcd\x3e\xf1\x09\x21\x3f\x20\xd2\xba\xfd\x0e\x33\x1a\xbc\x5c\xd1\xfb\x54\x80\x9a\x06\xc8\xfa\x60\xa9\xf0\xfc\x8e\x11\x3f\x31\x8c\x3a\x7f\x7b\xc6\xfa\xbe\x19\x30\x94\xec\x49\x3d\x24\x6c\xbd\x70\x2b\xf0\x19\x79\x6a\x88\x72\xb3\xc4\x02\x34\xd8\xe9\x07\x31\xb2\xdf\xf8\x8a\x1f\x0c\x4f\x17\x86\xa1\x90\xeb\x16\x65\x1e\x3a\xc4\x5e\xdb\x14\xd9\xfb\x89\x86\x44\xbe\xd6\x15\x76\xbd\x7a\x9f\xd9\x0c\x52\x17\x21\x7f\x6b\x9a\xed\x19\xd4\xa2\x2b\xff\x48\x2d\x05\x8e\x60\x3d\x2a\x0c\xdc\x48\xb1\xb2\x71\xb7\x9b\x1e\x25\xd7\xfe\x6b\xb8\x20\x50\x6e\x48\x57\x9a\x78\xaf\x99\xe7\xe9\x42\x9b\xcd\x4b\x07\xbc\x01\x34", 223); *(uint8_t*)0x20000001607e = 0x40; *(uint8_t*)0x20000001607f = 5; memcpy((void*)0x200000016080, "\x8f\x82\xcc\x05\xdf\x67\x73\x41\x41\xe3\x56\xe9\x36\xa6\xe0\xa7\x24\x7a\xc2\x3b\x30\x90\x0c\x5f\xc4\x14\x8a\x14\x99\x0b\x50\x04\x68\x6d\xe6\xca\xce\x04\xad\xe3\x50\xf0\x4a\x3d\x07\x8c\x39\x10\xf7\xdb\xa4\x92\xaf\x85\xda\x64\x94\x32\xe2\x6a\x78\x54", 62); *(uint8_t*)0x2000000160be = 9; *(uint8_t*)0x2000000160bf = 4; *(uint8_t*)0x2000000160c0 = 0x88; *(uint8_t*)0x2000000160c1 = 1; *(uint8_t*)0x2000000160c2 = 8; *(uint8_t*)0x2000000160c3 = 0xeb; *(uint8_t*)0x2000000160c4 = 0x43; *(uint8_t*)0x2000000160c5 = 0x23; *(uint8_t*)0x2000000160c6 = 4; *(uint8_t*)0x2000000160c7 = 9; *(uint8_t*)0x2000000160c8 = 5; *(uint8_t*)0x2000000160c9 = 0xc; *(uint8_t*)0x2000000160ca = 0; *(uint16_t*)0x2000000160cb = 0x40; *(uint8_t*)0x2000000160cd = 8; *(uint8_t*)0x2000000160ce = 8; *(uint8_t*)0x2000000160cf = 5; *(uint8_t*)0x2000000160d0 = 9; *(uint8_t*)0x2000000160d1 = 5; *(uint8_t*)0x2000000160d2 = 0; *(uint8_t*)0x2000000160d3 = 0x10; *(uint16_t*)0x2000000160d4 = 0x20; *(uint8_t*)0x2000000160d6 = 0x9a; 
*(uint8_t*)0x2000000160d7 = 0x5f; *(uint8_t*)0x2000000160d8 = 7; *(uint8_t*)0x2000000160d9 = 7; *(uint8_t*)0x2000000160da = 0x25; *(uint8_t*)0x2000000160db = 1; *(uint8_t*)0x2000000160dc = 0; *(uint8_t*)0x2000000160dd = 0x81; *(uint16_t*)0x2000000160de = 4; *(uint8_t*)0x2000000160e0 = 7; *(uint8_t*)0x2000000160e1 = 0x25; *(uint8_t*)0x2000000160e2 = 1; *(uint8_t*)0x2000000160e3 = 0xc; *(uint8_t*)0x2000000160e4 = 0xf9; *(uint16_t*)0x2000000160e5 = 2; *(uint8_t*)0x2000000160e7 = 9; *(uint8_t*)0x2000000160e8 = 5; *(uint8_t*)0x2000000160e9 = 0xb; *(uint8_t*)0x2000000160ea = 0x10; *(uint16_t*)0x2000000160eb = 0x40; *(uint8_t*)0x2000000160ed = 7; *(uint8_t*)0x2000000160ee = 1; *(uint8_t*)0x2000000160ef = 2; *(uint8_t*)0x2000000160f0 = 7; *(uint8_t*)0x2000000160f1 = 0x25; *(uint8_t*)0x2000000160f2 = 1; *(uint8_t*)0x2000000160f3 = 4; *(uint8_t*)0x2000000160f4 = 6; *(uint16_t*)0x2000000160f5 = 1; *(uint8_t*)0x2000000160f7 = 7; *(uint8_t*)0x2000000160f8 = 0x25; *(uint8_t*)0x2000000160f9 = 1; *(uint8_t*)0x2000000160fa = 0xc; *(uint8_t*)0x2000000160fb = 0xd; *(uint16_t*)0x2000000160fc = 0x103; *(uint8_t*)0x2000000160fe = 9; *(uint8_t*)0x2000000160ff = 5; *(uint8_t*)0x200000016100 = 0xb; *(uint8_t*)0x200000016101 = 0xc; *(uint16_t*)0x200000016102 = 0x3ff; *(uint8_t*)0x200000016104 = 0xa9; *(uint8_t*)0x200000016105 = 1; *(uint8_t*)0x200000016106 = 6; *(uint8_t*)0x200000016107 = 0xfb; *(uint8_t*)0x200000016108 = 0x2c; memcpy((void*)0x200000016109, 
"\xdf\x60\xd2\x33\x06\x38\x67\xe6\x38\xf4\xac\x47\x4e\x68\x5f\xef\x8f\x86\x15\x57\xd0\xa3\x15\x66\xd5\x8b\xde\x1f\x04\xa1\x13\xf6\xcb\x64\xc9\x60\x56\xa8\x16\x85\xa6\xdf\xa2\x97\x8a\x60\xc2\xd9\x4e\x45\x0f\x66\x75\xe3\x8b\x44\xc9\x6b\xfb\xff\x6c\x5f\x37\x46\x60\x93\x46\x49\x74\x83\xdf\xc8\xac\x21\x27\x36\x2c\xdb\xda\xa0\x25\x39\x51\xa1\x82\x27\x21\x83\xf4\x56\xaa\xe2\xbd\x12\xb2\x92\xc6\x09\xe8\xe1\x4b\x4f\x8c\x18\x53\xe0\xd8\x7e\x0c\x31\x79\xc8\xbe\x7b\x07\x30\x72\x1b\xb3\x01\x59\x04\x08\x26\xf0\x93\x51\x0c\xe0\x22\x58\x76\x91\x62\x7b\x23\x6a\x66\x21\x56\x20\x41\x8d\xf3\x34\xd2\x8d\x1d\x14\xf0\xca\x3b\x9f\x4f\xcf\xf0\x6b\xa2\x49\xdd\x19\x50\x81\x98\x50\x3a\x2c\x2c\xd4\xf3\xab\xda\xdb\xd4\xf1\xac\xe4\xe6\x27\xbe\xc9\x72\x99\xa0\x02\x28\xe0\x9c\x06\x4e\x5f\x34\x2e\x00\xd8\xc8\xf2\xd5\xb1\xfb\x56\x48\x5e\x73\x6a\x87\xdc\xfe\x51\x0c\x21\x86\x32\x72\x91\x22\xa4\xeb\x5d\x5b\x5d\x81\xdf\x8b\xe5\x85\x27\x18\x3e\x48\xf7\x60\xb8\x5c\x59\x9f\x88\x13\xf8\x9d\x70\x6a\xf7\xb2\x2f\x77\xd6\x8d\xc1", 249); *(uint8_t*)0x200000016202 = 0x6b; *(uint8_t*)0x200000016203 = 4; memcpy((void*)0x200000016204, "\x07\xec\xe0\x65\x86\xe0\x15\x05\xf1\x26\xe0\xdb\x2e\xd1\xac\x18\xb5\x75\x49\xf0\x80\xd7\x41\xf3\x8b\x0c\xce\xc6\xba\x03\x4d\x09\x64\x29\x40\x56\x19\xd0\x1a\xf4\x35\xc8\x09\x2b\xe0\xe9\xc4\xa9\x3c\x1b\x64\x7e\x7c\x7f\x14\xf0\x5e\xff\xf3\x05\xd2\xb8\x5d\x51\xfe\xdf\xf7\x50\xb8\x7e\x59\x90\xd0\x28\xfd\x33\x86\x45\x02\x9b\xd9\xed\x95\xe0\x03\x05\xac\xce\x8b\x89\x9a\x78\x6d\xbf\x30\x89\x5b\xe0\x31\x48\xa7\xa1\xe3\xbf\x25", 105); *(uint8_t*)0x20000001626d = 9; *(uint8_t*)0x20000001626e = 5; *(uint8_t*)0x20000001626f = 6; *(uint8_t*)0x200000016270 = 8; *(uint16_t*)0x200000016271 = 0x400; *(uint8_t*)0x200000016273 = 3; *(uint8_t*)0x200000016274 = 5; *(uint8_t*)0x200000016275 = -1; *(uint8_t*)0x200000016276 = 9; *(uint8_t*)0x200000016277 = 5; *(uint8_t*)0x200000016278 = 0xa; *(uint8_t*)0x200000016279 = 0x10; *(uint16_t*)0x20000001627a = 0x200; *(uint8_t*)0x20000001627c = 6; 
*(uint8_t*)0x20000001627d = 0x14; *(uint8_t*)0x20000001627e = 6; *(uint8_t*)0x20000001627f = 7; *(uint8_t*)0x200000016280 = 0x25; *(uint8_t*)0x200000016281 = 1; *(uint8_t*)0x200000016282 = 0xc; *(uint8_t*)0x200000016283 = 9; *(uint16_t*)0x200000016284 = 4; *(uint8_t*)0x200000016286 = 9; *(uint8_t*)0x200000016287 = 5; *(uint8_t*)0x200000016288 = 5; *(uint8_t*)0x200000016289 = 8; *(uint16_t*)0x20000001628a = 0x210; *(uint8_t*)0x20000001628c = 0xe8; *(uint8_t*)0x20000001628d = 5; *(uint8_t*)0x20000001628e = 3; *(uint8_t*)0x20000001628f = 9; *(uint8_t*)0x200000016290 = 5; *(uint8_t*)0x200000016291 = 0xa; *(uint8_t*)0x200000016292 = 8; *(uint16_t*)0x200000016293 = 0x10; *(uint8_t*)0x200000016295 = 0x64; *(uint8_t*)0x200000016296 = 8; *(uint8_t*)0x200000016297 = 0xe; *(uint8_t*)0x200000016298 = 7; *(uint8_t*)0x200000016299 = 0x25; *(uint8_t*)0x20000001629a = 1; *(uint8_t*)0x20000001629b = 4; *(uint8_t*)0x20000001629c = 5; *(uint16_t*)0x20000001629d = 2; *(uint32_t*)0x200000016780 = 0xa; *(uint64_t*)0x200000016784 = 0x2000000162c0; *(uint8_t*)0x2000000162c0 = 0xa; *(uint8_t*)0x2000000162c1 = 6; *(uint16_t*)0x2000000162c2 = 0x201; *(uint8_t*)0x2000000162c4 = 3; *(uint8_t*)0x2000000162c5 = 8; *(uint8_t*)0x2000000162c6 = -1; *(uint8_t*)0x2000000162c7 = 0x20; *(uint8_t*)0x2000000162c8 = 0x10; *(uint8_t*)0x2000000162c9 = 0; *(uint32_t*)0x20000001678c = 0x28; *(uint64_t*)0x200000016790 = 0x200000016300; *(uint8_t*)0x200000016300 = 5; *(uint8_t*)0x200000016301 = 0xf; *(uint16_t*)0x200000016302 = 0x28; *(uint8_t*)0x200000016304 = 4; *(uint8_t*)0x200000016305 = 0xb; *(uint8_t*)0x200000016306 = 0x10; *(uint8_t*)0x200000016307 = 1; *(uint8_t*)0x200000016308 = 0xc; *(uint16_t*)0x200000016309 = 1; *(uint8_t*)0x20000001630b = 7; *(uint8_t*)0x20000001630c = 7; *(uint16_t*)0x20000001630d = 6; *(uint8_t*)0x20000001630f = -1; *(uint8_t*)0x200000016310 = 3; *(uint8_t*)0x200000016311 = 0x10; *(uint8_t*)0x200000016312 = 0xb; *(uint8_t*)0x200000016313 = 0xb; *(uint8_t*)0x200000016314 = 0x10; 
*(uint8_t*)0x200000016315 = 1; *(uint8_t*)0x200000016316 = 2; *(uint16_t*)0x200000016317 = 0x61; *(uint8_t*)0x200000016319 = -1; *(uint8_t*)0x20000001631a = 0xf; *(uint16_t*)0x20000001631b = 6; *(uint8_t*)0x20000001631d = 5; *(uint8_t*)0x20000001631e = 0xa; *(uint8_t*)0x20000001631f = 0x10; *(uint8_t*)0x200000016320 = 3; *(uint8_t*)0x200000016321 = 2; *(uint16_t*)0x200000016322 = 1; *(uint8_t*)0x200000016324 = 3; *(uint8_t*)0x200000016325 = 0xb; *(uint16_t*)0x200000016326 = 0x100; *(uint32_t*)0x200000016798 = 7; *(uint32_t*)0x20000001679c = 4; *(uint64_t*)0x2000000167a0 = 0x200000016340; *(uint8_t*)0x200000016340 = 4; *(uint8_t*)0x200000016341 = 3; *(uint16_t*)0x200000016342 = 0x457; *(uint32_t*)0x2000000167a8 = 0xff; *(uint64_t*)0x2000000167ac = 0x200000016380; *(uint8_t*)0x200000016380 = -1; *(uint8_t*)0x200000016381 = 3; memcpy((void*)0x200000016382, "\x85\xa7\x64\xd8\x29\x53\x29\x17\xb6\x64\x7a\x68\xa2\x49\xb2\x52\xf0\x1a\x99\xf8\x87\x67\xa2\xe9\xf1\x3a\xee\xfa\xb3\x9c\xf6\xa4\x05\x49\x7e\x32\x44\x29\x4b\x1b\xd4\x85\xc0\xec\x99\x33\x86\x40\xa5\x08\xfa\xbb\xf1\x1e\x0f\xd6\xa0\x3b\xcc\x9c\xeb\xaf\x83\x03\x7a\xa7\x73\x97\xcb\xdf\x09\x11\xc8\xdf\xb8\x42\xf6\x2f\x94\x76\x6a\xa4\x45\x92\x57\x73\xc4\xf7\xc6\x70\x1b\xe8\xa0\x56\x73\xaf\xe9\x5c\xf1\x9c\x27\x9a\xc6\x2f\xd2\x72\x0e\xd2\xda\xe6\x89\x37\x1c\x51\x51\xbf\x6b\x9e\x77\x27\xf8\xf4\x97\x09\x1c\x3a\xaa\x90\x2f\x81\xe4\x4c\x51\x73\xac\xf2\x21\x52\xfc\xbc\x4d\x72\xa7\x5e\x9a\xb4\xba\xdc\x67\x88\xb2\xfd\xbb\x7e\x34\xb2\x02\xe0\xe7\x1f\xeb\x1c\xc9\xb1\xca\x79\x1e\x92\x37\x4c\xfc\x63\xcc\x7d\xb5\x64\x85\x91\x77\x8b\xfc\x19\x48\xf9\xda\xd9\xb7\xfe\x74\xa5\x88\xdd\xc9\xad\x49\x99\x93\x06\x26\x66\xb3\xe0\xdf\x0a\xca\xa6\x78\x02\xad\x37\xa8\x6f\xcb\x41\x1a\x22\x30\xbd\xd4\x3f\xe8\x61\x0f\x29\xc1\x51\x79\xbf\x42\x9f\x81\x87\x6e\xe9\x0b\x7d\x35\xa2\x26\x3f\x91\xeb\x8d\x3c\x7c\x87\xc4\x66\x00\xb4\x52\x82\xee", 253); *(uint32_t*)0x2000000167b4 = 4; *(uint64_t*)0x2000000167b8 = 0x200000016480; *(uint8_t*)0x200000016480 = 4; 
*(uint8_t*)0x200000016481 = 3; *(uint16_t*)0x200000016482 = 0x8406; *(uint32_t*)0x2000000167c0 = 0x49; *(uint64_t*)0x2000000167c4 = 0x2000000164c0; *(uint8_t*)0x2000000164c0 = 0x49; *(uint8_t*)0x2000000164c1 = 3; memcpy((void*)0x2000000164c2, "\xcb\x9d\x5f\x1c\x5f\xbc\x94\x74\xd5\x9f\xfa\x54\xa9\x2b\xa7\xaf\xf9\x7b\x2f\x65\xab\xf4\x8a\xad\x8e\x2b\x09\xb6\x0a\x5d\xc2\x74\x4b\x25\x0f\xe7\x52\x90\x97\xbf\xbb\x2b\xcf\x99\xd0\x54\x8a\x03\x4f\xb7\xae\xca\xf8\xdd\x80\x84\x95\xbe\x13\x2e\x1b\x8c\x84\xab\xe5\x33\x75\xdc\xf5\x40\xd5", 71); *(uint32_t*)0x2000000167cc = 4; *(uint64_t*)0x2000000167d0 = 0x200000016540; *(uint8_t*)0x200000016540 = 4; *(uint8_t*)0x200000016541 = 3; *(uint16_t*)0x200000016542 = 0x407; *(uint32_t*)0x2000000167d8 = 0x102; *(uint64_t*)0x2000000167dc = 0x200000016580; *(uint8_t*)0x200000016580 = 2; *(uint8_t*)0x200000016581 = 3; memcpy((void*)0x200000016582, "\x04\xdd\xeb\x57\xb5\x07\x2b\x0d\xc9\xdc\x62\x4c\xf2\x79\x2d\xaa\xc5\x35\xb0\x25\x70\xdb\xb7\x01\xe1\xdb\x0e\x6c\x25\xd6\x80\xf0\x7b\x51\x7f\x65\x82\x12\x5b\xaa\x7a\x78\x49\xeb\x0b\x11\x13\x0e\x00\x24\xef\xe8\xa1\xc9\x51\x36\x3b\xf4\x7a\x68\xfb\x5b\xd9\xac\xf1\x85\xae\xa1\x62\x73\x81\xf5\x03\x43\xcb\x4b\xb8\xd7\x17\x51\x31\xf2\xae\x52\xa8\x42\xdb\x75\x39\x04\xd3\x05\x1a\x0a\xb0\x82\x60\x85\x60\xe8\xac\x66\xb8\x7d\xdd\xbb\x9f\xa3\x51\x4a\x31\xe5\x59\x51\x70\xe3\xd2\x1c\x01\x8b\x37\x85\x59\x92\xa2\xa4\xb3\x48\xde\x99\x46\x9b\x63\xf5\x43\x8e\x24\x0e\x23\xcf\xe0\xa2\x6d\x30\xa9\x1d\x95\x36\x91\xd7\x41\xb9\xd5\xd8\x5d\xab\x27\xd4\x0d\xa7\x1f\xc9\xd8\x67\x7b\x0d\xc3\xe1\xd6\x06\x0d\x0d\x98\xa7\x13\x00\xd3\x74\xe7\xbd\x55\x0f\x6a\x57\xb6\xfc\xd4\x44\x31\x3f\x37\x36\x7f\x5b\x55\xc2\x0f\x1a\x2d\x44\x86\x1e\x8a\x1a\x36\xbc\xdc\x76\x9f\xfc\x14\x6b\xb7\x1a\xb5\x84\x6d\xcb\x82\x31\x24\x7f\x16\x36\x48\x3d\xab\xb7\x10\xd0\x74\xfd\x2b\x80\x18\xd4\xc3\x56\xd1\x82\x5b\xb1\x7b\xf9\x63\x27\xe9\x6e\xe8\x67\x58\x32\x43\xe8\x25\x4e", 256); *(uint32_t*)0x2000000167e4 = 0x9e; *(uint64_t*)0x2000000167e8 = 0x2000000166c0; 
*(uint8_t*)0x2000000166c0 = 0x9e; *(uint8_t*)0x2000000166c1 = 3; memcpy((void*)0x2000000166c2, "\xef\x2a\x4e\x82\x9a\x0f\x6c\xdb\x32\xa4\x49\xbb\xa1\xd4\x8f\x5d\xfe\x86\x5e\x51\xf2\x28\x7e\x21\x77\x39\x1a\x43\xf9\xbb\xf1\xca\x78\xd5\x73\xf2\x00\xea\xe4\x0c\x60\xa2\x1d\xdc\x2a\xd4\x82\xdf\x2a\x85\xf2\x75\x59\x81\x5b\xb4\xeb\xca\x56\x05\x30\xb8\x65\x53\x45\x0e\xe3\x8e\xae\xb8\x71\x2f\x6b\x77\xc1\x4d\x47\xf8\x5d\x8b\xbf\x64\x1e\x1d\x9e\x09\xfa\x1e\x2b\xe5\xe9\x2c\x18\x7c\xe5\x6e\xf9\x94\x9a\xe1\xd8\x7c\xfb\xfe\x0e\xa1\xba\x9f\x9b\x2f\xf0\x18\x2d\x4b\x05\xce\x50\x68\x91\xc5\xa3\x47\xee\x33\xcc\xf9\xce\x7d\x86\xd7\xdd\xf2\xbf\x38\x57\x4d\x21\xd9\x65\x4b\xbe\x80\x65\x86\x80\xbe\xf5\x58\x9e\x2d\xb6\x07\x2d\x9f\xd0\xfd", 156); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0xd9f, /*dev=*/0x200000015500, /*conn_descs=*/0x200000016780); if (res != -1) r[27] = res; break; case 51: *(uint8_t*)0x200000016800 = 0x12; *(uint8_t*)0x200000016801 = 1; *(uint16_t*)0x200000016802 = 0x200; *(uint8_t*)0x200000016804 = -1; *(uint8_t*)0x200000016805 = -1; *(uint8_t*)0x200000016806 = -1; *(uint8_t*)0x200000016807 = 0x40; *(uint16_t*)0x200000016808 = 0xcf3; *(uint16_t*)0x20000001680a = 0x9271; *(uint16_t*)0x20000001680c = 0x108; *(uint8_t*)0x20000001680e = 1; *(uint8_t*)0x20000001680f = 2; *(uint8_t*)0x200000016810 = 3; *(uint8_t*)0x200000016811 = 1; *(uint8_t*)0x200000016812 = 9; *(uint8_t*)0x200000016813 = 2; *(uint16_t*)0x200000016814 = 0x48; *(uint8_t*)0x200000016816 = 1; *(uint8_t*)0x200000016817 = 1; *(uint8_t*)0x200000016818 = 0; *(uint8_t*)0x200000016819 = 0x80; *(uint8_t*)0x20000001681a = 0xfa; *(uint8_t*)0x20000001681b = 9; *(uint8_t*)0x20000001681c = 4; *(uint8_t*)0x20000001681d = 0; *(uint8_t*)0x20000001681e = 0; *(uint8_t*)0x20000001681f = 6; *(uint8_t*)0x200000016820 = -1; *(uint8_t*)0x200000016821 = 0; *(uint8_t*)0x200000016822 = 0; *(uint8_t*)0x200000016823 = 0; *(uint8_t*)0x200000016824 = 9; *(uint8_t*)0x200000016825 = 5; *(uint8_t*)0x200000016826 = 
1; *(uint8_t*)0x200000016827 = 2; *(uint16_t*)0x200000016828 = 0x200; *(uint8_t*)0x20000001682a = 0; *(uint8_t*)0x20000001682b = 0; *(uint8_t*)0x20000001682c = 0; *(uint8_t*)0x20000001682d = 9; *(uint8_t*)0x20000001682e = 5; *(uint8_t*)0x20000001682f = 0x82; *(uint8_t*)0x200000016830 = 2; *(uint16_t*)0x200000016831 = 0x200; *(uint8_t*)0x200000016833 = 0; *(uint8_t*)0x200000016834 = 0; *(uint8_t*)0x200000016835 = 0; *(uint8_t*)0x200000016836 = 9; *(uint8_t*)0x200000016837 = 5; *(uint8_t*)0x200000016838 = 0x83; *(uint8_t*)0x200000016839 = 3; *(uint16_t*)0x20000001683a = 0x40; *(uint8_t*)0x20000001683c = 1; *(uint8_t*)0x20000001683d = 0; *(uint8_t*)0x20000001683e = 0; *(uint8_t*)0x20000001683f = 9; *(uint8_t*)0x200000016840 = 5; *(uint8_t*)0x200000016841 = 4; *(uint8_t*)0x200000016842 = 3; *(uint16_t*)0x200000016843 = 0x40; *(uint8_t*)0x200000016845 = 1; *(uint8_t*)0x200000016846 = 0; *(uint8_t*)0x200000016847 = 0; *(uint8_t*)0x200000016848 = 9; *(uint8_t*)0x200000016849 = 5; *(uint8_t*)0x20000001684a = 5; *(uint8_t*)0x20000001684b = 2; *(uint16_t*)0x20000001684c = 0x200; *(uint8_t*)0x20000001684e = 0; *(uint8_t*)0x20000001684f = 0; *(uint8_t*)0x200000016850 = 0; *(uint8_t*)0x200000016851 = 9; *(uint8_t*)0x200000016852 = 5; *(uint8_t*)0x200000016853 = 6; *(uint8_t*)0x200000016854 = 2; *(uint16_t*)0x200000016855 = 0x200; *(uint8_t*)0x200000016857 = 0; *(uint8_t*)0x200000016858 = 0; *(uint8_t*)0x200000016859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000016800, /*conn_descs=*/0); if (res != -1) r[28] = res; break; case 52: *(uint32_t*)0x200000016b40 = 0x2c; *(uint64_t*)0x200000016b44 = 0x200000016880; *(uint8_t*)0x200000016880 = 0x20; *(uint8_t*)0x200000016881 = 0xb; *(uint32_t*)0x200000016882 = 0xc8; *(uint8_t*)0x200000016886 = 0xc8; *(uint8_t*)0x200000016887 = 0x21; memcpy((void*)0x200000016888, 
"\x01\xf4\x8f\xe8\x31\xd8\xd1\x99\x24\x72\x17\x3e\xa8\x19\xa3\xa2\xad\xe9\x61\x21\x34\x13\x54\xe8\x5c\xa1\x98\xec\x1f\xcf\x85\x90\xc9\x39\xf7\x27\xaa\x0e\x85\x85\x6b\x35\x7c\x23\xbc\x06\x8f\x24\xa2\x2c\xc6\xb7\x1b\xd4\xad\xd3\xae\x66\x95\x5e\x3c\xeb\x2a\x8f\x15\x5c\x4f\xea\xf3\x6d\x9c\x48\x02\x96\x8a\x53\xb0\x86\xa4\xa5\x0d\xc3\x54\x75\xe7\x5c\x18\x51\xe7\xd4\x08\x54\x07\x74\xe8\x98\x21\x91\xe5\x06\x06\x99\x1f\x3f\x33\xfa\x70\x8e\xf6\xa9\x40\x41\x51\x10\x98\xb0\x26\x7e\x73\x7b\x9f\x39\x9f\xad\x65\xb7\xcc\x2e\xfa\x80\xea\xfc\x73\x4b\xd5\xab\x1f\xdc\x3d\xec\xc0\x26\xfa\x76\x75\xef\x45\xa1\xd1\x7f\xfe\x1c\x0b\x1e\x00\xb1\x02\x73\xd7\xc5\x7d\x18\x3c\x74\xa3\xd9\xb1\x47\x13\x22\xb5\x9a\x98\xce\xbd\x12\xd1\x6c\x28\x34\xb2\x26\xce\xca\xea\xf9\x60\xe3\xd9\x07\x76\xc2\x39\x23\xea\xe6\x8d\x1e", 198); *(uint64_t*)0x200000016b4c = 0x200000016980; *(uint8_t*)0x200000016980 = 0; *(uint8_t*)0x200000016981 = 3; *(uint32_t*)0x200000016982 = 4; *(uint8_t*)0x200000016986 = 4; *(uint8_t*)0x200000016987 = 3; *(uint16_t*)0x200000016988 = 0x280a; *(uint64_t*)0x200000016b54 = 0x2000000169c0; *(uint8_t*)0x2000000169c0 = 0; *(uint8_t*)0x2000000169c1 = 0xf; *(uint32_t*)0x2000000169c2 = 0xc8; *(uint8_t*)0x2000000169c6 = 5; *(uint8_t*)0x2000000169c7 = 0xf; *(uint16_t*)0x2000000169c8 = 0xc8; *(uint8_t*)0x2000000169ca = 5; *(uint8_t*)0x2000000169cb = 0x14; *(uint8_t*)0x2000000169cc = 0x10; *(uint8_t*)0x2000000169cd = 0xa; *(uint8_t*)0x2000000169ce = 3; STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 9, 5, 27); *(uint16_t*)0x2000000169d3 = 0xf; *(uint16_t*)0x2000000169d5 = 0; *(uint32_t*)0x2000000169d7 = 0xc0cf; *(uint32_t*)0x2000000169db = 0xf; *(uint8_t*)0x2000000169df = 0x10; *(uint8_t*)0x2000000169e0 = 0x10; *(uint8_t*)0x2000000169e1 = 0xa; *(uint8_t*)0x2000000169e2 = 4; STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 0x30ec, 5, 27); *(uint16_t*)0x2000000169e7 = 0xf0f; 
*(uint16_t*)0x2000000169e9 = 0x82; *(uint32_t*)0x2000000169eb = 0xc00f; *(uint8_t*)0x2000000169ef = 7; *(uint8_t*)0x2000000169f0 = 0x10; *(uint8_t*)0x2000000169f1 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000169f2, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 8, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f4, 0xf, 0, 16); *(uint8_t*)0x2000000169f6 = 0x8d; *(uint8_t*)0x2000000169f7 = 0x10; *(uint8_t*)0x2000000169f8 = 0xa; memcpy((void*)0x2000000169f9, "\x42\x2d\x46\xfc\x73\xf8\x4b\x4d\xd0\xc3\xd2\x4d\x79\xf2\x70\x97\x5a\x97\x8d\x73\x6a\x0a\xa3\xe5\x86\xae\x4e\x9a\x23\x24\x83\xcf\x25\x26\x97\x18\xcb\xb9\xdf\x73\x03\x62\xce\x6b\x7c\xf0\xe3\xd1\x00\x79\xc3\x28\xee\x2b\xe8\xf5\xff\xc2\x42\xa0\x7e\x20\xf7\xc3\xdb\x60\x7c\x73\xe2\xca\xc8\x2f\x1c\x73\xc8\xfc\xac\xeb\x15\x1e\x20\x22\xfe\x0c\x73\xad\x66\x19\xa4\xda\xce\x08\x65\x96\x99\xed\x76\x60\xd4\x52\x02\x74\x9c\xda\x47\xdf\xa1\xe0\xdb\x87\x66\x4d\x1e\xff\x73\xf0\x60\x6d\x30\xb7\x78\xcb\x88\x08\xdf\xa6\xb2\x4c\xc1\x8a\xdd\x57\x9f\x29\xe8\x1b\x12\xe3", 138); *(uint8_t*)0x200000016a83 = 0xb; *(uint8_t*)0x200000016a84 = 0x10; *(uint8_t*)0x200000016a85 = 1; *(uint8_t*)0x200000016a86 = 2; *(uint16_t*)0x200000016a87 = 0x48; *(uint8_t*)0x200000016a89 = 6; *(uint8_t*)0x200000016a8a = 0xf2; *(uint16_t*)0x200000016a8b = 0; *(uint8_t*)0x200000016a8d = 2; *(uint64_t*)0x200000016b5c = 0x200000016ac0; *(uint8_t*)0x200000016ac0 = 0x20; *(uint8_t*)0x200000016ac1 = 0x29; *(uint32_t*)0x200000016ac2 = 0xf; *(uint8_t*)0x200000016ac6 = 0xf; *(uint8_t*)0x200000016ac7 = 0x29; *(uint8_t*)0x200000016ac8 = 1; *(uint16_t*)0x200000016ac9 = 3; *(uint8_t*)0x200000016acb = 0xf6; *(uint8_t*)0x200000016acc = 5; memcpy((void*)0x200000016acd, "\xd7\xdb\x75\x8c", 4); memcpy((void*)0x200000016ad1, "\xcb\x02\x4e\x33", 4); *(uint64_t*)0x200000016b64 = 0x200000016b00; *(uint8_t*)0x200000016b00 = 0x20; *(uint8_t*)0x200000016b01 = 0x2a; *(uint32_t*)0x200000016b02 = 0xc; 
*(uint8_t*)0x200000016b06 = 0xc; *(uint8_t*)0x200000016b07 = 0x2a; *(uint8_t*)0x200000016b08 = 2; *(uint16_t*)0x200000016b09 = 2; *(uint8_t*)0x200000016b0b = 0x80; *(uint8_t*)0x200000016b0c = 5; *(uint8_t*)0x200000016b0d = 7; *(uint16_t*)0x200000016b0e = 7; *(uint16_t*)0x200000016b10 = 0xff24; *(uint32_t*)0x200000016f40 = 0x84; *(uint64_t*)0x200000016f44 = 0x200000016b80; *(uint8_t*)0x200000016b80 = 0x20; *(uint8_t*)0x200000016b81 = 0x13; *(uint32_t*)0x200000016b82 = 0x2a; memcpy((void*)0x200000016b86, "\xb3\x64\x4b\x33\xa4\x96\xf2\x18\x7a\x58\x63\xe6\x4c\x40\x7c\xec\xd2\xd6\xd1\x3a\xe2\x3e\xcf\x1c\x3c\x53\xf7\x8f\xf2\x17\xcf\xf0\x21\xe4\x71\x8c\xea\x7f\xbe\x4c\x3b\xa3", 42); *(uint64_t*)0x200000016f4c = 0xffffffff81000000; *(uint64_t*)0x200000016f54 = 0x200000016bc0; *(uint8_t*)0x200000016bc0 = 0; *(uint8_t*)0x200000016bc1 = 8; *(uint32_t*)0x200000016bc2 = 1; *(uint8_t*)0x200000016bc6 = 6; *(uint64_t*)0x200000016f5c = 0x200000016c00; *(uint8_t*)0x200000016c00 = 0x20; *(uint8_t*)0x200000016c01 = 0; *(uint32_t*)0x200000016c02 = 4; *(uint16_t*)0x200000016c06 = 2; *(uint16_t*)0x200000016c08 = 1; *(uint64_t*)0x200000016f64 = 0x200000016c40; *(uint8_t*)0x200000016c40 = 0x20; *(uint8_t*)0x200000016c41 = 0; *(uint32_t*)0x200000016c42 = 4; *(uint16_t*)0x200000016c46 = 0x40; *(uint16_t*)0x200000016c48 = 0x20; *(uint64_t*)0x200000016f6c = 0x200000016c80; *(uint8_t*)0x200000016c80 = 0x40; *(uint8_t*)0x200000016c81 = 7; *(uint32_t*)0x200000016c82 = 2; *(uint16_t*)0x200000016c86 = 2; *(uint64_t*)0x200000016f74 = 0x200000016cc0; *(uint8_t*)0x200000016cc0 = 0x40; *(uint8_t*)0x200000016cc1 = 9; *(uint32_t*)0x200000016cc2 = 1; *(uint8_t*)0x200000016cc6 = 3; *(uint64_t*)0x200000016f7c = 0x200000016d00; *(uint8_t*)0x200000016d00 = 0x40; *(uint8_t*)0x200000016d01 = 0xb; *(uint32_t*)0x200000016d02 = 2; memcpy((void*)0x200000016d06, "{*", 2); *(uint64_t*)0x200000016f84 = 0x200000016d40; *(uint8_t*)0x200000016d40 = 0x40; *(uint8_t*)0x200000016d41 = 0xf; *(uint32_t*)0x200000016d42 = 2; 
*(uint16_t*)0x200000016d46 = 9; *(uint64_t*)0x200000016f8c = 0x200000016d80; *(uint8_t*)0x200000016d80 = 0x40; *(uint8_t*)0x200000016d81 = 0x13; *(uint32_t*)0x200000016d82 = 6; *(uint8_t*)0x200000016d86 = 1; *(uint8_t*)0x200000016d87 = 0x80; *(uint8_t*)0x200000016d88 = 0xc2; *(uint8_t*)0x200000016d89 = 0; *(uint8_t*)0x200000016d8a = 0; *(uint8_t*)0x200000016d8b = 2; *(uint64_t*)0x200000016f94 = 0x200000016dc0; *(uint8_t*)0x200000016dc0 = 0x40; *(uint8_t*)0x200000016dc1 = 0x17; *(uint32_t*)0x200000016dc2 = 6; *(uint8_t*)0x200000016dc6 = 1; *(uint8_t*)0x200000016dc7 = 0x80; *(uint8_t*)0x200000016dc8 = 0xc2; *(uint8_t*)0x200000016dc9 = 0; *(uint8_t*)0x200000016dca = 0; *(uint8_t*)0x200000016dcb = 0xe; *(uint64_t*)0x200000016f9c = 0x200000016e00; *(uint8_t*)0x200000016e00 = 0x40; *(uint8_t*)0x200000016e01 = 0x19; *(uint32_t*)0x200000016e02 = 2; memcpy((void*)0x200000016e06, "\x1a\xc5", 2); *(uint64_t*)0x200000016fa4 = 0x200000016e40; *(uint8_t*)0x200000016e40 = 0x40; *(uint8_t*)0x200000016e41 = 0x1a; *(uint32_t*)0x200000016e42 = 2; *(uint16_t*)0x200000016e46 = 0x100; *(uint64_t*)0x200000016fac = 0x200000016e80; *(uint8_t*)0x200000016e80 = 0x40; *(uint8_t*)0x200000016e81 = 0x1c; *(uint32_t*)0x200000016e82 = 1; *(uint8_t*)0x200000016e86 = 7; *(uint64_t*)0x200000016fb4 = 0x200000016ec0; *(uint8_t*)0x200000016ec0 = 0x40; *(uint8_t*)0x200000016ec1 = 0x1e; *(uint32_t*)0x200000016ec2 = 1; *(uint8_t*)0x200000016ec6 = 0xc8; *(uint64_t*)0x200000016fbc = 0x200000016f00; *(uint8_t*)0x200000016f00 = 0x40; *(uint8_t*)0x200000016f01 = 0x21; *(uint32_t*)0x200000016f02 = 1; *(uint8_t*)0x200000016f06 = 0x4f; syz_usb_control_io(/*fd=*/r[28], /*descs=*/0x200000016b40, /*resps=*/0x200000016f40); break; case 53: syz_usb_disconnect(/*fd=*/r[27]); break; case 54: syz_usb_ep_read(/*fd=*/r[27], /*ep=*/0, /*len=*/4, /*data=*/0x200000017000); break; case 55: memcpy((void*)0x200000017040, 
"\xdd\x9c\x62\x25\x17\x5b\x3c\x37\xdc\x19\x63\xb4\xd0\xf4\x63\xd6\xe3\x82\xd9\x56\xed\xab\xd1\x31\xd4\x19\xff\x0b\x34\x34\x94\xa2\xc3\xc8\xbd\x5e\x32\x1a\x50\x6b\x68\xc9\x62\x1a\xb5\x44\xdc\x8b\xd1\x7c\x2f\x62\xf3\xc5\x6c\xae\xcb\x39\x08\xa6\x43\x0e\x4d\x9e\xaf\xd0\x2c\xa1\x3d\xfd\xcc\x2d\x07\xc5\x31\x31\x38\x62\xad\x42\x71\xec\xb0\x7f\x10\x14\x3f\x48\xff\x7e\x73\x8a\x4a\x77\x62\x3d\x0d\x4b\x89\x21\x08\x4f\x7c\x7a\x91\x14\x22\x06\x24\xe8\xf1\x22\x87\xc7\x36\x9f\x8b\x91\x93\xde\x6e\x3a\x67\xff\x4b\xf7\x59\x6f\xd6\xc1\x07\xe4\x77\xfc\x1d\xf6\x7c\x16\xfe\xc9\x51\xa2\x12\xd9\x60\xcd\x48\xe3\xa1\x75\x8e\x8e\xc8\xe7", 154); syz_usb_ep_write(/*fd=*/r[28], /*ep=*/4, /*len=*/0x9a, /*data=*/0x200000017040); break; case 56: syz_usbip_server_init(/*speed=USB_SPEED_HIGH*/3); break; } }
/*
 * Entry point of the reproducer.
 *
 * Maps the fixed-address memory that the hard-coded pointers in
 * execute_call (for example 0x200000016800) refer to, reports any
 * leak-checking or fault-injection setup failure, then calls
 * use_temporary_dir() and do_sandbox_none(). Both helpers are defined
 * outside this view.
 *
 * Returns 0 unconditionally.
 *
 * NOTE(review): none of the three mmap results is checked. If a mapping
 * fails, the later stores to fixed addresses will fault instead of
 * reporting a setup error.
 */
int main(void)
{
	/* One page with prot=0 (no access) ending exactly at 0x200000000000,
	 * i.e. directly below the data region mapped next. */
	syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	/* Data region: 0x1000000 bytes (16 MiB) at 0x200000000000, anonymous
	 * and private. MAP_FIXED replaces whatever was mapped in that range.
	 * NOTE(review): prot=7 makes the region writable and executable at
	 * the same time, so W^X does not hold for it. */
	syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	/* One page with prot=0 starting at 0x200001000000, the first byte
	 * past the data region. With the page below it, an access that runs
	 * just off either end of the region hits a no-access page. */
	syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	const char* reason;
	/* Presumably here to silence an unused-variable warning when no
	 * setup call is emitted - TODO confirm against the generator. */
	(void)reason;
	/* A non-NULL return is treated as a failure reason. It is printed
	 * and execution continues, so a failed setup does not abort the
	 * run. */
	if ((reason = setup_leak()))
		printf("the reproducer may not work as expected: leak checking setup failed: %s\n", reason);
	if ((reason = setup_fault()))
		printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
	use_temporary_dir();
	do_sandbox_none();
	return 0;
}
: In function 'execute_call': :6217:17: error: '__NR_socketcall' undeclared (first use in this function) :6217:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to
silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2097985214 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/6 (1.38s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_open_dev$admmidi(&(0x7f0000000000), 0x302d694, 0x32400) (fail_nth: 1) ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r0, 0x80045700, &(0x7f0000000040)) (async) r1 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) (rerun: 4) ioctl$TIOCSIG(r1, 0x40045436, 0x17) getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f00000000c0), &(0x7f0000000100)=0x14) syz_clone3(&(0x7f0000000340)={0x8800000, &(0x7f0000000140), &(0x7f0000000180)=0x0, &(0x7f00000001c0), {}, &(0x7f0000000200)=""/114, 0x72, &(0x7f0000000280)=""/109, &(0x7f0000000300)=[0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0], 0x8, {r1}}, 0x58) kcmp(r2, 0x0, 0x2, r0, 0xffffffffffffffff) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000003c0)={0x0, 0x4, 0x0, 0x8}, &(0x7f0000000400)=0x10) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000440)={0x6, 0x8207, 0x96d, 0x10, r3}, &(0x7f0000000480)=0x10) ioctl$CEC_ADAP_G_CAPS(0xffffffffffffffff, 0xc04c6100, &(0x7f0000000500)) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, 
&(0x7f0000000040)=@ctrl_frame=@pspoll={{}, @random=0x8000, @random="63448edb2fb0"}, 0x10) syz_80211_join_ibss(&(0x7f0000000080)='wlan0\x00', &(0x7f00000000c0)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_kernel_create_files_as\x00') r4 = syz_clone(0x2080000, &(0x7f0000000140)="2803837cbcf37bce72c1a73b909c68fe5bf7a6363cdc90c00dc6013b35da02a66a0591667154a5567c0e5ee6933d6da8bfedac5d278a291efa3020ba15e390eb38da76261c3aeff9eea8abeace", 0x4d, &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="6a0b56ff4b8fac28773ca137652b5b0fd803a0413c282037f721cb96ecf2bb1a616dc3d56eeea26f6b16f4562d17c6d8b8838f1844b585ebcc0b562f0557b2c7e9f0dda1ce4cc61d") r5 = socketcall$auto_SYS_SOCKETPAIR(0x8, &(0x7f0000000480)=0xc2e0) syz_clone3(&(0x7f00000004c0)={0x18000000, &(0x7f00000002c0)=0xffffffffffffffff, &(0x7f0000000300)=0x0, &(0x7f0000000340)=0x0, {0x9}, &(0x7f0000000380)=""/41, 0x29, &(0x7f00000003c0)=""/107, &(0x7f0000000440)=[r4, r4, r4], 0x3, {r5}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000540)='./file0\x00') syz_emit_ethernet(0x63, &(0x7f0000000580)={@remote, @link_local, @val={@void, {0x8100, 0x6, 0x0, 0x2}}, {@x25={0x805, {0x0, 0x0, 0x27, "ed9d0de7c64477f8a5d951f792474cf5075158244f9b1731f0f24acbf5389ee283a5851cd5cf33761e5cea7eddd7b163070852dce6e12da0688ac4ee0a17dcca77143e90d7e7935dc9bf2e32db4a"}}}}, &(0x7f0000000600)={0x1, 0x2, [0x9b6, 0xffa, 0x777, 0x5fe]}) syz_emit_vhci(&(0x7f0000000640)=@HCI_EVENT_PKT={0x4, @hci_ev_clock_offset={{0x1c, 0x5}, {0x80, 0xc8, 0x2}}}, 0x8) syz_extract_tcp_res(&(0x7f0000000680), 0x10001, 0xffff0001) r9 = openat$fuse(0xffffffffffffff9c, &(0x7f00000006c0), 0x2, 0x0) getsockopt$inet_IP_XFRM_POLICY(r5, 0x0, 0x11, &(0x7f0000002a00)={{{@in6=@local, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@empty}}, &(0x7f0000002b00)=0xe8) ioctl$auto_KVM_HAS_DEVICE_ATTR(r5, 0x4018aee3, &(0x7f0000002b40)={0x5, 0xee00, 0x1, 0x5}) ioctl$auto_EXT4_IOC_GROUP_ADD(r5, 0x40286608, 
&(0x7f0000002c00)={0xee00, 0x0, 0x8, 0x1, 0x6, 0x5}) getsockopt$inet6_IPV6_XFRM_POLICY(r5, 0x29, 0x23, &(0x7f0000002e00)={{{@in6=@private2, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in6=@ipv4={""/10, ""/2, @multicast2}}}, &(0x7f0000002f00)=0xe8) shmctl$auto(0x2, 0x6, &(0x7f0000004040)={{0x8, 0x0, 0xffffffffffffffff, 0x2, 0x10, 0x4, 0x7}, 0x7f, 0xbb, 0xf, 0x4, @raw=0x800, @raw=0x2, 0x5, 0x0, &(0x7f0000002f40)="a0fc0337faea631f704d04b5a594dd3a87e2747c38740f4357e5cb221bf4405795c29906227d364e0446ebf77d111ab6668106a002140a81071b6d28cfabb37aea4e26c4657db31916f17181ef2fbba8cf194a98c435a1007c270cd6eff5c6424537197a130202f28ce2586be0ceff0db47a35351218f49a4599a98e93fd6fa6be92176782d29ccfc900c767f4de102c3a7779577ff36f427dcaed1e8dd389650fbe9cc0cab5b4390e805ec30ad6411cff6065a8a57610ab7c610132a2a1bf37c871d06a9d78cc27688f4befa7bd112a69df64b551e3", &(0x7f0000003040)="64b9520eb174939ec87643a2fdaffea4527bbfd51b07ac9467169d3c7baa5dc65b8a38d950c858ff99237e6ec06b4656a52acb76c755c1cff1c0a65e3d1632fabd9e1b381852b6fcfc058744856a80a29fb4dbdd715b3cd08e15a53405d0fd2ff7eac836338c4eca0456ff78cc5712332146b671bc42861cd8bb43200985a362f39f15bd437f06458b867d4bea2227493250d83fb46f7297b8f8c27351ccbec4ffd07175a7c5e2319e94210d4af5061e743f050f2ea538a3ed9d0359f5a7546c3d0113e255268cd0483ab186f9c5550202a9fa3fa0c4a2a5805241819cf9c345cecc6b77dd7c299750b67ff8cb5d9a6b0d3d9816dbeb6fdbc5ea9fae4a25e19b48e510ddb5d4d1271ba0c4a083d04cc509b40f1a849195f3bc3e9f63b7cc7473ffc740cf1a979bd1d7e9317f6fc77a62e5acab36c4a063069cfb207dcc7af70b77a743b362d9d9fae0dbc680923a0e3454026b6da9579f352afef7abbca7bfc14aef0fb3d1305506b97940ea127ffed13eeea6cae0be96f5be7385e8e9ba4f00fdc51859d825192718dcf23e0b6da413aff854ba5221ba8d27ff02b6c0f9667f2ffe72f434f4c7085a52fee5f0871bc20aebc8ef87c17c49b2a434242154770e3ae268d5bae11f22f2146169d7a9c16b5daf83031111ce5ce992d275bb9bc5d1290f7fea356607e8dd9acc55849eeb502827374c45dc89dd1186ec9210bff8e005b7cb2c134a922d6ddc512281e6f5aa9b104d04bcc6000b9f95f74393f312c990f7d
29dee0ef7a4b158fe69196b0683f35e8b4ba65bb49b313d92d6f67f72f7c3e7de4dd884d72c786d66bdf598a15f9ac296ea70740343d94591186448ae73eea6101de13df667ab6ea1f55aba4c113d0ac42bba7ec5bd1d56b6bc947045595c76c8f69339bd2f193de246533010f42ac93ce0af99f40ae8bf3a30543d6861b2ca306c0c081db792af448820409c05330bdbe44f70c5561dff8704b5eeb712acd321fb7bd58c809fb11d017c34879854f153241741fdf8de35356bee7a0cb40a726cc783175759e266ddbc98e3e5f822024e3359a7fec0e09f0d1e214262ea209a9ddf12280e28723393368817de6d200ac6f9d14cee80cb713547cad55333acaff3a32b48964845501bf108e8f515728b36726290b478f7f3da9a62ddb1d44f5ed569c7cff30451b1355d3491eb80345cfdb938475f9d16181cb1e3d733ea45aba04cbe419b1fe39de514e8b00db827fec195ae7731b2a64ad258c1cf2d4cd97dd9dec3564f9ca74ed625830ed32b0507ad8c97f63f5a2b39bbaec04b3b889b6d7c9fb98993d5e5ae40cd6b6372bc631d37dac4ab3d48b5895b0030e002e7f443bead14a5777ecf5ee99983b3c0f500539d02ba11cb4bf3259906bbcc34855e6d4b2c49316816d4d17340d8938dbbad5f2cbfe83da57f59e51c9eb6ff6215f794f6822820b05912df85fea53c046dd6e88924a18e71c0cda658b58aff26194f88df81daf06ee0942cda0df18b41b0e230b305b4f9a47fdb18c6d68cceba1f24f2756bd96a799112c3485e394d2dd9fc87ab1b4651ad058a3e44461d2c72f038ff881104cb75cc79683a9d97d881cffb92b05c12bf4d3ab4dbe17908fb799eaffa9cafa4a61ce20aa4b3ebc3c75220aa65c9803a77f181da3924cca5f6059612e45486106f22b8c891f7b14662abd64b3258ed13bdcd6d1a77c6a41519d66063743a1918bb13e9b7577fb6bb7df23ff1b96e782bda6394d4861a7e0ac80d1c6cc84a303b7841e589d66bed37ccc05f4e9b4dfbc53d3b50d50e02c87d41f53f86decb39c706f5372e9d6e3dde53059620d27845f3ed77cd5899e33aed5c4fb140f8e405fa2e0e1172eaa7d4e912987a0aa3acf7c2d8e94d16c998c987fd404b234ef7361d0c5387e6b9d55fb972c7dc217226ce13d82a59311fe269a09c384e739a66be4354791f381e74cc5dfb9a92fbfff8595df24b403eafb00473eb0b2e7fee36dba4a908938bcfcce961fd10ec29e56dfe40591e13d5e53f16c8759ca27f80ce904f2d7c43321097595e907639f20f9e8dce700c39d0e442da887a4df082eb7e172fafdcb00b008caf5523d1fe5f240ae991496db93389af4185e9c9ccbdcb9731ce7a770ae2abac9d8cddf313231a55e1277bd36c1e44842b3872555ccdcb3a0684591321ff15d
c6d2ceffd585dbeb990e4054fabc18a9e9f1de13bfad9de7f8deb6b6c472c423367eead525004defa9e17c67902360bf163a01e98f6e755cff6282aeebd1e8a09715c15b9edaa500de074c28bad6d03578c5e1c87be7117f54eefc3313c38b61d88a6a50a0f36fdbf084cb41447c690d3ffcc8314e91ada81d34accd3e06d19bca28fb49bed5e32f4ebd54929e4ab51a659b81c1c35df9e514769b9eb31d71d437864f54e992a2b9b15e2fd3207817756b486d081af397b21a258443d86a20a82dab3094a4883324791d67cea918bec7994abcec180f8fbd4ae90ad2c785de7747308d80a7331864bd1a9bffb514407785193927405f778a166514a339bfe16f5cb8ee349a08e25b94dc351c72e98c6baf186025060cd98d7d14bf8ee060240405a1c10202cb34857ab674eff41cd46c03d2ffccabf194e0f351658ab02d9a1f92830617de69135509534647bc4cc205287b251553fcc7689d5e669f9ba4bdb4036e064b2a791ea5de93c66918ad61cf10be4f5564a071b02b9365bc587316e65bd1264fe1f8dc7d244ab3319e9a905e244a0d000bf3c566811f729d10f9d81b060cb7ff93da8056d641f93121c50b987e4149d44c23491e9de6a5c1d6b26f644b3b020627caf32d47f95a4857b36530ff5c5be38ca37b90dec3bde10756158d6db91bcbbea6665fa1408aec0025d9dfe3de8a57b8af300179bff26032e61db60d6e20acb671595056fd65e84038040f07d46dbd4cb8c0d3ce9fda002d22e24750f145801af85d782681bb9b1228fb281c543e5dcdef84b7a2626de59e1ec79e44d1a230fedda6e3037b0e9c4ca475dcd319b86bd4ab2cc3cd5ee47857adaa88e7e77afaab3fd85076edb3615ba44e97b5e181b5e8c8611784854a8aebdcc0983e0b837455a2901b91980b05efc9223d206dcaa5be6745cbdfb6f9af13873b3773f5a59beaa0f4a36ddd383d63e12f50e0f7c533e6a559e545d2851d04bd36e412d891eac7bbff39936937fa3e4fbfaf51037c50a7d5730051e4c6984f394f3f59faa61ac96fc2ba4e33564c2bbc607b18ef8aef19b88b7ac63cef3e0971fa1156233373fa5b58f16fa99312d84a6b790e7a663ba05e237385eb413e4260e021ba387912357fed39f1366e7318ebea7b921ded5d9f9ab5a86121648310f0904258a9e4d590d65431d23e622309de964cb77df8f2807667bd58181e485c2e03c295c15e5274c706c1a0027b6751e40959a1581c710774bd5575367c93c17fb8444976e384711d4debce09754e97b048d47b3dd82f75fa93937d0722cb2379e8b4b02675991ed1bc5f1f15fea5fbe59c63a2991af998a21991f1d46cd3d211a532cee732ffbcf55b28790c4badba768c57a2623df69b396c2accf925806d55261b7087435e49745297
5b15266522ef97637956faa20e8ec653c9c0c0773603d77677d0ef1ec99a0f61cccf7e1103051a7852a0077f973369f6d8056b79c537aea6b410709df6937b6b7ce03398e1a7a1ef8e062bf5b5a110bc0daf2765c92e695834add9ac03f5ea56f8ec1d64a8fad07410e3019d84c0e7cdf1c49e95091794a3aad82abf63e9c6cebabdf05e80503d1ba7037e9b0b35aad5517a02988a343b6a4af6d8277964fcd3e720c19ebcbca7c4a877c4b17405d4e04e2bff036d6f5e8da62d6ec70d1cdd970e8ba36f7fa956cbde78925a443b9579be039e5653966e745b1d93c62970f2907fb535c88820b95b24409d1bb81e0cdfbdc397278a8b1eba6325e693a93b550dc2d7ff05598f8246794b2d01b58f30324e44c439ec6e170b692ef2d552f332242101fe24586564b87e4d04c5c4137f453451dc82ce49f93d50e49acf2b966d0d500fff99b984d70faa2061187369a3dd50337872c230e6fbda2420e565886b6eef53eb532239a98237bf8cf3549f60b083d81a16e6a30c26a74456fbf8ddc2476784e776df7490a31e1113cb0d876d5ca9fbfc32cf6081f7542015b41ae86f9c0bbfed2b8474bfcd78284467c22f1d6df54bb3e28f5cff007e9d5d5597c837a72eb04ef8d1f3ac060b9f1fff3d74da35bf1cc3ff9d836bfc8d2ccb07214afd357c296ae04a5ce01fdc779e9b4ae6d677c6fc48f7383064f2d217d51e390609dad933022ed7c35f89e83b555c8e3ccec204e593228f3244427cfed43bd371ee5f584ceab01f88d1c99474189b876c9534089dd5d0460da833afb14cb1cb1f4bf8517fff86f94a919b9f8eeb360887b139f675905ceeefa05786fd7eaa8cc6010ee286989b6269a45052d4c62f742bdc252fbfdb2166f9b0215316ce569d53f12d7ff1e92d2bf11b6ed6aec3fe3f62c49a4cd2febcae8e1b44b38eaf1a6e78f2da3cdd94edea7150000d7015cb652ba46d3b2315b649edccf47b51d4585dbc76064a12b05ced6fd11fe3703ad2267f96297bcd455810769746ee264e73d9043384e3af7b445fda9f12fffbc7d63cdc105ebf8ec1f52475c73b06b4af080037babda8888b05b3d0051d7aa6c949140df65806c8366f8e3640f5a7470262696bd3cd4db85502cbd5fe22bb0f59287768fb9c52e6933e568e0d3ce7283a420c89fd04e93e565df0ff68cc743cdcf4dfc7ff09cbe8a77a020804f4c1761284616d958401f57af9dc71362992b3ff3439ccf85f43b6c0850989650d8f55ba1922a6500d272dd42386cbb23e6e67ec926a1ca9357f4c84b767152e6c43617def94ac6014aa3c6ca841859dc57524a722741246530da550671ec17d2a342e557b43c08a93c1267637fff37ff4a4085528e7ce6d09de642996fff98688544a7c23bff8b6fdbe533424ccb119a5
67f1f15c0b4650ed80efe24ab4d1c1e33305afd2ceac682c0eacaa5669e4434f634b1c61271d95b0095c7b1a62a2d073aad80c51015bb5150845c118633a3c4c94b7463fe7339182ea01a7e28637c27b5f86068a7374ae77c5cdd6dd9b469dd9a475c37528e2f1c40132359e9e65e23ad4595b160ad9a2d83cce078f4d6181fd3026c2a0b1302faa69a5180a2c20b3a32876efc2a6281c409c2e66e00deb53098197f13185b7da589b0cfe2a312f0f61efab29a7b1b614faa57ed37e01f8b0cdfb2ea7867745d6669a4a895b97e1ed24c2f3cf23e8851138d9a640c2c0b321d00f0a4dd9a72fe5ba43ac47dd31a014d31b725ee28cd8fbed0bc78145980b586d371848bb96748303d0ad1fe2a2e7f5dd34070c6fc50e109dbb15cddcbc04e1cf6358d1050e6319a34f1452f44436d8cea137a37a1dad13efc2b9a9587a43c2c3f3d5aa32c0978520d24dadd18efa812a72d33b2f441ac885226555f7cd254ab277175c435683c36df697c2fb536271948e538dd3bce3909a5c8c37e97ea3736cd1ada26f13f121a990633d95b59e67393432993c0c84fd6d52beb7e3d02a437eb281af573ba1c47f373f6ccd6e0b183a21cbe9fdbb82ccc396f16aff1999fb839ebcaff97fa0bfd0d34cf8e57606fd82341db318e40cd9e85c154465dcce1b7fd8b22808f0e0d454ef9a2b5a4c35c0a125b9237070072d1cd827cfdea8e3de833b0814c8ff260e6b39807ef86ac677abdeb507dd57f6993d303d55517840bd7af1db3980821"}) shmctl$auto_IPC_STAT(0x10000, 0x2, &(0x7f00000042c0)={{0x2, 0x0, 0x0, 0x3, 0x44, 0x7, 0xff00}, 0x80, 0xe5, 0x0, 0x8, @inferred=r7, @inferred=r4, 0x800, 0x0, &(0x7f0000004180)="b8472da763b7f233e5d2387c998ed4355657", &(0x7f00000041c0)="10f121593543ac483ee5d9fc0093e203b927b44bb534a8711a28df30c87570f25d8dd643467a2c9e531e8a4aa6e033f571b9feeae8b65d093f915628885d3f028c3f4447632b36f22e16c1fcb5e7bd6992c089df961fee65da52263c865431c8324d25205427653902000ee5f231b03df00cf5b4ff9f8779d331a8b511c4ddf3ba9b68b48133a4cd4f26e7376650cba610c62a68f4810220009706a85a063103dc90df67137a34a2dc60eacd868a66d7f68e69c04cc195fdc8081c4be4148603242caf94670f9e25557ef9ada0f23c5961fc07fe58c78bff013f8344dd9611e2314963bf51df6c984c56b9af"}) shmctl$auto_SHM_LOCK(0xfa95, 0xb, &(0x7f0000004540)={{0x9732, 0xee01, 0xee01, 0x5, 0x4, 0xffffffff, 0x5}, 0x80000000, 0x9, 0x5, 0x8001, @inferred=r7, @raw=0x2, 0xffc, 0x0, 
&(0x7f0000004440)="aeb6d5073afaa31c2e2b2c269112dfff493937392207d13fcd1a8ebaa997fd976ccf817f4290a89565f45f54382b313d3498e2a676fb908ee4d892131f01b83dedd09498c8c2c56df4ef1c8232320b42d583cc6061c92cc06c764fb0d446a8b9a5f1903c9b2b2ba45c1ece47cd249f201b457ee03c79fbe26feea6dec142689ae21b9ced8439f10a2e3b657a1e3ab73854c1338b6db905248ae4bcee973d068e9bd49bf4f9e8d0177c72612bce4ef6b4d76c093996de65", &(0x7f0000004500)="24a7291c4abc17ba4acde1c6fbdb58896ad27dad256440207ff6a5e48ff2a6185f2c"}) syz_fuse_handle_req(r9, &(0x7f0000000700)="2bce1778fec9a1286bf6aba53c3ac40286ad6aa7112d6f2fcabfd2ba713eaadc8139e14f618070126ac3a38ad9cd7b5c94b1783b2611520729353d56fc5bd5cbd4f11d01359ca9eb2e0c4cc66095846c2b10d41eb84677f1c352bd90ebfa66123a7a19f45caea84f12e77657933246c44a209a4b9f155687e2a4fd902f57ea49085faa760119406827db2e6ade2029f8201de47e97b133853ae73214a796e4818d39cf10a8e6a6f11a88e082c9aa25857a67a32f35bc8f867f044d0f329953dc0602249d83197e0ef5c983b9d556bd527a6a599f52a211f9c7113edcc0e93fc18e79ed69fb2a7fde97c9c35e31e35f077137c8fd8bec401814fb99816d1ee5a5e7edc210c610970daf8aea89acbb754082d8f68eb4a0010653c70684a8dd7c002ba7e461c8dcc45c2286da3427351418cb24a94d6556d69e2a319b5c0e69e6bf111a9c45467c41575fdbfc2646dafda3179b0fcacc149b45ef10dc13f5fce2e4a2c22c2ae992bc6bd51323e724e466c736db1d3457ee0f7de147661dbadc942bf0df2f089e980381ae888ab022fb545c0343c4087f2c1b6ae0cd21d0fd6565790958c93a6759a5754b700a6f53abbca7d22cddcdd709b279d111d6ce1fd791ebcaf260480986b321ceccf955618bbea2781d331490cde5734793ab075f5a729321aee177fc3c20efd0797446e512c625a3bc1a56f4c01889f574933b726f7437ee049491bcb91f1c63a0b175e2ce567507dd354bf26b08059ac229046a6e75d3d321ee63c5abc1a7409e207e6fc51679df37bc7ba339cbce32d45a9609068851b0a7f581aaed7e995c36779d07c357e5d976f6deee4f3684f97e7c619d3ccc28722f130d936d3c073b9bb5194eb9ff69910c6a3d5858c2862ba8ce9425cec1e801182a7fb5c7017a4185d13feb353829dc681a5619f0a02db6ebde860cf7c6294d2145f9a5291849762d93816682d19189dd768280df4a68c80801f66ababdf722ec213a7b7f58c46148686900669bdb0c643d005d600d95c5cb5d28ac4cd4c7022294
352ed1350c4e75fe8927895392b0062c78292fc15ad7038d1bddc994535e73ccc33c9ab23311d6f65de598f5ee9f9134ca4e4b409f21b0b0e40f36aa5c782b7bb864707afdce1e7cfe5a27c1ef3d2dc14105d6a489b87e7ae167ae87a5f3cda0b8a622176297f5328b79690df98979a4806dea069395f5b8e5bcec683fd39b86bcef865de60fe407291d127c4f0068bec8ae95738fce42205ef7cbba2a10766e32191cb4e50c06dcf6ca3ae78c0caa658fd58b652cabdde1dfa9d1f54a4479ad61d25a47ff08b3122560099bdec55deb110e406e08595340887e49677454b60860153c4b1f7cebef25dad082f4d3402078298bfd390bc766234595918cbb3b6cdb9961e1bb1d4f7c7f2401a8d80ac62b14624a3b16d97046fcef8d025deb794094d2cea50ccbe272e1c79a7167803c40a4ccee138444e7a415347783bfe0ffda3d50016d0f6b1b06126fcdd9237aac400b8549e4c1917a25db59cdbae29d1ea5bd7d25c575022dc55ff32ed42a610e239479beab0dd62a30a4fbeda0fcfe1d0b613a8d066933466a9ab31262701d08e77928f88cf8a838e9729893e55070efcc83736f3cb32eefc08f240d449a61cdf2116ce4eae7b9669ce6fc528b9834012b0f7c5425c262237ae8a301b6cfc03a579cb109df417d8514af612d320d0ed96b7f7e4a48aaa30f6c8f427db2f981bef360b9d8c277c84a8015f49bb8840dfdbfd5402a053fbedc0751587ebf6df4d69285cc398e98a7fcd68876eb2bf6f94fc0d03d7a93b1446cf2ac7ec11f8c3b62fcc0741c376d15ccd8dc9c85929453a177bc2424b374ccad51a57bd05290241e00389e5d9733dac843b25f4394db450fe16fdcbb56333790044d65ad606ae8ca97ceec3f809d789049a3298881339d2ed1602f2bf2bde3cc87163cf1dc3f8e32e859ac7b2d271ae42a7ad05e6fda9b98c14be9a3f65b16253743995982237d3130d15a18f8f532a8d0273eabb3386702859833844781dcebf2164f0a4b1411d88299fa82e7bab71a0836d50b418a6a47f747220fefee2685af32c2de7c3375cca11914f2da17ecc46e635afda8c36feff10c7d6ebdcf7da4414b4fdb28c42f738c9561a656b01ca0bcb0224ec803e6a23864e01438974bba22369212caf053e560cf11ac83ec0485f570f6e536744243c211fdc03cb35904f1b3ad1e7965d4731aa048215dbe3b33d0963b0d5c0ecc90fa99997f19b583574868b4081c9ea2712343b918d22fa37e8df4db670a4be4295f699c924c4b7feb71103d9aef0270ded29d4f42af37a487e2bc8dc0b0bd3f6870385a1a8a984220f79a47a981e987dca44695ce6487d53c019010543b204222efaef7208dfa23f808c45613d514468b97fe57df911eac0c90ed04f00649321c3abd2701ec1a0122b4
bb48377b5e9251c0203faf0898260ff747c5a82eed234250158851a50906ac5492719f970a9062005ef1675576351a8b3d9dda735cc65b8209e98668b8d497885fb1d91d893e3e3fe96dbf56b61c606a8463c41fd8c9be64df1a595627fc711438eea8dfb73235a47be9c03704feda19e54f65a2876294495aca4d611c9b43842915fa7a51e45e16c7d22817c1b159e0bf53dffe16ed634161be4cc9169c952b0bb5fbf445aee0e9d386d300611857c70e95cf2e42a3e79bf7c202b77ce4f52d5e8ddf50d5db3fa10e95f24d656186d356dedc85c6f8684b8102eb019c18da8a663d70be24ead9f1dced78bd068a6c9b324dd747734318ebc62a4a9c74eb3422ccdee02f947c1a76e738542806ff2c9c851ab71217f7539da9c3350a1fbd5e5390a048ccac1f5413ab2d8147d7b2d7d4933e24d7ff0d16fa34e238e931622730da47e8ee853549f57d8cd0411fd3ddcd5d6bf36388d0368662f95dae7d3bcb932d62e0f895a56bd879d1f57043eb6ad46e35976c4fa6244221e9a68fb5a93f2568c1772ad1faef2aab0021fe7dbc57f3a777ddfe61f41cc3f7db0bbf637bd48f72d11dd052fb4e32520d4139ce9b920621f1eb6f378871f1e794c38759650a0a742c0e3403b6be88e31920c0f3afb58c686beaee1d65d6d83b8eafa7d0bcaaef875efa7a27371cac0599d41ba51aa5ce65ce48bca24d4a438e6e3ac33cf1fc7cd8cc3cd9b75116b53a09d98141fccdf0b08d8f9d6efded52d101c3ed6b27f6c6e42f9ba199f39c9a337728bde05bbeee63e4dc680ecf0f020bcbbb7b6ad0ba9b2aa614391e8aa41552137356953ef21535ca4e3220a26f061c7e78eb424288981695e651f6da9057c61102f5d58d331358d691ce1bd7f68160cb76fe77f03ffd460ecda1fdb1a78333893f1dc5d0357dc24335d3f12d7df9133169d9d21445b6a58195663da0330631b732c1dcc3e658f237f0f69a11602d4cac6468353fafcbf4cad1a3a26d2deddba7ccc886347ff059dacf969698001853307a3c5b3634dea162e63bd27b7c9dab63a67059299d6942675d10688a797d6b5163eab83b45b18460c28d6a83371eca626e9bdb94b90a11a7fb7f7d9fec0d773cc0566636292c7d90de6479ae9ffce8c34e284ff2fb4da4c0b4629a023f1e9c1e79c5d6bae6252cd4a30153e8c1ebf08389c206d66bece902ed877c36756b3f9cafe841ca61bff315fae3af3a18563f71a77eeb6fde0db2cea7fe494a78391afc1b21b233e0c4b4a1a23eee6feba1aee1124eb04ec4d23b6ae5ccaf13acdb656c72707fed010fc4ab31ba093a22fa85e47389acafe2a22298e51d36732695008e65affda75613bbd22f869b05e9dafe411da8549f141e018b362049c6af4ed782378172c55ae7b1d005a19086c2ab
19742ff7f9b329dc567f614730ef3e7478b62209ec2db90f3a6037af0cb7bdcc8bad8b32864a4167a370d0f916dc751fb28ee9c800e59e2e3720dbff363b28cf2698fdb3061bc39197677efbca4f86da8a976a1fe5f9e183ab9f3bdc9ab6ae44b8713a1ee07b894bf37490464f9d2c4f5a2a46c6b3035343b926dca5d993ecb074191df0e50fbb114c82b369e19d8ce958025e12a6e135c33c4e7040f2e5e4abb143bafb7c712144a99109b00dfd72f66d6a5d7d1e6aeaef794fa404575328feefd9c208ae710236da12de525c78403e78fdcfb5cb3448f93809eadbf8c6caeca702833a3d30bbafe94ca14b5e91864aa575409498939c5b2cce2d33d1f14ae3d7169ffd51a7421d2be6a4f6ce0d7fd5dd834e020c3e69cf5debe69ee863f5702bab78feccd285ab472b56d1c06ce40a79ef15c072361636317413726643c950c67e576ffd80d5f80807b6729736547b00a0d458e93bf964f47da3507747ec323d3108c449826224ea09afa36613331a961c5cf259252d0dacb502fbc987bbf6b1c8c6225a6c0e65ebb5a55945c5a064ec346f84270e3b38a12ae72c17809975ada72bad05a12fda83f1b00a42310481ca2a0990b663964e194c925c99cee86279f62c64548a57d3f167d6213accbe679a9fc204d21031f64bd5f68e8c75cf80af207cba25aa42fbc7df0734257000e5e9c223366d1df46f508b8a8fba4933352cb7c3f0e25d66d8c5129bdc467dcdaf4f4a871fea52b707c85ca1ad30f00804ba500cfbb2eee18c6842091c120ff9f5fe915a75a623e5407e77b2f2d7aa46e24c96986a60865517c267945d391692a1d3feffc935576787c90da846f959e26eef2f98ce0b13174fe456c5d33fb6bb65e8603af4f102929d8422b8bb5a24e0bec7214ee23d9b8dd07e7daf18d83fa66d849b91c708f99b4685c7b5dc956d95c7fceae7759feaa0d2a01f26b17b9e5a230c18c610a7e724db79becd4ac0f176bcf20449e90c3fae89c3a993e2f9c51e428dc0bddf67a7cd11f9ce0dafb4277c3281b88fa7138d217d79fe3ed72b195f27820e33229c5a6d7f493720f9190a1cb229a3bea0a78f629d00593c988c2d3fa09f8935e25bcd4ce0276a16f2306f7cbc8912523591ed88921aa7aefe26712f81028906d730fbe81995521e02e3ddfca0f881cb98a661d2cf8d1fc310845df4ec588c2b30fdfce181e6ef9a654e83fa69b773fb51717774936e6d037754782fbff13d32a50c75e2753bcaf4ae373526e610605f07c677aedac8daf379283f2e59aedde2c01953d1be4591ef165ca1906debdc0b8e47def1a34d3c3a4c12eae89668d143d1b0984f945044709df868d0975514dc1093090b0fe42962345ef40b0dd84ff7a20f394d5b3fc5a55d69b4bbd00b53e3174c760cb9
c79f275275558c6967f03cb7b54ec6c2a8602a5557c48e0cceaebc38c4cb35f171fa42622b1e8be6dd323375033ede7bea93b6d667758fb997ccee896cb3a03e47fe8b51bfefd7165b4b162546c2e4d46710353b73f6f1dea17e442b8272f6aff99c864372e4c3e5631bb739b59ad1235a18af7d59b79320a41b7c0e8d64d5a79481cce1e31b334ab33e92e6a4297f3def0f1b34675c7de910fe38e494ee014bb844e707bd302b24786bd6062bacb82d527acdca236f217bf0474742476e6a9325d9ee282dee43636beba541e6af65bab1f58233a6f558d8c6019f4ee4c8e833ea1618b053b3cdb8f88f09ce1225a68f319de5bc583eb3d22f2732343e9c0acbd8efde7d9c0f22406b9d1beb10e7bc92807c7bbdc00b1d88534e65dba2562167e2cf12a6f4b1e89b2495be631fe9a7afaf3e440254a2da7eeb261b40b4b2c8a2257d75b09b85b81d7954ac55313ac4990c54ae40793c2158cfebf329b267405dd2a5e76154d21d74edd4a1e086f0f240e71996a04e8f96ec8822bc5fc91838d17d97b03cab995833aad9fed8dbd944fc11ab74fc515fd8bc5c067424d32dbb99e49e0d42a597dd807317d669df7c08979dd647cae4b9d123a644037c68fd7b454d158b5128185b7a071b77453e29ef5183c03f3dac2758fad6673d17b95a42d428b56dd7acd6b44a15f8a6acc4c73d23fddfc44fe57a9add195796cf45c0006f6a24160dfb879862b011e74b880f5a4f5dc8053a1f2c7d0e1d772c62ca028b09cebac88ea7a8a1855996201674f2eb71ac526c0a0ec4493daf01a5516d2bf88bd81172a2f75fafb3cde2c92b7a020e0767cbdadf655755c3715c6bf9cc3df38c3834a7249505a689480ca3a978792ae9befdfb3f25e3dfec22a90d66acbce1633a297cc2bed975731fbc97c09da8942265336d17b13a52efff98626a8b7b188cfb9dfd33eb28763408732bbae7b80122a91ad9813897757effb84358dbd62b0133241ab9afa79e353f5e7db9163921d65efc93e408bc38ff95842905a913d084d24fa22359df710b39694de240389831e344e9d5332ac0c5484edc3a9ac612f668e4e78180109e1249ef5dc27cfded52ea37ef3a7d1d0288a9f7532fb9f3a380294cf03329628fe8fac3b8121130bc3dff51ed6f8300806786f9e505de5d25d687c402c0bedb7d41cdb9cfb87714ba2928bececbe1aa32dfda001707c784cee7f6464877ef8798c1608c487ce088d07308b4f1672fb28efad8aee845ff99e00db8d0a4eff10e7e0482e10d2d4f536b90a17f2cd0649958619a3bfc4c72654ab9a0dae3099d6958cc43acee94a4501524e0a9dd76700d81461ffc9cde222715d4c8917c2e53560b6353a098c948ce16131bcac5694846942657fbbd47d14f0b9e6e0e383e7d60efe2
d9935c04dfee10e22f474cf382329cce12ae8d210ffbd17dd0f1868f6c10aa34dc1fb7bbb7a25db0cdb0afcb3a523445564c6bc6c0f8433a6775881852d9970aa4203c9258a944274168899d5a815d665037da716d5304e4f26c289a46384b965f2ca5aacc1c8123b54c14e83a59b99799648814797784254e3fccca53790ce3f0c24ba01722d42baffc8168a36c95b5388def137e6c929e2ed1429910d138e791f8c45c37ea0b8d5f25dbb2b43a4c2e0527327a5847df44a214222330144d26446366764f816db2847bba4860f22dca28aea5bad298dc4e5888ce737b1696c952c2a515574d10d4d2c3d0a21232422d0d600745862a31513c978c8442bebab3e3efbc5bf0657270d1db26e979cf50ef7a3cfee880f77a0b802c7b371bf966a5413d6874d9111e7b98a972be26e28fa9ec1f779391e3a491d5e8695f73d88773a3d40682ffe1cea237fa5a91d48bd82d8ecd25e6a6292d1777e38be37ccc8d96cf9d191ba90585e728dc415bc406fd94e53c674071df12ea089dcd94f9d96b0386f726051267c96e5c3d7949e85502b5da43f10493baa2fd77a02faaca33558f78f09f00433ba991ef1b40c5999039bee177fda3ba5dc0925162e59a8e327c19e7d4e0aa8f1371070271e003ce63f427265b6a2dfb1d6864f8cdf2a9d0f8b38e57712b8543a20be5024aeffd250a106e783a08a5ae385ac9a576b3c1b09036c50f1a8d5699f1bad3d16968f11e9b1f54efdf3c2ec03a1f124ab5e5c453d19b939b68d0a339951b5bb55da3eb459c3f86a1de1b8b9cefe6e60d14d8c6143145e24a85e9c062a8f6bf5c9a51b2a507ffdf6f601cd7d10a7f3cb16f38d7f2c46eb2c1ebd205d5b60c5d5ec3d60e15189b9f445cbf29177b8355d8af6bad6c6e3adab39df71ee2cf90df9ab86808e62d1ec24ff2bde6fd56a231e4e556cc227f5fa6d617d549aed8e2e366013d8a2c2899a5c752620d54471f9cfe17b687fee42799eb8621cabf3b8176df654b20f348c9167d70e959221338bf47cf3b347ddb46e4ea71fc8250cf4818607a35951665aeec1b4684a9f2d54039b644e3ffcf5ef2a2673d97408fb9c5b9ee802867fcfcbf3ced4295e59e78365de8f38d98066bc163b755568bb02eeca38e04fe45b7809cc4424023a23b15e374e383d01e02dc66924847f372d8adc3b8aaddb6eaf9575f524251ca6fea93fa3357e81e94715fbbe3ce2bbc0c3d447a5118d859b1a743b3e8eebfd352fc50c28c89d9fbf2087cbedcddadd1993a35f71bff4b6e9190fb1826fa2b308901876165c70417dce16ea0c1975574bdc7ccf8d92b3e772b57fbadee74fcfe7b73dbef59c7f2e5ba57b9be6843e06d0c13da2f487840737a8dfc790cd553c693a9d1268a13acfa44fa5e4b4f0da376fcc0ec8294
fdc01823897f912127db76903df2cdbfb9902400c86bf526ddbb47c8e49b673055f70a7d90081cd31964e0519d504c171cd41ab7997916a711cdec24f80f8039cec9f65bfbfa93e7bf228351a81892e57180aece3e6b0ff3366dc6664447fae5bed381f629134adfcc51eca2ab3276682e5d9f677b301d6e6dcfa86461a567cb9cbfda3d2f91b3abc20a5a7d465d57c507fe9cad8343d64f51be630ce818ab78e92cc5408f48025fbbf8396d88201c042fd71182c3d5dd62ace3ec9231f847bdff19b7bce4e04d1022b32d46c74709aa4963166aefc5ad6ed94701d4327f394e1c9d01fbd3f25903c5020a8487963008f8e4eedfe9c8d62ca9cd72a96239b1c0427cb4e17118219b42cb897353621d667a538d3ba3e9266738fd2524681fd633c1f71a51286210bc793fc89c0f043866480b7e0862b7a108593b2e9f8d1fc62b7c67f50dff638f9318fa260f3730cec7080afd743641de7d59bca4d321f031f35fa616c433ed572a39bb17b93c8581b12aa1d251541bb5b21c63917c5b70ec65e957c59c643a6c0ab002b546dd970350be2a57e1a8f0f46b0119950aab3301e5ca0543532e1f08199075609f22cb8c8ffcba4bc81df5da4ba7ae6b111b4cd9c6e2e6c20ada232820b47753d6262c2b9ea61ead281ba0c31c3bdfc06b8a42982282a215beada3ae9b2ead9afd24f50bc2281890097791cf37b1969b45ba7eb1305366767eda01efd057da567431c49e79c55a58954f12dab8f1b688513f4c3c49a5f27ee53750d89b633779980058789d26a6b1720be7ca549de74bdb763f4db1a6bb860b05dbc4775b20ced871b4a9d9d877abef6c4bb39d368ef7e7fbbac5cb88212d87f3c7620659cf4ce1c6eeb0ea8384a6df2f291334e58084fc55a3b6d7a8351f625a71eece16fcb52fcca888093a040f5f157ae27dd79d26ae555dd0d219b58553db3bd8b48d856b3e233d19726578d382be3d123f8656dba5e61db14b627eb074db68d5a69c9351174492b50824824d3d3af79295f05cdbb47c8ef7c85d815bdcbacf4b8627965c07c8e1079f201e50980284f2005a92ba8215d06ef5efed591f5279f18a2fea042466d783e10864e93a54b8649bb4436d886c78819e927c163c769c22fd6c1ffc509849f685acbc5c6eabe4bfb2e2650bab1739a6953b27a1846464ea8f56a76cd371a7474595949b6fd4db076d44ceca31122274ec568c581d088ee7f568c0024a491920401f165dd1711a2f9b037ef4b4019d2272e19ed5cf4140e58d74ae1d93018d09fee3263e8119fc7a4809459c434e93d304702f110fc3a40dfa78fdac5edf2425d8dc1629bc95bab9327032598c2f553078187c3d076f15674cfb9e0f182b68cedcec34cf0490901af10a2d10ac8731f79e60ea1eb178a60142
97a5a3b84b80deb5f3b56204cdaf3a4ca0bca0083acac6d2a563717eb70b9d8275bb31dd4da25f6aaf3bb576152cc598399bfc1f703f9d65c7ca6fc45d7cd81912071a94b4981728bd3fa532dd3ab95edc2c8a8792316b7828c17a0a115a80ee5f7c632fa123fcceaecb311915349c9b26f2ed275223d79bac0c137671c3ac5f489b42fbf5b19b3a46ae22a72fe347d8abf11142968562c6329dfb942249b593d37d17f40d793a48189210e0b60b958375c08993d34e3eb0ba6932435cde73d568d81e0df7f76dab7c1c1f7e5b764144896fe5a819a4f0aefa099e1d84f8c11202bc141f7ae03fb4fdbf5b6c30834a4dcc7f9a64bbe14076110b9729767e5f31edbf5ddc540f3a31a36f4a332b5a24d9e0be54f8161b52f76b78083e40a663c8d20bfbc446533c2c4b78e630bbc94a24d9516018faffedc2e85fb091deead3612c8ab241b12647c2e71407a9bbef11c975edbb9722ab6174a9191c5f0128c1e0f4393353689ad18b96785a7d8e045adb801afe79000f18ecbc07ea839306becb862b1753fed504df009546672fd65e60a2b523ae7477502db75deb994452e0b3f7a841a98b8c0b0e828f0ca679e1fb97f8df292e2db30f756fba177545a09beb2be193fb3a1a94d34456d9071e634bb8a43309302f6ce4c338d439270c426baa048bb92ec139e50fc457db0f37b494c591f67115bc9c522152d28f9cad1610bffcea139bf2c5e0239d4f8db125f0c668768a02ab702814ab61b57e0dd839549cd78c1d331d3cf42e0e94359df9f9d8d4fa2b982a1977cc55a888805646231545c2e96a8b80c9dbdaf7b7644021f8dbdd8f3c373a72a9c5a8ad05c67f50bd32a96e19a606170061542a0b1ee90e3c75619d95416e1d2f6c76ef08f611882c87d096b2f84c1b5f79c728727e00b0589ff867824b88939c3acba96f59a3e308ef7068bd4ad8478b9f0d6d5c90c8d3fdb1bce0822fd4dbf60433d0fd9a1d00fad05b135b0fca522982bd41a1d32ca9e13cc2de1809e51e12b540df58cc4bcacbc39453e62effe1cba62a725b7b690a531a169b16cd4fb4230018adbfebfd58ec476742a8ea7e8ff7e56ab463b345a84299867f857de6ea30759a8dd093e98f99c62f409597f9a3ddd490c88133d9831a7ddd0bbc3536d80deaee38acb1ba95ba0cda910f4b120a592bc91504f4b0d99171e2c45d4e256dc03fede68ee1dabf8029c99dec198c4aaddb6817f839f1da74971267c212bd2269f8cccd32495e8f7204486d985987c25a5cb7efd639b1dbd2506022f6caf24b09226227d8035cea83b9cb821ac3fdaeda5f22dfb1191593f4d1655e23546c84a8ff482789bc92f194dda5f614d6986eac829bab2b7a29225bd5517612d40fda6a153fc52b24663368adc2edf56b07bb22f1b5
d526bffb21282c654a7795a27631f95d885df4c0bceb0712bfddc058dcbf3283a8b96664df548340466bd717329e6d5425cbd8f9e6442ec4671381b8017e04baf166d7b14ddb516a624ac5c76587a00c6502a9401ceec48269c4ebf670bd1caf4613bce86e297f9dd0022408af5c7a7e9ca4a1a2c7ea506dccd7f840eb4de4dd3c734006cb85e9a0539f988ab45f593d1d9606122a2f106e9f84f52ff91797076103d042586846ff7305c273fe8eaf053f6f2c7fd4f118134a8c824bbb27e3191a8b192555c6614908ba5436a673830c27a63169d3c69d3f7e052a6b6de6fd2a544572cbce67f67a3b3783f4c8db2271a4a13c0355a92c6b036e5ef06f53323db1432bd5bed2601544387dfea3f5ed9b252fc9a20411999423944fdc2d163f66ba1826c7bd6da8e895efb19b4fe0f2038142d7665fafaf979c56352940b55caef5f8f881db23060ddd71f99fcab6bfe412beb2a17d106fa450914aa7920cb21267e16cb4943605609836149f1970d5ca6f311014d5b691c145ba81b4ff94c72fe150ea49e56070cff34abee37061e871aecf5dcf9f91b52a36eb993c6789f021be5170892ca80d1c2ad5bbce3ce406cfb412bd66fd6442d70ebe18cdcc2958c509341f0510", 0x2000, &(0x7f0000004700)={&(0x7f0000002700)={0x50, 0xfffffffffffffff5, 0x6, {0x7, 0x2d, 0x2, 0x400000c, 0x7, 0x6b, 0x80, 0x3, 0x0, 0x0, 0x1, 0x4}}, &(0x7f0000002780)={0x18, 0xfffffffffffffffe, 0x4, {0x5}}, &(0x7f00000027c0)={0x18, 0x0, 0x8, {0x101}}, &(0x7f0000002800)={0x18, 0xfffffffffffffffe, 0x4, {0x50bf}}, &(0x7f0000002840)={0x18, 0x0, 0x3, {0xffff}}, &(0x7f0000002880)={0x28, 0x0, 0x6, {{0xfffffffffffffff7, 0x0, 0x0, r4}}}, &(0x7f00000028c0)={0x60, 0x0, 0xa2, {{0xfffffffffffffffb, 0x0, 0x2867, 0xd7f, 0x2, 0x28, 0xafb, 0x7}}}, &(0x7f0000002940)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000002980)={0x13, 0x0, 0x80000000, {'&,\x00'}}, &(0x7f00000029c0)={0x20, 0x0, 0x41f}, &(0x7f0000002b80)={0x78, 0xfffffffffffffff5, 0x5, {0x0, 0x30, 0x0, {0x0, 0x0, 0x9cb, 0x6, 0x45ff, 0x8, 0x7fffffff, 0xffffffff, 0x2, 0x8000, 0xffff0001, r10, r11, 0xb, 0x7}}}, &(0x7f0000002c40)={0x90, 0xffffffffffffffda, 0xfffffffffffffc00, {0x3, 0x0, 0x6, 0x4, 0x7, 0x6, {0x6, 0x5d, 0x8, 0x0, 0xfffffffffffffffc, 0x1, 0x3, 0x8, 0x8, 0xa000, 0x2, 0xee01, r12, 0x6, 0x7}}}, &(0x7f0000002d00)={0xc8, 0xfffffffffffffffe, 
0x1, [{0x6, 0x5, 0x5, 0xffffffff, '\xaa\xaa\xaa\xaa\xaa'}, {0x2, 0xffffffffffffffff, 0x6, 0x7, '\xff\xff\xff\xff\xff\xff'}, {0x5, 0x5, 0x6, 0xc828, '\x02\x02\x02\x02\x02\x02'}, {0x3, 0xa, 0x1f, 0x2, 'bpf_lsm_kernel_create_files_as\x00'}, {0x5, 0x100, 0x5, 0x9, '\xaa\xaa\xaa\xaa\xaa'}]}, &(0x7f00000040c0)={0xb0, 0x0, 0xffffffffffff51c6, [{{0x0, 0x1, 0x7fffffff, 0x4, 0x80, 0xe, {0x5, 0x6, 0x9, 0x0, 0x80, 0x3, 0x7, 0xffffff01, 0x5, 0x6000, 0x5, r13, r14, 0x9, 0x4}}, {0x1, 0x7fffffff, 0x6, 0x7, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004340)={0xa0, 0xfffffffffffffffe, 0x4f4, {{0x0, 0x3, 0x58be8e49, 0x88, 0x80, 0x2, {0x0, 0x7, 0x8000000000000000, 0x6, 0x2, 0x0, 0x81, 0xb, 0xfff, 0x8000, 0xc093, r15, 0x0, 0xffffffff, 0x9e9}}, {0x0, 0x4}}}, &(0x7f0000004400)={0x20, 0xfffffffffffffffe, 0x4, {0x1000, 0x4, 0x7, 0x3}}, &(0x7f00000045c0)={0x130, 0x0, 0x6, {0x7, 0xf, 0x0, '\x00', {0x4, 0xfffffffb, 0xc3f, 0xc6, r17, 0xee01, 0x1000, '\x00', 0xc42b, 0xfffffffffffffffb, 0x8, 0xfffffffffffff3f4, {0x7, 0x9}, {0x893b, 0xc160}, {0x3, 0x6a48}, {0x40, 0x6}, 0x5, 0x0, 0x9, 0x3}}}}) r19 = pidfd_getfd(r6, r9, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f00000047c0), r19) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r20 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x70d3, &(0x7f0000004800)={0x0, 0x87d1, 0x200, 0x3, 0x92, 0x0, r19}, &(0x7f0000004880)=0x0, &(0x7f00000048c0)=0x0) syz_io_uring_submit(r21, r22, &(0x7f0000004980)=@IORING_OP_OPENAT2={0x1c, 0x40, 0x0, r20, &(0x7f0000004900)={0x8000, 0x190, 0x10}, &(0x7f0000004940)='./file0\x00', 0x18, 0x0, 0x23456}) syz_kfuzztest_run(&(0x7f00000049c0)='*(z,\x00', &(0x7f0000004a00)="f77ef6bf4c19c04aa57c4c2ff92ee1460ebf0e57595cc355aa22679547ef84499ef99d9bdd691a9a0ee19fba5fee97d9a92bb7ae3d754a98456cdbfd27da20f977f4bf4630c3ca421a6acf8d9f81d293d3a0b02327e406323e773c64b865c2c7a10236fbbbb9c9eac5d14f18752a0389a5815964041b844f71455ea12ddc9dcfb6e900a3665758cba3c7", 0x8a, 
&(0x7f0000004ac0)="a58109a5e0dab93137d420471cbb19fc28b13363208467ace8722160a2bd5fa04e7573442cee6621bbaf3e0c408199fa9834f59a314bc375b4a23459d2020312ab4194c9fd9c5864c82edc3367a0f8cdb8a0ff39b96fe339e352c903af49c77365b3acb2eb431c8d988b517dfc639532eed4ae0b4ed9c64d53b29a18fbad20223062a257aa5e183089cbfdaa0c46a4b8ab8dab0990adb18eb03e5c0d4d72ae0de6f67dc96de9940f710684bcfc0bd26cde3ea3fce39ee9d71faf2324cc661626b1b6cf4189a0eef57977918a8b3e2c135549e367e4a7d2527e24cb424d663f00266d3996d6fe636e1a9d035a54ff46778c6b0d18c4acc3e5b23a5566323e1e0a256661d688b18da8298963f74441acd2b82ba472242de35402df8f05bdf0d54b383787dae5ae1d143d21df935fd0305a61f83cc42a45ba77a5317948705b59fbbc921815cd56984c44f89d8075bb7bc5afdad2beaee82b73df1eb95bb0389c04a3fcf33dd342b8353fff76a627d69c5a76bc39bc57c99732ea8830e692bc09bef94da07faf89d6302deb5111ae54523c2c16a35019d120b871e797a9a9f12e2d3b73e6ef1e7b9a4e8048e36b3ee1721b98743a96cab0c508a6a534058b341f4d917fbbff140b8c5b51b8b42c605ea4d2b0a935c501d5b9ae3f1ff3deba846c0d596308f1bf3e0496a7284732d79555c34ac567d731b4677e09287ea315b3eedd503596c4c601210d7ef8a6316359183e039d5b211db87457ea44f43384e3c37e668ccb54964b12ea874057cb6a75559812d939bed5a168e7ff02f22facd5fa33e3067996282f603fc71676d7ea9e38f7ca727b18b933adf118e8bf652cf36e2147b97fb298671a62480065d517c935c5b5d76014c13aefa1a7606018648676eacfe90065aabdeb53e1289471682cb6a1f3efe7d1ca73fe8ad262442414b266fe7dc1dfa1ec7135e9e64e1bfe49a1bfe7ce3bada05f01b47ea14a4c92b50654d7ce442725dae73d5e93f722316920670e213f8b09d9da58df0eecd0b0d98081d5355300e0231a0543793dca00255f3d189b046c999f70cdb5d4043594a486a23cb9c78fd4c0c6c3d9858de57bafe71fcc1cf3327a63b0d841bca21c72977a80c9f4d3dee4c10baeeecf7ccf8071b1f618c749f3b0fc699d910e5282a431a9767c064c7010bc390f8285035c462ef24c879ef11f3e42eb1513791c7da91608a95e5e2b4803c946dcd77b7ce004a6d8c6274ceb2ca3e07cbb1c41d70522c6ed156dfc3db146c3df4f2cc286f4bfe994e1d7e20cae2bab653590845b7105ccc12773330b05b52763bf42826fe3badf907716d8507f8e8a17e51507a0a9cb37e6a663e4c17880e21736f37d17f173685161cb9407007eef711927e6c3ddb5ed72d
f605cc1bf3b92af0a86ca60fe7f042cbdaeebd9a419b144d2772b10e673f1538c798b82f48a143abf4dfdb76f747517a13ab1f35e598586cf6a7fba9371b0ce35b14cd7f34685ef0c2afa71ce7dd13b4c31732a98dfba7bb9ed0dc35a8905debe4f7bd03bb2ee00ff45b955845a3a876dc0426d23a2c524b819aa04a671fa1cd09dbd35b6e63f64f9930b1f4ee1032e46adfbb94c65bc3d9ec61b6faf65e76a572cb3173fc3eff366435d99a370971c85274736fb87e72bc74e2eb4b6a195e4c7c4de5ca2d65b0ba4fca7fb335ba405b8f1e5ae24bee8d554d82a42d50fad4db1bed0570218f5a47a2e156d76c0956cab5c3a44d63abbd2b8dd54dd3055fade3c31b5946daa3cdac4fb507b3445e2a414d35044938aae903adde90f8412316b2a3b6fca7a908be62eb8c5460f3015b13b5ab43822538cc9b860984a4a257bc9ef6f7fd9193840c3e46361a1ebfc9117dd57f0d7e1cc21ddcf1b17ca21a8fe52108184730abcf9c0be332ad8c37fe842f65a54e869db23bbb6d44aefea29e1ddc32788d242e46989fe3ea6908056591ae9ed91efaf199618a6b6362892e55b83f83b80da9e0e716a2c6e42eaef2016de831f76a7c73c2c8d847595e03dd51a0e998b74b846b8c1f7ad4c528bfbe594e26b66b6fd9ae5c2701f1e1924a449634d64171d2eb2ed04c5accf540b477ce77474fda9fdfbe294b1c1bc051b8f3cadaadaa79aec8a99190afe7b64499d19e9dcb61f3d63c01810726b4956c28101070a1747de55f9baed6ed3bd4dccc963a2a882028bef5805a871fb35586e124616bc141f1c2db9056ac2bd367789beb277dc9583777f5708a95aebca263f57d96f70783919b012737c2c64997b154a26d5bb01fc5a288dbb01cc37e943114cb4d375bc82dc48737e15e209b48cb9645f408218751ae62cc86a38f37df83a0130248ecb35c484353408a343a02704a56321a7b46b6518ba59892b5839319d74f4ffd52efff0b25ab63d2bd33dcb193b785c87cedbf9985b0cdc7a105850f8fcf601647f299b6ce3da49bb042a3d6705a877a9fa60d16a946f2ba38bc73f03702fe63fa12814e9c0ebd6fbf41e55a88b275933d221dd957472c4e0592d2f1bea33feb1a1947ce0391b23b46e1244891d2507c0fcfdf60213e2904246fe0022db77b15466525a8e074ea9229f11a2ce2fa8b3c2184e64f26774d723a01213a7deb991b30e4a18e42a94e26e553c465b85397e8344c87dac3ac004b6094da9ff287b9100f770c7d5b919a22f84fc30534162660ecf71bbff9bff48ce42a1fed6dfdf2930f2974e341f6d8b4e9c551ee437934702e6bc0da5515712d7be5a6b49ada3b6322939df6fd5b319475e8312f41c5d37f52f82e7598d7d71f3001d2db5431c5520ae57ae3c7cc495dab
8b7e8d04e5610eb5111184a857af2f0723a52cf4c602c6fe47a3b6f7805d95712ceb22e24860d6a5e17cfdc25ec795a7089ff927da535f2be46da244e3569712dabb82b007e156a17579217c5fb8b43d28836e9d280726cd7192ba8f018a73c129b09479ec3eb2651104f56719cff6adea42c320bdd528d6ab33bef8c807fd69e055bb1c1c89547d34badd8fc3a064eb7abfec85d8d4396cb221d7767282ed873561a7263cb241303825f1fda618a9e64dd6a4299581e7a2eec9e750506c20504ba2abd8856bcbeb36a17a63cc8c77619c29476bda703bf3bff6c2019cd8376713970b56f825fb72e83626c2bd6805031a2945ea9efd2f4780ccb5bd8a3607ba78cd79115849f6d95c93eda04e6fd8857b1f2ea0073e5db2116964e7f8d1d35909a3ef8336e07e0db4a93f5c902303191436b2623235b3c694eca299262184d983ba33a0bda2c04ceb8df35302ab079ca7ea4b52102e39593b2c375f10fb7906d10ef3c9149296dcca884c0181bbc3304519f797685038c4e66f90f414797f389334db759641025af4848af615061d903ce2146e4bf7936dc4f2be7f420ef7561fb341bed654e3f93c1253159f76a75d67378f5e9151f8b665d10676e848329b007ac9aea4c1b37c893df05e9dc2a631818620976190acb08cc4e413b1f371cb2601e1aaf3c2a4787b9aba6e11e838cc41a39983101825627f5591b85ce06044c61f5d6c00ffea265340c675a2171a31da662b7713eb49204e4fd5d478f3599dd76952a7d4875cb972fbce7a59165db90fce3ec9ce9a0311abab969a9e24a8eb5a33887835b198bbf51a857a70455186bc5f0e65660fadb5c7cf45bfac5046931b24ff30b32ed35a6abfd48efe4ff29cac0e03c9cbdb90ee70718fdc5f172ce01b680c30084ef62a41d421efcbba1077d88c6cb5d8f57cf6c896d96e5cac28f85bcfa21c5f929908d6e66f1e28063c1fd98e5079b60d12559bf6a164901337d10e0bb16b9d43b719bb6b482036eee61cedc39b7773dda85ea04826b8669b3c86873ca24d10b61dd16b6a54b7c416deec8b0287ca8f3d2f66aa53012cf10f6f7e2de8c9d63551485d98715337d106d6ae2b7a48f2ede892d8f04a9116d1d27765d4863ea0d2efd68fc1b8a39260e064e5c72ec53d18107b1ca044fd5b42808d71400b1526efba0ceb57c27e53f29327b314901e177564f92988aac81fa0780fda44257056bf6cd90a49a56f942f84d5b1a239d5067f00d0f4c3cfa7cd60c1a90c409b813aaa49e94587bfce1fff62303116ddda4e75bc058b06f46d58014083a4321c3d1a6899425874bbf9dc195448c0d29711c23a88fbd4351e457009a10d1d2ecd47651c5cd9dcede7f8231063437cfb05a319bbd6189d794c6f5c99b6278941c94931c876289c
e33b3e3bce842b69689b9aee44a423d2d429d996c6bb6ceeafccb15e1f63366b790d68a093a85cd6b5bd476b283e17be3eaef83b701391d728e518edc491652c06e0a93ee98803f8fc051d90418f905344b5dc6585e2ab9ae7b8c9c8ffcc98f6a76ab30f337b5cdf14e99e353f152c8c30e98acb4452d7edd261fc1f176f9b5c6a4f207a26caa9da306f9c9441f88d274a2f89d8978922bd2af4d1a98ddbca53e08239f0e3ce8aa8ca7f554fd4ad5b84f12e4a6c44a85d8a649f461ff01e77faa59c6eed9d62c73ff34081a31a065f0a17ca7ba63c5fe753f5c1d7d4e11de3568409ad43bffc4da91b22970340ad4b5a5e7dc4574a4d436ee50745ab58b1f06a61ab3c2b16ba2df015be8f1237356cf133bca98ae7f78c87391ab7fa80edbd0ac93348019cf2db466cf046775b21c8d2522a6208b3db796ad26728e4bedf47c31976cf2f1a66207f9ac46c8cbb6cf005642d991fca160e9b259e422e565f510bcd996da07c64cf369d7f7348f61f234349b887a41ea2f98ab7eebfd3968762c50d84116bd21b0103581b54ea07ba388b96fb66024c9e208e506f107f7418884edffdb1fac8fc6ef9dbe021e9c9f8f86a98dded8c81713fcab3efa63509d188a3576f824cff6c5b622a82b6cb74e937f0957dbc0f55ad3d0b6573a7310fe31098bf875eab3b1211999ddac846e5c202a7262bc70e1568f88e349c6d315d39f2c30a2c9db3b97a7e6a3cbf45bb675e3cf75edf033d7b9a5e600c52c8e7bb899de1ad3d98b2ef30b85f1e5adce2837cb1e2190eb341a29a000a03b46552d4350eb6ca5a5d826c074874708580e4bac76cc11f88d368d531ff7248d3f624f2e409d330a2696793f58f7736c08c86d28a3225359730346be9437f035ecd92bc2c8aac40b2592b4c6b79af380f49d811ae459173f5cf917f63f229e87109198b6cd64f6c303a4f8a40972c837e0f51ff047bdcf4bc5347dd748756b295a921b652ef9fd55bed20f7ee4054b45214e54a366dc98ce23ac69fd75a3dc41691de2b0035924fb5e7d2d9ff777d7b0207e9398d1a6ab8496fe6245dcf3c8e6f745622a015e339602caadc9001c30d89ec31deb8cef3e15488d26c1704e30982cf45c9df58e293cdbca0a032da51a08df5d2fe0a93a5ac28d3d512d684be20f62fbdf066d345ebb642733de0331b2c9ac7a6001f8f6d248ea197cfbf662d7bb620d996ab31de7c4bb3ea1303321530c7f63d6a6fd53d9fea3d515f107cb881eecb0d749f84fb687d98cd27372fb06f49d628c4750edcc6b2bb1cf6c5d65c1650e3f8b759716f183314e9f7afe38cfe54fdc4768b624a7d054ff45588ebcccac5ac65b150103976625cdfacacab24c635eeaf40d99639585cfffbc3f16908336425ab7cbd0b6b4dae4e0ce1a0dab2
592900a988638bdc9da5b824710a7dd7ec9b818c01b1cbfa687a4428d293579b2cb0593e5f1b1abeb116ecbe1c0c6ac5a2b3cee613676c16537391883ec7792f75b04e342ef1dffe504fdd124ded4e4fc547cef5c60ea3433cfac40ee734602288f94d1570031df971b2c457dc366e77b799dc14e002d29999c2426b124e1992dcc1618837d3a290ad7f892f8461634e67f9afa1b6f841827b289d1c82177f9b035ed14e7a2671adfa1bbf3b6737413364c49caa5dc32bc927143527144f3a46d19735aec0242a80e7ebabfa1bf7222c60e489f0a8706ea2ecd66ce3f9d500129d475c7eefe38545d0a696c8c8f01bae8393c89adbcb85e6eba1884c674d9091078d4c3759b25e7f511d4fbd70d3dac32352328c066ea2f81cc7f5427508270145ebfd80807d9ec0a6cbb2219d69ea0a30d5e20f914ebae00a9e37e49c6c611f17c799192c7120f8f89e3a316f98f54d36078e794464941fa43822a701b55ac941dd30f882d0795b9c9ce0e86cb670fe920d4f6fb595e657599e6da0f7de097c0193cbbacdaef6c3ee2294ae7217311315ac073b6780b6365e6a1039526eb313cc5dcc9dac4aadfdab4efdbff316d59091231cd1a54d6c6d644c8efd2baa527dde2c7aacb9dd305047d8bc04d67a7cb60d0270cc4a01f2a6dc9bd5bf0d5e0c52f45721e4508dbdfe9d1a37cc04769d82015844d10e74defdb36973ce0fe8a08ae859bc8d1fda984c99a6be8f024d99b6f1fb85f390cb2166b275f7376d5460c9181116b91778a91ffd5ccc4acb50d4e1d6e241aed090b7053303ab6ede389eb0302f7522e92778034d0a9a0bd5f56494734d7315d627dc7e9746ab1be23a4b4e6646b116ecd04131c56c6ca3a18f8d3754c35932ba5ecad1d5e0b5c37bc4519dbeeb4b9e7ad044a76e364c89bd52a3bc2fd089ef1229b55a378faad365fb36a6d363e0263d378f06862b7c6e16a0ae886b9b5392ac4f9ddaf86f5de4e463396e99de388cd4c346de1038a46b339a121a07aa415aaf8c76ca129a33ce42e00d59776e9ab89ffc92a01665bb5a10709c644ca3f8d8eca20029173a36b9d3741190e0d296cef78012d90962a4db05412c154f84f41a503ba3cf60decdc2ce4c947b4e379a4627cb5c09525e60133e8f80d1bd9201cf39762b95f66a40c62fcb7362293361319265d687bbd9cc645ee9e7125408ba40ee6f1e63b4d546f14976967c21cf74dcd824a73d9bd7041befbcfd6ea0a8d2b7758fc85e09baaee1bbc890d3134253e9b0491f719d8812532d65ce926390fadcdd25b05f45a61ae8e61e61bb83c8f9b6504312bde871b10a6c5b487cae61dd249ad157234ea8d28e136169f0559c93d67315ab3a67d947ca9b5551cb6be93dfe22bb1aa07c7dd99c493d0623bdd3650f09965054
ecb738b5d5740322f57ea9f2494622f10a369f1dc8d38468b21931a5138a9fbb7814ea39d0b914a2c3fda44c1c63ed8725986fc07567befa41ca21adf7909beb981ce3944d4af2917dcef3e4581a6238a5280d7d613ad28528df86625ce764b8b03e26454cbd5d74ba7e047fa6715399f12f97cc5d0f74cf6c1085da2b86bba80a6354493ee32d9877a7c315a7f99b59a3831e61704086158fb751ea302eafc5bad6057a4280ba67c564f1347a775e428548e6e09bbc160eb1e8b3e40455390d59dfa1f0de5ab2e4f8f6decfde3cc1ba04938d9344b7a9beb36f78ba04dc031c9fab5c741da098cec3aedf4e253df7711b2d9cc38efcf310b6a777b8de675288d6c90786eeecf935f437b27738cee097d4978a9eb10c1ad686d5a4d739c85cb92c7694a5ce675beff415abede4b165881ad5f9ce9d0a17ae710c8a890f53420dbfc9f3935a8771b6a48324c13a6e5aae85dbeb26845a9469f0187793d0faba88ae60822dfdfd9f2f2921b863046d108be2f6f809c95e5e3e57413cfc0fc94a6d0c95faad1d7914c454502ae615cf562c86c8362285c35e7bc011fdeae0f402fdb813964ce1012243a791868b505bb4a62ffb9c2545b5e2d39b2696839a510f0a1c41ad45da72de7a077c39a24312b8edd290d0fb6774c6d4a47dd3a6f4856a6d9108af7d5042164a578616ee49dd3a1cc74e8d083cae83bc1117889f9744bf95092d70ca295d8f66a1a18454ee9ec6982ef1a1ed9550a87cfeedfe12ca5b7cd9099591f6f9f978c938640a4fb880fb9b61ff04b8073857b18c87ec2f038febdd6162909523fed57387bf0aad4429f3ce8b99663cd060bb2f9a09922e579ab34765be81b0aa877d99d8aa0ab0ea03ebc4cf3d8e4af1725651386ad6dbfda41888a0dd20c8b2de01123bfb8d496fed4070056c666004cc73568e760e2276a1baee496a5c836d8854dc3ac3f645f5433ca815b580f787c3864b232df3d372c50474e45640d8e2933aad519fa64cf4fdfaf029b41dfa454f423a8a8d4655290ecab35136ea1fde850d3e7c67937b909fdf0de0af7a2fcde657a601b970471cf992e4e2ccc8df88f7064911024c0306f59734ddf01e0c864f5c314f658588aa179c1077d0f2804858359173cdaddc4f9c15816c8738e6aea3a83c28a12e1f1bbb9d9b46be631268aff72b605bd6115d0af106fb0e362f82170f8c2b0f67d91496a2da8783105529c996af674c80daed482297dee05d32bcc55e046f7d81348946cd183b63e34ca25d624a66e448bb8d532c335eaaabcdc2ca8c822eb6849cacb1fb0039f90fc0f7868327e9b3474880c15030ca2490e0de01e254e4a257d730bfdbdb1897e37ef516e2af7cdb9108308350f77bdc500a3740d181ee8e9ba6064f6af79624512b736a0396
9ab5735c247f2b417b87597fd33cf0cd406a42747f938d871186fc6b20e02a0f379834d0a2c1afb2d07ef20e857bcaa16fb795e66405ffa3867b35e88f54b953ad8907d89b62f56eb148cc5a051f2cda1f4774a251b9f9a69a1c048928c4fe0fc24f9f77ec55d864e9c3b6afb0ec5c1832e8eb6d560c900a347bd85f7d017da13daf645667db3ed1dc3970b5a5c246858d556f5b266a212c2d70e7473c359e967879bd39c574d22f17402bfa850a0eeed253035c4b79209d95ff3fcfbca84e14412953c8c690708699a035d021a2a61d317bd19ed34418b5ff4bd53b685b9bcb0eff6341eb2c749b1896e2d4f14b782b0a43b78eac491bf1c49c9512d848630d7d7bd80b9356bf60540c8465f7f6b0920ca8d7e9fdef6d64bbd81ac6f838193b8146b047c7ac4b934ca28e742eb73b4d3d2b6bb795a74684192157e4a1b0192c3115f49ae45f06296794757b27c19f33e0f3ee30d756164695ab589aef025da931b2c3153220b7ea56043bc27f806affb93296ac617f3abb21a2a34f96c7257d1a8efbf252ed417dfa42886eaed942cd06c3281e6df3fba6a2cec9b90ddb63ca533b21aef73bfb8db3666785fad461b7479688d8f5530018dd8a52849a8c256f4aa86460574c702b9bdc1ec1e6bc246913b8f2686f697b0809b9f55fa9b8521d69b246cee705ebf7964c8e9200b6600b488033fc88a834b00efbe385326395df0f530f34d1d88c6a9c605a67ed64da81b4021874bd8e66f96953cd8bec7b1eaa4543f158bb4e1027895cb8e8c8ea9cfddde92de0f79387543b2021739b1156b828ce23ac3ae6aeb250692b9f25733207aadcbc0aea4f46ac4dc8cfe8d53b5839e9544002bff2a791ddff2b3bc7efdfae13842732a8bfb7d971526f6ca2998f9287fe03397e01321b3a13a128bb61689534b06550085290c7f9202b07b3583ce0461e9bb3716362bcff7f28ced83aa57311c7dd7368f0e285a9b7ef805ae8d43406d70e753ecdb7f9ec942a0370f69468583615ca7cf746b497642b8bd3545d5218880f6a439e4b57318a6f9b11f04def62c91d7d39082209687d93bad79f4cd874f5b9f9615ad75bf02ae6689f4142683212bf4abdf2662259dc3007002b791bbb17caef153e14f0999f33ef3e9288401626e2d4acc4040f735e88214454a59bfd412b090d6c3e9ffb1e0512cf033c60fbd04ccff556e8735ee57bf3e78870bf8382d85f51a9afaaa8d23eb7ef95cd64d2c14e4df21d675379e8b62373d11b60e4c3cbfeeef453048bffc69e13dde6bccdf3a598e0c4954b3c91f842e8d48da9ab294b49bf1e7c085c6eab52d9529c2dd4244f731997ba0858480a17d125e3e735d4dd1fa420db3889e57a6f00b5d88d669d837fe46978e99c8fd3c0daa663aee7442868a7be6530
f72fd2da551611641530967d5e3f44fe15fb437d6675ba911a947804a92495d57fc0038e9f4956846f0ddeaf5c7173a4d642bf70f4c4a09d00a67306873e2e01fe789e16c334949cc4bd802a5890361eba8efedda780afe2026ce5d9da88bb9a5c01f098d7a45fee1c213db3b1421c4d8bdea3477654e24bc40b152e9871b174e3a94d6968b21a24c1abf795edb89308fe666e1b22fe4002b8c419f98c1244e0a032d18f0e10def94a12b4b38266489e34ad7361af7a860f8ae19fe08f8f76e5b458212dc62aec387667342598f5bac9c12c57808e218c85822436ff75b12998078373d1f7a0c4076b5d0785df6c0a5c8af9422cf89058607b69c701712684a30d4db89f32334ba86f5ca420cb38765e612237962292066772b0f407d0c0ec346d4eca1bb80bf8cc68f807d0f59baa4f9d5f505e67737d5d6b7d730d6d146b604900563067893d08c31660fffdcde2c57619f4717b1086bd14c417c3c893e777a92a2a00cde56012bb1fda1ee20c922417efccc828247cd4e3d62aaf1e889e0c7862474288c8bd145e7345c3110e941b5113b05d84d1cdc54c8c8b1cc3f2b93ca822559cbdbb4e5629ab98b6cd9021c84f385415d3b3acdc4a751bb22fc0f643bc39c03264dbeb81dfc7b1953767f2c5db305c18a636ea6fcb5eb685cf38a0539bffd437265b966f46c062291cdd14a380bda6e7b31301b8db274be67a2260865c5187660aef5d16642102a7c61671b13505909173cfdcf6c1aaa6633f4730d2cd0c8500e8cebfea8bb2241daf9ad9447c67569b31abf33e914617bbf1d0c4342507be61144ff0d3eafeed6776d60e07f02cc120e6db38245ceb8f08ae630ed9e548e459878c84abedab3176030d820d72eca7808688868aa72324834377e201f42b6e5c017eb8ebe2c2758720823d645f37d33c072955cdcad179dcf14f008283ff3a7382296e9272ccb6d3ad0a1163cb970ffd1d5dad50b31f75733f792a7dca4fd13bca3391c90d7828cd044c0e72225f7146875717af9ce4e65a06f8ecd67f1899b4cab06bac1bc2e4944e62419ec9fa1b0735666e4f2360b9fe3b51cdc4d6523cb4f8820c5bcb8feade4cc2c09533cfb326e090eed808040182373cfc2619662356cc5ff8535df5d03f68fa01020f149d13327554320ec2b199cec922d0d7f0495e3bf5a35e9ba8cbe717fc2d5f2d7724b7016cb07c3db1f06e9dfb890b45a8cc036422739771011c4a4124b1600c2cdf16fb9df3f76ce1b31236ef41ef4c3d085f9c8f44ef82bf042a1eedb77f515489c5cf7ecc245965dfd29b9bf27664a5684ac5343228e42bc1779ad40476ac8860a59418d683568a907f678471ba9df5a7ddd28d7058609d3e577fc1ad425d8707f9503718859f28273755924876d469a1fa1f447b76
12d2b80768ab044dfa3f662e969885a82896dfb88707aee9c11f96c8c273cc87facc17778e5d1a1d0d2a781068a56e56c0d7421aaf33167cdef4022802cc12ceafc99948fa2a02c766758ed98da6cfb3a2148b9f78095dad01e35bb36ed8d49af270ebce76d37ca39e7ee7fc614dbe7e85d78f4619888289b0a4dd2f965e8314ad4069b6750fbcce00e64a3fc33119453227645b8182078e6c813db7e5ab787fb990ff52ad1033ce56a2c849fb8fbde6259a6af5fae321ec771fb59e15c052b71336cd46b8a993e2a335c64f25fd588f1463247fea99bdf9cf90e1f83218c4c43e97f0938cf991e4a735763e565918177b951071df51c3a17dbbe319681912fb4814bf47c9830697aeb7a5a923750236479cafa956692d983d24b2e848052af874df7a8cb2987b7a80c10cb4266fc47fa7603f56f0b8cae45cde5632540a7e6bdee9a44656adb538dc504a898f2a6bafb396239031e70081eff03a5999f942db7696a8da01c99817a71cea8129cd27f7fbbc6f171034a84305cb33e08e7d9979fe70b5dc18da2db64973dbcdb085368b18aed290f36135d634343d068fcb94774b0266cd45928406930994702d39dd87326b2ace2bdfe10bbe9ff1044faeee498ef18182f228424f53abd6b70ac64c907913956b4241a4d98b6f392a61a984d98020bd7594ac09ca269eb7dd86261021b5f1aa3772cee8de11bf8512cdab489ad67fbf2f6f86c124f5f781b288344d7c6117e75ad3bc097b4d17026aed559de65219044a8d5aefda109dca57011e888183055ee2112453096028aeef3196b8350ce5c7af28ae0b187b64c7b6796c801d93f620f9e8af2499a27e5a59ddfa907e826bad8c3b46250ac1561ec0e21fa17b72565f3fe1b0a369273de5bd04e65512b41333ed743a51a57d8debac85ecc46a41408b551f2f46fcba4babde89d353e654a1f7cccb06389c4bb30dcabd5f7f468bd6a1eed6933f85e9eebd0348f1c4dff82e39a1a198837f8aa69c6251fe1d64211e379b1b84a1f2f430db7d158ddae9d0d2da1a7aff1fb5cfd59f0c6b8afec6f0e48c4ef7ac2a764b54469d78fea5d9b2b5445747b69d4f70e9f980928b816e354175ba1291733844ab959772eafb60a32e6eaff4779eacb11356385845e4a2598688eee44b54af6b0285fc7fc5e2b7297398ebdba3190a3ee656f54849be33da2d679700ec4f78d45e7e3fdf9c67d822434dea8cef46d34148277dced030e80b3214f3e568de522f744e66c61d08165aecd311d86d3b343a33e20c1cd965fc72f37a34a63f1eae73d3b03fa704589353f586e202c458234cf4d52af8e583077c784229b3db98189c760c97b3f02af5ed34b0b3a87ebad6a2d47fe6c060f9c08c573549e649eb894ace871adfeb681bd4e6ea5065393afb
66cffe8c025c18f398a373dd8ba0c543f9fcec2ec7fff239d967b1c1d17ba2bd7fefc473c75685e844ed73703738c25bef71ee392f70d5105fb6c477e254d0c6e42b62906dcf7b74744899a0f199512a0bea3dc7d1ed1f64d316fc1d8aee157b3e22d00c129fe798a8d3bb1baac4812ab9c3f914a080e484b3894cc72dc2113570660106741d08c8f0199e2196866a83fa53b304d36cc682f11f7c925ed532feffe9db4f855eae8b1ba9cee4463b669b5cd91323a2d51e72e24aa292d2a1579a034b9a39ac3711ec9974ff6f91375e0a91975ea3259964156329f47d6fe8d6596ebb46feb7557bad5c3c7492745bd7e214888174cd1573bde3b044b98437ff6917366b1d07a445b95c604c098fbc25f53712ae786f56326d9580704ee3b44d1106f7b7997e37367e108b46886511019cac3ce31d759c267e067e8f2518bab84cf27bd430274ce4f62e9741effc8447d4f7bf98881e48b94c575e6304a0015f10ff9ae6a942d0a410595f55e3b9a55460cf84b0590ab869aa4dfd2b02d248040214a3549b9031ef29c639335f68910a65e105fd83e16f7dbbf76eb9829935231ba7409c1b4ac81f20097a0e60eda384adf185e64b056805c80eb485aa975f35a571b3de5b7d6108e89049d1a37f121a3be8818b69c6141f342fd75f7c5ed80aaf42b9152d8356716f47781de9e63e4af5ddad120d1bbf7bc68a2f4e5cffaf80021606949e4e2311f6a15df4eae8a2d6733cd77612115047a9aed3524edde7df72ea1c3d976df25dbed5e7ba341a7bcce987039f7b99a93d13b2c14eeef72ff7b4611c13b37e6f6ca2d54bc8756ef444030b7996b42b8f58c9ed18f7b719378fbe94f64baad4273c51efcb2beeb57545490debc9bea9450a8d781b21376f6c62c440940887af80a0ae87c17d624b9493e37402dc741c65524ed09aa115b43967ee8153966b435ce3f204811fab2bea5f2ef5e5186df86a2ce2370597894ef31ec2c0c19208daed00be9bc9c0306f1889ef797ac87eec61e5cc61ed110f6590578a91f987ff86deed1f4dce08f5f2b96c0502f5cdf88a59d9628ec41a7ccf192d3aefa8ec975bba4a877059138488664adcdb393a47735ca5f43153e0c79c403ce9bec7012259333cd11e9e42e3863be2711a48bf5330c207c0d8da651a1ce0c53b94ddf246d1054689502763b34acf020c4ce280e0c8f22d406319f54cad6e6d5b3976969e687138a52a292277634f2cb6c1337ebaf11684d1e2601a0f92f2864c40c57547e5efc32b08cea3964860f90f0133a17e13c60ea71d16e6861cf3e1865f584303b0f16b80e6128aada9fc0e6fae29dba4a3fc993b406795bfac7afb5ec9ec8e6b4eac7a86418ce9513ea353ee47811aacc144975eabc6dc9278631a9e92ce0668b0db8bbb
f5a54c79906ff638809f7d696ef49ae47e0740922b15c503559f0118b0a979e2ec8d25081043c72ec0c5f3e20f6182594bf5f3aae3be1bcc90b994a7a88c35363e12f76fe9a67c256b4a30d73668676cb87e1aa1cb90eb253a2f6642b9a2315f48f6b44b5857e692d8a6db0e064cdbd0b8ae746352cad11812e180df03eae8de9e5804edff73d19a22af88a7fea01ae7888c77f06f42c216d30edadcad5ec56ab99c94248b6fdc1d5fe0411ee122f375ec47bd9ab630255a2b14e71fed7068d3e2d58c558a5106fd0ff61c6e9309bb5899ddc993d529baa355e9c4bfdbd04e88f67c564b34f1c4093a83ab27a05929f29162b448bda177a4725008ca3d61e31f10192918371c568e917f3212de031a5c5696caf0b2f85e778c26fac0c642e69f759da27c8c7a44cae86e0d0972ed8ba0e87416740b3f0687f052dededf00101e230c3662c36dad8537592871199e48a7235f125cf031311e1ee339b7a62387b52ac1640d5b2795ee2af827f09c8314b013536373548592d64bc54e36c850c44c39dc230cc99da7bc514d29043bb9ef2a227f1f912e2c6d906123c1d1db2b813985db6ffe2c41b3dc5f82620b9eb51f9e351eb6a115409b70eb5227122437bc53ad500af869b84c624cbbf5a0020ac0cbfde82229b3e7bc3063969474efdbbee571cc553ce2f1e08be6c494c5c660a220e9107be93dbb4e04cebfcb8107737432b144f90cb9b6b078d813de2c803c09003606af461c18a2b5e6d472f3144984007ed13474ecc167fca167cb9ebd6f7e37070b4d5ef787d90eb776d94ba5fd63cd3dc1c555176f1d5e090aff9013665ecbe4ffaebed5ddfc40434dc1e94c954a3e5c6fc8a2ccf679c1ad8c5c98bc3107f5bc7b639f23203aeb8d3c00d89a0675f14d486b83b72bb453ac3fb74da84aba00322d7716cae55a3865e5f4d18070e02d3d19df09479a41c8da91fb084a429849a7907d2b9f0776fe0bb5d51bbdd0045894e96a1f090be36417c6603d5ef01864f221b36dc34ad05f43dd8b099afad95f23f2c611ad9581deefec4e8314fab34761f9bcb47fa508b38ab19142148bcb6bcd8d35074919d89de51fdebcb40ae9608a7edfbf3cdf00db9dbf33bbace91ffbd5c25c29a71305a2abf343160ccf922dee487519aea764bde66617977f0be874a35d468240bb81038252ae8994dff0053fe21a82f68f039fae01c52cf1f6857ee51e17d5cb2c6c8dbf8560afec66f1a0d527507bab2b7df5e8984d12eba2d07d836ee7e01967fb23599a3583b625a75e7553bc66b2cda3a4b67b0e864dc868dd1c78904a74686a91919e670e7fc918037c4f76df3a78b860bc0459a12bc207c30b1badd85324f5a1e623b661aec28027bc086ccea49bd22f39560d289e233c4231252e8cfb6af721
ac7cd1b6b37a14fbde4393e44e1b25e302b1ce29bea6344912d1f7e90633816845fccd3ff7242a008a743e5a47d48ab3e01c21f2e4606e96b08567496789315d87936f45c66db50de407fc101153536949306822e1bba513ea3375581b8f235b827b3bde08213cd1852f36744d9ec05fc35de3b5fd1912b14a38eed439a6f7dbb37c3e55690af6cb75945423ee6dd24362327874e960677072199c4d3d03181f6db4370a7269d9d778d0cddf67e266a29a22d5eb7129f2d5204ab8c3c5d01bbcbfa60b11fcac944ddccb27661860a8addf6377a3a3b9f7747334f233c5a44a55ed08ad05d233c7c43e6eaac0f89e0082ddf70c406814c3dd60178c23ea58ff7e6ee0a3a57358337e7fb83be96255a35d17914e6237a3a74215bd4ceb8e9fd3f0850dca086c46efdbd99ffd86f07d219d1e2b087b000b8ccef9e49337563b48a27a505970f30cd550b873e32a8447d8853b129d0a40afbcd900aa29a9a59332435587b38d2da503171da6f7f50d2442ae1d23cd4069c38d0a6eca268f9e162ca56f920aa7b0e6799d2029e82ba34a82959ae737db3e7906dc8dd1bdfb36e4107e36a54875348b9e45b8e7233ae4a1c0fe85755ba6166ade7d34bf631e9af8f5f90548ac7acb613f32c74addaf42d97fc9be84d30d18821b796be490f28274fe68233003641a956acc9bc3a09d5f43aa22fe3a2b98a8b2a15b23265ec438e3b15a1d137ac2761f7349311c8e4ee18dfda5f96d66e16ddc255fe70ff2a051ccf744fb7eafbe2b5fb713918c8c776436f09004deaef5da7409fae7876850bbf62f17c0d48ca74d902338c756a337d3286a72087788f7a42f4f1675d6f0ee957b7984f21cd95074559b8b2ca49e67b4cb7634f513a1722351ee15e9059ffe289e8c989ada53b47483d4077e9d146e5428da1cc19194ff182f7d2a2287635fa4e4a81a290a3cfe38f376eae489e1df5e9a5d59beaec83a30e9af78893e4f3eca07fd4379b15353c7534c639c7b33a0ad5b58b956e8fea983ee12896bb61f07564ab52345ecda4c181f4d810db0088f6054b8609aabb4fcd48205dce63810eda0775307d72544adf2828a2a3bf105b6a6af965b8ce30eebec78f49383e9e0542f0d3aad5bf48f639e022a021b1e661b10fa7ac6a86322537822c42a4883b0522bae9ced98b1e4812992384859925860eecc78fd0ecd14f4cc117d9350537a8d80c2a6c952ac2cfc4fd7adbedea1c0634438d88126307f01042ba7a13869802d0798cc0b42cf2c1db9132dc7b5e69c807b5a2baab3a35563cff152cdec01c47aa9accb546d2b0287fbed70359e15b1f7a78d79d32cb6047d9de5dc87850e23976280dda2e1622be5df43f0bd2f71234c631cb60a6736f1cd27545dab2db2fad1b6ca00b85b6180bf8ffd8b32
a353d1c251e8d0401a7dc818b51efbdb52cbbb4f7370d2ff05d320e97862c7ceb40972f58f6175e88d22db6b18d0ffbee99f0f90bfaca89b94296dda5d2babcbee5189332d9ec6f9223f0197e5a98b85e6bc00e8801f52ae06bbc73cf8d2ff6ffdf9211f95d5c18b27c44a9d33dafd6b6ea8568154a0168610898f9b143f5aaebfdea26c0b7e789036c99d9ac8652794bed15212203b8dc3ffc5fe9a50cb3f493dc4e0e463f828d0d9f1b50681c30e155f1e3748769a61ec7f305aa303f32a1a149f399793041ed3cbe612b6a73b03f61c9ef4477311026bfff61678d33970f92c2375e862e8c5d2c682d45f47cd59d9c2bf7f5bdaefa550d4cafb6650fb5bdc3842215efa90e6d259e05098df0d27adca16a386b6f9f2f94a477bf10c3bf9d06544ab19d9d0da819dde1d61d317db510cf3483d0d7cb4ff99e076a2be55348c2a1d3fbcfc0855ff8492d2e1b87fa50771fd68ef7dd2c20ce5fc7b19b7333a8945ef4b614d487ffd49bba89bbf0eafd5980ee6d196f8dda8b07c723d1fce05295c646f0d20eb0ba3792f657c0408d2ee889022c169461bd494b62d2b9ce26742a324ec630cab022637122976bd24e587ccee270c82f0e5c182ce82eea8ba0b67b7a78f2604ff9770b9943516b471867a6d9f1cca6a49dd717ff8d2528e54f9d297dcf248805b9228ac6f072a947aeab962ac407d712ee40891f2a09d6265950fc05f4ffab6068a59043a3ebb67a3b947ee0cbccafbc5e543fd6c685c864f32c5b37c1e4b0420dd1fbf4ec519e6e8b38ede98dc0daab773bbf3c9c3eca5d3d50ad2204fab49c3772c369bad9df71c00624f24eef6770cc0a151154252ef33a2585b53cfcac85e22dc8aae052038a31e9d55013ebee2204775d07aa5210e86cd63ef1b0466431cd16adb9bd78b0e1f8ceeb86c052ea9c986afdcd6f9c297afd4b14011c34060203f4e13965e12d518785dfea41d7c726f4918d20e5f1249bc84e380fe0dbce2548c1d85cd6bc6c996257a101e28d3d62b75b7fa492f49561f1046590ffb2838e2da043b1d83aac7b5e9b8a3f9ef22740e1f91fe9b0957e5d3b4187e4380a47599ffce0a56f92260708ae42df7a7c69517f2f9995edd32ae81bddde727945fdf1a99b13a00131f978a354f54b7c3816c168ccd15d5c7985357e1dfa254713ef6608a4a4ed8190baa0fad97ba418c2a9aff145bf721f1fe9952e848a46073e9876ddf1a91b1be116016e17c6f0eda76c4bb577d24069f116c327383e1f01b189fbca1d553eddc8848e9d7ca67274811e2f80c6b4b523e95e0429bb6fbf818f1270fc90b32afc8b2324cb746bea8f14123323d253a8eb005561fa1be4d4a155ab4e26c92d48aaa0e10f9822cf267cfa4b5bffd4c89f80a7b84cebf71de8f1b49ced1cefe
d76fc5235228fd98d68bd1646e54c77eca6839209d3f088cdd806cfbcd863456b41801b68cdb5b8106955013a56b5b829c8d3591ec6bd8328bad2dacb62c98ac8dde7591b4350c2b7cf3e20e99ac8c19aa1c52a164815cdd1c56f053dd0e4f293c1cf06c133e11448bf2c1f26dda792c3cef658b714f1f7de70a3c42211558289625ed699242aac645613b7faf7cb1cc76fa0e346092dca4f88d59ee9791db16bbe92085fa1fb1521cbe0db5c00378a5af17ca725c1de4a9fab6d291d55a2432f6f8f035a1e0a4eadbeaee9ffdf7b11a2074f2b7f5e495029a7e63c9af460ec7c34fbef8b874ad06bf7c08f78b0c683d0d89bba894de6d6147f6de02b1872ad8d86183189b11ad67dde3adc51355819bc5d1225cd326ea3daaa9cc4184ad92db15188b1e39058cf730eafcdf6b169f1655032a5b7311beec7f145232683178e15ff8440f2801e5e840a48103d82be492e5bd17dba0c47b653b781c1af173a0c7273db72a674e3a00d70b897451fc903dc43574e64fc7569f881ca7379c6da873732611d5fbfc234d758ec0c16a141ef17763689beb502081ede9b11a9a492debdc9a09a5cea5e2316cbc0eb5f5246ee0fc838173eddbff63a68dfcf4265a5db77db823748209a5aefb86d17d90f9b61b64f8e789888a29595b5fc475fddd1242dbde9662cee751041174e5387506b332de62511b2b3bf89ef6ca8498b42ce1cc1aea01f4827ca8c4989008b10acdf2662b06f7635b26c8a95ff6d4d4c4dc60b44b9e8364a98a7d98e6abfaff73c1c2dd69c52dd12deac3ca415645b1c1c7b963a0ff113b44f54ea1444eb907f2657df2e95a73d8cdd783c4676bfe5fe5a71abbf2aae079f49e6d51e10cdc8a7fb8e26b2f605e54596fdb178133f746fa96435455d5fbf1b19b585d34e8205c92e7e03500b8b80e41c42eaeea933b76fdf2c0accffd051cc0f77b9d85cfe84ab71662c7f83f3b6e272b82fe886d0febb4345d9afdfcff94a1ff107b6678805ade9f768aa6e33394b391779ca937c90282e9124c41425289cc23507eba96df73e2af99993cea1306f59b8c59816b538cca401d7f2bfee84b3aec9e054d048054ac2cd280d3e55c5e027716938b7b31ee1b2f00f95f1b3ca9540011a4844e86d2cc75f681394e4679493e9d18075a659a458299961d18cde645dae173364a4dc0be39f4b6fd5ca7b619b26686a812417a9f1d3e46646c730eea7b4f61a8152101a56732e09d2507b3a0eedc180bbd4e61280283f783aa8e9759d6670bf28e13526d89aca86780216f137077d761972a988e1bd9303d44b7e00027bc7f537ba703a2d285b659e7c8a5d14c5ca705a1eae9ce67dd99f5bf5992bc612c5a0a01d161d8547211c072d33f6bf88ea8980da01cb87712e9a0c8b93f80e6deed
1b6a092326a1da99bfa9de4dd9fcb53e586ba169cd008b7623468fd1bcd7ccf915902158a139311a02ad62c6272a50349349f8a6aef9d44038f759ee57b816122a5ce8c2d7c14a65f24694c5338d596d0458c484afeeb8c25fdfa10560aa42ae8cfc82eaa108b567f86e33e9123e69d84dcad2f1fd9ff60f90ff413a22b2870f16b0d35c388183595d5bdfce35b314af588ce9e5ee061b8e8f1089b14e1e77b2b3f6acb232fadffdccb18bac721d90a852384fe51a16fd4da788bb76645211cc162a9f1d0dfc1eb29aa11d85b783ec23db41db8caacd9e88614a51cd444eae3db3e22c5a92b0d30cfa5403a2f28778bd9df158cc082bb8c7e7bc6484dab455c390b85a4304a8bc23a268c6faf3bf85c98056d0f715e74eaa86c4b6af45458a3b0e40b658702fd883a55eb4b6fd3fd65556157bd58d0ec42f06f23214c537a5b6bd1394c74615748b337c8c1d7fdf44bf49e35f7bbbea1d8ba854c060f883fc03f3d3dcb7244977f5ac62e696a0ecf3c419e0794d3abe77d156e0b97ed5a043b6dcde1f7f2ec010d9e4fd5d53a13956027a489eee7b497ad2649a0523de4767a8fdef6fb66bd49744ccd599d2efeb267f0d2990f234cc80fd069a97d1875390d6e2aff8fe2f1eddeaaa4f3ed528cae8c9ee67953e3a3c32732f0db007f106f584390c5370e3edbe2bad78fdf2ac2056a9faf243546d26b856b788eb5d7969837b3ba153c655b4c41048192b77f5528bc75abb50d85eddd8e9686a48d722b03ed945276a83d9abada8825f6a97eba1fc9fdcf92a74b05db9ce32fee161182999d06727875439ff109491da219e0d53e03dc46d205d4e690f2543fcac1cf45ebc60194306761d8683dd2586929a5dadc2547f953d99b7bfcf9b4c2c44937e7de619643b392a866bc88a8eb9b6d0a925e4d6f0d574be68f31059d14edbb50bb75b705f531b66bfc5af6d29095f38a127b46c01b2640f952496e7246ddafa8d3289b36b800431fafa24795b4a73ba1ff13bde91b5a1f69e151e6ee9eb795197bfc9ff7ab1b3ddbfbd959fcefedbe5bb15b64e1122f231870f7c3d4c372a4c1123d30aa097b4764f4d14851833355d7b1a01e5a37b867ddd53026ba9038f8fda171ea1f1f9d85ed47d90739a85e0006b0ed40a2b10b4154178240ee2e42cbed699efa0720943cd35836ab42246a1e3f890d727d1cff39f7fe2c70851065f0c52631770f62ea024f60a8ca18e0ae7afcc8a184cb6fa4a2c6d6c311a91ec25e7efd7e8d09525fdbdb9904364ea00d331c354d33c2ee010c6294a9acf7cc0ce7c184eec91fa95accad3dd7e43d66d5c5b8440769563bedec750cd4157b1e96a57bcad3ba84fde6998591d2a435a0af48be7810693a3e4dd4ef072db8b5a14b9496a53b818bcb124c0b6beff03
6c373f1a9afdb2344819903f173a800a29d412aa3d22bea42d70e95e061e543902e60a1a2747a2e0344189f942c03a2b1fb004bcb11bf0e495ac79b58cab4dacaad7d8b84ab2e0fd199728029b16e0bf714a8dd10750931d167e819802ffa3c177e0e6d8df2d43daa2c55db0e3edea123d0da42b4d8c0c12c92586594444030f217c8e545eee3a723c57070f02def3f50bc6d21a6ffb635d74117e23d80b14c36a0c741189dc77b5c9cfaaae1b736e8663db61fb5b6d354a53b6344ac549ef3ca9ae5edbdff88ca10f1ae2fb33d2f2b230827a50aa40a09fe87a34ec4dd49a76de5483b7f58ef1ab4d8d78214818a8667f9e9e72f9cd9a6adeed0f63aac8fd5a3510e5627f5f3ab8ee216f9dc3c718c04237ec3ac1f67e119753704ff4c6a7b913890cc3d1e18ec06691808e72ad057896ede0974cb10b0e70388384f377499575836a24bdecfa92aa379307caab1a27882439707814b25bbedd64d7b030a6bfbe5d3048e6cd9ea43008a018a77f3ce008a22d07fcb237e462674bacfe0862f255625b2f455f61bf9e5fa363ac46afac12a0fc687b6d802c6c04a5db7ca3428e7afbd73d1934058e6e2836cf9bfc19f7b796bb5aab698cf9cf1d9cd031862780cd05cf6a9c3285070a5745b43d8c52303308aab14ef77982dfbf4fd8f5b08480cd283246eab28d678a22a692588eef2c63044c739fde5f96d13b4b21b19b8d926752d061c7dd09c94aefa338be45987a2b038d0db15be1254e9afc337b321aef2dae93708b388bd1c0661ad11d461e69927dd0c9710d89de9ed029d99b9ce06f739b69d8184354aef35d8783f7cef2a3aa3edcd4786605a743def859c6c9ae766eb73ed46e2a58fa655f0c8c12404ad083d0f76d6ba561cc152956b636fba83fc612bc544f9f926c35fc508e7d382372b26a2f0c3b3633f76c0805201ef9e35a83fb69371b5c6aa9b3840740e26d62c3d908ccde8dac511bfcffc039bf3fcd91e89e6f9a77ef342fbf2cce80ce2ba8648e61210ce698455e3c90a099f8409b73acc15cf99f7969a5d9d6ce52a7f9b590579f3292324e1ff18908467ead6d425938e715c640179429668be956a52011e16dd94e2bcefd176d7f8f3a68729d72322889ef6cf64e0cf040318620167df45b71a80f3db12bc8645c055268a5b7ccfcbe2635d64862b8c75c070171f234035ffe120e6395a2be238c02b1324cf52937b49f915c23a31ef3c8b36cbc20df99f0be4af200cadc4be04de5af0152b9f95e5980a4c94efa65d86d95a7d9533c643f2db6a9f9054aae02a4b9715405b6cda9062c8edcf925c8ee3eff1fdfdb29117b8ecd6bd15bcdb82977286bc771991d11110941b3ac2c5091249d1867a8ec1fd63415966c4cbfd3a686fac9cc89212dfdc6d980665c5857d3
add0045cd0a7fcae14a929c8672f95c5aa8fb24af5fa88208c2ecc5bc647cc8e29bfd7e27ab76509efe431c13fdd015336f36c1adccca0def73d33ea6e540421b4c54377f4c4ddb53ac33b2e547fc0dcaf801a8be09afeb183a3eee9f04e935296f297aae794d42ff0fa99d5a4a80989f29738c30d7fd66ab2de83d6409f7c09133f3b6f77e56f443b419d42a814d86d8ec4f6e7fe3bbeb7af41cb7d4956be1c5668c6bc5761139bcc3a4a15d6d8c904a8877f336643abe7da978ec24c59e991502c4d7912f86a77d7d2f10742fecd1cbd3758d69989af8032bd91ca0ba4c82d7883a47e07bc6990e21876bd590df875ba7b434f53512be5e8e069e5fbef1c09a2e78946f4bc93d067f5e5bbac905fb3ebb3001346c40270998de04524d1c94959b1c0a4a858be5139590d5a082763b98de9f9871238494d985f8eb9a063fcb08005742a4675312f40183a2a72a3a230c2655f4bc880388a7697ccca97be15aab36de2c275963b4650c636112800401c6aed61351839fe1d0716c0e9ed48c16015dbfdede31f614443f10a52d357fcfb884da7adfcea1787de1aae9380b505189f14e50d55f297306fae7f7ca911cb0a11b8c17c64146dd1b1f20092788f90151bba09717769a3aa09e8fb2474fa8d7594115e8a6e4c201f07692f14ba61e295c029e379a6337a6ddb24ce5ca6479516131784f727f10ac32186e1b5a7cee6560b5244a68bc79049ac92e97f20a9f1c0c3243b8efdc25599fce6d2dee1658e8eb2fb82db4c683f814df56f3c02dcfb4061b579423db569cf6a7b1ca97658b8884696419273320e7d533ebbcb69841a73bb49c1fd4b64730808c08e9672ca774010c6b23fe3b52e5d23a06023ea3d83c03a75a8d8bd0dc6c7752d120c68e48e69dc32cfebfc7d33de0138d7f0b6eeac085381f6daba83fe587177db68a6d789b1b0cbc59c72caaf525b0948f3034181a4a8a9a0c5a854b41ad44e987fbb3c7451fca963b90148445edc4bc7b53a821992bc547d06f14dd456788dbf4bb3e0f390a4df70d67fdd906b60a4abd72982df615ab711e1b564fb29af96a217b35453fb7ed9c3ec684b9cd6fd6bacb88e60c39eed8a95baea27af6ad12b5525d91a3b41ed009d5e87683a2d7cedfe25ddae724bb60bd22c54ebe8724edfcf6ad0cafa63c4163370fea7565bd7e12875b77ece62f399e594e3af27f75dbd14b7ba859dbd6b4480c6b9ef34dafdee8c2b36d28e52f320e9f8f3f635b7eb03e584f5b376dd81fb1a41316b6ef01072772a33ccae1c43c5c9e22435badc3d8ff28864a39f2c0dc7ac3d5feba33e70aba25e0c49084c1710078e1cbb5525fa17c3e0b128fc45028b6c266bd3ab04e11a6fb07ffb58ef4f6dee7bf2ff554b759d35b50e0be22f7eaa325026528218
5772e08293b0dc8bee4c8d7db097556e860f482c8c3e9b6e864fb477d45c955ac82f034b397e6e75a4404637f0c61d4ed90dfe15382e85ef48e6fc1d248dc1b943dc4fca20568fdf634b9b0baaa7874186ac02a887b0344275a985785fdf59b3a71d3c75b275d10d8b591d6b72096a77e2b996d0349dc4d9c54830616c73e8c48a472c4551ac4660e196d38e890f7931c1d0cd6d90c551315e85fc3661338773bd4a4ff861f0f3e892fb4d58069b3ad97b2d1bfd72ec44e4a295684d1422b30e1ae95b5c1c7f275a75dfc4f7a1c2e3bc0f0f42252883992912c95ffb334b1878c65a4bbe1e34f926babb642924229b1021f326c8a50e5525121f49dae936dd56844d9dec93aa1435a16574ecd414bb039032db875a2d729d47a3d8f0386fe9b067cf025b7e1dd3341827055ccc88677999609ece87add06b2f07f957703524e99aa0c3389741b14233b5eded5af8e44a47031803ab23f734aed4121ad93b12e7f632733c2b57219ef9879b4aed4af9094a4924efda16615fe74f3585a70ed067d38f722541082ca2546b032a991beec9efdf6d055f9cfe33717ee55af6b33cf61fbff69b1c1301173d20a2511249b5c6438cb510b36c54c7fec67c3bff5cf712baa3a2c36c415f488e883a4bec4c2a10cb3fa105d1aa3c829ef6967ee6d6add1aa9b3a88f7a6e69c4a0cc253f17902f37cbbef417195127b21d4fc95848312bb82992d5a95431aa8eaebf16e10a4030ad676d5f29032c611fd5da2d4c887433bbf3280d7d0626989ad5f31f5bb8d85e3d83bafc3747a52e5cf844d6130679d5893f9211eb9d09d1fc90d83fc56c5809a86c055c14489712ffc6606144fed013bbd2795bbc477afd5712c41d2a23ea998f73e5f0f6ac6c5a7debdff6f978295c1385d946e5e388c05903d77264bb45db975d1a4aa53d6e76599507827b86ac522a63f999d5bef7c517f1c8a80027e04c39222588e5b405576b0c2a902207c0d5cd38ff267969479d0111c21fe4559c4d9cc5173d761211b2490cef996cfd500a457f774f2a2180b1e2962851f8e50086fb27808cb4e58d835124633238778ecb04dcca45142657da5766f2cf330cf5c8de8ae869036da37cd3e43291590c3a22df431d2e271c78d3bf1c2554497ac43523af157b96b799b8c52fd5a7530c4065c4e23f9be087d911d9123ad6193db87bf4bbac1c62d1ef5af2f12e86d23342c14e814bce96b58bf22957152ea290ae0916e88beffd93704f7895a2c8a329bef11680989dd1d3e0aedced41acbf80efc3f21c71c2c1c2e93ab1d9984f76b70ade85a391a4bfc05192b2b773dd3209ca50c35be3344b143142b25912763cb1555faf6155e83e57cdf5f0e4c0d865d297547a6087fcc7df7e4512f4691c90d25b1a8693e76b4ef8dd37f
8f93e982a2beaef083c4fcd49f904b7c9d1ecd8bd2cb56282fa90314ee4f601565c497557d4d3f304cf2dd67bd973d7c6bf2ab1c4027d207218b71f2e19622c655689f1551bad47d5d9537a48cbe5a2c3288413c2b458deded658a4f604205d58915514bee43c783082d656b431af8b2e29db931f4a6871a587905571937c7e08b2080f901364f029bbe175d1c317abc8048461b717c36afd3ff608f6242c0b256cb5fe817b87fc75d07cd0e477023ca620c454b339557802842e5d60ca94e6cb89185ebccfc1b34b8a00a5ec56d350581318b8dc021d85223cb6a07bc512885577763c99274ae4d295514b94aab14ae0d0dbb9508e2eaada54a66de04fa0d848ea67ced8d6adf278a0de8ca8bd6f36ccff7cba1ed67e145201d5258b40bf1ca99279ecff9d78ee85a88276e5533c620e80ed6c7c17a9a12b03f5a740c37774e889de0e0761501ae589562d3240cbac3855eff6eea626f2c64d297e9cc97dc739ec7a7cf9c33b54055e630c8a84887281bcc48e8b4caf4054fac8ea7d0c0b06f220f80f9f141346fb8df194c314104f623b44621bcb35443346ea09914a96d6c7ed59cedc7c4ce71912bb8dbf8fdcf13bfa13080ac1e04bdeb46c5c57be88db4fe1f7dd916bb44a34afa1902f502587d7f910eb91fe910f359759975a7748fda76d42bb488b0c346ead2bb433ec158b1ef83f1a65581861656a32221f74598e38217c9b39405221c74b16682fc98a52b1e139de85e3b4329609449d4dfa4f21ee40dcaec4e827416f3636203abc837275bb08b69e55fd274fda90c1cdb3482c47ce59523e136b2302b300bc86bf088a6952a56fe1627cd6aecdf5a5260f78c4a677ed1a21d8952e2e161a7378a181479825c437a8ae26bd4e9690b1f18086decfcb311b625f40b31082d143c4f0e4d2c61cd2bd111d35855fb2ad1fae254175a6ec2c997ec8120b1e87c132d477ec5aff4b011b82355a2bbe72b7b191e0ed3583900fd1ed473a11ceb50b218e064ab7042b751628fadc59d1c5041224abce2e3ae008a0fef5efbacb160c2b5a712310012ccff9d20bf50a7465b621d860f73af8d3f6c195ec548d31e13a179a21b0ffaffd762fd48fb955a6f5a97632c4af55dbca3ff6ad479600bd96ae31f3204aa83407f8b8b1e16e497e26d6b1e64d45d8e9ecf7a2dde939cfbca025246b7ffe29fc2388aae16dbe4577a920e00c27975174d0207e458e55f4778c5a9e62954645c322310cf09fece830043ba6b437be2ad91212c3d5219dab65d10c76052ee3945fbc37ae320b016cb7052911063c65cc5ba42bd91f62371a0fb6dfdf5f79d179cb96e21b40a4bbd95847055efc523e264679c8fbdfbd89608a227e413619536ef2481e9b1e9c888e0c96a0882e9a0d3cd8fd3a152b3b41d8e
7c25ac72734fb31697e42246c33392201b5209e75f148ebfe5bfaac751ff30e1c2ff276b1b55232350bdc0183763833429e3e92d522fd00e1a6db089b89d9ed044886d9c6574b874eebb5d0f53f57cb97172d09a93c1ef21676c24143be15dcf7a9da0a9dfcd864d029065dfaf64a9f3aefc34598c40d374a79bfc1ea338f85918e1150aa97794932aeafa662fac1ecfdbc2aa798b1b73485a0d1f5f518e05c1f6625756237a934e5e1c8b018d349ed85f592d9294e5a2a62b90f76c29e2e031fb7c2b0d00fc6ce1f01140c3c9b38e5e8055b05eed83d78f1b8b004f3d5d3eaef72bb7e007d99d74b0bb171aa057bd8f61bd370c2bcf8223a236380fa5e509811ddd96479126cd358aabb4b3260c1a18a94e108ed69aaa11e9518c0ed7e3e57aac3e8f515624b473700777ce1d04bb181d4e184579eead6c344ddc948bd8806e84dc0cc9920d9022b56bd040278e3aab3085baa8495858567578cb3c6e4f923e2a342877acc4d201ee570954c39c88942aecbb26a9536d037c6ea9c494f837b8075075d6749c4bc34c0a99351a488367a3b04431459ec541372a55dedf8fa7f82aced1ec8e35aec3c7e5982d764625e82f5180cc2a80f9320dd83a69952a3058dab1afe582877574eea63f0e480e4a6ac3f97cfd767603b9f3f80599a928fb07242a3bd9b351d019a22c5a1a3e0be03ee2a196fb5bea872ea5ecf879347b0e0a90291d99ea55058df72d2968bfcca089e3aeee0a1dedfc8788384daad697ad0576a744182bfe2753800b15864a858979faf21e447548892c100fb563a6b30d6d3ff16179eaa0cdd1ee1e0fc66d14c949c88d6ee66a75cb200656be83f4450ca6c0dd082df80c6ee04a97bf9e70007fbd80342b879c2b84c7b1891e6b53f47e5b935247c67bdc86cdc14c86e138282c61abf08dc80644aa56210c8441d2a928c7e0114cb9b60e13b40c9439a9c45c49296b0b5965ae7d67062ffbf9d41ed4159085d00b6089b0ce0bc273a7e9ce3f2ddf551f1b3c3665fc2d10dac4e2474057634bd8f416750b093ea4ee6e2545c7e8d6c9cea3c6f526aa3a26c18bbb9843cdd6a13a07ba65ff28e54b30ee85adc3436d63bdcbb27f9d0b311eee89435baffeabf61eabeef68adfeca8c90c075e64f63d6b2706219bf37d32ee804a42e3893470a5a2e2262e02cd49d7371a65bb54326f1a770d8d497cc47018262db5bb76a5d7176ed4f00d37ab55cbbb09d4800e5db5f4e15bdeb8922e4841c6a69782658b1bfc1f8571ac40aef4cf29573b600f1c8ba9bb97b1a52938bb1badd102c9b886b13da8ca1fc5a6775fb2014cbbd00d44595d9ab996020e64993cd7d0a7e9668a736d9383063a807f455d3940cd60a778308d40f6b4b3f6c44a6a7c384ce205f7253fcaf58fc8722948
27aa0fdf2acaa80b13901a39b54a5c4068fabd3db4edb01395abab31fc93ea622fbefef1f1be3bfd3821f6324b5f2136bd859a73bfde1c2e1f03a35e39e511e9d75dfcd141961ac295731c12650a34c3d4ae62a520597c1a6796f0c9837c1d1f6f489a885ec3c817223c9e4e00b5316326cfa04ed0c96ec2982800f7e24efacb9d318eed725bf09985f568e2edf9cf339e0955e07c3d13c46d390977dceff5ae53574cf11d0bdf761e0a63faba357cbef4848cfdee7d6c4c8d0b25726272fb16d91b644e2782f24f3e9c8f248590c67da670854100eca4152665c8a19270feaf30fc7640a859141aa7891b1f31bf4820de7b9494c1eef30b82d51772813ab49586e15d60651e679325bd92fbd462d85a44bbfbe2784392881c5049c047d8fe58d492948189fe172b1eff1159af539a1a5e29930dc6075ec1cd33828fe3095af3aa657f58b2ddbd714d2a3fd9b4361222b4ac303421a8f956ab8999812d6e48e9b232d3a87d192035d90b5df5e02da633e0eaf432dc1c9a695129e6f43d399a7c9415455e022426c28063da8084fd7019ba2674da9d70f7f6a821e46f6dcdd6680c9a10b455626a7eeb736aa57b4a22d42eadaa207a517c8528f030920d778f43e61eea485220dc76c39a987eef36f3134cf6c11fb4cd6a19be039c8c6c30f69228b045054f5e92a8f682448143b0c94065d783f8b62365002a3cfac75fd0b4074a35b704a3de7aacb72a86ccabb9f5d03357f41728fbcf954befdd68a24bc29a5b9177cbefcc9ce022d5f64bdeac623b30a53a8de8047174be91f54bda1ea8f753aee703a53e47dc02c3f84676b743c56fd2b2516ea9f2fd4c32ba085bdd7e39ccc47b6b0ec9a41ce6b5c35ecb79bea1d47f7088963d2cc5e1744d5a89da8fc5f2dfecf5e10809d28b575c32536e6057f22e98f53c2e5245c633c2147596e75777b707c670a8339d69c4444979a291bb167f4f410dc17cc215ec3cee119869821cc925f8e432689eb1b73e31473eeab613966dbb11b0f3749ec4828abde9f28044dbe4437ba556e01f16f68a763b7484ab8ea0b14263130fe1f00a1171396f1ca7a2c8a0f495a9731a9e37b50cdc9fa88bd723a572002b07a7ec9cf93fa6d0deeb97962baa2b4b0e31cb14630968c9690ad0d278a893d1c345eb7788ccdd4b9337a6f5d2d70c1f28fdd9a1270b124f7772e843b8e2a849caa11a3689813b4ccab6cd43276fc64d28aadf3e8e7b3437c2f5c8a6f3ae9151c07d30860b27c9d2934478f10a86bd583bb4f2ddecbe23f4edff95ddb2fd4fc9d7061dd74f4bbe620acd61874bd2e9af9f70061d764a87c9abf3b7eb296f7a0edf17034571b7c28c43edfa27bc5a3e0745dd73e22d0bc7dc4a7d110bf2158e9bc9c8a8bb7b6ad1ab7ecb68f47fef387383
e8794507783e03bca6c9b671b4739c0f11f38664485ca3712ebc32f613ace20e734ca5755b940d9dba51d342f2611ac2734b20353c8c1075c7661f85c65e86fe92405b8c2032ba1dd5bca75af90434f911de577093fffae2195fe621c74b3cd8558a7cbb49861da17abb9fbc064c1c4955f8910107bf2989bd29fce7976d4500f537d6e233770b8022bae47c133f5b89088847d0ca3dde83547d8496c04b718496637c54b79a0503487f06e91f082216cdba4ea80b572b488cd69982e1352bdc9b0e544e068f73d1dd7fc2e5f5c5d6ebc22a0e6953c8b196607f12e9e31386e584ea5210eb666460b36e82bdf986f3f8ca1ade7bf79b9dcf1a6a06fd0a2f51271124db1ee9cb39adad646e20ae318e49b7aa8dbaae5f857b63ae802719e80105d3663cf006da07c9e06e0d40c7907f07fab03ab70dc5262a56e04ac7756b0fcc89b18c67642732341c25212136b9d325b324cb197612b30ee9b9f022f04ff454000858ddac08749670ba112884ea4b2ed85fabede4b892c554336c9451bfcf36d78dbd9ddd9767b550d0cf7ef7c264fced822116991445e717c8d69e975e3d9d541ceb413983a6d96426e62d2a921ec7600dfc3931f32d3cba4e51dde53e212fe07ee159ca4ade9e30d09f7c2b3b0fccf6d187d589535a3aaf209732ac42fe81cb00a889ad8b9bb75f1772c18b44d3f4261af589eabdf9b8e9b469096b41b2b8eb98078c9ffc798d64f81d043cd3f66744e86416cd4bc5f71f24a0311a4dd0fe4fc510d832680b89334ec7ff9118b7281928d7e4b2932de5b4082a677eded64c7bdcdd467eda1fa33b62e260461124d865452cf7491f960dad10a51069ba3dbb9f083c434789cf69c8902bb4969c5f0647967ca12a5f899352b3b024c576f8ce6b7dc50781f2465d1737765f056c72428207c2fa19fe1d3f2b706685cd7eb1073d491e414953322ba3cf13cf92dc474f6bab9d8f313475b0394a48bd78677a6451ecc945bf4fa497e859fa682a01778728717fe908e3d48bc82db826d9703bf504ddb3cb5c84d38ce5839caa6207dbf71a12d172c77c1ee024d3be331d0cc96a67927fad13efc14227e0ad78119d6880733a4002e3cb350653fe7b0e4958b0817599367aa6411da366d21aa606f139a3285e3e74a0f40e6bf85638bb03280e4c027b39b35b2703e15436c613ee72c7a0674a48d4d20ca92a0d425ffc8fa74835fd405406b282bd33620b314351e7f3e5562cc2daa2dcf5231858c7359c97a2226c8486738b22197a015ff487b5448ef37ea634d2cca81cad4d61fefbca05390bf40e7f27115c3229644c919d4fa094642bf85294640c521bd5a3e2141f97205757c4894997b5daf67a4a62dda7b38652c3fdcabdfe520508db54ee4c17f9385f14e61f5d70709935
6c979cafe94e6d298735f45cdfa27beb45cc223408afa53003f5541b066e5573171b00d8d53bc4396853dba190411c8b8089ce92b632bd48ff54840a5dc25965d6e37aa6395925a752fd7ebfce007bccc40e14c6f8f58304a3d0e7dbf03cbb5d836b17c3ffe71c2456f7f5147154dffda5cd403165913bb3486ed6e8c15b8a1e221a468cd0761e8d2e615721528879dc68124c5b9122e643ba77050542ae563871e048585e53bfbb4b34694916a917cd822bb773569b80fad04beca3bcdc4b58003fc2451ceeddae5110f5c836b759df3a096d0b577d5c337c584baa1e33661abbf15888a07e9d77edc465a39911492daa3a7f3854a081f1c099055ca034bf2c3051a3e3b89a3bba56d7d0394b8dafc4a5d32d6a2e9a459a72a5874da011ce1fba698bc5004fef10eb9174955f8c2e8ebd6fd879304fa0261631999ae144e904d58af1f8942dc9e5ca7f4d9cfe325e21839f1a5416754e3a8516c8cb44918d614060a876dec4ec9d178553af480f2ce021419e34c0c94183c6d69518f4429707ee433551cece21aeed9871baa3f661ee0c9d188fe58107842664dbfd62703be0be82b8434ccac61ea1e8eba609411a4e8eba9b5b706cafc22684f7c4702a8a6c04584f95f62e4be8452920ceb06606589a502c41ec5524daeeb527b84af3eabbea7b4cbef34b62a2503f32ee7713668e637336e51042a109fc7447f0c5a29b5a8daeb2347cd393f097f57bc1f4cce1fc8e2f4d7df8e1962fc8d60ef1857db7040147606d0ab30e6192c549eb49f22d93b3ac7dab5c309746d564db0c4b2a7298d9204d703cc6926423e0ef97fcf64dc459b3c709e1cc8cdecbd9ccbe0d9767bab9204ef39273aed5607963a86db08cd32d7294a1167404f0827b905a0d9d72440b221a637094f2b9d7a278356a10ce2791bcd5fb948c0711036192df7d0d5c48d1874351d90b385a81952499fdee3d0feec349b148cfdf69ef89b4ebe2b49eadb9a67e9b329c8106ca2ba96919501820294489a53721d194571c01e21a3a742862d0dcfcc80ad2533c35d68a40b4c052ce26c6ddd1e99f1d195534858ccd4bd86ebbdb9548d00dec3e65cd5e99dd701d86452208d00dde644c74a928ae4014e22c40646a5cd68ff740ce9e45a8df5cf11d7e42b7ea56f67ac9de7f581eb01ce9951c251e19e9a8750b4b08742d94582cc348589220beb8630d293d8fccac127e160da78f942d86e3b6ac03084bbd5c0d8dd69a6d9dd81e118ae7b703ba2bd0373cb93794f10584e0920700efe62c2c3fa3d3ab5ab310bb08eb714d597a531593a283a56a195e61d190410e9101cb3eefd7ebdb59c72735bd614a50693b8b5f8d60974a2886355ce6ef33290cfb0fa4cfef47db3f54742057dd6f449dabb06806736e96587368d0cf
2cc8d6b5d88c2880c58b60c28dcf8ef8b8183348fa7c958ed5867a13a897f830f6050b4dc6971bda930a175bf1e8922471362a3d8924497465c5db18371bf6138d7d43599eb498bf42589250bf81a17eac6876d939939b377c5a2d36034d0946b9fccce67b753e705ccc014560bae394f9433bce16b8eed5cb857cd575b4bf406878fb325cbe98a0ad637b90613a4d4fb9c59d9885f2c16d44fe43a5209c49b0e6c4d300f5d7cf93d3aa5483c5884c6a457d035c1a68c4f55ff153d8115584def9cb093a5fc8176f57699d9736a63d3dbb5cff0c286985e81026ef6ddd660ca636c4e2ce29b85e7cf0053850ac8b35ef628f9d26aa7d43aff1f9bb4bd4573df7fa4594aebe69d7f9b3495a2ad47a79d430cf9853c334c4fa0808dd39cdb61a009decb23137377c84422f37b2d37801d7cabae0ee026534d57111a549f872ef6c401a9f438da15462b8ff7b124a18b04d3f9f5f5d9412dd0b902f455a5b91e4eda472e2c79e09e6595e3327ff1fa25a22abfe7249b3b75d9d3c28514a156ea721fab6a1d5ab86c6651aed8e4ce344290bc50191a9827190c4e111cdd866f1218e0e580b4677e2f3dedb97b62dfc1707038f562ce1b112b154a008c87e7d7e0d57a54de120e06285984db8837486d9b88208375ad5e672362d6cfee921b4bd99f3d9ce654ac9746713ceba947d45fb77879dedd89cfa09ef8b36279a3966216bc7e6737f8352d6acf7839d547e6c8f60197937af1ef1c40d7a8d68b37389465c1a253f509a1ef224ace5d352a45103638b4aee55edbc86b4ed1b8c57bde8305ef11ae3b7dbfda735141d5c5109ce18cabccb84b84af3f5a7c7d15f47ee7b2ad7dd16165537e9cca3a286f0e1c329ea9aacf5e7cbed343388cbdfc846c09717d35037a73c48e0df81e0a743845332b783185824e43b09e4fb3c3af605c568d967a679086b305e1b20e31d83627d5a186fcdf6853134da031a6038f8ddc96b056db1005c4c9866ef831e20a14e29395102f6aae11bf7e9df48511dba8e0939362a20faf369a7848f12e390d89f5a6c020d43b97756fb4d9ae1bc02025fb5099fac5e5c60eece74b99dc3259abb6fb1a28bb134f9cf89ec17cc0ce8d76575c3e16e59e48271fee7193354e41affea19b6840767244b7903a4ea44d3c541301a6db9aa403dbc7f961b03b4e253ecf4392e1fc170b81a62594157271dd89825510c10c502603366b4dbef6b112b7a2c68f50f189cbe6a187caec6abab643abf8943eb2889a818f314b0b7dafb178b2a4898efae1b18953ebe25a503024c9d7cc61213d332f76871dc6e57b42ba6185fde1926a745c8660f433b16c10262ddce1f4ef61440e94ccf4ec05c68a350f7fd6bc53809af8296005fc48ccf4681eb6387d0830dad5cb6b78ea04463
3e9c07714d5231ff329cacec19254403f55eb1064b9d900babb4bdcede3169bd43c8205bdc10a33bb48952afd1361e3dcbee0928ddcefa310f262abffc71a009b57c5bec4f8c7376813f5858712d46a053dd4cb4a7b3ba6dc5cc6f14fd6ab8a8ff6842972b91f5478818caa679859639ec8c8d4315a4e60634e03b7d38f638dab4724704a4b1158a0ca18f353ab2567cc3c4af0372b50f2457fd58791aa15bac8f0e089bb2fccf3616df85d579d99dd36742c5636aa79a0a81d2f482d5e349c25f53466b8590deef67eb326c67843629037394937ab5f63cbd9b005fcbe6ddadc1e42607a8a9ebebfc0cc67102d78c3c30fa219f054f256fb0ebcb86dfd1b53412cad52e1b1af8db229187c0ac79ec7f694451705aa508baf79dccfb074a08518757dc1b1ebb6b9690dcf987c1e89192b611819b5139c1a387f111b99f64443eef1a174289e0b5a5121b1e049f34c2bdc44375852269ad6e79fad6ecd78400d788f337a8c6a4f763d51cc7acafdf26cabb4f2d4c26d7f041a876e74f600758cbc497fc3ef5a1562af0047a278504f321b219e81af6130b0a0c7ea0664e6e173a87c3bec8c9f6bc7648a3765c2e04e62f71d03e12f97c971f63c34f2be07d8e702744370e818a690ab2ac354dc43d0a57aae77897679665d14f9b51e74856ef47548d9ffd8879ce92fb17b37d0e82927901fc93bf4b83c26584150fdb31caa28753bc146a37f4ed3088461a79ac84d4b770b0379b303efe3bd29b03642ef42e182571943f99715c4e836dad10262e0b1ac46525eb5a04cfac7fddac48482e5144f3be1eed50994371262df1617e1c339ab0da7daf130cee62f1d8d29cb4d3a80159dbb4c2d76468dffb16e6f0121b97f63639f9833656b0a31882eb95de199c7a82eb9af95cca03a4cb0b16c8757e4524b9ddc0ca0defe255411ab47699351ea8ae0e06279769899c3964c71183850e7b17c488567c74547242b7b863c6d6add597b46769a4eeb41f383e79c8b186b77afca4875cb377809dfafe197e440d07cec9f1fc2d588d206282cec08ca99ec3b31bf38102a297ae26804390ce1e5a3f21771a9856ac0ac9d94519fa79b4cf9e09ca292f8f01c1ff6f038cd8f05ce647240ac71bcd3c1f1e561705077ae8551d218bba050ee59fbe09d983bd690703cbccfefa6cce9535f0cbb9365eaf1fd46a823f254d143c85f9045cf1a4d1432350465585f888ba1be810f479a97f1691530145bb5c0f77d01f607dc801ee3a2a7d1f5e1245183e91ed4170121abd7e7fac429c1476fc332e7d9ba5ecb4a63cc9bd343ec1104abab38504706f1f53bb5bf2e2fc2393389144d7f3871051aea5846c976e4f7d4f0b73d8299f0a545842eda16924b5008e31a5306c961f7dd9d00a428c02f8e37d0e199270
a27515ae73472eb9d8b20ce24053873cd123250efac0c95b86cabc4b096f0df6c9f69fbec30489b0f1b53d81c3331a2dac9435eaf7334fb55e0127b1097adcb21b38da9d2d674de21b836e836391f05de168fc4fc1d79c61af1bb79d88b422a9219d00bbfb997cddc992a9a85257ab84e0b9118069c25bbe4e539f850919b6815a776b515627eac1069d2138c7a847cabbf7edc86334a98882d9eaf580c42ea2ce1ad8381c35353184740d9f2d0e4e6d2f1c5a62ebdfb4aff0ab01d78586afa3b9975e32c270547e0eac603357a92686ed42fbc437535d4cbea0e67a9d0a24d30a6e0063ca3d7a92c167c2b3a5bc16f0bc7a903261df582444cfbe6d584549fb67ace7e358252f0c69d3c2e16ce07ee39b66ebaee381efdcc7eee9a45bc9ffb0a1a834a894093be1200f2128cf5de140ae726a569570ea1175592ed2708752425c165cf761bebe4c59e55deb288a18c7a034b71e9a352617d417a0b7008404732cb1f5a5de959ab865301e6a3526dab2ecc25b2f162abaf3e851e945a31c30e09edb32c65ff7dc25d76dd2a146f888ba0e2367c8479d5be598125a6d57e60e6ecfc362c61d8066254297e8c0854ecdf8268b83ef3be802342be14292d51dca07937dcb6a374651e3c54dbf3e5d8e8b0c956e78916612c6aa0407352a5f4fca1af086c212659a6493081ab05e5abc6a929b1c5c3a9e375cc8b5067ff145830d9702c7381ea21e21e448cbbbf19bc5d0efe82c5324bd15596ddd7a2e7da4f1e4ef42baba96fad664ebf06b178ae923cd76d0f346ea3cf090aa209d4e2cac9787804af2daad3436ea0ed675e75087a0e3e861d9e03cf1b43ac1354d525bf4cb0abb4cb5e32a55c8ff0ed9e109e10a97c0d5a651c0e066a7e11173218b17c9331d94a98c812e23afebbcb915e3bc88cd49dd74d4b63a099fbd2a270f1edc1c23ba93f2d8b0952f958f7768f6a5be0f4843ffd7cc0334adb9f21540fa356174b7f7ff9537477f78b8b5cbc6d59994fa7092aac0b50e253c9304904754c2b848141fe57400bfcec940e3cd4735300cd2970a8612de4f35571f12e77cf3004112795f38bd7344686fd378e14cb2a59d0f93f02ca35d3a13ee66be128f5aa341883b699a87365f15950183681a4dbd7626cb78c2324e7ee1fa5823239cd6d5b4851e06c7e4d1670117b7935211f340e3e8b398440aeb253c8c9c6b3ece94e33fa5c1ac5b9559bd485220b09494f82ecf4c63be96122864c6ac4595c6edb38555bafa58627ddb0a64f9a2890110a44a4a75ba83cc1713d316af0dc15105d7f85433db0fa5f3c1cc27f8b7dc170f84fa476624eb5ad8a9f74aca45bd638f19adb63203cb60a1cd61e1ca386267455f546a985f6ae4b1e0566daa33acae1db01b4cb13b513186038b5e2d08b8ec
0e1a0619b0c0de1e08ebc9076c25367bef919287e2d105da4985a45cb5bd34557f55b3958fe07185b4315280406207a4c28f557abac99b93aa6ec7615a405a83603e8900c013380ef8ffd7c5285bbb976f5f680cc5e0d67948f450e47c5efb3b3e4d252060efa0a1e4310bf5487480586881f49676e64a9b1b3309d75aae70a3fa8a967f0576b18477e87e6a5dbb9e8e1eb365c3c12152f140cccf6fad11218622053e7e8978712955c4b537558a5ca9ae6ed0f6d20d3adebee1c1174d990c97c6fd387ff527c3717fd3fecddc2379015461e0ef1270d03810bbd44d03c9548744990ab84df2e961b272bdd889bb59e588d0772dadb5e41461331e7a0d85e065c4016ca40a0b18c6163c3d84edea32efeb2cf6123d6b64d0f6b980f89ceb9caf62854fa1d026c0dd965cba5216b7d2755fa4c7384d77d006bd0bb0db39063dde7a6c244feb5d745c48a893f3f46ee091e832f6d114dff8bc0fb8be91060c28f2ccaf6c3aa3d066e9579829a7f39f36682e4e8e47a9c0186e1528a97bc8c155cd0b1e2ef43a6712fdf84546e84e18c1000e9dcc1eaa7f0138bad6fe137be123a8cbcc399c8f49f3854fcfbec9b7d034be5cf7b9b39c804065fabcc5dceef8ec6e9cff42b9aa7a4135c9e42e4da3b8c7db3cba3cde41917368cb3d2c50ee9cc81e0983312d52c116e260758270929980323ad9eeb5b29655674cbcd7a77b12cc6a89d31afcd831720b283449cd87cee6f63dcc55908f19a10c97e264264cc9f14264d5646c3728b63d8aee045b4e4a4f2bc9103b81b5ab97729b083e849a891f27d4a41f6f97a85c81f703695b1ee5a45b8e95a8d58b4c8efa5fc3f6c10cbd4aeebbee4ca7a1e2fdf197d8b01ab64c8808846f374f1ba9aab06f0be4ef6537f4b5cde1d41e281b45dc9f77b8e9ddd066285c5088d9bdd5fabd6ccfa6a138989c214e87ae9c21e28e0a3892ac267f3778930833d90f7d65c33c8990b43b18a30b730b82282a933d22249706a21e516f4144e08195c9aff5056c68c3cb78fc246cb255c3293254f325fb4149977a1c8d1ae6c17f47024ea5c267bf2fd52f91c42fa2477958683e33cfbb2c01f42d21c7cc7ac96ac9fcfa030030ecf95b97569466adf3663c4ab8428b10e096a03059c5db55b445c486dd0750c6e95f3b081492d193b4c3d879849f1d59e558d0c84fe46e97f85bd1bd158bbcbdb5058d66e10f4b785ceb39a2e0940295369d58e4ab3f9d360ba1f08a1306b3e4ab28d14d0652ebfa8dd4011775dc77410d296e0b9747ad446a851a1185f82202d84052e1f01baed09470a0742722224365f0c3ab00293a84643568b36c2a9e9db2f723b232982a3532647e8cdfe45f2ac4b348a7ca5f1b29b199c9c1eabb9b475d30727adfb73c5c631f75c030c2e30d
a1afbc0991bd246b5011e1c3b1663bd0d24f6d135b3025e6b30b0bd64c323b02376de98cffc6727ca9f12ce4f88e99ca67f1eed3260e26596a1c1464674b38da151b470f501e6f936820448dec3bbb564e0ce79ecd21d3d4d8f5732747e3f9c14c7bdfcda194d50c6da3898b1fe9f65a06bcf04bdb0c5ef86b0358a9ee8786e4f20ed30535c8057934a28bb8bc81909a779ac3a5ae9c82021b700e37b2c9443ed2af742f97458ea50ac965c6b31d5f12494bbdf884a66f81f879e4b1c9e28a191631ab71c7a4672d663d563bb0b62c82176cb1c0685b07e662b0dd0aa66a1c36666311e9feba90be9479b38a268a94ce26b992bdefcf04d90b85a7e1ed30883acf162a504b35ef88bcfbf933962b804fcd5850e4a23dee62f2febe03a63f6074637e75dc4ac3c33e2a8c0a794c0f7ec4a2eb99023ffb398dfec22bc0221ab320c11a004042775316eb0fd5c4697ca7a19de0943323bcd0c566816299810236fc9fe576f41be808a5442ff7b1cd1a4ba8f1119b6191c1371c75c61bb7bedf95226c0aea22139777285324f052acfec873de5da629a99c75f8ef70ed33fb47a2712127cb2d6b79e23657dff6eb4f13903d9e0db788b268d94368d332ea55c067346b2a13fdecf34e57ddca370a3d86a03f2e93a88c71031cb418afe036cfc35b532f60416d0005811398633af0015a5ec75f47a0183cdaa52e92a5813966adcba1e784c539f58d136f6e25a73dda0f33507b11f82a7bea1673f96d702065c87ee6408103610ddcb252a85bb22a2e34cd136b9720a8747508f5929908da6d9b2a3377fb9363514b24fb17c884067bcd6200614394eff78ec3c62660c006874c7a595149fa25f0582830e7484523ffbcd3094c0d08d22441debba0400633f4081c7306eaae9b38044dd11da2ab0436589a0d244aee003049f0e1347799679de5c8ed8f155cf648093fde2933fec97fb69df07e18b6984f4f4ecb2bcaf74ecf38d4eca96ddb692d977546e6f26e52d45c2a7de16b75fefa3beba96b36741591b46ba24df1a8de44768c41569458acb8605dd2edf305f00982079c93a6aaedc955992166c367476dcb8fbfe7f86c4446b5b014fda58d49e0651f0be952d76110541849921683cfced3178cb15f9920d6825a865302516bbc15c32503855658844a6b33767d712f631523ad7f56233f55025950fd0aa9732266243070bfaa7136f3f821169ba3d015d71770b22fa46632079c47a1a23e9c53eecb1b3f955bfb5350214687b1d943a5e77ff937aac9424362ccbf6eafecde9661924ca33962cd2ef9796b27248b20779360ebe11a3bf2d4459756ce235880b318dea65f9bcd7fcba6a33de5f50cc27047e492eb138cc4591ae1c5fe34cf6d3a64b3eb0d02ba2d22698e8678cb8d899671544e
de6b8921145a2849fff42b427aca7f7bb243d853e46ae18efab9107179ebb86f7c8a81ea015983273f2e4c29a0470ef8832ae2c214adea2b3f01936a3d2eccfcd6105d04e7b09346ed3aa304c2db87202c918658f431d579f6946f51613d395b984e7567b2d301ca8b2685bdfa0833c643008f89dd20a440e5b244af0035d5925617ed84707a5473431eb61fca3c5b10de22400a2eb0eddcd8a5134c7916316366e1bf8a3020739cedb85a4dc8aeed1282407526dd7da644baf2034e29bb6caa05374fde9a9109eabebc0482bf4b59875cb120b34f5e9ee8a0b85948e8db59b5fea4bfcd3caebfff3aeec731045ef384e2e15770dc759df8a09cc007717845c18db806f075cc76a2d156dbbdd3876298b677c31716dd37b76f4cfa635bba9898afb11d480a825b6f97b1515fb0b8b6e42a63d95122d6462c951a9779b1158de5eae17db71e3f2bdb86a4f09da628d828234a35eec94352e1388618f78b5f1cddb4753e4ec94204c36cfc9468d378d9ccf2333c3ebd4c04788de26de37989c82bbebf44c64f9d45a1e662fc25141f41bee53d890de898b3e699d6de74e2e1b90c606753168c893730df2a00cf624c3b34f8cd4a43c4ab63ea0a6ed7cd52fc5c6c68a57fda3936cea35f547535a45debdd69bfa886d282b22086529c2a69c6bc0bb6f11762badba6309aef54ad27a3e6895b4a90131d6df547a114326d2874483b2fac339ae3a934fc989d7b666903b4e90af08535e9ff279dd76c874341347343a2e26aa76cae3405eab7ddad8c3a60f8347d30d8feadc041549473d197955b91f7b738327c04ac34516477c1de75009ae8951ea020acc5a497043e970f0a67a693ac7b4a48e19d52d553d893b1fadadf219cc922a9aac10f8c7d7e0e549bd84657842d3d9830733396da1c1e2a88724b469171697439c884a379dd3943d10c27df424260ce8bdf91113cdba1507a01e59de6c0474852032dd54e8b620c9ba7c3736e34fd16c665ef10902cd1c596b2af6ce83f5d0add77b4559403756b79e041f5573418f12706053f4c726666b4d79a3df6fb4613a8a87ee5ae2bddc369175d7b1ac4d033910ad2f00b61fb1c1586da8ba4d3011899edeffe9bdba511d5bdca105adf1fc6e3d9d659ebef369e9acbc004d395a9f5fb96d4be3400b688d5f05f9ce43a7d87bead0b202bd588209b2a3e835f3804a809fd5cd1216bf93a14469e42ff95846c974fa6fb62b2021e71a31e1e66b3821780a90cafdfc7345e5a937a803ee4d3a5051a68b0dddd3ec70b7002ba20d54003de6d185e2e43cd33b87e6d3cc4589fa890054f39a40783522c092f7205310bb4216d08273a2467006d57c66adc3599995d25702a79a75eeae658aa06af9cf2492b4ee3c18e73965b8dc2615ea1ae7efa407f5e
2751b91794bd28c57f7e652ca1a50d9fdc0dc165482fc13801910d77cf4ae987a8e67d8e19fe9e002ab55e997b977b0541c7c8c4e76871ef700b8f0c47e73d3d4473c17ff30da32779b8d1b1a289046038e606590d5aa672c11c3650859c3c31b412e1385a7f5f4b9a3cf757eb8cf64e2f6298fdfc68d659eab6fa1baddd0695ea5c97d50cfefd518ec8357f739435170382b6033691b54600890e20205b8683c47d7d436ebf42c7e7c117d38175467f0d24af74d412ad77b9f2535154a012be7cc5f01242345356f24b64793c6e34ac53683b169db9c29ccbed4f79fd4174426bffcde651db4c796333fedf446a5ca1fd98780bfab32cb02e23dd2532bc6ee5cddd9cae2ecdd90902d01b22b8b2d522d8049b0cf890d4f807b1ef23a871362edcb7bf11df5a056f2ed1d855d9d268bed624587a29c1c2116e6fa2756fd1869b956e999e5baa07ded7bf5899e9bf9b92c157e93ce9d34fa87ebdd1c2d8a88e33acbb4c7d0dd4f4e469bc6249f93e1b11efeff0a49171dcca566f0d3ae8e66fe659816db503833351febdc802b58bcd0531c5f1a9aacab91dac6dd7fc534d6a8ef2f2b9549e0261ba19a633041bc73044c7c52406195f0edfbc223eaf922e70769ad2bcd00ffe5130c6e1f70b5b520ce3efd8cf2a2688d2965697cfc1108c15301f157a598830d7e0f38f6f66fa965e141233242c30f555dca8480793e45ec30d7fcac73f077ab5e6e10363e1039fc4bd1401aad0669d2b15dd5b6fb3c2ce020ed6ef87ed28f1c056fd48bd934515896d69011ebf8f2710603b546b61b2ff4283287d833360826bc8c10b51eb90aec5481a1904f52c2e0b6680863e52ea691db2f48a7f7dfa12a8cf26d3da8377e6486a417e10849cdf1cf67577343184d2b5b4085d6e1a933f81f77fb50878d263eba1be1246552d8572b36d8dca0fe9e2c90178f335e4a75de232d67e1f7a7557bda375094bc6af447522d64ff6b89057f8e467a90d8e7578aaa91cb37a1a2c886c9fd933d0a938d6483bf7c10da4e861e7e73077bddc1923da616e8c073355559318b2d518b0fb4d76d86a01af9fb2812a12819f7692db73bd4d9dc02b89192acdc0322f3fab51b4e27fd94454c891165e41830423ed14b9f42d6131d4ac22076a5577020615a6fb9e8c444cb2bae4b957f55d36e7708acba083a42a33bfcc0fa1302ba0897df69d3289fc9e3094a7ff849325b6c723c305271e369ba8e705bf9be5b78f97681edf1ab07106077304be151512008fefdea23e3bc84ddd0e03fd919be860d797dc6550f067122a685a58ff810057b0a1ff35545a62b617b3cf85859a5962302fb7f6f660e0a840f823039b6a5ec186599b9428deef3899ffe6bb69e8d4584daef04243011819ee52f08c7eb62146e8e43c7c3836
f9cfc3b330a56719ad32215896d23176cf46886a80cfe4961b7c29b6b35d07907e9d05cb66e2c5e1e7b5959ff1ea53696fdc6fbda789a16892eeff4f99a2f5b951d04fb01a9dfa4e1a422e5a75e7504ab530f2e5283747897af16b9e468edc921ba3a3bd4132dd7a2881531865e0a858cbabce180e9f1d20faf2ef90e8bc74139d608f34246cac9894d0872db0fe2b0469a64f7ba507be62d54f7cc069df2617f93ea94c888e1b7e1630b00f16ff12699033bf800d4680ca196ba4381a383e11fbb90dbb071fa109aa054cdcc00a9be4d0a118f21cdd487a14c8e02a4260b62d44cb3bb8de6b6decd86f461328b89a9e56137a1ed2ac6f72464262e0de7239b2b61082c0b6ec2e2cd8679c0669bf3f95c4c3cfbda5f9b6d01ce316d8a6890507f4eec10dc24e73599f5732d8fb388fede07545a6135fd72d8ae5340b189c83602cd9e68c4614297a9c73983825d1eeed7a6f852811f2853ab5d82e477e4048ced6cc74583abb5ffa5e83a256dbcd574693cb43663e7b555f19af242e9c232e3618e724d732dc5f5f402a9e3145db2c5d57e229104a72be2f9cc8cd9be7a51b8c364e4271731f6d2574db5523bbf86b6a54abe98e05e08378a50db14adab782b693c3e38b9fae76ac7a92d99ac54cc22ab02c4da5ba9bb2d6c061290fe1f718d27079881ea1b8c2f009bc30fef95d1137334c3e3076e3708fed585f24c566e462ec23217e0c743847e32dda3f562f6290d4d078ed29b67d3e8489199b3bce09a25bdc779f332b9400424d02decface9f5b035d6e4015da8c21b15a0de7d24176f267a653c518d48ab85d884345d5b9dab8a1b3ce718b4da4ac17557d4a45e18d8ad4e12b5dd890c226ce720b529bfc708055f2705282f516b76884a65b3e36dd5e3a996aa49045d3d04af3f1608ff8c8e128894cc60d434e24e4f7a37e43b848e3d97a233be44b0d871cb13337347efd0bd39236aa8ba98d816d069aba2989a871e08693ac0d36aabf9f816172b73104e5261dbf21aaccf71af5a23c24749506f8b3f607212672447a7479ee9fe0cfb8278cff53d16601ba84f767c9ade2f650a65dc98c6ce825196c0ad677623d7d08496abb32ec48d4e41b38765e47784316e59e29b800cdac01733c165d995d7a2da4364de947c8ba5a8d92277453f75da3eb0ebfea55f6f4a81316138d98707c26d82909947d8b10f8eede8c962a6971e43bc0cdbf3d336e1a2b26d8bc193d3f3ddac7d0bc8bf8469191583bfd74e3ec7bbe6d65ce9439b78f0b2b961459e33c15e5b394faa0a1031e81248ba57a29c5fb967f904dad09a5ec165e6779009c3290eedb2cfb436337f76a090129183cc06c6ad31916e2608b4f75bc937456909ef3e42616ea7a61632744b2e26b23a49a9292577491ece6a0c1f
ac4d8b799d73a6b851a45faae4c096c11064e3868f198931c0bb31684c73958083a4aa38934989c9b65f6a9eb741faf69471e8323db69e64488a3742dd4b39b8e48d223b2149aee19aa788561bbfa180786cd147d0beaa1353cb83804d3f8baf651a2170a240ad0d7aff2c6598dfff27e990960e307b6aae80a41ea5bc1108e2acc8281f821937f32434fa05aa4065663bcbf8c78f9d865fba140c4ee44394ab6618528f74282477f1bdca5e46fc6d94166397de69a592e7c8c065913742cbb7c0967d07a33047d9c4a4e01d9faae52046bdbb2bee22abc65cf068ad3d3265ec6dc1553c514ad41c15c436b98d77642b8fa63eeb38d6efd2d7d90ba7ac034337238a342fa1c6d7bbb1ca43a9f3035c4a5f16757fb521f1d45ff3e81defa599088c33a866ce7efa466af415ea22e54bbc60ed404cd12dc0a7d21f8a3b6211edf4feba8913a54df4f0c6148c41ffacbce903085f797481a93a20fb199abd400758d81746df44cc4112e3490899e058e7cb25e1a4ff90175b12ea03b5eae7ea66bfc54106c9d600f0015a43d2d322fa52bc7a12acaf93c38781d5bfc4f6d07a57a937a1a59eaf2277c9c498a878ca89fc7dcded6d91f54e66e563f06319cd818daf054f3d2ed62c13257862084e5246d1b99089f9239eb18403e6a098c354815d978dd27f4f0fe1f0483358c92821a65b7b601d98936b1906bae272bd8a45067826e4e0ebdd1efa253b0c178315c7ddfb658fddd1d6cc01703fb4b6a5244451d4b220d6a67f42de30df871fb81e416f2c39a8aec52c22d5359777fc624be2d7eca7859832b956c05c130930b7304194863913156cb36d5e772a780f334abbfbbc59269e71fced1b39faee80a60e5b440117bdbb9dc5f8de0e01de14b1551d85e96b6fc02a383929e1016254a27d2ce2e10b21bd7344707465488b8186b01e6ca347499c4ddde942b522395e05d0a681fad00618e9765d5945db954818e5b846395187ef5e1fe2a25be1d48055fbe9bcb9673f9b4d6d9a40daa3d99707c45f6b298e71c8a98b4cc6b4a838e0a64303c9f799638699feec8641ba6c3f97ad6bc641c193c29d1ccb9f910878acc0f486a29a8e9a7ccf4582b1e1fe0b71b8ca688395cc0bfce5851713eb34d4a4d444cf29721b7fec0294a1fe949ddfffbcf550b75b89fafddb2676f6e14b6bbeb5ffc357037c5db4736b80369323ec14e8634394dba9c347451e8a351a28e4bbb9265e18460b7fac0e272edeff89eed69e85a3f45c9d4b56225c34e3146905f40ed44a69325a58a01cfb6609c1b320fc80048f1ad7dfb5aac1288275653b6d07d3765cdb45b64f9905c25f828ce61d42f8c310addac2e74ce83e429e6c29249de2094e90015f432ceeee273db535f59a7b4de6506c7ea84665236e9a4224
e7ac6a3abeb227a3911e683d5ec4588a680dd786bd6b632f3b092549215440064314b8523768341faf0154925b228504f8ebb69e760451afddc79ba57195d76a5003b01b013a4d264605108446ab17d1d57d6838c62cc10ffdef3b02769246c7e69917ee9bac22bba79391463f7db1c3be1948faf63b7df86d39818265a5719f4b7f2ab0413efa5b87952e112ffa74ceef99dffd8822da76e2162b51055fae76a996e4dff4c02df53c108245217a8a9c65683fe1bc2710b7e29b6963cbb21cdaf3d83cd1a91543faf5226e2e77099fdd4a90528f7209347c44c195f2dd897d6b66b341540721c5988e7502e10c40a04a4dd5e30f8f380b612f6d651818184f278a98079830d75b8e2c2b8ae5a7d3d2dda66e6c889761f9613fdefc418013e691e87dde8e18b83b6948248f8292672fe54e6bfa709870c9cbfefd114734b70459955ee7a04b2f7b814b1b3535e64c39a0f157d81f863ac8beeeef806d5afb4350b28bc07bf2bdb6249697ee1798b85ca3078e3683b4dd7dc68e44a05ce5d0763a608f0ddfad90ba08652c8f143447937d1104398343d6faf6586d2a45250b3f5973c3deaf26fa4e4a52e4bacd4f99ed7e76668c3597404a28f31746f94c12c5f65b1b57f338cf936e7c55f6e9aa5ee608efdc4b706674bf07423a30e8538122849903c6a0a7b814a41852f8b4c1dd136c31f548f54853bf10fea0d147d420b9b63e4cba3d68b18254114c68cb21e9cb60241aac96a308b70138fd441d5b0d1f3fe589e4b963ed18490a45914bd40cfa03d4e130ff3be37b12b63052c2210e90447330654900a9c00cf8edeb4884f9fd09f4009cddf0b7ae23d7a04ea3d02871215d5b8286d1adde59dd572cef31b375ab5e9a128de765ece13dbbd11f7be8ceafb7cfd07debf8ed1cc7e2d70b8f6ad57f16272d83e3ff3087d000c1f0aa1ba1e380c12f4abd810d40fb78f160e03ced14c6ebfca4dbe80a3c398df7216f8661d4179e4527e1ba0be1bc846d76670dd6740fa4165e3eb6b7f0980de86c9f2bfe31780a9c8cbf60d046ac604b60e2d850021e79014ec3722f06ca33a3fe047043bd0326d54db57658fb3170f602b25ecd1f1e7e3e6654897974ef8ab0248d3eb4bf4860ec45abe703ac33971bbb16eaea69d0480956c298596d1a90487ed5517850c726354820f18c0997c9116f12c148de2a663fe4810c1aff6a5e05f350c42187920b98dda54c35da5f6285e687b306278fb9e429f8db1f1e38c998acf318456e293d182b3612df2505bd4e63769bce1d0bb23078eeb5b4ec09d92a1bb293c47ace0dc768b35f807ba31546a84ce3bca34b58e0a575763ffc308bd64c5c339daf909767ff62820c90c427a58fe9bc2979525e1209f56f708a266ce14356ed3847031d73c3eee8cf1d
2d27122cb432a90f35b19dd053ba6738a3c6b5606c2221c3d5fd28283911cc71eb74f0e397f1feca139f6c6c8e0f9f5c12786a42157845183a76716725f7e7e5dae6645a736337a49b83e152ca6afe45d6748f7f4c496f736d96e8b10ee74c71c003550a4be8bdaa56101b7d9bd0027aaa6900e58fcc77772ad493a8a613603c3bc32927dd2c2455923e924bd66c5d7ec7937fe0f3a6f2eba16463480711142963da156cb9ed2c1a4f5a3c541eb1358565687f6f6206e0414d610b4122beb2adc9f521af15af9db87b6adbc8205183582bf1c916d0ce050a0ecdefc24353d00d435d6b07ffd1eeec39b3154f654f733a5c95371168b86be13932cc0df2d27c487d0d6860be3c5c5e7e209157b32f709f2def27bc38662629d054fc4b51510b62a1a53795ad5936e8afc2a1f410334df60fd2a66079f9c6065868b75e2699f15bd07ffec14ffbfc54cc40c4a01dede88fe3b34303867194afbf3810a0b3aaa1aab621d572479c5b8dfc7ed5bc233dee16b56401698a9fa5c0d12b5dd0e3f4db43eba06bc3445ceb95e5594af8221f884fb6ebf7a65691eb7cb67e844e32ea088105e35e96cbee00c323bacb35e0607e3ec9ac48eabe223de34074925d459abadd5e76c79220aae51aa78d558c5d3dbe2d0bcfe8727337372fc414388104662bd2baa1e840d9d6e594c3e2f7e89d626208d6ec0a5e203530081951de4b62347488f79af8bdbd26c5679379abbab3a7ce861197292af472a71a5c459944b7439b13b4649764aff5096182c10a71c1815d3bfe77e183c93af8d78007c204862cd4022da552901ca37328546a62acbda72427c8b1c345be78330f623004b388dcfb05a6f5e007362f70da614d08645b2ad355716b8231946950218b14971ecdffafc99bb657995b7959b9503d97ebe08340edbc45e2714b9975161c56b070e00a0553261b466b198e4686f097c14ea9212feef595529ad03b617e6a1c6bca1d3cd23e321eb694d37bdc83f36bf23e3d581555366f6c575ea8221fff4b25fb9fbd69e9f024e7c5aea79cc96e66501eed51d4f3763a92dbe7ccc296f9373afef9b18bd5d2ec48c44b5c5f7f5255a5fcfca7c9d9f176fa5ab4ad6812c8aebace697645887b33463eda823b1285380db9a63aabb7057d8b7832a50f083f72834dd5a19e9099598fd155a827228a95572754096720a754c6cb488884bc5b2078558f39ef9135312271720ad6b13ff397c7d2f97c28f4ceb2286d5c59512f6d8859c5668d74faa8f13f9adb520ff42d18a7521bf5bfac4216d193217fa222178bbe75d1ef215dab17326d47fe3166e0f6de5ed889e906791edcecae3df5bf113884e95adbd600cb07aa372bb95ded3fd88ef7fb5397a243783134794cadbf514ce633089bf1059222b0b43a4e07
694a33480b180d10d5e7db4e678a144337e2a482f8e5d2dad6c4c15ec9f89ff641c46d2b5f77e045722bd706e6893faff3f4a2eb87a7751850b9092b05a9b81f901e2b180c1793515863b5b97601b20f26bdb9021fc20d6668fdbe555f2839c2fb275b10b047ba757ca3b7a01695a0407468e0b96bc8825ebba00273f21de02825f6db3c0d5db001285e5c16f4292532f6c9484f1b6e1d208d9c33621d66bddc1229df59eb12a27bfcec3cca6a83a2d217b6219ec4262e13650ed233750649d41c94c449659a09a7e320e0c5baa04750717b948fbb59ee30eef68054fc5d78af32b77593afccb04d31930c9c13874d3462845ea68ea7b4ef4e09dcd3aa8e32acdb473d2d6973f64846f8137e5a29505a6e29bb2342107b333c2c52f4dcae0114eb09215db428d4d870396f918a2b66fa02ad8e7a6831b6225428c0aa82b31d330be622d0439d0cab77cd1067c327b9b76ab619cac5660183863039545102db106586cc9663f4c57390fbc9a61211bf330a362644c23c1d9d61c567f30c661502961a55ed5135a273c5a60ac7115a20b8c6e0c544a252d63b446e8d36a93f4baa6af482ee89b72522ae090466072c7efd4e9577a50b89b33bd58cbd926281a63d776eed85982b46c5782bca2abbf9c2a4f494ea5373453b3ed9059262d081518754094367893772e2ffa11eeda145aea80ccb114afa3d41baf632c29777759731618b2ba0b27467612154db70052a3054b46705b30f48a543e36e2a80b6485ac73b650819fbdc0981ac5af93f930a93c026139e1ab88ffed59377d396cd43794439db3c8675cbc95865dc59f523cf60cc9458dc55d8ef9e124daa7dc4a2113f22f19dfe24e2c286e76b517ea0ee654602f30a09c58c46df9c48625a939eb217f0f7675175bcb2718fb938dc5e7c3c0608f73905ed94c64e033cdec10070d979b0d6f1f8c15c45a42eaefa27f3485b3e72681406a2b0971d9e106c5e538e40ff6a2499b627ecb5ff2fef9d3cd42812c22a965828495e2a89f2657aafbc389c21e8abdfc0f7a13346538d352c968c05b45850ac585ed5a667f07f33033c546f11c0d1dc150c6d9cb94e9722fd3d1b1a57aef79319ffc6d087cc60039840865f0e5cf978a06b5d18f08864d433d5310d98cc32dff4b373ea1ce8783caff58d1bb9c687abb74de768dd3078a013f72e0a87ebc88871bb3e3aab075242a00473566c4c13c17645d9df37e50a6128c7edf26bad4cacc140355df5b313be464b4eef7a211c2467cdee511f4fc5b803e4bef5ac1aae85e1c9b772d4d5a879e35f11997f11ff1a09598aa171c5c05d3694382a80d466e0ccce376dd92a6ee85e7906137ba3f934aa6a97761abe99ea0270754d73f9a04aee8853fa4350f55780393a3d156844fc35897ef0ae4f
987041b1166954f8d96114734a777e8ac21a7bd5c5c7b02f5cd38ad2160ac9060973a91a58c36c60564981209620d88ecb44b56fcec157cf1dd518b22b0da5fff82a3e444a48f3f2f1e3cc23a08847c99e074704669294ecd576378deae6cd1c99871a513b3bc3b68198e6b18b2913c3733b378b6cb54bf966f429342f959bdc6c3db2a53eb3bb20a31974858e7f232b4324e1ef0048b9a71244c6cd2c3edfa20e1cfde955e2bf9044ba4f105ded26b2c7a95ec1283849e5f5eb1c578580cb3aa2026f072e7256136adb7fe23918b3cf703e11d8a5674d72726505bf90be55447bed894cde5c266ebe02fa26b167125320e47da1229d4e7b6101c0ab3ad58a0c99c1a60c7540460c914ad9da5fccf3eb1e6970b29a801a2bead23270c8eea61d84ea0db431043a183353864b693398d96267d7375b483d810a1c717dd68540c82bf828ed7290fbee27362e66ecb4f00b7a97e676e06c319fd2b2db6d56f6ebd50eba9dd30a1aeae5892dd51d2442e73c4facb36eb05d0c9592a6a5544e3467aaf6707852a5b464438c80f3e004b761fbe0047e39043d10b4995384c19e8f0797ff770a12fc9914fc7707083aa7392757debe027b051fb9374bfbf826892b2d9f52dba07cdbb024126e77a65a8230982d8d5216e26d9abe79d4e11149b160fdbe2098f60fdb11049a2f33a53b1d86716902c238d83c587d429315c0e887c0a6e81b24c93ca6deb7fd0142cb781e0fbb32767d20c7a5e4624526aaa4547bc192b43854fda8ed1b64810cb79079de920904f5e35313d7acb8334cedce1dc173e222c374d85c74df41edcbe894d57829e6461fbc21532a87f930ea6cbfad678af4987bcc58fcd035550b00e73615e4c581adef7a90639aba3a37c913ffeb17ed58e0bfe8b71c321ccd62ef13c73b7526c322ffabd04713fd83722895432efdaaa76a162e48b881f830029865773559e648959f368b60a58185ea62be84f3116445c0def90f4db6d8c64ac032bd734f9cfea0da8a670d3227a99b0687bbd5f01e1cf45b300745a628bb61835976afc8d49c40e31288065894c816eee600d179fd387f85f0bb9ebaebf8c1fcd2361ec5ae837e9169e5f164e0b4add81daa50f8e94a5d44e5845f49fc07dd10a68cdd6d2f8102f25a2da3103a9dd6e60267212833d684e28f20316ffe1b663647147f84e3d7130731160ae9b35aa2ef8c83cfbaf2268007c5c896a360948a8bb4370f6a6b6612f1fc8ef38cfa514fdd33580f048ad31697fd2ec177d4d27d8b4f6f591eb0c6cb48972012647f9dc77f6091adc0c5feef2b188942d81febaaa8470c2fd3edb621f1fc953924b38802c563c2ce2c35bb57503d09858b90671f0847dbb94608a0956d9267bfaab36e58f17586fbb7b747e51152ed1cc1966b26
2c0a77b08d521a0cf8d9790b82b6dd54b5082b152ec06c8bb7ed3574af7d813f2de720a80a9145173d886bb0ae641334cde508bf49f34dd65a31e6c1a188f323258e782c819106c7bf5bd7e1ea0865dcbe31f04e4e6aedb1abf869f8b424d4cd1a9b4d74b7999cd9572b575c89ed30ae8c072f9c403bcbe237d06dbce991b05bf5ab04a1df6634acfd289d6e8b05b5cb252008a2d0fd2fae67ffa56c0ef17b6e077dad36911d9fd909fb00f66e20182f6b496d30dd00d38a3020e394f1b66d69a0043609c7b70c0e9b4c7ba3dac140c60767e463bad88631ee5af9757e89be88e9fb89a783bde3aac1e0a0a44fc5c820330822f3969ef9508e24bea9dc68165d7cb8a10c227aea4780e19a010a451893cb6f29656b34bc202b4191faf3b2c965ba3c3d750b77560bc2335ddaf63557f3fdb2ea421c505224103cd6228964aed3677b68485c38942860b14f18e95b2409bae164684aae856207b6a17e1aa569f93634d1b922daabc0c423feb28d7c4bb3b32b6cb761f01912ca12ba023882af2d80b215f54ac3aa6d4c2dc1d2ad9e4f88799ffc0d8b19b379827177d75a82e2d661b20d75c2620011f89592b5a6acd861706e9ed56a779272583a3c60f479864e667fc8e214a413eacb563bdd584c594ce633d3f10bee3713d453e32f147f5bdc7a4e775ecf20eb883e6d4e866fcfd99bcc41fa8e3266d48b97f0a218892233536fa25141a46d5a41f7ae4713297a2f95ce0e6661d2116a05601a346210f5ffc0dad79efd531156be2cb07ab6be8bc58ed98cfa69bab6ceb638dbc8d97b6d44603bd96c204acce5cfb677fc80e5f7cd9058fe77100fa41da58b4dde00bf5481400422a1e1ba54ab8e4b80c22434e80a2f016149f0899f6663bdf9a89e201ebb69aad3c37748b71756ab35c358765bb77d1289716fe89899f49f22ef736b90b17516e1cc8d9e91e172d56a6361dfc06fa10852005be0b013bc0a528e56da8b69e30cbde3567f0750f99daf96c64e35280245861c092de0865bcb2913156f08a84ef7ead5a357408b244c61b26e34da3a80fc82e1485beecf5377d3d95d77eb3dd11979789b9bc24fde7698f7103891419eacdcd32e5287e79a72db4338c986d3df9a04182e18ee200551ebce1f3351bc0728cf3b59d5d95345092625e9406d14bf8a53348e279e518096d98018af438d87686ecd02bf442d73e46511c8e8fc553a58f9faa99ae9fbae97154ed855c7e85caf2d980d267684c6dfdd7bc5e6fe5db46b4ed64567df9b38a71bd49ec38802b91c8515efc7aadb278381685ccd253f2ef88ad1cd987cb10ab5de4bd8de8faa6c567b5a072c2403e92976e87e1749b995d5da1b23369c70d7e009151bd3163f1d1e69755546882a1b0c57b1cf48fd62a8c46b8b56ccc84dd2
799d0bb0a3be9121eef3f860cd1aba1da5c4491cf117a09c330a08b3aa5c00c7f91a898ffa405cae4fb84ee3033e44a808b309eb89ceefa81e65bef7d27672b2e0aea89b8522c3ba136df5241c4ff20469351ad28e8f2e3645a01e0a8ac15181b247ac95b91a08d0f184d166f4fc19f98148f2193ad2a6fd39c9a06160198615123b884b3318821348cf5bdccb04ff6bc8cb876fde4588c3244e2aeb2e8d24b1775a942a41ac7d274155b8910c3685d4146fe5400c17e83e8288a560acbd6a819f80024e548ac5881d6faad171b6223c5883defb2d5fcfae9ef86d046bc7a24f69fb9b1d661178caf72fda94b29cf03ed188a7452a9e8fe9f0d1e0ce0c6ddec550dfa0281b007a752235cb63ef66ccdd05591067516523a813ab7186f2be8d8f88092628ed50b8b8fe3355e963ce181b2a7761640b6433596c330ebdea5437d2579f795810a1d1353e2a7eecd868c23debf3b417a43d71bba4e9114c64a7743e762ba34fbcb9002ac936e869f95a24d9558b952470f6fb124a7a107d2934da909278593aba7c7143ca0cf802f957a3f8e0557451c216f82c1750fd74baeb0a414786eabab18a5cb1826f9800c471c23dd7ad43d497565c078a75e3d02f6dc72cbd9488849389af509d5f8b64a4ca215ef6b148fb4ab9b52e72181945cb6d64b951976c34c315bc7edc2705838ae09e821ce5b1821bb3d5d409dd6542745dd5a74aa6276add2d479c6f16c1b868d7856256c93c6d4d4a2f630ff40363e0a07182bb4131eee6fbd18a236da2adaaf6a7b70660874d7296f69e9309668c75e4a5f8144f93348a4a8141c2d1885546047f343a096eb255735a9590b9714bb5263b3bcae7a467c6356f50af9d49ee572ec529f2bf3894675d554334c1ea92c5fa121de3ef1b9f74cd953aca996d23ab6decd343ac53e2f99a249fb988f4ca796c0a849798f0f97495c10b9a0c8509c4bcff637662696949efc09251a06a22c22603847584330cfea0375d8c5bdce8dc49574865afbdb3673a76d91a4dc0eb7e3adf438a8f0c8c03dcccfdedddf4d44abac93d84d8f73a7a4bd8d0bd07122410bf9215dca11ff32e98eb1739b26e71890a21ea173ff62382c56bda1514776e65d36924e2590790e812d24cd2aac5752a02dcca068a4c5f4eb69a707280721e755d3601a2a18ded5eeb61fdbe7dae292976137780bb94cdc30a247223a39f94b324d9d013da3189c2cff87cdb6c2d60b271f33094db4ef5dcf9ed72fc21244c9cd4be4d3328e815f5101643868abb4e50de054c95554316f3a827016dd9474787d3403472ccf47484cacf52ba3865dd233b99e6884bb09536e65175f4ab58e9b138fb659f29a216225a1a89c94a0a537ce70f69001aa8b3f3e9c271d7acc8f61da6d9f9b0beda683fe87e40
e61240ba431223cf98fed0ce930bf8e44edb42afcf54fc10c46f93b8c4d70d5b305507e6a5e2ed79b32085b7598a90659d2d929def4026ef7e9fc489bd22160929a0892c3897226fe63b54424aad314454ebe080e29ecc3e6172cf0f64fb2566a77813fd0f03df52f7542399a134cf6bdb23b01276ff2d6e2db82661fb1aa69388e55c087c3897309940477ed3e222f860eec00e012404ae81c6ca35f1ae7400e0aececf33348bb4adba665abcfbaea95ced173132f6d6298c2899cd6184f9e9d2f62e9d5c07177a3de17f59e7ef60600c3b741af36e7764ce2cb376ca9646f1134e89a0187662fe24c7be0973779d4f5bb3dcd05d8ef4e3481bba1d7199149d1b34c074640a8a2d9614a1d3f2547837c9dadcba164da6cb5899f85554640792f0d3e5076cbec862732dd8dda895695efbaa77ca0ca967630df62d746780e82cc16a066ed736889c9f3c533bc4340b3046ea8bf75707daaceee2c7582f179b1f1259b03b4bbbcc510768bd494b4ddbe27db9ac24aca119bc04175752328c5bf91e4995392c98d934ae13ebb92756e4bbb80053c1dbd56d7989a0d13f81a62f05a33653ea10edee1b38ce2608ec8c2ef69152bd442c79463e563ba7c5461ef96d170b0640a7566e56e510e66cc795f71d9d728ae1b235e72b546f7b3219d05c4bcc39ac269cf69f1c301d228060b8093322378b1684c6c396271cedb32989cb13da07022dae62db8a489b32bdc5989a7266528c5857a43f0cea8a8926aec1a732603fb80ff5b0342f17092f2f4ba5e9fc4e49bd96405824578c2543fb27c32f3299060de4b11c12678da6aa215e2a02cfc99a602405b130495b699483143274e1429794df198ad773abcfa16a6417fbe9fa64f97f8037dc80b0ab21821058990c4775a052079a1adcdc89deb0ecd2f1e916b0d77489438857c462ad98eb4d601e6c313c8c590e3543b4ddf31bdcc2fa83e193c74688dd1c5f8df7cd9b0401f2c67ea55fbc47fbcc3d8289d548fa058ac480d71d8d4fc4c48c1f1b82e1777e298002e97af72a4966807b9bee4f244cd8bd2a8c37ad5a91a520e30a43142ee4c8e9d1f106ce5b108b71508d67aabed8332800f1383514748c57b2d2689432bf826d7894ffe86f7f2e7cee69d461060f21b37de45abb6e7d15025bca8ff9b582a6fd4ac7f9d61cb356592f4a3ec762c5027af675d65b73a5ff5a8337c42bba72b71df49a0ed42e9feec65dfd4d96d79c7a4ecc2f51bb2cc056300d941505de6bbafcbddf7c663e48aa5fbe9978ca1789b794b6bf4fad0b7efd18c30a0e3641c4ffb3531d1fbebb11e01784279e61dce68db708f838839433ab24268c36123367d20cdd91cf0302452e23b83b3118d8dff460701ada0c6d61b7d054e9dc07d5460ea91e16103a26290962
affac4aa486c29e18056ab56dc87c2f0215ccb7ff553427bf38e76488b38bcedef19033fa05ddb5a4c9f352337914ed1acf852adc9a8355a231741ef9b82db7178a93f302a39dd1feff376a21e469a72dc59abfe41624aeded1a0af7a20d89551f8e4af0b1ceb5d934c5ee7e9cd0497d660d0d58513de8ec71f89384ce4f3047f5c5e599c444f52d7080f266785d9cc950d723ec588edeea7e743f477b50ef6d493cb350bbb867f9367b65ccbe52a03674f284a08d36bc50aab4a3f0c91dd68acf6d2b5c605484b94dc331257feb5b3b8128aab2a441d7c04eadc7521e6ba756e3d7e69a3a2f41cc71d7115f4adec5eeced9cd516171ec3bd6106ce196783e946a23aab8dac73f2559f59a998dae80cdc54d83aff7a88a9622bce3045511cb77de14789832efe7340fbac4ff25a7883ad5bca41741a3144a0f9c5b8d2f03ded15b72415cb3447cb621409481b4501eea8cfb8ab6ae53b9d0095aea90fb84c7160ecaa8d04b2a2f757a24c75599472e7c6f629279d57ab897ca4b84398f1841aa0acdb7cc208455e9ddba3db8095aa6e31a5e5a284946b26db2706951d5a6ca7b33354839fb8a424cced92f9db490534b27c93678e362b5a2c12041827004abcf80b3c9f7659fb1b2c671002796b86869b29388d5df277289535c976fb56ea1a938cebf824f2e9093ffa058e41264abb4eb08edb505e51c0f9bfe3d4f97e52e84884793d4db290692fb25cd68509390f1ae6869ec8dca8a824279a455ab7db604e563bf6096755f838e5b4087380035f2041426ac0014fcc4c5decdc74453cb407616c57ce736039464e998b8fee6d423bb377a16a2b1fd8adc418abaaabdb2bee541a5c312d8454a36b4b1c718ce74e862da4a9e239da612f3f07d529e46251d85629242c7b0d4f5370f7ecbdacdf9ee925d7b717455ee78f11f99c94ad4cc2f8c598e845226669251292287987019a6d4df23999c46783f66d9c0d1ab4df572c972c9e837993bfa68bfaeee52c98211dc9e0c1b254e7c23bb6a05de76d7005e2fa82d4d2ac444f31a45b31fbd4237f2805cbb18111e091f182ee7d43501c1e4e1ae69997d7dde527b01bafb92482ba3870ce8211b9779a1479f168676371e606ec9c4da411283c845839f2440f6b9373d901653a26e45ae2145ad6ef2ef5729d9eabe50cb51d17eabd72e08a61a428a1a336836eed361e9a4d1cb2f312d7b3e5765f054edd1d7477076db18592b8b880c78f1ad6b9d6e680729b906d8e44652fcdb628d7e0ac1b5ddc8ffa2fa26710aca2989d3e5dc0ad481829c9dcfa99f5560e3aa2ec5f11c1fc995a14e2959cf492b07002cd80c066ffd4bca1e0c5f8628717daf7eb3cbbbe2542e3f5a18c9ba54d56bec9f52f0310635fcf92df6a4738cdf845a3caf7b3859
edf9220f291dba1aac89c07693dd220763739798b687cd6b27d896a692536ad7e847ccac64984cf9ae18174d0c23109f82cc943b004e07ac6741045dc0cd4a302257b6bd4eeea0d0f3e7af93f1b3abe724ece35482f2afe205ed2265824302454e8a29bfc39e943232b7afb435e7517d6ce926c5fdd49ecac1be18435ff5665d0f724a2bc2d22f19a6c1428e2f686419b124cc76861f3070ebcbd99812cb10ecb357a0e1171ee64a67237762927adf9784ab9033f6b566f7218fa67109f9607fce2a4b8b74a3cd5a9ceafa4ce0b38be85144505c0bdc18a49ad0ca23051d563d14af02e2ec8147e8f2bc0bd30c69debfe2c170dda04de73fc777aea45027e56805a4b8c3fbf09315da5b05de928df4397977b26ce3e54d36643b0e229cfa6f832085fb3008c03e924a5b6232fd0a82c1b1b91967fa5a1b166c67f05ee6481d895f21aae704825fd44a635c29ac3ce0f5aa28262d845f4cd0891134ca5846a6b62ce7fc90a6bae5304eb0f533838b522a74365e6ec1957375d09c511d221439dc8f17d4b90e298815d7b9df23dac9a6adfc2608c062d1328de36b9b8390b330a99d50590d7d3f566e11022f7c066869422260b693c06e38b025157442b473e97b7eb2b4365e494f813a99c695447bd3155199597ca8ffe224b08d3fe81eb80afc5f2c5ca9778754251d8c7e35b063855d66cdb5ebd722d444c4654989edde1fbc78d2647b041148a159414b94805b0c76eaa242886d8b45f3f98489cbcfaeadbdcf2ac5ebc6b32e684d7467e63e935a6cdefaa3f78f8ee8a00ff9da25feb8fce6fff1033231a4aef0725907534f174e5386484fa18b781f3f6894affba4d496deeecc374f4b3e69f95a5997c8978a4e0a29c470b32864261d08d5679796ee633a6230d2b2f71e9f219df7e95d4042b3cc991352e50715c5ef56dc07afe11509d905b2d357bf03b2366582ff9d473c9a559670a4dbf02d215c5b3367a1bf08adb7cc5c208a2264906b67d4d9ba2a15f146549578b20aed14013f42dd268aaad8e2979bb51c5ed81988e6030b6f5082d1cc212ba2e2c8b8084ff0e72490f0d14048a507beccfabd6d4b683bd7dbf4bd65a45809166b207b187a310fb2558df0caca91362dc72c3ae5d2def3c16a8f4b96fef21f76d1b7ef57c93917976d0384d06f0bd1dd8088d777eb6c1bccd68fcd68efa860cea38018e46668210d678b248f53f83f0c4b922e8de99a6e734289991e1046a1291b249874de24687c24b3070d7e8024f47973570660787b0854a229b014e38ba8dd1d12250b899e46df956ddc02ee440a577756fa0052a305b3dcd21aa4013be057a6fbd43b579a5d57d3edf2c74d83114b96e55d601d5076eb3d113311ee1abae22fa5ea7107b8e20bce63e2806e395e86db9302fb
cb1e66a7f03158d508a06c17fd81560cf48196ac12813c7f1c7a2920121f26194210632af96a2372a96bab8f2b237d9260ec7e9c5fee28d4571c3f74a47ffc4303f794f6d161061c63eab2d6b71e6fa6601edbe0228a47e62b5ec8fe591c147545b74d57c098e2373cc1cda4a35d1c3c40a5a5baa4af89d1c21cdbc2c4d8ba4db7b3c58db287ab79f63ac779d6e812776e143a32e12746ed3b1c8cffde5300b2428c5eaac80d63dc69242c83f86bf7166a42a0f70daf00a005f6cdea71cc02a75490f185f6e3b1524b3de595df869652a502aeaa9873a10960387b3b8610e53e84ef62f4d211f81c8bbe4639bfcd02664574f80dd9904b9552c0ddb1f0bec77868f116325e82208b93b11e559ca17259c7c2be47ccfa0a6e87dc081b2bafb7cb9fe41eede8bce6c2ffb156294d436b814ca9b222339711efcec9e5dde3cb9ee5773a96a8a241247d69cfce4a51c8713b85d11e2fa1ba53adb8290701aed0a755b97b7e2c6304566911de3181a6515c056c7a484e3910d1974eeb9eb862109884781881aa681a43e1dad8780c4ded42fb4d6a19437e8d523ca01401e3a4bccaf17b3f8eb98e7826490ca1ee44df361c39c9e9f9623fa86c7fbe46a4a55b70576332372930c4768eb910d4aa4df356327ac851f87cba7637b991577987b46d7020c118452833a683f7aa9953afc3faff0997011415fbdf8088418027b990b62d7ae15dd99a2789b53f20fb9dfac425ba5116bfc0bb903a851ecfae1895bc86a1d50ccd869b29d7ae0b9a6833bf16ffeb0f65ed4be2cbdb742456010cfd1eaab378d1b394ff3366b9000a79bc0573ce4ca6ae5946650c94c192b6c84699ed64b44c59fc890e510a8f6c4e2430f482f4ed9bd7501790bd9f7362e34afe53a0dc6aae15dfa531b85c837af2ea7ac9ebdfb2f960e6a4d18890ee9afe1a4d2c7c4a2046e2d260fab484a9b62752fac90214633b10472fb143c66e41a7d5904750f3ab61f10731c9fb11df99417bfb57f277ac9808d7e1ddd05e4840c5fca77f16bda3ea2e8defbb0455e03df458c1407fd6e4ee34fb5b264f8a83cf1437992202c4bd4195f5abdc136fabf9bc6e04202587cc87cd8254e7393839cb35fed61fc6c6cd1ee20845b79f418cd04cb533e82c42e956d7bb781f1ecad11e440593c9cffc2e6ffec8d21e04c3f80fd29c4abcba1110f8fdc9c16e9f8f0c0bc0e82bbcb43b46b597b48b94e73d106553d51de33b5fce8c0f183446085b690738464f6ca44ab07d8fe63df04d9462632449644b970c5db757d7f1d8d8da3c5244d8b85e958ac52a34079f5712bd1e586abc64aee4fd75a62800f202a5082261ef2e549999a96a1ca69e7382b59a3f702fe96746a8bcf917ec39556adaccb91e84d0345d789b0c14b09a7249e8143023
294e08e55c69a8e15447d15e4856929051f64c760d4ad8501db3a4d9ae65d39060f27c78582f0e772b9f57eb748fef6a3061136f908cfafebee6b3295dc7e15aafe03cd975f9318560ea75002dc70b2e27c64cf8459c63aa7f1cd3abb5a2b28bb797b557c4cf05c56102deddfd954c39800a55db62e79bf256d763e8f854ce3d075ed2efd27e8c6d6558602bcf7c4be0036c6ada79ed34db5995b36e2da666f36f7bf5565c8f5a265acbd909cbb1c8b874214682e64a852f6aecc7354f81da36cc00de2c2cd22163837a7c9bebe44fc520a1564213a939dfa2b11f531d246460861022e78e7745316cbe2f212238fd22bb1e3d0813136b0ee7816b0db76e47ac08ff9a103d2b946d0b656bfaead6af2e3d766a853f8cb09bc3b53295d2e21cb9e34cbf4e8a6075e8973d74e8a01cb78b660149dd6c0380ff8e6d59430d542920d62bb915d74d2503d6a0b49377a618a757476f538719e36013409579661e04ff86f916cccf3a7aa895da4323364961c6b340c9b82c7200abbb1cdef23da98ef8a7942a8b633f7f6984abbead113210042bdd6e99b69f8d7e65bb1fff7d5c4c98a54754871d53440c86c1a4c228fec4bb090335c5528aff48ef3ce9ddcdb3c1ab44ceee0093f74382f93c5b66c45b9d9b2ef7bd92677397c9181f1f53d90c49939a4e9481a1d22548e7d6f727be762bacb6c58cc7224ef4c5279abe6cc5849c216c2f69d41460cab2e6e96a43d7f3b08c74b15e2f9af245c8749acc8eb7f93f19eaa2255f82a532d8acc5c7d7ae0553fbe847d658f7e47d2c770ac02a72df9cd764cd47e29a552b6d28d3c8340fb672adf10a8921a0e361d59e48eaaca7a7c931e5603cbbbd3ffb37a7f4aeeddff8ae56e5c37f1407a78a986c4aa3e19919e9c2c93fb921e72ae93c3b030853722d03cf59baf3cb086e3e3e4047d51c64f28ccfe468a6d492f824ee68eabb4dc6788a745ee23faa23810dc3196a7d6a64eb7a7c42ce6afa846840604bbe0ad77319fd41a59aaa40e83ff99a5a5d1543bb828894f9f1e79000f3d0fd21883aeed024ec5d0ff5190e7ed6ad7ede9b3524de15799b28bc2bd9568c654f9100a47a2e8e4d1042b2a2401ea990359fbe1ea9c5a23a8c9d52ed8b01cc65c942e136a862f7be5fbb30f438f8bc84d599bc18d4fc1275da1c1b3f64d03d25e9daa63bf2537ff257f591c55af5f56402fe83d18f9257527bad9b2ac65d35407d4b0a43c58356c606b85fe56c387ddbbefcda8a71cffcb29193a51209748d8021d5d123540e50954fc4131d2535681a6799944605b79b4de9fb12c0db182d6204df04db4cb28da9e41753cc3dee7658483efe54115bcb68017d65af0ed4ae29939d6c8da3b3c6b23dbd1c86877c9513fb8d2aa04870f212a4d5d0261d8067997e
4618fa3675db86b472589bae3f9e6246b83187a84b2cbd8194548c2651b2e32430835d6e1392c0729e5e718e5455c5548c7ade623de02991ef30b34647622c8961eb14d305634d59844af5550e99858de852451fb4bc9b589e5fb2960b1e056cac90d3c75b17cf2caf98e261a3c4f24d848902f186ff916e776f65e9cbc0a84afc58d7b97352e3d73d0bcac5b8930dc5180788fbceb260a0a8ddaf68116b467874c4a2388713f8aae969fe09fdf1aa072ca5fba6239b27fa1d1bf5a77a50d5334b61c855bc2a494ef4844471be8a02f04dc9b182e48bcf8f44440f897de9bdf03cdddc340a0a225dc4fc89b6a65f3685ee414e26bd9d998b7d764e6da265c15efe857e226574c16c5fd9ab2e7bce95e9c61b356f39029b7b2d293d2e96548ccb21637f4e10c5911c73d3feafa76f760c8eadedc2599e0f1330f95905e694b601028742518c3b31df3c8981ab7640fc86e6873ec0659e08375b7beaf648ef96b7061341153491199b5da75e217cb88ce407e1b5a1ecc4b2e7e8db7238ee1914834e2903317fc40fe42129af84835bf647f90af2ad6bbdef712a2a96cc822e6c40a65ebffbf37d022be19d16a8249640e0349da99e4afcfe04b618dece4713eb74ad58984f1625e32d9bd266fb9cee63d3c71ce16abd1ea5f6ea1f4a91b70ef74e0a919f34e9ba8277df39b047f759a8bacac75fac20ccabb5f2e6f60e3436711c5711955c7742dd6d9e8a9b83d5cccd5ae3448b25cdb35ecc8f20a4c34bddc374ee9167f7fcd2f6a2cee9672ba4eeacbbc98574db1988c71e8212e2d35dd0f303691c4191990bdbcc3fb770d59b0a90433bb2dfb3539ed007bf529702031fcf429fe0bda4abfc427a9fe71a1a94bb264ee88dbb8c31f222adffd9ddbfe46feccd67655fd944bd4751466a59d69ea36d910e2c9b4111a955ff14d46ff6e6afe568231dedf800a90773cc1f8f956617ac44a2eb6e64b88ed5a07b943321c63a02ed711854f4b60a299dad987a82933961600db05a2f4eb7846a8d01cc22bc4529502c9ed664cd90f5d2f2a4d50334b4c41f45838d5de74a6b2b558ea1d1b34dc21d7f7d0fd6c01967852ff0e0f40fee4dadb242b7b8e7af4cea79842215e4baf008ccbbaa475006f25340c392534d4ede113ea0245c73bc624af6de72d50562eee999a5b98ee53bd69c1b1bd999328456e154b7430f2f228749328e25233b5c598ec8b9e5352814fb3fd15a7112c0a8f9855dd55ff6b747777f93cd15a07f118657a267dbdc51d30e9681fe89851f5a6c7b6b4527a97753d0784a9f60406b54b47028407e177c43888278968fe637e336cbef51ee438608d052efa715c874fccea267e400a305c22a2357d9c5afda431e0adf26ca41c978f202792fc1589ba7ccbf9900e1c9e35e9ba5
843c864f8eb28d226b2f3c3212ad02100d8971672190f56a6e058f70daf9764cb86c36d677f42e06bb291b4ac3be2e1dadfecf2807eb62eb065a91dddedaccd8cce08fcef4488ec725be165765f60ddc628b555952449cd8a2ddd50e06f6244184b7266a2eae1db9a0e951ea4b80f1d973011a1ddfa3a0adf2ea03ba520c9025c3de01faeff8b74cd343efa2e886d18a50861dcce0941de826c5cd4cd9adfa4658faf8ca8f1bdd5fdd2742f55528f190b974c1d756126dd587bce6c0a54310103fcb750b4b0b97e032f7f3c1a64c5b37e51fa88305f735c6acad068a4fd8836049f9b1ba83ab3bb7301370429538601a0d2599aa1fb71085703f000f0f00ca386cc2f6600c0948caec2451f373494db089f4337cff642ab03059174ceb2a20ce3f8d2ed77ecde59855dc6a380fa0a9f1e0fb9dfd007ae1af1f101dd154ed5bdba618715261795b60ab5079d085634559da89134c141da8ab660c12d3e85bd90081478e8a0e2653d26c303bcc58721189d02688e9b7f0cb8d26a0c011f3b31611ca63f519fc1d5152f0aaa2fb599ee719b9f5e3e6a5e00173f87d9b3fb9eada124df2d95b0bceb55c984b1230f93bf8e114dbdffe2d7df566f596a628212bc50cac930df46bbcf3b28ccabc05f33c8c529e54fea057949a50aa183d2be6a17c3c825622793c0f8c93ac0ca3cdc1b748273d6f9a20cc09f2ee1f1bffd215a3def20886bab9047c227bda97d87752df8914d7dd0361b4b089611b5a4bce46fbdbb65709ea7b6026201a121eacad55bb8d0065555593d44d604d8c567f6ffa29d3f1cbb69b68402e85c0d5d951e74a46ffc4fb77711d0a3e28e4718d2a6d2f2118d98660d8920e914013caa24e3580ea7bd689f2aea02af380c1d7eba106c5ceced9e6070d00edd5f776a631fb83d021c0b410999c0cf55f0867ad828881d62677b3fa39c4d83f24b737220ed4f125b7c74cad934c3baf98a7583a6d5919271d7d7da84b360eac3b27a6505770f1b92305481dc6a0eda80c5ae69c90851e0283525020904fde991ed16da489bb25b2c82bdcb2a013130d49e7a35969497d7bbbfda112262a294ca959c005620144fb17448866da6e10cb6241ba38b1588dba72ffb8d04cd84e6d4ca0bc590f2be21aa223b0d5ff9ce06295fcdcb728a8ec85d92bc6fa270fd93f0ff4a0610c9904986a43d1275560ab2f50b3f5ffd5e860e8047f5c97e1d77d2643090508c3809da67ce192cdc9edc7f62941807ce1ff296fa1b8ab53b8da2d7e009be69e4213a0b76fb0bfd573f41d8bcf751686c41340713bfd76dc91ec0d7650cfa3c827631de51b70424d1d75d8f5e7c02d3344e2bd4d0eb848842c2d5a61f37b03986639a19b48974d943124edff77c84e57107974a4cf44cfac12d09cfaf96f5b
914f9bdeacf9ad1c561486f5beaa92c9eb3fb975009cea69df9c0b2ed1c2a67ffe6b9a32b964ad127cf224479732005f66bb8a3270b013e12b74cec9cdcf24de84f4c74bca46c58e1dceed2fe2f79d4ad4963b129396deb616f878c8efff2998d96ae66aa3ddf059369457dbd321fe13bc50debeb8675c5c57e20e652741cc9e9dd84d3b30711947299b438c3dafa4146f4491c799822338acb8355dfe2633639f199f44e4ecb21e00a94cae6aee4e283d0db21dda8b618c6660ec344c11904aefe8bb5d977100e8ee4dbef63b9f353130e284923efde506b315af747a360b8adf718a63a7b8d5423b32dc484df2c552ff396cff605a228d54913202c3f6ee7e8042a4499675735569481fd5ec03610cee19c161f524ada7461afcb61a75d1b4d8b030ef3cc7d9880d2bd7aac7892ad0ed4784c15036d2456db2f0c082cee850a6d7ad435575f821a7cc5276d628b5c17f0a02d9df2ca6f62e6dad864ec46531c49fbbfdeabf6391563a0b8612d79272f222d85226918f128f50cd94753cf1f375cda5c9c5fcffc326c5f2d9d7790bf55ff665f7ae3029f983f1e9b0d8de6c0d239b36ac79bd43093839a8a7e3fb02fa8c47f6152e00b3bc4510728bbe5f8ebf24d6125a781e5c88e1c71c0b84f0179020c849936206cd98cac5bad53934a44e04b1803b0f2090b2c090eda5adcbb6787cce9aea155064290b05504a58e9d9539512ea246f1119f80148bebdd2490d7542a393258583ec4ff745458626abb729244137b67d7566fab4cbf3e2adda931509bb7d7dede5106db43a7639ae428cb33716e91019f784768682a0f0484b0d3f61104c52029a45a43488595d70357457010ad8bfc37c38fd0ab5536c20d18e40718e04cc8ac529432d6168ed48b95790ee9c6581b6d3b3fc14a3a864d6858c58af0ff02689d9de1b47f58fc0a8fc5780ea1742204e73be47c87121cca8662930a36eadca33487359f1a0f298971d83ec5562b2a9f32e69ea409cfc55bdac633b0ff384cab1d47ab47ae03c435d518ea5686e038a048b5df7241e51e884ed590392968919bd32593d6af5eeebdbd12f55820c138fd6c77e74d247b3cb28a70216615720c4bfd09d7068fd7cfadf7293fd6dfdf13a96867cda9db64b71255bece80bb8e376b4628c1a0064406e28a9656286941f1536c3375b908072c42c63a58bfca416497a4c84d917b89574f736c99d821569e2c785ffaefc545e4560d1425260d27cddd471137f17f76b7dd2029666f0a27d3194644d366f051c3066639a34d8636db5b8991911bf15743b23bed633305c4355ac820b85e7aa6c65e95ebdc68afcf1214ce569ecb575f760810da7edd05f5c8889a6e9d9940d2705702990860f3dc4d93b7230e94b1e317192bfafe8f8b5cd5ab7b1a791
7a6dca13cc5956deabde65b1ba3e84e1f91dcf2ac6f0fa7c9ec942f2d7003b8167139dd2d6eedbab9d882131808a73c39554d3621aa75636ec73a1a8e30c697f4784f901eae702b4c5a7916341642f4790589b84b5c9a9f1999be3e29745154cbafe19ee29df11e231217e3475aafc3260f0dacbae05c74a9ed6c8856a84449611c67677be04ac0c31253aef76a3d5f6f431ea74f117fa76a3a888fa533b7bd84b0bea1948751790127e106b26a4c20160d53eba82f316c15bb17387bd3d0f9fa45005bc7630ee47538cae45ffe236400e4107dc9b5da5ced163acc49d85e2749208d218421f4e197be52bd75db2ea073b0cfa6fcec7ba7f2274cf7bacff7e459ce37317f72f084ee8f8dc573495dcef970a2e630013da40f5fdfea42578864d532aea7790e0319ddb4c93764b4a6a3d3269ac34f05acb211e4022245ffa64c46081ba910e8de2662a714e637d5dc0d46f83d85653799c7b22c931a5ee9f5b5365f23110721edd3c8812a5a124e0828042a9d9e5cf4934a3ee44a1550bf41fce8a14bbf372b01c3891cfab88560804bd838eb145ea51f219fa325fc175f38e63ad4fb30fd0ddf0062f871f3d5cdf557c3c8b6a02c2bdd7ae243193572e6df06281e3996b2e288f0375720afdc44206175839c50cf33fce705cbd6f65dbff9122946c8668bdedb016914e418145b104fa7c0d76b42ad8864ebbf916b03baae9591c473d60d3590c92e2803a7804c6012d5b011e96c6dd5248ab2c4e78e9402bc49a036017c1cdea653de71f4b998f553bb34a9b6b7538de01fd27d52d2d2523fe3a596f1c6e90e0da6ed3296d9690d3afe291f34d40ae76eb1bf7cbf61514ff3b32399794afba583849887aebe463814461251d08116c9b6c05db158ca15071e993e08ca0c49af4d23c1f7631df7fb7b5236d76d6aac8e6f8ac33688e94bf875c428c90ac2cfd16c7b19b959125953b2ebc38c478d97adf89921379a682622c107a466983e1d4a018dfa27608f21a9051535cbf4760f5631dea4df7758208d827dddeb18301af4c0f9597ace619b1e695647ee17770b85453bf2a3894ccb1894ff65616cf29327898ccdc544d64fdac5a3e4b01b063ea1a68546607e7b51465b58d60cd94c7b514a5c559724e6b1f802a0591e00b75679cbbc8eabbacc17c03f7449562dd8ac34249e7290f22d0173c5efb34c92de42910034f2e5ed65d04e6709355a9ea7c58fd5fe3f85f009bf204864560aca7a879fb5e26483c90647ab0d46f4bacbdf8430a76b8a94150d70b8db44340157d0b9fbc03225e33d63c44441836ddfe85649d2f1179fa96d5ec5583f6d01ad2e415b9683980f331843080e89110fd593687a6b767ac47b49e9704f26eba543c28dd26889e5d8107720d11e92a761f5021f77d2df4
ed85c65d7d86c65bb68f149be503b93641e56922d9981593d5178eb25570be83dace578564123db5db6058d98d00d09cda503372ab65602e3dd7b63fd8e2fd8fda5f53dc29cb2bcdff527db0d49625716334bf5e3dfc4224968c0a9de9258e2e0a0a6bf16dd6667ff4cb598da611120e330de93acdc96048a638959c76e0bbf2938996639c6e324181b1fc70c7ce91988c32613840b7b6ae89b5886e7592ef39353583c62fb9a6742efab711e6c65507ae8dc66e85fb09c81db26c741dfc6a2ae64bcbca671ff426ba3a2b4f23db884b0945e0bbfadb90c62077bf729e7df1b1c20bdf15f7b1d549c63e056aa31312bd32c1d455ff18fe865f4704f0b3c1f8b4add3b2d6f1b4d70c97ece5faeade75da3846145b0cf4d308e8472b41990bcb7ac1e7868eb814c6d1dca980583d250a50974474e9f79032a80c34f44abe3d19a04f4059359d4bc6b38afd1f27254c00e7cdd1c4e5e501e2f99ca0d58f5010a5bb19101ad9001491a69378038b464d793d4832af28a2e7266cc61b9a82c01ea9deea974b5e386a239e93a7e8f986915900589b615b780213bfa24f56b425dc7456e1fe70dc57d0e1bc3069b0fdc6024ea813e0e2554223b0fb1991d841e539104c30adb0a685c24a04fcd6d0409d2dffb949352218df4d80978c64249798213b6c4368468cae0f61d636cd1f57fc99cc27f9feac4380a896449562ebfdbdbd89cb567422ab617ccd41d674c400907fc51b12e1a9ef2b35dd1dea86625a9819ffffc4cf2bf0a090fbb323bb2b410b01355c6e036bb70fa0b5d7df25d0180ee48cb6a84be30beee9fefcfc386dc16146cb772146b2665786763cd2db1f06a44340ee6d942f426cab6d9988a14cca830956e7907232f47125b866ce223a58fc04c1440bafc8134ad0acf1dd2ef5279390bb842f1e19f6b39898616649d7c1ec8421236fbc779b1693c0030220002b5a4b5de78ba14caec8a9f578483b07aa13543048b28fe2403bb8a3a5c6632f7e52f737534a19e87e7fe60ae03d9273573159208332ef98be87018f024978d4ec6629c9b79ea490973464adfb9bbf2b84fadbc3015d8dc4dbfd372cc54f4c84d2c402c538592ce2a8966b44daf432f8d1fd0a9abb66debc10ff2f6c874815c596361064f935b57b26cc31571c2ad33dc9cefcb307684d295368e4fa8c15d490833b11a1bf787ca1d214ed705e33f139218369fb694ae42da41b2e830e29b8d609e51a2d793471ef2c474fb445d0b3f2d5c65e8418cf16f0fb0937f785005e8a678df65558987089cfa38d78a926c179a354bd40fac48843a7427a5c135e85710d1ded6beef534925cad099d5cb3e7af503bfff666f7a68a5cc36a4098e04bb65de79c81888b51b88537521579b150e5ef9d0cd621ea956820e8a384ae
98269c09e88a59892ea43b10b0aac13141903cfac8da80bbb60f70f8681620ee655cbcf1973983e6f24fe3070fbe323657179e7a0bd44ef5d619d3686ae06041b1d483960ffcb3d3e088e78b6e8fb6e8fb7cad6db7617ca8618c3229263e179de93a3b3a538b14bd060480ba0bff298fff01d25e40c4ecf8339b18035ee22f46c2f801c9a158750e5af4d358e9f83c7d849c136e23d509e24850729fbd32f2d7f10c04fdd70bbae22c2ade00abbf1fd6aae066894c1aad0d947b7c78a9a27a74e19492dafa1024724186ee9b3db8b72efe7d9c15405edbd97324870f080aa3260df0a2326992d796d93a9b0b727bd10ebb1aa4b252b8e08d2843750355d443f2a8a688898048810530048c2bb97104fae86fe8888e09bdc935a64f51a480bdc35151cb874616c21c6d02be49925d9e69196cf6d045c7823666d4902ebfa353f8997695e1714337990fbe98435e75c0ade4353bc4ef208ff6b389477e9cfd820061c059139781291b5cf213769dc429a34d04cf2606168c724acae08df128b468dc73d4965105fd46252633ae7e93cd2389cbca0ec43c03ebed0705d278468f84835a22497e88de4f97b3774ec1145f2dab3ec5c3ea9a03232f458e36e5964b25bb4b7391aafdda257a465d915629f0ae761ab62634e5896f566f2b09c9c0b6d0e7c477812f7dc8004b6250ce4ebc4073d9f0d67890edbba6bdda25a43369f0e15d358232b8b801790db2131880de8d7ac41259dd36c143559d83bbdea615946370697cf665f9f8b2fdd7f2ec5b41dd61ab00b207873c8db9b2e75f71b3d2f68eb4dfcaee6cd7400d981f59d770d51d15598f6622ee4765222e77ef70e6e31468c4704f145f48a9beaafe9a08195e2ed3a09ebb21ee183cef2addfa7b8cbea29ef00a06565f89fd8ec23dc1e03c236f1b706aede07aaffbc35ff89eae9edee57ef81d51ca0b881ff474d49264523f3f7af130b7e9bafb313fcbc9ec9d7ce8a23857d669294eff470937afff9a361f263a378d99b45697e61db08249ac838570c39687e4678eb9f3d45429b814f1f63e4b6cfb329b5639500050cdf21e014184418fdeeead744bdfd7d18bead1635340abc1c3cede4d65b5a5f47a3abcbafb537f0f56fd43ed5b3384dc8c1ee9875d4482d11c7ebd5541c37bd774e6faf6fe67db625d331b9a5ed366e45de2c1ed84e1a19959821d974d6478510d12bfbbc4c7c5bbd208e67b6f5ca526ba93a8f1fbde0cd8bcf8dd2e0d01ef54fa404e88c72180257c260148a02499f1d9278cd92b27cbfbf6da4c2de1c06453525c8193801bf892065c5f33a2390b81e84bfd146f8cc9b423e230ea8b7ed37dbc432f51e44f913b5a444f6ad4169e31df307a61a69bff3d26fc6f4fdb7191d4183de0c2fa7802ae0c23faba43de1b
43f430b84040a90a8f5096a8a382a5d0db6a0c305b817ac1a59f44b1243488e7c3d80cc322506f2f7045a2c937876eff2d5fc2d077ae88fbe7455569cc278b2fec421b80e6bb99c989c57d323976ca99f40785d8aa3e3e2c57489dae2b2d421eee284325b7477231cc38d5d40945f5813119f2263bde664ee72b9c3ad5a8b6622a6415a38e393f8bd815af4fb7ceb4ea28d28939be965f5e6645b36ec726c00fb747d6ab805638cc90d773ad3dc669e771414adb6fcfa9dcabb6e537237dff6883bd39dd56b0a57587f8393aa698c46783616932d038c84139f3483179943a29d217b45c8d80b7f03ff67c3267a7c3316c2c5acd3914359bf9438d5bf93d6a33cfa5f86a142215f87d9becaeaab6173e03d292cf9725cf9117d12a9230b3871aa56dde5e7f9afc6c026d88ffac657444b1b07579bbc488c6f5e97ee1c88e90a6af2cf9f8ef9dd8b08980f9bbf1b2353bb235fe9f16677f20516e2cfbec3d4b2eb3bc1c87dee889ab2789e3f3e78b2da2dcd03644773b88f210bad65a1fe92dc71d2bfb55798c7a3802a5f9d9908b4ebaec5520d09ee1a84ee2c5699c9aeb53916647bc0096f329206ad50308b08aa2a7749e42dda9f8319b29d3f30e0c113d5e3564132860517143362dd48c7487e64065a67ce5922e76614790eea4a9f34dfb22170a6b2eae3590fe32c0764e7b738f1422664d23af10ed6c55f7b4e29c31b50a93b933f860e03192c39fab3dc9a1bd962c279bfa302aa80ec9fb1040d3b1a9265fcfb73f13ef73c4fa12151dbf9704c6f89d3042bf3c27c646bcf3d3b2f3b623f22ad71047c3c5edf248becd4a1064beed0dbcf357a086bcbd7bb40fdfcd792ff2fe3edfbf620e80e816c08e921e1688cffc780959aa2f3a6c3b18386072f17ad9936894e66b0947b3841dd18ed84b26dffc62f3f278617d681fb5f12bbb2b0cf7e6178c28ab32145ff7930365754798ec20664ec52f707908733e25f29980cfc7c3fa152c3a0dc3ffa80c53f1927e78278a5f06c690586ec268aa253aea10b48b49fb2ed1ba4e76e6d096736edd66cdab50c8f18e0c9be6a1a187ad0e7b3ad6facde6935c7bb1c4dff3358b5c73b306557f18f3924d8bf877fab3292d22257ac0098e4c9fa5b2a0380491b9154b450a8f829feff76529671d3b8ba957d9691c8b551ab0faaf6c2e3289149b96f46fe28ecf63fb55e3bd097b4e41fc277de00ab74721df09501e12a95c266a171dd15bc2c29564af4089efab7a478405acc384571e6c02f5b5ac8cc36be77daca524a1f0534f3d2dad60e2b6a54cac6225876820d8ec00ccb301f27724116836577d60fb96fc7f0b58fca0415be3c04e943903b573ff4ed860570a6cfc6ab953a57651060c4b359e1e5ab8aa49c7e571c8bf9a638d03db810ea3
0e58ac093563f5c675e56bd8ecd7209d13d0837b71c6f033ae89bbe7cc1aae7770e9ba52124fb5ffd929c877eed4e79585b7edff46b8aab917198ddf6a74d573b9ccf47f3b1f7d97cbe7a59bbcb2f0ed438eecae94f7006d5c14eaa14e2598536c37837a071cd6ed9b72c878b9d1e81bb215e76ba0cd4bff039bb2b7c4db87768099268c1b9de5041c3243315209b15ee81dc99cfa2bb034211b89f1a944131583f1b087f72b0a63bc1187511b4f2d8bf339b73faa6162d926dcd77396f0e39b533b657296bcd6e46475dddc33a1436fbf7e2b23e135bf87705f3a76bbd119d9d4c711da75de651cf8f02d8d48f8f7aac3457534cb2c45204ff46ea12190a7661e3cb82b56cdccff9f96c6710653f28c1b2e1ead24e09ef2be6bfce7f1880944fd1b7386e0f70e992fdef00abcfb9b277ff417e054bbc075b79d23dd9418d2bb952db441f0e92712e0a17884a60acd3446127719aa1520321305e2c47d670177d42415500d726dde18bceddc2f4ab17f050dbf20888257bdd859696bd52583acfbb55b62b82470425472b4b64a02677fee8b4c4fb93dc36fc415b08fd0f7bc5186ecaf82b24560cab3a3bb79f91e7d8a22bf8d59efd09426ef012c485bcaab4bbe7c5e42c69ed15557e630c2c97aaded06a18d51aa04ace19bbb97bce583cf66191b94953b0f070b5a32e49f160c5af9855f1ea5e02291f974175c30830e95846e2f3ce2e16050f7109343abcecf018a1cb389549d7c5525106872c74db955e4f33f3f86e38c5dfffe45686bf35a84b986590f33d57530125ea3ce3ed31d4295847c5ed1340a22218bc3e8597bb2739b55eee5a9c3c998b1866da55415a4bddb9cf22bac8dafdba6178eeecf9b9e04154857af97170da61c67d4a4a9f6ddb23258cf6fd1703e7220d7a0d14830cccb0954d9b4921b62dd976bd2522f2b2f86113ce2fa875f26d58f5779b16d42c1d4ffd0738b4489c2b2ccefae55099f8171d9b1b6398476b6be2fa9b789e62a33e66d61a5d7ff10029dd4e10aae05ae40e12e862d2d98ff9f18b923eefce9b696e2a773e2a89ec0fb332816d4349de32911eefb35d715c0fa865e0b0b78777fa08a88ce256ed754443977c3f806da9ca26a54c5823610116460c99afe44a678912915532e6320bc9303ce4f28cc144d1d246970a83385124a9229027c211727dac815eaf9a119fd892a7215fa6509fa232881c80e0a3c6780b928485ceeaba80830d8f9abaf408d1c929a120466e057a4d30130bbee808e25a6d5eb57ef51a581f5322670afb48d40b439ce0b8e756113785037192ba57b4285be38d4670829f863dc33a3fca49c8f58f8953a3e2ed44439b923e5c398b6e790cb79cd8a844450f086e770e6c206ce74968903136f0bbde0d212bd1890239054f2
57a5b0f81805b0dfa9d27ce6d6b2feecded46ecde172e8699423656ad431c5f6dbd24e2dac50b3449e789fb6e66521756f3753c4422afc49051c7825763599916e04bac0554a9f710642e3e024ce560c7532bb2a3a38073220e7c3ae2fb39e6e0133b7d210a806a9b88f4e13a7b43406405ebca415cd6f363517ec828a5e704b05599623d8fbbd4545516297b8bca5d990bb243c550ded2418292282cceb1c80ef7a706a3aec6e695a3fffc3f5ce37f579b986c27ee81789ae8541d3bebf624ffda6650a27d4aece4f1cb2ef7f13f40c2bde287cbce7c400ce5f508a44782560778409d9cce8698210c38ceaa66d03f8a02e777152068359464742570088ef5c475a5b542bd6c735bbc75f33f30127b0c4a9c4ec179e16fdb2a459dc0dac4256568041a19fc672c8dd2f67ef2d870ea59520dbedbf1e3a64fad80d167da484cb2ce92d7e0828886deeed1b9838140a8a9c0c1a69113679159e23dbd37f3d7779eb721c71b11cef8b14d976849952ebb54245c19b0b228701ef9f951f1e3e024f11b8d63c44a0562d6ba3ff30d6c3c644331c3422d6335072c77b71740c197640d7d5619cdd8e2330527b59ef15d0b96ba9ab8ebd775f45df018db5021e87f73a719ac0be9d36fe02735f9f4f6ce921883a52b05f2d505676cc49492a70284c3c590a89c074edb0cdbc6dafdda6e7123774ee64618eafe99a4dff441b004d32ef408f701cf35748b9c9e60bdf97c4c2bd57c5cfcc67a426fe5ed77cca7678bf50852bb1fed48b7a4aa1bf58f65b6694e79094af25f5d97f96aea0c82ed6be5288632fa5203eaf9521e5e19a13e4f24b1dde4058393be8faab1b077d3f288d0662205cf4226ec21622f81b0aa2867e1a565e4a400de4a98683ae8a445ac65f59b78790636dfbbe77258a8f568b743fa37186658d185740e95b39d3d9756660553458fdec896d65a456b5ab5b96326215fb73830fabd4d4b0442816197992a44eca9f618daf658e090e6e4fa16cc6529e37992e4ed67bfc6d331a6fd2299ded2436e1d086895ada95abd83ee0f1d72601dcf77d36eede5201c8f6eee07cc8b36801b1f5489f4ded0943da3dc349d93832bca8d741eef51ad0f73f1bc9ca8f0a04b053bcdff7a11662660b11c6ebee6a74eb3ebd986ed6a88c48a9f2399d6e80d70c6b9a7e7c0e5f6b805a3b8b6e8bdab6f2a6da910736c208db7938489aacd44e82782994740ff32eb6626a3b7030404ddb1bf5491bc085bfc8c741e7184ec8c470d6affbefc4576263a3166961e1c504eee8637e228c261361fd87a5d420090ad06aa3e39540efaed838556c019970faf1306356fdcfd68b428a818edac3b9dbf16d9ff4b0b8b45fd52d9eaab2dc8e59810050fc88d1ec8ff89e035ebf9ad891aff06f6a9376d229c8
d71990b8ed6431674316035cccbb4d5d1749a2fd1b5d66d9b2591a046cf192544440ce064d821f11ad40b2cffe83cc1ac18f4fd1c1c072a4576985ef15f31d5446de6b36a3a0824f13041bfd48079d3ebf543c37142aa6dde5b87e1d4c977638a649dfd07480c85beacffbfd1be7e9a98fae468bbbbeca077216e7946e7f7bd2c17507e05f6f81965837f60c1836e18d8def34b1e8ffa0c2f6cde41da73ad051781038428ed3a0550585c5e1b933ee11046b353020344d681e9d83bcd21158095387ab8ac66b16d920b2dd1f8e4b8ac9dfb594949eafd31b5e3495c5cfd5f9736d95341548ee003a4bad9dd95a4f480e5f61f961122645e11173cef83749121a77f48ed2ff3e4a28158d87c1d4602d53aca09f071942a88a653f9f70c27102030872dfe56f3148ea6cc1f4eee92d45ba7a5dca60aa9c4cbe832ae0184df7922a6a72fc062460081bd2964001db833637b428f7f913d7d7641fa98d76d7eda3656da056135d15f7ae5b2ca75c6f5e606d1796b69893ec828a41236f39da152bb3e742e82fc3ee7b62dec3f5ecbf4f66baee9b3f86ea642fd543283f97128aacec9f54cb132c6ddadf709f2ccac623737a53b1bda6d355e01bff73f1c43124c4484c8fd9c11ad736e442bfa4ca7edafcc1319c22485f04fd8ef2b536dd02bcf1fd241b25c4d4dc7aef109750665b8f9ec0c554bd82de1d5ee6da379d6220cca2eb14c8d3db2617152e448f964b2e5abb0f921dc8bedbfa1ea4cbf922c8a1733865a918b228881443d8fdbc3d5f575dc39c94974da3af4b22b68a5172bda348f27359151096ef041d4d1f8fb3b204ddf0302dc93286dec600088b4d29c6d3f55c1d5154d1e56d454f2a7a22f65a22253abaaf10ad6160c3ffb9f76531045e01b2a4bde5ad042ab30e3fcaf3e35dcd963ffd432724b9f03692c2cc64a31bdfdca3bd8949c1e3377ca332e96f15879eafb95c40db9bdf3dd34bc097feac69523c6c29c423923227abb1cadbeb710dbc2ace43e6831b858fd4eeb8fb2a540349faadce46397c71a7e0ab45c6e8b15f03f43a8fdc68dd0ec475af71acf4b4f7a13bd116e10da73c668e72646ca02946961eddb7565a08f40f738f23bbd84c686c76540e873da89f19e2c33f57a918a1043c4d182b4dad50c86b2f921d93820d3550d12121c8ac9681bf757e64283add0ceb4751d5428632bd24f52eb0de77eafb16e86824bc9c21b518fe1596030f0e27015908cde06bfb3805dfa46a1993c8cb2428433d8ef60c92a9be5c7bfc542a3193bc2cf2784647906761816aab0c31556fc09a603f3d5919f85275591c668eaf161467d68142e5bb0ed0c2ec76d5fd653205270c96eef8f5357196fd3f4b1bb7b2a983c07acc261eba25f2fe3b255b22e7dea596deb2df73fb47bd
7cf1070342b0a59c6975c066d5d7b5ee7e068fd3d9a0e0d9d4978bf97caf551000d9cf8b2b14b624d89ea47a92469a61e85e646a6b6a571a37302b13db3657c1d360a2bb336937859aa98607a41771c5f48e762b6e062971334102823d334a40396df9dd8cc4119675df5b8ab3d0965fb5f18a6ba9afd66c1ab91dbc49c25349be57299635b6168a85fd6b682bd3bdca1eb8dbb0816f7702117008e40f7beedd509778eb168eb0bcea8b229547c55048bdfeb9f76324070542130f255badb471011e6d110f459ffe53a2b60c2f2a00ddb272d34a83fb2365bca876b03afa395ae5d2c0f812affcb437a9f84fccf4ff790c2e43991d7a5757696d7ee6e92ce9e0e6e198f2f152e521dccb88a31616be1412100ce6dff66e3ee62b68f7d3891a9f5d938e1e73930d21b56076b9ccb86fed1ebd3311b7874e7a586ac0dc164411765d595c208539ae3dad52c5aaf8b9ff52ec2763eca5e1377dbf172b3de84f6d38beb5dd8a1fa885f5da105fd707dca4f744fe659b096deaf2941d1bb2093634f2ffdf38207a77673cc613bd2d2fc8f61f21fabf960c89b4adc82e9c855aff1315633769efecce87a24fced0c14f3f1e0c60e2a4ae3be7bfe2858721a454bd33c460e8dbb6e2aa85ec47c845cc5a40dc755f78f96827f7bdc4baefc47b251d4f96e0c170fa5bdcf3e1461893bec60a9e937489ab9c2c3af32a333da69af97b516b755048753cc99759cfafb51f4e4aae449bf322ee52b1ed55510a14a29b689c072088aeac0cf45e34b039111406a44bf7162380f35088ba09b8a4697bff4e5f6d1c69c8fad4610b1ef51490ef964c370fb182b47f1863ef451c5022399630776c43f33ab69d5b7d90f38f7e01059e3ddb3f4e89a73af0726a9d5609dc765cfcb5d1047980bfbf82b3914897adf8a3982d516439a38ac1819e6ce1379863878ac97fc4b5f2ff441f5f574e3630acccc51793e952c7e6063fcae352410e04997f577a6ab021725d8e25c1d101d584eb0ce9b5fb547566c906a0a555749f8ead9a9acc791f2f1e4e7233b21657f05ee2d75e4fbc71f269d2ef05615f0c933ab4d7ff3afd64b21adcf7ddb555d2ee6059c41f6a2f57bba943ded97cced510bd02cbbf52f9142223e2b030f8171643ccac365e89f3d322a7205a0aed36e94c1e300f31c9d71b93935d4ce1b3a0e42670eeb76b9b6002e6753bb8747c73fb7a0c702d2df14a75a5d1fd85bc0094f348505454998c50ea1aacfb8a63bc5c77418a103d8b6ecd6d0d4a481237db141fd684e64a0b63142631180e39eb1e5224bdf21a29f576ad84ceed390f3ef1228c204252da76f0e3b15bd426b1ce66727c1e700a0583cd716362607c0c09db433948dab990b445d005c98f6d401242dd831b0bc9edfcc8fe1bceeccdf5cc
c45272a45884bcbc957c0f1bb8d2fc3a625eabb2ff61f83a95a99c6ec0e1752ec432205bc248b148d1dfaba0a9cacf8d54d6fa27ab941e350835d64a562f2026a1b29b2f5199782b384c514c19d1a76b20cc824b510c3317100afe3eff9b01a02380e5bf46bcd373bb756337ce8687702f5a4beda1d25a2ccbe3d53fb00c957814318349b4bab4c9211428c867bf42e6c625379eb0ec5b75122b0ce70efb304a9ccd708df5d60753aeefb0bd95f451cadc34900f24e45366753c1efa92131d2effaf41bafa3919db783b2c9d22cc7e1b8f236c2260c9bf2e7a3b9a4ea751b7b55dd47381bcadd544c25728ae62e2d6a96fd51fafa5c76f61b8bf50b5891210e16aea7b8bbea3e73f61029196907e6c62bdfbead62be35e2c714b6f0e5fc8224378988f487fb4799c23e8718274f0ac6881153024e541a02bb392012dfe27f0815e56ac7f02b88dc4205cbb4d036cdfc58c164219ccec2444a4477b7f8a9c15698178bce12e386a82d3920d5811eea072ff302410642ebc1e7120278e14c6643cc5f238ac4765e1b45c239f7e838ee60246e942405c807a17b235465cbb17f03afddc69043ae73ae578f55da41759062d7186199ecdf507d12aba73441ad2e6057bc05b00fddc4feec6781284364a978992eb195e2b27571b15fdd10e9ab8888eb0826bcc76b5534b7f5446474a31b57411c525fda1fa2934022f6462f6851aa1bd7fbba495efd2c275def068c3b2fd3f438f987d95e8a96dece5c18ecf9fad5d953a2c3d38f66a4f0022a74335119698b5f4a6ff428538470d975ae1fe80fa87abba6e1ade85f5e5fbb96b808b4e4a435ee171b838e0a556c23c1b980af93994280ebaaaae79a8b9b0b353344276c687b82d2bbc432672f02c7000ce49870d74a52f8bf66925778dfe1cd0c148d443c903c019e440659ae9fa326de59db3a597b4d208a3d9c4bba2641371603e528311078027ba007e0e5ae077244d3f290939ae6735604ba178c3469df241da9243055fb7bdfcd348091bc29bb7c290cbc2abcb1634de18efe0882f3eb638bddd9f4ea3f8211ca8d23a65767c4b45427a7c424182531bc3a94dc823b2ecfa57484ff6e64d8ed098e94647fe84d9828bd0d1ecee854a92a6bfb411991982f44b3dbb3c71015c8cf6f824d47aaa715e94ecd6e46d3986639d27ca0a9e2635cdc4c52a6a5ccb6a03e24de7aea55c7ee492ac3fa52dda7d306c2010165953c2ac16775be79002e4e68dfca61a052fb1b2fc74ca4f203765ab60ccb296d8adf275bef5ff9e99d554713809412b2fff3adef94965921fb04f2c9cce39bb36a57f61426d7921be06fbd5900e095fe9ef930bfc53cc0489b46145f26af0e1ecfdcf362bef9c0869d277999ef7bfe9e37e1c17084ecf19079863f562b50c65
3f520a3b5176ce09950d66816e830792bd759b6150ae189d2b0d0c6c03e3b7a36ac41052ae58a7edd85b111100db8a68829706f7cd3d5dcbb7314e8cbce8c80cc011090fdd136a74d807d375b9fddaca0f6a181dacc3bc7bceeccdc3424a339428c0e1bb805a60e8b99337285dc65bdc29f2893c42ef76d7da18700fe3b5006d8d95c532a78fdb7334c6481319058dfcfc2ad2924bc3d4f111bc301ddce84ba64cac72e6d4830d8033d736b830a913c02e338ff106b97d9b48f7f023073dff4cd48b7fc61d338cb4839168881d4224fbf7524d8a6a7c01a13068a19a5f38c7ca034d13d582b2db8421b570b47c656b2d51edbc18cd39643127f5c8e0bf0685bdf6b44f64eb4c07d2e9117ca45afdaef6979d37a7eef70e82ebada130561a257bb63ed5c9c3d3cf101d42c70cda123ea81a9f115f8bb78256450dbb6cb2899ed10684e8e18a1042ad83653e21c4c5f48aa887d399cb9fcf259b1ce5fc659a860a08c5a2c5fb3c126073fff976a57cbfba1074063435fcacb27b0caf0ac19b8e8f8f06fce07482d65d2568f908e93a0d0ef257285103797cc9f88f58eed2cd1717167f1f2dd006f055f27e392705f1ccb650bdfb07d3ab777ab9ba3ac3dffab3b1e663f154c62113da66b2fbd270eedc94a9437012625ce8ba9f00c1c4a83d588e5fca0e5401c66391a4155f3f86f552ccf9b4f0004a4cf1fbbb9760d1812f0c43cb54637b0ebcd7fe167c7700ea0031a5bd318338be50ee2783384e097284b8e59c170e8a156828bc99e773314e6f7a1f5b493ac21d9fe858d48e98b977caf42b95e9d54d4f17bffc28cca75a647263825f129bf12049394a45e75aa0e6c12b23ecb2b3251099a95422f19e447f6d3d337f9437037403c93d6d705c0d5a5d201a8e30d6b48cddea751d9c1dbfd65c04112695feca2dc25e9d9e73e5a5e1b146dd2ffb66f5647dfe44c1dbf502ecad9726812e9ccbf19c72cf32b0418b714995f58742798b624494210de0d2888a3bd6ddb47f9034344d08fde2d6b2ef97815c6a3a6e7617924dc02d70d713daca363a44a9325c4a17d6b7754dd4232c27c2ab9f796cabc49347cd35d2e25f918aa4ef2a775b556a248c5820e606af7e3ed95d06313cf7a07c3b0571b8ebb05b4b9770a047d9916906270959253b71d26a16297d5c6f2ebd84f9140a0e4543052ed2f8561952029286a358d7f1e1ad6650ea206a469e87874d281c226bc29bb5ae95c7c2c1145aa22c2f2c84f1d431f46e94d8e372456e0ae74323e680348d361f89054aa99f90526c1f243f72d908d039753d0a960f7788da707fd1f2cc95ba7be64bef54f395329533938951b7c85aad62a79ffc33f487f803fcf6bf2c26e6f82103a6698d76bf780ef70f3dacfba41418bb55e4a16014c71a9a2e
56ebefac29a4804ec152bf89810f07b8acd9c5e697e14d40c3c8502c51182ca9e3870b392de488fc5d74748f700ab286e00db63f8c3e56d59e68a01b9b4866ced3d1e9106d1b7df659a14f59fd54f5a4727ab068889425c07a463da32f69b8bd7e747b08c7bcd323324c7f790a76f4dfa16f26d4242b16b3aa7ccd115f5ea17f5468f29766829fed9bd9d735d82b4faf5aa9dc0e4a577b53d9cfae701a54ebb67c75057053d8a4243cad178b9acf9c087518fdf50103b4ab347eecdf6a1c1b5d0c2a236d429cf78c2d21f0a7d213bac5b95d7d8c8ba71a28a21828b5cc3e87c67afffc37c7daa627343347789bc1316a670b298144283b81e73042039d627404ab5b6cc2001839d1fbe36b8de715a838a24c81d15d6071b04a285823f78f53d99491ecb2842f17de6f508441c8d3e75f6a35027c72c3ea003ed6ffd6c4043bc067c286406b531c0b553eacd468943659a586c17091b975b854dfb8e197bd72768b86458a9eb2e8cef2c6904579e6ef069191a0a2db735c5c8fee1102c0c7acc7c1f0f0b17913559e0f0fe6f19da77f878603d72170c398d11a838a5370edad089b0b0527a5cb07b33d7b38a49713be10f1ee477f867d5600936b6a9c74bed99a4db81e1cd7f959cdfd37116382b2f40d4eb980744772f73e1aa4a93dcfee36268845131c124369db4d0cca54d4f8c3899aace46adca0ce186ca23e2ebbbfb7b19ee441490a4962e5117782ae12c191f6dda42b96473d22cfe1636c460e56e7ab0548070db7a95fd6b3df5aed579b08b5815cfc8a153bcf141253d88c55b5ca968b811c0aad767a439db58677d5bb13696d6376aa6926b8f0acb54363fef2c29d358532eb252208471b146949f0af762f40417ced7bec03ac9752f2e16da680d29d9ccade97546fb9c0f46d911d735e9cc578308cefcfe8f406af2b7239f47643696f24443cfeb9f27259ed77a876822f734b739dbbcb9b72096b1e581e5fd12c957ce71f3c69a0885d02d46503798e7b09749c4247fead044aca5860b2242258763140f706e7509317f1ea81691f9d80d054535d639da733aaeb7cd4a9b0af300ea02d384380d50ac5842dd8fe47b82cda8ce9424ccee49763fe46ecca3e1e9e10f1017e333eb94ff1d20b3e59b92ca10872c482a4c1d1f1fedc95272bef6173a58d94c464cb52f34759dc644d972031a1b5025022e8f85173efb913ea59cfbec4da2586b29308a4d418432a79972b64d9c756905b96e2426f634860c944791ab13cf4010c83ca630d2ba4cbb55505eb0790194d927164ae80c0db21954943c66f5bc89beffbdb3e22a3838406704e1bda3aefb5fdb2a71ed23b4b75352aed0db5c8d60250a49a9e4899b0983efd5662be361fb28288b620666e05953cb031407c0a2605559d8cbc
0421cbe61831aba85c5d62c1baafb86b1692456b6f0628289bd57bf9187b40d4aed39013f857d1912e561fa3b5998168662010a287c7e205e4e8a9c13ba68ce1de8561d9afce4b5d57917558e13a7cd3f4ab1fdb2c8fdfa4f61b8ed6d60ead1efeb9216a1fef78fc2099e8716522d3cfa575888823f558bf15e30e1ca995ce19c9069ddbd57c409d52f0706cb3e562fa18405e4181614230acd0c51e39bb7d9621ca50affbd209fa67bdb7193cdb97dcc6e5a7fa717feb917c13aab6c41cb4f2541738b0dca8b2b129e5f631c2a8fc77f366078286c90d83910d1604e805f9c2333b853c14bb4a3d5f22a641fe545121e14b7b1e3ecfcfe3ff8914a716f2428724c3ff13188b5d06c8ac9715d54e81836b2f9405ea8e8515177091afc064922ac4f409fdd1e1359b640f6337c4a3fd4a3fcd3bbe63c984671e15654c1d6621de7b3a95241c1642fb7a713ae1bfe8aac7bc26f613fdd226b19e98987c3041cd84d5ef2c78faba10b0094968f2747d42480a7b8ddb2acf2f87ac4dd22bf23a2da943c35e76dfec22234c0f254adb8e3d32181ff35809f41a619e646ea3ab7d2554cc237eb80aae024aa3616369d00bbd6c62b6e17c9f5d45bf780c721bd49fceef369349f58191a19d468e73dd9fcc6e38e20d3b131a9c67778b4f6cb8d4db5dd09036908119b23de74af79d71abca4869357b9c5e808dc60b6a4323b2d5b8b75e4d8607207334bad78418d6b7287b90d3480ff5946c5c41cc5291487701a08cb436fea3aa7638aa5f4ff7369f526783746600794f28befeeb543a11c3ec5f3245e3e0557abbca2c42ad2dd7f7d4d386884c70dfc1e45d56cef5a086808f3c94bef9881d0e45a98a731ef16a432be8bce4172b4a8b8f12d2ac858542816db541f11baa9f8632fc604dedbbf197c573a293c96465e64eb1e2071be5c060f168700bb789e993264551620303bd5fee285129ffec0eab47ea52f856224839787d2abc159421016c18597649607de74eb86f7454bf2b7dfada50c780449b1d636de6374f7fd9109f5b39ba67fbbc209e37c57610ee7811e26be2dab80005d72d19506a23861b88208a883dc9216c608e7d858e33f58088a05ec626eb3edf9ac3ed7de4ea80b0c23d1f0d6ba248c31b200e28702a3e713a7383bc3b6c660c2e955c39b6afeb4c9e0a72fc4e1e0a8c00183d8123815f0e943a7bae2bcbb1d4eeea175abb5c4b93e85d41542f6b8cb65bdf10c00fee8d8e079ccacea1f3a0912ab7ce1381d821191c7cb4be46bbf8cd07256b0f81be4758f35fb7537e5353080efde7521dde5e9881fc91bd6c7846c77049ac303c32ad9de7754d06e00a9b8feda1abad27192c550955589a6c41cf14bca6cac53527a37f4bc08b9005b42b9c70216c51b337b335fb5a1cfd9c
d6b59f76ab90affe4732c7e304b9ccc82ed6af679dc39c91998fa682cfe4a6864c1b79e5e2da85c3211502aae5764a004a3b3d41005d5cbc118deb022a51fc1ca56f0c6f5732266fe215a3cb6e949698bb1ef1a7e67ddeb8b6bacf9aeca16b073309d7a7f8edb56f223c39dd2bd08e669131bd51b8cf9bdeb9988f71d8e553324492790d6a7aea92bb41dff044af0da6b0b403c80c5bc4f6fe92380440372a0e993a4ff3923b327992517041db7ba01280cdbca96667a0f37213c204cd7bfa009c2b4adce2846f9e9eae207cdf5350b30d0ec746bcee5b29b44fbbe3910fc015d164deabc65e8fc44253a7e42c38051fe184408271f8bbe0efc739a24820d97db1a5b351f3c3f02b17ad9984bd4c140972a71680ef1bac678830d5fe38562bcfcbdc268d8feeed8c7da82aee6d12ed0ca88454f2631d86ab6742167eb34eec9360c8227bf96fc1b17b3d0bd5ec8b297c61407c6fdd3d6965dfcb363326a85f0e84773f9fdfbbe3efa72edca1f6cf8c230738e104c15947e8f54dc46a67a40e4787fda23bcf4e4dcfc43a213fd09f1c4e61143d4ceae85fd5237c141d1f521abfff83cf23c624dbef356fccbb880c729664a568d54fcbe1d264deef7ab4d7b9be1d0ccdc4e6e78b324270a7fc806ba7c5c2711a34f43d3fcbda22968dce2372cc3fb35aa6578cee49b7425758be5fa1c3c6729f9669d9d067e56b7024a8ea7eb118be8b65ed817a7a2838ba8959ab9f3cc0c9b4b13945e1ce89b02f86166aa89c504a27503d1f57df0516284b4b4f36265b5bc9d8393d15f6b8d2a18046f78f2ecbcd410bbd2842be4ed69dd70a534490befd3843e85b12f964a12855e2ea18002200c728007d3ba098a7be3afce3608dd533eecd536c4d8d7f4da1ac96ad45c84e811ec3df571c78fdf7f8b9d0a1a45882c53eb2891bfa6f5dbf4c5b81ccbbc1ad6d73847f014841eac73782a1b5ead5cef12bb5a1a4ed82a9f4faa96cf303a5904c5d51b3053b141eaeac0b4b333e4affda6e869472c634dad1f270e1d39dec683b7e84afdedffb1daa22eb3ccbda3380437b67022c83dcdbef46978fe85e4b0e066621c1ac5372b955ad5b9048fd0f7ec567f1cd8e74ec8dfa4d87f553ac3b581ba69735a8d4707cba2d0ee9671db59b2790d43e88390c2ec109b94b1b55179b39f79026c8f1685a50c6cdb84c0770b30c4fc2f4690922757878d607d3d10646725f2c07e8863a96fe35e5a206f39aa74891a643acd4b3e16e95e69118b33c5a0bb16ebc40f8cb25aa3c1ecf83a9fe5c937381e165f273bb0476bbf8cd351510a53138124acd75ac598528d6bb492d1229dd50c1d867181d20fa6e2b00b46f5cfe910b61958484b176a6f168e9161ade81411eab0aee2051d30903af597ab648a2062dc4e2428a
6efc01d3100e120ef09578596d0fa3f36721b7423d477bd9c74f77418bde1bb94ca8aadea4027ec2e066ebb5fdb37eb841a8d0522349f71a0c4c9a4ed958b0c76d35e6dde3ad296eac72409ad47574bea30337fb226c335d78f5cdf8612cd1e04e7619c808ecdf2b9a2ac0616a0720d6c3ca856fa8370d202f3e622d547ee3316b3ff1d271970091d00b338871f9b70feac6844c404a9343e4cea8cec59b7be9da09b9d125d73f0e8823d3fa9bd247a1add73a73064ea265bbad9f30aa3424314a48eb710f4d5df40258e9299335443226d4bf7812febb7b2de941ddddfd88ffbfcb5bf7518b8e99933bcbe477bf1303c263133d9ebeb1549bfd552065c783ec284a9ce9b553a20d7b77548f49cf519049ab5783afdbcfcf6c7429e76ab5419ebaaea468f8181d3adaf30528e67950b5be474207c1a7a81f0f3db8aecb28d79d56fda42b955194f6e47ad33ec19f8d8b996fb6d8b1818981aa2af6e069a4608258c5ee64b70c9fb3a0e45cc014e4f9addf951da9a06727dd22005c921dcd79ea3c711615b8a5368be587203fabc96b712bb8b7f7361dd268bd76a26931566a23ba17c56db36e003e6b75a2e756fe979aaad3b304ec8afeda488fb40ab38d3a920264a4f2bf1dbf55620b6093a9b36699b9c32ee344d043a4766184f102196feb205cba518f069952b3bf8f857aa2b16a6e55a1fd0004b7e8a5549a8825708a48bdfe71d2c138bd0de81f7f3686584b3ee09ef695a6fa68c2a2bcbf76da1734fde9ded42e4ee908e1e939c4ebcfc1dd5ebfb50ccf79bc877a396bfe76be7afe123c5538baf0e7c286a0505c63b9b9493960500153751017dd98eaa898110429ec87ab32d6d6d3908a27128463f01da7d7a410182bbc32e667031835e8ae20ae46467a73b1ac2f2a18341dc64a558c75cb831cd3496fbfcf42d88fd609886c90d8a71286aba45f8c7edafe0176eea6050d36f202f7c9e6bb7924396e040428eee610c4abbbe1cba688f508f11e01d4640e6c87c45d29cc3dde93d428b5028ce4c1d9bb95907a557223bfa9e9f6eac9195aa1b4990a9c125a7e116c8e5510f69c8b741836d7c43f13400c894f366a7d22281ff871782173ae78ab8740296aaa999587cc0005d2f4ee7b1b9be642ac1e496bc29946f72cfa6426cb3b07a2e948c18d2a1bac5e5b08562aa5f5407635c18ec0754f92d769a23c5e73f570c23b3d9561840d39b6a7271d9354ed79e26762946397df3ed2b2a692fcfe5109ef1941bc527658891033d97db15a08311c51fee65c8d98723569444e3945fcbc81632d19dcb9373868aaf4a6a3cdabbe97a915f83a386deb483d3dd126a9d1ee7b2b4f386dd32566ca0469aa6c6d80f982f90dd6be7b3e6e5c231998d88951ab0eeb8bcea07f82ad8cf2604823
65c413d48e7dfe108a91b2cbbe4cbe2f9a52132b4d54fcd36277225c68ac40b5e3b443d543b891476f271d2352b3095bcfb083f2c3a51f248cb4eb3085d0c910741c1ae9dcc1445358a6bf44e626a954dc909ce85c1bf979b88cfac5fdb65d27e65ab08245aab32fe2dc08ac6312e0fb7f408d75e6b01a3ccee722540016b0247df32bf72a767c76008a92e0b11fe9c05004545409ac608e327c0d7dcbbb887c36c33cc9a0e6906c177327f2ccbb43a72d588eef87501112a1b643731d2bcaee89a250663abc668a3cca8abd78c2d23f9e6643df9bc3028fd56b34b21bcdb808492e35de98c316dc7deb4112fcead0ad74937997a397442d38eef00a7b4d31dce64f9bf09b514741bd42dc0d3cb1b310a34bddac411f46a523113d571b4acb991dabd8f1d1525223c5656efc43241574ff51c847fe329ea20c1ae30eef094c0e64c0de95d727a37bbc510214fcb3bf6ce4acc12d76c1931e0efe47399a584a590ec68787b17566ab2e518786e858246e8474afd178e236274819a3dceb7652fd74ce86e7f318d82a25306f43c7be9f6babbe2c96a1b41bf442008065d59f8b055c364700624308332789632a682fe243a74e6626127273ca87c3d172fb12e5f9ac7ddeb4b106108652448dbd15598a4ed3fa649b93c02dea87768131d49656272d1848ab4230369a5f043df758aecab659430d5f1045259d3506fb84ec7aac3ab5b5bfcb9689f3c1b5bb24695ec97687c992d10f2db52e0088e5bb7701e36570bc51d376b249597f030e597a84fc61756b0c17043109b035592c2f6355ed8072f5e8d4c155c4f119e07a67062887d1d5601fcfba1195c8230e69de048544e7153108815f9b64d21dafb1c9f5865887d4bb11e1d4dcae48c91240adf033391e1822c849f38a0a29955e653d069ff4d222ae08c14a8d024d64ef1060e52490cf0377b6a7f957e61764aaf155669c8ef46795f92e931c6bccb0b0125f60d0c557c89e67c0bbd0c5a2569690603495ec1e653a39f3b574cb42df7d84989dd3c57df8420ff18f0210462e652a573251ce56b62b816c4257a2be69165c7209a2e12af189961cbe35b0b14d105cf9c8403021d98344a5372ba79ca588092e418519b8002a2a090bbb843f6adb13933439e422f3d6f0317f49b4c92eda47c065383cf4ba9390dabfd757e63e20aa4f2c5e369b05166f80785899e22a08d074e2535a64b814fc105b1b68e77565da771ac638558a611ea4c27ed209f52eed08e53041e1a5709403c3273ed21e3e714cf12448ae0d69fb10482628bc35b031642c0fdc0346e38cae9872308df9c5f1256da8d40db3a048e42ebafb041662e23affced6e7f32e2d70d0087306fb1237a937b90523dc3d4e3939ae06fcea703a6d5bbae8d99323b121e6de5cf578
1fdcd8604c632129b66e9693431e04982ef5803cd1ecc3b2fc6281de955fd5e5f28986ea298524d23fefcc2f30b97b3900e1dff4eb2629de4761f9564d3c3dfeea05c633ab1f689bfa8eb5acdbd97ec6d15c4577ca900b401c2fab73bf704f2833183f1903f2f35dfda0efeaf50cf51b352c3f3b970a6150bac63b27024c6ba7d53d49d3abd9e23e4af60b3e004969706b215188fe2bb911ec4495570bc8511cf378578dd1a1c74ca1979834cce7742b4a6de492eea4cba3e63ebc661d17329ca017479cb3d1a16356b336b03e3a538c63a3f5aaa28ff94ecc31987f838d08b3c82ce7b14846bb930510025d8e514c194bb037dc70c72d56a48731c333d7ac4b4fbd410d408d1b879bf50baee91bb1d48880c20cf11b76a8e06e57fe895a82bf99746c1cbbc64469bc1b059e3a621095f841ea57af815dc34a00ab9cf4d30001c9712665d0f98b64083b177e21901bab8382a39a091917aa9bec1dc7bd11f7d3e1289ea746215636c17871f3267de96584b521e1fa3ef47ce41a6f25aba64a05783ee47f6bb8d3f495500d56ceaef1e3a0f38edefd53da0c6853f1c6c24fa434840e558b6d212f90121db3df0bd4f73b54b3ed9fcad65c5aed7c476f9cb31594d5899a32d979b9e20376b715000f314b7d24f99af72899c65f671e522925bfc966dabecbe3081a5a5d610417519d8237a0d102180329ec3c2708d3298c506f7a9a88b15c251ed48741c4cf67ebe00d5c8cb3d950d943c40f043a9d7ddf671577c5bdee7ad10edf26e1c48d12e99d70e5a1c4642af393c972872cfb1e11315d22dda189a36cd35d9b01733a4993f1cd704c36dcd15eba9cbf252a21e5cb17183b886be2e00d3a32ce09328f60e5c1aa26c97155608419e4429943571752fc53ebef0baf5b672f01346ca0499fdf16df5af75823dfa595872b569eb65a930caddbe9673729ee55efc49b2df0dda031167590d976202b78614bcfcd91735f5afd2a5393dcf192be245a0bdd673c6c81de5ab104c5214d3ada64a84e9dc9616ba71678b6f8a564d956e4bc6aa52e9b92961aeab853bcf7ac1a069ee2b81fdfa2aa85aff86ee3c9ca769dd3bf4da010f08bb9e87f2b9000e0b2cac60e3aec7f2e8cbd63d4509d228ab71ab24afacba832f3791bcb68910ada4d9b588a4410aff25149028975bc71bf36ce82897a796f5d5a98e3057dfa7a8a3a021243467e11303d1d3d9d342d6e6a3238a420d90b018cfb90bc4a68e40b73d3133c613118cb6871339b359e0136d873905daee1817963824c3dd9634edcb4f24b35083d4e72ef28a8cc1dbe04d930f99f567e0cd7fabea8315e8d013042f6008bb0a8e5adefa814f79e2f70cc4171af32c431b0b7e148b071df7575d720973b08646b0312e2a6874689a58430ea112f6f
c4b5a56c78534f5809f785e6094ee5bf38be21676e4fd71a193033b0de273c2c1452c1c3e4c6de0f499d9839ba1625640a1b2eea532695613372b1f519bac2c6318d133aebb079f9e26d7f47b5cc410681d09d23f167fc5a43da874b9915249afc5c9195ae2229f21a14a178e66deb6dd765b306d9ded7e511945193194f118bc6e1ab326e2e8cc9c116ee1d6122793663319ea8721704c15eaac549e2ea9ac4e7b9841ab63c5e12f80f5081a4f04b0abd58bcf2c2c6965fedc77cc0222a4003ce7f51c130306f74ef98ff1cbf65e02ec98863d7ff02ea309d417d0e6a75c409be4019db6f99ceee78e39ff4d625b448761b4913b43524af7d7ec0dd0631cb97a8be0ad239c2017e9ead8529c6713c760e7b104869162f38cf4111644be90370dd298bc1a874b567e39f606f394f62fbe9b5c6111ed1f12193168f2af7ee60214171578b6c2181566608a3ff2fe42f7b04cf4674a682c6e2b0db02e4210ca10d7126ff38b68782e702a7978ee7a31bc37db46c714858a7d9fa88f86b435cfbbf2d1505d4075588b0543d246283cc09d789f1ce2a60faebf09e11a41098184d3b716e0d46eb6580208cb74bc0142075f35f2bca241d077560ac7dbbd240ebbedd9437c22c401d6f79656bc1f75a5c2c625714fd73016d4d9d0223c65d76e19e944f92936554eaa3a68b062588824d98f07aef58d533e0dd6a1406f4c6dd59b611e7679cc27736816288d0cd9d92088d00afe5fc7dc1527acd9c5cb25e5ac01092e40b530af711478db5c071546a4c74c429c2c77b69bd7c5397645ba1d0d872273daa6db759df53c0a718fdafb222e6d49c44843a31f3780b0bea398e005f53e430ba2bcec7f5ead0ea36c10c2306cbd9cb928e5d788da1ac27366875a623df30263f7851481657e16782b2a27168c105da4bff690a9cb6cc2306324e1d56823b649d3ca9eadae4ce5e0d6969dce92ecf0c0e81feaed7bfd3fb13f2d4e548cb724ff0b1685646f99f754df6a2302c498633573eabfb2802710dc70edb366be7f343f2476ba19e371ea3e041278ff01801c5de4b057c59bbf251404018631d1270a9ff0a0f0191f3d5797498a9b71854736a945a6f990d967f29f5a0ffc7e20c5b8001b73cbe20d75a668b6961b44aeeda1b57e3520de141e4cf32deebda2e562304339e3715389be537276931d78510f83286be11ec8e8ec14f67f603e18dca9f929726be0c337216b88113f00f4cd5526f40f294d4f72eaa120bab0cf536779903576436d22df5953b87a591b5092fc8e5fc5097233947fb07e6bdaa80e18a028721d76b9a8be32cc4c70552223cd1970abb11d33cb1cda59950e18a767df6aff5fb37488621bec27b9292ea88010c4926bc61f9c0fe20e4187da939ff2beb66ab492b45f183d856
be322992a7404361e5122cb8568d8ec53057f0d94fcd2b897fd315267afc7a38a99d105448d900619c7423271686f290433546d98565e5f8bb3cc0aa8cf8870bdaebfcfb4bf45453608d74b8aa0bcdd98e2cd8e04352df3e6cbebd384ca197cceaf4bb5139731ec1126d08d217e292bffc3bee368b9d96f85fdf5935587df107a20d05880c6e8e6a758f14e81077011e636adf6ec01fdfb96db24be9a62c74e47a9360055969fa916bcac2dde45e719cf99729766a27306d7353a3ba7686f9ef0405966fdd77c616470b6c196f0286ef16fe5505b1762102413679e9c91782b7ec6a6d04813257b2427458afd627cdd608d408391e67412278af0daa1018ef8876db102a92c031b5a2aab225d2b84ffb6ce07046e9398ba80f21bc07934b4becc299b1cdc27e9c379801c1c3fe3ac0755cac61f59d044b50525dec796e001677ee39d77705cefc294ff9d8cbc28f7984c2e9b7335723e79855b7e92646d11a61c9cf5468d06b54950ca7c42991f893e91d2b1d1e7e4bf3b8c02c7c0a640bb80c2484d5a55ee001019cba3ee242feed1b0d42fcdd7a18ba1e7c2ccbd318f7d17799dccc93a9bee9fb11410449daf8014417498f4a33af9d0ec4f9f1e8068033b8b452c8f10b8b2f62f431658048f5484956fa0977fd980758bd6dc9785ce1293f702afe545286d8804333cb5ed0f7c1a4b38777523b08db5b09a6bb3addcbbd095dae75cd424e30271ed94630d36803f77f2485a11c2cc2b8e78a164ca1c5d514c262429273bac0865320f4f8b950f0e54db424284bb91e8232df4a47e5bcfd4c17ef96f9f6a94d720cb457ad778ef43ee58773d6a2e125a7727b3fda4faae627c6fc7c6e73aa95dcaa72604fa3d5965ac9caa8a4260bf4d47821de3f261c214d762d8f55f77ead902ce343829166ac0b316b6e5b1b34d8bc3e6d64bbdac9fac806fa4e48c1ce6c1a9bf0e565ded6d15fa472bd1fe688ed56b9ce8940fb62c4ec48d29ab8bd4260bf7bddcc09caa9402fe4a299548ea2738f324d66bdfe3a0cea466c7215d68c028ce7d255e9ef6dff9caa4f99ce74324036328f2d717b55dc3c48239cc0cc359a3725dc849f894f58b6908714eff472aba37ab283ccb7dd5707fd15845328d23309b45393755f28b4fc031777f418a4cd11ccdd0ace104c08dd4faab8b56aa37b51068b8f107fb392f6201028b55137dbc6211a6e67b657176b0a05a20696d496d852249102829f96431837335597ff4294fe667a039aefc268f47b986b22c2338cd639e5cc79e6917df9e8132c6a42df0fee096cb192a7ee8a4508e2642a176e28b60729373b444ecda1ce2da57cb966c1d285173c36f9489b1f08db9d8b4b2dfa0e7de81b499f4bd21765f10904b10b30dbf7e8301572b564b4ca57e8349fa410
39712fa9aceb450a3d4339fc2e909a8eb9a3a56ed1b0d5996966e3437d6e2d518746d8f8697ca9f375d76dc06059446f2117b48b2fcd081d196988106b13e5afd4e042ccc20016adf2069d81fb303af0778dcbe05688682527017bca7ae1250055882bdbb5d1f0cc54c70cf3be35fe8507b1b65cec2cbce09495ed7af3816eea9f775b31dfba5e968f9fb6ce23598d8e52687142d867a468b55ad9b7106885a5b5f35f33548bd5001d18a3d4244144666c2081db896732a96d80d219c5b7c4ebb435a6d44086d6c411b8ef85455fbed093e5d168d2217c05ba1e2ca1401286013442c4bb01cd440255c7bd0199701f961bdcad1e376adcc20f96cbe887a24128242f8a7996b18de6d01325632d0d5bd27dae2d0a63a7a34c047b9bfbba9abb267f9f097435a3108a0c2686d9cc6ab4e7100097c45b3e58e2c610802b02d108b04cfd218f346ffcfccfa2be06b2ee9327ed4bae40f6cefa6d0a741c740e0dbd12c2cd77ab4e56150264b0cffffcbb27679f73099731921e38eff187c939587d14518c514fac44e35d77a975d1fdaf34e9ad2334131f26c24bbc13f2df90666341d1f5edd07b8d53b7703d4ef25bdd7a4272c0c17f7f6d5914bad5de0e77afa25af1eb30f18f1c6d52c996463351917de5f612ad6d3b57e1e0d9c3cf7659ec28110534f864087864844ced73b49082b77477be465faac436388dee32dfc3dd0cf5dff1991704c8e8d6aa22b3263b66b23f3180d11d21854bc2ffb2775f7a8b3601e9a6e5685eb265450a222118a5115c8dab86db406d8e4e2f82e7c41214ea54b355082bd153a7106048b72984dc0e01e4b8252d36f1e9c4a1b7179ae2a656fedc990cf54b2c4bd927b034604b04989c76c6782c496c23ef8e7958044d5e2a0caeae787b7303db8594005db1f8127dc7ae3c1617710ca451fcb6ffc9d0e5d34f19d9ffeff61325d4b4524995fe0fdb66dacf9de64458d3a28ab8fc07c9d370edcfda9e9c87416039adebb7c99c447624ba0cb8382d2e4c0cf1e8a70139c4c08c1d5d51548d2789fe71708081f2cfd76a8a897677c0cbacd129df1694941d26387d77d6f1aadb7fd4434121c267211843691651dd228e377256578c3c88ddf0426664e86511a3f8595d7bdf37ccaf396bc9e7cb0fc789cac81f6326c3612b3b2290d07041dd0da180a3f74ff96d82348060900216534c3069100704afb1372d36260432aec3f88fd0a4c4ec7ab7f002397c8ac60758f2df97dda34c302ad5bfcf0c15dfec61fc7cadfba50021d0a813012caf464cd6a16cce4ba49078c4c92b3e049b6d955bd0f99121af65067cbf88fb2c557840e6b50d92ef387ebd93fbbcee39a83749249a6de6174b88ec04850ad88d42e425de196fa9299f637102e4b19a86365df7d462019974
ab6e790ee909ba3930916473a3e9d5aa856350126933193c807746e34e2f5451672e08e0718778ab3e3946611834948f192f204a06c363355457535c3eeb8a3bfc9dcf9e2a5bd648891255907995e923114b5581a8d74a60fed02f184ffe5f14fce6eb63f3d2bfaa4f16dffca143ea0e922a1fcd3a9f3a506239191b1c25071332ca3adb17e95c77b6e55fc0494442d0574c3bf54326042313602e661b5824920fc454e54c224d7a92e11059e04aac30e3691246cafcd66624cb17907db1dd0702de2554d2db0fe639b8a49735a59b58393a57acd3be6584394ac36d328e354323a8b9c23c9833b4a1d480b55889ec6f6f4fc64a2e91a98705ce5739a9aef3b977515b9370bc5fc69c5ddef488c40e5064653f6ed2381384292087879988ae37f41b515ffdc01de8da66cb9fc6f0ba1d5d6ef7ec616f575349dac097d141d27036e2bb74b02b7d6fed9c7481a84bdd72e2fdd7946eb6793399ed9f7d2a780769b3933e25691351d3d766a0fab511283e2b818af89a2c40277130c1ab6c85872b20548140d57e0840a23f5ba7428e8b6e9f7f5318cb5a5fc1601c06f3c892a1cebf9f08eb2eaeeffbee2337b820e36797c8d33570106eb31deae4ce2e0b70ee9370dcd6a48b4b6d66684b2e53d0e6c1d41bb28f6c7219010418d88c9d17065a6044b3e247af1d2ae04a40a3b64cca6be89f53c39f81fb9449849e368d220675916f81206e5d3fbe58dd4294f89667eaa849f02624ceaec0eb2431a9bfee29e5adc57") r23 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000014f40)={0x0, &(0x7f0000014ac0)=[@nested_amd_invlpga={0x17d, 0x20, {0x25000, 0x5591}}, @cpuid={0x64, 0x18, {0x8, 0x57}}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0x0, 0x2}}, @in_dx={0x69, 0x20, {0xc003, 0x1}}, @cpuid={0x64, 0x18, {0x10, 0xc}}, @nested_create_vm={0x12d, 0x18}, @nested_load_code={0x12e, 0x7e, {0x1, "362e363e66430f57a90098000066baf80cb8288fc686ef66bafc0cedb971030000b8c7000000ba000000000f30420f01c866b878000f00d0400f01c566ba430066ed401d03000000c744240000000000c7442402493a5664c7442406000000000f011c240f32"}}, @cpuid={0x64, 0x18, {0xf, 0x4}}, @nested_load_code={0x12e, 0x60, {0x0, "c421f8107af00fe7649a4f47fb0f01ca460f08b9800000c00f3235008000000f300f01cb400f01cbc74424008d000000c744240207000000c7442406000000000f011c240f524b00"}}, @uexit={0x0, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, 
@uexit={0x0, 0x18, 0x4}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_load_code={0x12e, 0x56, {0x3, "0f01df0fa866baf80cb882caa98fef66bafc0c66ed670f01ca0ffdca460f01b3904e000066ba200066b8b7ea66ef0f0132c4e161eb5800b9810500000f32"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0x17, 0x4, 0x4}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @wrmsr={0x65, 0x20, {0x32c, 0x10}}, @wr_drn={0x68, 0x20, {0x7, 0x2}}, @code={0xa, 0x56, {"f341af66b83e008ed0c4e13573fae7660f74a60000000047dbc1450f0866410f3882941f0e5839ba470f795500c4015651af4104000066baf80cb8e27ff48def66bafc0cec"}}, @nested_create_vm={0x12d, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_load_code={0x12e, 0x6f, {0x3, "f3410f221766baf80cb8618ea184ef66bafc0cb000ee36640f2139c46241403266ba430066b80b0066ef66ba4300ec400f23383e0fc732c7442400ac000000c7442402907c03e6ff2c24b805000000b9970000000f01d9"}}, @in_dx={0x69, 0x20, {0xc3e5, 0x2}}, @set_irq_handler={0xc8, 0x20, {0xa1, 0x2}}, @wrmsr={0x65, 0x20, {0x12f, 0x2}}, @enable_nested={0x12c, 0x18}], 0x471}) r24 = mmap$KVM_VCPU(&(0x7f0000fff000/0x1000)=nil, 0x0, 0x1000008, 0x2, r23, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r24, 0x2) syz_kvm_assert_syzos_uexit$x86(r20, r24, 0x10) syz_kvm_setup_cpu$ppc64(r20, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000015140)=[{0x0, 
&(0x7f0000014f80)="04eaa0ef0000603c0000636004006378000063640401636014c2803cd1c0846004008478830a8464be018460273ba03c003ca5600400a5782772a5649d4fa5607c62c03cdfa5c6600400c6787811c66430b5c660f2d6e03caccae7600400e7785198e764fb3be760020000440000e03f0000ff630400ff7b0000ff670048ff63607bff1b0000603c000063600400637800006364fcf463607609803c6cdf8460040084787cb584645d858460f3c8a03c8498a5600400a578a16ba5647c44a560020000440000203e000031620400317a00003166980031620000403f00005a6304005a7b00005a67e5135a63aafef97d0000803c00008460040084780000846400808460dc39007c0000403d00004a6104004a7900004a6571994a61a75fc07f0000603c00006360040063780000636408ef636009c6803c1c64846004008478b4f7846466cc84600380a03c458fa5600400a578cf35a5647597a560ae5ac03c1931c6600400c678a96dc6646f30c660220000440000003c000000600400007800000064120000602401007c0000e03f0100ff630400ff7b0000ff670000ff63a7ffa07e", 0x1a4}], 0x1, 0x0, &(0x7f0000015180)=[@featur2={0x1, 0x1}], 0x1) syz_kvm_setup_syzos_vm$x86(r5, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000151c0)=0x1, 0x0, 0x4) ioctl$NS_GET_OWNER_UID(r5, 0xb704, &(0x7f0000015280)=0x0) syz_mount_image$adfs(&(0x7f0000015200), &(0x7f0000015240)='./file0\x00', 0x40884, &(0x7f00000152c0)={[{@gid={'gid', 0x3d, r16}}, {@uid={'uid', 0x3d, r17}}, {@uid={'uid', 0x3d, r13}}, {@othmask={'othmask', 0x3d, 0x7}}, {@ftsuffix={'ftsuffix', 0x3d, 0x100}}, {@othmask={'othmask', 0x3d, 0x8}}], [{@fowner_lt={'fowner<', r25}}, {@func={'func', 0x3d, 'FIRMWARE_CHECK'}}, {@smackfsdef={'smackfsdef', 0x3d, '\x00'}}, {@hash}]}, 0x0, 0x1c, &(0x7f00000153c0)="$eJxqm+Dw14DJSO1/e8m97d/2AAIAAP//OKcIHw==") syz_open_dev$I2C(&(0x7f0000015400), 0xe, 0x420200) syz_open_procfs(r18, &(0x7f0000015440)='net/mcfilter6\x00') syz_open_pts(0xffffffffffffffff, 0x0) syz_pidfd_open(r8, 0x0) r26 = pkey_alloc(0x0, 0x1) syz_pkey_set(r26, 0x2) syz_read_part_table(0x53, 
&(0x7f0000015480)="$eJwAQwC8/xqlOy2XIlZYZGJIETVblKDS140J0glR3zwsGkmIykjUUmHMRz5PZfZ25OmzjN5Kq6BcIOpvN6UpQpfiwqdtflUtytgBAAD//9ZjH6U=") syz_socket_connect_nvme_tcp() r27 = syz_usb_connect(0x1, 0xd9f, &(0x7f0000015500)={{0x12, 0x1, 0x310, 0x99, 0x45, 0xdf, 0xff, 0x19d2, 0xfff8, 0xcd35, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd8d, 0x4, 0xc, 0xd4, 0xb0, 0x8, "", [{{0x9, 0x4, 0x5, 0xe, 0x6, 0xff, 0xff, 0xff, 0x5, [@uac_as={[@format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x82, 0x97, 0x9, 0x9}, @as_header={0x7, 0x24, 0x1, 0x91, 0x10, 0x1}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x64, 0x5, 0x5, 0x9}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x9, 0x1, 0x1, 0x18}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x100, 0x0, 0x1f}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x200, 0x2, 0x6, 0x6}]}, @uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x0, 0x9, 0x4, 0x1, 0xdc}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0x5, 0x9, 0x6, "42e9"}, @format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x2, 0xaecb, 0x0, "e0ff89cc39b242b2b0"}, @as_header={0x7, 0x24, 0x1, 0xc, 0x2, 0x2}]}], [{{0x9, 0x5, 0x1, 0x1d, 0x20, 0x5, 0x9, 0xf}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x5, 0x7, 0x1, [@generic={0x49, 0x1, "bedbdc40b657915aeea36befa743bbf476bbcc3a55777437fd0c0862a5591f0b8091626c6564a62b6995d0b1ac34995d442de50d21f30da08f64d3bb0e86086e62968216d8cbfe"}, @generic={0xc, 0xe, "1cca42d0d4c12478dbc7"}]}}, {{0x9, 0x5, 0xc, 0xd, 0x10, 0x4, 0xef, 0xd}}, {{0x9, 0x5, 0x0, 0x2, 0x40, 0x1, 0x92, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0xf, 0x9}, @generic={0x9c, 0x24, "9462e78d67a7938309f893388b585f99ed3cae5aeb241e37eacc73fb040b917d697587fd8885dcc892bfee22871988c70188e9e84546a796e56ea48370dfca689aaa0ffd0841c7e28cbcecbc3beeb254d902498dde373f5e920932acdf3222a561174a85ce36d5f5c709829a0429f48de3266211e3532235cacb3a64fff3e30182cd027ea660bce24cc197bf358f77953c964de4530416907fa1"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x400, 0x4, 0x0, 0x6}}, {{0x9, 0x5, 0x1f, 0xc, 0x20, 0x8, 0x80, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x40, 0xfff}, 
@generic={0x4a, 0x9, "13df6f0c723d233880c0869f46c9399e148ef0d987297635b6bf6f369cbf8f07b34b9376ff57dcbdf27465eb5153fb8dd7ca2fab2737dd515edef1c966915e0676db831f2b918d82"}]}}]}}, {{0x9, 0x4, 0xe4, 0xb, 0xd, 0xff, 0xde, 0x55, 0x3, [@uac_control={{0xa, 0x24, 0x1, 0x3, 0xa}}], [{{0x9, 0x5, 0x1, 0x3, 0x20, 0x1, 0x66, 0x7, [@generic={0x8c, 0x23, "c344bd7f690e1122d6524ccd0257c1185e61c3ab3ccb366ef9037a58035418728d9aab96717e220d7220fb964b7e928d75ef45859131159097fa85b2d24eeb7fc590e048eb1ba830ac343bfd9a3c32dfc93fadcb90f93a63c737834f5e2d4e7368e02ec5f2106bef935e5e74c3e7d2d3d16ebffa13a829499da442f01726d07a338feb612c3b6e5193b8"}]}}, {{0x9, 0x5, 0x1, 0xc, 0x10, 0x6, 0x73, 0x2}}, {{0x9, 0x5, 0xe, 0x1, 0x40, 0x0, 0x0, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x8, 0x9df1}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0x84}]}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xd, 0x6, 0x6, [@generic={0x9c, 0x11, "61c2c581bcf0dc3a09ec5465d8b39593b51cb568ad67bf219f28a637f8b8f3aae7b6cf31069da551c5d90a297ab0cfeda543a0f762c8185babc43a4c9bb3b095c0ee1396f8b1fd6219b31613b7560d309f173c80673fb08529fc8f175291f99856af198cf47a32c76df6be449493e5a66eb4664b84226ca1e2c8f2029ade7d75316b104a3480fbf7d4509d748c36f659f8f52743fd077fc7df42"}, @generic={0x4e, 0x4, "57fad147fa12cd27896e4e92ba1ad4058c8d43ec2150d8732fc5ae105a174ed83942dcb79a05b10fd4957dbc1ac027a2df5728b2b2bb9b5bc51f9a8c88e9fa851138c7cdd7626641911cbe0c"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x8, 0x8, 0x20, 0xc, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x8, 0xfd, 0x2}]}}, {{0x9, 0x5, 0xb, 0xc, 0x10, 0xf0, 0x3, 0x9}}, {{0x9, 0x5, 0x2, 0x2, 0x7b7, 0x9, 0x2, 0x78, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x2, 0x6e8}]}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0xb6, 0x47, 0x1, [@generic={0xea, 0xd, 
"d7eef8adff593fef601257eb29f1123c0f04cf50d2f065a52ab835d40454ac46b6638738e9753c66062b76d457d6b363f7b7634feaac719c3e900cceb8d969210b573a62d4516498d598a61e6fa5bbd0fd386f9f1d7afef4ddbe39495d6e555d24555bf1bffe21fc472ab2a8d5d0f8a611ab5a46ae9b23bb6a6b363946dafbb2e741d34fe456f5816332d72d435fbd1fae4763325dac58c2de0a67277e2d74fef5d8ba6de17c31d5c7fb01a13d3bf00c3113416b72b3e2e0b80b4ab9cda77d2de3ed368fab4841fd62acf66e432121b5f5d7c8c036660d7a351033155e3eef2ff20f2aed8241d176"}]}}, {{0x9, 0x5, 0xe, 0x3, 0x200, 0xff, 0x62, 0x5, [@generic={0x55, 0x23, "d522b56c6dde6a698a23e10e4fc0798f87c946fa2848c717a9a33138fdb3475793c1b4d1722b3bcc36384d2589a27e5f22b289727e23f039ffdf2ab25da62c092ed01cb151b0ad8ba7758c32abd07f79514eba"}, @generic={0x96, 0x8, "70f4e5b83374f7b0de44ec45105ac31402140e176214641e3797ba0aea4013e3e7c2871f78528a256a2249dcad684fd577a428a14f446ce9d7de49364aa163c68dd1e4e20c0aa98a263547f07dae9c3e45ffec5bdccfb90b1ad9054da62866626bfbc394a1e9aec6b300420a6167e6e6ef4396dffb6bfc18d3b2537789270423867535f75b1454cc3b8a6aef5b65b9774139adcf"}]}}, {{0x9, 0x5, 0xc, 0x10, 0x20, 0x8, 0x1, 0x8}}, {{0x9, 0x5, 0xd, 0x10, 0x400, 0x3, 0x6d, 0x7, [@generic={0x85, 0xe, "1a54b4a07976e16cec507f7cfe00c93599f9fdefaf8bf86cb9ae60f5e7426c78b3e01cc8cab0aaf09debbacd785c9de3bb89551d0a241f2d65830f5364754991feead87fe8c8b928ac16853ae959eac27b59ccc86d22442ca629d120b1a09cf14184a9c4873f74ae748201f5f4e649e3724c7ddb89f458472b285f9c10ea40393f3060"}]}}, {{0x9, 0x5, 0x9, 0x0, 0x8, 0xa, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x4, 0x4fb3}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x1, 0x88, 0x6}}]}}, {{0x9, 0x4, 0x10, 0x8, 0x10, 0xff, 0x5d, 0x81, 0x3, [@generic={0xb7, 0x0, 
"bea8fdb50e624b763ddddaf5ed85d8170ca858cf74ac678eb54d2045e5fbb2772140e2cf1895cb693a914ffb891cd2c90d4827bcd34359d70107462ead889a6e4ed6968935a81a147ac0ccc81c38d62d6a84cf504552ec37d609b5475018bda124c09ea9f21303865fe464abc38cd84ae42de33e4691127e2b8553837d58cda51f11a05a1538ecff55e90f34a1c566c234c006d00b50b4b29e49b8d090f5a274ae37e03e49682c44c2b1d9db62f63233f9670cb2ac"}], [{{0x9, 0x5, 0xc, 0x10, 0x40, 0x9, 0x8, 0x2}}, {{0x9, 0x5, 0x6, 0x2, 0x8, 0x3, 0x18, 0x1c, [@generic={0xf6, 0xc, "d7729711236eb7896991e6ffe3dd7622e96e2e7d1760ab6452472bbac1d06861d9d49e4100606a227d342c6175945ade9cc3f46ec4627f92caa5d73227fae7a360d25fac9e5744073f0c054c9a5b8258dd279b736876584b904d943b23c26d9e6bc2dd3b98f36244158c760f0bf975029142b3f58bb63ec376d7f5d9611820d380efd7de6163ac8dc27144e21d92c93ffecc2d8c7b3bc5ead181863cd96a0abf2889eb10b687913fa8214b89de11f52b7d1936ad9c1c45da86a15e86b6c9060291d85b48ebc2344db8ad8cc52f79d4f0377a893b3da61cfc1513d2ba9536d6190de886a2d18ff8ab1f463f15471d7f96dc92d0ac"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x20, 0x9, 0x2, 0x37}}, {{0x9, 0x5, 0xf, 0x12, 0x8, 0xd, 0x6, 0xf, [@generic={0x40, 0x5, "71afb2617a61e75529dde0f32fa6ca4b857a84b3120b936168642c34048f292fc27a3a8f1f74580cdc36e9a40b4ff692f13224b914a89fb73085793a5c22"}]}}, {{0x9, 0x5, 0xd, 0xc, 0x36fb25d4600df5f1, 0x4, 0x1, 0x0, [@generic={0x50, 0x3, "17ffd473ba28c360591f571dc60f1324d4a34ab8d9d3c0686c13a61bda2464e1635423ebf4ed34037bab62fd30a8dd0a89f1bcbff3af4f0c989ddb6f03760ae76f63ffdcbfbbfee9a135257314aa"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0x2d, 0x10, 0xba}}, {{0x9, 0x5, 0xe, 0x0, 0x10, 0x8, 0x7, 0xac}}, {{0x9, 0x5, 0xa, 0x8, 0x20, 0x9, 0x7c, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x9, 0x4}]}}, {{0x9, 0x5, 0xb, 0x10, 0x3ff, 0x1, 0x4, 0xbd}}, {{0x9, 0x5, 0x7, 0x3, 0x20, 0x6, 0xf, 0xe}}, {{0x9, 0x5, 0xd, 0x10, 0x7f7, 0x4, 0x1c, 0x1}}, {{0x9, 0x5, 0x0, 0x0, 0xaead6ee2ff2b5f33, 0x40, 0x6, 0x81, [@generic={0x54, 0x9, 
"22a03d117edd7ff802cdb509b49cf07b1884a5d06a2872ffdd1f6a974c0574871d68b2fd80b9dde557da7eec4d7f2778a5c3a4bbef519d158a59f152fe19f598e43360f8a24aa973c56f46c4a68a273a1fc4"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x8, 0x5, 0x38, 0x1}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x4, 0x2, 0x7, [@generic={0xda, 0x26, "32162d9cffd7548ddc1524c6651fa112cb8399eb7daa746af4a3f458159bd8a487dade3217ae3224615d50ba5643301952fdd082ab52f64eb38bddcf02b06728a3bf4f73d3b780a3a5804bad04ecc22787690f67257674f728b10231ba2db83cb4eb841e5523eb43f3482d3ec33cb8187b87aa08a21e94e0394a1ee8d8f0cc088910aba4dbe5feefc245380ff1443e3a97bd4d5addd01f1126d4b70abcbbe140716a1c66dac61f66514fcebe67647b43bbd8e848333ff9957ebaace9d057b627a667e6f51daeac302b2129c26d415bc9a2ee7495b331b7da"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x8, 0x7, 0x5}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0xfe, 0x0, 0xd, [@generic={0xe1, 0x24, "66c968f67f56d0ab89d6819c67d1d6c215d2f3cf615b37028db269d93608cdf0704118e0ddbf97166c27afb51a132cd70f0fa3b7ad5ee3a441027a74122781ab0f1ce5fe7bd1153c8ffccd3ef109213f20d2bafd0e331abc5cd1fb54809a06c8fa60a9f0fc8e113f318c3a7f7bc6fabe193094ec493d246cbd702bf019796a8872b3c40234d8e90731b2dff88a1f0c4f1786a190eb16651e3ac45edb14d9fb898644bed61576bd7a9fd90c5217217f6b9aed19d4a22bff482d058e603d2a0cdc48b1b271b79b1e25d7fe6bb820506e48579a78af99e7e9429bcd4b07bc0134"}, @generic={0x40, 0x5, "8f82cc05df67734141e356e936a6e0a7247ac23b30900c5fc4148a14990b5004686de6cace04ade350f04a3d078c3910f7dba492af85da649432e26a7854"}]}}]}}, {{0x9, 0x4, 0x88, 0x1, 0x8, 0xeb, 0x43, 0x23, 0x4, [], [{{0x9, 0x5, 0xc, 0x0, 0x40, 0x8, 0x8, 0x5}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0x9a, 0x5f, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x81, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xf9, 0x2}]}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0x7, 0x1, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x1}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xd, 0x103}]}}, {{0x9, 0x5, 0xb, 0xc, 0x3ff, 0xa9, 0x1, 0x6, [@generic={0xfb, 0x2c, 
"df60d233063867e638f4ac474e685fef8f861557d0a31566d58bde1f04a113f6cb64c96056a81685a6dfa2978a60c2d94e450f6675e38b44c96bfbff6c5f3746609346497483dfc8ac2127362cdbdaa0253951a182272183f456aae2bd12b292c609e8e14b4f8c1853e0d87e0c3179c8be7b0730721bb30159040826f093510ce022587691627b236a66215620418df334d28d1d14f0ca3b9f4fcff06ba249dd19508198503a2c2cd4f3abdadbd4f1ace4e627bec97299a00228e09c064e5f342e00d8c8f2d5b1fb56485e736a87dcfe510c218632729122a4eb5d5b5d81df8be58527183e48f760b85c599f8813f89d706af7b22f77d68dc1"}, @generic={0x6b, 0x4, "07ece06586e01505f126e0db2ed1ac18b57549f080d741f38b0ccec6ba034d096429405619d01af435c8092be0e9c4a93c1b647e7c7f14f05efff305d2b85d51fedff750b87e5990d028fd338645029bd9ed95e00305acce8b899a786dbf30895be03148a7a1e3bf25"}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0x3, 0x5, 0xff}}, {{0x9, 0x5, 0xa, 0x10, 0x200, 0x6, 0x14, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x4}]}}, {{0x9, 0x5, 0x5, 0x8, 0x210, 0xe8, 0x5, 0x3}}, {{0x9, 0x5, 0xa, 0x8, 0x10, 0x64, 0x8, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x5, 0x2}]}}]}}]}}]}}, &(0x7f0000016780)={0xa, &(0x7f00000162c0)={0xa, 0x6, 0x201, 0x3, 0x8, 0xff, 0x20, 0x10}, 0x28, &(0x7f0000016300)={0x5, 0xf, 0x28, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x1, 0x7, 0x7, 0x6, 0xff}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x2, 0x61, 0xff, 0xf, 0x6, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x1, 0x3, 0xb, 0x100}]}, 0x7, [{0x4, &(0x7f0000016340)=@lang_id={0x4, 0x3, 0x457}}, {0xff, &(0x7f0000016380)=@string={0xff, 0x3, "85a764d829532917b6647a68a249b252f01a99f88767a2e9f13aeefab39cf6a405497e3244294b1bd485c0ec99338640a508fabbf11e0fd6a03bcc9cebaf83037aa77397cbdf0911c8dfb842f62f94766aa445925773c4f7c6701be8a05673afe95cf19c279ac62fd2720ed2dae689371c5151bf6b9e7727f8f497091c3aaa902f81e44c5173acf22152fcbc4d72a75e9ab4badc6788b2fdbb7e34b202e0e71feb1cc9b1ca791e92374cfc63cc7db5648591778bfc1948f9dad9b7fe74a588ddc9ad499993062666b3e0df0acaa67802ad37a86fcb411a2230bdd43fe8610f29c15179bf429f81876ee90b7d35a2263f91eb8d3c7c87c46600b45282ee"}}, {0x4, 
&(0x7f0000016480)=@lang_id={0x4, 0x3, 0x8406}}, {0x49, &(0x7f00000164c0)=@string={0x49, 0x3, "cb9d5f1c5fbc9474d59ffa54a92ba7aff97b2f65abf48aad8e2b09b60a5dc2744b250fe7529097bfbb2bcf99d0548a034fb7aecaf8dd808495be132e1b8c84abe53375dcf540d5"}}, {0x4, &(0x7f0000016540)=@lang_id={0x4, 0x3, 0x407}}, {0x102, &(0x7f0000016580)=@string={0x102, 0x3, "04ddeb57b5072b0dc9dc624cf2792daac535b02570dbb701e1db0e6c25d680f07b517f6582125baa7a7849eb0b11130e0024efe8a1c951363bf47a68fb5bd9acf185aea1627381f50343cb4bb8d7175131f2ae52a842db753904d3051a0ab082608560e8ac66b87dddbb9fa3514a31e5595170e3d21c018b37855992a2a4b348de99469b63f5438e240e23cfe0a26d30a91d953691d741b9d5d85dab27d40da71fc9d8677b0dc3e1d6060d0d98a71300d374e7bd550f6a57b6fcd444313f37367f5b55c20f1a2d44861e8a1a36bcdc769ffc146bb71ab5846dcb8231247f1636483dabb710d074fd2b8018d4c356d1825bb17bf96327e96ee867583243e8254e"}}, {0x9e, &(0x7f00000166c0)=@string={0x9e, 0x3, "ef2a4e829a0f6cdb32a449bba1d48f5dfe865e51f2287e2177391a43f9bbf1ca78d573f200eae40c60a21ddc2ad482df2a85f27559815bb4ebca560530b86553450ee38eaeb8712f6b77c14d47f85d8bbf641e1d9e09fa1e2be5e92c187ce56ef9949ae1d87cfbfe0ea1ba9f9b2ff0182d4b05ce506891c5a347ee33ccf9ce7d86d7ddf2bf38574d21d9654bbe80658680bef5589e2db6072d9fd0fd"}}]}) r28 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000016800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r28, &(0x7f0000016b40)={0x2c, &(0x7f0000016880)={0x20, 0xb, 0xc8, {0xc8, 0x21, "01f48fe831d8d1992472173ea819a3a2ade96121341354e85ca198ec1fcf8590c939f727aa0e85856b357c23bc068f24a22cc6b71bd4add3ae66955e3ceb2a8f155c4feaf36d9c4802968a53b086a4a50dc35475e75c1851e7d408540774e8982191e50606991f3f33fa708ef6a94041511098b0267e737b9f399fad65b7cc2efa80eafc734bd5ab1fdc3decc026fa7675ef45a1d17ffe1c0b1e00b10273d7c57d183c74a3d9b1471322b59a98cebd12d16c2834b226cecaeaf960e3d90776c23923eae68d1e"}}, &(0x7f0000016980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x280a}}, &(0x7f00000169c0)={0x0, 0xf, 0xc8, 
{0x5, 0xf, 0xc8, 0x5, [@ssp_cap={0x14, 0x10, 0xa, 0x3, 0x2, 0x9, 0xf, 0x0, [0xc0cf, 0xf]}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0x30ec, 0xf0f, 0x82, [0xc00f]}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0xb, 0x8, 0xf}, @generic={0x8d, 0x10, 0xa, "422d46fc73f84b4dd0c3d24d79f270975a978d736a0aa3e586ae4e9a232483cf25269718cbb9df730362ce6b7cf0e3d10079c328ee2be8f5ffc242a07e20f7c3db607c73e2cac82f1c73c8fcaceb151e2022fe0c73ad6619a4dace08659699ed7660d45202749cda47dfa1e0db87664d1eff73f0606d30b778cb8808dfa6b24cc18add579f29e81b12e3"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x48, 0x6, 0xf2, 0x0, 0x2}]}}, &(0x7f0000016ac0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x1, 0x3, 0xf6, 0x5, "d7db758c", "cb024e33"}}, &(0x7f0000016b00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x2, 0x2, 0x80, 0x5, 0x7, 0x7, 0xff24}}}, &(0x7f0000016f40)={0x84, &(0x7f0000016b80)={0x20, 0x13, 0x2a, "b3644b33a496f2187a5863e64c407cecd2d6d13ae23ecf1c3c53f78ff217cff021e4718cea7fbe4c3ba3"}, 0xfffffffffffffffd, &(0x7f0000016bc0)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000016c00)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000016c40)={0x20, 0x0, 0x4, {0x40, 0x20}}, &(0x7f0000016c80)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000016cc0)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000016d00)={0x40, 0xb, 0x2, '{*'}, &(0x7f0000016d40)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000016d80)={0x40, 0x13, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, &(0x7f0000016dc0)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, &(0x7f0000016e00)={0x40, 0x19, 0x2, "1ac5"}, &(0x7f0000016e40)={0x40, 0x1a, 0x2, 0x100}, &(0x7f0000016e80)={0x40, 0x1c, 0x1, 0x7}, &(0x7f0000016ec0)={0x40, 0x1e, 0x1, 0xc8}, &(0x7f0000016f00)={0x40, 0x21, 0x1, 0x4f}}) syz_usb_disconnect(r27) syz_usb_ep_read(r27, 0x0, 0x4, &(0x7f0000017000)=""/4) syz_usb_ep_write(r28, 0x4, 0x9a, 
&(0x7f0000017040)="dd9c6225175b3c37dc1963b4d0f463d6e382d956edabd131d419ff0b343494a2c3c8bd5e321a506b68c9621ab544dc8bd17c2f62f3c56caecb3908a6430e4d9eafd02ca13dfdcc2d07c531313862ad4271ecb07f10143f48ff7e738a4a77623d0d4b8921084f7c7a9114220624e8f12287c7369f8b9193de6e3a67ff4bf7596fd6c107e477fc1df67c16fec951a212d960cd48e3a1758e8ec8e7") syz_usbip_server_init(0x3) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_getfd #define __NR_pidfd_getfd 438 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, 
arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
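// Append one netlink attribute (header plus `size` payload bytes copied from
// `data`) at nlmsg->pos and advance pos past the aligned attribute.
//
// struct nlmsg carries a fixed 4096-byte buffer. netlink_send_ext() checks
// for pos running past the end of that buffer, but only after every attribute
// has already been stored, so the space check is done here before any byte is
// written. Like that later check, a message that does not fit terminates the
// process with exit(1). A negative `size` is rejected the same way.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
	char* end = nlmsg->buf + sizeof(nlmsg->buf);
	if (size < 0 || nlmsg->pos < nlmsg->buf || nlmsg->pos > end)
		exit(1);
	size_t room = (size_t)(end - nlmsg->pos);
	size_t total = sizeof(struct nlattr) + (size_t)size;
	// Compare the aligned length: pos advances by NLMSG_ALIGN(nla_len).
	if (NLMSG_ALIGN(total) > room)
		exit(1);
	struct nlattr* attr = (struct nlattr*)nlmsg->pos;
	// total <= 4096 here, so it fits the 16-bit nla_len field.
	attr->nla_len = total;
	attr->nla_type = typ;
	// Zero-length attributes are passed with data == NULL by callers in
	// this file, so the copy is skipped for them.
	if (size > 0)
		memcpy(attr + 1, data, size);
	nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}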
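// Resolve a generic-netlink family name to its numeric id via
// CTRL_CMD_GETFAMILY on `sock`, using `nlmsg` as scratch space.
// Returns the family id (> 0) on success; returns -1 on failure, with errno
// set to EINVAL when the reply carried no CTRL_ATTR_FAMILY_ID.
// `dofail` is forwarded to netlink_send_ext(), which exits on errors when set.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = CTRL_CMD_GETFAMILY;
	netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
	int n = 0;
	int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
	if (err < 0)
		return -1;

	uint16_t id = 0;
	const char* end = nlmsg->buf + n;
	char* cur = nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr));
	// Walk the reply attributes. Each header must lie fully inside the
	// received bytes, and nla_len must cover at least the header and stay
	// inside the reply; a zero nla_len would otherwise never advance.
	while (cur + sizeof(struct nlattr) <= end) {
		struct nlattr* attr = (struct nlattr*)cur;
		if (attr->nla_len < sizeof(*attr) || attr->nla_len > (size_t)(end - cur))
			break;
		if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
			// Only read the id when the payload is large enough.
			if (attr->nla_len >= sizeof(*attr) + sizeof(id))
				memcpy(&id, attr + 1, sizeof(id));
			break;
		}
		cur += NLMSG_ALIGN(attr->nla_len);
	}
	if (!id) {
		errno = EINVAL;
		return -1;
	}
	// Result deliberately ignored; presumably this drains the ACK requested
	// by NLM_F_ACK in netlink_init() -- confirm against the caller's needs.
	recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
	return id;
}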
// Build and send an NL80211_CMD_JOIN_IBSS request for `ifindex`.
// The SSID and frequency are always attached; the MAC attribute is added only
// when props->mac is non-NULL and the fixed-frequency flag only when
// props->wiphy_freq_fixed is set.
// Returns the result of netlink_send_ext() unchanged.
static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail)
{
	struct genlmsghdr hdr;
	memset(&hdr, 0, sizeof(hdr));
	hdr.cmd = NL80211_CMD_JOIN_IBSS;
	netlink_init(nlmsg, nl80211_family, 0, &hdr, sizeof(hdr));

	netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
	netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len);
	netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq));
	if (props->mac)
		netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN);
	if (props->wiphy_freq_fixed) {
		// Flag attribute: header only, no payload.
		netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0);
	}

	return netlink_send_ext(nlmsg, sock, 0, NULL, dofail);
}
// Poll the interface's operstate (via get_ifla_operstate) about once per
// millisecond until it equals `operstate`.
// Returns 0 once the state matches, or the negative value reported by
// get_ifla_operstate() when a query fails.
// NOTE(review): the if_nametoindex() result is not checked, and the loop has
// no timeout -- it ends only on a match or on a failed query.
static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail)
{
	const int ifindex = if_nametoindex(interface);
	for (;;) {
		usleep(1000);
		const int state = get_ifla_operstate(nlmsg, ifindex, dofail);
		if (state < 0)
			return state;
		if (state == operstate)
			return 0;
	}
}
sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
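// Create a UNIX socket pair and write one end to the vhci_hcd sysfs "attach"
// file as a virtual USB/IP port of the requested speed.
//
// a0: USB speed; USB_SPEED_SUPER selects the second (USB3) port group.
// Returns the server-side socket fd, or -1 when the socket pair cannot be
// created or the port group has no free slot.
//
// The result of the sysfs write is not checked, so the fd is returned even
// if the attach itself was rejected. The client end stays open in this
// process on the success path, as in the code this replaces.
static long syz_usbip_server_init(volatile long a0)
{
	static int port_alloc[2];
	int speed = (int)a0;
	bool usb3 = (speed == USB_SPEED_SUPER);

	int socket_pair[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair))
		return -1;
	int client_fd = socket_pair[0];
	int server_fd = socket_pair[1];

	int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED);
	// Slots are numbered from 0, so each group holds 0..VHCI_HC_PORTS-1.
	// Slot VHCI_HC_PORTS would produce the same port_num as slot 0 of the
	// next group in the formula below, hence >= rather than >.
	if (available_port_num >= VHCI_HC_PORTS) {
		// Do not leak the freshly created pair on the failure path.
		close(client_fd);
		close(server_fd);
		return -1;
	}

	int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num;
	char buffer[100];
	snprintf(buffer, sizeof(buffer), "%d %d %s %d", port_num, client_fd, "0", speed);
	// write_file() treats its second argument as a printf format, so the
	// prepared text is passed as data rather than as the format itself.
	write_file("/sys/devices/platform/vhci_hcd.0/attach", "%s", buffer);
	return server_fd;
}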
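// Read /sys/kernel/btf/vmlinux into a static buffer once and return it.
// Later calls return the cached buffer without touching the file again.
// Returns NULL when the file cannot be opened, a read fails, or the data
// reaches VMLINUX_MAX_SUPPORT_SIZE (treated as too large). The descriptor is
// closed on every path; previously it was never closed.
// NOTE(review): the is_read flag is a plain static bool, so concurrent first
// calls are not synchronised here.
static char* read_btf_vmlinux(void)
{
	static bool is_read = false;
	static char buf[VMLINUX_MAX_SUPPORT_SIZE];
	if (is_read)
		return buf;

	int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY);
	if (fd < 0)
		return NULL;

	unsigned long bytes_read = 0;
	bool complete = false;
	for (;;) {
		ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read);
		// Filling the buffer exactly is rejected as well: there may be
		// more data that does not fit.
		if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE)
			break;
		if (ret == 0) {
			complete = true;
			break;
		}
		bytes_read += ret;
	}
	close(fd);

	if (!complete)
		return NULL;
	is_read = true;
	return buf;
}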
// Copy a4 bytes from (a2 + a3) to (a0 + a1) with memcpy.
// a0/a2 are raw addresses; a1/a3 are offsets truncated to 32 bits before use.
// Returns the destination address (memcpy's return value) as a long.
// No bounds are known here: the caller is responsible for both ranges being
// valid and non-overlapping, as memcpy requires.
static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4)
{
	char* to = (char*)a0;
	to += (uint32_t)a1;
	const char* from = (const char*)a2;
	from += (uint32_t)a3;
	const size_t count = (size_t)a4;
	void* written = memcpy(to, from, count);
	return (long)written;
}
// Claim the next slot in usb_devices[], parse the descriptor blob into it and
// publish `fd` for that slot.
// Returns the slot's index structure, or NULL when all USB_MAX_FDS slots are
// taken or the blob fails parse_usb_descriptor().
// A slot number is consumed even when parsing fails, because the counter is
// incremented before the parse.
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	const int slot = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (slot >= USB_MAX_FDS)
		return NULL;

	struct usb_info* entry = &usb_devices[slot];
	if (!parse_usb_descriptor(dev, dev_len, &entry->index))
		return NULL;

	// The fd is stored last with release ordering; lookup_usb_index() reads
	// it with acquire ordering before handing out the index.
	__atomic_store_n(&entry->fd, fd, __ATOMIC_RELEASE);
	return &entry->index;
}
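// Pick the reply for an IN control request received during the connect
// handshake. Only standard GET_DESCRIPTOR requests are answered.
//
// fd:     raw-gadget fd used to find the parsed descriptor index.
// descs:  optional caller-supplied descriptors; may be NULL.
// ctrl:   the control request being answered.
// qual:   caller-owned scratch space for a synthesised device qualifier.
// response_data / response_length: set to the reply on success.
//
// Returns true when a reply was selected, false otherwise (the caller in this
// file then stalls endpoint 0).
//
// `descs` is supplied by the caller and can be NULL. The string case already
// checked for that; the BOS and device-qualifier cases now do too instead of
// dereferencing it unconditionally.
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return false;
	if ((ctrl->bRequestType & USB_TYPE_MASK) != USB_TYPE_STANDARD)
		return false;
	if (ctrl->bRequest != USB_REQ_GET_DESCRIPTOR)
		return false;

	// The descriptor type is the high byte of wValue.
	switch (ctrl->wValue >> 8) {
	case USB_DT_DEVICE:
		*response_data = (char*)index->dev;
		*response_length = sizeof(*index->dev);
		return true;
	case USB_DT_CONFIG:
		*response_data = (char*)index->config;
		*response_length = index->config_length;
		return true;
	case USB_DT_STRING: {
		// The string index is the low byte of wValue.
		uint8_t str_idx = (uint8_t)ctrl->wValue;
		if (descs && str_idx < descs->strs_len) {
			*response_data = descs->strs[str_idx].str;
			*response_length = descs->strs[str_idx].len;
			return true;
		}
		if (str_idx == 0) {
			// First byte of each built-in descriptor is its length.
			*response_data = (char*)&default_lang_id[0];
			*response_length = default_lang_id[0];
			return true;
		}
		*response_data = (char*)&default_string[0];
		*response_length = default_string[0];
		return true;
	}
	case USB_DT_BOS:
		// Nothing to report without caller-supplied descriptors.
		if (!descs)
			return false;
		*response_data = descs->bos;
		*response_length = descs->bos_len;
		return true;
	case USB_DT_DEVICE_QUALIFIER:
		if (descs && descs->qual) {
			*response_data = descs->qual;
			*response_length = descs->qual_len;
			return true;
		}
		// No qualifier supplied: derive one from the device descriptor.
		qual->bLength = sizeof(*qual);
		qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
		qual->bcdUSB = index->dev->bcdUSB;
		qual->bDeviceClass = index->dev->bDeviceClass;
		qual->bDeviceSubClass = index->dev->bDeviceSubClass;
		qual->bDeviceProtocol = index->dev->bDeviceProtocol;
		qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
		qual->bNumConfigurations = index->dev->bNumConfigurations;
		qual->bRESERVED = 0;
		*response_data = (char*)qual;
		*response_length = sizeof(*qual);
		return true;
	default:
		break;
	}
	return false;
}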
(descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 
// Issue USB_RAW_IOCTL_INIT with the given UDC driver/device names and speed.
// Returns the ioctl result unchanged.
// strncpy() zero-pads short names to the full field width, but it writes no
// terminator when a name is as long as the field (UDC_NAME_LENGTH_MAX bytes)
// or longer. `speed` is narrowed to the struct's 8-bit field.
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init req;
	char* drv_field = (char*)req.driver_name;
	char* dev_field = (char*)req.device_name;
	strncpy(drv_field, driver, sizeof(req.driver_name));
	strncpy(dev_field, device, sizeof(req.device_name));
	req.speed = speed;
	const int rc = ioctl(fd, USB_RAW_IOCTL_INIT, &req);
	return rc;
}
// Map an endpoint address to the handle stored for it in the currently
// selected interface of the device behind `fd`.
// Returns the stored handle, or -1 when the fd is unknown, no interface is
// selected (iface_cur < 0), or no endpoint has that address.
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* dev_index = lookup_usb_index(fd);
	if (dev_index == NULL || dev_index->iface_cur < 0)
		return -1;

	struct usb_iface_index* cur = &dev_index->ifaces[dev_index->iface_cur];
	int slot = 0;
	while (slot < cur->eps_num) {
		if (cur->eps[slot].desc.bEndpointAddress == bEndpointAddress)
			return cur->eps[slot].handle;
		slot++;
	}
	return -1;
}
// Apply the configuration step for the gadget behind `fd`: report the
// device's bMaxPower via VBUS_DRAW, issue CONFIGURE, then select interface 0.
// Returns 0 on success, -1 when the fd has no descriptor index, or the
// negative result of the first ioctl wrapper that failed.
static int configure_device(int fd)
{
	struct usb_device_index* dev_index = lookup_usb_index(fd);
	if (dev_index == NULL)
		return -1;

	const int draw_rc = usb_raw_vbus_draw(fd, dev_index->bMaxPower);
	if (draw_rc < 0)
		return draw_rc;

	const int cfg_rc = usb_raw_configure(fd);
	if (cfg_rc < 0)
		return cfg_rc;

	set_interface(fd, 0);
	return 0;
}
// Entry point for the syz_usb_connect pseudo-syscall.
// a0: speed, a1: descriptor blob length, a2: descriptor blob address,
// a3: address of optional extra descriptors (struct vusb_connect_descriptors).
// Unpacks the raw arguments and runs syz_usb_connect_impl() with the generic
// OUT-request handler; its result is returned unchanged.
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	const uint64_t usb_speed = a0;
	const uint64_t blob_len = a1;
	const char* blob = (const char*)a2;
	const struct vusb_connect_descriptors* extra = (const struct vusb_connect_descriptors*)a3;
	lookup_connect_out_response_t out_handler = &lookup_connect_response_out_generic;
	return syz_usb_connect_impl(usb_speed, blob_len, blob, extra, out_handler);
}
USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } 
// Pseudo-syscall: open a device node.
//   a0 == 0xc / 0xb - open /dev/char/MAJ:MIN or /dev/block/MAJ:MIN read-write, with
//                     MAJ and MIN taken from the low 8 bits of a1 and a2.
//   otherwise       - a0 is a path template; each '#' is replaced, left to right, by the
//                     next decimal digit of a1 (least significant first) and the result
//                     is opened with flags a2.
// O_CREAT is always stripped from a2, so this call can only open existing nodes.
// Returns the descriptor from open(), or -1 with errno set by open().
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	const int is_char = (a0 == 0xc);
	if (is_char || a0 == 0xb) {
		// Longest result is "/dev/block/255:255", well inside the buffer.
		char devpath[128];
		snprintf(devpath, sizeof(devpath), "/dev/%s/%d:%d", is_char ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(devpath, O_RDWR, 0);
	}

	char path[1024];
	// strncpy does not terminate on truncation, hence the explicit terminator.
	strncpy(path, (char*)a0, sizeof(path) - 1);
	path[sizeof(path) - 1] = '\0';

	unsigned long id = a1;
	for (char* mark = strchr(path, '#'); mark != NULL; mark = strchr(path, '#')) {
		*mark = (char)('0' + id % 10);
		id /= 10;
	}
	return open(path, a2 & ~O_CREAT, 0);
}
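// Pseudo-syscall: create a TCP socket inside the namespace referred to by kInitNetNsFd
// and connect it to 127.0.0.1:4420, then switch back to the caller's network namespace.
// Returns the connected socket, or -1 with errno describing the failing step.
// If the original namespace cannot be re-entered the process exits, because continuing
// would leave it running in the wrong namespace.
static long syz_socket_connect_nvme_tcp()
{
	// Zero the whole address so no uninitialised padding is handed to the kernel.
	struct sockaddr_in nvme_local_address = {0};
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		// Do not leak the namespace descriptor on this path; keep setns()'s errno.
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	// A failed socket() is reported with its own errno instead of being passed to connect().
	if (sock == -1)
		return -1;
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	if (syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address)) != 0) {
		// close() must not overwrite the reason connect() failed.
		err = errno;
		close(sock);
		errno = err;
		return -1;
	}
	return sock;
}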
// Copy one stored (uncompressed) deflate block from the input to the output.
// Any partially consumed bit buffer is discarded first, since the block header is read
// from whole bytes. Returns 0 on success, 2 if the input ends early, 1 if the output
// buffer is too small, and -2 if the length does not match its one's complement.
// Zero bytes are skipped rather than stored, so the output buffer must already be
// zero-filled (the caller in this file passes a fresh anonymous mapping).
static int puff_stored(struct puff_state* s)
{
	s->bitbuf = 0;
	s->bitcnt = 0;

	// LEN and NLEN take four bytes in total.
	if (s->incnt + 4 > s->inlen)
		return 2;
	unsigned len = s->in[s->incnt++];
	len |= s->in[s->incnt++] << 8;

	// Check NLEN one byte at a time; the second byte is only consumed if the first matches.
	unsigned char nlen_lo = s->in[s->incnt++];
	if (nlen_lo != (~len & 0xff))
		return -2;
	unsigned char nlen_hi = s->in[s->incnt++];
	if (nlen_hi != ((~len >> 8) & 0xff))
		return -2;

	// Both bounds are checked before the first byte is copied.
	if (s->incnt + len > s->inlen)
		return 2;
	if (s->outcnt + len > s->outlen)
		return 1;

	while (len--) {
		unsigned char byte = s->in[s->incnt];
		if (byte)
			s->out[s->outcnt] = byte;
		s->outcnt++;
		s->incnt++;
	}
	return 0;
}
// Build the decoding tables in *h from n code lengths.
// h->count[len] receives the number of symbols of each length and h->symbol the symbols
// ordered by length. Returns 0 for a complete code (or when every length is zero), a
// negative value for an over-subscribed code, and a positive value for an incomplete one.
// Every entry of length[] is used as an index into count[] and offs[], so callers must
// only pass lengths in the range 0..MAXBITS.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
	int bits;
	int sym;

	// Histogram of code lengths.
	for (bits = 0; bits <= MAXBITS; bits++)
		h->count[bits] = 0;
	for (sym = 0; sym < n; sym++)
		h->count[length[sym]] += 1;
	if (h->count[0] == n)
		return 0;

	// Track how many codes remain available at each length; going negative means the
	// lengths describe more codes than exist.
	int remaining = 1;
	for (bits = 1; bits <= MAXBITS; bits++) {
		remaining = (remaining << 1) - h->count[bits];
		if (remaining < 0)
			return remaining;
	}

	// First slot in symbol[] for each length.
	short offs[MAXBITS + 1];
	offs[1] = 0;
	for (bits = 1; bits < MAXBITS; bits++)
		offs[bits + 1] = offs[bits] + h->count[bits];

	// Place the symbols that are actually coded, in symbol order within each length.
	for (sym = 0; sym < n; sym++) {
		short l = length[sym];
		if (l == 0)
			continue;
		h->symbol[offs[l]] = sym;
		offs[l]++;
	}
	return remaining;
}
// Decode one deflate block that carries its own (dynamic) Huffman tables.
// Reads the table sizes and code lengths from the bit stream, builds the literal/length
// and distance codes, then hands off to puff_codes(). Returns the result of puff_codes()
// on success, a negative value from puff_decode(), or -3..-9 for a malformed table
// description as marked below.
static int puff_dynamic(struct puff_state* s)
{
	// Order in which the code-length code lengths are transmitted.
	static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
	int nlen = puff_bits(s, 5) + 257;
	int ndist = puff_bits(s, 5) + 1;
	// A 4-bit field plus 4 gives at most 19, the size of order[].
	int ncode = puff_bits(s, 4) + 4;
	// This check keeps nlen + ndist within MAXCODES, the size of lengths[] below.
	if (nlen > MAXLCODES || ndist > MAXDCODES)
		return -3;
	short lengths[MAXCODES];
	int index;
	for (index = 0; index < ncode; index++)
		lengths[order[index]] = puff_bits(s, 3);
	for (; index < 19; index++)
		lengths[order[index]] = 0;
	short lencnt[MAXBITS + 1], lensym[MAXLCODES];
	struct puff_huffman lencode = {lencnt, lensym};
	// The code-length code must be complete.
	int err = puff_construct(&lencode, lengths, 19);
	if (err != 0)
		return -4;
	index = 0;
	while (index < nlen + ndist) {
		int symbol;
		int len;
		symbol = puff_decode(s, &lencode);
		if (symbol < 0)
			return symbol;
		if (symbol < 16)
			lengths[index++] = symbol;
		else {
			// Symbols 16..18 are run-length instructions; symbol is reused as the repeat count.
			len = 0;
			if (symbol == 16) {
				// "Repeat previous length" needs a previous length.
				if (index == 0)
					return -5;
				len = lengths[index - 1];
				symbol = 3 + puff_bits(s, 2);
			} else if (symbol == 17)
				symbol = 3 + puff_bits(s, 3);
			else
				symbol = 11 + puff_bits(s, 7);
			// Reject a run that would write past the declared number of lengths.
			if (index + symbol > nlen + ndist)
				return -6;
			while (symbol--)
				lengths[index++] = len;
		}
	}
	// Symbol 256 (end of block) must have a code.
	if (lengths[256] == 0)
		return -9;
	err = puff_construct(&lencode, lengths, nlen);
	// An incomplete code is accepted only when count[0] + count[1] accounts for all symbols.
	if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
		return -7;
	short distcnt[MAXBITS + 1], distsym[MAXDCODES];
	struct puff_huffman distcode = {distcnt, distsym};
	err = puff_construct(&distcode, lengths + nlen, ndist);
	if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
		return -8;
	return puff_codes(s, &lencode, &distcode);
}
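// Inflate a zlib-wrapped image and write the result to dest_fd.
//   source, sourcelen - compressed input; the two-byte zlib header is skipped without
//                       being inspected, and input shorter than the header is treated
//                       as an empty image (returns 0, nothing written).
//   dest_fd           - descriptor that receives the decompressed bytes.
// The output is staged in an anonymous mapping of 132 MiB, which caps the decompressed
// size. Returns 0 on success and -1 on failure. On a decompression failure errno is set
// to the negated puff() status, as before; on a write failure errno is the write error,
// or EIO if the descriptor stopped accepting data.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;
	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;
	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}
	// write() may transfer fewer bytes than requested; keep going until everything is
	// out or a real error occurs, instead of failing with a stale errno.
	unsigned long written = 0;
	while (written < destlen) {
		ssize_t n = write(dest_fd, dest + written, destlen - written);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			break;
		}
		if (n == 0) {
			errno = EIO;
			break;
		}
		written += (unsigned long)n;
	}
	if (written != destlen) {
		// The caller reads errno, so it must survive the cleanup.
		int saved = errno;
		munmap(dest, max_destlen);
		errno = saved;
		return -1;
	}
	return munmap(dest, max_destlen);
}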
// Pseudo-syscall: mount a filesystem, optionally from a compressed image.
//   fsarg      - pointer to the filesystem type string
//   dir        - pointer to the mount point path (created with mkdir if missing)
//   flags      - mount(2) flags
//   optsarg    - pointer to the mount option string
//   change_dir - if non-zero, chdir into the mount point after mounting
//   size/image - compressed image; when size is non-zero it is attached to
//                /dev/loop<procid> and used as the mount source
// Returns a descriptor for the mount point (or chdir's result when change_dir is set),
// or -1 with errno set to the error of the failing step.
static long syz_mount_image(
    volatile long fsarg,
    volatile long dir,
    volatile long flags,
    volatile long optsarg,
    volatile long change_dir,
    volatile unsigned long size,
    volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		// Only the device path is needed for mount(); the descriptor itself is not.
		close(loopfd);
		source = loopname;
	}
	// Result ignored: the directory may already exist.
	mkdir(target, 0777);
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Over-long option strings are silently truncated by the strncpy below; this branch
	// is empty in this build.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	// At most sizeof(opts) - 32 bytes are copied into the zeroed buffer, so the string is
	// always terminated and 32 bytes remain for the single option appended below (the
	// longest literal is 16 characters).
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Look for "errors=remount-ro" as a whole option, i.e. delimited by commas or
		// the ends of the string.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		// Append errors=continue when errors=panic was requested or remount-ro was not;
		// presumably so a corrupted image does not panic the machine under test.
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		// NOTE(review): res is overwritten here, so the descriptor opened above is
		// neither returned nor closed by this function when change_dir is set.
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}
	// Reached on success as well as on failure: the loop device is detached either way.
error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}
X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * 
X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define 
X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) 
#define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G 
| VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define 
VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e 
/* Guest-state VMCS field encodings (continued); these are the `field` arguments given to vmread()/vmwrite(). */
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826

/* AMD VMCB control-area byte offsets, used with the vmcb_read*()/vmcb_write*() helpers. */
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_EXITINFO2 0x080
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0

/* AMD VMCB guest-state byte offsets: per segment a 16-bit selector, 16-bit attribute, 32-bit limit and 64-bit base. */
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670
#define VMCB_RAX 0x5f8

/* Bits of the 16-bit VMCB segment attribute word, plus the composite values written for L2 code and data segments. */
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_TSS_BUSY 0x008b
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

/* NOTE(review): these two look like marker values to be patched into generated code; their users are not in this part of the file. */
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d

/* Sizing limits: the per-vCPU and per-L2-VM arrays in struct syzos_globals are dimensioned by the first two. */
#define KVM_MAX_VCPU 4
#define KVM_MAX_L2_VMS 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
/* 64-bit mask with bits l..h (inclusive) set. */
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))

extern char* __start_guest;

/*
 * Rebase the address of `fn` from the executor image into the guest:
 * its offset from &__start_guest is added to SYZOS_ADDR_EXECUTOR_CODE.
 * The volatile locals presumably keep the compiler from folding the
 * computation into a link-time constant; confirm before removing them.
 */
static always_inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

/*
 * Check that a vCPU stopped for the expected reason.
 *
 * a0: pointer to the vCPU's struct kvm_run, passed as a long.
 * a1: expected value of run->exit_reason.
 *
 * Returns 0 on a match. Returns -1 with errno = EINVAL when a0 is NULL and
 * -1 with errno = EDOM on a mismatch; both failures are reported on stderr.
 * a0 is only NULL-checked, so any other bad pointer is dereferenced as is.
 */
static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
{
	struct kvm_run* run = (struct kvm_run*)a0;
	uint64_t expect = a1;
	if (!run) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n");
		errno = EINVAL;
		return -1;
	}
	if (run->exit_reason != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n");
		/* NOTE(review): mmio.is_write is printed for every mismatch; presumably it is only meaningful after an MMIO exit. */
		fprintf(stderr, " is_write: %d\n", run->mmio.is_write);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason);
		errno = EDOM;
		return -1;
	}
	return 0;
}

/*
 * Command identifiers understood by the guest_main() dispatcher.
 * SYZOS_API_STOP is the exclusive upper bound: guest_main() rejects any
 * call >= SYZOS_API_STOP. Values in the gaps between the listed ids pass
 * that check and match no dispatcher branch, so they are skipped.
 */
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_LOAD_SYZOS = 310,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

/* Command layouts. Each starts with struct api_call_header (declared elsewhere in the file), which the dispatcher reads `call` and `size` from. */

/* SYZOS_API_UEXIT: report exit_code to the host. */
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};

/* SYZOS_API_CODE: raw instruction bytes; the dispatcher derives their length from header.size. */
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};

/* SYZOS_API_NESTED_LOAD_CODE: instruction bytes for the L2 VM selected by vm_id. */
struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};

/* SYZOS_API_NESTED_LOAD_SYZOS: a program for the L2 VM selected by vm_id. */
struct api_call_nested_load_syzos {
	struct api_call_header header;
	uint64_t vm_id;
	uint64_t unused_pages;
	uint8_t program[];
};

/* SYZOS_API_CPUID: leaf (eax) and subleaf (ecx) to query. */
struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

/*
 * General-purpose registers of an L2 guest as saved on VM exit. rsp is not
 * part of it. The field order matches the push sequence of the assembly
 * exit stub, so it must not be reordered.
 */
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

/* Flags for struct mem_region.flags; bit 4 is not defined here. */
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)
#define MEM_REGION_FLAG_REMAINING (1 << 7)

/* One guest-physical memory region: start address, length in pages (a signed int), MEM_REGION_FLAG_* bits. */
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

/* Region table that the guest reads at X86_SYZOS_ADDR_BOOT_ARGS; region_count bounds every loop over regions[]. */
struct syzos_boot_args {
	uint32_t region_count;
	uint32_t reserved;
	struct mem_region regions[];
};

/*
 * Guest-global state located at X86_SYZOS_ADDR_GLOBALS.
 * alloc_offset / total_size: state of the page allocator (guest_alloc_page).
 * text_sizes[cpu]: size of the command stream that guest_main() walks.
 * l2_ctx[cpu][vm]: L2 registers saved by the nested VM-exit handlers.
 * active_vm_id[cpu]: L2 VM index the exit handlers use for l2_ctx; they do
 * not range-check it against KVM_MAX_L2_VMS.
 */
struct syzos_globals {
	uint64_t alloc_offset;
	uint64_t total_size;
	uint64_t text_sizes[KVM_MAX_VCPU];
	struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS];
	uint64_t active_vm_id[KVM_MAX_VCPU];
};

/* Forward declarations of the guest-side routines (the list continues below). */
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
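GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_stgi();
GUEST_CODE static void guest_handle_nested_amd_clgi();
GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id);

/* Exit codes the guest reports through guest_uexit(); they occupy the top of the 64-bit range. */
typedef enum {
	UEXIT_END = (uint64_t)-1,
	UEXIT_IRQ = (uint64_t)-2,
	UEXIT_ASSERT = (uint64_t)-3,
	UEXIT_INVALID_MAIN = (uint64_t)-4,
} uexit_code;

typedef enum {
	CPU_VENDOR_INTEL,
	CPU_VENDOR_AMD,
} cpu_vendor_id;

/* Interrupt handler that returns immediately. Naked: the body is the whole function. */
__attribute__((naked)) GUEST_CODE static void dummy_null_handler()
{
	asm("iretq");
}

/* Interrupt handler that reports UEXIT_IRQ (-2) through guest_uexit() and then returns from the interrupt. */
__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
{
	/* One instruction per line: the assembler needs the line breaks to separate them. */
	asm volatile(R"(
	    movq $-2, %rdi
	    call guest_uexit
	    iretq
	)");
}

/*
 * Guest entry point: walk the command stream of vCPU `cpu` and dispatch
 * each command to its handler.
 *
 * The stream starts at X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE and is
 * globals->text_sizes[cpu] bytes long. Each command begins with a
 * struct api_call_header whose `size` covers the whole command.
 * `cpu` itself is not range-checked against KVM_MAX_VCPU here.
 *
 * A command is rejected with UEXIT_INVALID_MAIN when its id is
 * >= SYZOS_API_STOP, when its size runs past the remaining stream, or when
 * its size is smaller than the header. The last check matters: a size of 0
 * would otherwise never advance `addr` and the loop would spin forever.
 * The stream ends with UEXIT_END.
 */
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	uint64_t size = globals->text_sizes[cpu];
	uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;

	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		/*
		 * `call` is volatile and compared with an if-chain rather than a
		 * switch, presumably so the compiler cannot emit a jump table that
		 * would live outside the guest code section.
		 */
		volatile uint64_t call = cmd->call;
		/* Read the size once, so that validation and pointer advance use the same value. */
		uint64_t cmd_size = cmd->size;

		if ((call >= SYZOS_API_STOP) || (cmd_size > size) ||
		    (cmd_size < sizeof(struct api_call_header))) {
			guest_uexit(UEXIT_INVALID_MAIN);
			return;
		}
		/*
		 * NOTE(review): the handlers below cast cmd to a larger api_call_N
		 * layout without checking that cmd_size covers that layout, so a
		 * short command makes them read the bytes that follow it.
		 */
		if (call == SYZOS_API_UEXIT) {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
		} else if (call == SYZOS_API_CODE) {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			guest_execute_code(ccmd->insns, cmd_size - sizeof(struct api_call_header));
		} else if (call == SYZOS_API_CPUID) {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
		} else if (call == SYZOS_API_WRMSR) {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
		} else if (call == SYZOS_API_RDMSR) {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
		} else if (call == SYZOS_API_WR_CRN) {
			guest_handle_wr_crn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_WR_DRN) {
			guest_handle_wr_drn((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_IN_DX) {
			guest_handle_in_dx((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_OUT_DX) {
			guest_handle_out_dx((struct api_call_3*)cmd);
		} else if (call == SYZOS_API_SET_IRQ_HANDLER) {
			guest_handle_set_irq_handler((struct api_call_2*)cmd);
		} else if (call == SYZOS_API_ENABLE_NESTED) {
			guest_handle_enable_nested((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_CREATE_VM) {
			guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_CODE) {
			guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_LOAD_SYZOS) {
			guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMLAUNCH) {
			guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_VMRESUME) {
			guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) {
			guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) {
			guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_INVLPGA) {
			guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_STGI) {
			guest_handle_nested_amd_stgi();
		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
			guest_handle_nested_amd_clgi();
		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) {
			guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMLOAD) {
			guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu);
		} else if (call == SYZOS_API_NESTED_AMD_VMSAVE) {
			guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu);
		}
		addr += cmd_size;
		size -= cmd_size;
	}
	guest_uexit(UEXIT_END);
}

/* Call the bytes at `insns` as a function taking no arguments; `size` is not used. */
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	volatile void (*fn)() = (volatile void (*)())insns;
	fn();
}

/*
 * Report exit_code to the host by storing it to X86_SYZOS_ADDR_UEXIT.
 * Presumably that address is not backed by guest memory, so the store
 * leaves the guest; execution continues after the store once the host
 * resumes the vCPU, i.e. this function returns to its caller.
 */
__attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT;
	asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr)
		     : "memory");
}

/* Execute CPUID for leaf eax / subleaf ecx and discard the result. */
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	/* CPUID overwrites eax, ebx, ecx and edx, so eax/ecx are in-out operands, as in get_cpu_vendor(). */
	asm volatile(
	    "cpuid\n"
	    : "+a"(eax), "+c"(ecx)
	    :
	    : "rbx", "rdx");
}

/* Write the 64-bit `val` to MSR `reg`, split into edx:eax as WRMSR expects. */
GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val)
{
	asm volatile(
	    "wrmsr"
	    :
	    : "c"(reg),
	      "a"((uint32_t)val),
	      "d"((uint32_t)(val >> 32))
	    : "memory");
}

/* SYZOS_API_WRMSR: write an arbitrary MSR with an arbitrary value. */
GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	wrmsr(reg, val);
}

/* Read MSR `msr_id` and return its value, reassembled from edx:eax. */
GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id)
{
	uint32_t low = 0, high = 0;
	asm volatile("rdmsr"
		     : "=a"(low),
		       "=d"(high)
		     : "c"(msr_id));
	return ((uint64_t)high << 32) | low;
}

/* SYZOS_API_RDMSR: read an MSR for its side effects; the value is discarded. */
GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	(void)rdmsr(reg);
}

/*
 * SYZOS_API_WR_CRN: write args[1] to control register number args[0].
 * Only CR0, CR2, CR3, CR4 and CR8 are handled; any other number is ignored.
 * The register number is part of the instruction encoding, hence one asm
 * statement per register.
 */
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 8) {
		asm volatile("movq %0, %%cr8" ::"r"(value)
			     : "memory");
		return;
	}
}

/* SYZOS_API_WR_DRN: write args[1] to debug register DR0..DR7 selected by args[0]; other numbers are ignored. */
GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];
	if (reg == 0) {
		asm volatile("movq %0, %%dr0" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 1) {
		asm volatile("movq %0, %%dr1" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 2) {
		asm volatile("movq %0, %%dr2" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 3) {
		asm volatile("movq %0, %%dr3" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 4) {
		asm volatile("movq %0, %%dr4" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 5) {
		asm volatile("movq %0, %%dr5" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 6) {
		asm volatile("movq %0, %%dr6" ::"r"(value)
			     : "memory");
		return;
	}
	if (reg == 7) {
		asm volatile("movq %0, %%dr7" ::"r"(value)
			     : "memory");
		return;
	}
}

/*
 * SYZOS_API_IN_DX: read from I/O port args[0] (truncated to 16 bits) with
 * an access width of args[1] bytes (1, 2 or 4; anything else is ignored).
 * The value read is discarded.
 */
GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];

	if (size == 1) {
		uint8_t unused;
		asm volatile("inb %1, %0"
			     : "=a"(unused)
			     : "d"(port));
		return;
	}
	if (size == 2) {
		uint16_t unused;
		asm volatile("inw %1, %0"
			     : "=a"(unused)
			     : "d"(port));
		return;
	}
	if (size == 4) {
		uint32_t unused;
		asm volatile("inl %1, %0"
			     : "=a"(unused)
			     : "d"(port));
	}
	return;
}

/*
 * SYZOS_API_OUT_DX: write the low args[1] bytes (1, 2 or 4; anything else
 * is ignored) of args[2] to I/O port args[0] (truncated to 16 bits).
 */
GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
{
	uint16_t port = cmd->args[0];
	volatile int size = cmd->args[1];
	uint32_t data = (uint32_t)cmd->args[2];

	if (size == 1) {
		asm volatile("outb %b0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 2) {
		asm volatile("outw %w0, %w1" ::"a"(data), "d"(port));
		return;
	}
	if (size == 4) {
		asm volatile("outl %k0, %w1" ::"a"(data), "d"(port));
		return;
	}
}

/* 16-byte IDT gate descriptor for long mode; packed so the layout matches the hardware format. */
struct idt_entry_64 {
	uint16_t offset_low;
	uint16_t selector;
	uint8_t ist;
	uint8_t type_attr;
	uint16_t offset_mid;
	uint32_t offset_high;
	uint32_t reserved;
} __attribute__((packed));

/*
 * Point IDT entry `vector` (table at X86_SYZOS_ADDR_VAR_IDT) at `handler`.
 * type_attr 0x8E marks the gate present, DPL 0, 64-bit interrupt gate; the
 * gate uses the X86_SYZOS_SEL_CODE selector and no IST stack.
 */
GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler)
{
	volatile struct idt_entry_64* idt =
	    (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
	volatile struct idt_entry_64* idt_entry = &idt[vector];
	idt_entry->offset_low = (uint16_t)handler;
	idt_entry->offset_mid = (uint16_t)(handler >> 16);
	idt_entry->offset_high = (uint32_t)(handler >> 32);
	idt_entry->selector = X86_SYZOS_SEL_CODE;
	idt_entry->type_attr = 0x8E;
	idt_entry->ist = 0;
	idt_entry->reserved = 0;
}

/*
 * SYZOS_API_SET_IRQ_HANDLER: install a handler for vector args[0].
 * args[1] selects it: 1 = dummy_null_handler, 2 = uexit_irq_handler.
 * Any other value installs a present gate whose handler address is 0.
 */
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
	uint8_t vector = (uint8_t)cmd->args[0];
	uint64_t type = cmd->args[1];
	volatile uint64_t handler_addr = 0;
	if (type == 1)
		handler_addr = executor_fn_guest_addr(dummy_null_handler);
	else if (type == 2)
		handler_addr = executor_fn_guest_addr(uexit_irq_handler);
	set_idt_gate(vector, handler_addr);
}

/*
 * Identify the CPU vendor from EBX of CPUID leaf 0: 0x756e6547 is "Genu"
 * (GenuineIntel), 0x68747541 is "Auth" (AuthenticAMD). Any other vendor
 * reports UEXIT_ASSERT and, if the guest is resumed, is treated as Intel.
 */
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
	uint32_t ebx, eax = 0;

	asm volatile(
	    "cpuid"
	    : "+a"(eax), "=b"(ebx)
	    :
	    : "ecx", "edx");

	if (ebx == 0x756e6547) {
		return CPU_VENDOR_INTEL;
	} else if (ebx == 0x68747541) {
		return CPU_VENDOR_AMD;
	} else {
		guest_uexit(UEXIT_ASSERT);
		return CPU_VENDOR_INTEL;
	}
}

/* Return the current value of CR0. */
GUEST_CODE static inline uint64_t read_cr0(void)
{
	uint64_t val;
	asm volatile("mov %%cr0, %0"
		     : "=r"(val));
	return val;
}

/* Return the current value of CR3. */
GUEST_CODE static inline uint64_t read_cr3(void)
{
	uint64_t val;
	asm volatile("mov %%cr3, %0"
		     : "=r"(val));
	return val;
}

/* Return the current value of CR4. */
GUEST_CODE static inline uint64_t read_cr4(void)
{
	uint64_t val;
	asm volatile("mov %%cr4, %0"
		     : "=r"(val));
	return val;
}

/* Load CR4 with val. */
GUEST_CODE static inline void write_cr4(uint64_t val)
{
	asm volatile("mov %0, %%cr4"
		     :
		     : "r"(val));
}

/*
 * Write `value` to VMCS field `field` of the current VMCS.
 * setna captures CF or ZF, the two flags VMX instructions use to signal
 * failure; a failed write is reported as UEXIT_ASSERT.
 */
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
	uint8_t error = 0;
	asm volatile("vmwrite %%rax, %%rbx; setna %0"
		     : "=q"(error)
		     : "a"(value), "b"(field)
		     : "cc", "memory");
	if (error)
		guest_uexit(UEXIT_ASSERT);
}

/*
 * Read VMCS field `field` of the current VMCS.
 * NOTE(review): unlike vmwrite(), failure is not checked here, so the
 * returned value is whatever rax holds if the instruction fails.
 */
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
	uint64_t value;
	asm volatile("vmread %%rbx, %%rax"
		     : "=a"(value)
		     : "b"(field)
		     : "cc");
	return value;
}

GUEST_CODE static inline void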
nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t 
cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile 
uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 
16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); 
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || 
(reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == EXIT_REASON_EPT_VIOLATION) { uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS); if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3); return; } } syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )" : : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_NPF 0x400 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = 
basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == VMEXIT_NPF) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8); uint64_t vm_id = globals->active_vm_id[cpu_id]; guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs)); volatile uint64_t basic_reason = exit_reason & 0xFFFF; if (basic_reason == VMEXIT_NPF) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2); if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) { handle_nested_uexit(regs->rax); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3); return; } } syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, 
cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, 
VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; 
uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, 
X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME); vmcb_write64(vmcb_addr, VMCB_RAX, 0); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0); 
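init_vmcb_guest_state(cpu_id, vm_id); }

// Dispatches the "nested create VM" API call to the vendor-specific
// implementation. Every vendor other than CPU_VENDOR_INTEL takes the AMD path.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_create_vm_intel(cmd, cpu_id);
	} else {
		nested_create_vm_amd(cmd, cpu_id);
	}
}

// Walks the four-level page table rooted at X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id)
// and translates an L2 guest-physical address.
//
// Returns the translated address plus the page offset, or 0 when any level
// lacks X86_PDE64_PRESENT. Every level is treated as a pointer to the next
// table; large-page entries are not recognised.
//
// NOTE(review): ~0xFFF is an int constant, so after sign extension it clears
// only bits 0-11; any attribute bits stored above the address field of an
// entry would stay in the derived pointer. Confirm that the entries written
// by setup_l2_page_tables() never carry such bits.
GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa)
{
	uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (!(pml4[pml4_idx] & X86_PDE64_PRESENT))
		return 0;

	volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT))
		return 0;

	volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (!(pd[pd_idx] & X86_PDE64_PRESENT))
		return 0;

	volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	if (!(pt[pt_idx] & X86_PDE64_PRESENT))
		return 0;

	return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF);
}

// Copies the instruction bytes carried by the command into the page backing
// X86_SYZOS_ADDR_USER_CODE of the selected L2 VM, then points that VM's RIP
// at the code and its RSP near the top of the X86_SYZOS_ADDR_STACK_BOTTOM page.
//
// Reports 0xE2BAD4 through guest_uexit() and returns if the user-code address
// is not mapped in the L2 page tables. At most KVM_PAGE_SIZE bytes are copied.
//
// NOTE(review): cmd->vm_id is used unchecked to select per-VM addresses;
// confirm the caller bounds it.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE);
	if (!l2_code_backing) {
		guest_uexit(0xE2BAD4);
		return;
	}

	// header.size comes from the command stream. When it is smaller than the
	// fixed part of the command, the unsigned subtraction would wrap to a huge
	// value and the clamp below would turn that into a full-page copy from
	// memory past the end of the command. Treat such a command as carrying no code.
	// The sizeof(uint64_t) term presumably accounts for the vm_id field.
	uint64_t fixed_size = sizeof(struct api_call_header) + sizeof(uint64_t);
	uint64_t l2_code_size = 0;
	if (cmd->header.size > fixed_size)
		l2_code_size = cmd->header.size - fixed_size;
	if (l2_code_size > KVM_PAGE_SIZE)
		l2_code_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size);

	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		// The VMCS must be current before vmwrite() can target it.
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
		vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	} else {
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	}
}

// Loads a SYZOS program into the L2 VM so that the L2 guest itself runs
// guest_main: copies the program bytes to X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id),
// records the program size for every vCPU slot in the L2 copy of the globals,
// seeds the saved L2 registers (rdi = vCPU index, rax = 0) and sets RIP/RSP.
//
// Reports 0xE2BAD3 through guest_uexit() and returns if the globals page is
// not mapped in the L2 page tables; the program copy has already happened by then.
//
// NOTE(review): cmd->vm_id indexes globals->l2_ctx[i][vm_id] without a bound
// check here; confirm the caller validates it.
GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	// Same wrap-around guard as in guest_handle_nested_load_code(): a command
	// shorter than its fixed part carries no program bytes.
	uint64_t fixed_size = __builtin_offsetof(struct api_call_nested_load_syzos, program);
	uint64_t prog_size = 0;
	if (cmd->header.size > fixed_size)
		prog_size = cmd->header.size - fixed_size;
	uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;

	if (prog_size > KVM_PAGE_SIZE)
		prog_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size);

	uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS);
	if (!globals_pa) {
		guest_uexit(0xE2BAD3);
		return;
	}
	volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa;
	for (int i = 0; i < KVM_MAX_VCPU; i++) {
		l2_globals->text_sizes[i] = prog_size;
		globals->l2_ctx[i][vm_id].rdi = i;
		globals->l2_ctx[i][vm_id].rax = 0;
	}

	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, entry_rip);
		vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	} else {
		uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
		vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip);
		vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	}
}

GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint64_t vmx_error_code = 0; uint64_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); globals->active_vm_id[cpu_id] = vm_id; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov 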
%%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )" : [ret] "=&r"(fail_flag) : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; globals->active_vm_id[cpu_id] = vm_id; struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id]; uint8_t fail_flag = 0; asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push 
%%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )" : [fail_flag] "=m"(fail_flag) : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs)) : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, 
vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); }

// Executes INVLPGA with the linear address from args[0] and the ASID from the
// low 32 bits of args[1]. Does nothing on a non-AMD CPU. cpu_id is unused.
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t linear_addr = cmd->args[0];
	uint32_t asid = (uint32_t)cmd->args[1];
	// The operands are implicit: address in rAX ("a"), ASID in ECX ("c").
	asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// Executes STGI (set the global interrupt flag). Does nothing on a non-AMD CPU.
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("stgi" ::: "memory");
}

// Executes CLGI (clear the global interrupt flag). Does nothing on a non-AMD CPU.
GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("clgi" ::: "memory");
}

// Builds a 64-bit event-injection word from the command and stores it in the
// VMCB of the selected L2 VM. Does nothing on a non-AMD CPU.
//
//   args[0]  vm_id
//   args[1]  vector      -> bits 7:0
//   args[2]  type        -> bits 10:8
//   args[3]  error code  -> bits 63:32
//   args[4]  flags: bit 1 sets bit 11, bit 0 sets bit 31
//
// The layout matches the SVM EVENTINJ field (bit 11 = error code valid,
// bit 31 = valid).
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t vector = cmd->args[1] & 0xFF;
	uint64_t type = cmd->args[2] & 0x7;
	uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];
	uint64_t event_inj = vector;
	event_inj |= (type << 8);
	if (flags & 2)
		event_inj |= (1ULL << 11);
	if (flags & 1)
		event_inj |= (1ULL << 31);
	event_inj |= (error_code << 32);
	// NOTE(review): AMD's published VMCB layout puts EVENTINJ at offset 0xA8;
	// offset 0x60 is the virtual-interrupt control field there. Confirm which
	// field this write is meant to hit, and prefer a named VMCB_* constant
	// over the bare offset.
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}

GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t bit_mask = cmd->args[2]; uint64_t action = cmd->args[3]; uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset); if 
(action == 1) current |= (uint32_t)bit_mask; else current &= ~((uint32_t)bit_mask); vmcb_write32(vmcb_addr, (uint16_t)offset, current); } GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmload %%rax" ::"a"(vmcb_pa) : "memory"); } GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->arg; uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); asm volatile("vmsave %%rax" ::"a"(vmcb_pa) : "memory"); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed));

// 64-bit TSS image; packed so that the fields sit at fixed byte offsets.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Packs *seg into one 8-byte descriptor and stores it at slot
// (seg->selector >> 3) of both tables dt and lt.
//
// Neither table is bounds-checked: the caller must make sure the slot derived
// from the selector exists in both.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	// With the granularity bit set the limit is stored in 4 KiB units.
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	// NOTE(review): the two terms shifted by 48 and 56 below always evaluate
	// to 0. (limit & 0xf0000) occupies bits 16-19 and (base & 0xff000000)
	// bits 24-31, so those shifts push every set bit past bit 63. An x86
	// descriptor keeps limit[19:16] at bits 48-51 and base[31:24] at bits
	// 56-63, which would be a shift of 32 in both cases. Confirm whether the
	// truncation is intended before relying on high base/limit bits.
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// Same as fill_segment_descriptor(), but for a descriptor that takes two
// consecutive 8-byte slots: the slot after the packed one is zeroed in both tables.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Programs the SYSENTER and SYSCALL MSRs of a vCPU with one KVM_SET_MSRS call.
//
//   cpufd        vCPU file descriptor
//   sel_cs       selector written to SYSENTER_CS and to STAR bits 47:32
//   sel_cs_cpl3  selector written to STAR bits 63:48
//
// The ioctl result is ignored, so a rejected MSR write goes unnoticed.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	// Header plus five entries, carved out of a zeroed stack buffer.
	// NOTE(review): buf is a plain char array accessed through a
	// struct kvm_msrs pointer; its alignment is not stated by the declaration.
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Points sregs->idt at guest_mem + X86_ADDR_VAR_IDT and fills the first 32
// eight-byte entries through the host mapping (host_mem + idt.base).
//
// The segment-descriptor packer is reused for gates: the gate's target
// selector travels in gate.base and the handler address in gate.limit.
// The type/selector pair cycles through six combinations (i % 6).
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		// Every field read by fill_segment_descriptor() is assigned below;
		// the remaining members of gate stay uninitialised.
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 
14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } }

// Guest-physical memory layout of a SYZOS VM. Each entry is presumably
// {gpa, pages, flags}, matching the r->gpa / r->pages / r->flags accesses
// below (struct mem_region is declared elsewhere). The last entry carries
// MEM_REGION_FLAG_REMAINING and a page count of 0; setup_pg_table() gives it
// whatever is left of the VM's page budget.
static const struct mem_region syzos_mem_regions[] = {
	{X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0},
	{X86_SYZOS_ADDR_VAR_IDT, 10, 0},
	{X86_SYZOS_ADDR_BOOT_ARGS, 1, 0},
	{X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0},
	{X86_SYZOS_ADDR_GLOBALS, 1, 0},
	{X86_SYZOS_ADDR_SMRAM, 10, 0},
	{X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM},
	{X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG},
	{X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE},
	{SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE},
	{X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0},
	{X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0},
	{X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0},
	{X86_SYZOS_ADDR_IOAPIC, 1, 0},
	{X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING},
};

#define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]))

// Host-side state of one SYZOS VM. region_base[i] is the host address that
// backs syzos_mem_regions[i].
struct kvm_syz_vm {
	int vmfd;
	int next_cpu_id;
	void* host_mem;
	size_t total_pages;
	void* user_text;
	void* gpa0_mem;
	void* pt_pool_mem;
	void* globals_mem;
	void* region_base[SYZOS_REGION_COUNT];
};

// Translates a guest-physical address to the host address backing it.
//
// Regions flagged MEM_REGION_FLAG_NO_HOST_MEM are skipped and the scan stops
// at the entry whose gpa is X86_SYZOS_ADDR_UNUSED, so addresses in the
// trailing "remaining" region are never translated. Returns NULL when no
// region contains gpa; callers have to check for that.
static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa)
{
	for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM)
			continue;
		if (r->gpa == X86_SYZOS_ADDR_UNUSED)
			break;
		size_t region_size = r->pages * KVM_PAGE_SIZE;
		if (gpa >= r->gpa && gpa < r->gpa + region_size)
			return (void*)((char*)vm->region_base[i] + (gpa - r->gpa));
	}
	return NULL;
}

#define X86_NUM_IDT_ENTRIES 256

// Points sregs->idt at X86_SYZOS_ADDR_VAR_IDT and fills all
// X86_NUM_IDT_ENTRIES entries with the same gate: selector
// X86_SYZOS_SEL_CODE, type_attr 0x8E (present, DPL 0, interrupt gate),
// handler = guest address of dummy_null_handler.
//
// NOTE(review): the result of gpa_to_hva() is used without a NULL check.
// X86_SYZOS_ADDR_VAR_IDT is listed in syzos_mem_regions, so the lookup is
// expected to succeed, but it does depend on region_base[] being filled in
// before this runs.
static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs)
{
	sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT;
	sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1;
	volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base);
	uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler);
	for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) {
		// The 64-bit handler address is split into 16/16/32-bit pieces.
		idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF);
		idt[i].selector = X86_SYZOS_SEL_CODE;
		idt[i].ist = 0;
		idt[i].type_attr = 0x8E;
		idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF);
		idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF);
		idt[i].reserved = 0;
	}
}

struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Address bits 51:12 of a page-table entry.
#define PAGE_MASK GENMASK_ULL(51, 12)

// Bump allocator over a range of guest-physical pages: next_page is the next
// page to hand out, last_page the end of the range (exclusive).
typedef struct {
	uint64_t next_page;
	uint64_t last_page;
} page_alloc_t;

// Returns the guest-physical address of the next free page and advances the
// allocator by KVM_PAGE_SIZE. Terminates the process with exit(1) when the
// range is exhausted.
static uint64_t pg_alloc(page_alloc_t* alloc)
{
	if (alloc->next_page >= alloc->last_page)
		exit(1);
	uint64_t page = alloc->next_page;
	alloc->next_page += KVM_PAGE_SIZE;
	return page;
}

// Returns the host pointer for the page table located at guest-physical
// address gpa. Addresses inside the page-table pool map into vm->pt_pool_mem;
// anything else is taken as an offset into vm->gpa0_mem.
//
// NOTE(review): the fallback applies no upper bound, while setup_pg_table()
// zeroes only 5 pages of gpa0_mem. A table address outside both ranges would
// yield a host pointer past that mapping. The entries built by map_4k_page()
// come from pg_alloc() (pool) or from the PML4 slot in gpa0_mem.
static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa)
{
	if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) {
		uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL;
		return (uint64_t*)((char*)vm->pt_pool_mem + offset);
	}
	return (uint64_t*)((char*)vm->gpa0_mem + gpa);
}

// Identity-maps the 4 KiB page containing gpa in the four-level table rooted
// at X86_SYZOS_ADDR_PML4, allocating missing intermediate tables from alloc.
// All entries are created present and writable. Tables are allocated in walk
// order, so the pool layout depends on the order in which pages are mapped.
static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa)
{
	uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4);
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (pml4[pml4_idx] == 0)
		pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK);
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (pdpt[pdpt_idx] == 0)
		pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK);
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (pd[pd_idx] == 0)
		pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc);
	uint64_t* pt = get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK);
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	// Leaf entry: guest-physical == mapped address (identity mapping).
	pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW;
}

// Identity-maps num_pages consecutive 4 KiB pages starting at gpa_start and
// returns num_pages. A non-positive count maps nothing.
//
// NOTE(review): i * KVM_PAGE_SIZE is evaluated in the type of KVM_PAGE_SIZE
// (defined elsewhere); if that is a plain int the product can overflow for
// large regions. Confirm the macro's type.
static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages)
{
	for (int i = 0; i < num_pages; i++)
		map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE));
	return num_pages;
}

// Builds the guest page tables: zeroes the page-table pool and the first
// 5 pages at gpa0_mem, then identity-maps every region of syzos_mem_regions
// in table order. The region flagged MEM_REGION_FLAG_REMAINING receives the
// pages left over from vm->total_pages and ends the walk; the process exits
// if the fixed regions already exceed that budget.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	// NOTE(review): total_pages is a size_t narrowed to int here.
	int total = vm->total_pages;
	page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE};
	memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE);
	// 5 matches the page count of the X86_SYZOS_ADDR_ZERO entry in
	// syzos_mem_regions; the two have to be kept in sync by hand.
	memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE);
	for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
		int pages = syzos_mem_regions[i].pages;
		if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) {
			if (total < 0)
				exit(1);
			pages = total;
		}
		map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages);
		// Regions without host memory are mapped but do not consume the budget.
		if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM))
			total -= pages;
		if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING)
			break;
	}
}

// One 8-byte GDT descriptor, split into the fields of the x86 layout.
struct gdt_entry {
	uint16_t limit_low;
	uint16_t base_low;
	uint8_t base_mid;
	uint8_t access;
	uint8_t limit_high_and_flags;
	uint8_t base_high;
} __attribute__((packed));

static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; 
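gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){
	    .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32),
	    .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48),
	    .base_mid = 0,
	    .access = 0,
	    .limit_high_and_flags = 0,
	    .base_high = 0};
}

/*
 * Execute CPUID on the host with the given leaf (eax) and sub-leaf (ecx) and
 * store the four result registers. Outputs are zeroed first.
 */
static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d)
{
	*a = *b = *c = *d = 0;
	asm volatile("cpuid"
		     : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
		     : "a"(eax), "c"(ecx));
}

/*
 * Program a vCPU's special registers for 64-bit paged execution: GDT, flat
 * code/data segments, task register, page tables, IDT, CR0/CR4/EFER and CR3.
 * On an AMD host, SVME is also enabled and the per-vCPU arch-specific page is
 * cleared.
 *
 * ioctl results are not checked (best-effort setup); the function returns
 * nothing.
 */
static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id)
{
	struct kvm_sregs sregs;
	/*
	 * Start from a known state: if KVM_GET_SREGS fails, the fields this
	 * function does not overwrite would otherwise carry stack garbage into
	 * KVM_SET_SREGS below.
	 */
	memset(&sregs, 0, sizeof(sregs));
	ioctl(cpufd, KVM_GET_SREGS, &sregs);

	sregs.gdt.base = X86_SYZOS_ADDR_GDT;
	/* Room for five descriptors; presumably matches the slots setup_gdt_64() writes - verify against the selector values. */
	sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1;
	struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base);

	/* Flat 64-bit code segment (l = 1). */
	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SYZOS_SEL_CODE;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;

	/* Flat data segment shared by ds/es/fs/gs/ss. */
	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SYZOS_SEL_DATA;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	seg_ds64.db = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;
	sregs.fs = seg_ds64;
	sregs.gs = seg_ds64;
	sregs.ss = seg_ds64;

	/* Task register: system descriptor (s = 0) covering 0x68 bytes. */
	struct kvm_segment seg_tr;
	memset(&seg_tr, 0, sizeof(seg_tr));
	seg_tr.selector = X86_SYZOS_SEL_TSS64;
	seg_tr.type = 11;
	seg_tr.base = X86_SYZOS_ADDR_VAR_TSS;
	seg_tr.limit = 0x67;
	seg_tr.present = 1;
	seg_tr.s = 0;
	sregs.tr = seg_tr;

	/* Clear the 104-byte TSS and set the field at offset 4 (RSP0 in the 64-bit TSS layout). */
	volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS);
	memset((void*)l1_tss, 0, 104);
	*(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0;

	setup_pg_table(vm);
	setup_gdt_64(gdt);
	syzos_setup_idt(vm, &sregs);

	sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
	sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
	sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);

	/* Vendor check: these three constants spell "AuthenticAMD" in ebx/edx/ecx. */
	uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
	get_cpuid(0, 0, &eax, &ebx, &ecx, &edx);
	if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) {
		sregs.efer |= X86_EFER_SVME;
		void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id));
		memset(hsave_host, 0, KVM_PAGE_SIZE);
	}

	sregs.cr3 = X86_ADDR_PML4;
	ioctl(cpufd, KVM_SET_SREGS, &sregs);
}

/*
 * Copy the host's supported CPUID table (up to 128 entries) into the vCPU.
 * The table is only applied when it was actually retrieved: without these
 * checks a failed open() or KVM_GET_SUPPORTED_CPUID would push 128 all-zero
 * entries into the vCPU.
 */
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);
	if (kvmfd == -1)
		return;
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	if (ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid) == 0)
		ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
}

/* Bit flags accepted in syz_kvm_setup_cpu()'s flags argument (a5). */
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

/*
 * Configure a vCPU and its guest memory for the legacy KVM test setup.
 * Arguments arrive as raw longs: a0 = VM fd, a1 = vCPU fd, a2 = host memory,
 * a3 = kvm_text array, a4 = its length (unused), a5 = KVM_SETUP_* flags,
 * a6 = kvm_opt array, a7 = its length. Returns 0 on success, -1 when one of
 * the checked KVM ioctls fails.
 *
 * Only text_array_ptr[0] is consumed, and it is dereferenced without a NULL
 * check.
 */
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text = text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	/* One memory slot per guest page; the page at index ioapic_page gets a different guest address below. */
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
		memreg.guest_phys_addr = guest_mem + i * page_size;
		if (i == ioapic_page)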
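memreg.guest_phys_addr = 0xfec00000;
		memreg.memory_size = page_size;
		memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
		ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	}
	/* Extra slot that exposes the first 64 KiB of host_mem again at guest address 0x30000. */
	struct kvm_userspace_memory_region memreg;
	memreg.slot = 1 + (1 << 16);
	memreg.flags = 0;
	memreg.guest_phys_addr = 0x30000;
	memreg.memory_size = 64 << 10;
	memreg.userspace_addr = (uintptr_t)host_mem;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);

	struct kvm_sregs sregs;
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return -1;
	struct kvm_regs regs;
	/* The page showed a mangled character in place of "&reg" here; the argument is the address of regs. */
	memset(&regs, 0, sizeof(regs));
	regs.rip = guest_mem + X86_ADDR_TEXT;
	regs.rsp = X86_ADDR_STACK0;

	sregs.gdt.base = guest_mem + X86_ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);

	struct kvm_segment seg_ldt;
	memset(&seg_ldt, 0, sizeof(seg_ldt));
	seg_ldt.selector = X86_SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = guest_mem + X86_ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);

	/*
	 * Code/data segment templates. Every later variant is a copy of an
	 * earlier one with the selector and one or two attributes changed
	 * (type, db, l, dpl).
	 */
	struct kvm_segment seg_cs16;
	memset(&seg_cs16, 0, sizeof(seg_cs16));
	seg_cs16.selector = X86_SEL_CS16;
	seg_cs16.type = 11;
	seg_cs16.base = 0;
	seg_cs16.limit = 0xfffff;
	seg_cs16.present = 1;
	seg_cs16.dpl = 0;
	seg_cs16.s = 1;
	seg_cs16.g = 0;
	seg_cs16.db = 0;
	seg_cs16.l = 0;

	struct kvm_segment seg_ds16 = seg_cs16;
	seg_ds16.selector = X86_SEL_DS16;
	seg_ds16.type = 3;

	struct kvm_segment seg_cs16_cpl3 = seg_cs16;
	seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3;
	seg_cs16_cpl3.dpl = 3;

	struct kvm_segment seg_ds16_cpl3 = seg_ds16;
	seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3;
	seg_ds16_cpl3.dpl = 3;

	struct kvm_segment seg_cs32 = seg_cs16;
	seg_cs32.selector = X86_SEL_CS32;
	seg_cs32.db = 1;

	struct kvm_segment seg_ds32 = seg_ds16;
	seg_ds32.selector = X86_SEL_DS32;
	seg_ds32.db = 1;

	struct kvm_segment seg_cs32_cpl3 = seg_cs32;
	seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3;
	seg_cs32_cpl3.dpl = 3;

	struct kvm_segment seg_ds32_cpl3 = seg_ds32;
	seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3;
	seg_ds32_cpl3.dpl = 3;

	struct kvm_segment seg_cs64 = seg_cs16;
	seg_cs64.selector = X86_SEL_CS64;
	seg_cs64.l = 1;

	struct kvm_segment seg_ds64 = seg_ds32;
	seg_ds64.selector = X86_SEL_DS64;

	struct kvm_segment seg_cs64_cpl3 = seg_cs64;
	seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3;
	seg_cs64_cpl3.dpl = 3;

	struct kvm_segment seg_ds64_cpl3 = seg_ds64;
	seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3;
	seg_ds64_cpl3.dpl = 3;

	/* Task-state segment descriptors, again derived by copy-and-modify. */
	struct kvm_segment seg_tss32;
	memset(&seg_tss32, 0, sizeof(seg_tss32));
	seg_tss32.selector = X86_SEL_TSS32;
	seg_tss32.type = 9;
	seg_tss32.base = X86_ADDR_VAR_TSS32;
	seg_tss32.limit = 0x1ff;
	seg_tss32.present = 1;
	seg_tss32.dpl = 0;
	seg_tss32.s = 0;
	seg_tss32.g = 0;
	seg_tss32.db = 0;
	seg_tss32.l = 0;

	struct kvm_segment seg_tss32_2 = seg_tss32;
	seg_tss32_2.selector = X86_SEL_TSS32_2;
	seg_tss32_2.base = X86_ADDR_VAR_TSS32_2;

	struct kvm_segment seg_tss32_cpl3 = seg_tss32;
	seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3;
	seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3;

	struct kvm_segment seg_tss32_vm86 = seg_tss32;
	seg_tss32_vm86.selector = X86_SEL_TSS32_VM86;
	seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86;

	struct kvm_segment seg_tss16 = seg_tss32;
	seg_tss16.selector = X86_SEL_TSS16;
	seg_tss16.base = X86_ADDR_VAR_TSS16;
	seg_tss16.limit = 0xff;
	seg_tss16.type = 1;

	struct kvm_segment seg_tss16_2 = seg_tss16;
	seg_tss16_2.selector = X86_SEL_TSS16_2;
	seg_tss16_2.base = X86_ADDR_VAR_TSS16_2;
	seg_tss16_2.dpl = 0;

	struct kvm_segment seg_tss16_cpl3 = seg_tss16;
	seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3;
	seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3;
	seg_tss16_cpl3.dpl = 3;

	struct kvm_segment seg_tss64 = seg_tss32;
	seg_tss64.selector = X86_SEL_TSS64;
	seg_tss64.base = X86_ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;

	struct kvm_segment seg_tss64_cpl3 = seg_tss64;
	seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3;
	seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3;
	seg_tss64_cpl3.dpl = 3;

	/* Gate descriptors: here base carries a selector and limit carries an offset. */
	struct kvm_segment seg_cgate16;
	memset(&seg_cgate16, 0, sizeof(seg_cgate16));
	seg_cgate16.selector = X86_SEL_CGATE16;
	seg_cgate16.type = 4;
	seg_cgate16.base = X86_SEL_CS16 | (2 << 16);
	seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2;
	seg_cgate16.present = 1;
	seg_cgate16.dpl = 0;
	seg_cgate16.s = 0;
	seg_cgate16.g = 0;
	seg_cgate16.db = 0;
	seg_cgate16.l = 0;
	seg_cgate16.avl = 0;

	struct kvm_segment seg_tgate16 = seg_cgate16;
	seg_tgate16.selector = X86_SEL_TGATE16;
	seg_tgate16.type = 3;
	/*
	 * NOTE(review): the next line assigns seg_cgate16.base, not
	 * seg_tgate16.base, although it sits between two seg_tgate16
	 * assignments and the 32-bit sibling below sets seg_tgate32.base.
	 * As written, seg_tgate16 keeps the call-gate base, and seg_cgate16
	 * (plus seg_cgate32/seg_cgate64, copied from it afterwards) starts from
	 * X86_SEL_TSS16_2. Left unchanged because it alters the descriptors the
	 * guest sees - confirm the intent before touching it.
	 */
	seg_cgate16.base = X86_SEL_TSS16_2;
	seg_tgate16.limit = 0;

	struct kvm_segment seg_cgate32 = seg_cgate16;
	seg_cgate32.selector = X86_SEL_CGATE32;
	seg_cgate32.type = 12;
	seg_cgate32.base = X86_SEL_CS32 | (2 << 16);

	struct kvm_segment seg_tgate32 = seg_cgate32;
	seg_tgate32.selector = X86_SEL_TGATE32;
	seg_tgate32.type = 11;
	seg_tgate32.base = X86_SEL_TSS32_2;
	seg_tgate32.limit = 0;

	struct kvm_segment seg_cgate64 = seg_cgate16;
	seg_cgate64.selector = X86_SEL_CGATE64;
	seg_cgate64.type = 12;
	seg_cgate64.base = X86_SEL_CS64;

	/*
	 * Mirror the host's supported CPUID table into the vCPU.
	 * NOTE(review): neither open() nor KVM_GET_SUPPORTED_CPUID is checked,
	 * so on failure an all-zero 128-entry table is handed to KVM_SET_CPUID2.
	 */
	int kvmfd = open("/dev/kvm", O_RDWR);
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
	ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);

	/* Optional mode-switch stub copied in front of the user text, chosen by text_type and flags. */
	const char* text_prefix = 0;
	int text_prefix_size = 0;
	char* host_text = host_mem + X86_ADDR_TEXT;

	if (text_type == 8) {
		if (flags & KVM_SETUP_SMM) {
			if (flags & KVM_SETUP_PROTECTED) {
				sregs.cs = seg_cs16;
				sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
				sregs.cr0 |= X86_CR0_PE;
			} else {
				sregs.cs.selector = 0;
				sregs.cs.base = 0;
			}
			/* 0xf4 (HLT) at the normal entry point; the user text goes to offset 0x8000 instead. */
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_VIRT86) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			sregs.cr0 |= X86_CR0_PE;
			sregs.efer |= X86_EFER_SCE;
			setup_syscall_msrs(cpufd,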
X86_SEL_CS32, X86_SEL_CS32_CPL3);
			setup_32bit_idt(&sregs, host_mem, guest_mem);
			if (flags & KVM_SETUP_PAGING) {
				/* Single page-directory entry with the PS (large page) bit; CR4.PSE enables it. */
				uint64_t pd_addr = guest_mem + X86_ADDR_PD;
				uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
				pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
				sregs.cr3 = pd_addr;
				sregs.cr4 |= X86_CR4_PSE;
				text_prefix = kvm_asm32_paged_vm86;
				/* sizeof - 1: the stub arrays are presumably string literals with a trailing NUL - TODO confirm. */
				text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
			} else {
				text_prefix = kvm_asm32_vm86;
				text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
			}
		} else {
			sregs.cs.selector = 0;
			sregs.cs.base = 0;
		}
	} else if (text_type == 16) {
		if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
			text_prefix = kvm_asm16_cpl3;
			text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
		} else {
			sregs.cr0 |= X86_CR0_PE;
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
		}
	} else if (text_type == 32) {
		sregs.cr0 |= X86_CR0_PE;
		sregs.efer |= X86_EFER_SCE;
		setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
		setup_32bit_idt(&sregs, host_mem, guest_mem);
		/* The flag checks are an else-if chain: SMM wins over PAGING, which wins over CPL3. */
		if (flags & KVM_SETUP_SMM) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			/* 0xf4 (HLT) at the normal entry point; the user text goes to offset 0x8000 instead. */
			*(host_mem + X86_ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_PAGING) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			uint64_t pd_addr = guest_mem + X86_ADDR_PD;
			uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
			pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
			sregs.cr3 = pd_addr;
			sregs.cr4 |= X86_CR4_PSE;
			text_prefix = kvm_asm32_paged;
			text_prefix_size = sizeof(kvm_asm32_paged) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs32_cpl3;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
		} else {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		}
	} else {
		/* Any other text_type: long-mode setup. The vCPU starts on the 32-bit segments; a prefix stub is always selected below. */
		sregs.efer |= X86_EFER_LME | X86_EFER_SCE;
		sregs.cr0 |= X86_CR0_PE;
		setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3);
		setup_64bit_idt(&sregs, host_mem, guest_mem);
		sregs.cs = seg_cs32;
		sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		/* One entry per level: PML4[0] -> PDPT[0] -> PD[0], the last with the PS (large page) bit. */
		uint64_t pml4_addr = guest_mem + X86_ADDR_PML4;
		uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4);
		uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP;
		uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP);
		uint64_t pd_addr = guest_mem + X86_ADDR_PD;
		uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
		pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr;
		pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr;
		pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS;
		sregs.cr3 = pml4_addr;
		sregs.cr4 |= X86_CR4_PAE;
		if (flags & KVM_SETUP_VM) {
			sregs.cr0 |= X86_CR0_NE;
			/* Store guest addresses of the VMXON/VMCS areas and the VM-exit stub in fixed variable slots. */
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON;
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS;
			memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1);
			*((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE;
			text_prefix = kvm_asm64_init_vm;
			text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			text_prefix = kvm_asm64_cpl3;
			text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
		} else {
			text_prefix = kvm_asm64_enable_long;
			text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
		}
	}

	/*
	 * Task-state segments are built in a local struct and copied into guest
	 * memory at the base of the matching descriptor. The pointers kept
	 * (tss16_addr, tss16_cpl3_addr, tss32_addr, tss32_cpl3_addr) are used
	 * again later when the rflags option is applied.
	 */
	struct tss16 tss16;
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
	tss16.ip = X86_ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = X86_SEL_CS16;
	tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16;
	tss16.ldt = X86_SEL_LDT;
	struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
	memcpy(tss16_addr, &tss16, sizeof(tss16));

	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
	tss16.ip = X86_ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = X86_SEL_CS16_CPL3;
	tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3;
	tss16.ldt = X86_SEL_LDT;
	struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base);
	memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));

	struct tss32 tss32;
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
	tss32.ip = X86_ADDR_VAR_USER_CODE;
	/* Bit 17 is the VM (virtual-8086) bit of EFLAGS; this copy goes to the vm86 TSS. */
	tss32.flags = (1 << 1) | (1 << 17);
	tss32.ldt = X86_SEL_LDT;
	tss32.cr3 = sregs.cr3;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
	memcpy(tss32_addr, &tss32, sizeof(tss32));

	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
	tss32.ip = X86_ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1);
	tss32.cr3 = sregs.cr3;
	tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32;
	tss32.cs = X86_SEL_CS32;
	tss32.ldt = X86_SEL_LDT;
	tss32.cr3 = sregs.cr3;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	/* NOTE(review): despite its name this pointer targets seg_tss32_2.base, not seg_tss32_cpl3.base, and the TSS uses the CPL0 selectors - confirm intent. */
	struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
	memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));

	struct tss64 tss64;
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
	memcpy(tss64_addr, &tss64, sizeof(tss64));

	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
	memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));

	/* Clamp the caller-supplied length before it is used as a copy size into guest memory. */
	if (text_size > 1000)
		text_size = 1000;
	if
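(text_prefix) {
		memcpy(host_text, text_prefix, text_prefix_size);
		/* Patch the first occurrence of the 4-byte placeholder with a guest address 6 bytes past the placeholder's own position. */
		void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
		if (patch)
			*((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6;
		/* Patch the 16-bit X86_PREFIX_SIZE placeholder with the guest address where the user text starts. */
		uint16_t magic = X86_PREFIX_SIZE;
		patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
		if (patch)
			*((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size;
	}
	/*
	 * User text goes right after the prefix, followed by 0xf4 (HLT) so that
	 * running off the end stops the vCPU. text_size has already been clamped
	 * by this point; text itself is not checked for NULL.
	 */
	memcpy((void*)(host_text + text_prefix_size), text, text_size);
	*(host_text + text_prefix_size + text_size) = 0xf4;
	/* Second copy of the same text at the fixed user-code slot, also HLT-terminated. */
	memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size);
	*(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4;

	/* Small fixed stubs, each ending in 0xf4 (HLT). */
	*(host_mem + X86_ADDR_VAR_HLT) = 0xf4;
	memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
	memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);

	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0;
	*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0;

	/* At most two options are honoured, whatever count the caller passed. */
	if (opt_count > 2)
		opt_count = 2;
	for (uintptr_t i = 0; i < opt_count; i++) {
		uint64_t typ = opt_array_ptr[i].typ;
		uint64_t val = opt_array_ptr[i].val;
		/* Every case masks val to an allow-list of bits before it touches state. */
		switch (typ % 9) {
		case 0:
			sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD);
			break;
		case 1:
			sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE |
					    X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE |
					    X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
			break;
		case 2:
			sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE);
			break;
		case 3:
			/* The same masked bits are toggled in the vCPU's rflags and in four of the TSS images. */
			val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
			regs.rflags ^= val;
			tss16_addr->flags ^= val;
			tss16_cpl3_addr->flags ^= val;
			tss32_addr->flags ^= val;
			tss32_cpl3_addr->flags ^= val;
			break;
		case 4:
			/* Cases 4-7 change the local descriptor templates only; they are written to the GDT/LDT below. */
			seg_cs16.type = val & 0xf;
			seg_cs32.type = val & 0xf;
			seg_cs64.type = val & 0xf;
			break;
		case 5:
			seg_cs16_cpl3.type = val & 0xf;
			seg_cs32_cpl3.type = val & 0xf;
			seg_cs64_cpl3.type = val & 0xf;
			break;
		case 6:
			seg_ds16.type = val & 0xf;
			seg_ds32.type = val & 0xf;
			seg_ds64.type = val & 0xf;
			break;
		case 7:
			seg_ds16_cpl3.type = val & 0xf;
			seg_ds32_cpl3.type = val & 0xf;
			seg_ds64_cpl3.type = val & 0xf;
			break;
		case 8:
			*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
			*(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16);
			break;
		default:
			/* Not reachable for typ % 9; kept as a hard stop. */
			exit(1);
		}
	}
	/* Bit 1 of rflags is always set, whatever the option loop toggled. */
	regs.rflags |= 2;

	/* Materialise every descriptor template into the guest's GDT/LDT. */
	fill_segment_descriptor(gdt, ldt, &seg_ldt);
	fill_segment_descriptor(gdt, ldt, &seg_cs16);
	fill_segment_descriptor(gdt, ldt, &seg_ds16);
	fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs32);
	fill_segment_descriptor(gdt, ldt, &seg_ds32);
	fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs64);
	fill_segment_descriptor(gdt, ldt, &seg_ds64);
	fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
	fill_segment_descriptor(gdt, ldt, &seg_tss16);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cgate16);
	fill_segment_descriptor(gdt, ldt, &seg_tgate16);
	fill_segment_descriptor(gdt, ldt, &seg_cgate32);
	fill_segment_descriptor(gdt, ldt, &seg_tgate32);
	fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);

	if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
		return -1;
	/* The page showed a mangled character in place of "&reg" here; the argument is the address of regs. */
	if (ioctl(cpufd, KVM_SET_REGS, &regs))
		return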
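-1;
	return 0;
}

/* rflags bit 1 (always set) and bit 9 (interrupt enable). */
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

/*
 * Reset a vCPU's general-purpose registers: everything zero except rflags
 * (bits 1 and 9), rip (entry point), rsp (initial stack) and rdi (the vCPU
 * id). The KVM_SET_REGS result is not checked.
 */
static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id)
{
	struct kvm_regs regs;
	/* The page showed a mangled character in place of "&reg" in both calls below; the argument is the address of regs. */
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = rip;
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

/*
 * Copy one vCPU's user code into its own page of the user-text region and
 * bring the vCPU to a runnable state (segments, paging, CPUID, registers).
 *
 * cpu_id outside [0, KVM_MAX_VCPU) is rejected silently; text_size is
 * clamped to one page so the copy cannot spill into the next vCPU's page.
 * text is not checked for NULL.
 */
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd, cpu_id);
	setup_cpuid(cpufd);
	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	reset_cpu_regs(cpufd, entry_rip, cpu_id);
	/* Record the (clamped) size where guest-side code can read it. */
	if (vm->globals_mem) {
		struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem;
		globals->text_sizes[cpu_id] = text_size;
	}
}

/* A host address range: start pointer plus length in bytes. */
struct addr_size {
	void* addr;
	size_t size;
};

/*
 * Carve size bytes off the front of *free.
 * Returns the carved range, or {NULL, 0} when fewer than size bytes remain
 * (in which case *free is left untouched).
 */
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

/* Thin wrapper around KVM_SET_USER_MEMORY_REGION; the ioctl result is not checked. */
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg;
	memreg.slot = slot;
	memreg.flags = flags;
	memreg.guest_phys_addr = guest_phys_addr;
	memreg.memory_size = memory_size;
	memreg.userspace_addr = userspace_addr;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

/*
 * Copy the linker-delimited guest code section (__start_guest..__stop_guest)
 * into host_mem. Exits if the section does not fit in mem_size bytes.
 */
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);
	memcpy(host_mem, &__start_guest, size);
}

/*
 * Split vm->host_mem into the regions listed in syzos_mem_regions and
 * register each one with KVM as a memory slot.
 */
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size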
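allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	struct syzos_boot_args* boot_args = NULL;
	for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) {
			vm->region_base[i] = NULL;
			continue;
		}
		size_t pages = r->pages;
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			pages = allocator.size / KVM_PAGE_SIZE;
		/*
		 * NOTE(review): alloc_guest_mem() returns {NULL, 0} when the pool is
		 * too small, and that result is used below without a check (for the
		 * boot-args region it would be dereferenced). Confirm the region
		 * table can never exceed vm->total_pages.
		 */
		struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE);
		vm->region_base[i] = next.addr;
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		/* Remember the host pointers of the regions other helpers need. */
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_PT_POOL)
			vm->pt_pool_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_GLOBALS)
			vm->globals_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) {
			/* Publish a copy of the region table to the guest. */
			boot_args = (struct syzos_boot_args*)next.addr;
			boot_args->region_count = SYZOS_REGION_COUNT;
			for (size_t k = 0; k < boot_args->region_count; k++)
				boot_args->regions[k] = syzos_mem_regions[k];
		}
		/* The "remaining" region's real size is only known here; patch it into the guest's copy. */
		if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args)
			boot_args->regions[i].pages = pages;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			break;
	}
}

/*
 * Pseudo-syscall: initialise a SYZOS VM inside caller-provided memory.
 * The first page of host_mem (a1) holds the struct kvm_syz_vm bookkeeping;
 * the following KVM_GUEST_PAGES - 1 pages become guest memory. Returns the
 * bookkeeping pointer as a long.
 *
 * NOTE(review): a1 is used without a NULL or size check; the caller must
 * supply at least KVM_GUEST_PAGES pages.
 */
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;
	ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	ret->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, ret);
	ret->vmfd = vmfd;
	ret->next_cpu_id = 0;
	return (long)ret;
}

/*
 * Pseudo-syscall: create the next vCPU of a SYZOS VM and load its code.
 * a0 is the struct kvm_syz_vm pointer, a1 a struct kvm_text describing the
 * code. Returns the vCPU fd, or -1 with errno set (EINVAL for a NULL
 * argument, ENOMEM once KVM_MAX_VCPU vCPUs exist, or whatever
 * KVM_CREATE_VCPU reported).
 */
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
	struct kvm_text* utext = (struct kvm_text*)a1;
	/* Validate both pointers before the first dereference; utext used to be read ahead of any check. */
	if (!vm || !utext) {
		errno = EINVAL;
		return -1;
	}
	const void* text = utext->text;
	size_t text_size = utext->size;
	/* >= rather than ==, so a counter that somehow ran past the limit is still refused. */
	if (vm->next_cpu_id >= KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	vm->next_cpu_id++;
	install_user_code(vm, cpufd, cpu_id, text, text_size);
	return cpufd;
}

/*
 * Print a vCPU's exit information and register state to stderr.
 * run may be NULL (syz_kvm_assert_syzos_uexit() calls this on its NULL-run
 * failure path); in that case the kvm_run fields are skipped. Register
 * buffers are zeroed first so a failed ioctl prints zeros instead of
 * uninitialised stack contents.
 */
static void dump_vcpu_state(int cpufd, struct kvm_run* run)
{
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	ioctl(cpufd, KVM_GET_REGS, &regs);
	struct kvm_sregs sregs;
	memset(&sregs, 0, sizeof(sregs));
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	fprintf(stderr, "KVM_RUN structure:\n");
	if (run) {
		fprintf(stderr, " exit_reason: %d\n", run->exit_reason);
		fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason);
	} else {
		fprintf(stderr, " (kvm_run pointer is NULL)\n");
	}
	fprintf(stderr, "VCPU registers:\n");
	fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags);
	fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx);
	fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi);
	fprintf(stderr, "VCPU sregs:\n");
	fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4);
	fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0);
	fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db);
	fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db);
	fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db);
	fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit);
}

/*
 * Pseudo-syscall: verify that the vCPU's last exit was an MMIO access to the
 * SYZOS "uexit" address carrying the expected code (a2).
 * Returns 0 on a match. Otherwise dumps the vCPU state to stderr and returns
 * -1 with errno = EINVAL (wrong or missing exit) or EDOM (wrong code).
 */
static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2)
{
	int cpufd = (int)a0;
	struct kvm_run* run = (struct kvm_run*)a1;
	uint64_t expect = a2;
	if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd);
		dump_vcpu_state(cpufd, run);
		errno = EINVAL;
		return -1;
	}
	/* Read the 8 data bytes with memcpy rather than through a casted pointer (no alignment or aliasing assumptions). */
	uint64_t actual_code;
	memcpy(&actual_code, run->mmio.data, sizeof(actual_code));
	if (actual_code != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code);
		dump_vcpu_state(cpufd, run);
		errno = EDOM;
		return -1;
	}
	return 0;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

/*
 * Build a private root for the test process: a fresh tmpfs with selected host
 * directories bind-mounted under newroot, then pivot_root (falling back to
 * chdir) and chroot into it. Any mandatory step that fails terminates the
 * process; optional mounts tolerate ENOENT.
 */
static void sandbox_common_mount_tmpfs(void)
{
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if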
(mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	/* SELinux may live at /selinux or /sys/fs/selinux; a missing path (ENOENT) is tolerated for both. */
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	/*
	 * NOTE(review): on Linux a bind mount ignores MS_RDONLY on the initial
	 * mount() call; making it read-only needs a second call with
	 * MS_REMOUNT | MS_BIND | MS_RDONLY. Verify that /syz-inputs really ends
	 * up read-only inside the sandbox.
	 */
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		/* pivot_root unavailable or refused: fall back to chdir + chroot only. */
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}

/* Best-effort: create and mount gadgetfs at /dev/gadgetfs; failures are ignored. */
static void setup_gadgetfs()
{
	int rc = mkdir("/dev/gadgetfs", 0777);
	(void)rc;
	rc = mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL);
	(void)rc;
}

/* Best-effort: mount the FUSE control filesystem; failure is ignored. */
static void setup_fusectl()
{
	int rc = mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0);
	(void)rc;
}

/* Best-effort: create and mount binderfs at /dev/binderfs; failures are ignored. */
static void setup_binderfs()
{
	int rc = mkdir("/dev/binderfs", 0777);
	(void)rc;
	rc = mount("binder", "/dev/binderfs", "binder", 0, NULL);
	(void)rc;
}

static void loop();

/*
 * Containment shared by the sandbox modes: die with the parent, keep a handle
 * on the initial network namespace, cap resource usage, detach into fresh
 * mount/IPC/cgroup/UTS namespaces and shrink the SysV IPC sysctls.
 * Only the parent-death guard and the netns handle are fatal on failure;
 * everything else is best-effort.
 */
static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	/* Parent already gone (re-parented to pid 1): the death signal would never fire. */
	if (getppid() == 1)
		exit(1);

	/* Park the original network namespace on a well-known fd before any unshare. */
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);

	/* Resource ceilings; soft and hard limit are set to the same value. */
	static const struct {
		int resource;
		rlim_t limit;
	} limits[] = {
	    {RLIMIT_AS, (200 << 20)},
	    {RLIMIT_MEMLOCK, 32 << 20},
	    {RLIMIT_FSIZE, 136 << 20},
	    {RLIMIT_STACK, 1 << 20},
	    {RLIMIT_CORE, 128 << 20},
	    {RLIMIT_NOFILE, 256},
	};
	for (size_t k = 0; k < sizeof(limits) / sizeof(limits[0]); k++) {
		struct rlimit rlim;
		rlim.rlim_cur = rlim.rlim_max = limits[k].limit;
		setrlimit(limits[k].resource, &rlim);
	}

	/* New mount namespace, with "/" made recursively private. */
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	/* 0x02000000 is CLONE_NEWCGROUP, spelled numerically. */
	static const int ns_flags[] = {CLONE_NEWIPC, 0x02000000, CLONE_NEWUTS, CLONE_SYSVSEM};
	for (size_t k = 0; k < sizeof(ns_flags) / sizeof(ns_flags[0]); k++) {
		if (unshare(ns_flags[k])) {
		}
	}

	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	const sysctl_t* const end = sysctls + sizeof(sysctls) / sizeof(sysctls[0]);
	for (const sysctl_t* entry = sysctls; entry != end; entry++)
		write_file(entry->name, entry->value);
}

/*
 * Reap children until the one with the given pid has been collected and
 * return WEXITSTATUS of its status. A negative pid (failed fork) is fatal.
 */
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	for (;;) {
		if (waitpid(-1, &status, __WALL) == pid)
			break;
	}
	return WEXITSTATUS(status);
}

/*
 * Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
 * inheritable sets of this process. Failure to read or write the capability
 * sets is fatal.
 */
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int keep_mask = ~((1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE));
	cap_data[0].effective &= keep_mask;
	cap_data[0].permitted &= keep_mask;
	cap_data[0].inheritable &= keep_mask;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

/*
 * "none" sandbox: fork into a new PID namespace when available; the parent
 * only waits for the child and returns its exit status, while the child
 * applies the common containment and runs the test loop.
 */
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
    // The line above is the tail of do_sandbox_none(): it opens ICMP ping sockets to
    // gids 0..65535; the write_file() result is ignored.
    sandbox_common_mount_tmpfs();
    loop();
    // loop() is not expected to return; exit with failure if it does.
    exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively delete `dir`, unmounting anything mounted on it or below it.
// Any error that is not explicitly handled terminates the process with exit(1).
static void remove_dir(const char* dir)
{
    int iter = 0;
    DIR* dp = 0;
    // UMOUNT_NOFOLLOW keeps umount2() from dereferencing a symlink at the path,
    // which matters because the directory content was produced by the test program.
    const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;

retry:
    // Peel off every mount stacked on the directory itself.
    while (umount2(dir, umount_flags) == 0) {
    }
    dp = opendir(dir);
    if (dp == NULL) {
        // Both branches exit(1); the EMFILE case is not treated differently here.
        if (errno == EMFILE) {
            exit(1);
        }
        exit(1);
    }
    struct dirent* ep = 0;
    while ((ep = readdir(dp))) {
        if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
            continue;
        char filename[FILENAME_MAX];
        // NOTE(review): the snprintf() result is not checked, so an over-long
        // path would be silently truncated before the calls below.
        snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
        while (umount2(filename, umount_flags) == 0) {
        }
        struct stat st;
        // lstat(), not stat(): a symlink is unlinked below rather than followed.
        if (lstat(filename, &st))
            exit(1);
        if (S_ISDIR(st.st_mode)) {
            remove_dir(filename);
            continue;
        }
        int i;
        for (i = 0;; i++) {
            if (unlink(filename) == 0)
                break;
            if (errno == EPERM) {
                // Set the inode flags to 0 and retry; presumably this clears
                // attributes such as immutable/append-only that block unlink.
                int fd = open(filename, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            // A read-only filesystem cannot be cleaned; leave the entry behind.
            if (errno == EROFS) {
                break;
            }
            // Only EBUSY is retried, and at most about 100 times.
            if (errno != EBUSY || i > 100)
                exit(1);
            if (umount2(filename, umount_flags))
                exit(1);
        }
    }
    // dp is closed before the rmdir loop, so the `goto retry` below does not leak it.
    closedir(dp);
    for (int i = 0;; i++) {
        if (rmdir(dir) == 0)
            break;
        if (i < 100) {
            if (errno == EPERM) {
                // Same inode-flag reset as for files, applied to the directory.
                int fd = open(dir, O_RDONLY);
                if (fd != -1) {
                    long flags = 0;
                    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
                    }
                    close(fd);
                    continue;
                }
            }
            if (errno == EROFS) {
                break;
            }
            if (errno == EBUSY) {
                if (umount2(dir, umount_flags))
                    exit(1);
                continue;
            }
            // New entries appeared since the scan: rescan, at most 100 times.
            if (errno == ENOTEMPTY) {
                if (iter < 100) {
                    iter++;
                    goto retry;
                }
            }
        }
        exit(1);
    }
}

// Write `nth` in decimal to /proc/thread-self/fail-nth and return the still-open
// descriptor; the caller owns it. Exits on open failure or a short write.
static int inject_fault(int nth)
{
    int fd;
    fd = open("/proc/thread-self/fail-nth", O_RDWR);
    if (fd == -1)
        exit(1);
    // 16 bytes hold any "%d" rendering of a 32-bit int (assumes int is 32 bits).
    char buf[16];
    sprintf(buf, "%d", nth);
    if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
        exit(1);
    return fd;
}

// SIGKILL the process group of `pid` and `pid` itself, then reap it into *status.
// If it has not been reaped after about 100 ms, abort every FUSE connection listed
// in fusectl and block until the child is reaped.
static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    // Poll up to 100 times, 1 ms apart.
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    // Presumably a pending FUSE request can keep the child from dying, hence the abort.
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            // One byte of the path buffer is written; the write result is ignored.
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    // Blocking reap; unrelated children returned by waitpid(-1) are discarded.
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

// Issue LOOP_CLR_FD on /dev/loop<procid> if the device can be opened; the ioctl
// result is ignored. procid is defined outside this chunk.
static void reset_loop()
{
    char buf[64];
    snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
    int loopfd = open(buf, O_RDWR);
    if (loopfd != -1) {
        ioctl(loopfd, LOOP_CLR_FD, 0);
        close(loopfd);
    }
}

// Per-test setup run in the forked child before the program executes.
static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    // Own process group, so kill(-pid) in kill_and_wait() reaches all descendants in it.
    setpgrp();
    // 1000 is the maximum OOM score adjustment: this process is killed first under memory pressure.
    write_file("/proc/self/oom_score_adj", "1000");
    // Best effort: a failed symlink is ignored.
    if (symlink("/dev/binderfs", "./binderfs")) {
    }
}

// Check for fault-injection support and configure it through debugfs.
// Returns NULL on success or a static string describing what is missing.
static const char* setup_fault()
{
    int fd = open("/proc/self/make-it-fail", O_WRONLY);
    if (fd == -1)
        return "CONFIG_FAULT_INJECTION is not enabled";
    close(fd);
    fd = open("/proc/thread-self/fail-nth", O_WRONLY);
    if (fd == -1)
        return "kernel does not have systematic fault injection support";
    close(fd);
    // Only the failslab entry is marked fatal; the other writes may fail silently.
    static struct {
        const char* file;
        const char* val;
        bool fatal;
    } files[] = {
        {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
        {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
        {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
    };
    unsigned i;
    for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
        if (!write_file(files[i].file, files[i].val)) {
            if (files[i].fatal)
                return "failed to write fault injection file";
        }
    }
    return NULL;
}

// Smallest buffer length syz_fuse_handle_req() accepts for reading a request.
#define FUSE_MIN_READ_BUFFER 8192

// Opcode values compared against fuse_in_header.opcode in syz_fuse_handle_req().
enum fuse_opcode {
    FUSE_LOOKUP = 1,
    FUSE_FORGET = 2,
    FUSE_GETATTR = 3,
    FUSE_SETATTR = 4,
    FUSE_READLINK = 5,
    FUSE_SYMLINK = 6,
    FUSE_MKNOD = 8,
    FUSE_MKDIR = 9,
    FUSE_UNLINK = 10,
    FUSE_RMDIR = 11,
    FUSE_RENAME =
12,
    FUSE_LINK = 13,
    FUSE_OPEN = 14,
    FUSE_READ = 15,
    FUSE_WRITE = 16,
    FUSE_STATFS = 17,
    FUSE_RELEASE = 18,
    FUSE_FSYNC = 20,
    FUSE_SETXATTR = 21,
    FUSE_GETXATTR = 22,
    FUSE_LISTXATTR = 23,
    FUSE_REMOVEXATTR = 24,
    FUSE_FLUSH = 25,
    FUSE_INIT = 26,
    FUSE_OPENDIR = 27,
    FUSE_READDIR = 28,
    FUSE_RELEASEDIR = 29,
    FUSE_FSYNCDIR = 30,
    FUSE_GETLK = 31,
    FUSE_SETLK = 32,
    FUSE_SETLKW = 33,
    FUSE_ACCESS = 34,
    FUSE_CREATE = 35,
    FUSE_INTERRUPT = 36,
    FUSE_BMAP = 37,
    FUSE_DESTROY = 38,
    FUSE_IOCTL = 39,
    FUSE_POLL = 40,
    FUSE_NOTIFY_REPLY = 41,
    FUSE_BATCH_FORGET = 42,
    FUSE_FALLOCATE = 43,
    FUSE_READDIRPLUS = 44,
    FUSE_RENAME2 = 45,
    FUSE_LSEEK = 46,
    FUSE_COPY_FILE_RANGE = 47,
    FUSE_SETUPMAPPING = 48,
    FUSE_REMOVEMAPPING = 49,
    FUSE_SYNCFS = 50,
    FUSE_TMPFILE = 51,
    FUSE_STATX = 52,
    CUSE_INIT = 4096,
    CUSE_INIT_BSWAP_RESERVED = 1048576,
    FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header at the start of every request read from the FUSE descriptor.
struct fuse_in_header {
    uint32_t len; // compared against the number of bytes actually read
    uint32_t opcode; // selects the canned response in syz_fuse_handle_req()
    uint64_t unique; // echoed back in the response header
    uint64_t nodeid;
    uint32_t uid;
    uint32_t gid;
    uint32_t pid;
    uint32_t padding;
};

// Header at the start of every response written to the FUSE descriptor.
struct fuse_out_header {
    uint32_t len; // number of bytes fuse_send_response() writes
    uint32_t error;
    uint64_t unique; // overwritten with the request's `unique` before sending
};

// Caller-prepared responses, one pointer per response kind; a NULL entry means
// "no response available" and makes the handler return -1 for that opcode.
struct syz_fuse_req_out {
    struct fuse_out_header* init;
    struct fuse_out_header* lseek;
    struct fuse_out_header* bmap;
    struct fuse_out_header* poll;
    struct fuse_out_header* getxattr;
    struct fuse_out_header* lk;
    struct fuse_out_header* statfs;
    struct fuse_out_header* write;
    struct fuse_out_header* read;
    struct fuse_out_header* open;
    struct fuse_out_header* attr;
    struct fuse_out_header* entry;
    struct fuse_out_header* dirent;
    struct fuse_out_header* direntplus;
    struct fuse_out_header* create_open;
    struct fuse_out_header* ioctl;
    struct fuse_out_header* statx;
};

// Copy the request id into the prepared response and write it to `fd`.
// Returns 0 on success, -1 if out_hdr is NULL or write() fails.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
    if (!out_hdr) {
        return -1;
    }
    out_hdr->unique = in_hdr->unique;
    // NOTE(review): out_hdr->len comes from the caller-prepared response and is not
    // checked here against the size of the memory behind out_hdr.
    if (write(fd, out_hdr, out_hdr->len) == -1) {
        return -1;
    }
    return 0;
}

// Read one FUSE request from fd (a0) into the buffer a1 of length a2 and answer
// it with the matching canned response from the syz_fuse_req_out at a3.
// Returns 0 on success (or for FORGET requests, which get no reply) and -1 on any
// validation failure, read/write error, unknown opcode or missing response.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
    struct fuse_out_header* out_hdr = NULL;
    char* buf = (char*)a1;
    int buf_len = (int)a2;
    int fd = (int)a0;
    if (!req_out) {
        return -1;
    }
    // Only a lower bound is enforced; the caller must make sure buf really has
    // buf_len bytes.
    if (buf_len < FUSE_MIN_READ_BUFFER) {
        return -1;
    }
    int ret = read(fd, buf, buf_len);
    if (ret == -1) {
        return -1;
    }
    // The header may only be interpreted once a full header was read.
    if ((size_t)ret < sizeof(struct fuse_in_header)) {
        return -1;
    }
    const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
    // Reject a request that claims to be longer than what was read.
    if (in_hdr->len > (uint32_t)ret) {
        return -1;
    }
    switch (in_hdr->opcode) {
    case FUSE_GETATTR:
    case FUSE_SETATTR:
        out_hdr = req_out->attr;
        break;
    case FUSE_LOOKUP:
    case FUSE_SYMLINK:
    case FUSE_LINK:
    case FUSE_MKNOD:
    case FUSE_MKDIR:
        out_hdr = req_out->entry;
        break;
    case FUSE_OPEN:
    case FUSE_OPENDIR:
        out_hdr = req_out->open;
        break;
    case FUSE_STATFS:
        out_hdr = req_out->statfs;
        break;
    case FUSE_RMDIR:
    case FUSE_RENAME:
    case FUSE_RENAME2:
    case FUSE_FALLOCATE:
    case FUSE_SETXATTR:
    case FUSE_REMOVEXATTR:
    case FUSE_FSYNCDIR:
    case FUSE_FSYNC:
    case FUSE_SETLKW:
    case FUSE_SETLK:
    case FUSE_ACCESS:
    case FUSE_FLUSH:
    case FUSE_RELEASE:
    case FUSE_RELEASEDIR:
    case FUSE_UNLINK:
    case FUSE_DESTROY:
        // These replies carry a header only, so the init response is reused.
        // NOTE(review): init->len is overwritten in place, so a FUSE_INIT handled
        // later with the same req_out is sent with the header-only length.
        out_hdr = req_out->init;
        if (!out_hdr) {
            return -1;
        }
        out_hdr->len = sizeof(struct fuse_out_header);
        break;
    case FUSE_READ:
        out_hdr = req_out->read;
        break;
    case FUSE_READDIR:
        out_hdr = req_out->dirent;
        break;
    case FUSE_READDIRPLUS:
        out_hdr = req_out->direntplus;
        break;
    case FUSE_INIT:
        out_hdr = req_out->init;
        break;
    case FUSE_LSEEK:
        out_hdr = req_out->lseek;
        break;
    case FUSE_GETLK:
        out_hdr = req_out->lk;
        break;
    case FUSE_BMAP:
        out_hdr = req_out->bmap;
        break;
    case FUSE_POLL:
        out_hdr = req_out->poll;
        break;
    case FUSE_GETXATTR:
    case FUSE_LISTXATTR:
        out_hdr = req_out->getxattr;
        break;
    case FUSE_WRITE:
    case FUSE_COPY_FILE_RANGE:
        out_hdr = req_out->write;
        break;
    case FUSE_FORGET:
    case FUSE_BATCH_FORGET:
        // No reply is written for FORGET requests.
        return 0;
    case FUSE_CREATE:
        out_hdr = req_out->create_open;
        break;
    case FUSE_IOCTL:
        out_hdr = req_out->ioctl;
        break;
    case FUSE_STATX:
        out_hdr =
            req_out->statx;
        break;
    default:
        // Opcodes without a case above (FUSE_READLINK, for example) are not answered.
        return -1;
    }
    return fuse_send_response(fd, in_hdr, out_hdr);
}

#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3

// Upper bound on the frame length accepted by syz_80211_inject_frame().
#define WIFI_MAX_INJECT_LEN 2048

// Send an HWSIM_CMD_REGISTER generic-netlink message on `sock`.
// Returns the netlink_send_ext() result.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
    struct genlmsghdr genlhdr;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_REGISTER;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
    // Empty branch: the error is only propagated through the return value.
    if (err < 0) {
    }
    return err;
}

// Send an HWSIM_CMD_FRAME message carrying `len` bytes of `data` for the receiver
// address `mac_addr` (ETH_ALEN bytes are read from it). `len` is not validated
// here; the visible caller bounds it before calling.
// Returns the netlink_send_ext() result.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
    struct genlmsghdr genlhdr;
    uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
    uint32_t signal = WIFI_DEFAULT_SIGNAL;
    memset(&genlhdr, 0, sizeof(genlhdr));
    genlhdr.cmd = HWSIM_CMD_FRAME;
    netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
    netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
    netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
    netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
    netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
    int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
    // Empty branch: the error is only propagated through the return value.
    if (err < 0) {
    }
    return err;
}

// Hand a frame (a1, length a2) addressed to the MAC at a0 to mac80211_hwsim over
// generic netlink. Returns 0 on success and -1 on a bad length or any netlink failure.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
    uint8_t* mac_addr = (uint8_t*)a0;
    uint8_t* buf = (uint8_t*)a1;
    int buf_len = (int)a2;
    struct nlmsg tmp_msg;
    // Length is bounded before anything is copied into the netlink message.
    if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
    if (hwsim_family_id < 0) {
        close(sock);
        return -1;
    }
    int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
    if (ret < 0) {
        close(sock);
        return -1;
    }
    ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
    // The socket is closed on every path before the result is examined.
    close(sock);
    if (ret < 0) {
return -1;
    }
    return 0;
}

#define WIFI_MAX_SSID_LEN 32

// Accepted values of the join mode argument of syz_80211_join_ibss().
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Put the interface named at a0 into an IBSS with the SSID at a1 (length a2),
// using join mode a3. Returns 0 on success, -1 on invalid arguments or any failure.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
    char* interface = (char*)a0;
    uint8_t* ssid = (uint8_t*)a1;
    int ssid_len = (int)a2;
    int mode = (int)a3;
    struct nlmsg tmp_msg;
    uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
    // Both length and mode are range-checked before use.
    if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
        return -1;
    }
    if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
        return -1;
    }
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (sock < 0) {
        return -1;
    }
    int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
    if (nl80211_family_id < 0) {
        close(sock);
        return -1;
    }
    // The frequency is fixed for the two *_NO_SCAN modes only.
    struct join_ibss_props ibss_props = {
        .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
        .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
        .mac = bssid,
        .ssid = ssid,
        .ssid_len = ssid_len};
    int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
    close(sock);
    if (ret < 0) {
        return -1;
    }
    // Only the blocking NO_SCAN mode waits for the interface to report IF_OPER_UP.
    if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
        ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
        if (ret < 0) {
            return -1;
        }
    }
    return 0;
}

// Lifetime of a cloned child in microseconds (1.5 s).
#define USLEEP_FORKED_CHILD (3 * 500 *1000)

// Shared tail of syz_clone()/syz_clone3(). In the parent (or on error) the clone
// result is returned unchanged; in the child (ret == 0) the function sleeps for
// USLEEP_FORKED_CHILD and exits, so the child never runs the rest of the program.
static long handle_clone_ret(long ret)
{
    if (ret != 0) {
        return ret;
    }
    usleep(USLEEP_FORKED_CHILD);
    syscall(__NR_exit, 0);
    // Not reached unless the exit syscall returns; spin rather than fall through.
    while (1) {
    }
}

// clone(2) wrapper: CLONE_VM is always cleared from `flags`, so the child gets its
// own address space, and the stack top is rounded down to a 16-byte boundary.
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
    long sp = (stack + stack_len) & ~15;
    long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
    return handle_clone_ret(ret);
}

// Largest clone_args size syz_clone3() copies.
#define MAX_CLONE_ARGS_BYTES 256

// clone3(2) wrapper: copies a1 bytes of clone_args from a0 into a local buffer,
// clears CLONE_VM in the leading 64-bit flags word and issues the syscall.
// Returns -1 without calling clone3 when a1 is below 8 or above MAX_CLONE_ARGS_BYTES.
static long syz_clone3(volatile long a0, volatile long a1)
{
    unsigned long copy_size = a1;
    // The lower bound guarantees the flags word is present; the upper bound keeps
    // the memcpy inside clone_args.
    if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
        return -1;
    char
        clone_args[MAX_CLONE_ARGS_BYTES];
    // Bytes past copy_size stay uninitialised, but only copy_size is passed to the kernel.
    memcpy(&clone_args, (void*)a0, copy_size);
    // NOTE(review): the char array is accessed through a uint64_t pointer; nothing
    // here guarantees 8-byte alignment of clone_args.
    uint64_t* flags = (uint64_t*)&clone_args;
    *flags &= ~CLONE_VM;
    return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

// Protection key that syz_pkey_set() refuses to modify.
#define RESERVED_PKEY 15

// Set the 2-bit PKRU field of protection key `pkey` to `val & 3` using the x86
// rdpkru/wrpkru instructions. Returns -1 with errno = EINVAL for RESERVED_PKEY.
static long syz_pkey_set(volatile long pkey, volatile long val)
{
    // NOTE(review): only the exact value 15 is rejected; because of the `% 16`
    // below, other values congruent to 15 still address key 15's bits, and a
    // negative pkey yields a negative shift count.
    if (pkey == RESERVED_PKEY) {
        errno = EINVAL;
        return -1;
    }
    uint32_t eax = 0;
    uint32_t ecx = 0;
    asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
    // Clear the key's two bits, then install the requested value.
    eax &= ~(3 << ((pkey % 16) * 2));
    eax |= (val & 3) << ((pkey % 16) * 2);
    uint32_t edx = 0;
    asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
    return 0;
}

// pidfd_open(2) wrapper that rewrites pid 1 to 0 before the syscall, presumably so
// the program cannot obtain a handle on init.
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
    if (pid == 1) {
        pid = 0;
    }
    return syscall(__NR_pidfd_open, pid, flags);
}

// Write input_data_size bytes from `buffer` to
// /sys/kernel/debug/kfuzztest/<test_name>/input. Returns 0 on success and -1 on a
// NULL argument, an over-long path, an open failure, a short write or a close
// failure. The input_data parameter is not used in this function.
static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer)
{
    const char* test_name = (const char*)test_name_ptr;
    if (!test_name) {
        return -1;
    }
    if (!buffer) {
        return -1;
    }
    char buf[256];
    // NOTE(review): test_name is interpolated unfiltered, so a name containing '/'
    // or ".." resolves outside the kfuzztest directory; truncation is rejected below.
    int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name);
    if (ret < 0 || (unsigned long)ret >= sizeof(buf)) {
        return -1;
    }
    int fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
    if (fd < 0) {
        return -1;
    }
    // A short write counts as failure; there is no retry loop.
    ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
    if (bytes_written != input_data_size) {
        close(fd);
        return -1;
    }
    if (close(fd) != 0) {
        return -1;
    }
    return 0;
}

// State of one worker thread used by execute_one().
struct thread_t {
    int created, call; // created: thread has been started; call: index to execute next
    event_t ready, done; // ready: work handed over; done: worker is idle again
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker thread body: wait for `ready`, run the assigned call, decrement `running`
// and signal `done`; repeats forever.
static void* thr(void* arg)
{
    struct thread_t* th = (struct thread_t*)arg;
    for (;;) {
        event_wait(&th->ready);
        event_reset(&th->ready);
        execute_call(th->call);
        __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
        event_set(&th->done);
    }
    return 0;
}

// Run the 57 calls of the program once, each on the first idle worker thread.
static void execute_one(void)
{
    // Marker on stdout; the write result is deliberately ignored.
    if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
    }
    int i, call, thread;
    for (call = 0; call < 57; call++)
{
        // Find the first worker that is idle, starting threads lazily.
        for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
            struct thread_t* th = &threads[thread];
            if (!th->created) {
                th->created = 1;
                event_init(&th->ready);
                event_init(&th->done);
                // A new worker starts out idle.
                event_set(&th->done);
                thread_start(thr, th);
            }
            if (!event_isset(&th->done))
                continue;
            event_reset(&th->done);
            th->call = call;
            __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
            event_set(&th->ready);
            // Call 1 is not waited for; the next call is dispatched immediately.
            if (call == 1)
                break;
            // Base timeout is 500 ms; the listed calls get extra time on top.
            event_timedwait(&th->done, 500 + (call == 12 ? 1500 : 0) + (call == 41 ? 12000 : 0) + (call == 48 ? 600 : 0) + (call == 50 ? 9000 : 0) + (call == 51 ? 9000 : 0) + (call == 52 ? 900 : 0) + (call == 53 ? 900 : 0) + (call == 54 ? 900 : 0) + (call == 55 ? 900 : 0));
            break;
        }
    }
    // Give still-running calls up to about 100 ms to finish.
    for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
        sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Run the program forever, once per iteration, each time in a fresh directory
// ./<iter> and a forked child. A child that has not exited after 15 s is killed;
// the directory is removed afterwards.
static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        // "./" plus a decimal int fits in 32 bytes (assumes int is 32 bits).
        char cwdbuf[32];
        sprintf(cwdbuf, "./%d", iter);
        if (mkdir(cwdbuf, 0777))
            exit(1);
        reset_loop();
        int pid = fork();
        if (pid < 0)
            exit(1);
        if (pid == 0) {
            if (chdir(cwdbuf))
                exit(1);
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        // Poll every 10 ms until the child is reaped or the 15 s budget is used up.
        for (;;) {
            sleep_ms(10);
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            if (current_time_ms() - start < 15000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
        remove_dir(cwdbuf);
    }
}

// Result slots shared between calls: execute_call() stores values produced by
// earlier calls here and passes them to later ones.
uint64_t r[29] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
    intptr_t res = 0;
    switch (call) {
    case 0:
        memcpy((void*)0x200000000000, "/dev/admmidi#\000", 14);
        inject_fault(1);
        res = -1;
        res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0x302d694, /*flags=O_NOFOLLOW|O_DIRECTORY|FASYNC|O_APPEND*/0x32400);
        if (res != -1)
r[0] = res; break; case 1: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80045700, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000080, "/dev/hpet\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); for (int i = 0; i < 4; i++) { syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); } if (res != -1) r[1] = res; break; case 3: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40045436, /*arg=*/0x17ul); break; case 4: *(uint32_t*)0x200000000100 = 0x14; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/6, /*optname=*/0x1d, /*optval=*/0x2000000000c0ul, /*optlen=*/0x200000000100ul); break; case 5: *(uint64_t*)0x200000000340 = 0x8800000; *(uint64_t*)0x200000000348 = 0x200000000140; *(uint64_t*)0x200000000350 = 0x200000000180; *(uint64_t*)0x200000000358 = 0x2000000001c0; *(uint32_t*)0x200000000360 = 0; *(uint64_t*)0x200000000368 = 0x200000000200; *(uint64_t*)0x200000000370 = 0x72; *(uint64_t*)0x200000000378 = 0x200000000280; *(uint64_t*)0x200000000380 = 0x200000000300; *(uint32_t*)0x200000000300 = 0; *(uint32_t*)0x200000000304 = -1; *(uint32_t*)0x200000000308 = 0; *(uint32_t*)0x20000000030c = -1; *(uint32_t*)0x200000000310 = 0; *(uint32_t*)0x200000000314 = 0; *(uint32_t*)0x200000000318 = -1; *(uint32_t*)0x20000000031c = 0; *(uint64_t*)0x200000000388 = 8; *(uint32_t*)0x200000000390 = r[1]; res = -1; res = syz_clone3(/*args=*/0x200000000340, /*size=*/0x58); if (res != -1) r[2] = *(uint32_t*)0x200000000180; break; case 6: syscall(__NR_kcmp, /*pid1=*/r[2], /*pid2=*/0, /*type=KCMP_FILES*/2ul, /*fd1=*/r[0], /*fd2=*/(intptr_t)-1); break; case 7: *(uint32_t*)0x2000000003c0 = 0; *(uint32_t*)0x2000000003c4 = 4; *(uint32_t*)0x2000000003c8 = 0; *(uint32_t*)0x2000000003cc = 8; *(uint32_t*)0x200000000400 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0, /*val=*/0x2000000003c0ul, /*len=*/0x200000000400ul); if (res != -1) r[3] = 
*(uint32_t*)0x2000000003c0; break; case 8: *(uint16_t*)0x200000000440 = 6; *(uint16_t*)0x200000000442 = 0x8207; *(uint32_t*)0x200000000444 = 0x96d; *(uint32_t*)0x200000000448 = 0x10; *(uint32_t*)0x20000000044c = r[3]; *(uint32_t*)0x200000000480 = 0x10; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0x22, /*val=*/0x200000000440ul, /*len=*/0x200000000480ul); break; case 9: syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc04c6100, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); *(uint16_t*)0x200000000042 = 0x8000; memcpy((void*)0x200000000044, "\x63\x44\x8e\xdb\x2f\xb0", 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 0; syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x10); break; case 11: memcpy((void*)0x200000000080, "wlan0\000", 6); memset((void*)0x2000000000c0, 2, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=JOIN_IBSS_BG_NO_SCAN*/2); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_kernel_create_files_as\000", 31); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\x28\x03\x83\x7c\xbc\xf3\x7b\xce\x72\xc1\xa7\x3b\x90\x9c\x68\xfe\x5b\xf7\xa6\x36\x3c\xdc\x90\xc0\x0d\xc6\x01\x3b\x35\xda\x02\xa6\x6a\x05\x91\x66\x71\x54\xa5\x56\x7c\x0e\x5e\xe6\x93\x3d\x6d\xa8\xbf\xed\xac\x5d\x27\x8a\x29\x1e\xfa\x30\x20\xba\x15\xe3\x90\xeb\x38\xda\x76\x26\x1c\x3a\xef\xf9\xee\xa8\xab\xea\xce", 77); memcpy((void*)0x200000000240, 
"\x6a\x0b\x56\xff\x4b\x8f\xac\x28\x77\x3c\xa1\x37\x65\x2b\x5b\x0f\xd8\x03\xa0\x41\x3c\x28\x20\x37\xf7\x21\xcb\x96\xec\xf2\xbb\x1a\x61\x6d\xc3\xd5\x6e\xee\xa2\x6f\x6b\x16\xf4\x56\x2d\x17\xc6\xd8\xb8\x83\x8f\x18\x44\xb5\x85\xeb\xcc\x0b\x56\x2f\x05\x57\xb2\xc7\xe9\xf0\xdd\xa1\xce\x4c\xc6\x1d", 72); res = -1; res = syz_clone(/*flags=CLONE_NEWCGROUP|CLONE_SETTLS*/0x2080000, /*stack=*/0x200000000140, /*stack_len=*/0x4d, /*parentid=*/0x2000000001c0, /*childtid=*/0x200000000200, /*tls=*/0x200000000240); if (res != -1) r[4] = res; break; case 14: *(uint64_t*)0x200000000480 = 0xc2e0; res = syscall(__NR_socketcall, /*call=*/8ul, /*args=*/0x200000000480ul); if (res != -1) r[5] = res; break; case 15: *(uint64_t*)0x2000000004c0 = 0x18000000; *(uint64_t*)0x2000000004c8 = 0x2000000002c0; *(uint64_t*)0x2000000004d0 = 0x200000000300; *(uint64_t*)0x2000000004d8 = 0x200000000340; *(uint32_t*)0x2000000004e0 = 9; *(uint64_t*)0x2000000004e8 = 0x200000000380; *(uint64_t*)0x2000000004f0 = 0x29; *(uint64_t*)0x2000000004f8 = 0x2000000003c0; *(uint64_t*)0x200000000500 = 0x200000000440; *(uint32_t*)0x200000000440 = r[4]; *(uint32_t*)0x200000000444 = r[4]; *(uint32_t*)0x200000000448 = r[4]; *(uint64_t*)0x200000000508 = 3; *(uint32_t*)0x200000000510 = r[5]; res = -1; res = syz_clone3(/*args=*/0x2000000004c0, /*size=*/0x58); if (res != -1) { r[6] = *(uint32_t*)0x2000000002c0; r[7] = *(uint32_t*)0x200000000300; r[8] = *(uint32_t*)0x200000000340; } break; case 16: memcpy((void*)0x200000000540, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000540); break; case 17: memcpy((void*)0x2000000006c0, "/dev/fuse\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000006c0ul, /*flags=*/2, /*mode=*/0); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000002b00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0, /*optname=*/0x11, /*optval=*/0x200000002a00ul, /*optlen=*/0x200000002b00ul); if (res != -1) r[10] = *(uint32_t*)0x200000002a34; break; 
case 19: *(uint32_t*)0x200000002b40 = 5; *(uint32_t*)0x200000002b44 = 0xee00; *(uint64_t*)0x200000002b48 = 1; *(uint64_t*)0x200000002b50 = 5; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x4018aee3, /*arg=*/0x200000002b40ul); if (res != -1) r[11] = *(uint32_t*)0x200000002b44; break; case 20: *(uint32_t*)0x200000002c00 = 0xee00; *(uint64_t*)0x200000002c08 = 0; *(uint64_t*)0x200000002c10 = 8; *(uint64_t*)0x200000002c18 = 1; *(uint32_t*)0x200000002c20 = 6; *(uint16_t*)0x200000002c24 = 5; *(uint16_t*)0x200000002c26 = 0; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x40286608, /*arg=*/0x200000002c00ul); if (res != -1) r[12] = *(uint32_t*)0x200000002c00; break; case 21: *(uint32_t*)0x200000002f00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000002e00ul, /*optlen=*/0x200000002f00ul); if (res != -1) r[13] = *(uint32_t*)0x200000002e34; break; case 22: *(uint32_t*)0x200000004040 = 8; *(uint32_t*)0x200000004044 = 0; *(uint32_t*)0x200000004048 = -1; *(uint32_t*)0x20000000404c = 2; *(uint32_t*)0x200000004050 = 0x10; *(uint32_t*)0x200000004054 = 4; *(uint16_t*)0x200000004058 = 7; *(uint32_t*)0x20000000405c = 0x7f; *(uint64_t*)0x200000004060 = 0xbb; *(uint64_t*)0x200000004068 = 0xf; *(uint64_t*)0x200000004070 = 4; *(uint32_t*)0x200000004078 = 0x800; *(uint32_t*)0x20000000407c = 2; *(uint16_t*)0x200000004080 = 5; *(uint16_t*)0x200000004082 = 0; *(uint64_t*)0x200000004088 = 0x200000002f40; memcpy((void*)0x200000002f40, 
"\xa0\xfc\x03\x37\xfa\xea\x63\x1f\x70\x4d\x04\xb5\xa5\x94\xdd\x3a\x87\xe2\x74\x7c\x38\x74\x0f\x43\x57\xe5\xcb\x22\x1b\xf4\x40\x57\x95\xc2\x99\x06\x22\x7d\x36\x4e\x04\x46\xeb\xf7\x7d\x11\x1a\xb6\x66\x81\x06\xa0\x02\x14\x0a\x81\x07\x1b\x6d\x28\xcf\xab\xb3\x7a\xea\x4e\x26\xc4\x65\x7d\xb3\x19\x16\xf1\x71\x81\xef\x2f\xbb\xa8\xcf\x19\x4a\x98\xc4\x35\xa1\x00\x7c\x27\x0c\xd6\xef\xf5\xc6\x42\x45\x37\x19\x7a\x13\x02\x02\xf2\x8c\xe2\x58\x6b\xe0\xce\xff\x0d\xb4\x7a\x35\x35\x12\x18\xf4\x9a\x45\x99\xa9\x8e\x93\xfd\x6f\xa6\xbe\x92\x17\x67\x82\xd2\x9c\xcf\xc9\x00\xc7\x67\xf4\xde\x10\x2c\x3a\x77\x79\x57\x7f\xf3\x6f\x42\x7d\xca\xed\x1e\x8d\xd3\x89\x65\x0f\xbe\x9c\xc0\xca\xb5\xb4\x39\x0e\x80\x5e\xc3\x0a\xd6\x41\x1c\xff\x60\x65\xa8\xa5\x76\x10\xab\x7c\x61\x01\x32\xa2\xa1\xbf\x37\xc8\x71\xd0\x6a\x9d\x78\xcc\x27\x68\x8f\x4b\xef\xa7\xbd\x11\x2a\x69\xdf\x64\xb5\x51\xe3", 214); *(uint64_t*)0x200000004090 = 0x200000003040; memcpy((void*)0x200000003040, "\x64\xb9\x52\x0e\xb1\x74\x93\x9e\xc8\x76\x43\xa2\xfd\xaf\xfe\xa4\x52\x7b\xbf\xd5\x1b\x07\xac\x94\x67\x16\x9d\x3c\x7b\xaa\x5d\xc6\x5b\x8a\x38\xd9\x50\xc8\x58\xff\x99\x23\x7e\x6e\xc0\x6b\x46\x56\xa5\x2a\xcb\x76\xc7\x55\xc1\xcf\xf1\xc0\xa6\x5e\x3d\x16\x32\xfa\xbd\x9e\x1b\x38\x18\x52\xb6\xfc\xfc\x05\x87\x44\x85\x6a\x80\xa2\x9f\xb4\xdb\xdd\x71\x5b\x3c\xd0\x8e\x15\xa5\x34\x05\xd0\xfd\x2f\xf7\xea\xc8\x36\x33\x8c\x4e\xca\x04\x56\xff\x78\xcc\x57\x12\x33\x21\x46\xb6\x71\xbc\x42\x86\x1c\xd8\xbb\x43\x20\x09\x85\xa3\x62\xf3\x9f\x15\xbd\x43\x7f\x06\x45\x8b\x86\x7d\x4b\xea\x22\x27\x49\x32\x50\xd8\x3f\xb4\x6f\x72\x97\xb8\xf8\xc2\x73\x51\xcc\xbe\xc4\xff\xd0\x71\x75\xa7\xc5\xe2\x31\x9e\x94\x21\x0d\x4a\xf5\x06\x1e\x74\x3f\x05\x0f\x2e\xa5\x38\xa3\xed\x9d\x03\x59\xf5\xa7\x54\x6c\x3d\x01\x13\xe2\x55\x26\x8c\xd0\x48\x3a\xb1\x86\xf9\xc5\x55\x02\x02\xa9\xfa\x3f\xa0\xc4\xa2\xa5\x80\x52\x41\x81\x9c\xf9\xc3\x45\xce\xcc\x6b\x77\xdd\x7c\x29\x97\x50\xb6\x7f\xf8\xcb\x5d\x9a\x6b\x0d\x3d\x98\x16\xdb\xeb\x6f\xdb\xc5\xea\x9f\xae\x4a\x25\xe1\x9b\x48\xe5\x10\xdd\xb5\xd4\xd1\x27\x
1b\xa0\xc4\xa0\x83\xd0\x4c\xc5\x09\xb4\x0f\x1a\x84\x91\x95\xf3\xbc\x3e\x9f\x63\xb7\xcc\x74\x73\xff\xc7\x40\xcf\x1a\x97\x9b\xd1\xd7\xe9\x31\x7f\x6f\xc7\x7a\x62\xe5\xac\xab\x36\xc4\xa0\x63\x06\x9c\xfb\x20\x7d\xcc\x7a\xf7\x0b\x77\xa7\x43\xb3\x62\xd9\xd9\xfa\xe0\xdb\xc6\x80\x92\x3a\x0e\x34\x54\x02\x6b\x6d\xa9\x57\x9f\x35\x2a\xfe\xf7\xab\xbc\xa7\xbf\xc1\x4a\xef\x0f\xb3\xd1\x30\x55\x06\xb9\x79\x40\xea\x12\x7f\xfe\xd1\x3e\xee\xa6\xca\xe0\xbe\x96\xf5\xbe\x73\x85\xe8\xe9\xba\x4f\x00\xfd\xc5\x18\x59\xd8\x25\x19\x27\x18\xdc\xf2\x3e\x0b\x6d\xa4\x13\xaf\xf8\x54\xba\x52\x21\xba\x8d\x27\xff\x02\xb6\xc0\xf9\x66\x7f\x2f\xfe\x72\xf4\x34\xf4\xc7\x08\x5a\x52\xfe\xe5\xf0\x87\x1b\xc2\x0a\xeb\xc8\xef\x87\xc1\x7c\x49\xb2\xa4\x34\x24\x21\x54\x77\x0e\x3a\xe2\x68\xd5\xba\xe1\x1f\x22\xf2\x14\x61\x69\xd7\xa9\xc1\x6b\x5d\xaf\x83\x03\x11\x11\xce\x5c\xe9\x92\xd2\x75\xbb\x9b\xc5\xd1\x29\x0f\x7f\xea\x35\x66\x07\xe8\xdd\x9a\xcc\x55\x84\x9e\xeb\x50\x28\x27\x37\x4c\x45\xdc\x89\xdd\x11\x86\xec\x92\x10\xbf\xf8\xe0\x05\xb7\xcb\x2c\x13\x4a\x92\x2d\x6d\xdc\x51\x22\x81\xe6\xf5\xaa\x9b\x10\x4d\x04\xbc\xc6\x00\x0b\x9f\x95\xf7\x43\x93\xf3\x12\xc9\x90\xf7\xd2\x9d\xee\x0e\xf7\xa4\xb1\x58\xfe\x69\x19\x6b\x06\x83\xf3\x5e\x8b\x4b\xa6\x5b\xb4\x9b\x31\x3d\x92\xd6\xf6\x7f\x72\xf7\xc3\xe7\xde\x4d\xd8\x84\xd7\x2c\x78\x6d\x66\xbd\xf5\x98\xa1\x5f\x9a\xc2\x96\xea\x70\x74\x03\x43\xd9\x45\x91\x18\x64\x48\xae\x73\xee\xa6\x10\x1d\xe1\x3d\xf6\x67\xab\x6e\xa1\xf5\x5a\xba\x4c\x11\x3d\x0a\xc4\x2b\xba\x7e\xc5\xbd\x1d\x56\xb6\xbc\x94\x70\x45\x59\x5c\x76\xc8\xf6\x93\x39\xbd\x2f\x19\x3d\xe2\x46\x53\x30\x10\xf4\x2a\xc9\x3c\xe0\xaf\x99\xf4\x0a\xe8\xbf\x3a\x30\x54\x3d\x68\x61\xb2\xca\x30\x6c\x0c\x08\x1d\xb7\x92\xaf\x44\x88\x20\x40\x9c\x05\x33\x0b\xdb\xe4\x4f\x70\xc5\x56\x1d\xff\x87\x04\xb5\xee\xb7\x12\xac\xd3\x21\xfb\x7b\xd5\x8c\x80\x9f\xb1\x1d\x01\x7c\x34\x87\x98\x54\xf1\x53\x24\x17\x41\xfd\xf8\xde\x35\x35\x6b\xee\x7a\x0c\xb4\x0a\x72\x6c\xc7\x83\x17\x57\x59\xe2\x66\xdd\xbc\x98\xe3\xe5\xf8\x22\x02\x4e\x33\x59\xa7\xfe\xc0\xe0\x9f\x0d\x1e\x
21\x42\x62\xea\x20\x9a\x9d\xdf\x12\x28\x0e\x28\x72\x33\x93\x36\x88\x17\xde\x6d\x20\x0a\xc6\xf9\xd1\x4c\xee\x80\xcb\x71\x35\x47\xca\xd5\x53\x33\xac\xaf\xf3\xa3\x2b\x48\x96\x48\x45\x50\x1b\xf1\x08\xe8\xf5\x15\x72\x8b\x36\x72\x62\x90\xb4\x78\xf7\xf3\xda\x9a\x62\xdd\xb1\xd4\x4f\x5e\xd5\x69\xc7\xcf\xf3\x04\x51\xb1\x35\x5d\x34\x91\xeb\x80\x34\x5c\xfd\xb9\x38\x47\x5f\x9d\x16\x18\x1c\xb1\xe3\xd7\x33\xea\x45\xab\xa0\x4c\xbe\x41\x9b\x1f\xe3\x9d\xe5\x14\xe8\xb0\x0d\xb8\x27\xfe\xc1\x95\xae\x77\x31\xb2\xa6\x4a\xd2\x58\xc1\xcf\x2d\x4c\xd9\x7d\xd9\xde\xc3\x56\x4f\x9c\xa7\x4e\xd6\x25\x83\x0e\xd3\x2b\x05\x07\xad\x8c\x97\xf6\x3f\x5a\x2b\x39\xbb\xae\xc0\x4b\x3b\x88\x9b\x6d\x7c\x9f\xb9\x89\x93\xd5\xe5\xae\x40\xcd\x6b\x63\x72\xbc\x63\x1d\x37\xda\xc4\xab\x3d\x48\xb5\x89\x5b\x00\x30\xe0\x02\xe7\xf4\x43\xbe\xad\x14\xa5\x77\x7e\xcf\x5e\xe9\x99\x83\xb3\xc0\xf5\x00\x53\x9d\x02\xba\x11\xcb\x4b\xf3\x25\x99\x06\xbb\xcc\x34\x85\x5e\x6d\x4b\x2c\x49\x31\x68\x16\xd4\xd1\x73\x40\xd8\x93\x8d\xbb\xad\x5f\x2c\xbf\xe8\x3d\xa5\x7f\x59\xe5\x1c\x9e\xb6\xff\x62\x15\xf7\x94\xf6\x82\x28\x20\xb0\x59\x12\xdf\x85\xfe\xa5\x3c\x04\x6d\xd6\xe8\x89\x24\xa1\x8e\x71\xc0\xcd\xa6\x58\xb5\x8a\xff\x26\x19\x4f\x88\xdf\x81\xda\xf0\x6e\xe0\x94\x2c\xda\x0d\xf1\x8b\x41\xb0\xe2\x30\xb3\x05\xb4\xf9\xa4\x7f\xdb\x18\xc6\xd6\x8c\xce\xba\x1f\x24\xf2\x75\x6b\xd9\x6a\x79\x91\x12\xc3\x48\x5e\x39\x4d\x2d\xd9\xfc\x87\xab\x1b\x46\x51\xad\x05\x8a\x3e\x44\x46\x1d\x2c\x72\xf0\x38\xff\x88\x11\x04\xcb\x75\xcc\x79\x68\x3a\x9d\x97\xd8\x81\xcf\xfb\x92\xb0\x5c\x12\xbf\x4d\x3a\xb4\xdb\xe1\x79\x08\xfb\x79\x9e\xaf\xfa\x9c\xaf\xa4\xa6\x1c\xe2\x0a\xa4\xb3\xeb\xc3\xc7\x52\x20\xaa\x65\xc9\x80\x3a\x77\xf1\x81\xda\x39\x24\xcc\xa5\xf6\x05\x96\x12\xe4\x54\x86\x10\x6f\x22\xb8\xc8\x91\xf7\xb1\x46\x62\xab\xd6\x4b\x32\x58\xed\x13\xbd\xcd\x6d\x1a\x77\xc6\xa4\x15\x19\xd6\x60\x63\x74\x3a\x19\x18\xbb\x13\xe9\xb7\x57\x7f\xb6\xbb\x7d\xf2\x3f\xf1\xb9\x6e\x78\x2b\xda\x63\x94\xd4\x86\x1a\x7e\x0a\xc8\x0d\x1c\x6c\xc8\x4a\x30\x3b\x78\x41\xe5\x89\xd6\x6b\xed\x37\xcc\xc0\x5f\x
4e\x9b\x4d\xfb\xc5\x3d\x3b\x50\xd5\x0e\x02\xc8\x7d\x41\xf5\x3f\x86\xde\xcb\x39\xc7\x06\xf5\x37\x2e\x9d\x6e\x3d\xde\x53\x05\x96\x20\xd2\x78\x45\xf3\xed\x77\xcd\x58\x99\xe3\x3a\xed\x5c\x4f\xb1\x40\xf8\xe4\x05\xfa\x2e\x0e\x11\x72\xea\xa7\xd4\xe9\x12\x98\x7a\x0a\xa3\xac\xf7\xc2\xd8\xe9\x4d\x16\xc9\x98\xc9\x87\xfd\x40\x4b\x23\x4e\xf7\x36\x1d\x0c\x53\x87\xe6\xb9\xd5\x5f\xb9\x72\xc7\xdc\x21\x72\x26\xce\x13\xd8\x2a\x59\x31\x1f\xe2\x69\xa0\x9c\x38\x4e\x73\x9a\x66\xbe\x43\x54\x79\x1f\x38\x1e\x74\xcc\x5d\xfb\x9a\x92\xfb\xff\xf8\x59\x5d\xf2\x4b\x40\x3e\xaf\xb0\x04\x73\xeb\x0b\x2e\x7f\xee\x36\xdb\xa4\xa9\x08\x93\x8b\xcf\xcc\xe9\x61\xfd\x10\xec\x29\xe5\x6d\xfe\x40\x59\x1e\x13\xd5\xe5\x3f\x16\xc8\x75\x9c\xa2\x7f\x80\xce\x90\x4f\x2d\x7c\x43\x32\x10\x97\x59\x5e\x90\x76\x39\xf2\x0f\x9e\x8d\xce\x70\x0c\x39\xd0\xe4\x42\xda\x88\x7a\x4d\xf0\x82\xeb\x7e\x17\x2f\xaf\xdc\xb0\x0b\x00\x8c\xaf\x55\x23\xd1\xfe\x5f\x24\x0a\xe9\x91\x49\x6d\xb9\x33\x89\xaf\x41\x85\xe9\xc9\xcc\xbd\xcb\x97\x31\xce\x7a\x77\x0a\xe2\xab\xac\x9d\x8c\xdd\xf3\x13\x23\x1a\x55\xe1\x27\x7b\xd3\x6c\x1e\x44\x84\x2b\x38\x72\x55\x5c\xcd\xcb\x3a\x06\x84\x59\x13\x21\xff\x15\xdc\x6d\x2c\xef\xfd\x58\x5d\xbe\xb9\x90\xe4\x05\x4f\xab\xc1\x8a\x9e\x9f\x1d\xe1\x3b\xfa\xd9\xde\x7f\x8d\xeb\x6b\x6c\x47\x2c\x42\x33\x67\xee\xad\x52\x50\x04\xde\xfa\x9e\x17\xc6\x79\x02\x36\x0b\xf1\x63\xa0\x1e\x98\xf6\xe7\x55\xcf\xf6\x28\x2a\xee\xbd\x1e\x8a\x09\x71\x5c\x15\xb9\xed\xaa\x50\x0d\xe0\x74\xc2\x8b\xad\x6d\x03\x57\x8c\x5e\x1c\x87\xbe\x71\x17\xf5\x4e\xef\xc3\x31\x3c\x38\xb6\x1d\x88\xa6\xa5\x0a\x0f\x36\xfd\xbf\x08\x4c\xb4\x14\x47\xc6\x90\xd3\xff\xcc\x83\x14\xe9\x1a\xda\x81\xd3\x4a\xcc\xd3\xe0\x6d\x19\xbc\xa2\x8f\xb4\x9b\xed\x5e\x32\xf4\xeb\xd5\x49\x29\xe4\xab\x51\xa6\x59\xb8\x1c\x1c\x35\xdf\x9e\x51\x47\x69\xb9\xeb\x31\xd7\x1d\x43\x78\x64\xf5\x4e\x99\x2a\x2b\x9b\x15\xe2\xfd\x32\x07\x81\x77\x56\xb4\x86\xd0\x81\xaf\x39\x7b\x21\xa2\x58\x44\x3d\x86\xa2\x0a\x82\xda\xb3\x09\x4a\x48\x83\x32\x47\x91\xd6\x7c\xea\x91\x8b\xec\x79\x94\xab\xce\xc1\x80\xf8\xfb\xd4\xae\x
90\xad\x2c\x78\x5d\xe7\x74\x73\x08\xd8\x0a\x73\x31\x86\x4b\xd1\xa9\xbf\xfb\x51\x44\x07\x78\x51\x93\x92\x74\x05\xf7\x78\xa1\x66\x51\x4a\x33\x9b\xfe\x16\xf5\xcb\x8e\xe3\x49\xa0\x8e\x25\xb9\x4d\xc3\x51\xc7\x2e\x98\xc6\xba\xf1\x86\x02\x50\x60\xcd\x98\xd7\xd1\x4b\xf8\xee\x06\x02\x40\x40\x5a\x1c\x10\x20\x2c\xb3\x48\x57\xab\x67\x4e\xff\x41\xcd\x46\xc0\x3d\x2f\xfc\xca\xbf\x19\x4e\x0f\x35\x16\x58\xab\x02\xd9\xa1\xf9\x28\x30\x61\x7d\xe6\x91\x35\x50\x95\x34\x64\x7b\xc4\xcc\x20\x52\x87\xb2\x51\x55\x3f\xcc\x76\x89\xd5\xe6\x69\xf9\xba\x4b\xdb\x40\x36\xe0\x64\xb2\xa7\x91\xea\x5d\xe9\x3c\x66\x91\x8a\xd6\x1c\xf1\x0b\xe4\xf5\x56\x4a\x07\x1b\x02\xb9\x36\x5b\xc5\x87\x31\x6e\x65\xbd\x12\x64\xfe\x1f\x8d\xc7\xd2\x44\xab\x33\x19\xe9\xa9\x05\xe2\x44\xa0\xd0\x00\xbf\x3c\x56\x68\x11\xf7\x29\xd1\x0f\x9d\x81\xb0\x60\xcb\x7f\xf9\x3d\xa8\x05\x6d\x64\x1f\x93\x12\x1c\x50\xb9\x87\xe4\x14\x9d\x44\xc2\x34\x91\xe9\xde\x6a\x5c\x1d\x6b\x26\xf6\x44\xb3\xb0\x20\x62\x7c\xaf\x32\xd4\x7f\x95\xa4\x85\x7b\x36\x53\x0f\xf5\xc5\xbe\x38\xca\x37\xb9\x0d\xec\x3b\xde\x10\x75\x61\x58\xd6\xdb\x91\xbc\xbb\xea\x66\x65\xfa\x14\x08\xae\xc0\x02\x5d\x9d\xfe\x3d\xe8\xa5\x7b\x8a\xf3\x00\x17\x9b\xff\x26\x03\x2e\x61\xdb\x60\xd6\xe2\x0a\xcb\x67\x15\x95\x05\x6f\xd6\x5e\x84\x03\x80\x40\xf0\x7d\x46\xdb\xd4\xcb\x8c\x0d\x3c\xe9\xfd\xa0\x02\xd2\x2e\x24\x75\x0f\x14\x58\x01\xaf\x85\xd7\x82\x68\x1b\xb9\xb1\x22\x8f\xb2\x81\xc5\x43\xe5\xdc\xde\xf8\x4b\x7a\x26\x26\xde\x59\xe1\xec\x79\xe4\x4d\x1a\x23\x0f\xed\xda\x6e\x30\x37\xb0\xe9\xc4\xca\x47\x5d\xcd\x31\x9b\x86\xbd\x4a\xb2\xcc\x3c\xd5\xee\x47\x85\x7a\xda\xa8\x8e\x7e\x77\xaf\xaa\xb3\xfd\x85\x07\x6e\xdb\x36\x15\xba\x44\xe9\x7b\x5e\x18\x1b\x5e\x8c\x86\x11\x78\x48\x54\xa8\xae\xbd\xcc\x09\x83\xe0\xb8\x37\x45\x5a\x29\x01\xb9\x19\x80\xb0\x5e\xfc\x92\x23\xd2\x06\xdc\xaa\x5b\xe6\x74\x5c\xbd\xfb\x6f\x9a\xf1\x38\x73\xb3\x77\x3f\x5a\x59\xbe\xaa\x0f\x4a\x36\xdd\xd3\x83\xd6\x3e\x12\xf5\x0e\x0f\x7c\x53\x3e\x6a\x55\x9e\x54\x5d\x28\x51\xd0\x4b\xd3\x6e\x41\x2d\x89\x1e\xac\x7b\xbf\xf3\x99\x36\x93\x7f\xa3\xe4\x
fb\xfa\xf5\x10\x37\xc5\x0a\x7d\x57\x30\x05\x1e\x4c\x69\x84\xf3\x94\xf3\xf5\x9f\xaa\x61\xac\x96\xfc\x2b\xa4\xe3\x35\x64\xc2\xbb\xc6\x07\xb1\x8e\xf8\xae\xf1\x9b\x88\xb7\xac\x63\xce\xf3\xe0\x97\x1f\xa1\x15\x62\x33\x37\x3f\xa5\xb5\x8f\x16\xfa\x99\x31\x2d\x84\xa6\xb7\x90\xe7\xa6\x63\xba\x05\xe2\x37\x38\x5e\xb4\x13\xe4\x26\x0e\x02\x1b\xa3\x87\x91\x23\x57\xfe\xd3\x9f\x13\x66\xe7\x31\x8e\xbe\xa7\xb9\x21\xde\xd5\xd9\xf9\xab\x5a\x86\x12\x16\x48\x31\x0f\x09\x04\x25\x8a\x9e\x4d\x59\x0d\x65\x43\x1d\x23\xe6\x22\x30\x9d\xe9\x64\xcb\x77\xdf\x8f\x28\x07\x66\x7b\xd5\x81\x81\xe4\x85\xc2\xe0\x3c\x29\x5c\x15\xe5\x27\x4c\x70\x6c\x1a\x00\x27\xb6\x75\x1e\x40\x95\x9a\x15\x81\xc7\x10\x77\x4b\xd5\x57\x53\x67\xc9\x3c\x17\xfb\x84\x44\x97\x6e\x38\x47\x11\xd4\xde\xbc\xe0\x97\x54\xe9\x7b\x04\x8d\x47\xb3\xdd\x82\xf7\x5f\xa9\x39\x37\xd0\x72\x2c\xb2\x37\x9e\x8b\x4b\x02\x67\x59\x91\xed\x1b\xc5\xf1\xf1\x5f\xea\x5f\xbe\x59\xc6\x3a\x29\x91\xaf\x99\x8a\x21\x99\x1f\x1d\x46\xcd\x3d\x21\x1a\x53\x2c\xee\x73\x2f\xfb\xcf\x55\xb2\x87\x90\xc4\xba\xdb\xa7\x68\xc5\x7a\x26\x23\xdf\x69\xb3\x96\xc2\xac\xcf\x92\x58\x06\xd5\x52\x61\xb7\x08\x74\x35\xe4\x97\x45\x29\x75\xb1\x52\x66\x52\x2e\xf9\x76\x37\x95\x6f\xaa\x20\xe8\xec\x65\x3c\x9c\x0c\x07\x73\x60\x3d\x77\x67\x7d\x0e\xf1\xec\x99\xa0\xf6\x1c\xcc\xf7\xe1\x10\x30\x51\xa7\x85\x2a\x00\x77\xf9\x73\x36\x9f\x6d\x80\x56\xb7\x9c\x53\x7a\xea\x6b\x41\x07\x09\xdf\x69\x37\xb6\xb7\xce\x03\x39\x8e\x1a\x7a\x1e\xf8\xe0\x62\xbf\x5b\x5a\x11\x0b\xc0\xda\xf2\x76\x5c\x92\xe6\x95\x83\x4a\xdd\x9a\xc0\x3f\x5e\xa5\x6f\x8e\xc1\xd6\x4a\x8f\xad\x07\x41\x0e\x30\x19\xd8\x4c\x0e\x7c\xdf\x1c\x49\xe9\x50\x91\x79\x4a\x3a\xad\x82\xab\xf6\x3e\x9c\x6c\xeb\xab\xdf\x05\xe8\x05\x03\xd1\xba\x70\x37\xe9\xb0\xb3\x5a\xad\x55\x17\xa0\x29\x88\xa3\x43\xb6\xa4\xaf\x6d\x82\x77\x96\x4f\xcd\x3e\x72\x0c\x19\xeb\xcb\xca\x7c\x4a\x87\x7c\x4b\x17\x40\x5d\x4e\x04\xe2\xbf\xf0\x36\xd6\xf5\xe8\xda\x62\xd6\xec\x70\xd1\xcd\xd9\x70\xe8\xba\x36\xf7\xfa\x95\x6c\xbd\xe7\x89\x25\xa4\x43\xb9\x57\x9b\xe0\x39\xe5\x65\x39\x66\xe7\x45\xb1\x
d9\x3c\x62\x97\x0f\x29\x07\xfb\x53\x5c\x88\x82\x0b\x95\xb2\x44\x09\xd1\xbb\x81\xe0\xcd\xfb\xdc\x39\x72\x78\xa8\xb1\xeb\xa6\x32\x5e\x69\x3a\x93\xb5\x50\xdc\x2d\x7f\xf0\x55\x98\xf8\x24\x67\x94\xb2\xd0\x1b\x58\xf3\x03\x24\xe4\x4c\x43\x9e\xc6\xe1\x70\xb6\x92\xef\x2d\x55\x2f\x33\x22\x42\x10\x1f\xe2\x45\x86\x56\x4b\x87\xe4\xd0\x4c\x5c\x41\x37\xf4\x53\x45\x1d\xc8\x2c\xe4\x9f\x93\xd5\x0e\x49\xac\xf2\xb9\x66\xd0\xd5\x00\xff\xf9\x9b\x98\x4d\x70\xfa\xa2\x06\x11\x87\x36\x9a\x3d\xd5\x03\x37\x87\x2c\x23\x0e\x6f\xbd\xa2\x42\x0e\x56\x58\x86\xb6\xee\xf5\x3e\xb5\x32\x23\x9a\x98\x23\x7b\xf8\xcf\x35\x49\xf6\x0b\x08\x3d\x81\xa1\x6e\x6a\x30\xc2\x6a\x74\x45\x6f\xbf\x8d\xdc\x24\x76\x78\x4e\x77\x6d\xf7\x49\x0a\x31\xe1\x11\x3c\xb0\xd8\x76\xd5\xca\x9f\xbf\xc3\x2c\xf6\x08\x1f\x75\x42\x01\x5b\x41\xae\x86\xf9\xc0\xbb\xfe\xd2\xb8\x47\x4b\xfc\xd7\x82\x84\x46\x7c\x22\xf1\xd6\xdf\x54\xbb\x3e\x28\xf5\xcf\xf0\x07\xe9\xd5\xd5\x59\x7c\x83\x7a\x72\xeb\x04\xef\x8d\x1f\x3a\xc0\x60\xb9\xf1\xff\xf3\xd7\x4d\xa3\x5b\xf1\xcc\x3f\xf9\xd8\x36\xbf\xc8\xd2\xcc\xb0\x72\x14\xaf\xd3\x57\xc2\x96\xae\x04\xa5\xce\x01\xfd\xc7\x79\xe9\xb4\xae\x6d\x67\x7c\x6f\xc4\x8f\x73\x83\x06\x4f\x2d\x21\x7d\x51\xe3\x90\x60\x9d\xad\x93\x30\x22\xed\x7c\x35\xf8\x9e\x83\xb5\x55\xc8\xe3\xcc\xec\x20\x4e\x59\x32\x28\xf3\x24\x44\x27\xcf\xed\x43\xbd\x37\x1e\xe5\xf5\x84\xce\xab\x01\xf8\x8d\x1c\x99\x47\x41\x89\xb8\x76\xc9\x53\x40\x89\xdd\x5d\x04\x60\xda\x83\x3a\xfb\x14\xcb\x1c\xb1\xf4\xbf\x85\x17\xff\xf8\x6f\x94\xa9\x19\xb9\xf8\xee\xb3\x60\x88\x7b\x13\x9f\x67\x59\x05\xce\xee\xfa\x05\x78\x6f\xd7\xea\xa8\xcc\x60\x10\xee\x28\x69\x89\xb6\x26\x9a\x45\x05\x2d\x4c\x62\xf7\x42\xbd\xc2\x52\xfb\xfd\xb2\x16\x6f\x9b\x02\x15\x31\x6c\xe5\x69\xd5\x3f\x12\xd7\xff\x1e\x92\xd2\xbf\x11\xb6\xed\x6a\xec\x3f\xe3\xf6\x2c\x49\xa4\xcd\x2f\xeb\xca\xe8\xe1\xb4\x4b\x38\xea\xf1\xa6\xe7\x8f\x2d\xa3\xcd\xd9\x4e\xde\xa7\x15\x00\x00\xd7\x01\x5c\xb6\x52\xba\x46\xd3\xb2\x31\x5b\x64\x9e\xdc\xcf\x47\xb5\x1d\x45\x85\xdb\xc7\x60\x64\xa1\x2b\x05\xce\xd6\xfd\x11\xfe\x37\x03\xad\x22\x67\x
f9\x62\x97\xbc\xd4\x55\x81\x07\x69\x74\x6e\xe2\x64\xe7\x3d\x90\x43\x38\x4e\x3a\xf7\xb4\x45\xfd\xa9\xf1\x2f\xff\xbc\x7d\x63\xcd\xc1\x05\xeb\xf8\xec\x1f\x52\x47\x5c\x73\xb0\x6b\x4a\xf0\x80\x03\x7b\xab\xda\x88\x88\xb0\x5b\x3d\x00\x51\xd7\xaa\x6c\x94\x91\x40\xdf\x65\x80\x6c\x83\x66\xf8\xe3\x64\x0f\x5a\x74\x70\x26\x26\x96\xbd\x3c\xd4\xdb\x85\x50\x2c\xbd\x5f\xe2\x2b\xb0\xf5\x92\x87\x76\x8f\xb9\xc5\x2e\x69\x33\xe5\x68\xe0\xd3\xce\x72\x83\xa4\x20\xc8\x9f\xd0\x4e\x93\xe5\x65\xdf\x0f\xf6\x8c\xc7\x43\xcd\xcf\x4d\xfc\x7f\xf0\x9c\xbe\x8a\x77\xa0\x20\x80\x4f\x4c\x17\x61\x28\x46\x16\xd9\x58\x40\x1f\x57\xaf\x9d\xc7\x13\x62\x99\x2b\x3f\xf3\x43\x9c\xcf\x85\xf4\x3b\x6c\x08\x50\x98\x96\x50\xd8\xf5\x5b\xa1\x92\x2a\x65\x00\xd2\x72\xdd\x42\x38\x6c\xbb\x23\xe6\xe6\x7e\xc9\x26\xa1\xca\x93\x57\xf4\xc8\x4b\x76\x71\x52\xe6\xc4\x36\x17\xde\xf9\x4a\xc6\x01\x4a\xa3\xc6\xca\x84\x18\x59\xdc\x57\x52\x4a\x72\x27\x41\x24\x65\x30\xda\x55\x06\x71\xec\x17\xd2\xa3\x42\xe5\x57\xb4\x3c\x08\xa9\x3c\x12\x67\x63\x7f\xff\x37\xff\x4a\x40\x85\x52\x8e\x7c\xe6\xd0\x9d\xe6\x42\x99\x6f\xff\x98\x68\x85\x44\xa7\xc2\x3b\xff\x8b\x6f\xdb\xe5\x33\x42\x4c\xcb\x11\x9a\x56\x7f\x1f\x15\xc0\xb4\x65\x0e\xd8\x0e\xfe\x24\xab\x4d\x1c\x1e\x33\x30\x5a\xfd\x2c\xea\xc6\x82\xc0\xea\xca\xa5\x66\x9e\x44\x34\xf6\x34\xb1\xc6\x12\x71\xd9\x5b\x00\x95\xc7\xb1\xa6\x2a\x2d\x07\x3a\xad\x80\xc5\x10\x15\xbb\x51\x50\x84\x5c\x11\x86\x33\xa3\xc4\xc9\x4b\x74\x63\xfe\x73\x39\x18\x2e\xa0\x1a\x7e\x28\x63\x7c\x27\xb5\xf8\x60\x68\xa7\x37\x4a\xe7\x7c\x5c\xdd\x6d\xd9\xb4\x69\xdd\x9a\x47\x5c\x37\x52\x8e\x2f\x1c\x40\x13\x23\x59\xe9\xe6\x5e\x23\xad\x45\x95\xb1\x60\xad\x9a\x2d\x83\xcc\xe0\x78\xf4\xd6\x18\x1f\xd3\x02\x6c\x2a\x0b\x13\x02\xfa\xa6\x9a\x51\x80\xa2\xc2\x0b\x3a\x32\x87\x6e\xfc\x2a\x62\x81\xc4\x09\xc2\xe6\x6e\x00\xde\xb5\x30\x98\x19\x7f\x13\x18\x5b\x7d\xa5\x89\xb0\xcf\xe2\xa3\x12\xf0\xf6\x1e\xfa\xb2\x9a\x7b\x1b\x61\x4f\xaa\x57\xed\x37\xe0\x1f\x8b\x0c\xdf\xb2\xea\x78\x67\x74\x5d\x66\x69\xa4\xa8\x95\xb9\x7e\x1e\xd2\x4c\x2f\x3c\xf2\x3e\x88\x51\x13\x8d\x9a\x
64\x0c\x2c\x0b\x32\x1d\x00\xf0\xa4\xdd\x9a\x72\xfe\x5b\xa4\x3a\xc4\x7d\xd3\x1a\x01\x4d\x31\xb7\x25\xee\x28\xcd\x8f\xbe\xd0\xbc\x78\x14\x59\x80\xb5\x86\xd3\x71\x84\x8b\xb9\x67\x48\x30\x3d\x0a\xd1\xfe\x2a\x2e\x7f\x5d\xd3\x40\x70\xc6\xfc\x50\xe1\x09\xdb\xb1\x5c\xdd\xcb\xc0\x4e\x1c\xf6\x35\x8d\x10\x50\xe6\x31\x9a\x34\xf1\x45\x2f\x44\x43\x6d\x8c\xea\x13\x7a\x37\xa1\xda\xd1\x3e\xfc\x2b\x9a\x95\x87\xa4\x3c\x2c\x3f\x3d\x5a\xa3\x2c\x09\x78\x52\x0d\x24\xda\xdd\x18\xef\xa8\x12\xa7\x2d\x33\xb2\xf4\x41\xac\x88\x52\x26\x55\x5f\x7c\xd2\x54\xab\x27\x71\x75\xc4\x35\x68\x3c\x36\xdf\x69\x7c\x2f\xb5\x36\x27\x19\x48\xe5\x38\xdd\x3b\xce\x39\x09\xa5\xc8\xc3\x7e\x97\xea\x37\x36\xcd\x1a\xda\x26\xf1\x3f\x12\x1a\x99\x06\x33\xd9\x5b\x59\xe6\x73\x93\x43\x29\x93\xc0\xc8\x4f\xd6\xd5\x2b\xeb\x7e\x3d\x02\xa4\x37\xeb\x28\x1a\xf5\x73\xba\x1c\x47\xf3\x73\xf6\xcc\xd6\xe0\xb1\x83\xa2\x1c\xbe\x9f\xdb\xb8\x2c\xcc\x39\x6f\x16\xaf\xf1\x99\x9f\xb8\x39\xeb\xca\xff\x97\xfa\x0b\xfd\x0d\x34\xcf\x8e\x57\x60\x6f\xd8\x23\x41\xdb\x31\x8e\x40\xcd\x9e\x85\xc1\x54\x46\x5d\xcc\xe1\xb7\xfd\x8b\x22\x80\x8f\x0e\x0d\x45\x4e\xf9\xa2\xb5\xa4\xc3\x5c\x0a\x12\x5b\x92\x37\x07\x00\x72\xd1\xcd\x82\x7c\xfd\xea\x8e\x3d\xe8\x33\xb0\x81\x4c\x8f\xf2\x60\xe6\xb3\x98\x07\xef\x86\xac\x67\x7a\xbd\xeb\x50\x7d\xd5\x7f\x69\x93\xd3\x03\xd5\x55\x17\x84\x0b\xd7\xaf\x1d\xb3\x98\x08\x21", 4096); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/6, /*buf=*/0x200000004040ul); if (res != -1) r[14] = *(uint32_t*)0x200000004048; break; case 23: *(uint32_t*)0x2000000042c0 = 2; *(uint32_t*)0x2000000042c4 = 0; *(uint32_t*)0x2000000042c8 = 0; *(uint32_t*)0x2000000042cc = 3; *(uint32_t*)0x2000000042d0 = 0x44; *(uint32_t*)0x2000000042d4 = 7; *(uint16_t*)0x2000000042d8 = 0xff00; *(uint32_t*)0x2000000042dc = 0x80; *(uint64_t*)0x2000000042e0 = 0xe5; *(uint64_t*)0x2000000042e8 = 0; *(uint64_t*)0x2000000042f0 = 8; *(uint32_t*)0x2000000042f8 = r[7]; *(uint32_t*)0x2000000042fc = r[4]; *(uint16_t*)0x200000004300 = 0x800; *(uint16_t*)0x200000004302 = 0; 
*(uint64_t*)0x200000004308 = 0x200000004180; memcpy((void*)0x200000004180, "\xb8\x47\x2d\xa7\x63\xb7\xf2\x33\xe5\xd2\x38\x7c\x99\x8e\xd4\x35\x56\x57", 18); *(uint64_t*)0x200000004310 = 0x2000000041c0; memcpy((void*)0x2000000041c0, "\x10\xf1\x21\x59\x35\x43\xac\x48\x3e\xe5\xd9\xfc\x00\x93\xe2\x03\xb9\x27\xb4\x4b\xb5\x34\xa8\x71\x1a\x28\xdf\x30\xc8\x75\x70\xf2\x5d\x8d\xd6\x43\x46\x7a\x2c\x9e\x53\x1e\x8a\x4a\xa6\xe0\x33\xf5\x71\xb9\xfe\xea\xe8\xb6\x5d\x09\x3f\x91\x56\x28\x88\x5d\x3f\x02\x8c\x3f\x44\x47\x63\x2b\x36\xf2\x2e\x16\xc1\xfc\xb5\xe7\xbd\x69\x92\xc0\x89\xdf\x96\x1f\xee\x65\xda\x52\x26\x3c\x86\x54\x31\xc8\x32\x4d\x25\x20\x54\x27\x65\x39\x02\x00\x0e\xe5\xf2\x31\xb0\x3d\xf0\x0c\xf5\xb4\xff\x9f\x87\x79\xd3\x31\xa8\xb5\x11\xc4\xdd\xf3\xba\x9b\x68\xb4\x81\x33\xa4\xcd\x4f\x26\xe7\x37\x66\x50\xcb\xa6\x10\xc6\x2a\x68\xf4\x81\x02\x20\x00\x97\x06\xa8\x5a\x06\x31\x03\xdc\x90\xdf\x67\x13\x7a\x34\xa2\xdc\x60\xea\xcd\x86\x8a\x66\xd7\xf6\x8e\x69\xc0\x4c\xc1\x95\xfd\xc8\x08\x1c\x4b\xe4\x14\x86\x03\x24\x2c\xaf\x94\x67\x0f\x9e\x25\x55\x7e\xf9\xad\xa0\xf2\x3c\x59\x61\xfc\x07\xfe\x58\xc7\x8b\xff\x01\x3f\x83\x44\xdd\x96\x11\xe2\x31\x49\x63\xbf\x51\xdf\x6c\x98\x4c\x56\xb9\xaf", 236); res = syscall(__NR_shmctl, /*shmid=*/0x10000, /*cmd=*/2ul, /*buf=*/0x2000000042c0ul); if (res != -1) { r[15] = *(uint32_t*)0x2000000042c4; r[16] = *(uint32_t*)0x2000000042c8; } break; case 24: *(uint32_t*)0x200000004540 = 0x9732; *(uint32_t*)0x200000004544 = 0xee01; *(uint32_t*)0x200000004548 = 0xee01; *(uint32_t*)0x20000000454c = 5; *(uint32_t*)0x200000004550 = 4; *(uint32_t*)0x200000004554 = -1; *(uint16_t*)0x200000004558 = 5; *(uint32_t*)0x20000000455c = 0x80000000; *(uint64_t*)0x200000004560 = 9; *(uint64_t*)0x200000004568 = 5; *(uint64_t*)0x200000004570 = 0x8001; *(uint32_t*)0x200000004578 = r[7]; *(uint32_t*)0x20000000457c = 2; *(uint16_t*)0x200000004580 = 0xffc; *(uint16_t*)0x200000004582 = 0; *(uint64_t*)0x200000004588 = 0x200000004440; memcpy((void*)0x200000004440, 
"\xae\xb6\xd5\x07\x3a\xfa\xa3\x1c\x2e\x2b\x2c\x26\x91\x12\xdf\xff\x49\x39\x37\x39\x22\x07\xd1\x3f\xcd\x1a\x8e\xba\xa9\x97\xfd\x97\x6c\xcf\x81\x7f\x42\x90\xa8\x95\x65\xf4\x5f\x54\x38\x2b\x31\x3d\x34\x98\xe2\xa6\x76\xfb\x90\x8e\xe4\xd8\x92\x13\x1f\x01\xb8\x3d\xed\xd0\x94\x98\xc8\xc2\xc5\x6d\xf4\xef\x1c\x82\x32\x32\x0b\x42\xd5\x83\xcc\x60\x61\xc9\x2c\xc0\x6c\x76\x4f\xb0\xd4\x46\xa8\xb9\xa5\xf1\x90\x3c\x9b\x2b\x2b\xa4\x5c\x1e\xce\x47\xcd\x24\x9f\x20\x1b\x45\x7e\xe0\x3c\x79\xfb\xe2\x6f\xee\xa6\xde\xc1\x42\x68\x9a\xe2\x1b\x9c\xed\x84\x39\xf1\x0a\x2e\x3b\x65\x7a\x1e\x3a\xb7\x38\x54\xc1\x33\x8b\x6d\xb9\x05\x24\x8a\xe4\xbc\xee\x97\x3d\x06\x8e\x9b\xd4\x9b\xf4\xf9\xe8\xd0\x17\x7c\x72\x61\x2b\xce\x4e\xf6\xb4\xd7\x6c\x09\x39\x96\xde\x65", 183); *(uint64_t*)0x200000004590 = 0x200000004500; memcpy((void*)0x200000004500, "\x24\xa7\x29\x1c\x4a\xbc\x17\xba\x4a\xcd\xe1\xc6\xfb\xdb\x58\x89\x6a\xd2\x7d\xad\x25\x64\x40\x20\x7f\xf6\xa5\xe4\x8f\xf2\xa6\x18\x5f\x2c", 34); res = syscall(__NR_shmctl, /*shmid=*/0xfa95, /*cmd=*/0xbul, /*buf=*/0x200000004540ul); if (res != -1) { r[17] = *(uint32_t*)0x200000004544; r[18] = *(uint32_t*)0x200000004578; } break; case 25: memcpy((void*)0x200000000700, 
"\x2b\xce\x17\x78\xfe\xc9\xa1\x28\x6b\xf6\xab\xa5\x3c\x3a\xc4\x02\x86\xad\x6a\xa7\x11\x2d\x6f\x2f\xca\xbf\xd2\xba\x71\x3e\xaa\xdc\x81\x39\xe1\x4f\x61\x80\x70\x12\x6a\xc3\xa3\x8a\xd9\xcd\x7b\x5c\x94\xb1\x78\x3b\x26\x11\x52\x07\x29\x35\x3d\x56\xfc\x5b\xd5\xcb\xd4\xf1\x1d\x01\x35\x9c\xa9\xeb\x2e\x0c\x4c\xc6\x60\x95\x84\x6c\x2b\x10\xd4\x1e\xb8\x46\x77\xf1\xc3\x52\xbd\x90\xeb\xfa\x66\x12\x3a\x7a\x19\xf4\x5c\xae\xa8\x4f\x12\xe7\x76\x57\x93\x32\x46\xc4\x4a\x20\x9a\x4b\x9f\x15\x56\x87\xe2\xa4\xfd\x90\x2f\x57\xea\x49\x08\x5f\xaa\x76\x01\x19\x40\x68\x27\xdb\x2e\x6a\xde\x20\x29\xf8\x20\x1d\xe4\x7e\x97\xb1\x33\x85\x3a\xe7\x32\x14\xa7\x96\xe4\x81\x8d\x39\xcf\x10\xa8\xe6\xa6\xf1\x1a\x88\xe0\x82\xc9\xaa\x25\x85\x7a\x67\xa3\x2f\x35\xbc\x8f\x86\x7f\x04\x4d\x0f\x32\x99\x53\xdc\x06\x02\x24\x9d\x83\x19\x7e\x0e\xf5\xc9\x83\xb9\xd5\x56\xbd\x52\x7a\x6a\x59\x9f\x52\xa2\x11\xf9\xc7\x11\x3e\xdc\xc0\xe9\x3f\xc1\x8e\x79\xed\x69\xfb\x2a\x7f\xde\x97\xc9\xc3\x5e\x31\xe3\x5f\x07\x71\x37\xc8\xfd\x8b\xec\x40\x18\x14\xfb\x99\x81\x6d\x1e\xe5\xa5\xe7\xed\xc2\x10\xc6\x10\x97\x0d\xaf\x8a\xea\x89\xac\xbb\x75\x40\x82\xd8\xf6\x8e\xb4\xa0\x01\x06\x53\xc7\x06\x84\xa8\xdd\x7c\x00\x2b\xa7\xe4\x61\xc8\xdc\xc4\x5c\x22\x86\xda\x34\x27\x35\x14\x18\xcb\x24\xa9\x4d\x65\x56\xd6\x9e\x2a\x31\x9b\x5c\x0e\x69\xe6\xbf\x11\x1a\x9c\x45\x46\x7c\x41\x57\x5f\xdb\xfc\x26\x46\xda\xfd\xa3\x17\x9b\x0f\xca\xcc\x14\x9b\x45\xef\x10\xdc\x13\xf5\xfc\xe2\xe4\xa2\xc2\x2c\x2a\xe9\x92\xbc\x6b\xd5\x13\x23\xe7\x24\xe4\x66\xc7\x36\xdb\x1d\x34\x57\xee\x0f\x7d\xe1\x47\x66\x1d\xba\xdc\x94\x2b\xf0\xdf\x2f\x08\x9e\x98\x03\x81\xae\x88\x8a\xb0\x22\xfb\x54\x5c\x03\x43\xc4\x08\x7f\x2c\x1b\x6a\xe0\xcd\x21\xd0\xfd\x65\x65\x79\x09\x58\xc9\x3a\x67\x59\xa5\x75\x4b\x70\x0a\x6f\x53\xab\xbc\xa7\xd2\x2c\xdd\xcd\xd7\x09\xb2\x79\xd1\x11\xd6\xce\x1f\xd7\x91\xeb\xca\xf2\x60\x48\x09\x86\xb3\x21\xce\xcc\xf9\x55\x61\x8b\xbe\xa2\x78\x1d\x33\x14\x90\xcd\xe5\x73\x47\x93\xab\x07\x5f\x5a\x72\x93\x21\xae\xe1\x77\xfc\x3c\x20\xef\xd0\x79\x74\x46\xe5\x12\xc6\x25\xa3\xbc\x1a\x5
6\xf4\xc0\x18\x89\xf5\x74\x93\x3b\x72\x6f\x74\x37\xee\x04\x94\x91\xbc\xb9\x1f\x1c\x63\xa0\xb1\x75\xe2\xce\x56\x75\x07\xdd\x35\x4b\xf2\x6b\x08\x05\x9a\xc2\x29\x04\x6a\x6e\x75\xd3\xd3\x21\xee\x63\xc5\xab\xc1\xa7\x40\x9e\x20\x7e\x6f\xc5\x16\x79\xdf\x37\xbc\x7b\xa3\x39\xcb\xce\x32\xd4\x5a\x96\x09\x06\x88\x51\xb0\xa7\xf5\x81\xaa\xed\x7e\x99\x5c\x36\x77\x9d\x07\xc3\x57\xe5\xd9\x76\xf6\xde\xee\x4f\x36\x84\xf9\x7e\x7c\x61\x9d\x3c\xcc\x28\x72\x2f\x13\x0d\x93\x6d\x3c\x07\x3b\x9b\xb5\x19\x4e\xb9\xff\x69\x91\x0c\x6a\x3d\x58\x58\xc2\x86\x2b\xa8\xce\x94\x25\xce\xc1\xe8\x01\x18\x2a\x7f\xb5\xc7\x01\x7a\x41\x85\xd1\x3f\xeb\x35\x38\x29\xdc\x68\x1a\x56\x19\xf0\xa0\x2d\xb6\xeb\xde\x86\x0c\xf7\xc6\x29\x4d\x21\x45\xf9\xa5\x29\x18\x49\x76\x2d\x93\x81\x66\x82\xd1\x91\x89\xdd\x76\x82\x80\xdf\x4a\x68\xc8\x08\x01\xf6\x6a\xba\xbd\xf7\x22\xec\x21\x3a\x7b\x7f\x58\xc4\x61\x48\x68\x69\x00\x66\x9b\xdb\x0c\x64\x3d\x00\x5d\x60\x0d\x95\xc5\xcb\x5d\x28\xac\x4c\xd4\xc7\x02\x22\x94\x35\x2e\xd1\x35\x0c\x4e\x75\xfe\x89\x27\x89\x53\x92\xb0\x06\x2c\x78\x29\x2f\xc1\x5a\xd7\x03\x8d\x1b\xdd\xc9\x94\x53\x5e\x73\xcc\xc3\x3c\x9a\xb2\x33\x11\xd6\xf6\x5d\xe5\x98\xf5\xee\x9f\x91\x34\xca\x4e\x4b\x40\x9f\x21\xb0\xb0\xe4\x0f\x36\xaa\x5c\x78\x2b\x7b\xb8\x64\x70\x7a\xfd\xce\x1e\x7c\xfe\x5a\x27\xc1\xef\x3d\x2d\xc1\x41\x05\xd6\xa4\x89\xb8\x7e\x7a\xe1\x67\xae\x87\xa5\xf3\xcd\xa0\xb8\xa6\x22\x17\x62\x97\xf5\x32\x8b\x79\x69\x0d\xf9\x89\x79\xa4\x80\x6d\xea\x06\x93\x95\xf5\xb8\xe5\xbc\xec\x68\x3f\xd3\x9b\x86\xbc\xef\x86\x5d\xe6\x0f\xe4\x07\x29\x1d\x12\x7c\x4f\x00\x68\xbe\xc8\xae\x95\x73\x8f\xce\x42\x20\x5e\xf7\xcb\xba\x2a\x10\x76\x6e\x32\x19\x1c\xb4\xe5\x0c\x06\xdc\xf6\xca\x3a\xe7\x8c\x0c\xaa\x65\x8f\xd5\x8b\x65\x2c\xab\xdd\xe1\xdf\xa9\xd1\xf5\x4a\x44\x79\xad\x61\xd2\x5a\x47\xff\x08\xb3\x12\x25\x60\x09\x9b\xde\xc5\x5d\xeb\x11\x0e\x40\x6e\x08\x59\x53\x40\x88\x7e\x49\x67\x74\x54\xb6\x08\x60\x15\x3c\x4b\x1f\x7c\xeb\xef\x25\xda\xd0\x82\xf4\xd3\x40\x20\x78\x29\x8b\xfd\x39\x0b\xc7\x66\x23\x45\x95\x91\x8c\xbb\x3b\x6c\xdb\x99\x61\xe1\xb
b\x1d\x4f\x7c\x7f\x24\x01\xa8\xd8\x0a\xc6\x2b\x14\x62\x4a\x3b\x16\xd9\x70\x46\xfc\xef\x8d\x02\x5d\xeb\x79\x40\x94\xd2\xce\xa5\x0c\xcb\xe2\x72\xe1\xc7\x9a\x71\x67\x80\x3c\x40\xa4\xcc\xee\x13\x84\x44\xe7\xa4\x15\x34\x77\x83\xbf\xe0\xff\xda\x3d\x50\x01\x6d\x0f\x6b\x1b\x06\x12\x6f\xcd\xd9\x23\x7a\xac\x40\x0b\x85\x49\xe4\xc1\x91\x7a\x25\xdb\x59\xcd\xba\xe2\x9d\x1e\xa5\xbd\x7d\x25\xc5\x75\x02\x2d\xc5\x5f\xf3\x2e\xd4\x2a\x61\x0e\x23\x94\x79\xbe\xab\x0d\xd6\x2a\x30\xa4\xfb\xed\xa0\xfc\xfe\x1d\x0b\x61\x3a\x8d\x06\x69\x33\x46\x6a\x9a\xb3\x12\x62\x70\x1d\x08\xe7\x79\x28\xf8\x8c\xf8\xa8\x38\xe9\x72\x98\x93\xe5\x50\x70\xef\xcc\x83\x73\x6f\x3c\xb3\x2e\xef\xc0\x8f\x24\x0d\x44\x9a\x61\xcd\xf2\x11\x6c\xe4\xea\xe7\xb9\x66\x9c\xe6\xfc\x52\x8b\x98\x34\x01\x2b\x0f\x7c\x54\x25\xc2\x62\x23\x7a\xe8\xa3\x01\xb6\xcf\xc0\x3a\x57\x9c\xb1\x09\xdf\x41\x7d\x85\x14\xaf\x61\x2d\x32\x0d\x0e\xd9\x6b\x7f\x7e\x4a\x48\xaa\xa3\x0f\x6c\x8f\x42\x7d\xb2\xf9\x81\xbe\xf3\x60\xb9\xd8\xc2\x77\xc8\x4a\x80\x15\xf4\x9b\xb8\x84\x0d\xfd\xbf\xd5\x40\x2a\x05\x3f\xbe\xdc\x07\x51\x58\x7e\xbf\x6d\xf4\xd6\x92\x85\xcc\x39\x8e\x98\xa7\xfc\xd6\x88\x76\xeb\x2b\xf6\xf9\x4f\xc0\xd0\x3d\x7a\x93\xb1\x44\x6c\xf2\xac\x7e\xc1\x1f\x8c\x3b\x62\xfc\xc0\x74\x1c\x37\x6d\x15\xcc\xd8\xdc\x9c\x85\x92\x94\x53\xa1\x77\xbc\x24\x24\xb3\x74\xcc\xad\x51\xa5\x7b\xd0\x52\x90\x24\x1e\x00\x38\x9e\x5d\x97\x33\xda\xc8\x43\xb2\x5f\x43\x94\xdb\x45\x0f\xe1\x6f\xdc\xbb\x56\x33\x37\x90\x04\x4d\x65\xad\x60\x6a\xe8\xca\x97\xce\xec\x3f\x80\x9d\x78\x90\x49\xa3\x29\x88\x81\x33\x9d\x2e\xd1\x60\x2f\x2b\xf2\xbd\xe3\xcc\x87\x16\x3c\xf1\xdc\x3f\x8e\x32\xe8\x59\xac\x7b\x2d\x27\x1a\xe4\x2a\x7a\xd0\x5e\x6f\xda\x9b\x98\xc1\x4b\xe9\xa3\xf6\x5b\x16\x25\x37\x43\x99\x59\x82\x23\x7d\x31\x30\xd1\x5a\x18\xf8\xf5\x32\xa8\xd0\x27\x3e\xab\xb3\x38\x67\x02\x85\x98\x33\x84\x47\x81\xdc\xeb\xf2\x16\x4f\x0a\x4b\x14\x11\xd8\x82\x99\xfa\x82\xe7\xba\xb7\x1a\x08\x36\xd5\x0b\x41\x8a\x6a\x47\xf7\x47\x22\x0f\xef\xee\x26\x85\xaf\x32\xc2\xde\x7c\x33\x75\xcc\xa1\x19\x14\xf2\xda\x17\xec\xc4\x6e\x6
3\x5a\xfd\xa8\xc3\x6f\xef\xf1\x0c\x7d\x6e\xbd\xcf\x7d\xa4\x41\x4b\x4f\xdb\x28\xc4\x2f\x73\x8c\x95\x61\xa6\x56\xb0\x1c\xa0\xbc\xb0\x22\x4e\xc8\x03\xe6\xa2\x38\x64\xe0\x14\x38\x97\x4b\xba\x22\x36\x92\x12\xca\xf0\x53\xe5\x60\xcf\x11\xac\x83\xec\x04\x85\xf5\x70\xf6\xe5\x36\x74\x42\x43\xc2\x11\xfd\xc0\x3c\xb3\x59\x04\xf1\xb3\xad\x1e\x79\x65\xd4\x73\x1a\xa0\x48\x21\x5d\xbe\x3b\x33\xd0\x96\x3b\x0d\x5c\x0e\xcc\x90\xfa\x99\x99\x7f\x19\xb5\x83\x57\x48\x68\xb4\x08\x1c\x9e\xa2\x71\x23\x43\xb9\x18\xd2\x2f\xa3\x7e\x8d\xf4\xdb\x67\x0a\x4b\xe4\x29\x5f\x69\x9c\x92\x4c\x4b\x7f\xeb\x71\x10\x3d\x9a\xef\x02\x70\xde\xd2\x9d\x4f\x42\xaf\x37\xa4\x87\xe2\xbc\x8d\xc0\xb0\xbd\x3f\x68\x70\x38\x5a\x1a\x8a\x98\x42\x20\xf7\x9a\x47\xa9\x81\xe9\x87\xdc\xa4\x46\x95\xce\x64\x87\xd5\x3c\x01\x90\x10\x54\x3b\x20\x42\x22\xef\xae\xf7\x20\x8d\xfa\x23\xf8\x08\xc4\x56\x13\xd5\x14\x46\x8b\x97\xfe\x57\xdf\x91\x1e\xac\x0c\x90\xed\x04\xf0\x06\x49\x32\x1c\x3a\xbd\x27\x01\xec\x1a\x01\x22\xb4\xbb\x48\x37\x7b\x5e\x92\x51\xc0\x20\x3f\xaf\x08\x98\x26\x0f\xf7\x47\xc5\xa8\x2e\xed\x23\x42\x50\x15\x88\x51\xa5\x09\x06\xac\x54\x92\x71\x9f\x97\x0a\x90\x62\x00\x5e\xf1\x67\x55\x76\x35\x1a\x8b\x3d\x9d\xda\x73\x5c\xc6\x5b\x82\x09\xe9\x86\x68\xb8\xd4\x97\x88\x5f\xb1\xd9\x1d\x89\x3e\x3e\x3f\xe9\x6d\xbf\x56\xb6\x1c\x60\x6a\x84\x63\xc4\x1f\xd8\xc9\xbe\x64\xdf\x1a\x59\x56\x27\xfc\x71\x14\x38\xee\xa8\xdf\xb7\x32\x35\xa4\x7b\xe9\xc0\x37\x04\xfe\xda\x19\xe5\x4f\x65\xa2\x87\x62\x94\x49\x5a\xca\x4d\x61\x1c\x9b\x43\x84\x29\x15\xfa\x7a\x51\xe4\x5e\x16\xc7\xd2\x28\x17\xc1\xb1\x59\xe0\xbf\x53\xdf\xfe\x16\xed\x63\x41\x61\xbe\x4c\xc9\x16\x9c\x95\x2b\x0b\xb5\xfb\xf4\x45\xae\xe0\xe9\xd3\x86\xd3\x00\x61\x18\x57\xc7\x0e\x95\xcf\x2e\x42\xa3\xe7\x9b\xf7\xc2\x02\xb7\x7c\xe4\xf5\x2d\x5e\x8d\xdf\x50\xd5\xdb\x3f\xa1\x0e\x95\xf2\x4d\x65\x61\x86\xd3\x56\xde\xdc\x85\xc6\xf8\x68\x4b\x81\x02\xeb\x01\x9c\x18\xda\x8a\x66\x3d\x70\xbe\x24\xea\xd9\xf1\xdc\xed\x78\xbd\x06\x8a\x6c\x9b\x32\x4d\xd7\x47\x73\x43\x18\xeb\xc6\x2a\x4a\x9c\x74\xeb\x34\x22\xcc\xde\xe0\x2f\x9
4\x7c\x1a\x76\xe7\x38\x54\x28\x06\xff\x2c\x9c\x85\x1a\xb7\x12\x17\xf7\x53\x9d\xa9\xc3\x35\x0a\x1f\xbd\x5e\x53\x90\xa0\x48\xcc\xac\x1f\x54\x13\xab\x2d\x81\x47\xd7\xb2\xd7\xd4\x93\x3e\x24\xd7\xff\x0d\x16\xfa\x34\xe2\x38\xe9\x31\x62\x27\x30\xda\x47\xe8\xee\x85\x35\x49\xf5\x7d\x8c\xd0\x41\x1f\xd3\xdd\xcd\x5d\x6b\xf3\x63\x88\xd0\x36\x86\x62\xf9\x5d\xae\x7d\x3b\xcb\x93\x2d\x62\xe0\xf8\x95\xa5\x6b\xd8\x79\xd1\xf5\x70\x43\xeb\x6a\xd4\x6e\x35\x97\x6c\x4f\xa6\x24\x42\x21\xe9\xa6\x8f\xb5\xa9\x3f\x25\x68\xc1\x77\x2a\xd1\xfa\xef\x2a\xab\x00\x21\xfe\x7d\xbc\x57\xf3\xa7\x77\xdd\xfe\x61\xf4\x1c\xc3\xf7\xdb\x0b\xbf\x63\x7b\xd4\x8f\x72\xd1\x1d\xd0\x52\xfb\x4e\x32\x52\x0d\x41\x39\xce\x9b\x92\x06\x21\xf1\xeb\x6f\x37\x88\x71\xf1\xe7\x94\xc3\x87\x59\x65\x0a\x0a\x74\x2c\x0e\x34\x03\xb6\xbe\x88\xe3\x19\x20\xc0\xf3\xaf\xb5\x8c\x68\x6b\xea\xee\x1d\x65\xd6\xd8\x3b\x8e\xaf\xa7\xd0\xbc\xaa\xef\x87\x5e\xfa\x7a\x27\x37\x1c\xac\x05\x99\xd4\x1b\xa5\x1a\xa5\xce\x65\xce\x48\xbc\xa2\x4d\x4a\x43\x8e\x6e\x3a\xc3\x3c\xf1\xfc\x7c\xd8\xcc\x3c\xd9\xb7\x51\x16\xb5\x3a\x09\xd9\x81\x41\xfc\xcd\xf0\xb0\x8d\x8f\x9d\x6e\xfd\xed\x52\xd1\x01\xc3\xed\x6b\x27\xf6\xc6\xe4\x2f\x9b\xa1\x99\xf3\x9c\x9a\x33\x77\x28\xbd\xe0\x5b\xbe\xee\x63\xe4\xdc\x68\x0e\xcf\x0f\x02\x0b\xcb\xbb\x7b\x6a\xd0\xba\x9b\x2a\xa6\x14\x39\x1e\x8a\xa4\x15\x52\x13\x73\x56\x95\x3e\xf2\x15\x35\xca\x4e\x32\x20\xa2\x6f\x06\x1c\x7e\x78\xeb\x42\x42\x88\x98\x16\x95\xe6\x51\xf6\xda\x90\x57\xc6\x11\x02\xf5\xd5\x8d\x33\x13\x58\xd6\x91\xce\x1b\xd7\xf6\x81\x60\xcb\x76\xfe\x77\xf0\x3f\xfd\x46\x0e\xcd\xa1\xfd\xb1\xa7\x83\x33\x89\x3f\x1d\xc5\xd0\x35\x7d\xc2\x43\x35\xd3\xf1\x2d\x7d\xf9\x13\x31\x69\xd9\xd2\x14\x45\xb6\xa5\x81\x95\x66\x3d\xa0\x33\x06\x31\xb7\x32\xc1\xdc\xc3\xe6\x58\xf2\x37\xf0\xf6\x9a\x11\x60\x2d\x4c\xac\x64\x68\x35\x3f\xaf\xcb\xf4\xca\xd1\xa3\xa2\x6d\x2d\xed\xdb\xa7\xcc\xc8\x86\x34\x7f\xf0\x59\xda\xcf\x96\x96\x98\x00\x18\x53\x30\x7a\x3c\x5b\x36\x34\xde\xa1\x62\xe6\x3b\xd2\x7b\x7c\x9d\xab\x63\xa6\x70\x59\x29\x9d\x69\x42\x67\x5d\x10\x68\x8a\x79\x7d\x6
b\x51\x63\xea\xb8\x3b\x45\xb1\x84\x60\xc2\x8d\x6a\x83\x37\x1e\xca\x62\x6e\x9b\xdb\x94\xb9\x0a\x11\xa7\xfb\x7f\x7d\x9f\xec\x0d\x77\x3c\xc0\x56\x66\x36\x29\x2c\x7d\x90\xde\x64\x79\xae\x9f\xfc\xe8\xc3\x4e\x28\x4f\xf2\xfb\x4d\xa4\xc0\xb4\x62\x9a\x02\x3f\x1e\x9c\x1e\x79\xc5\xd6\xba\xe6\x25\x2c\xd4\xa3\x01\x53\xe8\xc1\xeb\xf0\x83\x89\xc2\x06\xd6\x6b\xec\xe9\x02\xed\x87\x7c\x36\x75\x6b\x3f\x9c\xaf\xe8\x41\xca\x61\xbf\xf3\x15\xfa\xe3\xaf\x3a\x18\x56\x3f\x71\xa7\x7e\xeb\x6f\xde\x0d\xb2\xce\xa7\xfe\x49\x4a\x78\x39\x1a\xfc\x1b\x21\xb2\x33\xe0\xc4\xb4\xa1\xa2\x3e\xee\x6f\xeb\xa1\xae\xe1\x12\x4e\xb0\x4e\xc4\xd2\x3b\x6a\xe5\xcc\xaf\x13\xac\xdb\x65\x6c\x72\x70\x7f\xed\x01\x0f\xc4\xab\x31\xba\x09\x3a\x22\xfa\x85\xe4\x73\x89\xac\xaf\xe2\xa2\x22\x98\xe5\x1d\x36\x73\x26\x95\x00\x8e\x65\xaf\xfd\xa7\x56\x13\xbb\xd2\x2f\x86\x9b\x05\xe9\xda\xfe\x41\x1d\xa8\x54\x9f\x14\x1e\x01\x8b\x36\x20\x49\xc6\xaf\x4e\xd7\x82\x37\x81\x72\xc5\x5a\xe7\xb1\xd0\x05\xa1\x90\x86\xc2\xab\x19\x74\x2f\xf7\xf9\xb3\x29\xdc\x56\x7f\x61\x47\x30\xef\x3e\x74\x78\xb6\x22\x09\xec\x2d\xb9\x0f\x3a\x60\x37\xaf\x0c\xb7\xbd\xcc\x8b\xad\x8b\x32\x86\x4a\x41\x67\xa3\x70\xd0\xf9\x16\xdc\x75\x1f\xb2\x8e\xe9\xc8\x00\xe5\x9e\x2e\x37\x20\xdb\xff\x36\x3b\x28\xcf\x26\x98\xfd\xb3\x06\x1b\xc3\x91\x97\x67\x7e\xfb\xca\x4f\x86\xda\x8a\x97\x6a\x1f\xe5\xf9\xe1\x83\xab\x9f\x3b\xdc\x9a\xb6\xae\x44\xb8\x71\x3a\x1e\xe0\x7b\x89\x4b\xf3\x74\x90\x46\x4f\x9d\x2c\x4f\x5a\x2a\x46\xc6\xb3\x03\x53\x43\xb9\x26\xdc\xa5\xd9\x93\xec\xb0\x74\x19\x1d\xf0\xe5\x0f\xbb\x11\x4c\x82\xb3\x69\xe1\x9d\x8c\xe9\x58\x02\x5e\x12\xa6\xe1\x35\xc3\x3c\x4e\x70\x40\xf2\xe5\xe4\xab\xb1\x43\xba\xfb\x7c\x71\x21\x44\xa9\x91\x09\xb0\x0d\xfd\x72\xf6\x6d\x6a\x5d\x7d\x1e\x6a\xea\xef\x79\x4f\xa4\x04\x57\x53\x28\xfe\xef\xd9\xc2\x08\xae\x71\x02\x36\xda\x12\xde\x52\x5c\x78\x40\x3e\x78\xfd\xcf\xb5\xcb\x34\x48\xf9\x38\x09\xea\xdb\xf8\xc6\xca\xec\xa7\x02\x83\x3a\x3d\x30\xbb\xaf\xe9\x4c\xa1\x4b\x5e\x91\x86\x4a\xa5\x75\x40\x94\x98\x93\x9c\x5b\x2c\xce\x2d\x33\xd1\xf1\x4a\xe3\xd7\x16\x9f\xfd\x5
1\xa7\x42\x1d\x2b\xe6\xa4\xf6\xce\x0d\x7f\xd5\xdd\x83\x4e\x02\x0c\x3e\x69\xcf\x5d\xeb\xe6\x9e\xe8\x63\xf5\x70\x2b\xab\x78\xfe\xcc\xd2\x85\xab\x47\x2b\x56\xd1\xc0\x6c\xe4\x0a\x79\xef\x15\xc0\x72\x36\x16\x36\x31\x74\x13\x72\x66\x43\xc9\x50\xc6\x7e\x57\x6f\xfd\x80\xd5\xf8\x08\x07\xb6\x72\x97\x36\x54\x7b\x00\xa0\xd4\x58\xe9\x3b\xf9\x64\xf4\x7d\xa3\x50\x77\x47\xec\x32\x3d\x31\x08\xc4\x49\x82\x62\x24\xea\x09\xaf\xa3\x66\x13\x33\x1a\x96\x1c\x5c\xf2\x59\x25\x2d\x0d\xac\xb5\x02\xfb\xc9\x87\xbb\xf6\xb1\xc8\xc6\x22\x5a\x6c\x0e\x65\xeb\xb5\xa5\x59\x45\xc5\xa0\x64\xec\x34\x6f\x84\x27\x0e\x3b\x38\xa1\x2a\xe7\x2c\x17\x80\x99\x75\xad\xa7\x2b\xad\x05\xa1\x2f\xda\x83\xf1\xb0\x0a\x42\x31\x04\x81\xca\x2a\x09\x90\xb6\x63\x96\x4e\x19\x4c\x92\x5c\x99\xce\xe8\x62\x79\xf6\x2c\x64\x54\x8a\x57\xd3\xf1\x67\xd6\x21\x3a\xcc\xbe\x67\x9a\x9f\xc2\x04\xd2\x10\x31\xf6\x4b\xd5\xf6\x8e\x8c\x75\xcf\x80\xaf\x20\x7c\xba\x25\xaa\x42\xfb\xc7\xdf\x07\x34\x25\x70\x00\xe5\xe9\xc2\x23\x36\x6d\x1d\xf4\x6f\x50\x8b\x8a\x8f\xba\x49\x33\x35\x2c\xb7\xc3\xf0\xe2\x5d\x66\xd8\xc5\x12\x9b\xdc\x46\x7d\xcd\xaf\x4f\x4a\x87\x1f\xea\x52\xb7\x07\xc8\x5c\xa1\xad\x30\xf0\x08\x04\xba\x50\x0c\xfb\xb2\xee\xe1\x8c\x68\x42\x09\x1c\x12\x0f\xf9\xf5\xfe\x91\x5a\x75\xa6\x23\xe5\x40\x7e\x77\xb2\xf2\xd7\xaa\x46\xe2\x4c\x96\x98\x6a\x60\x86\x55\x17\xc2\x67\x94\x5d\x39\x16\x92\xa1\xd3\xfe\xff\xc9\x35\x57\x67\x87\xc9\x0d\xa8\x46\xf9\x59\xe2\x6e\xef\x2f\x98\xce\x0b\x13\x17\x4f\xe4\x56\xc5\xd3\x3f\xb6\xbb\x65\xe8\x60\x3a\xf4\xf1\x02\x92\x9d\x84\x22\xb8\xbb\x5a\x24\xe0\xbe\xc7\x21\x4e\xe2\x3d\x9b\x8d\xd0\x7e\x7d\xaf\x18\xd8\x3f\xa6\x6d\x84\x9b\x91\xc7\x08\xf9\x9b\x46\x85\xc7\xb5\xdc\x95\x6d\x95\xc7\xfc\xea\xe7\x75\x9f\xea\xa0\xd2\xa0\x1f\x26\xb1\x7b\x9e\x5a\x23\x0c\x18\xc6\x10\xa7\xe7\x24\xdb\x79\xbe\xcd\x4a\xc0\xf1\x76\xbc\xf2\x04\x49\xe9\x0c\x3f\xae\x89\xc3\xa9\x93\xe2\xf9\xc5\x1e\x42\x8d\xc0\xbd\xdf\x67\xa7\xcd\x11\xf9\xce\x0d\xaf\xb4\x27\x7c\x32\x81\xb8\x8f\xa7\x13\x8d\x21\x7d\x79\xfe\x3e\xd7\x2b\x19\x5f\x27\x82\x0e\x33\x22\x9c\x5a\x6d\x7f\x4
9\x37\x20\xf9\x19\x0a\x1c\xb2\x29\xa3\xbe\xa0\xa7\x8f\x62\x9d\x00\x59\x3c\x98\x8c\x2d\x3f\xa0\x9f\x89\x35\xe2\x5b\xcd\x4c\xe0\x27\x6a\x16\xf2\x30\x6f\x7c\xbc\x89\x12\x52\x35\x91\xed\x88\x92\x1a\xa7\xae\xfe\x26\x71\x2f\x81\x02\x89\x06\xd7\x30\xfb\xe8\x19\x95\x52\x1e\x02\xe3\xdd\xfc\xa0\xf8\x81\xcb\x98\xa6\x61\xd2\xcf\x8d\x1f\xc3\x10\x84\x5d\xf4\xec\x58\x8c\x2b\x30\xfd\xfc\xe1\x81\xe6\xef\x9a\x65\x4e\x83\xfa\x69\xb7\x73\xfb\x51\x71\x77\x74\x93\x6e\x6d\x03\x77\x54\x78\x2f\xbf\xf1\x3d\x32\xa5\x0c\x75\xe2\x75\x3b\xca\xf4\xae\x37\x35\x26\xe6\x10\x60\x5f\x07\xc6\x77\xae\xda\xc8\xda\xf3\x79\x28\x3f\x2e\x59\xae\xdd\xe2\xc0\x19\x53\xd1\xbe\x45\x91\xef\x16\x5c\xa1\x90\x6d\xeb\xdc\x0b\x8e\x47\xde\xf1\xa3\x4d\x3c\x3a\x4c\x12\xea\xe8\x96\x68\xd1\x43\xd1\xb0\x98\x4f\x94\x50\x44\x70\x9d\xf8\x68\xd0\x97\x55\x14\xdc\x10\x93\x09\x0b\x0f\xe4\x29\x62\x34\x5e\xf4\x0b\x0d\xd8\x4f\xf7\xa2\x0f\x39\x4d\x5b\x3f\xc5\xa5\x5d\x69\xb4\xbb\xd0\x0b\x53\xe3\x17\x4c\x76\x0c\xb9\xc7\x9f\x27\x52\x75\x55\x8c\x69\x67\xf0\x3c\xb7\xb5\x4e\xc6\xc2\xa8\x60\x2a\x55\x57\xc4\x8e\x0c\xce\xae\xbc\x38\xc4\xcb\x35\xf1\x71\xfa\x42\x62\x2b\x1e\x8b\xe6\xdd\x32\x33\x75\x03\x3e\xde\x7b\xea\x93\xb6\xd6\x67\x75\x8f\xb9\x97\xcc\xee\x89\x6c\xb3\xa0\x3e\x47\xfe\x8b\x51\xbf\xef\xd7\x16\x5b\x4b\x16\x25\x46\xc2\xe4\xd4\x67\x10\x35\x3b\x73\xf6\xf1\xde\xa1\x7e\x44\x2b\x82\x72\xf6\xaf\xf9\x9c\x86\x43\x72\xe4\xc3\xe5\x63\x1b\xb7\x39\xb5\x9a\xd1\x23\x5a\x18\xaf\x7d\x59\xb7\x93\x20\xa4\x1b\x7c\x0e\x8d\x64\xd5\xa7\x94\x81\xcc\xe1\xe3\x1b\x33\x4a\xb3\x3e\x92\xe6\xa4\x29\x7f\x3d\xef\x0f\x1b\x34\x67\x5c\x7d\xe9\x10\xfe\x38\xe4\x94\xee\x01\x4b\xb8\x44\xe7\x07\xbd\x30\x2b\x24\x78\x6b\xd6\x06\x2b\xac\xb8\x2d\x52\x7a\xcd\xca\x23\x6f\x21\x7b\xf0\x47\x47\x42\x47\x6e\x6a\x93\x25\xd9\xee\x28\x2d\xee\x43\x63\x6b\xeb\xa5\x41\xe6\xaf\x65\xba\xb1\xf5\x82\x33\xa6\xf5\x58\xd8\xc6\x01\x9f\x4e\xe4\xc8\xe8\x33\xea\x16\x18\xb0\x53\xb3\xcd\xb8\xf8\x8f\x09\xce\x12\x25\xa6\x8f\x31\x9d\xe5\xbc\x58\x3e\xb3\xd2\x2f\x27\x32\x34\x3e\x9c\x0a\xcb\xd8\xef\xde\x7d\x9
c\x0f\x22\x40\x6b\x9d\x1b\xeb\x10\xe7\xbc\x92\x80\x7c\x7b\xbd\xc0\x0b\x1d\x88\x53\x4e\x65\xdb\xa2\x56\x21\x67\xe2\xcf\x12\xa6\xf4\xb1\xe8\x9b\x24\x95\xbe\x63\x1f\xe9\xa7\xaf\xaf\x3e\x44\x02\x54\xa2\xda\x7e\xeb\x26\x1b\x40\xb4\xb2\xc8\xa2\x25\x7d\x75\xb0\x9b\x85\xb8\x1d\x79\x54\xac\x55\x31\x3a\xc4\x99\x0c\x54\xae\x40\x79\x3c\x21\x58\xcf\xeb\xf3\x29\xb2\x67\x40\x5d\xd2\xa5\xe7\x61\x54\xd2\x1d\x74\xed\xd4\xa1\xe0\x86\xf0\xf2\x40\xe7\x19\x96\xa0\x4e\x8f\x96\xec\x88\x22\xbc\x5f\xc9\x18\x38\xd1\x7d\x97\xb0\x3c\xab\x99\x58\x33\xaa\xd9\xfe\xd8\xdb\xd9\x44\xfc\x11\xab\x74\xfc\x51\x5f\xd8\xbc\x5c\x06\x74\x24\xd3\x2d\xbb\x99\xe4\x9e\x0d\x42\xa5\x97\xdd\x80\x73\x17\xd6\x69\xdf\x7c\x08\x97\x9d\xd6\x47\xca\xe4\xb9\xd1\x23\xa6\x44\x03\x7c\x68\xfd\x7b\x45\x4d\x15\x8b\x51\x28\x18\x5b\x7a\x07\x1b\x77\x45\x3e\x29\xef\x51\x83\xc0\x3f\x3d\xac\x27\x58\xfa\xd6\x67\x3d\x17\xb9\x5a\x42\xd4\x28\xb5\x6d\xd7\xac\xd6\xb4\x4a\x15\xf8\xa6\xac\xc4\xc7\x3d\x23\xfd\xdf\xc4\x4f\xe5\x7a\x9a\xdd\x19\x57\x96\xcf\x45\xc0\x00\x6f\x6a\x24\x16\x0d\xfb\x87\x98\x62\xb0\x11\xe7\x4b\x88\x0f\x5a\x4f\x5d\xc8\x05\x3a\x1f\x2c\x7d\x0e\x1d\x77\x2c\x62\xca\x02\x8b\x09\xce\xba\xc8\x8e\xa7\xa8\xa1\x85\x59\x96\x20\x16\x74\xf2\xeb\x71\xac\x52\x6c\x0a\x0e\xc4\x49\x3d\xaf\x01\xa5\x51\x6d\x2b\xf8\x8b\xd8\x11\x72\xa2\xf7\x5f\xaf\xb3\xcd\xe2\xc9\x2b\x7a\x02\x0e\x07\x67\xcb\xda\xdf\x65\x57\x55\xc3\x71\x5c\x6b\xf9\xcc\x3d\xf3\x8c\x38\x34\xa7\x24\x95\x05\xa6\x89\x48\x0c\xa3\xa9\x78\x79\x2a\xe9\xbe\xfd\xfb\x3f\x25\xe3\xdf\xec\x22\xa9\x0d\x66\xac\xbc\xe1\x63\x3a\x29\x7c\xc2\xbe\xd9\x75\x73\x1f\xbc\x97\xc0\x9d\xa8\x94\x22\x65\x33\x6d\x17\xb1\x3a\x52\xef\xff\x98\x62\x6a\x8b\x7b\x18\x8c\xfb\x9d\xfd\x33\xeb\x28\x76\x34\x08\x73\x2b\xba\xe7\xb8\x01\x22\xa9\x1a\xd9\x81\x38\x97\x75\x7e\xff\xb8\x43\x58\xdb\xd6\x2b\x01\x33\x24\x1a\xb9\xaf\xa7\x9e\x35\x3f\x5e\x7d\xb9\x16\x39\x21\xd6\x5e\xfc\x93\xe4\x08\xbc\x38\xff\x95\x84\x29\x05\xa9\x13\xd0\x84\xd2\x4f\xa2\x23\x59\xdf\x71\x0b\x39\x69\x4d\xe2\x40\x38\x98\x31\xe3\x44\xe9\xd5\x33\x2a\xc0\xc5\x4
8\x4e\xdc\x3a\x9a\xc6\x12\xf6\x68\xe4\xe7\x81\x80\x10\x9e\x12\x49\xef\x5d\xc2\x7c\xfd\xed\x52\xea\x37\xef\x3a\x7d\x1d\x02\x88\xa9\xf7\x53\x2f\xb9\xf3\xa3\x80\x29\x4c\xf0\x33\x29\x62\x8f\xe8\xfa\xc3\xb8\x12\x11\x30\xbc\x3d\xff\x51\xed\x6f\x83\x00\x80\x67\x86\xf9\xe5\x05\xde\x5d\x25\xd6\x87\xc4\x02\xc0\xbe\xdb\x7d\x41\xcd\xb9\xcf\xb8\x77\x14\xba\x29\x28\xbe\xce\xcb\xe1\xaa\x32\xdf\xda\x00\x17\x07\xc7\x84\xce\xe7\xf6\x46\x48\x77\xef\x87\x98\xc1\x60\x8c\x48\x7c\xe0\x88\xd0\x73\x08\xb4\xf1\x67\x2f\xb2\x8e\xfa\xd8\xae\xe8\x45\xff\x99\xe0\x0d\xb8\xd0\xa4\xef\xf1\x0e\x7e\x04\x82\xe1\x0d\x2d\x4f\x53\x6b\x90\xa1\x7f\x2c\xd0\x64\x99\x58\x61\x9a\x3b\xfc\x4c\x72\x65\x4a\xb9\xa0\xda\xe3\x09\x9d\x69\x58\xcc\x43\xac\xee\x94\xa4\x50\x15\x24\xe0\xa9\xdd\x76\x70\x0d\x81\x46\x1f\xfc\x9c\xde\x22\x27\x15\xd4\xc8\x91\x7c\x2e\x53\x56\x0b\x63\x53\xa0\x98\xc9\x48\xce\x16\x13\x1b\xca\xc5\x69\x48\x46\x94\x26\x57\xfb\xbd\x47\xd1\x4f\x0b\x9e\x6e\x0e\x38\x3e\x7d\x60\xef\xe2\xd9\x93\x5c\x04\xdf\xee\x10\xe2\x2f\x47\x4c\xf3\x82\x32\x9c\xce\x12\xae\x8d\x21\x0f\xfb\xd1\x7d\xd0\xf1\x86\x8f\x6c\x10\xaa\x34\xdc\x1f\xb7\xbb\xb7\xa2\x5d\xb0\xcd\xb0\xaf\xcb\x3a\x52\x34\x45\x56\x4c\x6b\xc6\xc0\xf8\x43\x3a\x67\x75\x88\x18\x52\xd9\x97\x0a\xa4\x20\x3c\x92\x58\xa9\x44\x27\x41\x68\x89\x9d\x5a\x81\x5d\x66\x50\x37\xda\x71\x6d\x53\x04\xe4\xf2\x6c\x28\x9a\x46\x38\x4b\x96\x5f\x2c\xa5\xaa\xcc\x1c\x81\x23\xb5\x4c\x14\xe8\x3a\x59\xb9\x97\x99\x64\x88\x14\x79\x77\x84\x25\x4e\x3f\xcc\xca\x53\x79\x0c\xe3\xf0\xc2\x4b\xa0\x17\x22\xd4\x2b\xaf\xfc\x81\x68\xa3\x6c\x95\xb5\x38\x8d\xef\x13\x7e\x6c\x92\x9e\x2e\xd1\x42\x99\x10\xd1\x38\xe7\x91\xf8\xc4\x5c\x37\xea\x0b\x8d\x5f\x25\xdb\xb2\xb4\x3a\x4c\x2e\x05\x27\x32\x7a\x58\x47\xdf\x44\xa2\x14\x22\x23\x30\x14\x4d\x26\x44\x63\x66\x76\x4f\x81\x6d\xb2\x84\x7b\xba\x48\x60\xf2\x2d\xca\x28\xae\xa5\xba\xd2\x98\xdc\x4e\x58\x88\xce\x73\x7b\x16\x96\xc9\x52\xc2\xa5\x15\x57\x4d\x10\xd4\xd2\xc3\xd0\xa2\x12\x32\x42\x2d\x0d\x60\x07\x45\x86\x2a\x31\x51\x3c\x97\x8c\x84\x42\xbe\xba\xb3\xe3\xef\xbc\x5b\xf
0\x65\x72\x70\xd1\xdb\x26\xe9\x79\xcf\x50\xef\x7a\x3c\xfe\xe8\x80\xf7\x7a\x0b\x80\x2c\x7b\x37\x1b\xf9\x66\xa5\x41\x3d\x68\x74\xd9\x11\x1e\x7b\x98\xa9\x72\xbe\x26\xe2\x8f\xa9\xec\x1f\x77\x93\x91\xe3\xa4\x91\xd5\xe8\x69\x5f\x73\xd8\x87\x73\xa3\xd4\x06\x82\xff\xe1\xce\xa2\x37\xfa\x5a\x91\xd4\x8b\xd8\x2d\x8e\xcd\x25\xe6\xa6\x29\x2d\x17\x77\xe3\x8b\xe3\x7c\xcc\x8d\x96\xcf\x9d\x19\x1b\xa9\x05\x85\xe7\x28\xdc\x41\x5b\xc4\x06\xfd\x94\xe5\x3c\x67\x40\x71\xdf\x12\xea\x08\x9d\xcd\x94\xf9\xd9\x6b\x03\x86\xf7\x26\x05\x12\x67\xc9\x6e\x5c\x3d\x79\x49\xe8\x55\x02\xb5\xda\x43\xf1\x04\x93\xba\xa2\xfd\x77\xa0\x2f\xaa\xca\x33\x55\x8f\x78\xf0\x9f\x00\x43\x3b\xa9\x91\xef\x1b\x40\xc5\x99\x90\x39\xbe\xe1\x77\xfd\xa3\xba\x5d\xc0\x92\x51\x62\xe5\x9a\x8e\x32\x7c\x19\xe7\xd4\xe0\xaa\x8f\x13\x71\x07\x02\x71\xe0\x03\xce\x63\xf4\x27\x26\x5b\x6a\x2d\xfb\x1d\x68\x64\xf8\xcd\xf2\xa9\xd0\xf8\xb3\x8e\x57\x71\x2b\x85\x43\xa2\x0b\xe5\x02\x4a\xef\xfd\x25\x0a\x10\x6e\x78\x3a\x08\xa5\xae\x38\x5a\xc9\xa5\x76\xb3\xc1\xb0\x90\x36\xc5\x0f\x1a\x8d\x56\x99\xf1\xba\xd3\xd1\x69\x68\xf1\x1e\x9b\x1f\x54\xef\xdf\x3c\x2e\xc0\x3a\x1f\x12\x4a\xb5\xe5\xc4\x53\xd1\x9b\x93\x9b\x68\xd0\xa3\x39\x95\x1b\x5b\xb5\x5d\xa3\xeb\x45\x9c\x3f\x86\xa1\xde\x1b\x8b\x9c\xef\xe6\xe6\x0d\x14\xd8\xc6\x14\x31\x45\xe2\x4a\x85\xe9\xc0\x62\xa8\xf6\xbf\x5c\x9a\x51\xb2\xa5\x07\xff\xdf\x6f\x60\x1c\xd7\xd1\x0a\x7f\x3c\xb1\x6f\x38\xd7\xf2\xc4\x6e\xb2\xc1\xeb\xd2\x05\xd5\xb6\x0c\x5d\x5e\xc3\xd6\x0e\x15\x18\x9b\x9f\x44\x5c\xbf\x29\x17\x7b\x83\x55\xd8\xaf\x6b\xad\x6c\x6e\x3a\xda\xb3\x9d\xf7\x1e\xe2\xcf\x90\xdf\x9a\xb8\x68\x08\xe6\x2d\x1e\xc2\x4f\xf2\xbd\xe6\xfd\x56\xa2\x31\xe4\xe5\x56\xcc\x22\x7f\x5f\xa6\xd6\x17\xd5\x49\xae\xd8\xe2\xe3\x66\x01\x3d\x8a\x2c\x28\x99\xa5\xc7\x52\x62\x0d\x54\x47\x1f\x9c\xfe\x17\xb6\x87\xfe\xe4\x27\x99\xeb\x86\x21\xca\xbf\x3b\x81\x76\xdf\x65\x4b\x20\xf3\x48\xc9\x16\x7d\x70\xe9\x59\x22\x13\x38\xbf\x47\xcf\x3b\x34\x7d\xdb\x46\xe4\xea\x71\xfc\x82\x50\xcf\x48\x18\x60\x7a\x35\x95\x16\x65\xae\xec\x1b\x46\x84\xa9\xf2\xd5\x40\x39\xb
6\x44\xe3\xff\xcf\x5e\xf2\xa2\x67\x3d\x97\x40\x8f\xb9\xc5\xb9\xee\x80\x28\x67\xfc\xfc\xbf\x3c\xed\x42\x95\xe5\x9e\x78\x36\x5d\xe8\xf3\x8d\x98\x06\x6b\xc1\x63\xb7\x55\x56\x8b\xb0\x2e\xec\xa3\x8e\x04\xfe\x45\xb7\x80\x9c\xc4\x42\x40\x23\xa2\x3b\x15\xe3\x74\xe3\x83\xd0\x1e\x02\xdc\x66\x92\x48\x47\xf3\x72\xd8\xad\xc3\xb8\xaa\xdd\xb6\xea\xf9\x57\x5f\x52\x42\x51\xca\x6f\xea\x93\xfa\x33\x57\xe8\x1e\x94\x71\x5f\xbb\xe3\xce\x2b\xbc\x0c\x3d\x44\x7a\x51\x18\xd8\x59\xb1\xa7\x43\xb3\xe8\xee\xbf\xd3\x52\xfc\x50\xc2\x8c\x89\xd9\xfb\xf2\x08\x7c\xbe\xdc\xdd\xad\xd1\x99\x3a\x35\xf7\x1b\xff\x4b\x6e\x91\x90\xfb\x18\x26\xfa\x2b\x30\x89\x01\x87\x61\x65\xc7\x04\x17\xdc\xe1\x6e\xa0\xc1\x97\x55\x74\xbd\xc7\xcc\xf8\xd9\x2b\x3e\x77\x2b\x57\xfb\xad\xee\x74\xfc\xfe\x7b\x73\xdb\xef\x59\xc7\xf2\xe5\xba\x57\xb9\xbe\x68\x43\xe0\x6d\x0c\x13\xda\x2f\x48\x78\x40\x73\x7a\x8d\xfc\x79\x0c\xd5\x53\xc6\x93\xa9\xd1\x26\x8a\x13\xac\xfa\x44\xfa\x5e\x4b\x4f\x0d\xa3\x76\xfc\xc0\xec\x82\x94\xfd\xc0\x18\x23\x89\x7f\x91\x21\x27\xdb\x76\x90\x3d\xf2\xcd\xbf\xb9\x90\x24\x00\xc8\x6b\xf5\x26\xdd\xbb\x47\xc8\xe4\x9b\x67\x30\x55\xf7\x0a\x7d\x90\x08\x1c\xd3\x19\x64\xe0\x51\x9d\x50\x4c\x17\x1c\xd4\x1a\xb7\x99\x79\x16\xa7\x11\xcd\xec\x24\xf8\x0f\x80\x39\xce\xc9\xf6\x5b\xfb\xfa\x93\xe7\xbf\x22\x83\x51\xa8\x18\x92\xe5\x71\x80\xae\xce\x3e\x6b\x0f\xf3\x36\x6d\xc6\x66\x44\x47\xfa\xe5\xbe\xd3\x81\xf6\x29\x13\x4a\xdf\xcc\x51\xec\xa2\xab\x32\x76\x68\x2e\x5d\x9f\x67\x7b\x30\x1d\x6e\x6d\xcf\xa8\x64\x61\xa5\x67\xcb\x9c\xbf\xda\x3d\x2f\x91\xb3\xab\xc2\x0a\x5a\x7d\x46\x5d\x57\xc5\x07\xfe\x9c\xad\x83\x43\xd6\x4f\x51\xbe\x63\x0c\xe8\x18\xab\x78\xe9\x2c\xc5\x40\x8f\x48\x02\x5f\xbb\xf8\x39\x6d\x88\x20\x1c\x04\x2f\xd7\x11\x82\xc3\xd5\xdd\x62\xac\xe3\xec\x92\x31\xf8\x47\xbd\xff\x19\xb7\xbc\xe4\xe0\x4d\x10\x22\xb3\x2d\x46\xc7\x47\x09\xaa\x49\x63\x16\x6a\xef\xc5\xad\x6e\xd9\x47\x01\xd4\x32\x7f\x39\x4e\x1c\x9d\x01\xfb\xd3\xf2\x59\x03\xc5\x02\x0a\x84\x87\x96\x30\x08\xf8\xe4\xee\xdf\xe9\xc8\xd6\x2c\xa9\xcd\x72\xa9\x62\x39\xb1\xc0\x42\x7c\xb4\xe1\x7
1\x18\x21\x9b\x42\xcb\x89\x73\x53\x62\x1d\x66\x7a\x53\x8d\x3b\xa3\xe9\x26\x67\x38\xfd\x25\x24\x68\x1f\xd6\x33\xc1\xf7\x1a\x51\x28\x62\x10\xbc\x79\x3f\xc8\x9c\x0f\x04\x38\x66\x48\x0b\x7e\x08\x62\xb7\xa1\x08\x59\x3b\x2e\x9f\x8d\x1f\xc6\x2b\x7c\x67\xf5\x0d\xff\x63\x8f\x93\x18\xfa\x26\x0f\x37\x30\xce\xc7\x08\x0a\xfd\x74\x36\x41\xde\x7d\x59\xbc\xa4\xd3\x21\xf0\x31\xf3\x5f\xa6\x16\xc4\x33\xed\x57\x2a\x39\xbb\x17\xb9\x3c\x85\x81\xb1\x2a\xa1\xd2\x51\x54\x1b\xb5\xb2\x1c\x63\x91\x7c\x5b\x70\xec\x65\xe9\x57\xc5\x9c\x64\x3a\x6c\x0a\xb0\x02\xb5\x46\xdd\x97\x03\x50\xbe\x2a\x57\xe1\xa8\xf0\xf4\x6b\x01\x19\x95\x0a\xab\x33\x01\xe5\xca\x05\x43\x53\x2e\x1f\x08\x19\x90\x75\x60\x9f\x22\xcb\x8c\x8f\xfc\xba\x4b\xc8\x1d\xf5\xda\x4b\xa7\xae\x6b\x11\x1b\x4c\xd9\xc6\xe2\xe6\xc2\x0a\xda\x23\x28\x20\xb4\x77\x53\xd6\x26\x2c\x2b\x9e\xa6\x1e\xad\x28\x1b\xa0\xc3\x1c\x3b\xdf\xc0\x6b\x8a\x42\x98\x22\x82\xa2\x15\xbe\xad\xa3\xae\x9b\x2e\xad\x9a\xfd\x24\xf5\x0b\xc2\x28\x18\x90\x09\x77\x91\xcf\x37\xb1\x96\x9b\x45\xba\x7e\xb1\x30\x53\x66\x76\x7e\xda\x01\xef\xd0\x57\xda\x56\x74\x31\xc4\x9e\x79\xc5\x5a\x58\x95\x4f\x12\xda\xb8\xf1\xb6\x88\x51\x3f\x4c\x3c\x49\xa5\xf2\x7e\xe5\x37\x50\xd8\x9b\x63\x37\x79\x98\x00\x58\x78\x9d\x26\xa6\xb1\x72\x0b\xe7\xca\x54\x9d\xe7\x4b\xdb\x76\x3f\x4d\xb1\xa6\xbb\x86\x0b\x05\xdb\xc4\x77\x5b\x20\xce\xd8\x71\xb4\xa9\xd9\xd8\x77\xab\xef\x6c\x4b\xb3\x9d\x36\x8e\xf7\xe7\xfb\xba\xc5\xcb\x88\x21\x2d\x87\xf3\xc7\x62\x06\x59\xcf\x4c\xe1\xc6\xee\xb0\xea\x83\x84\xa6\xdf\x2f\x29\x13\x34\xe5\x80\x84\xfc\x55\xa3\xb6\xd7\xa8\x35\x1f\x62\x5a\x71\xee\xce\x16\xfc\xb5\x2f\xcc\xa8\x88\x09\x3a\x04\x0f\x5f\x15\x7a\xe2\x7d\xd7\x9d\x26\xae\x55\x5d\xd0\xd2\x19\xb5\x85\x53\xdb\x3b\xd8\xb4\x8d\x85\x6b\x3e\x23\x3d\x19\x72\x65\x78\xd3\x82\xbe\x3d\x12\x3f\x86\x56\xdb\xa5\xe6\x1d\xb1\x4b\x62\x7e\xb0\x74\xdb\x68\xd5\xa6\x9c\x93\x51\x17\x44\x92\xb5\x08\x24\x82\x4d\x3d\x3a\xf7\x92\x95\xf0\x5c\xdb\xb4\x7c\x8e\xf7\xc8\x5d\x81\x5b\xdc\xba\xcf\x4b\x86\x27\x96\x5c\x07\xc8\xe1\x07\x9f\x20\x1e\x50\x98\x02\x84\xf2\x00\x5
a\x92\xba\x82\x15\xd0\x6e\xf5\xef\xed\x59\x1f\x52\x79\xf1\x8a\x2f\xea\x04\x24\x66\xd7\x83\xe1\x08\x64\xe9\x3a\x54\xb8\x64\x9b\xb4\x43\x6d\x88\x6c\x78\x81\x9e\x92\x7c\x16\x3c\x76\x9c\x22\xfd\x6c\x1f\xfc\x50\x98\x49\xf6\x85\xac\xbc\x5c\x6e\xab\xe4\xbf\xb2\xe2\x65\x0b\xab\x17\x39\xa6\x95\x3b\x27\xa1\x84\x64\x64\xea\x8f\x56\xa7\x6c\xd3\x71\xa7\x47\x45\x95\x94\x9b\x6f\xd4\xdb\x07\x6d\x44\xce\xca\x31\x12\x22\x74\xec\x56\x8c\x58\x1d\x08\x8e\xe7\xf5\x68\xc0\x02\x4a\x49\x19\x20\x40\x1f\x16\x5d\xd1\x71\x1a\x2f\x9b\x03\x7e\xf4\xb4\x01\x9d\x22\x72\xe1\x9e\xd5\xcf\x41\x40\xe5\x8d\x74\xae\x1d\x93\x01\x8d\x09\xfe\xe3\x26\x3e\x81\x19\xfc\x7a\x48\x09\x45\x9c\x43\x4e\x93\xd3\x04\x70\x2f\x11\x0f\xc3\xa4\x0d\xfa\x78\xfd\xac\x5e\xdf\x24\x25\xd8\xdc\x16\x29\xbc\x95\xba\xb9\x32\x70\x32\x59\x8c\x2f\x55\x30\x78\x18\x7c\x3d\x07\x6f\x15\x67\x4c\xfb\x9e\x0f\x18\x2b\x68\xce\xdc\xec\x34\xcf\x04\x90\x90\x1a\xf1\x0a\x2d\x10\xac\x87\x31\xf7\x9e\x60\xea\x1e\xb1\x78\xa6\x01\x42\x97\xa5\xa3\xb8\x4b\x80\xde\xb5\xf3\xb5\x62\x04\xcd\xaf\x3a\x4c\xa0\xbc\xa0\x08\x3a\xca\xc6\xd2\xa5\x63\x71\x7e\xb7\x0b\x9d\x82\x75\xbb\x31\xdd\x4d\xa2\x5f\x6a\xaf\x3b\xb5\x76\x15\x2c\xc5\x98\x39\x9b\xfc\x1f\x70\x3f\x9d\x65\xc7\xca\x6f\xc4\x5d\x7c\xd8\x19\x12\x07\x1a\x94\xb4\x98\x17\x28\xbd\x3f\xa5\x32\xdd\x3a\xb9\x5e\xdc\x2c\x8a\x87\x92\x31\x6b\x78\x28\xc1\x7a\x0a\x11\x5a\x80\xee\x5f\x7c\x63\x2f\xa1\x23\xfc\xce\xae\xcb\x31\x19\x15\x34\x9c\x9b\x26\xf2\xed\x27\x52\x23\xd7\x9b\xac\x0c\x13\x76\x71\xc3\xac\x5f\x48\x9b\x42\xfb\xf5\xb1\x9b\x3a\x46\xae\x22\xa7\x2f\xe3\x47\xd8\xab\xf1\x11\x42\x96\x85\x62\xc6\x32\x9d\xfb\x94\x22\x49\xb5\x93\xd3\x7d\x17\xf4\x0d\x79\x3a\x48\x18\x92\x10\xe0\xb6\x0b\x95\x83\x75\xc0\x89\x93\xd3\x4e\x3e\xb0\xba\x69\x32\x43\x5c\xde\x73\xd5\x68\xd8\x1e\x0d\xf7\xf7\x6d\xab\x7c\x1c\x1f\x7e\x5b\x76\x41\x44\x89\x6f\xe5\xa8\x19\xa4\xf0\xae\xfa\x09\x9e\x1d\x84\xf8\xc1\x12\x02\xbc\x14\x1f\x7a\xe0\x3f\xb4\xfd\xbf\x5b\x6c\x30\x83\x4a\x4d\xcc\x7f\x9a\x64\xbb\xe1\x40\x76\x11\x0b\x97\x29\x76\x7e\x5f\x31\xed\xbf\x5d\xdc\x5
4\x0f\x3a\x31\xa3\x6f\x4a\x33\x2b\x5a\x24\xd9\xe0\xbe\x54\xf8\x16\x1b\x52\xf7\x6b\x78\x08\x3e\x40\xa6\x63\xc8\xd2\x0b\xfb\xc4\x46\x53\x3c\x2c\x4b\x78\xe6\x30\xbb\xc9\x4a\x24\xd9\x51\x60\x18\xfa\xff\xed\xc2\xe8\x5f\xb0\x91\xde\xea\xd3\x61\x2c\x8a\xb2\x41\xb1\x26\x47\xc2\xe7\x14\x07\xa9\xbb\xef\x11\xc9\x75\xed\xbb\x97\x22\xab\x61\x74\xa9\x19\x1c\x5f\x01\x28\xc1\xe0\xf4\x39\x33\x53\x68\x9a\xd1\x8b\x96\x78\x5a\x7d\x8e\x04\x5a\xdb\x80\x1a\xfe\x79\x00\x0f\x18\xec\xbc\x07\xea\x83\x93\x06\xbe\xcb\x86\x2b\x17\x53\xfe\xd5\x04\xdf\x00\x95\x46\x67\x2f\xd6\x5e\x60\xa2\xb5\x23\xae\x74\x77\x50\x2d\xb7\x5d\xeb\x99\x44\x52\xe0\xb3\xf7\xa8\x41\xa9\x8b\x8c\x0b\x0e\x82\x8f\x0c\xa6\x79\xe1\xfb\x97\xf8\xdf\x29\x2e\x2d\xb3\x0f\x75\x6f\xba\x17\x75\x45\xa0\x9b\xeb\x2b\xe1\x93\xfb\x3a\x1a\x94\xd3\x44\x56\xd9\x07\x1e\x63\x4b\xb8\xa4\x33\x09\x30\x2f\x6c\xe4\xc3\x38\xd4\x39\x27\x0c\x42\x6b\xaa\x04\x8b\xb9\x2e\xc1\x39\xe5\x0f\xc4\x57\xdb\x0f\x37\xb4\x94\xc5\x91\xf6\x71\x15\xbc\x9c\x52\x21\x52\xd2\x8f\x9c\xad\x16\x10\xbf\xfc\xea\x13\x9b\xf2\xc5\xe0\x23\x9d\x4f\x8d\xb1\x25\xf0\xc6\x68\x76\x8a\x02\xab\x70\x28\x14\xab\x61\xb5\x7e\x0d\xd8\x39\x54\x9c\xd7\x8c\x1d\x33\x1d\x3c\xf4\x2e\x0e\x94\x35\x9d\xf9\xf9\xd8\xd4\xfa\x2b\x98\x2a\x19\x77\xcc\x55\xa8\x88\x80\x56\x46\x23\x15\x45\xc2\xe9\x6a\x8b\x80\xc9\xdb\xda\xf7\xb7\x64\x40\x21\xf8\xdb\xdd\x8f\x3c\x37\x3a\x72\xa9\xc5\xa8\xad\x05\xc6\x7f\x50\xbd\x32\xa9\x6e\x19\xa6\x06\x17\x00\x61\x54\x2a\x0b\x1e\xe9\x0e\x3c\x75\x61\x9d\x95\x41\x6e\x1d\x2f\x6c\x76\xef\x08\xf6\x11\x88\x2c\x87\xd0\x96\xb2\xf8\x4c\x1b\x5f\x79\xc7\x28\x72\x7e\x00\xb0\x58\x9f\xf8\x67\x82\x4b\x88\x93\x9c\x3a\xcb\xa9\x6f\x59\xa3\xe3\x08\xef\x70\x68\xbd\x4a\xd8\x47\x8b\x9f\x0d\x6d\x5c\x90\xc8\xd3\xfd\xb1\xbc\xe0\x82\x2f\xd4\xdb\xf6\x04\x33\xd0\xfd\x9a\x1d\x00\xfa\xd0\x5b\x13\x5b\x0f\xca\x52\x29\x82\xbd\x41\xa1\xd3\x2c\xa9\xe1\x3c\xc2\xde\x18\x09\xe5\x1e\x12\xb5\x40\xdf\x58\xcc\x4b\xca\xcb\xc3\x94\x53\xe6\x2e\xff\xe1\xcb\xa6\x2a\x72\x5b\x7b\x69\x0a\x53\x1a\x16\x9b\x16\xcd\x4f\xb4\x23\x00\x18\xa
d\xbf\xeb\xfd\x58\xec\x47\x67\x42\xa8\xea\x7e\x8f\xf7\xe5\x6a\xb4\x63\xb3\x45\xa8\x42\x99\x86\x7f\x85\x7d\xe6\xea\x30\x75\x9a\x8d\xd0\x93\xe9\x8f\x99\xc6\x2f\x40\x95\x97\xf9\xa3\xdd\xd4\x90\xc8\x81\x33\xd9\x83\x1a\x7d\xdd\x0b\xbc\x35\x36\xd8\x0d\xea\xee\x38\xac\xb1\xba\x95\xba\x0c\xda\x91\x0f\x4b\x12\x0a\x59\x2b\xc9\x15\x04\xf4\xb0\xd9\x91\x71\xe2\xc4\x5d\x4e\x25\x6d\xc0\x3f\xed\xe6\x8e\xe1\xda\xbf\x80\x29\xc9\x9d\xec\x19\x8c\x4a\xad\xdb\x68\x17\xf8\x39\xf1\xda\x74\x97\x12\x67\xc2\x12\xbd\x22\x69\xf8\xcc\xcd\x32\x49\x5e\x8f\x72\x04\x48\x6d\x98\x59\x87\xc2\x5a\x5c\xb7\xef\xd6\x39\xb1\xdb\xd2\x50\x60\x22\xf6\xca\xf2\x4b\x09\x22\x62\x27\xd8\x03\x5c\xea\x83\xb9\xcb\x82\x1a\xc3\xfd\xae\xda\x5f\x22\xdf\xb1\x19\x15\x93\xf4\xd1\x65\x5e\x23\x54\x6c\x84\xa8\xff\x48\x27\x89\xbc\x92\xf1\x94\xdd\xa5\xf6\x14\xd6\x98\x6e\xac\x82\x9b\xab\x2b\x7a\x29\x22\x5b\xd5\x51\x76\x12\xd4\x0f\xda\x6a\x15\x3f\xc5\x2b\x24\x66\x33\x68\xad\xc2\xed\xf5\x6b\x07\xbb\x22\xf1\xb5\xd5\x26\xbf\xfb\x21\x28\x2c\x65\x4a\x77\x95\xa2\x76\x31\xf9\x5d\x88\x5d\xf4\xc0\xbc\xeb\x07\x12\xbf\xdd\xc0\x58\xdc\xbf\x32\x83\xa8\xb9\x66\x64\xdf\x54\x83\x40\x46\x6b\xd7\x17\x32\x9e\x6d\x54\x25\xcb\xd8\xf9\xe6\x44\x2e\xc4\x67\x13\x81\xb8\x01\x7e\x04\xba\xf1\x66\xd7\xb1\x4d\xdb\x51\x6a\x62\x4a\xc5\xc7\x65\x87\xa0\x0c\x65\x02\xa9\x40\x1c\xee\xc4\x82\x69\xc4\xeb\xf6\x70\xbd\x1c\xaf\x46\x13\xbc\xe8\x6e\x29\x7f\x9d\xd0\x02\x24\x08\xaf\x5c\x7a\x7e\x9c\xa4\xa1\xa2\xc7\xea\x50\x6d\xcc\xd7\xf8\x40\xeb\x4d\xe4\xdd\x3c\x73\x40\x06\xcb\x85\xe9\xa0\x53\x9f\x98\x8a\xb4\x5f\x59\x3d\x1d\x96\x06\x12\x2a\x2f\x10\x6e\x9f\x84\xf5\x2f\xf9\x17\x97\x07\x61\x03\xd0\x42\x58\x68\x46\xff\x73\x05\xc2\x73\xfe\x8e\xaf\x05\x3f\x6f\x2c\x7f\xd4\xf1\x18\x13\x4a\x8c\x82\x4b\xbb\x27\xe3\x19\x1a\x8b\x19\x25\x55\xc6\x61\x49\x08\xba\x54\x36\xa6\x73\x83\x0c\x27\xa6\x31\x69\xd3\xc6\x9d\x3f\x7e\x05\x2a\x6b\x6d\xe6\xfd\x2a\x54\x45\x72\xcb\xce\x67\xf6\x7a\x3b\x37\x83\xf4\xc8\xdb\x22\x71\xa4\xa1\x3c\x03\x55\xa9\x2c\x6b\x03\x6e\x5e\xf0\x6f\x53\x32\x3d\xb1\x43\x2b\xd5\xb
e\xd2\x60\x15\x44\x38\x7d\xfe\xa3\xf5\xed\x9b\x25\x2f\xc9\xa2\x04\x11\x99\x94\x23\x94\x4f\xdc\x2d\x16\x3f\x66\xba\x18\x26\xc7\xbd\x6d\xa8\xe8\x95\xef\xb1\x9b\x4f\xe0\xf2\x03\x81\x42\xd7\x66\x5f\xaf\xaf\x97\x9c\x56\x35\x29\x40\xb5\x5c\xae\xf5\xf8\xf8\x81\xdb\x23\x06\x0d\xdd\x71\xf9\x9f\xca\xb6\xbf\xe4\x12\xbe\xb2\xa1\x7d\x10\x6f\xa4\x50\x91\x4a\xa7\x92\x0c\xb2\x12\x67\xe1\x6c\xb4\x94\x36\x05\x60\x98\x36\x14\x9f\x19\x70\xd5\xca\x6f\x31\x10\x14\xd5\xb6\x91\xc1\x45\xba\x81\xb4\xff\x94\xc7\x2f\xe1\x50\xea\x49\xe5\x60\x70\xcf\xf3\x4a\xbe\xe3\x70\x61\xe8\x71\xae\xcf\x5d\xcf\x9f\x91\xb5\x2a\x36\xeb\x99\x3c\x67\x89\xf0\x21\xbe\x51\x70\x89\x2c\xa8\x0d\x1c\x2a\xd5\xbb\xce\x3c\xe4\x06\xcf\xb4\x12\xbd\x66\xfd\x64\x42\xd7\x0e\xbe\x18\xcd\xcc\x29\x58\xc5\x09\x34\x1f\x05\x10", 8192); *(uint64_t*)0x200000004700 = 0x200000002700; *(uint32_t*)0x200000002700 = 0x50; *(uint32_t*)0x200000002704 = 0xfffffff5; *(uint64_t*)0x200000002708 = 6; *(uint32_t*)0x200000002710 = 7; *(uint32_t*)0x200000002714 = 0x2d; *(uint32_t*)0x200000002718 = 2; *(uint32_t*)0x20000000271c = 0x400000c; *(uint16_t*)0x200000002720 = 7; *(uint16_t*)0x200000002722 = 0x6b; *(uint32_t*)0x200000002724 = 0x80; *(uint32_t*)0x200000002728 = 3; *(uint16_t*)0x20000000272c = 0; *(uint16_t*)0x20000000272e = 0; *(uint32_t*)0x200000002730 = 1; *(uint32_t*)0x200000002734 = 4; memset((void*)0x200000002738, 0, 24); *(uint64_t*)0x200000004708 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x18; *(uint32_t*)0x200000002784 = 0xfffffffe; *(uint64_t*)0x200000002788 = 4; *(uint64_t*)0x200000002790 = 5; *(uint64_t*)0x200000004710 = 0x2000000027c0; *(uint32_t*)0x2000000027c0 = 0x18; *(uint32_t*)0x2000000027c4 = 0; *(uint64_t*)0x2000000027c8 = 8; *(uint64_t*)0x2000000027d0 = 0x101; *(uint64_t*)0x200000004718 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0xfffffffe; *(uint64_t*)0x200000002808 = 4; *(uint32_t*)0x200000002810 = 0x50bf; *(uint32_t*)0x200000002814 = 0; *(uint64_t*)0x200000004720 = 
0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 3; *(uint32_t*)0x200000002850 = 0xffff; *(uint32_t*)0x200000002854 = 0; *(uint64_t*)0x200000004728 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x28; *(uint32_t*)0x200000002884 = 0; *(uint64_t*)0x200000002888 = 6; *(uint64_t*)0x200000002890 = 0xfffffffffffffff7; *(uint64_t*)0x200000002898 = 0; *(uint32_t*)0x2000000028a0 = 0; *(uint32_t*)0x2000000028a4 = r[4]; *(uint64_t*)0x200000004730 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x60; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 0xa2; *(uint64_t*)0x2000000028d0 = 0xfffffffffffffffb; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0x2867; *(uint64_t*)0x2000000028e8 = 0xd7f; *(uint64_t*)0x2000000028f0 = 2; *(uint32_t*)0x2000000028f8 = 0x28; *(uint32_t*)0x2000000028fc = 0xafb; *(uint32_t*)0x200000002900 = 7; *(uint32_t*)0x200000002904 = 0; memset((void*)0x200000002908, 0, 24); *(uint64_t*)0x200000004738 = 0x200000002940; *(uint32_t*)0x200000002940 = 0x18; *(uint32_t*)0x200000002944 = 0; *(uint64_t*)0x200000002948 = 0; *(uint32_t*)0x200000002950 = 0xb; *(uint32_t*)0x200000002954 = 0; *(uint64_t*)0x200000004740 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x13; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0x80000000; memcpy((void*)0x200000002990, "&,\000", 3); *(uint64_t*)0x200000004748 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x20; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0x41f; *(uint64_t*)0x2000000029d0 = 0; *(uint32_t*)0x2000000029d8 = 0; *(uint32_t*)0x2000000029dc = 0; *(uint64_t*)0x200000004750 = 0x200000002b80; *(uint32_t*)0x200000002b80 = 0x78; *(uint32_t*)0x200000002b84 = 0xfffffff5; *(uint64_t*)0x200000002b88 = 5; *(uint64_t*)0x200000002b90 = 0; *(uint32_t*)0x200000002b98 = 0x30; *(uint32_t*)0x200000002b9c = 0; *(uint64_t*)0x200000002ba0 = 0; *(uint64_t*)0x200000002ba8 = 0; *(uint64_t*)0x200000002bb0 = 0x9cb; 
*(uint64_t*)0x200000002bb8 = 6; *(uint64_t*)0x200000002bc0 = 0x45ff; *(uint64_t*)0x200000002bc8 = 8; *(uint32_t*)0x200000002bd0 = 0x7fffffff; *(uint32_t*)0x200000002bd4 = -1; *(uint32_t*)0x200000002bd8 = 2; *(uint32_t*)0x200000002bdc = 0x8000; *(uint32_t*)0x200000002be0 = 0xffff0001; *(uint32_t*)0x200000002be4 = r[10]; *(uint32_t*)0x200000002be8 = r[11]; *(uint32_t*)0x200000002bec = 0xb; *(uint32_t*)0x200000002bf0 = 7; *(uint32_t*)0x200000002bf4 = 0; *(uint64_t*)0x200000004758 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x90; *(uint32_t*)0x200000002c44 = 0xffffffda; *(uint64_t*)0x200000002c48 = 0xfffffffffffffc00; *(uint64_t*)0x200000002c50 = 3; *(uint64_t*)0x200000002c58 = 0; *(uint64_t*)0x200000002c60 = 6; *(uint64_t*)0x200000002c68 = 4; *(uint32_t*)0x200000002c70 = 7; *(uint32_t*)0x200000002c74 = 6; *(uint64_t*)0x200000002c78 = 6; *(uint64_t*)0x200000002c80 = 0x5d; *(uint64_t*)0x200000002c88 = 8; *(uint64_t*)0x200000002c90 = 0; *(uint64_t*)0x200000002c98 = 0xfffffffffffffffc; *(uint64_t*)0x200000002ca0 = 1; *(uint32_t*)0x200000002ca8 = 3; *(uint32_t*)0x200000002cac = 8; *(uint32_t*)0x200000002cb0 = 8; *(uint32_t*)0x200000002cb4 = 0xa000; *(uint32_t*)0x200000002cb8 = 2; *(uint32_t*)0x200000002cbc = 0xee01; *(uint32_t*)0x200000002cc0 = r[12]; *(uint32_t*)0x200000002cc4 = 6; *(uint32_t*)0x200000002cc8 = 7; *(uint32_t*)0x200000002ccc = 0; *(uint64_t*)0x200000004760 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0xc8; *(uint32_t*)0x200000002d04 = 0xfffffffe; *(uint64_t*)0x200000002d08 = 1; *(uint64_t*)0x200000002d10 = 6; *(uint64_t*)0x200000002d18 = 5; *(uint32_t*)0x200000002d20 = 5; *(uint32_t*)0x200000002d24 = -1; memset((void*)0x200000002d28, 170, 5); *(uint64_t*)0x200000002d30 = 2; *(uint64_t*)0x200000002d38 = -1; *(uint32_t*)0x200000002d40 = 6; *(uint32_t*)0x200000002d44 = 7; memset((void*)0x200000002d48, 255, 6); *(uint64_t*)0x200000002d50 = 5; *(uint64_t*)0x200000002d58 = 5; *(uint32_t*)0x200000002d60 = 6; *(uint32_t*)0x200000002d64 = 0xc828; 
memset((void*)0x200000002d68, 2, 6); *(uint64_t*)0x200000002d70 = 3; *(uint64_t*)0x200000002d78 = 0xa; *(uint32_t*)0x200000002d80 = 0x1f; *(uint32_t*)0x200000002d84 = 2; memcpy((void*)0x200000002d88, "bpf_lsm_kernel_create_files_as\000", 31); *(uint64_t*)0x200000002da8 = 5; *(uint64_t*)0x200000002db0 = 0x100; *(uint32_t*)0x200000002db8 = 5; *(uint32_t*)0x200000002dbc = 9; memset((void*)0x200000002dc0, 170, 5); *(uint64_t*)0x200000004768 = 0x2000000040c0; *(uint32_t*)0x2000000040c0 = 0xb0; *(uint32_t*)0x2000000040c4 = 0; *(uint64_t*)0x2000000040c8 = 0xffffffffffff51c6; *(uint64_t*)0x2000000040d0 = 0; *(uint64_t*)0x2000000040d8 = 1; *(uint64_t*)0x2000000040e0 = 0x7fffffff; *(uint64_t*)0x2000000040e8 = 4; *(uint32_t*)0x2000000040f0 = 0x80; *(uint32_t*)0x2000000040f4 = 0xe; *(uint64_t*)0x2000000040f8 = 5; *(uint64_t*)0x200000004100 = 6; *(uint64_t*)0x200000004108 = 9; *(uint64_t*)0x200000004110 = 0; *(uint64_t*)0x200000004118 = 0x80; *(uint64_t*)0x200000004120 = 3; *(uint32_t*)0x200000004128 = 7; *(uint32_t*)0x20000000412c = 0xffffff01; *(uint32_t*)0x200000004130 = 5; *(uint32_t*)0x200000004134 = 0x6000; *(uint32_t*)0x200000004138 = 5; *(uint32_t*)0x20000000413c = r[13]; *(uint32_t*)0x200000004140 = r[14]; *(uint32_t*)0x200000004144 = 9; *(uint32_t*)0x200000004148 = 4; *(uint32_t*)0x20000000414c = 0; *(uint64_t*)0x200000004150 = 1; *(uint64_t*)0x200000004158 = 0x7fffffff; *(uint32_t*)0x200000004160 = 6; *(uint32_t*)0x200000004164 = 7; memset((void*)0x200000004168, 2, 6); *(uint64_t*)0x200000004770 = 0x200000004340; *(uint32_t*)0x200000004340 = 0xa0; *(uint32_t*)0x200000004344 = 0xfffffffe; *(uint64_t*)0x200000004348 = 0x4f4; *(uint64_t*)0x200000004350 = 0; *(uint64_t*)0x200000004358 = 3; *(uint64_t*)0x200000004360 = 0x58be8e49; *(uint64_t*)0x200000004368 = 0x88; *(uint32_t*)0x200000004370 = 0x80; *(uint32_t*)0x200000004374 = 2; *(uint64_t*)0x200000004378 = 0; *(uint64_t*)0x200000004380 = 7; *(uint64_t*)0x200000004388 = 0x8000000000000000; *(uint64_t*)0x200000004390 = 
6; *(uint64_t*)0x200000004398 = 2; *(uint64_t*)0x2000000043a0 = 0; *(uint32_t*)0x2000000043a8 = 0x81; *(uint32_t*)0x2000000043ac = 0xb; *(uint32_t*)0x2000000043b0 = 0xfff; *(uint32_t*)0x2000000043b4 = 0x8000; *(uint32_t*)0x2000000043b8 = 0xc093; *(uint32_t*)0x2000000043bc = r[15]; *(uint32_t*)0x2000000043c0 = 0; *(uint32_t*)0x2000000043c4 = -1; *(uint32_t*)0x2000000043c8 = 0x9e9; *(uint32_t*)0x2000000043cc = 0; *(uint64_t*)0x2000000043d0 = 0; *(uint32_t*)0x2000000043d8 = 4; *(uint32_t*)0x2000000043dc = 0; *(uint64_t*)0x200000004778 = 0x200000004400; *(uint32_t*)0x200000004400 = 0x20; *(uint32_t*)0x200000004404 = 0xfffffffe; *(uint64_t*)0x200000004408 = 4; *(uint32_t*)0x200000004410 = 0x1000; *(uint32_t*)0x200000004414 = 4; *(uint32_t*)0x200000004418 = 7; *(uint32_t*)0x20000000441c = 3; *(uint64_t*)0x200000004780 = 0x2000000045c0; *(uint32_t*)0x2000000045c0 = 0x130; *(uint32_t*)0x2000000045c4 = 0; *(uint64_t*)0x2000000045c8 = 6; *(uint64_t*)0x2000000045d0 = 7; *(uint32_t*)0x2000000045d8 = 0xf; *(uint32_t*)0x2000000045dc = 0; memset((void*)0x2000000045e0, 0, 16); *(uint32_t*)0x2000000045f0 = 4; *(uint32_t*)0x2000000045f4 = 0xfffffffb; *(uint64_t*)0x2000000045f8 = 0xc3f; *(uint32_t*)0x200000004600 = 0xc6; *(uint32_t*)0x200000004604 = r[17]; *(uint32_t*)0x200000004608 = 0xee01; *(uint16_t*)0x20000000460c = 0x1000; memset((void*)0x20000000460e, 0, 2); *(uint64_t*)0x200000004610 = 0xc42b; *(uint64_t*)0x200000004618 = 0xfffffffffffffffb; *(uint64_t*)0x200000004620 = 8; *(uint64_t*)0x200000004628 = 0xfffffffffffff3f4; *(uint64_t*)0x200000004630 = 7; *(uint32_t*)0x200000004638 = 9; *(uint32_t*)0x20000000463c = 0; *(uint64_t*)0x200000004640 = 0x893b; *(uint32_t*)0x200000004648 = 0xc160; *(uint32_t*)0x20000000464c = 0; *(uint64_t*)0x200000004650 = 3; *(uint32_t*)0x200000004658 = 0x6a48; *(uint32_t*)0x20000000465c = 0; *(uint64_t*)0x200000004660 = 0x40; *(uint32_t*)0x200000004668 = 6; *(uint32_t*)0x20000000466c = 0; *(uint32_t*)0x200000004670 = 5; *(uint32_t*)0x200000004674 = 
0; *(uint32_t*)0x200000004678 = 9; *(uint32_t*)0x20000000467c = 3; memset((void*)0x200000004680, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x200000000700, /*len=*/0x2000, /*res=*/0x200000004700); break; case 26: res = syscall(__NR_pidfd_getfd, /*pidfd=*/r[6], /*fd=*/r[9], /*flags=*/0ul); if (res != -1) r[19] = res; break; case 27: memcpy((void*)0x2000000047c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000047c0, /*fd=*/r[19]); break; case 28: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 29: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/0); if (res != -1) r[20] = res; break; case 30: *(uint32_t*)0x200000004804 = 0x87d1; *(uint32_t*)0x200000004808 = 0x200; *(uint32_t*)0x20000000480c = 3; *(uint32_t*)0x200000004810 = 0x92; *(uint32_t*)0x200000004818 = r[19]; memset((void*)0x20000000481c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x70d3, /*params=*/0x200000004800, /*ring_ptr=*/0x200000004880, /*sqes_ptr=*/0x2000000048c0); if (res != -1) { r[21] = *(uint64_t*)0x200000004880; r[22] = *(uint64_t*)0x2000000048c0; } break; case 31: *(uint8_t*)0x200000004980 = 0x1c; *(uint8_t*)0x200000004981 = 0x40; *(uint16_t*)0x200000004982 = 0; *(uint32_t*)0x200000004984 = r[20]; *(uint64_t*)0x200000004988 = 0x200000004900; *(uint64_t*)0x200000004900 = 0x8000; *(uint64_t*)0x200000004908 = 0x190; *(uint64_t*)0x200000004910 = 0x10; *(uint64_t*)0x200000004990 = 0x200000004940; memcpy((void*)0x200000004940, "./file0\000", 8); *(uint32_t*)0x200000004998 = 0x18; *(uint32_t*)0x20000000499c = 0; *(uint64_t*)0x2000000049a0 = 0x23456; *(uint16_t*)0x2000000049a8 = 0; *(uint16_t*)0x2000000049aa = 0; memset((void*)0x2000000049ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[21], /*sqes_ptr=*/r[22], /*sqe=*/0x200000004980); break; case 32: memcpy((void*)0x2000000049c0, "*(z,\000", 5); memcpy((void*)0x200000004ac0, 
"\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x7e\xf6\xbf\x4c\x19\xc0\x4a\xa5\x7c\x4c\x2f\xf9\x2e\xe1\x46\x0e\xbf\x0e\x57\x59\x5c\xc3\x55\xaa\x22\x67\x95\x47\xef\x84\x49\x9e\xf9\x9d\x9b\xdd\x69\x1a\x9a\x0e\xe1\x9f\xba\x5f\xee\x97\xd9\xa9\x2b\xb7\xae\x3d\x75\x4a\x98\x45\x6c\xdb\xfd\x27\xda\x20\xf9\x77\xf4\xbf\x46\x30\xc3\xca\x42\x1a\x6a\xcf\x8d\x9f\x81\xd2\x93\xd3\xa0\xb0\x23\x27\xe4\x06\x32\x3e\x77\x3c\x64\xb8\x65\xc2\xc7\xa1\x02\x36\xfb\xbb\xb9\xc9\xea\xc5\xd1\x4f\x18\x75\x2a\x03\x89\xa5\x81\x59\x64\x04\x1b\x84\x4f\x71\x45\x5e\xa1\x2d\xdc\x9d\xcf\xb6\xe9\x00\xa3\x66\x57\x58\xcb\xa3\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 192); syz_kfuzztest_run(/*name=*/0x2000000049c0, /*data=*/0x200000004a00, /*len=*/0xc0, /*buf=*/0x200000004ac0); break; case 33: *(uint64_t*)0x200000014f40 = 0; *(uint64_t*)0x200000014f48 = 0x200000014ac0; *(uint64_t*)0x200000014ac0 = 0x17d; *(uint64_t*)0x200000014ac8 = 0x20; *(uint64_t*)0x200000014ad0 = 0x25000; *(uint64_t*)0x200000014ad8 = 0x5591; *(uint64_t*)0x200000014ae0 = 0x64; *(uint64_t*)0x200000014ae8 = 0x18; *(uint32_t*)0x200000014af0 = 8; *(uint32_t*)0x200000014af4 = 0x57; *(uint64_t*)0x200000014af8 = 0x12d; *(uint64_t*)0x200000014b00 = 0x18; *(uint64_t*)0x200000014b08 = 3; *(uint64_t*)0x200000014b10 = 0x64; *(uint64_t*)0x200000014b18 = 0x18; *(uint32_t*)0x200000014b20 = 0; *(uint32_t*)0x200000014b24 = 2; *(uint64_t*)0x200000014b28 = 0x69; *(uint64_t*)0x200000014b30 = 0x20; *(uint64_t*)0x200000014b38 = 0xc003; *(uint64_t*)0x200000014b40 = 1; *(uint64_t*)0x200000014b48 = 0x64; *(uint64_t*)0x200000014b50 = 0x18; *(uint32_t*)0x200000014b58 = 0x10; *(uint32_t*)0x200000014b5c = 0xc; *(uint64_t*)0x200000014b60 = 0x12d; *(uint64_t*)0x200000014b68 = 0x18; *(uint64_t*)0x200000014b70 = 0; *(uint64_t*)0x200000014b78 = 0x12e; *(uint64_t*)0x200000014b80 = 0x7e; *(uint64_t*)0x200000014b88 = 1; 
memcpy((void*)0x200000014b90, "\x36\x2e\x36\x3e\x66\x43\x0f\x57\xa9\x00\x98\x00\x00\x66\xba\xf8\x0c\xb8\x28\x8f\xc6\x86\xef\x66\xba\xfc\x0c\xed\xb9\x71\x03\x00\x00\xb8\xc7\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\x42\x0f\x01\xc8\x66\xb8\x78\x00\x0f\x00\xd0\x40\x0f\x01\xc5\x66\xba\x43\x00\x66\xed\x40\x1d\x03\x00\x00\x00\xc7\x44\x24\x00\x00\x00\x00\x00\xc7\x44\x24\x02\x49\x3a\x56\x64\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x32", 102); *(uint64_t*)0x200000014bf6 = 0x64; *(uint64_t*)0x200000014bfe = 0x18; *(uint32_t*)0x200000014c06 = 0xf; *(uint32_t*)0x200000014c0a = 4; *(uint64_t*)0x200000014c0e = 0x12e; *(uint64_t*)0x200000014c16 = 0x60; *(uint64_t*)0x200000014c1e = 0; memcpy((void*)0x200000014c26, "\xc4\x21\xf8\x10\x7a\xf0\x0f\xe7\x64\x9a\x4f\x47\xfb\x0f\x01\xca\x46\x0f\x08\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x80\x00\x00\x0f\x30\x0f\x01\xcb\x40\x0f\x01\xcb\xc7\x44\x24\x00\x8d\x00\x00\x00\xc7\x44\x24\x02\x07\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x52\x4b\x00", 72); *(uint64_t*)0x200000014c6e = 0; *(uint64_t*)0x200000014c76 = 0x18; *(uint64_t*)0x200000014c7e = 2; *(uint64_t*)0x200000014c86 = 0x12d; *(uint64_t*)0x200000014c8e = 0x18; *(uint64_t*)0x200000014c96 = 3; *(uint64_t*)0x200000014c9e = 0x17f; *(uint64_t*)0x200000014ca6 = 0x10; *(uint64_t*)0x200000014cae = 0; *(uint64_t*)0x200000014cb6 = 0x18; *(uint64_t*)0x200000014cbe = 4; *(uint64_t*)0x200000014cc6 = 0x12f; *(uint64_t*)0x200000014cce = 0x18; *(uint64_t*)0x200000014cd6 = 2; *(uint64_t*)0x200000014cde = 0x12e; *(uint64_t*)0x200000014ce6 = 0x56; *(uint64_t*)0x200000014cee = 3; memcpy((void*)0x200000014cf6, "\x0f\x01\xdf\x0f\xa8\x66\xba\xf8\x0c\xb8\x82\xca\xa9\x8f\xef\x66\xba\xfc\x0c\x66\xed\x67\x0f\x01\xca\x0f\xfd\xca\x46\x0f\x01\xb3\x90\x4e\x00\x00\x66\xba\x20\x00\x66\xb8\xb7\xea\x66\xef\x0f\x01\x32\xc4\xe1\x61\xeb\x58\x00\xb9\x81\x05\x00\x00\x0f\x32", 62); *(uint64_t*)0x200000014d34 = 0x180; *(uint64_t*)0x200000014d3c = 0x38; *(uint64_t*)0x200000014d44 = 1; 
*(uint64_t*)0x200000014d4c = 0x17; *(uint64_t*)0x200000014d54 = 4; *(uint64_t*)0x200000014d5c = 4; *(uint64_t*)0x200000014d64 = 0; *(uint64_t*)0x200000014d6c = 0x183; *(uint64_t*)0x200000014d74 = 0x18; *(uint64_t*)0x200000014d7c = 3; *(uint64_t*)0x200000014d84 = 0x65; *(uint64_t*)0x200000014d8c = 0x20; *(uint64_t*)0x200000014d94 = 0x32c; *(uint64_t*)0x200000014d9c = 0x10; *(uint64_t*)0x200000014da4 = 0x68; *(uint64_t*)0x200000014dac = 0x20; *(uint64_t*)0x200000014db4 = 7; *(uint64_t*)0x200000014dbc = 2; *(uint64_t*)0x200000014dc4 = 0xa; *(uint64_t*)0x200000014dcc = 0x56; memcpy((void*)0x200000014dd4, "\xf3\x41\xaf\x66\xb8\x3e\x00\x8e\xd0\xc4\xe1\x35\x73\xfa\xe7\x66\x0f\x74\xa6\x00\x00\x00\x00\x47\xdb\xc1\x45\x0f\x08\x66\x41\x0f\x38\x82\x94\x1f\x0e\x58\x39\xba\x47\x0f\x79\x55\x00\xc4\x01\x56\x51\xaf\x41\x04\x00\x00\x66\xba\xf8\x0c\xb8\xe2\x7f\xf4\x8d\xef\x66\xba\xfc\x0c\xec", 69); *(uint8_t*)0x200000014e19 = 0xc3; *(uint64_t*)0x200000014e1a = 0x12d; *(uint64_t*)0x200000014e22 = 0x18; *(uint64_t*)0x200000014e2a = 3; *(uint64_t*)0x200000014e32 = 0x12c; *(uint64_t*)0x200000014e3a = 0x18; *(uint64_t*)0x200000014e42 = 0; *(uint64_t*)0x200000014e4a = 0x12e; *(uint64_t*)0x200000014e52 = 0x6f; *(uint64_t*)0x200000014e5a = 3; memcpy((void*)0x200000014e62, "\xf3\x41\x0f\x22\x17\x66\xba\xf8\x0c\xb8\x61\x8e\xa1\x84\xef\x66\xba\xfc\x0c\xb0\x00\xee\x36\x64\x0f\x21\x39\xc4\x62\x41\x40\x32\x66\xba\x43\x00\x66\xb8\x0b\x00\x66\xef\x66\xba\x43\x00\xec\x40\x0f\x23\x38\x3e\x0f\xc7\x32\xc7\x44\x24\x00\xac\x00\x00\x00\xc7\x44\x24\x02\x90\x7c\x03\xe6\xff\x2c\x24\xb8\x05\x00\x00\x00\xb9\x97\x00\x00\x00\x0f\x01\xd9", 87); *(uint64_t*)0x200000014eb9 = 0x69; *(uint64_t*)0x200000014ec1 = 0x20; *(uint64_t*)0x200000014ec9 = 0xc3e5; *(uint64_t*)0x200000014ed1 = 2; *(uint64_t*)0x200000014ed9 = 0xc8; *(uint64_t*)0x200000014ee1 = 0x20; *(uint64_t*)0x200000014ee9 = 0xa1; *(uint64_t*)0x200000014ef1 = 2; *(uint64_t*)0x200000014ef9 = 0x65; *(uint64_t*)0x200000014f01 = 0x20; *(uint64_t*)0x200000014f09 = 
0x12f; *(uint64_t*)0x200000014f11 = 2; *(uint64_t*)0x200000014f19 = 0x12c; *(uint64_t*)0x200000014f21 = 0x18; *(uint64_t*)0x200000014f29 = 0; *(uint64_t*)0x200000014f50 = 0x471; res = -1; res = syz_kvm_add_vcpu(/*vm=*/0, /*text=*/0x200000014f40); if (res != -1) r[23] = res; break; case 34: res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0ul, /*prot=PROT_GROWSDOWN|PROT_SEM*/0x1000008ul, /*flags=MAP_PRIVATE*/2ul, /*cpufd=*/r[23], /*offset=*/0ul); if (res != -1) r[24] = res; break; case 35: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[24], /*exitcode=*/2); break; case 36: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[20], /*run=*/r[24], /*exitcode=*/0x10); break; case 37: *(uint64_t*)0x200000015140 = 0; *(uint64_t*)0x200000015148 = 0x200000014f80; memcpy((void*)0x200000014f80, "\x04\xea\xa0\xef\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x01\x63\x60\x14\xc2\x80\x3c\xd1\xc0\x84\x60\x04\x00\x84\x78\x83\x0a\x84\x64\xbe\x01\x84\x60\x27\x3b\xa0\x3c\x00\x3c\xa5\x60\x04\x00\xa5\x78\x27\x72\xa5\x64\x9d\x4f\xa5\x60\x7c\x62\xc0\x3c\xdf\xa5\xc6\x60\x04\x00\xc6\x78\x78\x11\xc6\x64\x30\xb5\xc6\x60\xf2\xd6\xe0\x3c\xac\xca\xe7\x60\x04\x00\xe7\x78\x51\x98\xe7\x64\xfb\x3b\xe7\x60\x02\x00\x00\x44\x00\x00\xe0\x3f\x00\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x48\xff\x63\x60\x7b\xff\x1b\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xfc\xf4\x63\x60\x76\x09\x80\x3c\x6c\xdf\x84\x60\x04\x00\x84\x78\x7c\xb5\x84\x64\x5d\x85\x84\x60\xf3\xc8\xa0\x3c\x84\x98\xa5\x60\x04\x00\xa5\x78\xa1\x6b\xa5\x64\x7c\x44\xa5\x60\x02\x00\x00\x44\x00\x00\x20\x3e\x00\x00\x31\x62\x04\x00\x31\x7a\x00\x00\x31\x66\x98\x00\x31\x62\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\xe5\x13\x5a\x63\xaa\xfe\xf9\x7d\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x00\x80\x84\x60\xdc\x39\x00\x7c\x00\x00\x40\x3d\x00\x00\x4a\x61\x04\x00\x4a\x79\x00\x00\x4a\x65\x71\x99\x4a\x61\xa7\x5f\xc0\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x
64\x08\xef\x63\x60\x09\xc6\x80\x3c\x1c\x64\x84\x60\x04\x00\x84\x78\xb4\xf7\x84\x64\x66\xcc\x84\x60\x03\x80\xa0\x3c\x45\x8f\xa5\x60\x04\x00\xa5\x78\xcf\x35\xa5\x64\x75\x97\xa5\x60\xae\x5a\xc0\x3c\x19\x31\xc6\x60\x04\x00\xc6\x78\xa9\x6d\xc6\x64\x6f\x30\xc6\x60\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x12\x00\x00\x60\x24\x01\x00\x7c\x00\x00\xe0\x3f\x01\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x00\xff\x63\xa7\xff\xa0\x7e", 420); *(uint64_t*)0x200000015150 = 0x1a4; *(uint64_t*)0x200000015180 = 1; *(uint64_t*)0x200000015188 = 1; syz_kvm_setup_cpu(/*fd=*/r[20], /*cpufd=*/r[5], /*usermem=*/0x200000fe8000, /*text=*/0x200000015140, /*ntext=*/1, /*flags=*/0, /*opts=*/0x200000015180, /*nopt=*/1); break; case 38: syz_kvm_setup_syzos_vm(/*fd=*/r[5], /*usermem=*/0x200000c00000); break; case 39: *(uint32_t*)0x2000000151c0 = 1; syz_memcpy_off(/*ring_ptr=*/r[21], /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x2000000151c0, /*src_off=*/0, /*nbytes=*/4); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0xb704, /*arg=*/0x200000015280ul); if (res != -1) r[25] = *(uint32_t*)0x200000015280; break; case 41: memcpy((void*)0x200000015200, "adfs\000", 5); memcpy((void*)0x200000015240, "./file0\000", 8); memcpy((void*)0x2000000152c0, "gid", 3); *(uint8_t*)0x2000000152c3 = 0x3d; sprintf((char*)0x2000000152c4, "0x%016llx", (long long)r[16]); *(uint8_t*)0x2000000152d6 = 0x2c; memcpy((void*)0x2000000152d7, "uid", 3); *(uint8_t*)0x2000000152da = 0x3d; sprintf((char*)0x2000000152db, "0x%016llx", (long long)r[17]); *(uint8_t*)0x2000000152ed = 0x2c; memcpy((void*)0x2000000152ee, "uid", 3); *(uint8_t*)0x2000000152f1 = 0x3d; sprintf((char*)0x2000000152f2, "0x%016llx", (long long)r[13]); *(uint8_t*)0x200000015304 = 0x2c; memcpy((void*)0x200000015305, "othmask", 7); *(uint8_t*)0x20000001530c = 0x3d; sprintf((char*)0x20000001530d, "%023llo", (long long)7); *(uint8_t*)0x200000015324 = 0x2c; memcpy((void*)0x200000015325, "ftsuffix", 8); 
*(uint8_t*)0x20000001532d = 0x3d; sprintf((char*)0x20000001532e, "%020llu", (long long)0x100); *(uint8_t*)0x200000015342 = 0x2c; memcpy((void*)0x200000015343, "othmask", 7); *(uint8_t*)0x20000001534a = 0x3d; sprintf((char*)0x20000001534b, "%023llo", (long long)8); *(uint8_t*)0x200000015362 = 0x2c; memcpy((void*)0x200000015363, "fowner<", 7); sprintf((char*)0x20000001536a, "%020llu", (long long)r[25]); *(uint8_t*)0x20000001537e = 0x2c; memcpy((void*)0x20000001537f, "func", 4); *(uint8_t*)0x200000015383 = 0x3d; memcpy((void*)0x200000015384, "FIRMWARE_CHECK", 14); *(uint8_t*)0x200000015392 = 0x2c; memcpy((void*)0x200000015393, "smackfsdef", 10); *(uint8_t*)0x20000001539d = 0x3d; memset((void*)0x20000001539e, 0, 1); *(uint8_t*)0x20000001539f = 0x2c; memcpy((void*)0x2000000153a0, "hash", 4); *(uint8_t*)0x2000000153a4 = 0x2c; *(uint8_t*)0x2000000153a5 = 0; memcpy((void*)0x2000000153c0, "\x78\x9c\x6a\x9b\xe0\xf0\xd7\x80\xc9\x48\xed\x7f\x7b\xc9\xbd\xed\xdf\xf6\x00\x02\x00\x00\xff\xff\x38\xa7\x08\x1f", 28); syz_mount_image(/*fs=*/0x200000015200, /*dir=*/0x200000015240, /*flags=MS_PRIVATE|MS_NODIRATIME|MS_NODEV|MS_DIRSYNC*/0x40884, /*opts=*/0x2000000152c0, /*chdir=*/0, /*size=*/0x1c, /*img=*/0x2000000153c0); break; case 42: memcpy((void*)0x200000015400, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000015400, /*id=*/0xe, /*flags=__O_TMPFILE|O_TRUNC|O_NOFOLLOW*/0x420200); break; case 43: memcpy((void*)0x200000015440, "net/mcfilter6\000", 14); syz_open_procfs(/*pid=*/r[18], /*file=*/0x200000015440); break; case 44: syz_open_pts(/*fd=*/-1, /*flags=*/0); break; case 45: syz_pidfd_open(/*pid=*/r[8], /*flags=*/0); break; case 46: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[26] = res; break; case 47: syz_pkey_set(/*key=*/r[26], /*val=PKEY_DISABLE_WRITE*/2); break; case 48: memcpy((void*)0x200000015480, 
"\x78\x9c\x00\x43\x00\xbc\xff\x1a\xa5\x3b\x2d\x97\x22\x56\x58\x64\x62\x48\x11\x35\x5b\x94\xa0\xd2\xd7\x8d\x09\xd2\x09\x51\xdf\x3c\x2c\x1a\x49\x88\xca\x48\xd4\x52\x61\xcc\x47\x3e\x4f\x65\xf6\x76\xe4\xe9\xb3\x8c\xde\x4a\xab\xa0\x5c\x20\xea\x6f\x37\xa5\x29\x42\x97\xe2\xc2\xa7\x6d\x7e\x55\x2d\xca\xd8\x01\x00\x00\xff\xff\xd6\x63\x1f\xa5", 83); syz_read_part_table(/*size=*/0x53, /*img=*/0x200000015480); break; case 49: syz_socket_connect_nvme_tcp(); break; case 50: *(uint8_t*)0x200000015500 = 0x12; *(uint8_t*)0x200000015501 = 1; *(uint16_t*)0x200000015502 = 0x310; *(uint8_t*)0x200000015504 = 0x99; *(uint8_t*)0x200000015505 = 0x45; *(uint8_t*)0x200000015506 = 0xdf; *(uint8_t*)0x200000015507 = -1; *(uint16_t*)0x200000015508 = 0x19d2; *(uint16_t*)0x20000001550a = 0xfff8; *(uint16_t*)0x20000001550c = 0xcd35; *(uint8_t*)0x20000001550e = 1; *(uint8_t*)0x20000001550f = 2; *(uint8_t*)0x200000015510 = 3; *(uint8_t*)0x200000015511 = 1; *(uint8_t*)0x200000015512 = 9; *(uint8_t*)0x200000015513 = 2; *(uint16_t*)0x200000015514 = 0xd8d; *(uint8_t*)0x200000015516 = 4; *(uint8_t*)0x200000015517 = 0xc; *(uint8_t*)0x200000015518 = 0xd4; *(uint8_t*)0x200000015519 = 0xb0; *(uint8_t*)0x20000001551a = 8; *(uint8_t*)0x20000001551b = 9; *(uint8_t*)0x20000001551c = 4; *(uint8_t*)0x20000001551d = 5; *(uint8_t*)0x20000001551e = 0xe; *(uint8_t*)0x20000001551f = 6; *(uint8_t*)0x200000015520 = -1; *(uint8_t*)0x200000015521 = -1; *(uint8_t*)0x200000015522 = -1; *(uint8_t*)0x200000015523 = 5; *(uint8_t*)0x200000015524 = 0xa; *(uint8_t*)0x200000015525 = 0x24; *(uint8_t*)0x200000015526 = 2; *(uint8_t*)0x200000015527 = 2; *(uint16_t*)0x200000015528 = 0x82; *(uint16_t*)0x20000001552a = 0x97; *(uint8_t*)0x20000001552c = 9; *(uint8_t*)0x20000001552d = 9; *(uint8_t*)0x20000001552e = 7; *(uint8_t*)0x20000001552f = 0x24; *(uint8_t*)0x200000015530 = 1; *(uint8_t*)0x200000015531 = 0x91; *(uint8_t*)0x200000015532 = 0x10; *(uint16_t*)0x200000015533 = 1; *(uint8_t*)0x200000015535 = 0xa; *(uint8_t*)0x200000015536 = 
0x24; *(uint8_t*)0x200000015537 = 2; *(uint8_t*)0x200000015538 = 2; *(uint16_t*)0x200000015539 = 0x64; *(uint16_t*)0x20000001553b = 5; *(uint8_t*)0x20000001553d = 5; *(uint8_t*)0x20000001553e = 9; *(uint8_t*)0x20000001553f = 0xa; *(uint8_t*)0x200000015540 = 0x24; *(uint8_t*)0x200000015541 = 2; *(uint8_t*)0x200000015542 = 2; *(uint16_t*)0x200000015543 = 9; *(uint16_t*)0x200000015545 = 1; *(uint8_t*)0x200000015547 = 1; *(uint8_t*)0x200000015548 = 0x18; *(uint8_t*)0x200000015549 = 0xa; *(uint8_t*)0x20000001554a = 0x24; *(uint8_t*)0x20000001554b = 2; *(uint8_t*)0x20000001554c = 2; *(uint16_t*)0x20000001554d = 5; *(uint16_t*)0x20000001554f = 0x100; *(uint8_t*)0x200000015551 = 0; *(uint8_t*)0x200000015552 = 0x1f; *(uint8_t*)0x200000015553 = 0xa; *(uint8_t*)0x200000015554 = 0x24; *(uint8_t*)0x200000015555 = 2; *(uint8_t*)0x200000015556 = 2; *(uint16_t*)0x200000015557 = 0x200; *(uint16_t*)0x200000015559 = 2; *(uint8_t*)0x20000001555b = 6; *(uint8_t*)0x20000001555c = 6; *(uint8_t*)0x20000001555d = 9; *(uint8_t*)0x20000001555e = 0x24; *(uint8_t*)0x20000001555f = 2; *(uint8_t*)0x200000015560 = 1; *(uint8_t*)0x200000015561 = 0; *(uint8_t*)0x200000015562 = 9; *(uint8_t*)0x200000015563 = 4; *(uint8_t*)0x200000015564 = 1; *(uint8_t*)0x200000015565 = 0xdc; *(uint8_t*)0x200000015566 = 0xb; *(uint8_t*)0x200000015567 = 0x24; *(uint8_t*)0x200000015568 = 2; *(uint8_t*)0x200000015569 = 2; *(uint16_t*)0x20000001556a = 5; *(uint16_t*)0x20000001556c = 9; *(uint8_t*)0x20000001556e = 6; memcpy((void*)0x20000001556f, "\x42\xe9", 2); *(uint8_t*)0x200000015571 = 0x12; *(uint8_t*)0x200000015572 = 0x24; *(uint8_t*)0x200000015573 = 2; *(uint8_t*)0x200000015574 = 2; *(uint16_t*)0x200000015575 = 2; *(uint16_t*)0x200000015577 = 0xaecb; *(uint8_t*)0x200000015579 = 0; memcpy((void*)0x20000001557a, "\xe0\xff\x89\xcc\x39\xb2\x42\xb2\xb0", 9); *(uint8_t*)0x200000015583 = 7; *(uint8_t*)0x200000015584 = 0x24; *(uint8_t*)0x200000015585 = 1; *(uint8_t*)0x200000015586 = 0xc; *(uint8_t*)0x200000015587 = 2; 
*(uint16_t*)0x200000015588 = 2; *(uint8_t*)0x20000001558a = 9; *(uint8_t*)0x20000001558b = 5; *(uint8_t*)0x20000001558c = 1; *(uint8_t*)0x20000001558d = 0x1d; *(uint16_t*)0x20000001558e = 0x20; *(uint8_t*)0x200000015590 = 5; *(uint8_t*)0x200000015591 = 9; *(uint8_t*)0x200000015592 = 0xf; *(uint8_t*)0x200000015593 = 9; *(uint8_t*)0x200000015594 = 5; *(uint8_t*)0x200000015595 = 4; *(uint8_t*)0x200000015596 = 0x10; *(uint16_t*)0x200000015597 = 0x10; *(uint8_t*)0x200000015599 = 5; *(uint8_t*)0x20000001559a = 7; *(uint8_t*)0x20000001559b = 1; *(uint8_t*)0x20000001559c = 0x49; *(uint8_t*)0x20000001559d = 1; memcpy((void*)0x20000001559e, "\xbe\xdb\xdc\x40\xb6\x57\x91\x5a\xee\xa3\x6b\xef\xa7\x43\xbb\xf4\x76\xbb\xcc\x3a\x55\x77\x74\x37\xfd\x0c\x08\x62\xa5\x59\x1f\x0b\x80\x91\x62\x6c\x65\x64\xa6\x2b\x69\x95\xd0\xb1\xac\x34\x99\x5d\x44\x2d\xe5\x0d\x21\xf3\x0d\xa0\x8f\x64\xd3\xbb\x0e\x86\x08\x6e\x62\x96\x82\x16\xd8\xcb\xfe", 71); *(uint8_t*)0x2000000155e5 = 0xc; *(uint8_t*)0x2000000155e6 = 0xe; memcpy((void*)0x2000000155e7, "\x1c\xca\x42\xd0\xd4\xc1\x24\x78\xdb\xc7", 10); *(uint8_t*)0x2000000155f1 = 9; *(uint8_t*)0x2000000155f2 = 5; *(uint8_t*)0x2000000155f3 = 0xc; *(uint8_t*)0x2000000155f4 = 0xd; *(uint16_t*)0x2000000155f5 = 0x10; *(uint8_t*)0x2000000155f7 = 4; *(uint8_t*)0x2000000155f8 = 0xef; *(uint8_t*)0x2000000155f9 = 0xd; *(uint8_t*)0x2000000155fa = 9; *(uint8_t*)0x2000000155fb = 5; *(uint8_t*)0x2000000155fc = 0; *(uint8_t*)0x2000000155fd = 2; *(uint16_t*)0x2000000155fe = 0x40; *(uint8_t*)0x200000015600 = 1; *(uint8_t*)0x200000015601 = 0x92; *(uint8_t*)0x200000015602 = 1; *(uint8_t*)0x200000015603 = 7; *(uint8_t*)0x200000015604 = 0x25; *(uint8_t*)0x200000015605 = 1; *(uint8_t*)0x200000015606 = 8; *(uint8_t*)0x200000015607 = 0xf; *(uint16_t*)0x200000015608 = 9; *(uint8_t*)0x20000001560a = 0x9c; *(uint8_t*)0x20000001560b = 0x24; memcpy((void*)0x20000001560c, 
"\x94\x62\xe7\x8d\x67\xa7\x93\x83\x09\xf8\x93\x38\x8b\x58\x5f\x99\xed\x3c\xae\x5a\xeb\x24\x1e\x37\xea\xcc\x73\xfb\x04\x0b\x91\x7d\x69\x75\x87\xfd\x88\x85\xdc\xc8\x92\xbf\xee\x22\x87\x19\x88\xc7\x01\x88\xe9\xe8\x45\x46\xa7\x96\xe5\x6e\xa4\x83\x70\xdf\xca\x68\x9a\xaa\x0f\xfd\x08\x41\xc7\xe2\x8c\xbc\xec\xbc\x3b\xee\xb2\x54\xd9\x02\x49\x8d\xde\x37\x3f\x5e\x92\x09\x32\xac\xdf\x32\x22\xa5\x61\x17\x4a\x85\xce\x36\xd5\xf5\xc7\x09\x82\x9a\x04\x29\xf4\x8d\xe3\x26\x62\x11\xe3\x53\x22\x35\xca\xcb\x3a\x64\xff\xf3\xe3\x01\x82\xcd\x02\x7e\xa6\x60\xbc\xe2\x4c\xc1\x97\xbf\x35\x8f\x77\x95\x3c\x96\x4d\xe4\x53\x04\x16\x90\x7f\xa1", 154); *(uint8_t*)0x2000000156a6 = 9; *(uint8_t*)0x2000000156a7 = 5; *(uint8_t*)0x2000000156a8 = 6; *(uint8_t*)0x2000000156a9 = 0; *(uint16_t*)0x2000000156aa = 0x400; *(uint8_t*)0x2000000156ac = 4; *(uint8_t*)0x2000000156ad = 0; *(uint8_t*)0x2000000156ae = 6; *(uint8_t*)0x2000000156af = 9; *(uint8_t*)0x2000000156b0 = 5; *(uint8_t*)0x2000000156b1 = 0x1f; *(uint8_t*)0x2000000156b2 = 0xc; *(uint16_t*)0x2000000156b3 = 0x20; *(uint8_t*)0x2000000156b5 = 8; *(uint8_t*)0x2000000156b6 = 0x80; *(uint8_t*)0x2000000156b7 = 4; *(uint8_t*)0x2000000156b8 = 7; *(uint8_t*)0x2000000156b9 = 0x25; *(uint8_t*)0x2000000156ba = 1; *(uint8_t*)0x2000000156bb = 4; *(uint8_t*)0x2000000156bc = 0x40; *(uint16_t*)0x2000000156bd = 0xfff; *(uint8_t*)0x2000000156bf = 0x4a; *(uint8_t*)0x2000000156c0 = 9; memcpy((void*)0x2000000156c1, "\x13\xdf\x6f\x0c\x72\x3d\x23\x38\x80\xc0\x86\x9f\x46\xc9\x39\x9e\x14\x8e\xf0\xd9\x87\x29\x76\x35\xb6\xbf\x6f\x36\x9c\xbf\x8f\x07\xb3\x4b\x93\x76\xff\x57\xdc\xbd\xf2\x74\x65\xeb\x51\x53\xfb\x8d\xd7\xca\x2f\xab\x27\x37\xdd\x51\x5e\xde\xf1\xc9\x66\x91\x5e\x06\x76\xdb\x83\x1f\x2b\x91\x8d\x82", 72); *(uint8_t*)0x200000015709 = 9; *(uint8_t*)0x20000001570a = 4; *(uint8_t*)0x20000001570b = 0xe4; *(uint8_t*)0x20000001570c = 0xb; *(uint8_t*)0x20000001570d = 0xd; *(uint8_t*)0x20000001570e = -1; *(uint8_t*)0x20000001570f = 0xde; *(uint8_t*)0x200000015710 = 0x55; 
*(uint8_t*)0x200000015711 = 3; *(uint8_t*)0x200000015712 = 0xa; *(uint8_t*)0x200000015713 = 0x24; *(uint8_t*)0x200000015714 = 1; *(uint16_t*)0x200000015715 = 3; *(uint16_t*)0x200000015717 = 0xa; *(uint8_t*)0x200000015719 = 2; *(uint8_t*)0x20000001571a = 1; *(uint8_t*)0x20000001571b = 2; *(uint8_t*)0x20000001571c = 9; *(uint8_t*)0x20000001571d = 5; *(uint8_t*)0x20000001571e = 1; *(uint8_t*)0x20000001571f = 3; *(uint16_t*)0x200000015720 = 0x20; *(uint8_t*)0x200000015722 = 1; *(uint8_t*)0x200000015723 = 0x66; *(uint8_t*)0x200000015724 = 7; *(uint8_t*)0x200000015725 = 0x8c; *(uint8_t*)0x200000015726 = 0x23; memcpy((void*)0x200000015727, "\xc3\x44\xbd\x7f\x69\x0e\x11\x22\xd6\x52\x4c\xcd\x02\x57\xc1\x18\x5e\x61\xc3\xab\x3c\xcb\x36\x6e\xf9\x03\x7a\x58\x03\x54\x18\x72\x8d\x9a\xab\x96\x71\x7e\x22\x0d\x72\x20\xfb\x96\x4b\x7e\x92\x8d\x75\xef\x45\x85\x91\x31\x15\x90\x97\xfa\x85\xb2\xd2\x4e\xeb\x7f\xc5\x90\xe0\x48\xeb\x1b\xa8\x30\xac\x34\x3b\xfd\x9a\x3c\x32\xdf\xc9\x3f\xad\xcb\x90\xf9\x3a\x63\xc7\x37\x83\x4f\x5e\x2d\x4e\x73\x68\xe0\x2e\xc5\xf2\x10\x6b\xef\x93\x5e\x5e\x74\xc3\xe7\xd2\xd3\xd1\x6e\xbf\xfa\x13\xa8\x29\x49\x9d\xa4\x42\xf0\x17\x26\xd0\x7a\x33\x8f\xeb\x61\x2c\x3b\x6e\x51\x93\xb8", 138); *(uint8_t*)0x2000000157b1 = 9; *(uint8_t*)0x2000000157b2 = 5; *(uint8_t*)0x2000000157b3 = 1; *(uint8_t*)0x2000000157b4 = 0xc; *(uint16_t*)0x2000000157b5 = 0x10; *(uint8_t*)0x2000000157b7 = 6; *(uint8_t*)0x2000000157b8 = 0x73; *(uint8_t*)0x2000000157b9 = 2; *(uint8_t*)0x2000000157ba = 9; *(uint8_t*)0x2000000157bb = 5; *(uint8_t*)0x2000000157bc = 0xe; *(uint8_t*)0x2000000157bd = 1; *(uint16_t*)0x2000000157be = 0x40; *(uint8_t*)0x2000000157c0 = 0; *(uint8_t*)0x2000000157c1 = 0; *(uint8_t*)0x2000000157c2 = 0xe; *(uint8_t*)0x2000000157c3 = 7; *(uint8_t*)0x2000000157c4 = 0x25; *(uint8_t*)0x2000000157c5 = 1; *(uint8_t*)0x2000000157c6 = 8; *(uint8_t*)0x2000000157c7 = 8; *(uint16_t*)0x2000000157c8 = 0x9df1; *(uint8_t*)0x2000000157ca = 7; *(uint8_t*)0x2000000157cb = 0x25; 
*(uint8_t*)0x2000000157cc = 1; *(uint8_t*)0x2000000157cd = 4; *(uint8_t*)0x2000000157ce = 3; *(uint16_t*)0x2000000157cf = 0x84; *(uint8_t*)0x2000000157d1 = 9; *(uint8_t*)0x2000000157d2 = 5; *(uint8_t*)0x2000000157d3 = 7; *(uint8_t*)0x2000000157d4 = 0x10; *(uint16_t*)0x2000000157d5 = 8; *(uint8_t*)0x2000000157d7 = 0xd; *(uint8_t*)0x2000000157d8 = 6; *(uint8_t*)0x2000000157d9 = 6; *(uint8_t*)0x2000000157da = 0x9c; *(uint8_t*)0x2000000157db = 0x11; memcpy((void*)0x2000000157dc, "\x61\xc2\xc5\x81\xbc\xf0\xdc\x3a\x09\xec\x54\x65\xd8\xb3\x95\x93\xb5\x1c\xb5\x68\xad\x67\xbf\x21\x9f\x28\xa6\x37\xf8\xb8\xf3\xaa\xe7\xb6\xcf\x31\x06\x9d\xa5\x51\xc5\xd9\x0a\x29\x7a\xb0\xcf\xed\xa5\x43\xa0\xf7\x62\xc8\x18\x5b\xab\xc4\x3a\x4c\x9b\xb3\xb0\x95\xc0\xee\x13\x96\xf8\xb1\xfd\x62\x19\xb3\x16\x13\xb7\x56\x0d\x30\x9f\x17\x3c\x80\x67\x3f\xb0\x85\x29\xfc\x8f\x17\x52\x91\xf9\x98\x56\xaf\x19\x8c\xf4\x7a\x32\xc7\x6d\xf6\xbe\x44\x94\x93\xe5\xa6\x6e\xb4\x66\x4b\x84\x22\x6c\xa1\xe2\xc8\xf2\x02\x9a\xde\x7d\x75\x31\x6b\x10\x4a\x34\x80\xfb\xf7\xd4\x50\x9d\x74\x8c\x36\xf6\x59\xf8\xf5\x27\x43\xfd\x07\x7f\xc7\xdf\x42", 154); *(uint8_t*)0x200000015876 = 0x4e; *(uint8_t*)0x200000015877 = 4; memcpy((void*)0x200000015878, "\x57\xfa\xd1\x47\xfa\x12\xcd\x27\x89\x6e\x4e\x92\xba\x1a\xd4\x05\x8c\x8d\x43\xec\x21\x50\xd8\x73\x2f\xc5\xae\x10\x5a\x17\x4e\xd8\x39\x42\xdc\xb7\x9a\x05\xb1\x0f\xd4\x95\x7d\xbc\x1a\xc0\x27\xa2\xdf\x57\x28\xb2\xb2\xbb\x9b\x5b\xc5\x1f\x9a\x8c\x88\xe9\xfa\x85\x11\x38\xc7\xcd\xd7\x62\x66\x41\x91\x1c\xbe\x0c", 76); *(uint8_t*)0x2000000158c4 = 9; *(uint8_t*)0x2000000158c5 = 5; *(uint8_t*)0x2000000158c6 = 0; *(uint8_t*)0x2000000158c7 = 0xc; *(uint16_t*)0x2000000158c8 = 8; *(uint8_t*)0x2000000158ca = 8; *(uint8_t*)0x2000000158cb = 0x20; *(uint8_t*)0x2000000158cc = 0xc; *(uint8_t*)0x2000000158cd = 7; *(uint8_t*)0x2000000158ce = 0x25; *(uint8_t*)0x2000000158cf = 1; *(uint8_t*)0x2000000158d0 = 4; *(uint8_t*)0x2000000158d1 = 6; *(uint16_t*)0x2000000158d2 = 0x101; *(uint8_t*)0x2000000158d4 = 7; 
*(uint8_t*)0x2000000158d5 = 0x25; *(uint8_t*)0x2000000158d6 = 1; *(uint8_t*)0x2000000158d7 = 8; *(uint8_t*)0x2000000158d8 = 0xfd; *(uint16_t*)0x2000000158d9 = 2; *(uint8_t*)0x2000000158db = 9; *(uint8_t*)0x2000000158dc = 5; *(uint8_t*)0x2000000158dd = 0xb; *(uint8_t*)0x2000000158de = 0xc; *(uint16_t*)0x2000000158df = 0x10; *(uint8_t*)0x2000000158e1 = 0xf0; *(uint8_t*)0x2000000158e2 = 3; *(uint8_t*)0x2000000158e3 = 9; *(uint8_t*)0x2000000158e4 = 9; *(uint8_t*)0x2000000158e5 = 5; *(uint8_t*)0x2000000158e6 = 2; *(uint8_t*)0x2000000158e7 = 2; *(uint16_t*)0x2000000158e8 = 0x7b7; *(uint8_t*)0x2000000158ea = 9; *(uint8_t*)0x2000000158eb = 2; *(uint8_t*)0x2000000158ec = 0x78; *(uint8_t*)0x2000000158ed = 7; *(uint8_t*)0x2000000158ee = 0x25; *(uint8_t*)0x2000000158ef = 1; *(uint8_t*)0x2000000158f0 = 4; *(uint8_t*)0x2000000158f1 = 2; *(uint16_t*)0x2000000158f2 = 0x6e8; *(uint8_t*)0x2000000158f4 = 9; *(uint8_t*)0x2000000158f5 = 5; *(uint8_t*)0x2000000158f6 = 0xe; *(uint8_t*)0x2000000158f7 = 0; *(uint16_t*)0x2000000158f8 = 8; *(uint8_t*)0x2000000158fa = 0xb6; *(uint8_t*)0x2000000158fb = 0x47; *(uint8_t*)0x2000000158fc = 1; *(uint8_t*)0x2000000158fd = 0xea; *(uint8_t*)0x2000000158fe = 0xd; memcpy((void*)0x2000000158ff, 
"\xd7\xee\xf8\xad\xff\x59\x3f\xef\x60\x12\x57\xeb\x29\xf1\x12\x3c\x0f\x04\xcf\x50\xd2\xf0\x65\xa5\x2a\xb8\x35\xd4\x04\x54\xac\x46\xb6\x63\x87\x38\xe9\x75\x3c\x66\x06\x2b\x76\xd4\x57\xd6\xb3\x63\xf7\xb7\x63\x4f\xea\xac\x71\x9c\x3e\x90\x0c\xce\xb8\xd9\x69\x21\x0b\x57\x3a\x62\xd4\x51\x64\x98\xd5\x98\xa6\x1e\x6f\xa5\xbb\xd0\xfd\x38\x6f\x9f\x1d\x7a\xfe\xf4\xdd\xbe\x39\x49\x5d\x6e\x55\x5d\x24\x55\x5b\xf1\xbf\xfe\x21\xfc\x47\x2a\xb2\xa8\xd5\xd0\xf8\xa6\x11\xab\x5a\x46\xae\x9b\x23\xbb\x6a\x6b\x36\x39\x46\xda\xfb\xb2\xe7\x41\xd3\x4f\xe4\x56\xf5\x81\x63\x32\xd7\x2d\x43\x5f\xbd\x1f\xae\x47\x63\x32\x5d\xac\x58\xc2\xde\x0a\x67\x27\x7e\x2d\x74\xfe\xf5\xd8\xba\x6d\xe1\x7c\x31\xd5\xc7\xfb\x01\xa1\x3d\x3b\xf0\x0c\x31\x13\x41\x6b\x72\xb3\xe2\xe0\xb8\x0b\x4a\xb9\xcd\xa7\x7d\x2d\xe3\xed\x36\x8f\xab\x48\x41\xfd\x62\xac\xf6\x6e\x43\x21\x21\xb5\xf5\xd7\xc8\xc0\x36\x66\x0d\x7a\x35\x10\x33\x15\x5e\x3e\xef\x2f\xf2\x0f\x2a\xed\x82\x41\xd1\x76", 232); *(uint8_t*)0x2000000159e7 = 9; *(uint8_t*)0x2000000159e8 = 5; *(uint8_t*)0x2000000159e9 = 0xe; *(uint8_t*)0x2000000159ea = 3; *(uint16_t*)0x2000000159eb = 0x200; *(uint8_t*)0x2000000159ed = -1; *(uint8_t*)0x2000000159ee = 0x62; *(uint8_t*)0x2000000159ef = 5; *(uint8_t*)0x2000000159f0 = 0x55; *(uint8_t*)0x2000000159f1 = 0x23; memcpy((void*)0x2000000159f2, "\xd5\x22\xb5\x6c\x6d\xde\x6a\x69\x8a\x23\xe1\x0e\x4f\xc0\x79\x8f\x87\xc9\x46\xfa\x28\x48\xc7\x17\xa9\xa3\x31\x38\xfd\xb3\x47\x57\x93\xc1\xb4\xd1\x72\x2b\x3b\xcc\x36\x38\x4d\x25\x89\xa2\x7e\x5f\x22\xb2\x89\x72\x7e\x23\xf0\x39\xff\xdf\x2a\xb2\x5d\xa6\x2c\x09\x2e\xd0\x1c\xb1\x51\xb0\xad\x8b\xa7\x75\x8c\x32\xab\xd0\x7f\x79\x51\x4e\xba", 83); *(uint8_t*)0x200000015a45 = 0x96; *(uint8_t*)0x200000015a46 = 8; memcpy((void*)0x200000015a47, 
"\x70\xf4\xe5\xb8\x33\x74\xf7\xb0\xde\x44\xec\x45\x10\x5a\xc3\x14\x02\x14\x0e\x17\x62\x14\x64\x1e\x37\x97\xba\x0a\xea\x40\x13\xe3\xe7\xc2\x87\x1f\x78\x52\x8a\x25\x6a\x22\x49\xdc\xad\x68\x4f\xd5\x77\xa4\x28\xa1\x4f\x44\x6c\xe9\xd7\xde\x49\x36\x4a\xa1\x63\xc6\x8d\xd1\xe4\xe2\x0c\x0a\xa9\x8a\x26\x35\x47\xf0\x7d\xae\x9c\x3e\x45\xff\xec\x5b\xdc\xcf\xb9\x0b\x1a\xd9\x05\x4d\xa6\x28\x66\x62\x6b\xfb\xc3\x94\xa1\xe9\xae\xc6\xb3\x00\x42\x0a\x61\x67\xe6\xe6\xef\x43\x96\xdf\xfb\x6b\xfc\x18\xd3\xb2\x53\x77\x89\x27\x04\x23\x86\x75\x35\xf7\x5b\x14\x54\xcc\x3b\x8a\x6a\xef\x5b\x65\xb9\x77\x41\x39\xad\xcf", 148); *(uint8_t*)0x200000015adb = 9; *(uint8_t*)0x200000015adc = 5; *(uint8_t*)0x200000015add = 0xc; *(uint8_t*)0x200000015ade = 0x10; *(uint16_t*)0x200000015adf = 0x20; *(uint8_t*)0x200000015ae1 = 8; *(uint8_t*)0x200000015ae2 = 1; *(uint8_t*)0x200000015ae3 = 8; *(uint8_t*)0x200000015ae4 = 9; *(uint8_t*)0x200000015ae5 = 5; *(uint8_t*)0x200000015ae6 = 0xd; *(uint8_t*)0x200000015ae7 = 0x10; *(uint16_t*)0x200000015ae8 = 0x400; *(uint8_t*)0x200000015aea = 3; *(uint8_t*)0x200000015aeb = 0x6d; *(uint8_t*)0x200000015aec = 7; *(uint8_t*)0x200000015aed = 0x85; *(uint8_t*)0x200000015aee = 0xe; memcpy((void*)0x200000015aef, "\x1a\x54\xb4\xa0\x79\x76\xe1\x6c\xec\x50\x7f\x7c\xfe\x00\xc9\x35\x99\xf9\xfd\xef\xaf\x8b\xf8\x6c\xb9\xae\x60\xf5\xe7\x42\x6c\x78\xb3\xe0\x1c\xc8\xca\xb0\xaa\xf0\x9d\xeb\xba\xcd\x78\x5c\x9d\xe3\xbb\x89\x55\x1d\x0a\x24\x1f\x2d\x65\x83\x0f\x53\x64\x75\x49\x91\xfe\xea\xd8\x7f\xe8\xc8\xb9\x28\xac\x16\x85\x3a\xe9\x59\xea\xc2\x7b\x59\xcc\xc8\x6d\x22\x44\x2c\xa6\x29\xd1\x20\xb1\xa0\x9c\xf1\x41\x84\xa9\xc4\x87\x3f\x74\xae\x74\x82\x01\xf5\xf4\xe6\x49\xe3\x72\x4c\x7d\xdb\x89\xf4\x58\x47\x2b\x28\x5f\x9c\x10\xea\x40\x39\x3f\x30\x60", 131); *(uint8_t*)0x200000015b72 = 9; *(uint8_t*)0x200000015b73 = 5; *(uint8_t*)0x200000015b74 = 9; *(uint8_t*)0x200000015b75 = 0; *(uint16_t*)0x200000015b76 = 8; *(uint8_t*)0x200000015b78 = 0xa; *(uint8_t*)0x200000015b79 = 7; *(uint8_t*)0x200000015b7a = 
2; *(uint8_t*)0x200000015b7b = 7; *(uint8_t*)0x200000015b7c = 0x25; *(uint8_t*)0x200000015b7d = 1; *(uint8_t*)0x200000015b7e = 0; *(uint8_t*)0x200000015b7f = 4; *(uint16_t*)0x200000015b80 = 0x4fb3; *(uint8_t*)0x200000015b82 = 9; *(uint8_t*)0x200000015b83 = 5; *(uint8_t*)0x200000015b84 = 7; *(uint8_t*)0x200000015b85 = 0x10; *(uint16_t*)0x200000015b86 = 0x3ff; *(uint8_t*)0x200000015b88 = 1; *(uint8_t*)0x200000015b89 = 0x88; *(uint8_t*)0x200000015b8a = 6; *(uint8_t*)0x200000015b8b = 9; *(uint8_t*)0x200000015b8c = 4; *(uint8_t*)0x200000015b8d = 0x10; *(uint8_t*)0x200000015b8e = 8; *(uint8_t*)0x200000015b8f = 0x10; *(uint8_t*)0x200000015b90 = -1; *(uint8_t*)0x200000015b91 = 0x5d; *(uint8_t*)0x200000015b92 = 0x81; *(uint8_t*)0x200000015b93 = 3; *(uint8_t*)0x200000015b94 = 0xb7; *(uint8_t*)0x200000015b95 = 0; memcpy((void*)0x200000015b96, "\xbe\xa8\xfd\xb5\x0e\x62\x4b\x76\x3d\xdd\xda\xf5\xed\x85\xd8\x17\x0c\xa8\x58\xcf\x74\xac\x67\x8e\xb5\x4d\x20\x45\xe5\xfb\xb2\x77\x21\x40\xe2\xcf\x18\x95\xcb\x69\x3a\x91\x4f\xfb\x89\x1c\xd2\xc9\x0d\x48\x27\xbc\xd3\x43\x59\xd7\x01\x07\x46\x2e\xad\x88\x9a\x6e\x4e\xd6\x96\x89\x35\xa8\x1a\x14\x7a\xc0\xcc\xc8\x1c\x38\xd6\x2d\x6a\x84\xcf\x50\x45\x52\xec\x37\xd6\x09\xb5\x47\x50\x18\xbd\xa1\x24\xc0\x9e\xa9\xf2\x13\x03\x86\x5f\xe4\x64\xab\xc3\x8c\xd8\x4a\xe4\x2d\xe3\x3e\x46\x91\x12\x7e\x2b\x85\x53\x83\x7d\x58\xcd\xa5\x1f\x11\xa0\x5a\x15\x38\xec\xff\x55\xe9\x0f\x34\xa1\xc5\x66\xc2\x34\xc0\x06\xd0\x0b\x50\xb4\xb2\x9e\x49\xb8\xd0\x90\xf5\xa2\x74\xae\x37\xe0\x3e\x49\x68\x2c\x44\xc2\xb1\xd9\xdb\x62\xf6\x32\x33\xf9\x67\x0c\xb2\xac", 181); *(uint8_t*)0x200000015c4b = 9; *(uint8_t*)0x200000015c4c = 5; *(uint8_t*)0x200000015c4d = 0xc; *(uint8_t*)0x200000015c4e = 0x10; *(uint16_t*)0x200000015c4f = 0x40; *(uint8_t*)0x200000015c51 = 9; *(uint8_t*)0x200000015c52 = 8; *(uint8_t*)0x200000015c53 = 2; *(uint8_t*)0x200000015c54 = 9; *(uint8_t*)0x200000015c55 = 5; *(uint8_t*)0x200000015c56 = 6; *(uint8_t*)0x200000015c57 = 2; *(uint16_t*)0x200000015c58 = 8; 
*(uint8_t*)0x200000015c5a = 3; *(uint8_t*)0x200000015c5b = 0x18; *(uint8_t*)0x200000015c5c = 0x1c; *(uint8_t*)0x200000015c5d = 0xf6; *(uint8_t*)0x200000015c5e = 0xc; memcpy((void*)0x200000015c5f, "\xd7\x72\x97\x11\x23\x6e\xb7\x89\x69\x91\xe6\xff\xe3\xdd\x76\x22\xe9\x6e\x2e\x7d\x17\x60\xab\x64\x52\x47\x2b\xba\xc1\xd0\x68\x61\xd9\xd4\x9e\x41\x00\x60\x6a\x22\x7d\x34\x2c\x61\x75\x94\x5a\xde\x9c\xc3\xf4\x6e\xc4\x62\x7f\x92\xca\xa5\xd7\x32\x27\xfa\xe7\xa3\x60\xd2\x5f\xac\x9e\x57\x44\x07\x3f\x0c\x05\x4c\x9a\x5b\x82\x58\xdd\x27\x9b\x73\x68\x76\x58\x4b\x90\x4d\x94\x3b\x23\xc2\x6d\x9e\x6b\xc2\xdd\x3b\x98\xf3\x62\x44\x15\x8c\x76\x0f\x0b\xf9\x75\x02\x91\x42\xb3\xf5\x8b\xb6\x3e\xc3\x76\xd7\xf5\xd9\x61\x18\x20\xd3\x80\xef\xd7\xde\x61\x63\xac\x8d\xc2\x71\x44\xe2\x1d\x92\xc9\x3f\xfe\xcc\x2d\x8c\x7b\x3b\xc5\xea\xd1\x81\x86\x3c\xd9\x6a\x0a\xbf\x28\x89\xeb\x10\xb6\x87\x91\x3f\xa8\x21\x4b\x89\xde\x11\xf5\x2b\x7d\x19\x36\xad\x9c\x1c\x45\xda\x86\xa1\x5e\x86\xb6\xc9\x06\x02\x91\xd8\x5b\x48\xeb\xc2\x34\x4d\xb8\xad\x8c\xc5\x2f\x79\xd4\xf0\x37\x7a\x89\x3b\x3d\xa6\x1c\xfc\x15\x13\xd2\xba\x95\x36\xd6\x19\x0d\xe8\x86\xa2\xd1\x8f\xf8\xab\x1f\x46\x3f\x15\x47\x1d\x7f\x96\xdc\x92\xd0\xac", 244); *(uint8_t*)0x200000015d53 = 9; *(uint8_t*)0x200000015d54 = 5; *(uint8_t*)0x200000015d55 = 7; *(uint8_t*)0x200000015d56 = 4; *(uint16_t*)0x200000015d57 = 0x20; *(uint8_t*)0x200000015d59 = 9; *(uint8_t*)0x200000015d5a = 2; *(uint8_t*)0x200000015d5b = 0x37; *(uint8_t*)0x200000015d5c = 9; *(uint8_t*)0x200000015d5d = 5; *(uint8_t*)0x200000015d5e = 0xf; *(uint8_t*)0x200000015d5f = 0x12; *(uint16_t*)0x200000015d60 = 8; *(uint8_t*)0x200000015d62 = 0xd; *(uint8_t*)0x200000015d63 = 6; *(uint8_t*)0x200000015d64 = 0xf; *(uint8_t*)0x200000015d65 = 0x40; *(uint8_t*)0x200000015d66 = 5; memcpy((void*)0x200000015d67, 
"\x71\xaf\xb2\x61\x7a\x61\xe7\x55\x29\xdd\xe0\xf3\x2f\xa6\xca\x4b\x85\x7a\x84\xb3\x12\x0b\x93\x61\x68\x64\x2c\x34\x04\x8f\x29\x2f\xc2\x7a\x3a\x8f\x1f\x74\x58\x0c\xdc\x36\xe9\xa4\x0b\x4f\xf6\x92\xf1\x32\x24\xb9\x14\xa8\x9f\xb7\x30\x85\x79\x3a\x5c\x22", 62); *(uint8_t*)0x200000015da5 = 9; *(uint8_t*)0x200000015da6 = 5; *(uint8_t*)0x200000015da7 = 0xd; *(uint8_t*)0x200000015da8 = 0xc; *(uint16_t*)0x200000015da9 = 0xf5f1; *(uint8_t*)0x200000015dab = 4; *(uint8_t*)0x200000015dac = 1; *(uint8_t*)0x200000015dad = 0; *(uint8_t*)0x200000015dae = 0x50; *(uint8_t*)0x200000015daf = 3; memcpy((void*)0x200000015db0, "\x17\xff\xd4\x73\xba\x28\xc3\x60\x59\x1f\x57\x1d\xc6\x0f\x13\x24\xd4\xa3\x4a\xb8\xd9\xd3\xc0\x68\x6c\x13\xa6\x1b\xda\x24\x64\xe1\x63\x54\x23\xeb\xf4\xed\x34\x03\x7b\xab\x62\xfd\x30\xa8\xdd\x0a\x89\xf1\xbc\xbf\xf3\xaf\x4f\x0c\x98\x9d\xdb\x6f\x03\x76\x0a\xe7\x6f\x63\xff\xdc\xbf\xbb\xfe\xe9\xa1\x35\x25\x73\x14\xaa", 78); *(uint8_t*)0x200000015dfe = 9; *(uint8_t*)0x200000015dff = 5; *(uint8_t*)0x200000015e00 = 6; *(uint8_t*)0x200000015e01 = 0; *(uint16_t*)0x200000015e02 = 8; *(uint8_t*)0x200000015e04 = 0x2d; *(uint8_t*)0x200000015e05 = 0x10; *(uint8_t*)0x200000015e06 = 0xba; *(uint8_t*)0x200000015e07 = 9; *(uint8_t*)0x200000015e08 = 5; *(uint8_t*)0x200000015e09 = 0xe; *(uint8_t*)0x200000015e0a = 0; *(uint16_t*)0x200000015e0b = 0x10; *(uint8_t*)0x200000015e0d = 8; *(uint8_t*)0x200000015e0e = 7; *(uint8_t*)0x200000015e0f = 0xac; *(uint8_t*)0x200000015e10 = 9; *(uint8_t*)0x200000015e11 = 5; *(uint8_t*)0x200000015e12 = 0xa; *(uint8_t*)0x200000015e13 = 8; *(uint16_t*)0x200000015e14 = 0x20; *(uint8_t*)0x200000015e16 = 9; *(uint8_t*)0x200000015e17 = 0x7c; *(uint8_t*)0x200000015e18 = 1; *(uint8_t*)0x200000015e19 = 7; *(uint8_t*)0x200000015e1a = 0x25; *(uint8_t*)0x200000015e1b = 1; *(uint8_t*)0x200000015e1c = 8; *(uint8_t*)0x200000015e1d = 9; *(uint16_t*)0x200000015e1e = 4; *(uint8_t*)0x200000015e20 = 9; *(uint8_t*)0x200000015e21 = 5; *(uint8_t*)0x200000015e22 = 0xb; 
*(uint8_t*)0x200000015e23 = 0x10; *(uint16_t*)0x200000015e24 = 0x3ff; *(uint8_t*)0x200000015e26 = 1; *(uint8_t*)0x200000015e27 = 4; *(uint8_t*)0x200000015e28 = 0xbd; *(uint8_t*)0x200000015e29 = 9; *(uint8_t*)0x200000015e2a = 5; *(uint8_t*)0x200000015e2b = 7; *(uint8_t*)0x200000015e2c = 3; *(uint16_t*)0x200000015e2d = 0x20; *(uint8_t*)0x200000015e2f = 6; *(uint8_t*)0x200000015e30 = 0xf; *(uint8_t*)0x200000015e31 = 0xe; *(uint8_t*)0x200000015e32 = 9; *(uint8_t*)0x200000015e33 = 5; *(uint8_t*)0x200000015e34 = 0xd; *(uint8_t*)0x200000015e35 = 0x10; *(uint16_t*)0x200000015e36 = 0x7f7; *(uint8_t*)0x200000015e38 = 4; *(uint8_t*)0x200000015e39 = 0x1c; *(uint8_t*)0x200000015e3a = 1; *(uint8_t*)0x200000015e3b = 9; *(uint8_t*)0x200000015e3c = 5; *(uint8_t*)0x200000015e3d = 0; *(uint8_t*)0x200000015e3e = 0; *(uint16_t*)0x200000015e3f = 0x5f33; *(uint8_t*)0x200000015e41 = 0x40; *(uint8_t*)0x200000015e42 = 6; *(uint8_t*)0x200000015e43 = 0x81; *(uint8_t*)0x200000015e44 = 0x54; *(uint8_t*)0x200000015e45 = 9; memcpy((void*)0x200000015e46, "\x22\xa0\x3d\x11\x7e\xdd\x7f\xf8\x02\xcd\xb5\x09\xb4\x9c\xf0\x7b\x18\x84\xa5\xd0\x6a\x28\x72\xff\xdd\x1f\x6a\x97\x4c\x05\x74\x87\x1d\x68\xb2\xfd\x80\xb9\xdd\xe5\x57\xda\x7e\xec\x4d\x7f\x27\x78\xa5\xc3\xa4\xbb\xef\x51\x9d\x15\x8a\x59\xf1\x52\xfe\x19\xf5\x98\xe4\x33\x60\xf8\xa2\x4a\xa9\x73\xc5\x6f\x46\xc4\xa6\x8a\x27\x3a\x1f\xc4", 82); *(uint8_t*)0x200000015e98 = 9; *(uint8_t*)0x200000015e99 = 5; *(uint8_t*)0x200000015e9a = 0xf; *(uint8_t*)0x200000015e9b = 0x10; *(uint16_t*)0x200000015e9c = 8; *(uint8_t*)0x200000015e9e = 5; *(uint8_t*)0x200000015e9f = 0x38; *(uint8_t*)0x200000015ea0 = 1; *(uint8_t*)0x200000015ea1 = 9; *(uint8_t*)0x200000015ea2 = 5; *(uint8_t*)0x200000015ea3 = 4; *(uint8_t*)0x200000015ea4 = 0x10; *(uint16_t*)0x200000015ea5 = 0x10; *(uint8_t*)0x200000015ea7 = 4; *(uint8_t*)0x200000015ea8 = 2; *(uint8_t*)0x200000015ea9 = 7; *(uint8_t*)0x200000015eaa = 0xda; *(uint8_t*)0x200000015eab = 0x26; memcpy((void*)0x200000015eac, 
"\x32\x16\x2d\x9c\xff\xd7\x54\x8d\xdc\x15\x24\xc6\x65\x1f\xa1\x12\xcb\x83\x99\xeb\x7d\xaa\x74\x6a\xf4\xa3\xf4\x58\x15\x9b\xd8\xa4\x87\xda\xde\x32\x17\xae\x32\x24\x61\x5d\x50\xba\x56\x43\x30\x19\x52\xfd\xd0\x82\xab\x52\xf6\x4e\xb3\x8b\xdd\xcf\x02\xb0\x67\x28\xa3\xbf\x4f\x73\xd3\xb7\x80\xa3\xa5\x80\x4b\xad\x04\xec\xc2\x27\x87\x69\x0f\x67\x25\x76\x74\xf7\x28\xb1\x02\x31\xba\x2d\xb8\x3c\xb4\xeb\x84\x1e\x55\x23\xeb\x43\xf3\x48\x2d\x3e\xc3\x3c\xb8\x18\x7b\x87\xaa\x08\xa2\x1e\x94\xe0\x39\x4a\x1e\xe8\xd8\xf0\xcc\x08\x89\x10\xab\xa4\xdb\xe5\xfe\xef\xc2\x45\x38\x0f\xf1\x44\x3e\x3a\x97\xbd\x4d\x5a\xdd\xd0\x1f\x11\x26\xd4\xb7\x0a\xbc\xbb\xe1\x40\x71\x6a\x1c\x66\xda\xc6\x1f\x66\x51\x4f\xce\xbe\x67\x64\x7b\x43\xbb\xd8\xe8\x48\x33\x3f\xf9\x95\x7e\xba\xac\xe9\xd0\x57\xb6\x27\xa6\x67\xe6\xf5\x1d\xae\xac\x30\x2b\x21\x29\xc2\x6d\x41\x5b\xc9\xa2\xee\x74\x95\xb3\x31\xb7\xda", 216); *(uint8_t*)0x200000015f84 = 7; *(uint8_t*)0x200000015f85 = 0x25; *(uint8_t*)0x200000015f86 = 1; *(uint8_t*)0x200000015f87 = 0; *(uint8_t*)0x200000015f88 = 7; *(uint16_t*)0x200000015f89 = 1; *(uint8_t*)0x200000015f8b = 9; *(uint8_t*)0x200000015f8c = 5; *(uint8_t*)0x200000015f8d = 3; *(uint8_t*)0x200000015f8e = 1; *(uint16_t*)0x200000015f8f = 0x40; *(uint8_t*)0x200000015f91 = 8; *(uint8_t*)0x200000015f92 = 7; *(uint8_t*)0x200000015f93 = 5; *(uint8_t*)0x200000015f94 = 9; *(uint8_t*)0x200000015f95 = 5; *(uint8_t*)0x200000015f96 = 0xb; *(uint8_t*)0x200000015f97 = 0x10; *(uint16_t*)0x200000015f98 = 0x40; *(uint8_t*)0x200000015f9a = 0xfe; *(uint8_t*)0x200000015f9b = 0; *(uint8_t*)0x200000015f9c = 0xd; *(uint8_t*)0x200000015f9d = 0xe1; *(uint8_t*)0x200000015f9e = 0x24; memcpy((void*)0x200000015f9f, 
"\x66\xc9\x68\xf6\x7f\x56\xd0\xab\x89\xd6\x81\x9c\x67\xd1\xd6\xc2\x15\xd2\xf3\xcf\x61\x5b\x37\x02\x8d\xb2\x69\xd9\x36\x08\xcd\xf0\x70\x41\x18\xe0\xdd\xbf\x97\x16\x6c\x27\xaf\xb5\x1a\x13\x2c\xd7\x0f\x0f\xa3\xb7\xad\x5e\xe3\xa4\x41\x02\x7a\x74\x12\x27\x81\xab\x0f\x1c\xe5\xfe\x7b\xd1\x15\x3c\x8f\xfc\xcd\x3e\xf1\x09\x21\x3f\x20\xd2\xba\xfd\x0e\x33\x1a\xbc\x5c\xd1\xfb\x54\x80\x9a\x06\xc8\xfa\x60\xa9\xf0\xfc\x8e\x11\x3f\x31\x8c\x3a\x7f\x7b\xc6\xfa\xbe\x19\x30\x94\xec\x49\x3d\x24\x6c\xbd\x70\x2b\xf0\x19\x79\x6a\x88\x72\xb3\xc4\x02\x34\xd8\xe9\x07\x31\xb2\xdf\xf8\x8a\x1f\x0c\x4f\x17\x86\xa1\x90\xeb\x16\x65\x1e\x3a\xc4\x5e\xdb\x14\xd9\xfb\x89\x86\x44\xbe\xd6\x15\x76\xbd\x7a\x9f\xd9\x0c\x52\x17\x21\x7f\x6b\x9a\xed\x19\xd4\xa2\x2b\xff\x48\x2d\x05\x8e\x60\x3d\x2a\x0c\xdc\x48\xb1\xb2\x71\xb7\x9b\x1e\x25\xd7\xfe\x6b\xb8\x20\x50\x6e\x48\x57\x9a\x78\xaf\x99\xe7\xe9\x42\x9b\xcd\x4b\x07\xbc\x01\x34", 223); *(uint8_t*)0x20000001607e = 0x40; *(uint8_t*)0x20000001607f = 5; memcpy((void*)0x200000016080, "\x8f\x82\xcc\x05\xdf\x67\x73\x41\x41\xe3\x56\xe9\x36\xa6\xe0\xa7\x24\x7a\xc2\x3b\x30\x90\x0c\x5f\xc4\x14\x8a\x14\x99\x0b\x50\x04\x68\x6d\xe6\xca\xce\x04\xad\xe3\x50\xf0\x4a\x3d\x07\x8c\x39\x10\xf7\xdb\xa4\x92\xaf\x85\xda\x64\x94\x32\xe2\x6a\x78\x54", 62); *(uint8_t*)0x2000000160be = 9; *(uint8_t*)0x2000000160bf = 4; *(uint8_t*)0x2000000160c0 = 0x88; *(uint8_t*)0x2000000160c1 = 1; *(uint8_t*)0x2000000160c2 = 8; *(uint8_t*)0x2000000160c3 = 0xeb; *(uint8_t*)0x2000000160c4 = 0x43; *(uint8_t*)0x2000000160c5 = 0x23; *(uint8_t*)0x2000000160c6 = 4; *(uint8_t*)0x2000000160c7 = 9; *(uint8_t*)0x2000000160c8 = 5; *(uint8_t*)0x2000000160c9 = 0xc; *(uint8_t*)0x2000000160ca = 0; *(uint16_t*)0x2000000160cb = 0x40; *(uint8_t*)0x2000000160cd = 8; *(uint8_t*)0x2000000160ce = 8; *(uint8_t*)0x2000000160cf = 5; *(uint8_t*)0x2000000160d0 = 9; *(uint8_t*)0x2000000160d1 = 5; *(uint8_t*)0x2000000160d2 = 0; *(uint8_t*)0x2000000160d3 = 0x10; *(uint16_t*)0x2000000160d4 = 0x20; *(uint8_t*)0x2000000160d6 = 0x9a; 
*(uint8_t*)0x2000000160d7 = 0x5f; *(uint8_t*)0x2000000160d8 = 7; *(uint8_t*)0x2000000160d9 = 7; *(uint8_t*)0x2000000160da = 0x25; *(uint8_t*)0x2000000160db = 1; *(uint8_t*)0x2000000160dc = 0; *(uint8_t*)0x2000000160dd = 0x81; *(uint16_t*)0x2000000160de = 4; *(uint8_t*)0x2000000160e0 = 7; *(uint8_t*)0x2000000160e1 = 0x25; *(uint8_t*)0x2000000160e2 = 1; *(uint8_t*)0x2000000160e3 = 0xc; *(uint8_t*)0x2000000160e4 = 0xf9; *(uint16_t*)0x2000000160e5 = 2; *(uint8_t*)0x2000000160e7 = 9; *(uint8_t*)0x2000000160e8 = 5; *(uint8_t*)0x2000000160e9 = 0xb; *(uint8_t*)0x2000000160ea = 0x10; *(uint16_t*)0x2000000160eb = 0x40; *(uint8_t*)0x2000000160ed = 7; *(uint8_t*)0x2000000160ee = 1; *(uint8_t*)0x2000000160ef = 2; *(uint8_t*)0x2000000160f0 = 7; *(uint8_t*)0x2000000160f1 = 0x25; *(uint8_t*)0x2000000160f2 = 1; *(uint8_t*)0x2000000160f3 = 4; *(uint8_t*)0x2000000160f4 = 6; *(uint16_t*)0x2000000160f5 = 1; *(uint8_t*)0x2000000160f7 = 7; *(uint8_t*)0x2000000160f8 = 0x25; *(uint8_t*)0x2000000160f9 = 1; *(uint8_t*)0x2000000160fa = 0xc; *(uint8_t*)0x2000000160fb = 0xd; *(uint16_t*)0x2000000160fc = 0x103; *(uint8_t*)0x2000000160fe = 9; *(uint8_t*)0x2000000160ff = 5; *(uint8_t*)0x200000016100 = 0xb; *(uint8_t*)0x200000016101 = 0xc; *(uint16_t*)0x200000016102 = 0x3ff; *(uint8_t*)0x200000016104 = 0xa9; *(uint8_t*)0x200000016105 = 1; *(uint8_t*)0x200000016106 = 6; *(uint8_t*)0x200000016107 = 0xfb; *(uint8_t*)0x200000016108 = 0x2c; memcpy((void*)0x200000016109, 
"\xdf\x60\xd2\x33\x06\x38\x67\xe6\x38\xf4\xac\x47\x4e\x68\x5f\xef\x8f\x86\x15\x57\xd0\xa3\x15\x66\xd5\x8b\xde\x1f\x04\xa1\x13\xf6\xcb\x64\xc9\x60\x56\xa8\x16\x85\xa6\xdf\xa2\x97\x8a\x60\xc2\xd9\x4e\x45\x0f\x66\x75\xe3\x8b\x44\xc9\x6b\xfb\xff\x6c\x5f\x37\x46\x60\x93\x46\x49\x74\x83\xdf\xc8\xac\x21\x27\x36\x2c\xdb\xda\xa0\x25\x39\x51\xa1\x82\x27\x21\x83\xf4\x56\xaa\xe2\xbd\x12\xb2\x92\xc6\x09\xe8\xe1\x4b\x4f\x8c\x18\x53\xe0\xd8\x7e\x0c\x31\x79\xc8\xbe\x7b\x07\x30\x72\x1b\xb3\x01\x59\x04\x08\x26\xf0\x93\x51\x0c\xe0\x22\x58\x76\x91\x62\x7b\x23\x6a\x66\x21\x56\x20\x41\x8d\xf3\x34\xd2\x8d\x1d\x14\xf0\xca\x3b\x9f\x4f\xcf\xf0\x6b\xa2\x49\xdd\x19\x50\x81\x98\x50\x3a\x2c\x2c\xd4\xf3\xab\xda\xdb\xd4\xf1\xac\xe4\xe6\x27\xbe\xc9\x72\x99\xa0\x02\x28\xe0\x9c\x06\x4e\x5f\x34\x2e\x00\xd8\xc8\xf2\xd5\xb1\xfb\x56\x48\x5e\x73\x6a\x87\xdc\xfe\x51\x0c\x21\x86\x32\x72\x91\x22\xa4\xeb\x5d\x5b\x5d\x81\xdf\x8b\xe5\x85\x27\x18\x3e\x48\xf7\x60\xb8\x5c\x59\x9f\x88\x13\xf8\x9d\x70\x6a\xf7\xb2\x2f\x77\xd6\x8d\xc1", 249); *(uint8_t*)0x200000016202 = 0x6b; *(uint8_t*)0x200000016203 = 4; memcpy((void*)0x200000016204, "\x07\xec\xe0\x65\x86\xe0\x15\x05\xf1\x26\xe0\xdb\x2e\xd1\xac\x18\xb5\x75\x49\xf0\x80\xd7\x41\xf3\x8b\x0c\xce\xc6\xba\x03\x4d\x09\x64\x29\x40\x56\x19\xd0\x1a\xf4\x35\xc8\x09\x2b\xe0\xe9\xc4\xa9\x3c\x1b\x64\x7e\x7c\x7f\x14\xf0\x5e\xff\xf3\x05\xd2\xb8\x5d\x51\xfe\xdf\xf7\x50\xb8\x7e\x59\x90\xd0\x28\xfd\x33\x86\x45\x02\x9b\xd9\xed\x95\xe0\x03\x05\xac\xce\x8b\x89\x9a\x78\x6d\xbf\x30\x89\x5b\xe0\x31\x48\xa7\xa1\xe3\xbf\x25", 105); *(uint8_t*)0x20000001626d = 9; *(uint8_t*)0x20000001626e = 5; *(uint8_t*)0x20000001626f = 6; *(uint8_t*)0x200000016270 = 8; *(uint16_t*)0x200000016271 = 0x400; *(uint8_t*)0x200000016273 = 3; *(uint8_t*)0x200000016274 = 5; *(uint8_t*)0x200000016275 = -1; *(uint8_t*)0x200000016276 = 9; *(uint8_t*)0x200000016277 = 5; *(uint8_t*)0x200000016278 = 0xa; *(uint8_t*)0x200000016279 = 0x10; *(uint16_t*)0x20000001627a = 0x200; *(uint8_t*)0x20000001627c = 6; 
*(uint8_t*)0x20000001627d = 0x14; *(uint8_t*)0x20000001627e = 6; *(uint8_t*)0x20000001627f = 7; *(uint8_t*)0x200000016280 = 0x25; *(uint8_t*)0x200000016281 = 1; *(uint8_t*)0x200000016282 = 0xc; *(uint8_t*)0x200000016283 = 9; *(uint16_t*)0x200000016284 = 4; *(uint8_t*)0x200000016286 = 9; *(uint8_t*)0x200000016287 = 5; *(uint8_t*)0x200000016288 = 5; *(uint8_t*)0x200000016289 = 8; *(uint16_t*)0x20000001628a = 0x210; *(uint8_t*)0x20000001628c = 0xe8; *(uint8_t*)0x20000001628d = 5; *(uint8_t*)0x20000001628e = 3; *(uint8_t*)0x20000001628f = 9; *(uint8_t*)0x200000016290 = 5; *(uint8_t*)0x200000016291 = 0xa; *(uint8_t*)0x200000016292 = 8; *(uint16_t*)0x200000016293 = 0x10; *(uint8_t*)0x200000016295 = 0x64; *(uint8_t*)0x200000016296 = 8; *(uint8_t*)0x200000016297 = 0xe; *(uint8_t*)0x200000016298 = 7; *(uint8_t*)0x200000016299 = 0x25; *(uint8_t*)0x20000001629a = 1; *(uint8_t*)0x20000001629b = 4; *(uint8_t*)0x20000001629c = 5; *(uint16_t*)0x20000001629d = 2; *(uint32_t*)0x200000016780 = 0xa; *(uint64_t*)0x200000016784 = 0x2000000162c0; *(uint8_t*)0x2000000162c0 = 0xa; *(uint8_t*)0x2000000162c1 = 6; *(uint16_t*)0x2000000162c2 = 0x201; *(uint8_t*)0x2000000162c4 = 3; *(uint8_t*)0x2000000162c5 = 8; *(uint8_t*)0x2000000162c6 = -1; *(uint8_t*)0x2000000162c7 = 0x20; *(uint8_t*)0x2000000162c8 = 0x10; *(uint8_t*)0x2000000162c9 = 0; *(uint32_t*)0x20000001678c = 0x28; *(uint64_t*)0x200000016790 = 0x200000016300; *(uint8_t*)0x200000016300 = 5; *(uint8_t*)0x200000016301 = 0xf; *(uint16_t*)0x200000016302 = 0x28; *(uint8_t*)0x200000016304 = 4; *(uint8_t*)0x200000016305 = 0xb; *(uint8_t*)0x200000016306 = 0x10; *(uint8_t*)0x200000016307 = 1; *(uint8_t*)0x200000016308 = 0xc; *(uint16_t*)0x200000016309 = 1; *(uint8_t*)0x20000001630b = 7; *(uint8_t*)0x20000001630c = 7; *(uint16_t*)0x20000001630d = 6; *(uint8_t*)0x20000001630f = -1; *(uint8_t*)0x200000016310 = 3; *(uint8_t*)0x200000016311 = 0x10; *(uint8_t*)0x200000016312 = 0xb; *(uint8_t*)0x200000016313 = 0xb; *(uint8_t*)0x200000016314 = 0x10; 
*(uint8_t*)0x200000016315 = 1; *(uint8_t*)0x200000016316 = 2; *(uint16_t*)0x200000016317 = 0x61; *(uint8_t*)0x200000016319 = -1; *(uint8_t*)0x20000001631a = 0xf; *(uint16_t*)0x20000001631b = 6; *(uint8_t*)0x20000001631d = 5; *(uint8_t*)0x20000001631e = 0xa; *(uint8_t*)0x20000001631f = 0x10; *(uint8_t*)0x200000016320 = 3; *(uint8_t*)0x200000016321 = 2; *(uint16_t*)0x200000016322 = 1; *(uint8_t*)0x200000016324 = 3; *(uint8_t*)0x200000016325 = 0xb; *(uint16_t*)0x200000016326 = 0x100; *(uint32_t*)0x200000016798 = 7; *(uint32_t*)0x20000001679c = 4; *(uint64_t*)0x2000000167a0 = 0x200000016340; *(uint8_t*)0x200000016340 = 4; *(uint8_t*)0x200000016341 = 3; *(uint16_t*)0x200000016342 = 0x457; *(uint32_t*)0x2000000167a8 = 0xff; *(uint64_t*)0x2000000167ac = 0x200000016380; *(uint8_t*)0x200000016380 = -1; *(uint8_t*)0x200000016381 = 3; memcpy((void*)0x200000016382, "\x85\xa7\x64\xd8\x29\x53\x29\x17\xb6\x64\x7a\x68\xa2\x49\xb2\x52\xf0\x1a\x99\xf8\x87\x67\xa2\xe9\xf1\x3a\xee\xfa\xb3\x9c\xf6\xa4\x05\x49\x7e\x32\x44\x29\x4b\x1b\xd4\x85\xc0\xec\x99\x33\x86\x40\xa5\x08\xfa\xbb\xf1\x1e\x0f\xd6\xa0\x3b\xcc\x9c\xeb\xaf\x83\x03\x7a\xa7\x73\x97\xcb\xdf\x09\x11\xc8\xdf\xb8\x42\xf6\x2f\x94\x76\x6a\xa4\x45\x92\x57\x73\xc4\xf7\xc6\x70\x1b\xe8\xa0\x56\x73\xaf\xe9\x5c\xf1\x9c\x27\x9a\xc6\x2f\xd2\x72\x0e\xd2\xda\xe6\x89\x37\x1c\x51\x51\xbf\x6b\x9e\x77\x27\xf8\xf4\x97\x09\x1c\x3a\xaa\x90\x2f\x81\xe4\x4c\x51\x73\xac\xf2\x21\x52\xfc\xbc\x4d\x72\xa7\x5e\x9a\xb4\xba\xdc\x67\x88\xb2\xfd\xbb\x7e\x34\xb2\x02\xe0\xe7\x1f\xeb\x1c\xc9\xb1\xca\x79\x1e\x92\x37\x4c\xfc\x63\xcc\x7d\xb5\x64\x85\x91\x77\x8b\xfc\x19\x48\xf9\xda\xd9\xb7\xfe\x74\xa5\x88\xdd\xc9\xad\x49\x99\x93\x06\x26\x66\xb3\xe0\xdf\x0a\xca\xa6\x78\x02\xad\x37\xa8\x6f\xcb\x41\x1a\x22\x30\xbd\xd4\x3f\xe8\x61\x0f\x29\xc1\x51\x79\xbf\x42\x9f\x81\x87\x6e\xe9\x0b\x7d\x35\xa2\x26\x3f\x91\xeb\x8d\x3c\x7c\x87\xc4\x66\x00\xb4\x52\x82\xee", 253); *(uint32_t*)0x2000000167b4 = 4; *(uint64_t*)0x2000000167b8 = 0x200000016480; *(uint8_t*)0x200000016480 = 4; 
*(uint8_t*)0x200000016481 = 3; *(uint16_t*)0x200000016482 = 0x8406; *(uint32_t*)0x2000000167c0 = 0x49; *(uint64_t*)0x2000000167c4 = 0x2000000164c0; *(uint8_t*)0x2000000164c0 = 0x49; *(uint8_t*)0x2000000164c1 = 3; memcpy((void*)0x2000000164c2, "\xcb\x9d\x5f\x1c\x5f\xbc\x94\x74\xd5\x9f\xfa\x54\xa9\x2b\xa7\xaf\xf9\x7b\x2f\x65\xab\xf4\x8a\xad\x8e\x2b\x09\xb6\x0a\x5d\xc2\x74\x4b\x25\x0f\xe7\x52\x90\x97\xbf\xbb\x2b\xcf\x99\xd0\x54\x8a\x03\x4f\xb7\xae\xca\xf8\xdd\x80\x84\x95\xbe\x13\x2e\x1b\x8c\x84\xab\xe5\x33\x75\xdc\xf5\x40\xd5", 71); *(uint32_t*)0x2000000167cc = 4; *(uint64_t*)0x2000000167d0 = 0x200000016540; *(uint8_t*)0x200000016540 = 4; *(uint8_t*)0x200000016541 = 3; *(uint16_t*)0x200000016542 = 0x407; *(uint32_t*)0x2000000167d8 = 0x102; *(uint64_t*)0x2000000167dc = 0x200000016580; *(uint8_t*)0x200000016580 = 2; *(uint8_t*)0x200000016581 = 3; memcpy((void*)0x200000016582, "\x04\xdd\xeb\x57\xb5\x07\x2b\x0d\xc9\xdc\x62\x4c\xf2\x79\x2d\xaa\xc5\x35\xb0\x25\x70\xdb\xb7\x01\xe1\xdb\x0e\x6c\x25\xd6\x80\xf0\x7b\x51\x7f\x65\x82\x12\x5b\xaa\x7a\x78\x49\xeb\x0b\x11\x13\x0e\x00\x24\xef\xe8\xa1\xc9\x51\x36\x3b\xf4\x7a\x68\xfb\x5b\xd9\xac\xf1\x85\xae\xa1\x62\x73\x81\xf5\x03\x43\xcb\x4b\xb8\xd7\x17\x51\x31\xf2\xae\x52\xa8\x42\xdb\x75\x39\x04\xd3\x05\x1a\x0a\xb0\x82\x60\x85\x60\xe8\xac\x66\xb8\x7d\xdd\xbb\x9f\xa3\x51\x4a\x31\xe5\x59\x51\x70\xe3\xd2\x1c\x01\x8b\x37\x85\x59\x92\xa2\xa4\xb3\x48\xde\x99\x46\x9b\x63\xf5\x43\x8e\x24\x0e\x23\xcf\xe0\xa2\x6d\x30\xa9\x1d\x95\x36\x91\xd7\x41\xb9\xd5\xd8\x5d\xab\x27\xd4\x0d\xa7\x1f\xc9\xd8\x67\x7b\x0d\xc3\xe1\xd6\x06\x0d\x0d\x98\xa7\x13\x00\xd3\x74\xe7\xbd\x55\x0f\x6a\x57\xb6\xfc\xd4\x44\x31\x3f\x37\x36\x7f\x5b\x55\xc2\x0f\x1a\x2d\x44\x86\x1e\x8a\x1a\x36\xbc\xdc\x76\x9f\xfc\x14\x6b\xb7\x1a\xb5\x84\x6d\xcb\x82\x31\x24\x7f\x16\x36\x48\x3d\xab\xb7\x10\xd0\x74\xfd\x2b\x80\x18\xd4\xc3\x56\xd1\x82\x5b\xb1\x7b\xf9\x63\x27\xe9\x6e\xe8\x67\x58\x32\x43\xe8\x25\x4e", 256); *(uint32_t*)0x2000000167e4 = 0x9e; *(uint64_t*)0x2000000167e8 = 0x2000000166c0; 
*(uint8_t*)0x2000000166c0 = 0x9e; *(uint8_t*)0x2000000166c1 = 3; memcpy((void*)0x2000000166c2, "\xef\x2a\x4e\x82\x9a\x0f\x6c\xdb\x32\xa4\x49\xbb\xa1\xd4\x8f\x5d\xfe\x86\x5e\x51\xf2\x28\x7e\x21\x77\x39\x1a\x43\xf9\xbb\xf1\xca\x78\xd5\x73\xf2\x00\xea\xe4\x0c\x60\xa2\x1d\xdc\x2a\xd4\x82\xdf\x2a\x85\xf2\x75\x59\x81\x5b\xb4\xeb\xca\x56\x05\x30\xb8\x65\x53\x45\x0e\xe3\x8e\xae\xb8\x71\x2f\x6b\x77\xc1\x4d\x47\xf8\x5d\x8b\xbf\x64\x1e\x1d\x9e\x09\xfa\x1e\x2b\xe5\xe9\x2c\x18\x7c\xe5\x6e\xf9\x94\x9a\xe1\xd8\x7c\xfb\xfe\x0e\xa1\xba\x9f\x9b\x2f\xf0\x18\x2d\x4b\x05\xce\x50\x68\x91\xc5\xa3\x47\xee\x33\xcc\xf9\xce\x7d\x86\xd7\xdd\xf2\xbf\x38\x57\x4d\x21\xd9\x65\x4b\xbe\x80\x65\x86\x80\xbe\xf5\x58\x9e\x2d\xb6\x07\x2d\x9f\xd0\xfd", 156); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0xd9f, /*dev=*/0x200000015500, /*conn_descs=*/0x200000016780); if (res != -1) r[27] = res; break; case 51: *(uint8_t*)0x200000016800 = 0x12; *(uint8_t*)0x200000016801 = 1; *(uint16_t*)0x200000016802 = 0x200; *(uint8_t*)0x200000016804 = -1; *(uint8_t*)0x200000016805 = -1; *(uint8_t*)0x200000016806 = -1; *(uint8_t*)0x200000016807 = 0x40; *(uint16_t*)0x200000016808 = 0xcf3; *(uint16_t*)0x20000001680a = 0x9271; *(uint16_t*)0x20000001680c = 0x108; *(uint8_t*)0x20000001680e = 1; *(uint8_t*)0x20000001680f = 2; *(uint8_t*)0x200000016810 = 3; *(uint8_t*)0x200000016811 = 1; *(uint8_t*)0x200000016812 = 9; *(uint8_t*)0x200000016813 = 2; *(uint16_t*)0x200000016814 = 0x48; *(uint8_t*)0x200000016816 = 1; *(uint8_t*)0x200000016817 = 1; *(uint8_t*)0x200000016818 = 0; *(uint8_t*)0x200000016819 = 0x80; *(uint8_t*)0x20000001681a = 0xfa; *(uint8_t*)0x20000001681b = 9; *(uint8_t*)0x20000001681c = 4; *(uint8_t*)0x20000001681d = 0; *(uint8_t*)0x20000001681e = 0; *(uint8_t*)0x20000001681f = 6; *(uint8_t*)0x200000016820 = -1; *(uint8_t*)0x200000016821 = 0; *(uint8_t*)0x200000016822 = 0; *(uint8_t*)0x200000016823 = 0; *(uint8_t*)0x200000016824 = 9; *(uint8_t*)0x200000016825 = 5; *(uint8_t*)0x200000016826 = 
1; *(uint8_t*)0x200000016827 = 2; *(uint16_t*)0x200000016828 = 0x200; *(uint8_t*)0x20000001682a = 0; *(uint8_t*)0x20000001682b = 0; *(uint8_t*)0x20000001682c = 0; *(uint8_t*)0x20000001682d = 9; *(uint8_t*)0x20000001682e = 5; *(uint8_t*)0x20000001682f = 0x82; *(uint8_t*)0x200000016830 = 2; *(uint16_t*)0x200000016831 = 0x200; *(uint8_t*)0x200000016833 = 0; *(uint8_t*)0x200000016834 = 0; *(uint8_t*)0x200000016835 = 0; *(uint8_t*)0x200000016836 = 9; *(uint8_t*)0x200000016837 = 5; *(uint8_t*)0x200000016838 = 0x83; *(uint8_t*)0x200000016839 = 3; *(uint16_t*)0x20000001683a = 0x40; *(uint8_t*)0x20000001683c = 1; *(uint8_t*)0x20000001683d = 0; *(uint8_t*)0x20000001683e = 0; *(uint8_t*)0x20000001683f = 9; *(uint8_t*)0x200000016840 = 5; *(uint8_t*)0x200000016841 = 4; *(uint8_t*)0x200000016842 = 3; *(uint16_t*)0x200000016843 = 0x40; *(uint8_t*)0x200000016845 = 1; *(uint8_t*)0x200000016846 = 0; *(uint8_t*)0x200000016847 = 0; *(uint8_t*)0x200000016848 = 9; *(uint8_t*)0x200000016849 = 5; *(uint8_t*)0x20000001684a = 5; *(uint8_t*)0x20000001684b = 2; *(uint16_t*)0x20000001684c = 0x200; *(uint8_t*)0x20000001684e = 0; *(uint8_t*)0x20000001684f = 0; *(uint8_t*)0x200000016850 = 0; *(uint8_t*)0x200000016851 = 9; *(uint8_t*)0x200000016852 = 5; *(uint8_t*)0x200000016853 = 6; *(uint8_t*)0x200000016854 = 2; *(uint16_t*)0x200000016855 = 0x200; *(uint8_t*)0x200000016857 = 0; *(uint8_t*)0x200000016858 = 0; *(uint8_t*)0x200000016859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000016800, /*conn_descs=*/0); if (res != -1) r[28] = res; break; case 52: *(uint32_t*)0x200000016b40 = 0x2c; *(uint64_t*)0x200000016b44 = 0x200000016880; *(uint8_t*)0x200000016880 = 0x20; *(uint8_t*)0x200000016881 = 0xb; *(uint32_t*)0x200000016882 = 0xc8; *(uint8_t*)0x200000016886 = 0xc8; *(uint8_t*)0x200000016887 = 0x21; memcpy((void*)0x200000016888, 
"\x01\xf4\x8f\xe8\x31\xd8\xd1\x99\x24\x72\x17\x3e\xa8\x19\xa3\xa2\xad\xe9\x61\x21\x34\x13\x54\xe8\x5c\xa1\x98\xec\x1f\xcf\x85\x90\xc9\x39\xf7\x27\xaa\x0e\x85\x85\x6b\x35\x7c\x23\xbc\x06\x8f\x24\xa2\x2c\xc6\xb7\x1b\xd4\xad\xd3\xae\x66\x95\x5e\x3c\xeb\x2a\x8f\x15\x5c\x4f\xea\xf3\x6d\x9c\x48\x02\x96\x8a\x53\xb0\x86\xa4\xa5\x0d\xc3\x54\x75\xe7\x5c\x18\x51\xe7\xd4\x08\x54\x07\x74\xe8\x98\x21\x91\xe5\x06\x06\x99\x1f\x3f\x33\xfa\x70\x8e\xf6\xa9\x40\x41\x51\x10\x98\xb0\x26\x7e\x73\x7b\x9f\x39\x9f\xad\x65\xb7\xcc\x2e\xfa\x80\xea\xfc\x73\x4b\xd5\xab\x1f\xdc\x3d\xec\xc0\x26\xfa\x76\x75\xef\x45\xa1\xd1\x7f\xfe\x1c\x0b\x1e\x00\xb1\x02\x73\xd7\xc5\x7d\x18\x3c\x74\xa3\xd9\xb1\x47\x13\x22\xb5\x9a\x98\xce\xbd\x12\xd1\x6c\x28\x34\xb2\x26\xce\xca\xea\xf9\x60\xe3\xd9\x07\x76\xc2\x39\x23\xea\xe6\x8d\x1e", 198); *(uint64_t*)0x200000016b4c = 0x200000016980; *(uint8_t*)0x200000016980 = 0; *(uint8_t*)0x200000016981 = 3; *(uint32_t*)0x200000016982 = 4; *(uint8_t*)0x200000016986 = 4; *(uint8_t*)0x200000016987 = 3; *(uint16_t*)0x200000016988 = 0x280a; *(uint64_t*)0x200000016b54 = 0x2000000169c0; *(uint8_t*)0x2000000169c0 = 0; *(uint8_t*)0x2000000169c1 = 0xf; *(uint32_t*)0x2000000169c2 = 0xc8; *(uint8_t*)0x2000000169c6 = 5; *(uint8_t*)0x2000000169c7 = 0xf; *(uint16_t*)0x2000000169c8 = 0xc8; *(uint8_t*)0x2000000169ca = 5; *(uint8_t*)0x2000000169cb = 0x14; *(uint8_t*)0x2000000169cc = 0x10; *(uint8_t*)0x2000000169cd = 0xa; *(uint8_t*)0x2000000169ce = 3; STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 9, 5, 27); *(uint16_t*)0x2000000169d3 = 0xf; *(uint16_t*)0x2000000169d5 = 0; *(uint32_t*)0x2000000169d7 = 0xc0cf; *(uint32_t*)0x2000000169db = 0xf; *(uint8_t*)0x2000000169df = 0x10; *(uint8_t*)0x2000000169e0 = 0x10; *(uint8_t*)0x2000000169e1 = 0xa; *(uint8_t*)0x2000000169e2 = 4; STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 0x30ec, 5, 27); *(uint16_t*)0x2000000169e7 = 0xf0f; 
*(uint16_t*)0x2000000169e9 = 0x82; *(uint32_t*)0x2000000169eb = 0xc00f; *(uint8_t*)0x2000000169ef = 7; *(uint8_t*)0x2000000169f0 = 0x10; *(uint8_t*)0x2000000169f1 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000169f2, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 8, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f4, 0xf, 0, 16); *(uint8_t*)0x2000000169f6 = 0x8d; *(uint8_t*)0x2000000169f7 = 0x10; *(uint8_t*)0x2000000169f8 = 0xa; memcpy((void*)0x2000000169f9, "\x42\x2d\x46\xfc\x73\xf8\x4b\x4d\xd0\xc3\xd2\x4d\x79\xf2\x70\x97\x5a\x97\x8d\x73\x6a\x0a\xa3\xe5\x86\xae\x4e\x9a\x23\x24\x83\xcf\x25\x26\x97\x18\xcb\xb9\xdf\x73\x03\x62\xce\x6b\x7c\xf0\xe3\xd1\x00\x79\xc3\x28\xee\x2b\xe8\xf5\xff\xc2\x42\xa0\x7e\x20\xf7\xc3\xdb\x60\x7c\x73\xe2\xca\xc8\x2f\x1c\x73\xc8\xfc\xac\xeb\x15\x1e\x20\x22\xfe\x0c\x73\xad\x66\x19\xa4\xda\xce\x08\x65\x96\x99\xed\x76\x60\xd4\x52\x02\x74\x9c\xda\x47\xdf\xa1\xe0\xdb\x87\x66\x4d\x1e\xff\x73\xf0\x60\x6d\x30\xb7\x78\xcb\x88\x08\xdf\xa6\xb2\x4c\xc1\x8a\xdd\x57\x9f\x29\xe8\x1b\x12\xe3", 138); *(uint8_t*)0x200000016a83 = 0xb; *(uint8_t*)0x200000016a84 = 0x10; *(uint8_t*)0x200000016a85 = 1; *(uint8_t*)0x200000016a86 = 2; *(uint16_t*)0x200000016a87 = 0x48; *(uint8_t*)0x200000016a89 = 6; *(uint8_t*)0x200000016a8a = 0xf2; *(uint16_t*)0x200000016a8b = 0; *(uint8_t*)0x200000016a8d = 2; *(uint64_t*)0x200000016b5c = 0x200000016ac0; *(uint8_t*)0x200000016ac0 = 0x20; *(uint8_t*)0x200000016ac1 = 0x29; *(uint32_t*)0x200000016ac2 = 0xf; *(uint8_t*)0x200000016ac6 = 0xf; *(uint8_t*)0x200000016ac7 = 0x29; *(uint8_t*)0x200000016ac8 = 1; *(uint16_t*)0x200000016ac9 = 3; *(uint8_t*)0x200000016acb = 0xf6; *(uint8_t*)0x200000016acc = 5; memcpy((void*)0x200000016acd, "\xd7\xdb\x75\x8c", 4); memcpy((void*)0x200000016ad1, "\xcb\x02\x4e\x33", 4); *(uint64_t*)0x200000016b64 = 0x200000016b00; *(uint8_t*)0x200000016b00 = 0x20; *(uint8_t*)0x200000016b01 = 0x2a; *(uint32_t*)0x200000016b02 = 0xc; 
*(uint8_t*)0x200000016b06 = 0xc; *(uint8_t*)0x200000016b07 = 0x2a; *(uint8_t*)0x200000016b08 = 2; *(uint16_t*)0x200000016b09 = 2; *(uint8_t*)0x200000016b0b = 0x80; *(uint8_t*)0x200000016b0c = 5; *(uint8_t*)0x200000016b0d = 7; *(uint16_t*)0x200000016b0e = 7; *(uint16_t*)0x200000016b10 = 0xff24; *(uint32_t*)0x200000016f40 = 0x84; *(uint64_t*)0x200000016f44 = 0x200000016b80; *(uint8_t*)0x200000016b80 = 0x20; *(uint8_t*)0x200000016b81 = 0x13; *(uint32_t*)0x200000016b82 = 0x2a; memcpy((void*)0x200000016b86, "\xb3\x64\x4b\x33\xa4\x96\xf2\x18\x7a\x58\x63\xe6\x4c\x40\x7c\xec\xd2\xd6\xd1\x3a\xe2\x3e\xcf\x1c\x3c\x53\xf7\x8f\xf2\x17\xcf\xf0\x21\xe4\x71\x8c\xea\x7f\xbe\x4c\x3b\xa3", 42); *(uint64_t*)0x200000016f4c = 0xffffffff81000000; *(uint64_t*)0x200000016f54 = 0x200000016bc0; *(uint8_t*)0x200000016bc0 = 0; *(uint8_t*)0x200000016bc1 = 8; *(uint32_t*)0x200000016bc2 = 1; *(uint8_t*)0x200000016bc6 = 6; *(uint64_t*)0x200000016f5c = 0x200000016c00; *(uint8_t*)0x200000016c00 = 0x20; *(uint8_t*)0x200000016c01 = 0; *(uint32_t*)0x200000016c02 = 4; *(uint16_t*)0x200000016c06 = 2; *(uint16_t*)0x200000016c08 = 1; *(uint64_t*)0x200000016f64 = 0x200000016c40; *(uint8_t*)0x200000016c40 = 0x20; *(uint8_t*)0x200000016c41 = 0; *(uint32_t*)0x200000016c42 = 4; *(uint16_t*)0x200000016c46 = 0x40; *(uint16_t*)0x200000016c48 = 0x20; *(uint64_t*)0x200000016f6c = 0x200000016c80; *(uint8_t*)0x200000016c80 = 0x40; *(uint8_t*)0x200000016c81 = 7; *(uint32_t*)0x200000016c82 = 2; *(uint16_t*)0x200000016c86 = 2; *(uint64_t*)0x200000016f74 = 0x200000016cc0; *(uint8_t*)0x200000016cc0 = 0x40; *(uint8_t*)0x200000016cc1 = 9; *(uint32_t*)0x200000016cc2 = 1; *(uint8_t*)0x200000016cc6 = 3; *(uint64_t*)0x200000016f7c = 0x200000016d00; *(uint8_t*)0x200000016d00 = 0x40; *(uint8_t*)0x200000016d01 = 0xb; *(uint32_t*)0x200000016d02 = 2; memcpy((void*)0x200000016d06, "{*", 2); *(uint64_t*)0x200000016f84 = 0x200000016d40; *(uint8_t*)0x200000016d40 = 0x40; *(uint8_t*)0x200000016d41 = 0xf; *(uint32_t*)0x200000016d42 = 2; 
*(uint16_t*)0x200000016d46 = 9; *(uint64_t*)0x200000016f8c = 0x200000016d80; *(uint8_t*)0x200000016d80 = 0x40; *(uint8_t*)0x200000016d81 = 0x13; *(uint32_t*)0x200000016d82 = 6; *(uint8_t*)0x200000016d86 = 1; *(uint8_t*)0x200000016d87 = 0x80; *(uint8_t*)0x200000016d88 = 0xc2; *(uint8_t*)0x200000016d89 = 0; *(uint8_t*)0x200000016d8a = 0; *(uint8_t*)0x200000016d8b = 2; *(uint64_t*)0x200000016f94 = 0x200000016dc0; *(uint8_t*)0x200000016dc0 = 0x40; *(uint8_t*)0x200000016dc1 = 0x17; *(uint32_t*)0x200000016dc2 = 6; *(uint8_t*)0x200000016dc6 = 1; *(uint8_t*)0x200000016dc7 = 0x80; *(uint8_t*)0x200000016dc8 = 0xc2; *(uint8_t*)0x200000016dc9 = 0; *(uint8_t*)0x200000016dca = 0; *(uint8_t*)0x200000016dcb = 0xe; *(uint64_t*)0x200000016f9c = 0x200000016e00; *(uint8_t*)0x200000016e00 = 0x40; *(uint8_t*)0x200000016e01 = 0x19; *(uint32_t*)0x200000016e02 = 2; memcpy((void*)0x200000016e06, "\x1a\xc5", 2); *(uint64_t*)0x200000016fa4 = 0x200000016e40; *(uint8_t*)0x200000016e40 = 0x40; *(uint8_t*)0x200000016e41 = 0x1a; *(uint32_t*)0x200000016e42 = 2; *(uint16_t*)0x200000016e46 = 0x100; *(uint64_t*)0x200000016fac = 0x200000016e80; *(uint8_t*)0x200000016e80 = 0x40; *(uint8_t*)0x200000016e81 = 0x1c; *(uint32_t*)0x200000016e82 = 1; *(uint8_t*)0x200000016e86 = 7; *(uint64_t*)0x200000016fb4 = 0x200000016ec0; *(uint8_t*)0x200000016ec0 = 0x40; *(uint8_t*)0x200000016ec1 = 0x1e; *(uint32_t*)0x200000016ec2 = 1; *(uint8_t*)0x200000016ec6 = 0xc8; *(uint64_t*)0x200000016fbc = 0x200000016f00; *(uint8_t*)0x200000016f00 = 0x40; *(uint8_t*)0x200000016f01 = 0x21; *(uint32_t*)0x200000016f02 = 1; *(uint8_t*)0x200000016f06 = 0x4f; syz_usb_control_io(/*fd=*/r[28], /*descs=*/0x200000016b40, /*resps=*/0x200000016f40); break; case 53: syz_usb_disconnect(/*fd=*/r[27]); break; case 54: syz_usb_ep_read(/*fd=*/r[27], /*ep=*/0, /*len=*/4, /*data=*/0x200000017000); break; case 55: memcpy((void*)0x200000017040, 
"\xdd\x9c\x62\x25\x17\x5b\x3c\x37\xdc\x19\x63\xb4\xd0\xf4\x63\xd6\xe3\x82\xd9\x56\xed\xab\xd1\x31\xd4\x19\xff\x0b\x34\x34\x94\xa2\xc3\xc8\xbd\x5e\x32\x1a\x50\x6b\x68\xc9\x62\x1a\xb5\x44\xdc\x8b\xd1\x7c\x2f\x62\xf3\xc5\x6c\xae\xcb\x39\x08\xa6\x43\x0e\x4d\x9e\xaf\xd0\x2c\xa1\x3d\xfd\xcc\x2d\x07\xc5\x31\x31\x38\x62\xad\x42\x71\xec\xb0\x7f\x10\x14\x3f\x48\xff\x7e\x73\x8a\x4a\x77\x62\x3d\x0d\x4b\x89\x21\x08\x4f\x7c\x7a\x91\x14\x22\x06\x24\xe8\xf1\x22\x87\xc7\x36\x9f\x8b\x91\x93\xde\x6e\x3a\x67\xff\x4b\xf7\x59\x6f\xd6\xc1\x07\xe4\x77\xfc\x1d\xf6\x7c\x16\xfe\xc9\x51\xa2\x12\xd9\x60\xcd\x48\xe3\xa1\x75\x8e\x8e\xc8\xe7", 154); syz_usb_ep_write(/*fd=*/r[28], /*ep=*/4, /*len=*/0x9a, /*data=*/0x200000017040); break; case 56: syz_usbip_server_init(/*speed=USB_SPEED_HIGH*/3); break; } }
/*
 * Entry point of the generated reproducer.
 *
 * Maps the fixed-address scratch area that execute_call() fills through
 * absolute pointers (for example the stores to 0x200000016800 above), tries
 * to enable kernel fault injection, then hands control to
 * use_temporary_dir() and do_sandbox_none(), which are defined earlier in
 * the file and not shown in this part.
 *
 * Returns 0 once do_sandbox_none() returns.
 */
int main(void) {
    /* One no-access page (prot=0) ending exactly where the data region
     * starts: 0x1ffffffff000 + 0x1000 == 0x200000000000. Presumably a guard
     * page so that an access just below the region faults. */
    syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* The data region itself: 0x1000000 bytes (16 MiB) at 0x200000000000,
     * mapped readable, writable and executable at the same time (prot=7).
     * NOTE(review): the mmap return value is not checked here; if the
     * MAP_FIXED request failed, the absolute-address stores in
     * execute_call() would fault. */
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* One no-access page starting exactly where the data region ends:
     * 0x200000000000 + 0x1000000 == 0x200001000000. Presumably the upper
     * guard page. */
    syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    /* setup_fault() returns NULL on success or a static string naming what
     * is missing. A failure is reported and execution continues. */
    const char* reason;
    (void)reason; /* marks the variable as used */
    if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
    /* Both helpers are defined outside this view. */
    use_temporary_dir();
    do_sandbox_none();
    return 0;
}
/* NOTE(review): the text from here on is captured compiler output, not
 * source. The build stops in execute_call() because '__NR_socketcall' is
 * undeclared. The invocation that follows targets amd64 (-m64,
 * -DGOARCH_amd64=1), and the x86-64 syscall table has no socketcall entry,
 * which would explain the missing macro. The program text further down
 * contains a socketcall$auto_SYS_SOCKETPAIR call. */
: In function 'execute_call': :6147:17: error: '__NR_socketcall' undeclared (first use in this function) :6147:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2982842337 -DGOOS_linux=1
-DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/25 (1.47s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_open_dev$admmidi(&(0x7f0000000000), 0x302d694, 0x32400) (fail_nth: 1) ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r0, 0x80045700, &(0x7f0000000040)) (async) r1 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) (rerun: 4) ioctl$TIOCSIG(r1, 0x40045436, 0x17) getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f00000000c0), &(0x7f0000000100)=0x14) syz_clone3(&(0x7f0000000340)={0x8800000, &(0x7f0000000140), &(0x7f0000000180)=0x0, &(0x7f00000001c0), {}, &(0x7f0000000200)=""/114, 0x72, &(0x7f0000000280)=""/109, &(0x7f0000000300)=[0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0], 0x8, {r1}}, 0x58) kcmp(r2, 0x0, 0x2, r0, 0xffffffffffffffff) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000003c0)={0x0, 0x4, 0x0, 0x8}, &(0x7f0000000400)=0x10) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000440)={0x6, 0x8207, 0x96d, 0x10, r3}, &(0x7f0000000480)=0x10) ioctl$CEC_ADAP_G_CAPS(0xffffffffffffffff, 0xc04c6100, &(0x7f0000000500)) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@ctrl_frame=@pspoll={{}, @random=0x8000, @random="63448edb2fb0"}, 0x10) 
syz_80211_join_ibss(&(0x7f0000000080)='wlan0\x00', &(0x7f00000000c0)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_kernel_create_files_as\x00') r4 = syz_clone(0x2080000, &(0x7f0000000140)="2803837cbcf37bce72c1a73b909c68fe5bf7a6363cdc90c00dc6013b35da02a66a0591667154a5567c0e5ee6933d6da8bfedac5d278a291efa3020ba15e390eb38da76261c3aeff9eea8abeace", 0x4d, &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="6a0b56ff4b8fac28773ca137652b5b0fd803a0413c282037f721cb96ecf2bb1a616dc3d56eeea26f6b16f4562d17c6d8b8838f1844b585ebcc0b562f0557b2c7e9f0dda1ce4cc61d") r5 = socketcall$auto_SYS_SOCKETPAIR(0x8, &(0x7f0000000480)=0xc2e0) syz_clone3(&(0x7f00000004c0)={0x18000000, &(0x7f00000002c0)=0xffffffffffffffff, &(0x7f0000000300)=0x0, &(0x7f0000000340)=0x0, {0x9}, &(0x7f0000000380)=""/41, 0x29, &(0x7f00000003c0)=""/107, &(0x7f0000000440)=[r4, r4, r4], 0x3, {r5}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000540)='./file0\x00') syz_emit_ethernet(0x63, &(0x7f0000000580)={@remote, @link_local, @val={@void, {0x8100, 0x6, 0x0, 0x2}}, {@x25={0x805, {0x0, 0x0, 0x27, "ed9d0de7c64477f8a5d951f792474cf5075158244f9b1731f0f24acbf5389ee283a5851cd5cf33761e5cea7eddd7b163070852dce6e12da0688ac4ee0a17dcca77143e90d7e7935dc9bf2e32db4a"}}}}, &(0x7f0000000600)={0x1, 0x2, [0x9b6, 0xffa, 0x777, 0x5fe]}) syz_emit_vhci(&(0x7f0000000640)=@HCI_EVENT_PKT={0x4, @hci_ev_clock_offset={{0x1c, 0x5}, {0x80, 0xc8, 0x2}}}, 0x8) syz_extract_tcp_res(&(0x7f0000000680), 0x10001, 0xffff0001) r9 = openat$fuse(0xffffffffffffff9c, &(0x7f00000006c0), 0x2, 0x0) getsockopt$inet_IP_XFRM_POLICY(r5, 0x0, 0x11, &(0x7f0000002a00)={{{@in6=@local, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@empty}}, &(0x7f0000002b00)=0xe8) ioctl$auto_KVM_HAS_DEVICE_ATTR(r5, 0x4018aee3, &(0x7f0000002b40)={0x5, 0xee00, 0x1, 0x5}) ioctl$auto_EXT4_IOC_GROUP_ADD(r5, 0x40286608, &(0x7f0000002c00)={0xee00, 0x0, 0x8, 0x1, 0x6, 0x5}) getsockopt$inet6_IPV6_XFRM_POLICY(r5, 0x29, 
0x23, &(0x7f0000002e00)={{{@in6=@private2, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in6=@ipv4={""/10, ""/2, @multicast2}}}, &(0x7f0000002f00)=0xe8) shmctl$auto(0x2, 0x6, &(0x7f0000004040)={{0x8, 0x0, 0xffffffffffffffff, 0x2, 0x10, 0x4, 0x7}, 0x7f, 0xbb, 0xf, 0x4, @raw=0x800, @raw=0x2, 0x5, 0x0, &(0x7f0000002f40)="a0fc0337faea631f704d04b5a594dd3a87e2747c38740f4357e5cb221bf4405795c29906227d364e0446ebf77d111ab6668106a002140a81071b6d28cfabb37aea4e26c4657db31916f17181ef2fbba8cf194a98c435a1007c270cd6eff5c6424537197a130202f28ce2586be0ceff0db47a35351218f49a4599a98e93fd6fa6be92176782d29ccfc900c767f4de102c3a7779577ff36f427dcaed1e8dd389650fbe9cc0cab5b4390e805ec30ad6411cff6065a8a57610ab7c610132a2a1bf37c871d06a9d78cc27688f4befa7bd112a69df64b551e3", &(0x7f0000003040)="64b9520eb174939ec87643a2fdaffea4527bbfd51b07ac9467169d3c7baa5dc65b8a38d950c858ff99237e6ec06b4656a52acb76c755c1cff1c0a65e3d1632fabd9e1b381852b6fcfc058744856a80a29fb4dbdd715b3cd08e15a53405d0fd2ff7eac836338c4eca0456ff78cc5712332146b671bc42861cd8bb43200985a362f39f15bd437f06458b867d4bea2227493250d83fb46f7297b8f8c27351ccbec4ffd07175a7c5e2319e94210d4af5061e743f050f2ea538a3ed9d0359f5a7546c3d0113e255268cd0483ab186f9c5550202a9fa3fa0c4a2a5805241819cf9c345cecc6b77dd7c299750b67ff8cb5d9a6b0d3d9816dbeb6fdbc5ea9fae4a25e19b48e510ddb5d4d1271ba0c4a083d04cc509b40f1a849195f3bc3e9f63b7cc7473ffc740cf1a979bd1d7e9317f6fc77a62e5acab36c4a063069cfb207dcc7af70b77a743b362d9d9fae0dbc680923a0e3454026b6da9579f352afef7abbca7bfc14aef0fb3d1305506b97940ea127ffed13eeea6cae0be96f5be7385e8e9ba4f00fdc51859d825192718dcf23e0b6da413aff854ba5221ba8d27ff02b6c0f9667f2ffe72f434f4c7085a52fee5f0871bc20aebc8ef87c17c49b2a434242154770e3ae268d5bae11f22f2146169d7a9c16b5daf83031111ce5ce992d275bb9bc5d1290f7fea356607e8dd9acc55849eeb502827374c45dc89dd1186ec9210bff8e005b7cb2c134a922d6ddc512281e6f5aa9b104d04bcc6000b9f95f74393f312c990f7d29dee0ef7a4b158fe69196b0683f35e8b4ba65bb49b313d92d6f67f72f7c3e7de4dd884d72c786d66bdf598a15f9ac296
ea70740343d94591186448ae73eea6101de13df667ab6ea1f55aba4c113d0ac42bba7ec5bd1d56b6bc947045595c76c8f69339bd2f193de246533010f42ac93ce0af99f40ae8bf3a30543d6861b2ca306c0c081db792af448820409c05330bdbe44f70c5561dff8704b5eeb712acd321fb7bd58c809fb11d017c34879854f153241741fdf8de35356bee7a0cb40a726cc783175759e266ddbc98e3e5f822024e3359a7fec0e09f0d1e214262ea209a9ddf12280e28723393368817de6d200ac6f9d14cee80cb713547cad55333acaff3a32b48964845501bf108e8f515728b36726290b478f7f3da9a62ddb1d44f5ed569c7cff30451b1355d3491eb80345cfdb938475f9d16181cb1e3d733ea45aba04cbe419b1fe39de514e8b00db827fec195ae7731b2a64ad258c1cf2d4cd97dd9dec3564f9ca74ed625830ed32b0507ad8c97f63f5a2b39bbaec04b3b889b6d7c9fb98993d5e5ae40cd6b6372bc631d37dac4ab3d48b5895b0030e002e7f443bead14a5777ecf5ee99983b3c0f500539d02ba11cb4bf3259906bbcc34855e6d4b2c49316816d4d17340d8938dbbad5f2cbfe83da57f59e51c9eb6ff6215f794f6822820b05912df85fea53c046dd6e88924a18e71c0cda658b58aff26194f88df81daf06ee0942cda0df18b41b0e230b305b4f9a47fdb18c6d68cceba1f24f2756bd96a799112c3485e394d2dd9fc87ab1b4651ad058a3e44461d2c72f038ff881104cb75cc79683a9d97d881cffb92b05c12bf4d3ab4dbe17908fb799eaffa9cafa4a61ce20aa4b3ebc3c75220aa65c9803a77f181da3924cca5f6059612e45486106f22b8c891f7b14662abd64b3258ed13bdcd6d1a77c6a41519d66063743a1918bb13e9b7577fb6bb7df23ff1b96e782bda6394d4861a7e0ac80d1c6cc84a303b7841e589d66bed37ccc05f4e9b4dfbc53d3b50d50e02c87d41f53f86decb39c706f5372e9d6e3dde53059620d27845f3ed77cd5899e33aed5c4fb140f8e405fa2e0e1172eaa7d4e912987a0aa3acf7c2d8e94d16c998c987fd404b234ef7361d0c5387e6b9d55fb972c7dc217226ce13d82a59311fe269a09c384e739a66be4354791f381e74cc5dfb9a92fbfff8595df24b403eafb00473eb0b2e7fee36dba4a908938bcfcce961fd10ec29e56dfe40591e13d5e53f16c8759ca27f80ce904f2d7c43321097595e907639f20f9e8dce700c39d0e442da887a4df082eb7e172fafdcb00b008caf5523d1fe5f240ae991496db93389af4185e9c9ccbdcb9731ce7a770ae2abac9d8cddf313231a55e1277bd36c1e44842b3872555ccdcb3a0684591321ff15dc6d2ceffd585dbeb990e4054fabc18a9e9f1de13bfad9de7f8deb6b6c472c423367eead525004defa9e17c67902360bf1
63a01e98f6e755cff6282aeebd1e8a09715c15b9edaa500de074c28bad6d03578c5e1c87be7117f54eefc3313c38b61d88a6a50a0f36fdbf084cb41447c690d3ffcc8314e91ada81d34accd3e06d19bca28fb49bed5e32f4ebd54929e4ab51a659b81c1c35df9e514769b9eb31d71d437864f54e992a2b9b15e2fd3207817756b486d081af397b21a258443d86a20a82dab3094a4883324791d67cea918bec7994abcec180f8fbd4ae90ad2c785de7747308d80a7331864bd1a9bffb514407785193927405f778a166514a339bfe16f5cb8ee349a08e25b94dc351c72e98c6baf186025060cd98d7d14bf8ee060240405a1c10202cb34857ab674eff41cd46c03d2ffccabf194e0f351658ab02d9a1f92830617de69135509534647bc4cc205287b251553fcc7689d5e669f9ba4bdb4036e064b2a791ea5de93c66918ad61cf10be4f5564a071b02b9365bc587316e65bd1264fe1f8dc7d244ab3319e9a905e244a0d000bf3c566811f729d10f9d81b060cb7ff93da8056d641f93121c50b987e4149d44c23491e9de6a5c1d6b26f644b3b020627caf32d47f95a4857b36530ff5c5be38ca37b90dec3bde10756158d6db91bcbbea6665fa1408aec0025d9dfe3de8a57b8af300179bff26032e61db60d6e20acb671595056fd65e84038040f07d46dbd4cb8c0d3ce9fda002d22e24750f145801af85d782681bb9b1228fb281c543e5dcdef84b7a2626de59e1ec79e44d1a230fedda6e3037b0e9c4ca475dcd319b86bd4ab2cc3cd5ee47857adaa88e7e77afaab3fd85076edb3615ba44e97b5e181b5e8c8611784854a8aebdcc0983e0b837455a2901b91980b05efc9223d206dcaa5be6745cbdfb6f9af13873b3773f5a59beaa0f4a36ddd383d63e12f50e0f7c533e6a559e545d2851d04bd36e412d891eac7bbff39936937fa3e4fbfaf51037c50a7d5730051e4c6984f394f3f59faa61ac96fc2ba4e33564c2bbc607b18ef8aef19b88b7ac63cef3e0971fa1156233373fa5b58f16fa99312d84a6b790e7a663ba05e237385eb413e4260e021ba387912357fed39f1366e7318ebea7b921ded5d9f9ab5a86121648310f0904258a9e4d590d65431d23e622309de964cb77df8f2807667bd58181e485c2e03c295c15e5274c706c1a0027b6751e40959a1581c710774bd5575367c93c17fb8444976e384711d4debce09754e97b048d47b3dd82f75fa93937d0722cb2379e8b4b02675991ed1bc5f1f15fea5fbe59c63a2991af998a21991f1d46cd3d211a532cee732ffbcf55b28790c4badba768c57a2623df69b396c2accf925806d55261b7087435e497452975b15266522ef97637956faa20e8ec653c9c0c0773603d77677d0ef1ec99a0f61cccf7e1103051a7852a0077f973369f6d
8056b79c537aea6b410709df6937b6b7ce03398e1a7a1ef8e062bf5b5a110bc0daf2765c92e695834add9ac03f5ea56f8ec1d64a8fad07410e3019d84c0e7cdf1c49e95091794a3aad82abf63e9c6cebabdf05e80503d1ba7037e9b0b35aad5517a02988a343b6a4af6d8277964fcd3e720c19ebcbca7c4a877c4b17405d4e04e2bff036d6f5e8da62d6ec70d1cdd970e8ba36f7fa956cbde78925a443b9579be039e5653966e745b1d93c62970f2907fb535c88820b95b24409d1bb81e0cdfbdc397278a8b1eba6325e693a93b550dc2d7ff05598f8246794b2d01b58f30324e44c439ec6e170b692ef2d552f332242101fe24586564b87e4d04c5c4137f453451dc82ce49f93d50e49acf2b966d0d500fff99b984d70faa2061187369a3dd50337872c230e6fbda2420e565886b6eef53eb532239a98237bf8cf3549f60b083d81a16e6a30c26a74456fbf8ddc2476784e776df7490a31e1113cb0d876d5ca9fbfc32cf6081f7542015b41ae86f9c0bbfed2b8474bfcd78284467c22f1d6df54bb3e28f5cff007e9d5d5597c837a72eb04ef8d1f3ac060b9f1fff3d74da35bf1cc3ff9d836bfc8d2ccb07214afd357c296ae04a5ce01fdc779e9b4ae6d677c6fc48f7383064f2d217d51e390609dad933022ed7c35f89e83b555c8e3ccec204e593228f3244427cfed43bd371ee5f584ceab01f88d1c99474189b876c9534089dd5d0460da833afb14cb1cb1f4bf8517fff86f94a919b9f8eeb360887b139f675905ceeefa05786fd7eaa8cc6010ee286989b6269a45052d4c62f742bdc252fbfdb2166f9b0215316ce569d53f12d7ff1e92d2bf11b6ed6aec3fe3f62c49a4cd2febcae8e1b44b38eaf1a6e78f2da3cdd94edea7150000d7015cb652ba46d3b2315b649edccf47b51d4585dbc76064a12b05ced6fd11fe3703ad2267f96297bcd455810769746ee264e73d9043384e3af7b445fda9f12fffbc7d63cdc105ebf8ec1f52475c73b06b4af080037babda8888b05b3d0051d7aa6c949140df65806c8366f8e3640f5a7470262696bd3cd4db85502cbd5fe22bb0f59287768fb9c52e6933e568e0d3ce7283a420c89fd04e93e565df0ff68cc743cdcf4dfc7ff09cbe8a77a020804f4c1761284616d958401f57af9dc71362992b3ff3439ccf85f43b6c0850989650d8f55ba1922a6500d272dd42386cbb23e6e67ec926a1ca9357f4c84b767152e6c43617def94ac6014aa3c6ca841859dc57524a722741246530da550671ec17d2a342e557b43c08a93c1267637fff37ff4a4085528e7ce6d09de642996fff98688544a7c23bff8b6fdbe533424ccb119a567f1f15c0b4650ed80efe24ab4d1c1e33305afd2ceac682c0eacaa5669e4434f634b1c61271d95b0095c7b1a62a2d073a
ad80c51015bb5150845c118633a3c4c94b7463fe7339182ea01a7e28637c27b5f86068a7374ae77c5cdd6dd9b469dd9a475c37528e2f1c40132359e9e65e23ad4595b160ad9a2d83cce078f4d6181fd3026c2a0b1302faa69a5180a2c20b3a32876efc2a6281c409c2e66e00deb53098197f13185b7da589b0cfe2a312f0f61efab29a7b1b614faa57ed37e01f8b0cdfb2ea7867745d6669a4a895b97e1ed24c2f3cf23e8851138d9a640c2c0b321d00f0a4dd9a72fe5ba43ac47dd31a014d31b725ee28cd8fbed0bc78145980b586d371848bb96748303d0ad1fe2a2e7f5dd34070c6fc50e109dbb15cddcbc04e1cf6358d1050e6319a34f1452f44436d8cea137a37a1dad13efc2b9a9587a43c2c3f3d5aa32c0978520d24dadd18efa812a72d33b2f441ac885226555f7cd254ab277175c435683c36df697c2fb536271948e538dd3bce3909a5c8c37e97ea3736cd1ada26f13f121a990633d95b59e67393432993c0c84fd6d52beb7e3d02a437eb281af573ba1c47f373f6ccd6e0b183a21cbe9fdbb82ccc396f16aff1999fb839ebcaff97fa0bfd0d34cf8e57606fd82341db318e40cd9e85c154465dcce1b7fd8b22808f0e0d454ef9a2b5a4c35c0a125b9237070072d1cd827cfdea8e3de833b0814c8ff260e6b39807ef86ac677abdeb507dd57f6993d303d55517840bd7af1db3980821"}) shmctl$auto_IPC_STAT(0x10000, 0x2, &(0x7f00000042c0)={{0x2, 0x0, 0x0, 0x3, 0x44, 0x7, 0xff00}, 0x80, 0xe5, 0x0, 0x8, @inferred=r7, @inferred=r4, 0x800, 0x0, &(0x7f0000004180)="b8472da763b7f233e5d2387c998ed4355657", &(0x7f00000041c0)="10f121593543ac483ee5d9fc0093e203b927b44bb534a8711a28df30c87570f25d8dd643467a2c9e531e8a4aa6e033f571b9feeae8b65d093f915628885d3f028c3f4447632b36f22e16c1fcb5e7bd6992c089df961fee65da52263c865431c8324d25205427653902000ee5f231b03df00cf5b4ff9f8779d331a8b511c4ddf3ba9b68b48133a4cd4f26e7376650cba610c62a68f4810220009706a85a063103dc90df67137a34a2dc60eacd868a66d7f68e69c04cc195fdc8081c4be4148603242caf94670f9e25557ef9ada0f23c5961fc07fe58c78bff013f8344dd9611e2314963bf51df6c984c56b9af"}) shmctl$auto_SHM_LOCK(0xfa95, 0xb, &(0x7f0000004540)={{0x9732, 0xee01, 0xee01, 0x5, 0x4, 0xffffffff, 0x5}, 0x80000000, 0x9, 0x5, 0x8001, @inferred=r7, @raw=0x2, 0xffc, 0x0, 
&(0x7f0000004440)="aeb6d5073afaa31c2e2b2c269112dfff493937392207d13fcd1a8ebaa997fd976ccf817f4290a89565f45f54382b313d3498e2a676fb908ee4d892131f01b83dedd09498c8c2c56df4ef1c8232320b42d583cc6061c92cc06c764fb0d446a8b9a5f1903c9b2b2ba45c1ece47cd249f201b457ee03c79fbe26feea6dec142689ae21b9ced8439f10a2e3b657a1e3ab73854c1338b6db905248ae4bcee973d068e9bd49bf4f9e8d0177c72612bce4ef6b4d76c093996de65", &(0x7f0000004500)="24a7291c4abc17ba4acde1c6fbdb58896ad27dad256440207ff6a5e48ff2a6185f2c"}) syz_fuse_handle_req(r9, &(0x7f0000000700)="2bce1778fec9a1286bf6aba53c3ac40286ad6aa7112d6f2fcabfd2ba713eaadc8139e14f618070126ac3a38ad9cd7b5c94b1783b2611520729353d56fc5bd5cbd4f11d01359ca9eb2e0c4cc66095846c2b10d41eb84677f1c352bd90ebfa66123a7a19f45caea84f12e77657933246c44a209a4b9f155687e2a4fd902f57ea49085faa760119406827db2e6ade2029f8201de47e97b133853ae73214a796e4818d39cf10a8e6a6f11a88e082c9aa25857a67a32f35bc8f867f044d0f329953dc0602249d83197e0ef5c983b9d556bd527a6a599f52a211f9c7113edcc0e93fc18e79ed69fb2a7fde97c9c35e31e35f077137c8fd8bec401814fb99816d1ee5a5e7edc210c610970daf8aea89acbb754082d8f68eb4a0010653c70684a8dd7c002ba7e461c8dcc45c2286da3427351418cb24a94d6556d69e2a319b5c0e69e6bf111a9c45467c41575fdbfc2646dafda3179b0fcacc149b45ef10dc13f5fce2e4a2c22c2ae992bc6bd51323e724e466c736db1d3457ee0f7de147661dbadc942bf0df2f089e980381ae888ab022fb545c0343c4087f2c1b6ae0cd21d0fd6565790958c93a6759a5754b700a6f53abbca7d22cddcdd709b279d111d6ce1fd791ebcaf260480986b321ceccf955618bbea2781d331490cde5734793ab075f5a729321aee177fc3c20efd0797446e512c625a3bc1a56f4c01889f574933b726f7437ee049491bcb91f1c63a0b175e2ce567507dd354bf26b08059ac229046a6e75d3d321ee63c5abc1a7409e207e6fc51679df37bc7ba339cbce32d45a9609068851b0a7f581aaed7e995c36779d07c357e5d976f6deee4f3684f97e7c619d3ccc28722f130d936d3c073b9bb5194eb9ff69910c6a3d5858c2862ba8ce9425cec1e801182a7fb5c7017a4185d13feb353829dc681a5619f0a02db6ebde860cf7c6294d2145f9a5291849762d93816682d19189dd768280df4a68c80801f66ababdf722ec213a7b7f58c46148686900669bdb0c643d005d600d95c5cb5d28ac4cd4c7022294
352ed1350c4e75fe8927895392b0062c78292fc15ad7038d1bddc994535e73ccc33c9ab23311d6f65de598f5ee9f9134ca4e4b409f21b0b0e40f36aa5c782b7bb864707afdce1e7cfe5a27c1ef3d2dc14105d6a489b87e7ae167ae87a5f3cda0b8a622176297f5328b79690df98979a4806dea069395f5b8e5bcec683fd39b86bcef865de60fe407291d127c4f0068bec8ae95738fce42205ef7cbba2a10766e32191cb4e50c06dcf6ca3ae78c0caa658fd58b652cabdde1dfa9d1f54a4479ad61d25a47ff08b3122560099bdec55deb110e406e08595340887e49677454b60860153c4b1f7cebef25dad082f4d3402078298bfd390bc766234595918cbb3b6cdb9961e1bb1d4f7c7f2401a8d80ac62b14624a3b16d97046fcef8d025deb794094d2cea50ccbe272e1c79a7167803c40a4ccee138444e7a415347783bfe0ffda3d50016d0f6b1b06126fcdd9237aac400b8549e4c1917a25db59cdbae29d1ea5bd7d25c575022dc55ff32ed42a610e239479beab0dd62a30a4fbeda0fcfe1d0b613a8d066933466a9ab31262701d08e77928f88cf8a838e9729893e55070efcc83736f3cb32eefc08f240d449a61cdf2116ce4eae7b9669ce6fc528b9834012b0f7c5425c262237ae8a301b6cfc03a579cb109df417d8514af612d320d0ed96b7f7e4a48aaa30f6c8f427db2f981bef360b9d8c277c84a8015f49bb8840dfdbfd5402a053fbedc0751587ebf6df4d69285cc398e98a7fcd68876eb2bf6f94fc0d03d7a93b1446cf2ac7ec11f8c3b62fcc0741c376d15ccd8dc9c85929453a177bc2424b374ccad51a57bd05290241e00389e5d9733dac843b25f4394db450fe16fdcbb56333790044d65ad606ae8ca97ceec3f809d789049a3298881339d2ed1602f2bf2bde3cc87163cf1dc3f8e32e859ac7b2d271ae42a7ad05e6fda9b98c14be9a3f65b16253743995982237d3130d15a18f8f532a8d0273eabb3386702859833844781dcebf2164f0a4b1411d88299fa82e7bab71a0836d50b418a6a47f747220fefee2685af32c2de7c3375cca11914f2da17ecc46e635afda8c36feff10c7d6ebdcf7da4414b4fdb28c42f738c9561a656b01ca0bcb0224ec803e6a23864e01438974bba22369212caf053e560cf11ac83ec0485f570f6e536744243c211fdc03cb35904f1b3ad1e7965d4731aa048215dbe3b33d0963b0d5c0ecc90fa99997f19b583574868b4081c9ea2712343b918d22fa37e8df4db670a4be4295f699c924c4b7feb71103d9aef0270ded29d4f42af37a487e2bc8dc0b0bd3f6870385a1a8a984220f79a47a981e987dca44695ce6487d53c019010543b204222efaef7208dfa23f808c45613d514468b97fe57df911eac0c90ed04f00649321c3abd2701ec1a0122b4
bb48377b5e9251c0203faf0898260ff747c5a82eed234250158851a50906ac5492719f970a9062005ef1675576351a8b3d9dda735cc65b8209e98668b8d497885fb1d91d893e3e3fe96dbf56b61c606a8463c41fd8c9be64df1a595627fc711438eea8dfb73235a47be9c03704feda19e54f65a2876294495aca4d611c9b43842915fa7a51e45e16c7d22817c1b159e0bf53dffe16ed634161be4cc9169c952b0bb5fbf445aee0e9d386d300611857c70e95cf2e42a3e79bf7c202b77ce4f52d5e8ddf50d5db3fa10e95f24d656186d356dedc85c6f8684b8102eb019c18da8a663d70be24ead9f1dced78bd068a6c9b324dd747734318ebc62a4a9c74eb3422ccdee02f947c1a76e738542806ff2c9c851ab71217f7539da9c3350a1fbd5e5390a048ccac1f5413ab2d8147d7b2d7d4933e24d7ff0d16fa34e238e931622730da47e8ee853549f57d8cd0411fd3ddcd5d6bf36388d0368662f95dae7d3bcb932d62e0f895a56bd879d1f57043eb6ad46e35976c4fa6244221e9a68fb5a93f2568c1772ad1faef2aab0021fe7dbc57f3a777ddfe61f41cc3f7db0bbf637bd48f72d11dd052fb4e32520d4139ce9b920621f1eb6f378871f1e794c38759650a0a742c0e3403b6be88e31920c0f3afb58c686beaee1d65d6d83b8eafa7d0bcaaef875efa7a27371cac0599d41ba51aa5ce65ce48bca24d4a438e6e3ac33cf1fc7cd8cc3cd9b75116b53a09d98141fccdf0b08d8f9d6efded52d101c3ed6b27f6c6e42f9ba199f39c9a337728bde05bbeee63e4dc680ecf0f020bcbbb7b6ad0ba9b2aa614391e8aa41552137356953ef21535ca4e3220a26f061c7e78eb424288981695e651f6da9057c61102f5d58d331358d691ce1bd7f68160cb76fe77f03ffd460ecda1fdb1a78333893f1dc5d0357dc24335d3f12d7df9133169d9d21445b6a58195663da0330631b732c1dcc3e658f237f0f69a11602d4cac6468353fafcbf4cad1a3a26d2deddba7ccc886347ff059dacf969698001853307a3c5b3634dea162e63bd27b7c9dab63a67059299d6942675d10688a797d6b5163eab83b45b18460c28d6a83371eca626e9bdb94b90a11a7fb7f7d9fec0d773cc0566636292c7d90de6479ae9ffce8c34e284ff2fb4da4c0b4629a023f1e9c1e79c5d6bae6252cd4a30153e8c1ebf08389c206d66bece902ed877c36756b3f9cafe841ca61bff315fae3af3a18563f71a77eeb6fde0db2cea7fe494a78391afc1b21b233e0c4b4a1a23eee6feba1aee1124eb04ec4d23b6ae5ccaf13acdb656c72707fed010fc4ab31ba093a22fa85e47389acafe2a22298e51d36732695008e65affda75613bbd22f869b05e9dafe411da8549f141e018b362049c6af4ed782378172c55ae7b1d005a19086c2ab
19742ff7f9b329dc567f614730ef3e7478b62209ec2db90f3a6037af0cb7bdcc8bad8b32864a4167a370d0f916dc751fb28ee9c800e59e2e3720dbff363b28cf2698fdb3061bc39197677efbca4f86da8a976a1fe5f9e183ab9f3bdc9ab6ae44b8713a1ee07b894bf37490464f9d2c4f5a2a46c6b3035343b926dca5d993ecb074191df0e50fbb114c82b369e19d8ce958025e12a6e135c33c4e7040f2e5e4abb143bafb7c712144a99109b00dfd72f66d6a5d7d1e6aeaef794fa404575328feefd9c208ae710236da12de525c78403e78fdcfb5cb3448f93809eadbf8c6caeca702833a3d30bbafe94ca14b5e91864aa575409498939c5b2cce2d33d1f14ae3d7169ffd51a7421d2be6a4f6ce0d7fd5dd834e020c3e69cf5debe69ee863f5702bab78feccd285ab472b56d1c06ce40a79ef15c072361636317413726643c950c67e576ffd80d5f80807b6729736547b00a0d458e93bf964f47da3507747ec323d3108c449826224ea09afa36613331a961c5cf259252d0dacb502fbc987bbf6b1c8c6225a6c0e65ebb5a55945c5a064ec346f84270e3b38a12ae72c17809975ada72bad05a12fda83f1b00a42310481ca2a0990b663964e194c925c99cee86279f62c64548a57d3f167d6213accbe679a9fc204d21031f64bd5f68e8c75cf80af207cba25aa42fbc7df0734257000e5e9c223366d1df46f508b8a8fba4933352cb7c3f0e25d66d8c5129bdc467dcdaf4f4a871fea52b707c85ca1ad30f00804ba500cfbb2eee18c6842091c120ff9f5fe915a75a623e5407e77b2f2d7aa46e24c96986a60865517c267945d391692a1d3feffc935576787c90da846f959e26eef2f98ce0b13174fe456c5d33fb6bb65e8603af4f102929d8422b8bb5a24e0bec7214ee23d9b8dd07e7daf18d83fa66d849b91c708f99b4685c7b5dc956d95c7fceae7759feaa0d2a01f26b17b9e5a230c18c610a7e724db79becd4ac0f176bcf20449e90c3fae89c3a993e2f9c51e428dc0bddf67a7cd11f9ce0dafb4277c3281b88fa7138d217d79fe3ed72b195f27820e33229c5a6d7f493720f9190a1cb229a3bea0a78f629d00593c988c2d3fa09f8935e25bcd4ce0276a16f2306f7cbc8912523591ed88921aa7aefe26712f81028906d730fbe81995521e02e3ddfca0f881cb98a661d2cf8d1fc310845df4ec588c2b30fdfce181e6ef9a654e83fa69b773fb51717774936e6d037754782fbff13d32a50c75e2753bcaf4ae373526e610605f07c677aedac8daf379283f2e59aedde2c01953d1be4591ef165ca1906debdc0b8e47def1a34d3c3a4c12eae89668d143d1b0984f945044709df868d0975514dc1093090b0fe42962345ef40b0dd84ff7a20f394d5b3fc5a55d69b4bbd00b53e3174c760cb9
c79f275275558c6967f03cb7b54ec6c2a8602a5557c48e0cceaebc38c4cb35f171fa42622b1e8be6dd323375033ede7bea93b6d667758fb997ccee896cb3a03e47fe8b51bfefd7165b4b162546c2e4d46710353b73f6f1dea17e442b8272f6aff99c864372e4c3e5631bb739b59ad1235a18af7d59b79320a41b7c0e8d64d5a79481cce1e31b334ab33e92e6a4297f3def0f1b34675c7de910fe38e494ee014bb844e707bd302b24786bd6062bacb82d527acdca236f217bf0474742476e6a9325d9ee282dee43636beba541e6af65bab1f58233a6f558d8c6019f4ee4c8e833ea1618b053b3cdb8f88f09ce1225a68f319de5bc583eb3d22f2732343e9c0acbd8efde7d9c0f22406b9d1beb10e7bc92807c7bbdc00b1d88534e65dba2562167e2cf12a6f4b1e89b2495be631fe9a7afaf3e440254a2da7eeb261b40b4b2c8a2257d75b09b85b81d7954ac55313ac4990c54ae40793c2158cfebf329b267405dd2a5e76154d21d74edd4a1e086f0f240e71996a04e8f96ec8822bc5fc91838d17d97b03cab995833aad9fed8dbd944fc11ab74fc515fd8bc5c067424d32dbb99e49e0d42a597dd807317d669df7c08979dd647cae4b9d123a644037c68fd7b454d158b5128185b7a071b77453e29ef5183c03f3dac2758fad6673d17b95a42d428b56dd7acd6b44a15f8a6acc4c73d23fddfc44fe57a9add195796cf45c0006f6a24160dfb879862b011e74b880f5a4f5dc8053a1f2c7d0e1d772c62ca028b09cebac88ea7a8a1855996201674f2eb71ac526c0a0ec4493daf01a5516d2bf88bd81172a2f75fafb3cde2c92b7a020e0767cbdadf655755c3715c6bf9cc3df38c3834a7249505a689480ca3a978792ae9befdfb3f25e3dfec22a90d66acbce1633a297cc2bed975731fbc97c09da8942265336d17b13a52efff98626a8b7b188cfb9dfd33eb28763408732bbae7b80122a91ad9813897757effb84358dbd62b0133241ab9afa79e353f5e7db9163921d65efc93e408bc38ff95842905a913d084d24fa22359df710b39694de240389831e344e9d5332ac0c5484edc3a9ac612f668e4e78180109e1249ef5dc27cfded52ea37ef3a7d1d0288a9f7532fb9f3a380294cf03329628fe8fac3b8121130bc3dff51ed6f8300806786f9e505de5d25d687c402c0bedb7d41cdb9cfb87714ba2928bececbe1aa32dfda001707c784cee7f6464877ef8798c1608c487ce088d07308b4f1672fb28efad8aee845ff99e00db8d0a4eff10e7e0482e10d2d4f536b90a17f2cd0649958619a3bfc4c72654ab9a0dae3099d6958cc43acee94a4501524e0a9dd76700d81461ffc9cde222715d4c8917c2e53560b6353a098c948ce16131bcac5694846942657fbbd47d14f0b9e6e0e383e7d60efe2
d9935c04dfee10e22f474cf382329cce12ae8d210ffbd17dd0f1868f6c10aa34dc1fb7bbb7a25db0cdb0afcb3a523445564c6bc6c0f8433a6775881852d9970aa4203c9258a944274168899d5a815d665037da716d5304e4f26c289a46384b965f2ca5aacc1c8123b54c14e83a59b99799648814797784254e3fccca53790ce3f0c24ba01722d42baffc8168a36c95b5388def137e6c929e2ed1429910d138e791f8c45c37ea0b8d5f25dbb2b43a4c2e0527327a5847df44a214222330144d26446366764f816db2847bba4860f22dca28aea5bad298dc4e5888ce737b1696c952c2a515574d10d4d2c3d0a21232422d0d600745862a31513c978c8442bebab3e3efbc5bf0657270d1db26e979cf50ef7a3cfee880f77a0b802c7b371bf966a5413d6874d9111e7b98a972be26e28fa9ec1f779391e3a491d5e8695f73d88773a3d40682ffe1cea237fa5a91d48bd82d8ecd25e6a6292d1777e38be37ccc8d96cf9d191ba90585e728dc415bc406fd94e53c674071df12ea089dcd94f9d96b0386f726051267c96e5c3d7949e85502b5da43f10493baa2fd77a02faaca33558f78f09f00433ba991ef1b40c5999039bee177fda3ba5dc0925162e59a8e327c19e7d4e0aa8f1371070271e003ce63f427265b6a2dfb1d6864f8cdf2a9d0f8b38e57712b8543a20be5024aeffd250a106e783a08a5ae385ac9a576b3c1b09036c50f1a8d5699f1bad3d16968f11e9b1f54efdf3c2ec03a1f124ab5e5c453d19b939b68d0a339951b5bb55da3eb459c3f86a1de1b8b9cefe6e60d14d8c6143145e24a85e9c062a8f6bf5c9a51b2a507ffdf6f601cd7d10a7f3cb16f38d7f2c46eb2c1ebd205d5b60c5d5ec3d60e15189b9f445cbf29177b8355d8af6bad6c6e3adab39df71ee2cf90df9ab86808e62d1ec24ff2bde6fd56a231e4e556cc227f5fa6d617d549aed8e2e366013d8a2c2899a5c752620d54471f9cfe17b687fee42799eb8621cabf3b8176df654b20f348c9167d70e959221338bf47cf3b347ddb46e4ea71fc8250cf4818607a35951665aeec1b4684a9f2d54039b644e3ffcf5ef2a2673d97408fb9c5b9ee802867fcfcbf3ced4295e59e78365de8f38d98066bc163b755568bb02eeca38e04fe45b7809cc4424023a23b15e374e383d01e02dc66924847f372d8adc3b8aaddb6eaf9575f524251ca6fea93fa3357e81e94715fbbe3ce2bbc0c3d447a5118d859b1a743b3e8eebfd352fc50c28c89d9fbf2087cbedcddadd1993a35f71bff4b6e9190fb1826fa2b308901876165c70417dce16ea0c1975574bdc7ccf8d92b3e772b57fbadee74fcfe7b73dbef59c7f2e5ba57b9be6843e06d0c13da2f487840737a8dfc790cd553c693a9d1268a13acfa44fa5e4b4f0da376fcc0ec8294
fdc01823897f912127db76903df2cdbfb9902400c86bf526ddbb47c8e49b673055f70a7d90081cd31964e0519d504c171cd41ab7997916a711cdec24f80f8039cec9f65bfbfa93e7bf228351a81892e57180aece3e6b0ff3366dc6664447fae5bed381f629134adfcc51eca2ab3276682e5d9f677b301d6e6dcfa86461a567cb9cbfda3d2f91b3abc20a5a7d465d57c507fe9cad8343d64f51be630ce818ab78e92cc5408f48025fbbf8396d88201c042fd71182c3d5dd62ace3ec9231f847bdff19b7bce4e04d1022b32d46c74709aa4963166aefc5ad6ed94701d4327f394e1c9d01fbd3f25903c5020a8487963008f8e4eedfe9c8d62ca9cd72a96239b1c0427cb4e17118219b42cb897353621d667a538d3ba3e9266738fd2524681fd633c1f71a51286210bc793fc89c0f043866480b7e0862b7a108593b2e9f8d1fc62b7c67f50dff638f9318fa260f3730cec7080afd743641de7d59bca4d321f031f35fa616c433ed572a39bb17b93c8581b12aa1d251541bb5b21c63917c5b70ec65e957c59c643a6c0ab002b546dd970350be2a57e1a8f0f46b0119950aab3301e5ca0543532e1f08199075609f22cb8c8ffcba4bc81df5da4ba7ae6b111b4cd9c6e2e6c20ada232820b47753d6262c2b9ea61ead281ba0c31c3bdfc06b8a42982282a215beada3ae9b2ead9afd24f50bc2281890097791cf37b1969b45ba7eb1305366767eda01efd057da567431c49e79c55a58954f12dab8f1b688513f4c3c49a5f27ee53750d89b633779980058789d26a6b1720be7ca549de74bdb763f4db1a6bb860b05dbc4775b20ced871b4a9d9d877abef6c4bb39d368ef7e7fbbac5cb88212d87f3c7620659cf4ce1c6eeb0ea8384a6df2f291334e58084fc55a3b6d7a8351f625a71eece16fcb52fcca888093a040f5f157ae27dd79d26ae555dd0d219b58553db3bd8b48d856b3e233d19726578d382be3d123f8656dba5e61db14b627eb074db68d5a69c9351174492b50824824d3d3af79295f05cdbb47c8ef7c85d815bdcbacf4b8627965c07c8e1079f201e50980284f2005a92ba8215d06ef5efed591f5279f18a2fea042466d783e10864e93a54b8649bb4436d886c78819e927c163c769c22fd6c1ffc509849f685acbc5c6eabe4bfb2e2650bab1739a6953b27a1846464ea8f56a76cd371a7474595949b6fd4db076d44ceca31122274ec568c581d088ee7f568c0024a491920401f165dd1711a2f9b037ef4b4019d2272e19ed5cf4140e58d74ae1d93018d09fee3263e8119fc7a4809459c434e93d304702f110fc3a40dfa78fdac5edf2425d8dc1629bc95bab9327032598c2f553078187c3d076f15674cfb9e0f182b68cedcec34cf0490901af10a2d10ac8731f79e60ea1eb178a60142
97a5a3b84b80deb5f3b56204cdaf3a4ca0bca0083acac6d2a563717eb70b9d8275bb31dd4da25f6aaf3bb576152cc598399bfc1f703f9d65c7ca6fc45d7cd81912071a94b4981728bd3fa532dd3ab95edc2c8a8792316b7828c17a0a115a80ee5f7c632fa123fcceaecb311915349c9b26f2ed275223d79bac0c137671c3ac5f489b42fbf5b19b3a46ae22a72fe347d8abf11142968562c6329dfb942249b593d37d17f40d793a48189210e0b60b958375c08993d34e3eb0ba6932435cde73d568d81e0df7f76dab7c1c1f7e5b764144896fe5a819a4f0aefa099e1d84f8c11202bc141f7ae03fb4fdbf5b6c30834a4dcc7f9a64bbe14076110b9729767e5f31edbf5ddc540f3a31a36f4a332b5a24d9e0be54f8161b52f76b78083e40a663c8d20bfbc446533c2c4b78e630bbc94a24d9516018faffedc2e85fb091deead3612c8ab241b12647c2e71407a9bbef11c975edbb9722ab6174a9191c5f0128c1e0f4393353689ad18b96785a7d8e045adb801afe79000f18ecbc07ea839306becb862b1753fed504df009546672fd65e60a2b523ae7477502db75deb994452e0b3f7a841a98b8c0b0e828f0ca679e1fb97f8df292e2db30f756fba177545a09beb2be193fb3a1a94d34456d9071e634bb8a43309302f6ce4c338d439270c426baa048bb92ec139e50fc457db0f37b494c591f67115bc9c522152d28f9cad1610bffcea139bf2c5e0239d4f8db125f0c668768a02ab702814ab61b57e0dd839549cd78c1d331d3cf42e0e94359df9f9d8d4fa2b982a1977cc55a888805646231545c2e96a8b80c9dbdaf7b7644021f8dbdd8f3c373a72a9c5a8ad05c67f50bd32a96e19a606170061542a0b1ee90e3c75619d95416e1d2f6c76ef08f611882c87d096b2f84c1b5f79c728727e00b0589ff867824b88939c3acba96f59a3e308ef7068bd4ad8478b9f0d6d5c90c8d3fdb1bce0822fd4dbf60433d0fd9a1d00fad05b135b0fca522982bd41a1d32ca9e13cc2de1809e51e12b540df58cc4bcacbc39453e62effe1cba62a725b7b690a531a169b16cd4fb4230018adbfebfd58ec476742a8ea7e8ff7e56ab463b345a84299867f857de6ea30759a8dd093e98f99c62f409597f9a3ddd490c88133d9831a7ddd0bbc3536d80deaee38acb1ba95ba0cda910f4b120a592bc91504f4b0d99171e2c45d4e256dc03fede68ee1dabf8029c99dec198c4aaddb6817f839f1da74971267c212bd2269f8cccd32495e8f7204486d985987c25a5cb7efd639b1dbd2506022f6caf24b09226227d8035cea83b9cb821ac3fdaeda5f22dfb1191593f4d1655e23546c84a8ff482789bc92f194dda5f614d6986eac829bab2b7a29225bd5517612d40fda6a153fc52b24663368adc2edf56b07bb22f1b5
d526bffb21282c654a7795a27631f95d885df4c0bceb0712bfddc058dcbf3283a8b96664df548340466bd717329e6d5425cbd8f9e6442ec4671381b8017e04baf166d7b14ddb516a624ac5c76587a00c6502a9401ceec48269c4ebf670bd1caf4613bce86e297f9dd0022408af5c7a7e9ca4a1a2c7ea506dccd7f840eb4de4dd3c734006cb85e9a0539f988ab45f593d1d9606122a2f106e9f84f52ff91797076103d042586846ff7305c273fe8eaf053f6f2c7fd4f118134a8c824bbb27e3191a8b192555c6614908ba5436a673830c27a63169d3c69d3f7e052a6b6de6fd2a544572cbce67f67a3b3783f4c8db2271a4a13c0355a92c6b036e5ef06f53323db1432bd5bed2601544387dfea3f5ed9b252fc9a20411999423944fdc2d163f66ba1826c7bd6da8e895efb19b4fe0f2038142d7665fafaf979c56352940b55caef5f8f881db23060ddd71f99fcab6bfe412beb2a17d106fa450914aa7920cb21267e16cb4943605609836149f1970d5ca6f311014d5b691c145ba81b4ff94c72fe150ea49e56070cff34abee37061e871aecf5dcf9f91b52a36eb993c6789f021be5170892ca80d1c2ad5bbce3ce406cfb412bd66fd6442d70ebe18cdcc2958c509341f0510", 0x2000, &(0x7f0000004700)={&(0x7f0000002700)={0x50, 0xfffffffffffffff5, 0x6, {0x7, 0x2d, 0x2, 0x400000c, 0x7, 0x6b, 0x80, 0x3, 0x0, 0x0, 0x1, 0x4}}, &(0x7f0000002780)={0x18, 0xfffffffffffffffe, 0x4, {0x5}}, &(0x7f00000027c0)={0x18, 0x0, 0x8, {0x101}}, &(0x7f0000002800)={0x18, 0xfffffffffffffffe, 0x4, {0x50bf}}, &(0x7f0000002840)={0x18, 0x0, 0x3, {0xffff}}, &(0x7f0000002880)={0x28, 0x0, 0x6, {{0xfffffffffffffff7, 0x0, 0x0, r4}}}, &(0x7f00000028c0)={0x60, 0x0, 0xa2, {{0xfffffffffffffffb, 0x0, 0x2867, 0xd7f, 0x2, 0x28, 0xafb, 0x7}}}, &(0x7f0000002940)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000002980)={0x13, 0x0, 0x80000000, {'&,\x00'}}, &(0x7f00000029c0)={0x20, 0x0, 0x41f}, &(0x7f0000002b80)={0x78, 0xfffffffffffffff5, 0x5, {0x0, 0x30, 0x0, {0x0, 0x0, 0x9cb, 0x6, 0x45ff, 0x8, 0x7fffffff, 0xffffffff, 0x2, 0x8000, 0xffff0001, r10, r11, 0xb, 0x7}}}, &(0x7f0000002c40)={0x90, 0xffffffffffffffda, 0xfffffffffffffc00, {0x3, 0x0, 0x6, 0x4, 0x7, 0x6, {0x6, 0x5d, 0x8, 0x0, 0xfffffffffffffffc, 0x1, 0x3, 0x8, 0x8, 0xa000, 0x2, 0xee01, r12, 0x6, 0x7}}}, &(0x7f0000002d00)={0xc8, 0xfffffffffffffffe, 
0x1, [{0x6, 0x5, 0x5, 0xffffffff, '\xaa\xaa\xaa\xaa\xaa'}, {0x2, 0xffffffffffffffff, 0x6, 0x7, '\xff\xff\xff\xff\xff\xff'}, {0x5, 0x5, 0x6, 0xc828, '\x02\x02\x02\x02\x02\x02'}, {0x3, 0xa, 0x1f, 0x2, 'bpf_lsm_kernel_create_files_as\x00'}, {0x5, 0x100, 0x5, 0x9, '\xaa\xaa\xaa\xaa\xaa'}]}, &(0x7f00000040c0)={0xb0, 0x0, 0xffffffffffff51c6, [{{0x0, 0x1, 0x7fffffff, 0x4, 0x80, 0xe, {0x5, 0x6, 0x9, 0x0, 0x80, 0x3, 0x7, 0xffffff01, 0x5, 0x6000, 0x5, r13, r14, 0x9, 0x4}}, {0x1, 0x7fffffff, 0x6, 0x7, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004340)={0xa0, 0xfffffffffffffffe, 0x4f4, {{0x0, 0x3, 0x58be8e49, 0x88, 0x80, 0x2, {0x0, 0x7, 0x8000000000000000, 0x6, 0x2, 0x0, 0x81, 0xb, 0xfff, 0x8000, 0xc093, r15, 0x0, 0xffffffff, 0x9e9}}, {0x0, 0x4}}}, &(0x7f0000004400)={0x20, 0xfffffffffffffffe, 0x4, {0x1000, 0x4, 0x7, 0x3}}, &(0x7f00000045c0)={0x130, 0x0, 0x6, {0x7, 0xf, 0x0, '\x00', {0x4, 0xfffffffb, 0xc3f, 0xc6, r17, 0xee01, 0x1000, '\x00', 0xc42b, 0xfffffffffffffffb, 0x8, 0xfffffffffffff3f4, {0x7, 0x9}, {0x893b, 0xc160}, {0x3, 0x6a48}, {0x40, 0x6}, 0x5, 0x0, 0x9, 0x3}}}}) r19 = pidfd_getfd(r6, r9, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f00000047c0), r19) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r20 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x70d3, &(0x7f0000004800)={0x0, 0x87d1, 0x200, 0x3, 0x92, 0x0, r19}, &(0x7f0000004880)=0x0, &(0x7f00000048c0)=0x0) syz_io_uring_submit(r21, r22, &(0x7f0000004980)=@IORING_OP_OPENAT2={0x1c, 0x40, 0x0, r20, &(0x7f0000004900)={0x8000, 0x190, 0x10}, &(0x7f0000004940)='./file0\x00', 0x18, 0x0, 0x23456}) syz_kfuzztest_run(&(0x7f00000049c0)='*(z,\x00', &(0x7f0000004a00)="f77ef6bf4c19c04aa57c4c2ff92ee1460ebf0e57595cc355aa22679547ef84499ef99d9bdd691a9a0ee19fba5fee97d9a92bb7ae3d754a98456cdbfd27da20f977f4bf4630c3ca421a6acf8d9f81d293d3a0b02327e406323e773c64b865c2c7a10236fbbbb9c9eac5d14f18752a0389a5815964041b844f71455ea12ddc9dcfb6e900a3665758cba3c7", 0x8a, 
&(0x7f0000004ac0)="a58109a5e0dab93137d420471cbb19fc28b13363208467ace8722160a2bd5fa04e7573442cee6621bbaf3e0c408199fa9834f59a314bc375b4a23459d2020312ab4194c9fd9c5864c82edc3367a0f8cdb8a0ff39b96fe339e352c903af49c77365b3acb2eb431c8d988b517dfc639532eed4ae0b4ed9c64d53b29a18fbad20223062a257aa5e183089cbfdaa0c46a4b8ab8dab0990adb18eb03e5c0d4d72ae0de6f67dc96de9940f710684bcfc0bd26cde3ea3fce39ee9d71faf2324cc661626b1b6cf4189a0eef57977918a8b3e2c135549e367e4a7d2527e24cb424d663f00266d3996d6fe636e1a9d035a54ff46778c6b0d18c4acc3e5b23a5566323e1e0a256661d688b18da8298963f74441acd2b82ba472242de35402df8f05bdf0d54b383787dae5ae1d143d21df935fd0305a61f83cc42a45ba77a5317948705b59fbbc921815cd56984c44f89d8075bb7bc5afdad2beaee82b73df1eb95bb0389c04a3fcf33dd342b8353fff76a627d69c5a76bc39bc57c99732ea8830e692bc09bef94da07faf89d6302deb5111ae54523c2c16a35019d120b871e797a9a9f12e2d3b73e6ef1e7b9a4e8048e36b3ee1721b98743a96cab0c508a6a534058b341f4d917fbbff140b8c5b51b8b42c605ea4d2b0a935c501d5b9ae3f1ff3deba846c0d596308f1bf3e0496a7284732d79555c34ac567d731b4677e09287ea315b3eedd503596c4c601210d7ef8a6316359183e039d5b211db87457ea44f43384e3c37e668ccb54964b12ea874057cb6a75559812d939bed5a168e7ff02f22facd5fa33e3067996282f603fc71676d7ea9e38f7ca727b18b933adf118e8bf652cf36e2147b97fb298671a62480065d517c935c5b5d76014c13aefa1a7606018648676eacfe90065aabdeb53e1289471682cb6a1f3efe7d1ca73fe8ad262442414b266fe7dc1dfa1ec7135e9e64e1bfe49a1bfe7ce3bada05f01b47ea14a4c92b50654d7ce442725dae73d5e93f722316920670e213f8b09d9da58df0eecd0b0d98081d5355300e0231a0543793dca00255f3d189b046c999f70cdb5d4043594a486a23cb9c78fd4c0c6c3d9858de57bafe71fcc1cf3327a63b0d841bca21c72977a80c9f4d3dee4c10baeeecf7ccf8071b1f618c749f3b0fc699d910e5282a431a9767c064c7010bc390f8285035c462ef24c879ef11f3e42eb1513791c7da91608a95e5e2b4803c946dcd77b7ce004a6d8c6274ceb2ca3e07cbb1c41d70522c6ed156dfc3db146c3df4f2cc286f4bfe994e1d7e20cae2bab653590845b7105ccc12773330b05b52763bf42826fe3badf907716d8507f8e8a17e51507a0a9cb37e6a663e4c17880e21736f37d17f173685161cb9407007eef711927e6c3ddb5ed72d
f605cc1bf3b92af0a86ca60fe7f042cbdaeebd9a419b144d2772b10e673f1538c798b82f48a143abf4dfdb76f747517a13ab1f35e598586cf6a7fba9371b0ce35b14cd7f34685ef0c2afa71ce7dd13b4c31732a98dfba7bb9ed0dc35a8905debe4f7bd03bb2ee00ff45b955845a3a876dc0426d23a2c524b819aa04a671fa1cd09dbd35b6e63f64f9930b1f4ee1032e46adfbb94c65bc3d9ec61b6faf65e76a572cb3173fc3eff366435d99a370971c85274736fb87e72bc74e2eb4b6a195e4c7c4de5ca2d65b0ba4fca7fb335ba405b8f1e5ae24bee8d554d82a42d50fad4db1bed0570218f5a47a2e156d76c0956cab5c3a44d63abbd2b8dd54dd3055fade3c31b5946daa3cdac4fb507b3445e2a414d35044938aae903adde90f8412316b2a3b6fca7a908be62eb8c5460f3015b13b5ab43822538cc9b860984a4a257bc9ef6f7fd9193840c3e46361a1ebfc9117dd57f0d7e1cc21ddcf1b17ca21a8fe52108184730abcf9c0be332ad8c37fe842f65a54e869db23bbb6d44aefea29e1ddc32788d242e46989fe3ea6908056591ae9ed91efaf199618a6b6362892e55b83f83b80da9e0e716a2c6e42eaef2016de831f76a7c73c2c8d847595e03dd51a0e998b74b846b8c1f7ad4c528bfbe594e26b66b6fd9ae5c2701f1e1924a449634d64171d2eb2ed04c5accf540b477ce77474fda9fdfbe294b1c1bc051b8f3cadaadaa79aec8a99190afe7b64499d19e9dcb61f3d63c01810726b4956c28101070a1747de55f9baed6ed3bd4dccc963a2a882028bef5805a871fb35586e124616bc141f1c2db9056ac2bd367789beb277dc9583777f5708a95aebca263f57d96f70783919b012737c2c64997b154a26d5bb01fc5a288dbb01cc37e943114cb4d375bc82dc48737e15e209b48cb9645f408218751ae62cc86a38f37df83a0130248ecb35c484353408a343a02704a56321a7b46b6518ba59892b5839319d74f4ffd52efff0b25ab63d2bd33dcb193b785c87cedbf9985b0cdc7a105850f8fcf601647f299b6ce3da49bb042a3d6705a877a9fa60d16a946f2ba38bc73f03702fe63fa12814e9c0ebd6fbf41e55a88b275933d221dd957472c4e0592d2f1bea33feb1a1947ce0391b23b46e1244891d2507c0fcfdf60213e2904246fe0022db77b15466525a8e074ea9229f11a2ce2fa8b3c2184e64f26774d723a01213a7deb991b30e4a18e42a94e26e553c465b85397e8344c87dac3ac004b6094da9ff287b9100f770c7d5b919a22f84fc30534162660ecf71bbff9bff48ce42a1fed6dfdf2930f2974e341f6d8b4e9c551ee437934702e6bc0da5515712d7be5a6b49ada3b6322939df6fd5b319475e8312f41c5d37f52f82e7598d7d71f3001d2db5431c5520ae57ae3c7cc495dab
8b7e8d04e5610eb5111184a857af2f0723a52cf4c602c6fe47a3b6f7805d95712ceb22e24860d6a5e17cfdc25ec795a7089ff927da535f2be46da244e3569712dabb82b007e156a17579217c5fb8b43d28836e9d280726cd7192ba8f018a73c129b09479ec3eb2651104f56719cff6adea42c320bdd528d6ab33bef8c807fd69e055bb1c1c89547d34badd8fc3a064eb7abfec85d8d4396cb221d7767282ed873561a7263cb241303825f1fda618a9e64dd6a4299581e7a2eec9e750506c20504ba2abd8856bcbeb36a17a63cc8c77619c29476bda703bf3bff6c2019cd8376713970b56f825fb72e83626c2bd6805031a2945ea9efd2f4780ccb5bd8a3607ba78cd79115849f6d95c93eda04e6fd8857b1f2ea0073e5db2116964e7f8d1d35909a3ef8336e07e0db4a93f5c902303191436b2623235b3c694eca299262184d983ba33a0bda2c04ceb8df35302ab079ca7ea4b52102e39593b2c375f10fb7906d10ef3c9149296dcca884c0181bbc3304519f797685038c4e66f90f414797f389334db759641025af4848af615061d903ce2146e4bf7936dc4f2be7f420ef7561fb341bed654e3f93c1253159f76a75d67378f5e9151f8b665d10676e848329b007ac9aea4c1b37c893df05e9dc2a631818620976190acb08cc4e413b1f371cb2601e1aaf3c2a4787b9aba6e11e838cc41a39983101825627f5591b85ce06044c61f5d6c00ffea265340c675a2171a31da662b7713eb49204e4fd5d478f3599dd76952a7d4875cb972fbce7a59165db90fce3ec9ce9a0311abab969a9e24a8eb5a33887835b198bbf51a857a70455186bc5f0e65660fadb5c7cf45bfac5046931b24ff30b32ed35a6abfd48efe4ff29cac0e03c9cbdb90ee70718fdc5f172ce01b680c30084ef62a41d421efcbba1077d88c6cb5d8f57cf6c896d96e5cac28f85bcfa21c5f929908d6e66f1e28063c1fd98e5079b60d12559bf6a164901337d10e0bb16b9d43b719bb6b482036eee61cedc39b7773dda85ea04826b8669b3c86873ca24d10b61dd16b6a54b7c416deec8b0287ca8f3d2f66aa53012cf10f6f7e2de8c9d63551485d98715337d106d6ae2b7a48f2ede892d8f04a9116d1d27765d4863ea0d2efd68fc1b8a39260e064e5c72ec53d18107b1ca044fd5b42808d71400b1526efba0ceb57c27e53f29327b314901e177564f92988aac81fa0780fda44257056bf6cd90a49a56f942f84d5b1a239d5067f00d0f4c3cfa7cd60c1a90c409b813aaa49e94587bfce1fff62303116ddda4e75bc058b06f46d58014083a4321c3d1a6899425874bbf9dc195448c0d29711c23a88fbd4351e457009a10d1d2ecd47651c5cd9dcede7f8231063437cfb05a319bbd6189d794c6f5c99b6278941c94931c876289c
e33b3e3bce842b69689b9aee44a423d2d429d996c6bb6ceeafccb15e1f63366b790d68a093a85cd6b5bd476b283e17be3eaef83b701391d728e518edc491652c06e0a93ee98803f8fc051d90418f905344b5dc6585e2ab9ae7b8c9c8ffcc98f6a76ab30f337b5cdf14e99e353f152c8c30e98acb4452d7edd261fc1f176f9b5c6a4f207a26caa9da306f9c9441f88d274a2f89d8978922bd2af4d1a98ddbca53e08239f0e3ce8aa8ca7f554fd4ad5b84f12e4a6c44a85d8a649f461ff01e77faa59c6eed9d62c73ff34081a31a065f0a17ca7ba63c5fe753f5c1d7d4e11de3568409ad43bffc4da91b22970340ad4b5a5e7dc4574a4d436ee50745ab58b1f06a61ab3c2b16ba2df015be8f1237356cf133bca98ae7f78c87391ab7fa80edbd0ac93348019cf2db466cf046775b21c8d2522a6208b3db796ad26728e4bedf47c31976cf2f1a66207f9ac46c8cbb6cf005642d991fca160e9b259e422e565f510bcd996da07c64cf369d7f7348f61f234349b887a41ea2f98ab7eebfd3968762c50d84116bd21b0103581b54ea07ba388b96fb66024c9e208e506f107f7418884edffdb1fac8fc6ef9dbe021e9c9f8f86a98dded8c81713fcab3efa63509d188a3576f824cff6c5b622a82b6cb74e937f0957dbc0f55ad3d0b6573a7310fe31098bf875eab3b1211999ddac846e5c202a7262bc70e1568f88e349c6d315d39f2c30a2c9db3b97a7e6a3cbf45bb675e3cf75edf033d7b9a5e600c52c8e7bb899de1ad3d98b2ef30b85f1e5adce2837cb1e2190eb341a29a000a03b46552d4350eb6ca5a5d826c074874708580e4bac76cc11f88d368d531ff7248d3f624f2e409d330a2696793f58f7736c08c86d28a3225359730346be9437f035ecd92bc2c8aac40b2592b4c6b79af380f49d811ae459173f5cf917f63f229e87109198b6cd64f6c303a4f8a40972c837e0f51ff047bdcf4bc5347dd748756b295a921b652ef9fd55bed20f7ee4054b45214e54a366dc98ce23ac69fd75a3dc41691de2b0035924fb5e7d2d9ff777d7b0207e9398d1a6ab8496fe6245dcf3c8e6f745622a015e339602caadc9001c30d89ec31deb8cef3e15488d26c1704e30982cf45c9df58e293cdbca0a032da51a08df5d2fe0a93a5ac28d3d512d684be20f62fbdf066d345ebb642733de0331b2c9ac7a6001f8f6d248ea197cfbf662d7bb620d996ab31de7c4bb3ea1303321530c7f63d6a6fd53d9fea3d515f107cb881eecb0d749f84fb687d98cd27372fb06f49d628c4750edcc6b2bb1cf6c5d65c1650e3f8b759716f183314e9f7afe38cfe54fdc4768b624a7d054ff45588ebcccac5ac65b150103976625cdfacacab24c635eeaf40d99639585cfffbc3f16908336425ab7cbd0b6b4dae4e0ce1a0dab2
592900a988638bdc9da5b824710a7dd7ec9b818c01b1cbfa687a4428d293579b2cb0593e5f1b1abeb116ecbe1c0c6ac5a2b3cee613676c16537391883ec7792f75b04e342ef1dffe504fdd124ded4e4fc547cef5c60ea3433cfac40ee734602288f94d1570031df971b2c457dc366e77b799dc14e002d29999c2426b124e1992dcc1618837d3a290ad7f892f8461634e67f9afa1b6f841827b289d1c82177f9b035ed14e7a2671adfa1bbf3b6737413364c49caa5dc32bc927143527144f3a46d19735aec0242a80e7ebabfa1bf7222c60e489f0a8706ea2ecd66ce3f9d500129d475c7eefe38545d0a696c8c8f01bae8393c89adbcb85e6eba1884c674d9091078d4c3759b25e7f511d4fbd70d3dac32352328c066ea2f81cc7f5427508270145ebfd80807d9ec0a6cbb2219d69ea0a30d5e20f914ebae00a9e37e49c6c611f17c799192c7120f8f89e3a316f98f54d36078e794464941fa43822a701b55ac941dd30f882d0795b9c9ce0e86cb670fe920d4f6fb595e657599e6da0f7de097c0193cbbacdaef6c3ee2294ae7217311315ac073b6780b6365e6a1039526eb313cc5dcc9dac4aadfdab4efdbff316d59091231cd1a54d6c6d644c8efd2baa527dde2c7aacb9dd305047d8bc04d67a7cb60d0270cc4a01f2a6dc9bd5bf0d5e0c52f45721e4508dbdfe9d1a37cc04769d82015844d10e74defdb36973ce0fe8a08ae859bc8d1fda984c99a6be8f024d99b6f1fb85f390cb2166b275f7376d5460c9181116b91778a91ffd5ccc4acb50d4e1d6e241aed090b7053303ab6ede389eb0302f7522e92778034d0a9a0bd5f56494734d7315d627dc7e9746ab1be23a4b4e6646b116ecd04131c56c6ca3a18f8d3754c35932ba5ecad1d5e0b5c37bc4519dbeeb4b9e7ad044a76e364c89bd52a3bc2fd089ef1229b55a378faad365fb36a6d363e0263d378f06862b7c6e16a0ae886b9b5392ac4f9ddaf86f5de4e463396e99de388cd4c346de1038a46b339a121a07aa415aaf8c76ca129a33ce42e00d59776e9ab89ffc92a01665bb5a10709c644ca3f8d8eca20029173a36b9d3741190e0d296cef78012d90962a4db05412c154f84f41a503ba3cf60decdc2ce4c947b4e379a4627cb5c09525e60133e8f80d1bd9201cf39762b95f66a40c62fcb7362293361319265d687bbd9cc645ee9e7125408ba40ee6f1e63b4d546f14976967c21cf74dcd824a73d9bd7041befbcfd6ea0a8d2b7758fc85e09baaee1bbc890d3134253e9b0491f719d8812532d65ce926390fadcdd25b05f45a61ae8e61e61bb83c8f9b6504312bde871b10a6c5b487cae61dd249ad157234ea8d28e136169f0559c93d67315ab3a67d947ca9b5551cb6be93dfe22bb1aa07c7dd99c493d0623bdd3650f09965054
ecb738b5d5740322f57ea9f2494622f10a369f1dc8d38468b21931a5138a9fbb7814ea39d0b914a2c3fda44c1c63ed8725986fc07567befa41ca21adf7909beb981ce3944d4af2917dcef3e4581a6238a5280d7d613ad28528df86625ce764b8b03e26454cbd5d74ba7e047fa6715399f12f97cc5d0f74cf6c1085da2b86bba80a6354493ee32d9877a7c315a7f99b59a3831e61704086158fb751ea302eafc5bad6057a4280ba67c564f1347a775e428548e6e09bbc160eb1e8b3e40455390d59dfa1f0de5ab2e4f8f6decfde3cc1ba04938d9344b7a9beb36f78ba04dc031c9fab5c741da098cec3aedf4e253df7711b2d9cc38efcf310b6a777b8de675288d6c90786eeecf935f437b27738cee097d4978a9eb10c1ad686d5a4d739c85cb92c7694a5ce675beff415abede4b165881ad5f9ce9d0a17ae710c8a890f53420dbfc9f3935a8771b6a48324c13a6e5aae85dbeb26845a9469f0187793d0faba88ae60822dfdfd9f2f2921b863046d108be2f6f809c95e5e3e57413cfc0fc94a6d0c95faad1d7914c454502ae615cf562c86c8362285c35e7bc011fdeae0f402fdb813964ce1012243a791868b505bb4a62ffb9c2545b5e2d39b2696839a510f0a1c41ad45da72de7a077c39a24312b8edd290d0fb6774c6d4a47dd3a6f4856a6d9108af7d5042164a578616ee49dd3a1cc74e8d083cae83bc1117889f9744bf95092d70ca295d8f66a1a18454ee9ec6982ef1a1ed9550a87cfeedfe12ca5b7cd9099591f6f9f978c938640a4fb880fb9b61ff04b8073857b18c87ec2f038febdd6162909523fed57387bf0aad4429f3ce8b99663cd060bb2f9a09922e579ab34765be81b0aa877d99d8aa0ab0ea03ebc4cf3d8e4af1725651386ad6dbfda41888a0dd20c8b2de01123bfb8d496fed4070056c666004cc73568e760e2276a1baee496a5c836d8854dc3ac3f645f5433ca815b580f787c3864b232df3d372c50474e45640d8e2933aad519fa64cf4fdfaf029b41dfa454f423a8a8d4655290ecab35136ea1fde850d3e7c67937b909fdf0de0af7a2fcde657a601b970471cf992e4e2ccc8df88f7064911024c0306f59734ddf01e0c864f5c314f658588aa179c1077d0f2804858359173cdaddc4f9c15816c8738e6aea3a83c28a12e1f1bbb9d9b46be631268aff72b605bd6115d0af106fb0e362f82170f8c2b0f67d91496a2da8783105529c996af674c80daed482297dee05d32bcc55e046f7d81348946cd183b63e34ca25d624a66e448bb8d532c335eaaabcdc2ca8c822eb6849cacb1fb0039f90fc0f7868327e9b3474880c15030ca2490e0de01e254e4a257d730bfdbdb1897e37ef516e2af7cdb9108308350f77bdc500a3740d181ee8e9ba6064f6af79624512b736a0396
9ab5735c247f2b417b87597fd33cf0cd406a42747f938d871186fc6b20e02a0f379834d0a2c1afb2d07ef20e857bcaa16fb795e66405ffa3867b35e88f54b953ad8907d89b62f56eb148cc5a051f2cda1f4774a251b9f9a69a1c048928c4fe0fc24f9f77ec55d864e9c3b6afb0ec5c1832e8eb6d560c900a347bd85f7d017da13daf645667db3ed1dc3970b5a5c246858d556f5b266a212c2d70e7473c359e967879bd39c574d22f17402bfa850a0eeed253035c4b79209d95ff3fcfbca84e14412953c8c690708699a035d021a2a61d317bd19ed34418b5ff4bd53b685b9bcb0eff6341eb2c749b1896e2d4f14b782b0a43b78eac491bf1c49c9512d848630d7d7bd80b9356bf60540c8465f7f6b0920ca8d7e9fdef6d64bbd81ac6f838193b8146b047c7ac4b934ca28e742eb73b4d3d2b6bb795a74684192157e4a1b0192c3115f49ae45f06296794757b27c19f33e0f3ee30d756164695ab589aef025da931b2c3153220b7ea56043bc27f806affb93296ac617f3abb21a2a34f96c7257d1a8efbf252ed417dfa42886eaed942cd06c3281e6df3fba6a2cec9b90ddb63ca533b21aef73bfb8db3666785fad461b7479688d8f5530018dd8a52849a8c256f4aa86460574c702b9bdc1ec1e6bc246913b8f2686f697b0809b9f55fa9b8521d69b246cee705ebf7964c8e9200b6600b488033fc88a834b00efbe385326395df0f530f34d1d88c6a9c605a67ed64da81b4021874bd8e66f96953cd8bec7b1eaa4543f158bb4e1027895cb8e8c8ea9cfddde92de0f79387543b2021739b1156b828ce23ac3ae6aeb250692b9f25733207aadcbc0aea4f46ac4dc8cfe8d53b5839e9544002bff2a791ddff2b3bc7efdfae13842732a8bfb7d971526f6ca2998f9287fe03397e01321b3a13a128bb61689534b06550085290c7f9202b07b3583ce0461e9bb3716362bcff7f28ced83aa57311c7dd7368f0e285a9b7ef805ae8d43406d70e753ecdb7f9ec942a0370f69468583615ca7cf746b497642b8bd3545d5218880f6a439e4b57318a6f9b11f04def62c91d7d39082209687d93bad79f4cd874f5b9f9615ad75bf02ae6689f4142683212bf4abdf2662259dc3007002b791bbb17caef153e14f0999f33ef3e9288401626e2d4acc4040f735e88214454a59bfd412b090d6c3e9ffb1e0512cf033c60fbd04ccff556e8735ee57bf3e78870bf8382d85f51a9afaaa8d23eb7ef95cd64d2c14e4df21d675379e8b62373d11b60e4c3cbfeeef453048bffc69e13dde6bccdf3a598e0c4954b3c91f842e8d48da9ab294b49bf1e7c085c6eab52d9529c2dd4244f731997ba0858480a17d125e3e735d4dd1fa420db3889e57a6f00b5d88d669d837fe46978e99c8fd3c0daa663aee7442868a7be6530
f72fd2da551611641530967d5e3f44fe15fb437d6675ba911a947804a92495d57fc0038e9f4956846f0ddeaf5c7173a4d642bf70f4c4a09d00a67306873e2e01fe789e16c334949cc4bd802a5890361eba8efedda780afe2026ce5d9da88bb9a5c01f098d7a45fee1c213db3b1421c4d8bdea3477654e24bc40b152e9871b174e3a94d6968b21a24c1abf795edb89308fe666e1b22fe4002b8c419f98c1244e0a032d18f0e10def94a12b4b38266489e34ad7361af7a860f8ae19fe08f8f76e5b458212dc62aec387667342598f5bac9c12c57808e218c85822436ff75b12998078373d1f7a0c4076b5d0785df6c0a5c8af9422cf89058607b69c701712684a30d4db89f32334ba86f5ca420cb38765e612237962292066772b0f407d0c0ec346d4eca1bb80bf8cc68f807d0f59baa4f9d5f505e67737d5d6b7d730d6d146b604900563067893d08c31660fffdcde2c57619f4717b1086bd14c417c3c893e777a92a2a00cde56012bb1fda1ee20c922417efccc828247cd4e3d62aaf1e889e0c7862474288c8bd145e7345c3110e941b5113b05d84d1cdc54c8c8b1cc3f2b93ca822559cbdbb4e5629ab98b6cd9021c84f385415d3b3acdc4a751bb22fc0f643bc39c03264dbeb81dfc7b1953767f2c5db305c18a636ea6fcb5eb685cf38a0539bffd437265b966f46c062291cdd14a380bda6e7b31301b8db274be67a2260865c5187660aef5d16642102a7c61671b13505909173cfdcf6c1aaa6633f4730d2cd0c8500e8cebfea8bb2241daf9ad9447c67569b31abf33e914617bbf1d0c4342507be61144ff0d3eafeed6776d60e07f02cc120e6db38245ceb8f08ae630ed9e548e459878c84abedab3176030d820d72eca7808688868aa72324834377e201f42b6e5c017eb8ebe2c2758720823d645f37d33c072955cdcad179dcf14f008283ff3a7382296e9272ccb6d3ad0a1163cb970ffd1d5dad50b31f75733f792a7dca4fd13bca3391c90d7828cd044c0e72225f7146875717af9ce4e65a06f8ecd67f1899b4cab06bac1bc2e4944e62419ec9fa1b0735666e4f2360b9fe3b51cdc4d6523cb4f8820c5bcb8feade4cc2c09533cfb326e090eed808040182373cfc2619662356cc5ff8535df5d03f68fa01020f149d13327554320ec2b199cec922d0d7f0495e3bf5a35e9ba8cbe717fc2d5f2d7724b7016cb07c3db1f06e9dfb890b45a8cc036422739771011c4a4124b1600c2cdf16fb9df3f76ce1b31236ef41ef4c3d085f9c8f44ef82bf042a1eedb77f515489c5cf7ecc245965dfd29b9bf27664a5684ac5343228e42bc1779ad40476ac8860a59418d683568a907f678471ba9df5a7ddd28d7058609d3e577fc1ad425d8707f9503718859f28273755924876d469a1fa1f447b76
12d2b80768ab044dfa3f662e969885a82896dfb88707aee9c11f96c8c273cc87facc17778e5d1a1d0d2a781068a56e56c0d7421aaf33167cdef4022802cc12ceafc99948fa2a02c766758ed98da6cfb3a2148b9f78095dad01e35bb36ed8d49af270ebce76d37ca39e7ee7fc614dbe7e85d78f4619888289b0a4dd2f965e8314ad4069b6750fbcce00e64a3fc33119453227645b8182078e6c813db7e5ab787fb990ff52ad1033ce56a2c849fb8fbde6259a6af5fae321ec771fb59e15c052b71336cd46b8a993e2a335c64f25fd588f1463247fea99bdf9cf90e1f83218c4c43e97f0938cf991e4a735763e565918177b951071df51c3a17dbbe319681912fb4814bf47c9830697aeb7a5a923750236479cafa956692d983d24b2e848052af874df7a8cb2987b7a80c10cb4266fc47fa7603f56f0b8cae45cde5632540a7e6bdee9a44656adb538dc504a898f2a6bafb396239031e70081eff03a5999f942db7696a8da01c99817a71cea8129cd27f7fbbc6f171034a84305cb33e08e7d9979fe70b5dc18da2db64973dbcdb085368b18aed290f36135d634343d068fcb94774b0266cd45928406930994702d39dd87326b2ace2bdfe10bbe9ff1044faeee498ef18182f228424f53abd6b70ac64c907913956b4241a4d98b6f392a61a984d98020bd7594ac09ca269eb7dd86261021b5f1aa3772cee8de11bf8512cdab489ad67fbf2f6f86c124f5f781b288344d7c6117e75ad3bc097b4d17026aed559de65219044a8d5aefda109dca57011e888183055ee2112453096028aeef3196b8350ce5c7af28ae0b187b64c7b6796c801d93f620f9e8af2499a27e5a59ddfa907e826bad8c3b46250ac1561ec0e21fa17b72565f3fe1b0a369273de5bd04e65512b41333ed743a51a57d8debac85ecc46a41408b551f2f46fcba4babde89d353e654a1f7cccb06389c4bb30dcabd5f7f468bd6a1eed6933f85e9eebd0348f1c4dff82e39a1a198837f8aa69c6251fe1d64211e379b1b84a1f2f430db7d158ddae9d0d2da1a7aff1fb5cfd59f0c6b8afec6f0e48c4ef7ac2a764b54469d78fea5d9b2b5445747b69d4f70e9f980928b816e354175ba1291733844ab959772eafb60a32e6eaff4779eacb11356385845e4a2598688eee44b54af6b0285fc7fc5e2b7297398ebdba3190a3ee656f54849be33da2d679700ec4f78d45e7e3fdf9c67d822434dea8cef46d34148277dced030e80b3214f3e568de522f744e66c61d08165aecd311d86d3b343a33e20c1cd965fc72f37a34a63f1eae73d3b03fa704589353f586e202c458234cf4d52af8e583077c784229b3db98189c760c97b3f02af5ed34b0b3a87ebad6a2d47fe6c060f9c08c573549e649eb894ace871adfeb681bd4e6ea5065393afb
66cffe8c025c18f398a373dd8ba0c543f9fcec2ec7fff239d967b1c1d17ba2bd7fefc473c75685e844ed73703738c25bef71ee392f70d5105fb6c477e254d0c6e42b62906dcf7b74744899a0f199512a0bea3dc7d1ed1f64d316fc1d8aee157b3e22d00c129fe798a8d3bb1baac4812ab9c3f914a080e484b3894cc72dc2113570660106741d08c8f0199e2196866a83fa53b304d36cc682f11f7c925ed532feffe9db4f855eae8b1ba9cee4463b669b5cd91323a2d51e72e24aa292d2a1579a034b9a39ac3711ec9974ff6f91375e0a91975ea3259964156329f47d6fe8d6596ebb46feb7557bad5c3c7492745bd7e214888174cd1573bde3b044b98437ff6917366b1d07a445b95c604c098fbc25f53712ae786f56326d9580704ee3b44d1106f7b7997e37367e108b46886511019cac3ce31d759c267e067e8f2518bab84cf27bd430274ce4f62e9741effc8447d4f7bf98881e48b94c575e6304a0015f10ff9ae6a942d0a410595f55e3b9a55460cf84b0590ab869aa4dfd2b02d248040214a3549b9031ef29c639335f68910a65e105fd83e16f7dbbf76eb9829935231ba7409c1b4ac81f20097a0e60eda384adf185e64b056805c80eb485aa975f35a571b3de5b7d6108e89049d1a37f121a3be8818b69c6141f342fd75f7c5ed80aaf42b9152d8356716f47781de9e63e4af5ddad120d1bbf7bc68a2f4e5cffaf80021606949e4e2311f6a15df4eae8a2d6733cd77612115047a9aed3524edde7df72ea1c3d976df25dbed5e7ba341a7bcce987039f7b99a93d13b2c14eeef72ff7b4611c13b37e6f6ca2d54bc8756ef444030b7996b42b8f58c9ed18f7b719378fbe94f64baad4273c51efcb2beeb57545490debc9bea9450a8d781b21376f6c62c440940887af80a0ae87c17d624b9493e37402dc741c65524ed09aa115b43967ee8153966b435ce3f204811fab2bea5f2ef5e5186df86a2ce2370597894ef31ec2c0c19208daed00be9bc9c0306f1889ef797ac87eec61e5cc61ed110f6590578a91f987ff86deed1f4dce08f5f2b96c0502f5cdf88a59d9628ec41a7ccf192d3aefa8ec975bba4a877059138488664adcdb393a47735ca5f43153e0c79c403ce9bec7012259333cd11e9e42e3863be2711a48bf5330c207c0d8da651a1ce0c53b94ddf246d1054689502763b34acf020c4ce280e0c8f22d406319f54cad6e6d5b3976969e687138a52a292277634f2cb6c1337ebaf11684d1e2601a0f92f2864c40c57547e5efc32b08cea3964860f90f0133a17e13c60ea71d16e6861cf3e1865f584303b0f16b80e6128aada9fc0e6fae29dba4a3fc993b406795bfac7afb5ec9ec8e6b4eac7a86418ce9513ea353ee47811aacc144975eabc6dc9278631a9e92ce0668b0db8bbb
f5a54c79906ff638809f7d696ef49ae47e0740922b15c503559f0118b0a979e2ec8d25081043c72ec0c5f3e20f6182594bf5f3aae3be1bcc90b994a7a88c35363e12f76fe9a67c256b4a30d73668676cb87e1aa1cb90eb253a2f6642b9a2315f48f6b44b5857e692d8a6db0e064cdbd0b8ae746352cad11812e180df03eae8de9e5804edff73d19a22af88a7fea01ae7888c77f06f42c216d30edadcad5ec56ab99c94248b6fdc1d5fe0411ee122f375ec47bd9ab630255a2b14e71fed7068d3e2d58c558a5106fd0ff61c6e9309bb5899ddc993d529baa355e9c4bfdbd04e88f67c564b34f1c4093a83ab27a05929f29162b448bda177a4725008ca3d61e31f10192918371c568e917f3212de031a5c5696caf0b2f85e778c26fac0c642e69f759da27c8c7a44cae86e0d0972ed8ba0e87416740b3f0687f052dededf00101e230c3662c36dad8537592871199e48a7235f125cf031311e1ee339b7a62387b52ac1640d5b2795ee2af827f09c8314b013536373548592d64bc54e36c850c44c39dc230cc99da7bc514d29043bb9ef2a227f1f912e2c6d906123c1d1db2b813985db6ffe2c41b3dc5f82620b9eb51f9e351eb6a115409b70eb5227122437bc53ad500af869b84c624cbbf5a0020ac0cbfde82229b3e7bc3063969474efdbbee571cc553ce2f1e08be6c494c5c660a220e9107be93dbb4e04cebfcb8107737432b144f90cb9b6b078d813de2c803c09003606af461c18a2b5e6d472f3144984007ed13474ecc167fca167cb9ebd6f7e37070b4d5ef787d90eb776d94ba5fd63cd3dc1c555176f1d5e090aff9013665ecbe4ffaebed5ddfc40434dc1e94c954a3e5c6fc8a2ccf679c1ad8c5c98bc3107f5bc7b639f23203aeb8d3c00d89a0675f14d486b83b72bb453ac3fb74da84aba00322d7716cae55a3865e5f4d18070e02d3d19df09479a41c8da91fb084a429849a7907d2b9f0776fe0bb5d51bbdd0045894e96a1f090be36417c6603d5ef01864f221b36dc34ad05f43dd8b099afad95f23f2c611ad9581deefec4e8314fab34761f9bcb47fa508b38ab19142148bcb6bcd8d35074919d89de51fdebcb40ae9608a7edfbf3cdf00db9dbf33bbace91ffbd5c25c29a71305a2abf343160ccf922dee487519aea764bde66617977f0be874a35d468240bb81038252ae8994dff0053fe21a82f68f039fae01c52cf1f6857ee51e17d5cb2c6c8dbf8560afec66f1a0d527507bab2b7df5e8984d12eba2d07d836ee7e01967fb23599a3583b625a75e7553bc66b2cda3a4b67b0e864dc868dd1c78904a74686a91919e670e7fc918037c4f76df3a78b860bc0459a12bc207c30b1badd85324f5a1e623b661aec28027bc086ccea49bd22f39560d289e233c4231252e8cfb6af721
ac7cd1b6b37a14fbde4393e44e1b25e302b1ce29bea6344912d1f7e90633816845fccd3ff7242a008a743e5a47d48ab3e01c21f2e4606e96b08567496789315d87936f45c66db50de407fc101153536949306822e1bba513ea3375581b8f235b827b3bde08213cd1852f36744d9ec05fc35de3b5fd1912b14a38eed439a6f7dbb37c3e55690af6cb75945423ee6dd24362327874e960677072199c4d3d03181f6db4370a7269d9d778d0cddf67e266a29a22d5eb7129f2d5204ab8c3c5d01bbcbfa60b11fcac944ddccb27661860a8addf6377a3a3b9f7747334f233c5a44a55ed08ad05d233c7c43e6eaac0f89e0082ddf70c406814c3dd60178c23ea58ff7e6ee0a3a57358337e7fb83be96255a35d17914e6237a3a74215bd4ceb8e9fd3f0850dca086c46efdbd99ffd86f07d219d1e2b087b000b8ccef9e49337563b48a27a505970f30cd550b873e32a8447d8853b129d0a40afbcd900aa29a9a59332435587b38d2da503171da6f7f50d2442ae1d23cd4069c38d0a6eca268f9e162ca56f920aa7b0e6799d2029e82ba34a82959ae737db3e7906dc8dd1bdfb36e4107e36a54875348b9e45b8e7233ae4a1c0fe85755ba6166ade7d34bf631e9af8f5f90548ac7acb613f32c74addaf42d97fc9be84d30d18821b796be490f28274fe68233003641a956acc9bc3a09d5f43aa22fe3a2b98a8b2a15b23265ec438e3b15a1d137ac2761f7349311c8e4ee18dfda5f96d66e16ddc255fe70ff2a051ccf744fb7eafbe2b5fb713918c8c776436f09004deaef5da7409fae7876850bbf62f17c0d48ca74d902338c756a337d3286a72087788f7a42f4f1675d6f0ee957b7984f21cd95074559b8b2ca49e67b4cb7634f513a1722351ee15e9059ffe289e8c989ada53b47483d4077e9d146e5428da1cc19194ff182f7d2a2287635fa4e4a81a290a3cfe38f376eae489e1df5e9a5d59beaec83a30e9af78893e4f3eca07fd4379b15353c7534c639c7b33a0ad5b58b956e8fea983ee12896bb61f07564ab52345ecda4c181f4d810db0088f6054b8609aabb4fcd48205dce63810eda0775307d72544adf2828a2a3bf105b6a6af965b8ce30eebec78f49383e9e0542f0d3aad5bf48f639e022a021b1e661b10fa7ac6a86322537822c42a4883b0522bae9ced98b1e4812992384859925860eecc78fd0ecd14f4cc117d9350537a8d80c2a6c952ac2cfc4fd7adbedea1c0634438d88126307f01042ba7a13869802d0798cc0b42cf2c1db9132dc7b5e69c807b5a2baab3a35563cff152cdec01c47aa9accb546d2b0287fbed70359e15b1f7a78d79d32cb6047d9de5dc87850e23976280dda2e1622be5df43f0bd2f71234c631cb60a6736f1cd27545dab2db2fad1b6ca00b85b6180bf8ffd8b32
a353d1c251e8d0401a7dc818b51efbdb52cbbb4f7370d2ff05d320e97862c7ceb40972f58f6175e88d22db6b18d0ffbee99f0f90bfaca89b94296dda5d2babcbee5189332d9ec6f9223f0197e5a98b85e6bc00e8801f52ae06bbc73cf8d2ff6ffdf9211f95d5c18b27c44a9d33dafd6b6ea8568154a0168610898f9b143f5aaebfdea26c0b7e789036c99d9ac8652794bed15212203b8dc3ffc5fe9a50cb3f493dc4e0e463f828d0d9f1b50681c30e155f1e3748769a61ec7f305aa303f32a1a149f399793041ed3cbe612b6a73b03f61c9ef4477311026bfff61678d33970f92c2375e862e8c5d2c682d45f47cd59d9c2bf7f5bdaefa550d4cafb6650fb5bdc3842215efa90e6d259e05098df0d27adca16a386b6f9f2f94a477bf10c3bf9d06544ab19d9d0da819dde1d61d317db510cf3483d0d7cb4ff99e076a2be55348c2a1d3fbcfc0855ff8492d2e1b87fa50771fd68ef7dd2c20ce5fc7b19b7333a8945ef4b614d487ffd49bba89bbf0eafd5980ee6d196f8dda8b07c723d1fce05295c646f0d20eb0ba3792f657c0408d2ee889022c169461bd494b62d2b9ce26742a324ec630cab022637122976bd24e587ccee270c82f0e5c182ce82eea8ba0b67b7a78f2604ff9770b9943516b471867a6d9f1cca6a49dd717ff8d2528e54f9d297dcf248805b9228ac6f072a947aeab962ac407d712ee40891f2a09d6265950fc05f4ffab6068a59043a3ebb67a3b947ee0cbccafbc5e543fd6c685c864f32c5b37c1e4b0420dd1fbf4ec519e6e8b38ede98dc0daab773bbf3c9c3eca5d3d50ad2204fab49c3772c369bad9df71c00624f24eef6770cc0a151154252ef33a2585b53cfcac85e22dc8aae052038a31e9d55013ebee2204775d07aa5210e86cd63ef1b0466431cd16adb9bd78b0e1f8ceeb86c052ea9c986afdcd6f9c297afd4b14011c34060203f4e13965e12d518785dfea41d7c726f4918d20e5f1249bc84e380fe0dbce2548c1d85cd6bc6c996257a101e28d3d62b75b7fa492f49561f1046590ffb2838e2da043b1d83aac7b5e9b8a3f9ef22740e1f91fe9b0957e5d3b4187e4380a47599ffce0a56f92260708ae42df7a7c69517f2f9995edd32ae81bddde727945fdf1a99b13a00131f978a354f54b7c3816c168ccd15d5c7985357e1dfa254713ef6608a4a4ed8190baa0fad97ba418c2a9aff145bf721f1fe9952e848a46073e9876ddf1a91b1be116016e17c6f0eda76c4bb577d24069f116c327383e1f01b189fbca1d553eddc8848e9d7ca67274811e2f80c6b4b523e95e0429bb6fbf818f1270fc90b32afc8b2324cb746bea8f14123323d253a8eb005561fa1be4d4a155ab4e26c92d48aaa0e10f9822cf267cfa4b5bffd4c89f80a7b84cebf71de8f1b49ced1cefe
d76fc5235228fd98d68bd1646e54c77eca6839209d3f088cdd806cfbcd863456b41801b68cdb5b8106955013a56b5b829c8d3591ec6bd8328bad2dacb62c98ac8dde7591b4350c2b7cf3e20e99ac8c19aa1c52a164815cdd1c56f053dd0e4f293c1cf06c133e11448bf2c1f26dda792c3cef658b714f1f7de70a3c42211558289625ed699242aac645613b7faf7cb1cc76fa0e346092dca4f88d59ee9791db16bbe92085fa1fb1521cbe0db5c00378a5af17ca725c1de4a9fab6d291d55a2432f6f8f035a1e0a4eadbeaee9ffdf7b11a2074f2b7f5e495029a7e63c9af460ec7c34fbef8b874ad06bf7c08f78b0c683d0d89bba894de6d6147f6de02b1872ad8d86183189b11ad67dde3adc51355819bc5d1225cd326ea3daaa9cc4184ad92db15188b1e39058cf730eafcdf6b169f1655032a5b7311beec7f145232683178e15ff8440f2801e5e840a48103d82be492e5bd17dba0c47b653b781c1af173a0c7273db72a674e3a00d70b897451fc903dc43574e64fc7569f881ca7379c6da873732611d5fbfc234d758ec0c16a141ef17763689beb502081ede9b11a9a492debdc9a09a5cea5e2316cbc0eb5f5246ee0fc838173eddbff63a68dfcf4265a5db77db823748209a5aefb86d17d90f9b61b64f8e789888a29595b5fc475fddd1242dbde9662cee751041174e5387506b332de62511b2b3bf89ef6ca8498b42ce1cc1aea01f4827ca8c4989008b10acdf2662b06f7635b26c8a95ff6d4d4c4dc60b44b9e8364a98a7d98e6abfaff73c1c2dd69c52dd12deac3ca415645b1c1c7b963a0ff113b44f54ea1444eb907f2657df2e95a73d8cdd783c4676bfe5fe5a71abbf2aae079f49e6d51e10cdc8a7fb8e26b2f605e54596fdb178133f746fa96435455d5fbf1b19b585d34e8205c92e7e03500b8b80e41c42eaeea933b76fdf2c0accffd051cc0f77b9d85cfe84ab71662c7f83f3b6e272b82fe886d0febb4345d9afdfcff94a1ff107b6678805ade9f768aa6e33394b391779ca937c90282e9124c41425289cc23507eba96df73e2af99993cea1306f59b8c59816b538cca401d7f2bfee84b3aec9e054d048054ac2cd280d3e55c5e027716938b7b31ee1b2f00f95f1b3ca9540011a4844e86d2cc75f681394e4679493e9d18075a659a458299961d18cde645dae173364a4dc0be39f4b6fd5ca7b619b26686a812417a9f1d3e46646c730eea7b4f61a8152101a56732e09d2507b3a0eedc180bbd4e61280283f783aa8e9759d6670bf28e13526d89aca86780216f137077d761972a988e1bd9303d44b7e00027bc7f537ba703a2d285b659e7c8a5d14c5ca705a1eae9ce67dd99f5bf5992bc612c5a0a01d161d8547211c072d33f6bf88ea8980da01cb87712e9a0c8b93f80e6deed
1b6a092326a1da99bfa9de4dd9fcb53e586ba169cd008b7623468fd1bcd7ccf915902158a139311a02ad62c6272a50349349f8a6aef9d44038f759ee57b816122a5ce8c2d7c14a65f24694c5338d596d0458c484afeeb8c25fdfa10560aa42ae8cfc82eaa108b567f86e33e9123e69d84dcad2f1fd9ff60f90ff413a22b2870f16b0d35c388183595d5bdfce35b314af588ce9e5ee061b8e8f1089b14e1e77b2b3f6acb232fadffdccb18bac721d90a852384fe51a16fd4da788bb76645211cc162a9f1d0dfc1eb29aa11d85b783ec23db41db8caacd9e88614a51cd444eae3db3e22c5a92b0d30cfa5403a2f28778bd9df158cc082bb8c7e7bc6484dab455c390b85a4304a8bc23a268c6faf3bf85c98056d0f715e74eaa86c4b6af45458a3b0e40b658702fd883a55eb4b6fd3fd65556157bd58d0ec42f06f23214c537a5b6bd1394c74615748b337c8c1d7fdf44bf49e35f7bbbea1d8ba854c060f883fc03f3d3dcb7244977f5ac62e696a0ecf3c419e0794d3abe77d156e0b97ed5a043b6dcde1f7f2ec010d9e4fd5d53a13956027a489eee7b497ad2649a0523de4767a8fdef6fb66bd49744ccd599d2efeb267f0d2990f234cc80fd069a97d1875390d6e2aff8fe2f1eddeaaa4f3ed528cae8c9ee67953e3a3c32732f0db007f106f584390c5370e3edbe2bad78fdf2ac2056a9faf243546d26b856b788eb5d7969837b3ba153c655b4c41048192b77f5528bc75abb50d85eddd8e9686a48d722b03ed945276a83d9abada8825f6a97eba1fc9fdcf92a74b05db9ce32fee161182999d06727875439ff109491da219e0d53e03dc46d205d4e690f2543fcac1cf45ebc60194306761d8683dd2586929a5dadc2547f953d99b7bfcf9b4c2c44937e7de619643b392a866bc88a8eb9b6d0a925e4d6f0d574be68f31059d14edbb50bb75b705f531b66bfc5af6d29095f38a127b46c01b2640f952496e7246ddafa8d3289b36b800431fafa24795b4a73ba1ff13bde91b5a1f69e151e6ee9eb795197bfc9ff7ab1b3ddbfbd959fcefedbe5bb15b64e1122f231870f7c3d4c372a4c1123d30aa097b4764f4d14851833355d7b1a01e5a37b867ddd53026ba9038f8fda171ea1f1f9d85ed47d90739a85e0006b0ed40a2b10b4154178240ee2e42cbed699efa0720943cd35836ab42246a1e3f890d727d1cff39f7fe2c70851065f0c52631770f62ea024f60a8ca18e0ae7afcc8a184cb6fa4a2c6d6c311a91ec25e7efd7e8d09525fdbdb9904364ea00d331c354d33c2ee010c6294a9acf7cc0ce7c184eec91fa95accad3dd7e43d66d5c5b8440769563bedec750cd4157b1e96a57bcad3ba84fde6998591d2a435a0af48be7810693a3e4dd4ef072db8b5a14b9496a53b818bcb124c0b6beff03
6c373f1a9afdb2344819903f173a800a29d412aa3d22bea42d70e95e061e543902e60a1a2747a2e0344189f942c03a2b1fb004bcb11bf0e495ac79b58cab4dacaad7d8b84ab2e0fd199728029b16e0bf714a8dd10750931d167e819802ffa3c177e0e6d8df2d43daa2c55db0e3edea123d0da42b4d8c0c12c92586594444030f217c8e545eee3a723c57070f02def3f50bc6d21a6ffb635d74117e23d80b14c36a0c741189dc77b5c9cfaaae1b736e8663db61fb5b6d354a53b6344ac549ef3ca9ae5edbdff88ca10f1ae2fb33d2f2b230827a50aa40a09fe87a34ec4dd49a76de5483b7f58ef1ab4d8d78214818a8667f9e9e72f9cd9a6adeed0f63aac8fd5a3510e5627f5f3ab8ee216f9dc3c718c04237ec3ac1f67e119753704ff4c6a7b913890cc3d1e18ec06691808e72ad057896ede0974cb10b0e70388384f377499575836a24bdecfa92aa379307caab1a27882439707814b25bbedd64d7b030a6bfbe5d3048e6cd9ea43008a018a77f3ce008a22d07fcb237e462674bacfe0862f255625b2f455f61bf9e5fa363ac46afac12a0fc687b6d802c6c04a5db7ca3428e7afbd73d1934058e6e2836cf9bfc19f7b796bb5aab698cf9cf1d9cd031862780cd05cf6a9c3285070a5745b43d8c52303308aab14ef77982dfbf4fd8f5b08480cd283246eab28d678a22a692588eef2c63044c739fde5f96d13b4b21b19b8d926752d061c7dd09c94aefa338be45987a2b038d0db15be1254e9afc337b321aef2dae93708b388bd1c0661ad11d461e69927dd0c9710d89de9ed029d99b9ce06f739b69d8184354aef35d8783f7cef2a3aa3edcd4786605a743def859c6c9ae766eb73ed46e2a58fa655f0c8c12404ad083d0f76d6ba561cc152956b636fba83fc612bc544f9f926c35fc508e7d382372b26a2f0c3b3633f76c0805201ef9e35a83fb69371b5c6aa9b3840740e26d62c3d908ccde8dac511bfcffc039bf3fcd91e89e6f9a77ef342fbf2cce80ce2ba8648e61210ce698455e3c90a099f8409b73acc15cf99f7969a5d9d6ce52a7f9b590579f3292324e1ff18908467ead6d425938e715c640179429668be956a52011e16dd94e2bcefd176d7f8f3a68729d72322889ef6cf64e0cf040318620167df45b71a80f3db12bc8645c055268a5b7ccfcbe2635d64862b8c75c070171f234035ffe120e6395a2be238c02b1324cf52937b49f915c23a31ef3c8b36cbc20df99f0be4af200cadc4be04de5af0152b9f95e5980a4c94efa65d86d95a7d9533c643f2db6a9f9054aae02a4b9715405b6cda9062c8edcf925c8ee3eff1fdfdb29117b8ecd6bd15bcdb82977286bc771991d11110941b3ac2c5091249d1867a8ec1fd63415966c4cbfd3a686fac9cc89212dfdc6d980665c5857d3
add0045cd0a7fcae14a929c8672f95c5aa8fb24af5fa88208c2ecc5bc647cc8e29bfd7e27ab76509efe431c13fdd015336f36c1adccca0def73d33ea6e540421b4c54377f4c4ddb53ac33b2e547fc0dcaf801a8be09afeb183a3eee9f04e935296f297aae794d42ff0fa99d5a4a80989f29738c30d7fd66ab2de83d6409f7c09133f3b6f77e56f443b419d42a814d86d8ec4f6e7fe3bbeb7af41cb7d4956be1c5668c6bc5761139bcc3a4a15d6d8c904a8877f336643abe7da978ec24c59e991502c4d7912f86a77d7d2f10742fecd1cbd3758d69989af8032bd91ca0ba4c82d7883a47e07bc6990e21876bd590df875ba7b434f53512be5e8e069e5fbef1c09a2e78946f4bc93d067f5e5bbac905fb3ebb3001346c40270998de04524d1c94959b1c0a4a858be5139590d5a082763b98de9f9871238494d985f8eb9a063fcb08005742a4675312f40183a2a72a3a230c2655f4bc880388a7697ccca97be15aab36de2c275963b4650c636112800401c6aed61351839fe1d0716c0e9ed48c16015dbfdede31f614443f10a52d357fcfb884da7adfcea1787de1aae9380b505189f14e50d55f297306fae7f7ca911cb0a11b8c17c64146dd1b1f20092788f90151bba09717769a3aa09e8fb2474fa8d7594115e8a6e4c201f07692f14ba61e295c029e379a6337a6ddb24ce5ca6479516131784f727f10ac32186e1b5a7cee6560b5244a68bc79049ac92e97f20a9f1c0c3243b8efdc25599fce6d2dee1658e8eb2fb82db4c683f814df56f3c02dcfb4061b579423db569cf6a7b1ca97658b8884696419273320e7d533ebbcb69841a73bb49c1fd4b64730808c08e9672ca774010c6b23fe3b52e5d23a06023ea3d83c03a75a8d8bd0dc6c7752d120c68e48e69dc32cfebfc7d33de0138d7f0b6eeac085381f6daba83fe587177db68a6d789b1b0cbc59c72caaf525b0948f3034181a4a8a9a0c5a854b41ad44e987fbb3c7451fca963b90148445edc4bc7b53a821992bc547d06f14dd456788dbf4bb3e0f390a4df70d67fdd906b60a4abd72982df615ab711e1b564fb29af96a217b35453fb7ed9c3ec684b9cd6fd6bacb88e60c39eed8a95baea27af6ad12b5525d91a3b41ed009d5e87683a2d7cedfe25ddae724bb60bd22c54ebe8724edfcf6ad0cafa63c4163370fea7565bd7e12875b77ece62f399e594e3af27f75dbd14b7ba859dbd6b4480c6b9ef34dafdee8c2b36d28e52f320e9f8f3f635b7eb03e584f5b376dd81fb1a41316b6ef01072772a33ccae1c43c5c9e22435badc3d8ff28864a39f2c0dc7ac3d5feba33e70aba25e0c49084c1710078e1cbb5525fa17c3e0b128fc45028b6c266bd3ab04e11a6fb07ffb58ef4f6dee7bf2ff554b759d35b50e0be22f7eaa325026528218
5772e08293b0dc8bee4c8d7db097556e860f482c8c3e9b6e864fb477d45c955ac82f034b397e6e75a4404637f0c61d4ed90dfe15382e85ef48e6fc1d248dc1b943dc4fca20568fdf634b9b0baaa7874186ac02a887b0344275a985785fdf59b3a71d3c75b275d10d8b591d6b72096a77e2b996d0349dc4d9c54830616c73e8c48a472c4551ac4660e196d38e890f7931c1d0cd6d90c551315e85fc3661338773bd4a4ff861f0f3e892fb4d58069b3ad97b2d1bfd72ec44e4a295684d1422b30e1ae95b5c1c7f275a75dfc4f7a1c2e3bc0f0f42252883992912c95ffb334b1878c65a4bbe1e34f926babb642924229b1021f326c8a50e5525121f49dae936dd56844d9dec93aa1435a16574ecd414bb039032db875a2d729d47a3d8f0386fe9b067cf025b7e1dd3341827055ccc88677999609ece87add06b2f07f957703524e99aa0c3389741b14233b5eded5af8e44a47031803ab23f734aed4121ad93b12e7f632733c2b57219ef9879b4aed4af9094a4924efda16615fe74f3585a70ed067d38f722541082ca2546b032a991beec9efdf6d055f9cfe33717ee55af6b33cf61fbff69b1c1301173d20a2511249b5c6438cb510b36c54c7fec67c3bff5cf712baa3a2c36c415f488e883a4bec4c2a10cb3fa105d1aa3c829ef6967ee6d6add1aa9b3a88f7a6e69c4a0cc253f17902f37cbbef417195127b21d4fc95848312bb82992d5a95431aa8eaebf16e10a4030ad676d5f29032c611fd5da2d4c887433bbf3280d7d0626989ad5f31f5bb8d85e3d83bafc3747a52e5cf844d6130679d5893f9211eb9d09d1fc90d83fc56c5809a86c055c14489712ffc6606144fed013bbd2795bbc477afd5712c41d2a23ea998f73e5f0f6ac6c5a7debdff6f978295c1385d946e5e388c05903d77264bb45db975d1a4aa53d6e76599507827b86ac522a63f999d5bef7c517f1c8a80027e04c39222588e5b405576b0c2a902207c0d5cd38ff267969479d0111c21fe4559c4d9cc5173d761211b2490cef996cfd500a457f774f2a2180b1e2962851f8e50086fb27808cb4e58d835124633238778ecb04dcca45142657da5766f2cf330cf5c8de8ae869036da37cd3e43291590c3a22df431d2e271c78d3bf1c2554497ac43523af157b96b799b8c52fd5a7530c4065c4e23f9be087d911d9123ad6193db87bf4bbac1c62d1ef5af2f12e86d23342c14e814bce96b58bf22957152ea290ae0916e88beffd93704f7895a2c8a329bef11680989dd1d3e0aedced41acbf80efc3f21c71c2c1c2e93ab1d9984f76b70ade85a391a4bfc05192b2b773dd3209ca50c35be3344b143142b25912763cb1555faf6155e83e57cdf5f0e4c0d865d297547a6087fcc7df7e4512f4691c90d25b1a8693e76b4ef8dd37f
8f93e982a2beaef083c4fcd49f904b7c9d1ecd8bd2cb56282fa90314ee4f601565c497557d4d3f304cf2dd67bd973d7c6bf2ab1c4027d207218b71f2e19622c655689f1551bad47d5d9537a48cbe5a2c3288413c2b458deded658a4f604205d58915514bee43c783082d656b431af8b2e29db931f4a6871a587905571937c7e08b2080f901364f029bbe175d1c317abc8048461b717c36afd3ff608f6242c0b256cb5fe817b87fc75d07cd0e477023ca620c454b339557802842e5d60ca94e6cb89185ebccfc1b34b8a00a5ec56d350581318b8dc021d85223cb6a07bc512885577763c99274ae4d295514b94aab14ae0d0dbb9508e2eaada54a66de04fa0d848ea67ced8d6adf278a0de8ca8bd6f36ccff7cba1ed67e145201d5258b40bf1ca99279ecff9d78ee85a88276e5533c620e80ed6c7c17a9a12b03f5a740c37774e889de0e0761501ae589562d3240cbac3855eff6eea626f2c64d297e9cc97dc739ec7a7cf9c33b54055e630c8a84887281bcc48e8b4caf4054fac8ea7d0c0b06f220f80f9f141346fb8df194c314104f623b44621bcb35443346ea09914a96d6c7ed59cedc7c4ce71912bb8dbf8fdcf13bfa13080ac1e04bdeb46c5c57be88db4fe1f7dd916bb44a34afa1902f502587d7f910eb91fe910f359759975a7748fda76d42bb488b0c346ead2bb433ec158b1ef83f1a65581861656a32221f74598e38217c9b39405221c74b16682fc98a52b1e139de85e3b4329609449d4dfa4f21ee40dcaec4e827416f3636203abc837275bb08b69e55fd274fda90c1cdb3482c47ce59523e136b2302b300bc86bf088a6952a56fe1627cd6aecdf5a5260f78c4a677ed1a21d8952e2e161a7378a181479825c437a8ae26bd4e9690b1f18086decfcb311b625f40b31082d143c4f0e4d2c61cd2bd111d35855fb2ad1fae254175a6ec2c997ec8120b1e87c132d477ec5aff4b011b82355a2bbe72b7b191e0ed3583900fd1ed473a11ceb50b218e064ab7042b751628fadc59d1c5041224abce2e3ae008a0fef5efbacb160c2b5a712310012ccff9d20bf50a7465b621d860f73af8d3f6c195ec548d31e13a179a21b0ffaffd762fd48fb955a6f5a97632c4af55dbca3ff6ad479600bd96ae31f3204aa83407f8b8b1e16e497e26d6b1e64d45d8e9ecf7a2dde939cfbca025246b7ffe29fc2388aae16dbe4577a920e00c27975174d0207e458e55f4778c5a9e62954645c322310cf09fece830043ba6b437be2ad91212c3d5219dab65d10c76052ee3945fbc37ae320b016cb7052911063c65cc5ba42bd91f62371a0fb6dfdf5f79d179cb96e21b40a4bbd95847055efc523e264679c8fbdfbd89608a227e413619536ef2481e9b1e9c888e0c96a0882e9a0d3cd8fd3a152b3b41d8e
7c25ac72734fb31697e42246c33392201b5209e75f148ebfe5bfaac751ff30e1c2ff276b1b55232350bdc0183763833429e3e92d522fd00e1a6db089b89d9ed044886d9c6574b874eebb5d0f53f57cb97172d09a93c1ef21676c24143be15dcf7a9da0a9dfcd864d029065dfaf64a9f3aefc34598c40d374a79bfc1ea338f85918e1150aa97794932aeafa662fac1ecfdbc2aa798b1b73485a0d1f5f518e05c1f6625756237a934e5e1c8b018d349ed85f592d9294e5a2a62b90f76c29e2e031fb7c2b0d00fc6ce1f01140c3c9b38e5e8055b05eed83d78f1b8b004f3d5d3eaef72bb7e007d99d74b0bb171aa057bd8f61bd370c2bcf8223a236380fa5e509811ddd96479126cd358aabb4b3260c1a18a94e108ed69aaa11e9518c0ed7e3e57aac3e8f515624b473700777ce1d04bb181d4e184579eead6c344ddc948bd8806e84dc0cc9920d9022b56bd040278e3aab3085baa8495858567578cb3c6e4f923e2a342877acc4d201ee570954c39c88942aecbb26a9536d037c6ea9c494f837b8075075d6749c4bc34c0a99351a488367a3b04431459ec541372a55dedf8fa7f82aced1ec8e35aec3c7e5982d764625e82f5180cc2a80f9320dd83a69952a3058dab1afe582877574eea63f0e480e4a6ac3f97cfd767603b9f3f80599a928fb07242a3bd9b351d019a22c5a1a3e0be03ee2a196fb5bea872ea5ecf879347b0e0a90291d99ea55058df72d2968bfcca089e3aeee0a1dedfc8788384daad697ad0576a744182bfe2753800b15864a858979faf21e447548892c100fb563a6b30d6d3ff16179eaa0cdd1ee1e0fc66d14c949c88d6ee66a75cb200656be83f4450ca6c0dd082df80c6ee04a97bf9e70007fbd80342b879c2b84c7b1891e6b53f47e5b935247c67bdc86cdc14c86e138282c61abf08dc80644aa56210c8441d2a928c7e0114cb9b60e13b40c9439a9c45c49296b0b5965ae7d67062ffbf9d41ed4159085d00b6089b0ce0bc273a7e9ce3f2ddf551f1b3c3665fc2d10dac4e2474057634bd8f416750b093ea4ee6e2545c7e8d6c9cea3c6f526aa3a26c18bbb9843cdd6a13a07ba65ff28e54b30ee85adc3436d63bdcbb27f9d0b311eee89435baffeabf61eabeef68adfeca8c90c075e64f63d6b2706219bf37d32ee804a42e3893470a5a2e2262e02cd49d7371a65bb54326f1a770d8d497cc47018262db5bb76a5d7176ed4f00d37ab55cbbb09d4800e5db5f4e15bdeb8922e4841c6a69782658b1bfc1f8571ac40aef4cf29573b600f1c8ba9bb97b1a52938bb1badd102c9b886b13da8ca1fc5a6775fb2014cbbd00d44595d9ab996020e64993cd7d0a7e9668a736d9383063a807f455d3940cd60a778308d40f6b4b3f6c44a6a7c384ce205f7253fcaf58fc8722948
27aa0fdf2acaa80b13901a39b54a5c4068fabd3db4edb01395abab31fc93ea622fbefef1f1be3bfd3821f6324b5f2136bd859a73bfde1c2e1f03a35e39e511e9d75dfcd141961ac295731c12650a34c3d4ae62a520597c1a6796f0c9837c1d1f6f489a885ec3c817223c9e4e00b5316326cfa04ed0c96ec2982800f7e24efacb9d318eed725bf09985f568e2edf9cf339e0955e07c3d13c46d390977dceff5ae53574cf11d0bdf761e0a63faba357cbef4848cfdee7d6c4c8d0b25726272fb16d91b644e2782f24f3e9c8f248590c67da670854100eca4152665c8a19270feaf30fc7640a859141aa7891b1f31bf4820de7b9494c1eef30b82d51772813ab49586e15d60651e679325bd92fbd462d85a44bbfbe2784392881c5049c047d8fe58d492948189fe172b1eff1159af539a1a5e29930dc6075ec1cd33828fe3095af3aa657f58b2ddbd714d2a3fd9b4361222b4ac303421a8f956ab8999812d6e48e9b232d3a87d192035d90b5df5e02da633e0eaf432dc1c9a695129e6f43d399a7c9415455e022426c28063da8084fd7019ba2674da9d70f7f6a821e46f6dcdd6680c9a10b455626a7eeb736aa57b4a22d42eadaa207a517c8528f030920d778f43e61eea485220dc76c39a987eef36f3134cf6c11fb4cd6a19be039c8c6c30f69228b045054f5e92a8f682448143b0c94065d783f8b62365002a3cfac75fd0b4074a35b704a3de7aacb72a86ccabb9f5d03357f41728fbcf954befdd68a24bc29a5b9177cbefcc9ce022d5f64bdeac623b30a53a8de8047174be91f54bda1ea8f753aee703a53e47dc02c3f84676b743c56fd2b2516ea9f2fd4c32ba085bdd7e39ccc47b6b0ec9a41ce6b5c35ecb79bea1d47f7088963d2cc5e1744d5a89da8fc5f2dfecf5e10809d28b575c32536e6057f22e98f53c2e5245c633c2147596e75777b707c670a8339d69c4444979a291bb167f4f410dc17cc215ec3cee119869821cc925f8e432689eb1b73e31473eeab613966dbb11b0f3749ec4828abde9f28044dbe4437ba556e01f16f68a763b7484ab8ea0b14263130fe1f00a1171396f1ca7a2c8a0f495a9731a9e37b50cdc9fa88bd723a572002b07a7ec9cf93fa6d0deeb97962baa2b4b0e31cb14630968c9690ad0d278a893d1c345eb7788ccdd4b9337a6f5d2d70c1f28fdd9a1270b124f7772e843b8e2a849caa11a3689813b4ccab6cd43276fc64d28aadf3e8e7b3437c2f5c8a6f3ae9151c07d30860b27c9d2934478f10a86bd583bb4f2ddecbe23f4edff95ddb2fd4fc9d7061dd74f4bbe620acd61874bd2e9af9f70061d764a87c9abf3b7eb296f7a0edf17034571b7c28c43edfa27bc5a3e0745dd73e22d0bc7dc4a7d110bf2158e9bc9c8a8bb7b6ad1ab7ecb68f47fef387383
e8794507783e03bca6c9b671b4739c0f11f38664485ca3712ebc32f613ace20e734ca5755b940d9dba51d342f2611ac2734b20353c8c1075c7661f85c65e86fe92405b8c2032ba1dd5bca75af90434f911de577093fffae2195fe621c74b3cd8558a7cbb49861da17abb9fbc064c1c4955f8910107bf2989bd29fce7976d4500f537d6e233770b8022bae47c133f5b89088847d0ca3dde83547d8496c04b718496637c54b79a0503487f06e91f082216cdba4ea80b572b488cd69982e1352bdc9b0e544e068f73d1dd7fc2e5f5c5d6ebc22a0e6953c8b196607f12e9e31386e584ea5210eb666460b36e82bdf986f3f8ca1ade7bf79b9dcf1a6a06fd0a2f51271124db1ee9cb39adad646e20ae318e49b7aa8dbaae5f857b63ae802719e80105d3663cf006da07c9e06e0d40c7907f07fab03ab70dc5262a56e04ac7756b0fcc89b18c67642732341c25212136b9d325b324cb197612b30ee9b9f022f04ff454000858ddac08749670ba112884ea4b2ed85fabede4b892c554336c9451bfcf36d78dbd9ddd9767b550d0cf7ef7c264fced822116991445e717c8d69e975e3d9d541ceb413983a6d96426e62d2a921ec7600dfc3931f32d3cba4e51dde53e212fe07ee159ca4ade9e30d09f7c2b3b0fccf6d187d589535a3aaf209732ac42fe81cb00a889ad8b9bb75f1772c18b44d3f4261af589eabdf9b8e9b469096b41b2b8eb98078c9ffc798d64f81d043cd3f66744e86416cd4bc5f71f24a0311a4dd0fe4fc510d832680b89334ec7ff9118b7281928d7e4b2932de5b4082a677eded64c7bdcdd467eda1fa33b62e260461124d865452cf7491f960dad10a51069ba3dbb9f083c434789cf69c8902bb4969c5f0647967ca12a5f899352b3b024c576f8ce6b7dc50781f2465d1737765f056c72428207c2fa19fe1d3f2b706685cd7eb1073d491e414953322ba3cf13cf92dc474f6bab9d8f313475b0394a48bd78677a6451ecc945bf4fa497e859fa682a01778728717fe908e3d48bc82db826d9703bf504ddb3cb5c84d38ce5839caa6207dbf71a12d172c77c1ee024d3be331d0cc96a67927fad13efc14227e0ad78119d6880733a4002e3cb350653fe7b0e4958b0817599367aa6411da366d21aa606f139a3285e3e74a0f40e6bf85638bb03280e4c027b39b35b2703e15436c613ee72c7a0674a48d4d20ca92a0d425ffc8fa74835fd405406b282bd33620b314351e7f3e5562cc2daa2dcf5231858c7359c97a2226c8486738b22197a015ff487b5448ef37ea634d2cca81cad4d61fefbca05390bf40e7f27115c3229644c919d4fa094642bf85294640c521bd5a3e2141f97205757c4894997b5daf67a4a62dda7b38652c3fdcabdfe520508db54ee4c17f9385f14e61f5d70709935
6c979cafe94e6d298735f45cdfa27beb45cc223408afa53003f5541b066e5573171b00d8d53bc4396853dba190411c8b8089ce92b632bd48ff54840a5dc25965d6e37aa6395925a752fd7ebfce007bccc40e14c6f8f58304a3d0e7dbf03cbb5d836b17c3ffe71c2456f7f5147154dffda5cd403165913bb3486ed6e8c15b8a1e221a468cd0761e8d2e615721528879dc68124c5b9122e643ba77050542ae563871e048585e53bfbb4b34694916a917cd822bb773569b80fad04beca3bcdc4b58003fc2451ceeddae5110f5c836b759df3a096d0b577d5c337c584baa1e33661abbf15888a07e9d77edc465a39911492daa3a7f3854a081f1c099055ca034bf2c3051a3e3b89a3bba56d7d0394b8dafc4a5d32d6a2e9a459a72a5874da011ce1fba698bc5004fef10eb9174955f8c2e8ebd6fd879304fa0261631999ae144e904d58af1f8942dc9e5ca7f4d9cfe325e21839f1a5416754e3a8516c8cb44918d614060a876dec4ec9d178553af480f2ce021419e34c0c94183c6d69518f4429707ee433551cece21aeed9871baa3f661ee0c9d188fe58107842664dbfd62703be0be82b8434ccac61ea1e8eba609411a4e8eba9b5b706cafc22684f7c4702a8a6c04584f95f62e4be8452920ceb06606589a502c41ec5524daeeb527b84af3eabbea7b4cbef34b62a2503f32ee7713668e637336e51042a109fc7447f0c5a29b5a8daeb2347cd393f097f57bc1f4cce1fc8e2f4d7df8e1962fc8d60ef1857db7040147606d0ab30e6192c549eb49f22d93b3ac7dab5c309746d564db0c4b2a7298d9204d703cc6926423e0ef97fcf64dc459b3c709e1cc8cdecbd9ccbe0d9767bab9204ef39273aed5607963a86db08cd32d7294a1167404f0827b905a0d9d72440b221a637094f2b9d7a278356a10ce2791bcd5fb948c0711036192df7d0d5c48d1874351d90b385a81952499fdee3d0feec349b148cfdf69ef89b4ebe2b49eadb9a67e9b329c8106ca2ba96919501820294489a53721d194571c01e21a3a742862d0dcfcc80ad2533c35d68a40b4c052ce26c6ddd1e99f1d195534858ccd4bd86ebbdb9548d00dec3e65cd5e99dd701d86452208d00dde644c74a928ae4014e22c40646a5cd68ff740ce9e45a8df5cf11d7e42b7ea56f67ac9de7f581eb01ce9951c251e19e9a8750b4b08742d94582cc348589220beb8630d293d8fccac127e160da78f942d86e3b6ac03084bbd5c0d8dd69a6d9dd81e118ae7b703ba2bd0373cb93794f10584e0920700efe62c2c3fa3d3ab5ab310bb08eb714d597a531593a283a56a195e61d190410e9101cb3eefd7ebdb59c72735bd614a50693b8b5f8d60974a2886355ce6ef33290cfb0fa4cfef47db3f54742057dd6f449dabb06806736e96587368d0cf
2cc8d6b5d88c2880c58b60c28dcf8ef8b8183348fa7c958ed5867a13a897f830f6050b4dc6971bda930a175bf1e8922471362a3d8924497465c5db18371bf6138d7d43599eb498bf42589250bf81a17eac6876d939939b377c5a2d36034d0946b9fccce67b753e705ccc014560bae394f9433bce16b8eed5cb857cd575b4bf406878fb325cbe98a0ad637b90613a4d4fb9c59d9885f2c16d44fe43a5209c49b0e6c4d300f5d7cf93d3aa5483c5884c6a457d035c1a68c4f55ff153d8115584def9cb093a5fc8176f57699d9736a63d3dbb5cff0c286985e81026ef6ddd660ca636c4e2ce29b85e7cf0053850ac8b35ef628f9d26aa7d43aff1f9bb4bd4573df7fa4594aebe69d7f9b3495a2ad47a79d430cf9853c334c4fa0808dd39cdb61a009decb23137377c84422f37b2d37801d7cabae0ee026534d57111a549f872ef6c401a9f438da15462b8ff7b124a18b04d3f9f5f5d9412dd0b902f455a5b91e4eda472e2c79e09e6595e3327ff1fa25a22abfe7249b3b75d9d3c28514a156ea721fab6a1d5ab86c6651aed8e4ce344290bc50191a9827190c4e111cdd866f1218e0e580b4677e2f3dedb97b62dfc1707038f562ce1b112b154a008c87e7d7e0d57a54de120e06285984db8837486d9b88208375ad5e672362d6cfee921b4bd99f3d9ce654ac9746713ceba947d45fb77879dedd89cfa09ef8b36279a3966216bc7e6737f8352d6acf7839d547e6c8f60197937af1ef1c40d7a8d68b37389465c1a253f509a1ef224ace5d352a45103638b4aee55edbc86b4ed1b8c57bde8305ef11ae3b7dbfda735141d5c5109ce18cabccb84b84af3f5a7c7d15f47ee7b2ad7dd16165537e9cca3a286f0e1c329ea9aacf5e7cbed343388cbdfc846c09717d35037a73c48e0df81e0a743845332b783185824e43b09e4fb3c3af605c568d967a679086b305e1b20e31d83627d5a186fcdf6853134da031a6038f8ddc96b056db1005c4c9866ef831e20a14e29395102f6aae11bf7e9df48511dba8e0939362a20faf369a7848f12e390d89f5a6c020d43b97756fb4d9ae1bc02025fb5099fac5e5c60eece74b99dc3259abb6fb1a28bb134f9cf89ec17cc0ce8d76575c3e16e59e48271fee7193354e41affea19b6840767244b7903a4ea44d3c541301a6db9aa403dbc7f961b03b4e253ecf4392e1fc170b81a62594157271dd89825510c10c502603366b4dbef6b112b7a2c68f50f189cbe6a187caec6abab643abf8943eb2889a818f314b0b7dafb178b2a4898efae1b18953ebe25a503024c9d7cc61213d332f76871dc6e57b42ba6185fde1926a745c8660f433b16c10262ddce1f4ef61440e94ccf4ec05c68a350f7fd6bc53809af8296005fc48ccf4681eb6387d0830dad5cb6b78ea04463
3e9c07714d5231ff329cacec19254403f55eb1064b9d900babb4bdcede3169bd43c8205bdc10a33bb48952afd1361e3dcbee0928ddcefa310f262abffc71a009b57c5bec4f8c7376813f5858712d46a053dd4cb4a7b3ba6dc5cc6f14fd6ab8a8ff6842972b91f5478818caa679859639ec8c8d4315a4e60634e03b7d38f638dab4724704a4b1158a0ca18f353ab2567cc3c4af0372b50f2457fd58791aa15bac8f0e089bb2fccf3616df85d579d99dd36742c5636aa79a0a81d2f482d5e349c25f53466b8590deef67eb326c67843629037394937ab5f63cbd9b005fcbe6ddadc1e42607a8a9ebebfc0cc67102d78c3c30fa219f054f256fb0ebcb86dfd1b53412cad52e1b1af8db229187c0ac79ec7f694451705aa508baf79dccfb074a08518757dc1b1ebb6b9690dcf987c1e89192b611819b5139c1a387f111b99f64443eef1a174289e0b5a5121b1e049f34c2bdc44375852269ad6e79fad6ecd78400d788f337a8c6a4f763d51cc7acafdf26cabb4f2d4c26d7f041a876e74f600758cbc497fc3ef5a1562af0047a278504f321b219e81af6130b0a0c7ea0664e6e173a87c3bec8c9f6bc7648a3765c2e04e62f71d03e12f97c971f63c34f2be07d8e702744370e818a690ab2ac354dc43d0a57aae77897679665d14f9b51e74856ef47548d9ffd8879ce92fb17b37d0e82927901fc93bf4b83c26584150fdb31caa28753bc146a37f4ed3088461a79ac84d4b770b0379b303efe3bd29b03642ef42e182571943f99715c4e836dad10262e0b1ac46525eb5a04cfac7fddac48482e5144f3be1eed50994371262df1617e1c339ab0da7daf130cee62f1d8d29cb4d3a80159dbb4c2d76468dffb16e6f0121b97f63639f9833656b0a31882eb95de199c7a82eb9af95cca03a4cb0b16c8757e4524b9ddc0ca0defe255411ab47699351ea8ae0e06279769899c3964c71183850e7b17c488567c74547242b7b863c6d6add597b46769a4eeb41f383e79c8b186b77afca4875cb377809dfafe197e440d07cec9f1fc2d588d206282cec08ca99ec3b31bf38102a297ae26804390ce1e5a3f21771a9856ac0ac9d94519fa79b4cf9e09ca292f8f01c1ff6f038cd8f05ce647240ac71bcd3c1f1e561705077ae8551d218bba050ee59fbe09d983bd690703cbccfefa6cce9535f0cbb9365eaf1fd46a823f254d143c85f9045cf1a4d1432350465585f888ba1be810f479a97f1691530145bb5c0f77d01f607dc801ee3a2a7d1f5e1245183e91ed4170121abd7e7fac429c1476fc332e7d9ba5ecb4a63cc9bd343ec1104abab38504706f1f53bb5bf2e2fc2393389144d7f3871051aea5846c976e4f7d4f0b73d8299f0a545842eda16924b5008e31a5306c961f7dd9d00a428c02f8e37d0e199270
a27515ae73472eb9d8b20ce24053873cd123250efac0c95b86cabc4b096f0df6c9f69fbec30489b0f1b53d81c3331a2dac9435eaf7334fb55e0127b1097adcb21b38da9d2d674de21b836e836391f05de168fc4fc1d79c61af1bb79d88b422a9219d00bbfb997cddc992a9a85257ab84e0b9118069c25bbe4e539f850919b6815a776b515627eac1069d2138c7a847cabbf7edc86334a98882d9eaf580c42ea2ce1ad8381c35353184740d9f2d0e4e6d2f1c5a62ebdfb4aff0ab01d78586afa3b9975e32c270547e0eac603357a92686ed42fbc437535d4cbea0e67a9d0a24d30a6e0063ca3d7a92c167c2b3a5bc16f0bc7a903261df582444cfbe6d584549fb67ace7e358252f0c69d3c2e16ce07ee39b66ebaee381efdcc7eee9a45bc9ffb0a1a834a894093be1200f2128cf5de140ae726a569570ea1175592ed2708752425c165cf761bebe4c59e55deb288a18c7a034b71e9a352617d417a0b7008404732cb1f5a5de959ab865301e6a3526dab2ecc25b2f162abaf3e851e945a31c30e09edb32c65ff7dc25d76dd2a146f888ba0e2367c8479d5be598125a6d57e60e6ecfc362c61d8066254297e8c0854ecdf8268b83ef3be802342be14292d51dca07937dcb6a374651e3c54dbf3e5d8e8b0c956e78916612c6aa0407352a5f4fca1af086c212659a6493081ab05e5abc6a929b1c5c3a9e375cc8b5067ff145830d9702c7381ea21e21e448cbbbf19bc5d0efe82c5324bd15596ddd7a2e7da4f1e4ef42baba96fad664ebf06b178ae923cd76d0f346ea3cf090aa209d4e2cac9787804af2daad3436ea0ed675e75087a0e3e861d9e03cf1b43ac1354d525bf4cb0abb4cb5e32a55c8ff0ed9e109e10a97c0d5a651c0e066a7e11173218b17c9331d94a98c812e23afebbcb915e3bc88cd49dd74d4b63a099fbd2a270f1edc1c23ba93f2d8b0952f958f7768f6a5be0f4843ffd7cc0334adb9f21540fa356174b7f7ff9537477f78b8b5cbc6d59994fa7092aac0b50e253c9304904754c2b848141fe57400bfcec940e3cd4735300cd2970a8612de4f35571f12e77cf3004112795f38bd7344686fd378e14cb2a59d0f93f02ca35d3a13ee66be128f5aa341883b699a87365f15950183681a4dbd7626cb78c2324e7ee1fa5823239cd6d5b4851e06c7e4d1670117b7935211f340e3e8b398440aeb253c8c9c6b3ece94e33fa5c1ac5b9559bd485220b09494f82ecf4c63be96122864c6ac4595c6edb38555bafa58627ddb0a64f9a2890110a44a4a75ba83cc1713d316af0dc15105d7f85433db0fa5f3c1cc27f8b7dc170f84fa476624eb5ad8a9f74aca45bd638f19adb63203cb60a1cd61e1ca386267455f546a985f6ae4b1e0566daa33acae1db01b4cb13b513186038b5e2d08b8ec
0e1a0619b0c0de1e08ebc9076c25367bef919287e2d105da4985a45cb5bd34557f55b3958fe07185b4315280406207a4c28f557abac99b93aa6ec7615a405a83603e8900c013380ef8ffd7c5285bbb976f5f680cc5e0d67948f450e47c5efb3b3e4d252060efa0a1e4310bf5487480586881f49676e64a9b1b3309d75aae70a3fa8a967f0576b18477e87e6a5dbb9e8e1eb365c3c12152f140cccf6fad11218622053e7e8978712955c4b537558a5ca9ae6ed0f6d20d3adebee1c1174d990c97c6fd387ff527c3717fd3fecddc2379015461e0ef1270d03810bbd44d03c9548744990ab84df2e961b272bdd889bb59e588d0772dadb5e41461331e7a0d85e065c4016ca40a0b18c6163c3d84edea32efeb2cf6123d6b64d0f6b980f89ceb9caf62854fa1d026c0dd965cba5216b7d2755fa4c7384d77d006bd0bb0db39063dde7a6c244feb5d745c48a893f3f46ee091e832f6d114dff8bc0fb8be91060c28f2ccaf6c3aa3d066e9579829a7f39f36682e4e8e47a9c0186e1528a97bc8c155cd0b1e2ef43a6712fdf84546e84e18c1000e9dcc1eaa7f0138bad6fe137be123a8cbcc399c8f49f3854fcfbec9b7d034be5cf7b9b39c804065fabcc5dceef8ec6e9cff42b9aa7a4135c9e42e4da3b8c7db3cba3cde41917368cb3d2c50ee9cc81e0983312d52c116e260758270929980323ad9eeb5b29655674cbcd7a77b12cc6a89d31afcd831720b283449cd87cee6f63dcc55908f19a10c97e264264cc9f14264d5646c3728b63d8aee045b4e4a4f2bc9103b81b5ab97729b083e849a891f27d4a41f6f97a85c81f703695b1ee5a45b8e95a8d58b4c8efa5fc3f6c10cbd4aeebbee4ca7a1e2fdf197d8b01ab64c8808846f374f1ba9aab06f0be4ef6537f4b5cde1d41e281b45dc9f77b8e9ddd066285c5088d9bdd5fabd6ccfa6a138989c214e87ae9c21e28e0a3892ac267f3778930833d90f7d65c33c8990b43b18a30b730b82282a933d22249706a21e516f4144e08195c9aff5056c68c3cb78fc246cb255c3293254f325fb4149977a1c8d1ae6c17f47024ea5c267bf2fd52f91c42fa2477958683e33cfbb2c01f42d21c7cc7ac96ac9fcfa030030ecf95b97569466adf3663c4ab8428b10e096a03059c5db55b445c486dd0750c6e95f3b081492d193b4c3d879849f1d59e558d0c84fe46e97f85bd1bd158bbcbdb5058d66e10f4b785ceb39a2e0940295369d58e4ab3f9d360ba1f08a1306b3e4ab28d14d0652ebfa8dd4011775dc77410d296e0b9747ad446a851a1185f82202d84052e1f01baed09470a0742722224365f0c3ab00293a84643568b36c2a9e9db2f723b232982a3532647e8cdfe45f2ac4b348a7ca5f1b29b199c9c1eabb9b475d30727adfb73c5c631f75c030c2e30d
a1afbc0991bd246b5011e1c3b1663bd0d24f6d135b3025e6b30b0bd64c323b02376de98cffc6727ca9f12ce4f88e99ca67f1eed3260e26596a1c1464674b38da151b470f501e6f936820448dec3bbb564e0ce79ecd21d3d4d8f5732747e3f9c14c7bdfcda194d50c6da3898b1fe9f65a06bcf04bdb0c5ef86b0358a9ee8786e4f20ed30535c8057934a28bb8bc81909a779ac3a5ae9c82021b700e37b2c9443ed2af742f97458ea50ac965c6b31d5f12494bbdf884a66f81f879e4b1c9e28a191631ab71c7a4672d663d563bb0b62c82176cb1c0685b07e662b0dd0aa66a1c36666311e9feba90be9479b38a268a94ce26b992bdefcf04d90b85a7e1ed30883acf162a504b35ef88bcfbf933962b804fcd5850e4a23dee62f2febe03a63f6074637e75dc4ac3c33e2a8c0a794c0f7ec4a2eb99023ffb398dfec22bc0221ab320c11a004042775316eb0fd5c4697ca7a19de0943323bcd0c566816299810236fc9fe576f41be808a5442ff7b1cd1a4ba8f1119b6191c1371c75c61bb7bedf95226c0aea22139777285324f052acfec873de5da629a99c75f8ef70ed33fb47a2712127cb2d6b79e23657dff6eb4f13903d9e0db788b268d94368d332ea55c067346b2a13fdecf34e57ddca370a3d86a03f2e93a88c71031cb418afe036cfc35b532f60416d0005811398633af0015a5ec75f47a0183cdaa52e92a5813966adcba1e784c539f58d136f6e25a73dda0f33507b11f82a7bea1673f96d702065c87ee6408103610ddcb252a85bb22a2e34cd136b9720a8747508f5929908da6d9b2a3377fb9363514b24fb17c884067bcd6200614394eff78ec3c62660c006874c7a595149fa25f0582830e7484523ffbcd3094c0d08d22441debba0400633f4081c7306eaae9b38044dd11da2ab0436589a0d244aee003049f0e1347799679de5c8ed8f155cf648093fde2933fec97fb69df07e18b6984f4f4ecb2bcaf74ecf38d4eca96ddb692d977546e6f26e52d45c2a7de16b75fefa3beba96b36741591b46ba24df1a8de44768c41569458acb8605dd2edf305f00982079c93a6aaedc955992166c367476dcb8fbfe7f86c4446b5b014fda58d49e0651f0be952d76110541849921683cfced3178cb15f9920d6825a865302516bbc15c32503855658844a6b33767d712f631523ad7f56233f55025950fd0aa9732266243070bfaa7136f3f821169ba3d015d71770b22fa46632079c47a1a23e9c53eecb1b3f955bfb5350214687b1d943a5e77ff937aac9424362ccbf6eafecde9661924ca33962cd2ef9796b27248b20779360ebe11a3bf2d4459756ce235880b318dea65f9bcd7fcba6a33de5f50cc27047e492eb138cc4591ae1c5fe34cf6d3a64b3eb0d02ba2d22698e8678cb8d899671544e
de6b8921145a2849fff42b427aca7f7bb243d853e46ae18efab9107179ebb86f7c8a81ea015983273f2e4c29a0470ef8832ae2c214adea2b3f01936a3d2eccfcd6105d04e7b09346ed3aa304c2db87202c918658f431d579f6946f51613d395b984e7567b2d301ca8b2685bdfa0833c643008f89dd20a440e5b244af0035d5925617ed84707a5473431eb61fca3c5b10de22400a2eb0eddcd8a5134c7916316366e1bf8a3020739cedb85a4dc8aeed1282407526dd7da644baf2034e29bb6caa05374fde9a9109eabebc0482bf4b59875cb120b34f5e9ee8a0b85948e8db59b5fea4bfcd3caebfff3aeec731045ef384e2e15770dc759df8a09cc007717845c18db806f075cc76a2d156dbbdd3876298b677c31716dd37b76f4cfa635bba9898afb11d480a825b6f97b1515fb0b8b6e42a63d95122d6462c951a9779b1158de5eae17db71e3f2bdb86a4f09da628d828234a35eec94352e1388618f78b5f1cddb4753e4ec94204c36cfc9468d378d9ccf2333c3ebd4c04788de26de37989c82bbebf44c64f9d45a1e662fc25141f41bee53d890de898b3e699d6de74e2e1b90c606753168c893730df2a00cf624c3b34f8cd4a43c4ab63ea0a6ed7cd52fc5c6c68a57fda3936cea35f547535a45debdd69bfa886d282b22086529c2a69c6bc0bb6f11762badba6309aef54ad27a3e6895b4a90131d6df547a114326d2874483b2fac339ae3a934fc989d7b666903b4e90af08535e9ff279dd76c874341347343a2e26aa76cae3405eab7ddad8c3a60f8347d30d8feadc041549473d197955b91f7b738327c04ac34516477c1de75009ae8951ea020acc5a497043e970f0a67a693ac7b4a48e19d52d553d893b1fadadf219cc922a9aac10f8c7d7e0e549bd84657842d3d9830733396da1c1e2a88724b469171697439c884a379dd3943d10c27df424260ce8bdf91113cdba1507a01e59de6c0474852032dd54e8b620c9ba7c3736e34fd16c665ef10902cd1c596b2af6ce83f5d0add77b4559403756b79e041f5573418f12706053f4c726666b4d79a3df6fb4613a8a87ee5ae2bddc369175d7b1ac4d033910ad2f00b61fb1c1586da8ba4d3011899edeffe9bdba511d5bdca105adf1fc6e3d9d659ebef369e9acbc004d395a9f5fb96d4be3400b688d5f05f9ce43a7d87bead0b202bd588209b2a3e835f3804a809fd5cd1216bf93a14469e42ff95846c974fa6fb62b2021e71a31e1e66b3821780a90cafdfc7345e5a937a803ee4d3a5051a68b0dddd3ec70b7002ba20d54003de6d185e2e43cd33b87e6d3cc4589fa890054f39a40783522c092f7205310bb4216d08273a2467006d57c66adc3599995d25702a79a75eeae658aa06af9cf2492b4ee3c18e73965b8dc2615ea1ae7efa407f5e
2751b91794bd28c57f7e652ca1a50d9fdc0dc165482fc13801910d77cf4ae987a8e67d8e19fe9e002ab55e997b977b0541c7c8c4e76871ef700b8f0c47e73d3d4473c17ff30da32779b8d1b1a289046038e606590d5aa672c11c3650859c3c31b412e1385a7f5f4b9a3cf757eb8cf64e2f6298fdfc68d659eab6fa1baddd0695ea5c97d50cfefd518ec8357f739435170382b6033691b54600890e20205b8683c47d7d436ebf42c7e7c117d38175467f0d24af74d412ad77b9f2535154a012be7cc5f01242345356f24b64793c6e34ac53683b169db9c29ccbed4f79fd4174426bffcde651db4c796333fedf446a5ca1fd98780bfab32cb02e23dd2532bc6ee5cddd9cae2ecdd90902d01b22b8b2d522d8049b0cf890d4f807b1ef23a871362edcb7bf11df5a056f2ed1d855d9d268bed624587a29c1c2116e6fa2756fd1869b956e999e5baa07ded7bf5899e9bf9b92c157e93ce9d34fa87ebdd1c2d8a88e33acbb4c7d0dd4f4e469bc6249f93e1b11efeff0a49171dcca566f0d3ae8e66fe659816db503833351febdc802b58bcd0531c5f1a9aacab91dac6dd7fc534d6a8ef2f2b9549e0261ba19a633041bc73044c7c52406195f0edfbc223eaf922e70769ad2bcd00ffe5130c6e1f70b5b520ce3efd8cf2a2688d2965697cfc1108c15301f157a598830d7e0f38f6f66fa965e141233242c30f555dca8480793e45ec30d7fcac73f077ab5e6e10363e1039fc4bd1401aad0669d2b15dd5b6fb3c2ce020ed6ef87ed28f1c056fd48bd934515896d69011ebf8f2710603b546b61b2ff4283287d833360826bc8c10b51eb90aec5481a1904f52c2e0b6680863e52ea691db2f48a7f7dfa12a8cf26d3da8377e6486a417e10849cdf1cf67577343184d2b5b4085d6e1a933f81f77fb50878d263eba1be1246552d8572b36d8dca0fe9e2c90178f335e4a75de232d67e1f7a7557bda375094bc6af447522d64ff6b89057f8e467a90d8e7578aaa91cb37a1a2c886c9fd933d0a938d6483bf7c10da4e861e7e73077bddc1923da616e8c073355559318b2d518b0fb4d76d86a01af9fb2812a12819f7692db73bd4d9dc02b89192acdc0322f3fab51b4e27fd94454c891165e41830423ed14b9f42d6131d4ac22076a5577020615a6fb9e8c444cb2bae4b957f55d36e7708acba083a42a33bfcc0fa1302ba0897df69d3289fc9e3094a7ff849325b6c723c305271e369ba8e705bf9be5b78f97681edf1ab07106077304be151512008fefdea23e3bc84ddd0e03fd919be860d797dc6550f067122a685a58ff810057b0a1ff35545a62b617b3cf85859a5962302fb7f6f660e0a840f823039b6a5ec186599b9428deef3899ffe6bb69e8d4584daef04243011819ee52f08c7eb62146e8e43c7c3836
f9cfc3b330a56719ad32215896d23176cf46886a80cfe4961b7c29b6b35d07907e9d05cb66e2c5e1e7b5959ff1ea53696fdc6fbda789a16892eeff4f99a2f5b951d04fb01a9dfa4e1a422e5a75e7504ab530f2e5283747897af16b9e468edc921ba3a3bd4132dd7a2881531865e0a858cbabce180e9f1d20faf2ef90e8bc74139d608f34246cac9894d0872db0fe2b0469a64f7ba507be62d54f7cc069df2617f93ea94c888e1b7e1630b00f16ff12699033bf800d4680ca196ba4381a383e11fbb90dbb071fa109aa054cdcc00a9be4d0a118f21cdd487a14c8e02a4260b62d44cb3bb8de6b6decd86f461328b89a9e56137a1ed2ac6f72464262e0de7239b2b61082c0b6ec2e2cd8679c0669bf3f95c4c3cfbda5f9b6d01ce316d8a6890507f4eec10dc24e73599f5732d8fb388fede07545a6135fd72d8ae5340b189c83602cd9e68c4614297a9c73983825d1eeed7a6f852811f2853ab5d82e477e4048ced6cc74583abb5ffa5e83a256dbcd574693cb43663e7b555f19af242e9c232e3618e724d732dc5f5f402a9e3145db2c5d57e229104a72be2f9cc8cd9be7a51b8c364e4271731f6d2574db5523bbf86b6a54abe98e05e08378a50db14adab782b693c3e38b9fae76ac7a92d99ac54cc22ab02c4da5ba9bb2d6c061290fe1f718d27079881ea1b8c2f009bc30fef95d1137334c3e3076e3708fed585f24c566e462ec23217e0c743847e32dda3f562f6290d4d078ed29b67d3e8489199b3bce09a25bdc779f332b9400424d02decface9f5b035d6e4015da8c21b15a0de7d24176f267a653c518d48ab85d884345d5b9dab8a1b3ce718b4da4ac17557d4a45e18d8ad4e12b5dd890c226ce720b529bfc708055f2705282f516b76884a65b3e36dd5e3a996aa49045d3d04af3f1608ff8c8e128894cc60d434e24e4f7a37e43b848e3d97a233be44b0d871cb13337347efd0bd39236aa8ba98d816d069aba2989a871e08693ac0d36aabf9f816172b73104e5261dbf21aaccf71af5a23c24749506f8b3f607212672447a7479ee9fe0cfb8278cff53d16601ba84f767c9ade2f650a65dc98c6ce825196c0ad677623d7d08496abb32ec48d4e41b38765e47784316e59e29b800cdac01733c165d995d7a2da4364de947c8ba5a8d92277453f75da3eb0ebfea55f6f4a81316138d98707c26d82909947d8b10f8eede8c962a6971e43bc0cdbf3d336e1a2b26d8bc193d3f3ddac7d0bc8bf8469191583bfd74e3ec7bbe6d65ce9439b78f0b2b961459e33c15e5b394faa0a1031e81248ba57a29c5fb967f904dad09a5ec165e6779009c3290eedb2cfb436337f76a090129183cc06c6ad31916e2608b4f75bc937456909ef3e42616ea7a61632744b2e26b23a49a9292577491ece6a0c1f
ac4d8b799d73a6b851a45faae4c096c11064e3868f198931c0bb31684c73958083a4aa38934989c9b65f6a9eb741faf69471e8323db69e64488a3742dd4b39b8e48d223b2149aee19aa788561bbfa180786cd147d0beaa1353cb83804d3f8baf651a2170a240ad0d7aff2c6598dfff27e990960e307b6aae80a41ea5bc1108e2acc8281f821937f32434fa05aa4065663bcbf8c78f9d865fba140c4ee44394ab6618528f74282477f1bdca5e46fc6d94166397de69a592e7c8c065913742cbb7c0967d07a33047d9c4a4e01d9faae52046bdbb2bee22abc65cf068ad3d3265ec6dc1553c514ad41c15c436b98d77642b8fa63eeb38d6efd2d7d90ba7ac034337238a342fa1c6d7bbb1ca43a9f3035c4a5f16757fb521f1d45ff3e81defa599088c33a866ce7efa466af415ea22e54bbc60ed404cd12dc0a7d21f8a3b6211edf4feba8913a54df4f0c6148c41ffacbce903085f797481a93a20fb199abd400758d81746df44cc4112e3490899e058e7cb25e1a4ff90175b12ea03b5eae7ea66bfc54106c9d600f0015a43d2d322fa52bc7a12acaf93c38781d5bfc4f6d07a57a937a1a59eaf2277c9c498a878ca89fc7dcded6d91f54e66e563f06319cd818daf054f3d2ed62c13257862084e5246d1b99089f9239eb18403e6a098c354815d978dd27f4f0fe1f0483358c92821a65b7b601d98936b1906bae272bd8a45067826e4e0ebdd1efa253b0c178315c7ddfb658fddd1d6cc01703fb4b6a5244451d4b220d6a67f42de30df871fb81e416f2c39a8aec52c22d5359777fc624be2d7eca7859832b956c05c130930b7304194863913156cb36d5e772a780f334abbfbbc59269e71fced1b39faee80a60e5b440117bdbb9dc5f8de0e01de14b1551d85e96b6fc02a383929e1016254a27d2ce2e10b21bd7344707465488b8186b01e6ca347499c4ddde942b522395e05d0a681fad00618e9765d5945db954818e5b846395187ef5e1fe2a25be1d48055fbe9bcb9673f9b4d6d9a40daa3d99707c45f6b298e71c8a98b4cc6b4a838e0a64303c9f799638699feec8641ba6c3f97ad6bc641c193c29d1ccb9f910878acc0f486a29a8e9a7ccf4582b1e1fe0b71b8ca688395cc0bfce5851713eb34d4a4d444cf29721b7fec0294a1fe949ddfffbcf550b75b89fafddb2676f6e14b6bbeb5ffc357037c5db4736b80369323ec14e8634394dba9c347451e8a351a28e4bbb9265e18460b7fac0e272edeff89eed69e85a3f45c9d4b56225c34e3146905f40ed44a69325a58a01cfb6609c1b320fc80048f1ad7dfb5aac1288275653b6d07d3765cdb45b64f9905c25f828ce61d42f8c310addac2e74ce83e429e6c29249de2094e90015f432ceeee273db535f59a7b4de6506c7ea84665236e9a4224
e7ac6a3abeb227a3911e683d5ec4588a680dd786bd6b632f3b092549215440064314b8523768341faf0154925b228504f8ebb69e760451afddc79ba57195d76a5003b01b013a4d264605108446ab17d1d57d6838c62cc10ffdef3b02769246c7e69917ee9bac22bba79391463f7db1c3be1948faf63b7df86d39818265a5719f4b7f2ab0413efa5b87952e112ffa74ceef99dffd8822da76e2162b51055fae76a996e4dff4c02df53c108245217a8a9c65683fe1bc2710b7e29b6963cbb21cdaf3d83cd1a91543faf5226e2e77099fdd4a90528f7209347c44c195f2dd897d6b66b341540721c5988e7502e10c40a04a4dd5e30f8f380b612f6d651818184f278a98079830d75b8e2c2b8ae5a7d3d2dda66e6c889761f9613fdefc418013e691e87dde8e18b83b6948248f8292672fe54e6bfa709870c9cbfefd114734b70459955ee7a04b2f7b814b1b3535e64c39a0f157d81f863ac8beeeef806d5afb4350b28bc07bf2bdb6249697ee1798b85ca3078e3683b4dd7dc68e44a05ce5d0763a608f0ddfad90ba08652c8f143447937d1104398343d6faf6586d2a45250b3f5973c3deaf26fa4e4a52e4bacd4f99ed7e76668c3597404a28f31746f94c12c5f65b1b57f338cf936e7c55f6e9aa5ee608efdc4b706674bf07423a30e8538122849903c6a0a7b814a41852f8b4c1dd136c31f548f54853bf10fea0d147d420b9b63e4cba3d68b18254114c68cb21e9cb60241aac96a308b70138fd441d5b0d1f3fe589e4b963ed18490a45914bd40cfa03d4e130ff3be37b12b63052c2210e90447330654900a9c00cf8edeb4884f9fd09f4009cddf0b7ae23d7a04ea3d02871215d5b8286d1adde59dd572cef31b375ab5e9a128de765ece13dbbd11f7be8ceafb7cfd07debf8ed1cc7e2d70b8f6ad57f16272d83e3ff3087d000c1f0aa1ba1e380c12f4abd810d40fb78f160e03ced14c6ebfca4dbe80a3c398df7216f8661d4179e4527e1ba0be1bc846d76670dd6740fa4165e3eb6b7f0980de86c9f2bfe31780a9c8cbf60d046ac604b60e2d850021e79014ec3722f06ca33a3fe047043bd0326d54db57658fb3170f602b25ecd1f1e7e3e6654897974ef8ab0248d3eb4bf4860ec45abe703ac33971bbb16eaea69d0480956c298596d1a90487ed5517850c726354820f18c0997c9116f12c148de2a663fe4810c1aff6a5e05f350c42187920b98dda54c35da5f6285e687b306278fb9e429f8db1f1e38c998acf318456e293d182b3612df2505bd4e63769bce1d0bb23078eeb5b4ec09d92a1bb293c47ace0dc768b35f807ba31546a84ce3bca34b58e0a575763ffc308bd64c5c339daf909767ff62820c90c427a58fe9bc2979525e1209f56f708a266ce14356ed3847031d73c3eee8cf1d
2d27122cb432a90f35b19dd053ba6738a3c6b5606c2221c3d5fd28283911cc71eb74f0e397f1feca139f6c6c8e0f9f5c12786a42157845183a76716725f7e7e5dae6645a736337a49b83e152ca6afe45d6748f7f4c496f736d96e8b10ee74c71c003550a4be8bdaa56101b7d9bd0027aaa6900e58fcc77772ad493a8a613603c3bc32927dd2c2455923e924bd66c5d7ec7937fe0f3a6f2eba16463480711142963da156cb9ed2c1a4f5a3c541eb1358565687f6f6206e0414d610b4122beb2adc9f521af15af9db87b6adbc8205183582bf1c916d0ce050a0ecdefc24353d00d435d6b07ffd1eeec39b3154f654f733a5c95371168b86be13932cc0df2d27c487d0d6860be3c5c5e7e209157b32f709f2def27bc38662629d054fc4b51510b62a1a53795ad5936e8afc2a1f410334df60fd2a66079f9c6065868b75e2699f15bd07ffec14ffbfc54cc40c4a01dede88fe3b34303867194afbf3810a0b3aaa1aab621d572479c5b8dfc7ed5bc233dee16b56401698a9fa5c0d12b5dd0e3f4db43eba06bc3445ceb95e5594af8221f884fb6ebf7a65691eb7cb67e844e32ea088105e35e96cbee00c323bacb35e0607e3ec9ac48eabe223de34074925d459abadd5e76c79220aae51aa78d558c5d3dbe2d0bcfe8727337372fc414388104662bd2baa1e840d9d6e594c3e2f7e89d626208d6ec0a5e203530081951de4b62347488f79af8bdbd26c5679379abbab3a7ce861197292af472a71a5c459944b7439b13b4649764aff5096182c10a71c1815d3bfe77e183c93af8d78007c204862cd4022da552901ca37328546a62acbda72427c8b1c345be78330f623004b388dcfb05a6f5e007362f70da614d08645b2ad355716b8231946950218b14971ecdffafc99bb657995b7959b9503d97ebe08340edbc45e2714b9975161c56b070e00a0553261b466b198e4686f097c14ea9212feef595529ad03b617e6a1c6bca1d3cd23e321eb694d37bdc83f36bf23e3d581555366f6c575ea8221fff4b25fb9fbd69e9f024e7c5aea79cc96e66501eed51d4f3763a92dbe7ccc296f9373afef9b18bd5d2ec48c44b5c5f7f5255a5fcfca7c9d9f176fa5ab4ad6812c8aebace697645887b33463eda823b1285380db9a63aabb7057d8b7832a50f083f72834dd5a19e9099598fd155a827228a95572754096720a754c6cb488884bc5b2078558f39ef9135312271720ad6b13ff397c7d2f97c28f4ceb2286d5c59512f6d8859c5668d74faa8f13f9adb520ff42d18a7521bf5bfac4216d193217fa222178bbe75d1ef215dab17326d47fe3166e0f6de5ed889e906791edcecae3df5bf113884e95adbd600cb07aa372bb95ded3fd88ef7fb5397a243783134794cadbf514ce633089bf1059222b0b43a4e07
694a33480b180d10d5e7db4e678a144337e2a482f8e5d2dad6c4c15ec9f89ff641c46d2b5f77e045722bd706e6893faff3f4a2eb87a7751850b9092b05a9b81f901e2b180c1793515863b5b97601b20f26bdb9021fc20d6668fdbe555f2839c2fb275b10b047ba757ca3b7a01695a0407468e0b96bc8825ebba00273f21de02825f6db3c0d5db001285e5c16f4292532f6c9484f1b6e1d208d9c33621d66bddc1229df59eb12a27bfcec3cca6a83a2d217b6219ec4262e13650ed233750649d41c94c449659a09a7e320e0c5baa04750717b948fbb59ee30eef68054fc5d78af32b77593afccb04d31930c9c13874d3462845ea68ea7b4ef4e09dcd3aa8e32acdb473d2d6973f64846f8137e5a29505a6e29bb2342107b333c2c52f4dcae0114eb09215db428d4d870396f918a2b66fa02ad8e7a6831b6225428c0aa82b31d330be622d0439d0cab77cd1067c327b9b76ab619cac5660183863039545102db106586cc9663f4c57390fbc9a61211bf330a362644c23c1d9d61c567f30c661502961a55ed5135a273c5a60ac7115a20b8c6e0c544a252d63b446e8d36a93f4baa6af482ee89b72522ae090466072c7efd4e9577a50b89b33bd58cbd926281a63d776eed85982b46c5782bca2abbf9c2a4f494ea5373453b3ed9059262d081518754094367893772e2ffa11eeda145aea80ccb114afa3d41baf632c29777759731618b2ba0b27467612154db70052a3054b46705b30f48a543e36e2a80b6485ac73b650819fbdc0981ac5af93f930a93c026139e1ab88ffed59377d396cd43794439db3c8675cbc95865dc59f523cf60cc9458dc55d8ef9e124daa7dc4a2113f22f19dfe24e2c286e76b517ea0ee654602f30a09c58c46df9c48625a939eb217f0f7675175bcb2718fb938dc5e7c3c0608f73905ed94c64e033cdec10070d979b0d6f1f8c15c45a42eaefa27f3485b3e72681406a2b0971d9e106c5e538e40ff6a2499b627ecb5ff2fef9d3cd42812c22a965828495e2a89f2657aafbc389c21e8abdfc0f7a13346538d352c968c05b45850ac585ed5a667f07f33033c546f11c0d1dc150c6d9cb94e9722fd3d1b1a57aef79319ffc6d087cc60039840865f0e5cf978a06b5d18f08864d433d5310d98cc32dff4b373ea1ce8783caff58d1bb9c687abb74de768dd3078a013f72e0a87ebc88871bb3e3aab075242a00473566c4c13c17645d9df37e50a6128c7edf26bad4cacc140355df5b313be464b4eef7a211c2467cdee511f4fc5b803e4bef5ac1aae85e1c9b772d4d5a879e35f11997f11ff1a09598aa171c5c05d3694382a80d466e0ccce376dd92a6ee85e7906137ba3f934aa6a97761abe99ea0270754d73f9a04aee8853fa4350f55780393a3d156844fc35897ef0ae4f
987041b1166954f8d96114734a777e8ac21a7bd5c5c7b02f5cd38ad2160ac9060973a91a58c36c60564981209620d88ecb44b56fcec157cf1dd518b22b0da5fff82a3e444a48f3f2f1e3cc23a08847c99e074704669294ecd576378deae6cd1c99871a513b3bc3b68198e6b18b2913c3733b378b6cb54bf966f429342f959bdc6c3db2a53eb3bb20a31974858e7f232b4324e1ef0048b9a71244c6cd2c3edfa20e1cfde955e2bf9044ba4f105ded26b2c7a95ec1283849e5f5eb1c578580cb3aa2026f072e7256136adb7fe23918b3cf703e11d8a5674d72726505bf90be55447bed894cde5c266ebe02fa26b167125320e47da1229d4e7b6101c0ab3ad58a0c99c1a60c7540460c914ad9da5fccf3eb1e6970b29a801a2bead23270c8eea61d84ea0db431043a183353864b693398d96267d7375b483d810a1c717dd68540c82bf828ed7290fbee27362e66ecb4f00b7a97e676e06c319fd2b2db6d56f6ebd50eba9dd30a1aeae5892dd51d2442e73c4facb36eb05d0c9592a6a5544e3467aaf6707852a5b464438c80f3e004b761fbe0047e39043d10b4995384c19e8f0797ff770a12fc9914fc7707083aa7392757debe027b051fb9374bfbf826892b2d9f52dba07cdbb024126e77a65a8230982d8d5216e26d9abe79d4e11149b160fdbe2098f60fdb11049a2f33a53b1d86716902c238d83c587d429315c0e887c0a6e81b24c93ca6deb7fd0142cb781e0fbb32767d20c7a5e4624526aaa4547bc192b43854fda8ed1b64810cb79079de920904f5e35313d7acb8334cedce1dc173e222c374d85c74df41edcbe894d57829e6461fbc21532a87f930ea6cbfad678af4987bcc58fcd035550b00e73615e4c581adef7a90639aba3a37c913ffeb17ed58e0bfe8b71c321ccd62ef13c73b7526c322ffabd04713fd83722895432efdaaa76a162e48b881f830029865773559e648959f368b60a58185ea62be84f3116445c0def90f4db6d8c64ac032bd734f9cfea0da8a670d3227a99b0687bbd5f01e1cf45b300745a628bb61835976afc8d49c40e31288065894c816eee600d179fd387f85f0bb9ebaebf8c1fcd2361ec5ae837e9169e5f164e0b4add81daa50f8e94a5d44e5845f49fc07dd10a68cdd6d2f8102f25a2da3103a9dd6e60267212833d684e28f20316ffe1b663647147f84e3d7130731160ae9b35aa2ef8c83cfbaf2268007c5c896a360948a8bb4370f6a6b6612f1fc8ef38cfa514fdd33580f048ad31697fd2ec177d4d27d8b4f6f591eb0c6cb48972012647f9dc77f6091adc0c5feef2b188942d81febaaa8470c2fd3edb621f1fc953924b38802c563c2ce2c35bb57503d09858b90671f0847dbb94608a0956d9267bfaab36e58f17586fbb7b747e51152ed1cc1966b26
2c0a77b08d521a0cf8d9790b82b6dd54b5082b152ec06c8bb7ed3574af7d813f2de720a80a9145173d886bb0ae641334cde508bf49f34dd65a31e6c1a188f323258e782c819106c7bf5bd7e1ea0865dcbe31f04e4e6aedb1abf869f8b424d4cd1a9b4d74b7999cd9572b575c89ed30ae8c072f9c403bcbe237d06dbce991b05bf5ab04a1df6634acfd289d6e8b05b5cb252008a2d0fd2fae67ffa56c0ef17b6e077dad36911d9fd909fb00f66e20182f6b496d30dd00d38a3020e394f1b66d69a0043609c7b70c0e9b4c7ba3dac140c60767e463bad88631ee5af9757e89be88e9fb89a783bde3aac1e0a0a44fc5c820330822f3969ef9508e24bea9dc68165d7cb8a10c227aea4780e19a010a451893cb6f29656b34bc202b4191faf3b2c965ba3c3d750b77560bc2335ddaf63557f3fdb2ea421c505224103cd6228964aed3677b68485c38942860b14f18e95b2409bae164684aae856207b6a17e1aa569f93634d1b922daabc0c423feb28d7c4bb3b32b6cb761f01912ca12ba023882af2d80b215f54ac3aa6d4c2dc1d2ad9e4f88799ffc0d8b19b379827177d75a82e2d661b20d75c2620011f89592b5a6acd861706e9ed56a779272583a3c60f479864e667fc8e214a413eacb563bdd584c594ce633d3f10bee3713d453e32f147f5bdc7a4e775ecf20eb883e6d4e866fcfd99bcc41fa8e3266d48b97f0a218892233536fa25141a46d5a41f7ae4713297a2f95ce0e6661d2116a05601a346210f5ffc0dad79efd531156be2cb07ab6be8bc58ed98cfa69bab6ceb638dbc8d97b6d44603bd96c204acce5cfb677fc80e5f7cd9058fe77100fa41da58b4dde00bf5481400422a1e1ba54ab8e4b80c22434e80a2f016149f0899f6663bdf9a89e201ebb69aad3c37748b71756ab35c358765bb77d1289716fe89899f49f22ef736b90b17516e1cc8d9e91e172d56a6361dfc06fa10852005be0b013bc0a528e56da8b69e30cbde3567f0750f99daf96c64e35280245861c092de0865bcb2913156f08a84ef7ead5a357408b244c61b26e34da3a80fc82e1485beecf5377d3d95d77eb3dd11979789b9bc24fde7698f7103891419eacdcd32e5287e79a72db4338c986d3df9a04182e18ee200551ebce1f3351bc0728cf3b59d5d95345092625e9406d14bf8a53348e279e518096d98018af438d87686ecd02bf442d73e46511c8e8fc553a58f9faa99ae9fbae97154ed855c7e85caf2d980d267684c6dfdd7bc5e6fe5db46b4ed64567df9b38a71bd49ec38802b91c8515efc7aadb278381685ccd253f2ef88ad1cd987cb10ab5de4bd8de8faa6c567b5a072c2403e92976e87e1749b995d5da1b23369c70d7e009151bd3163f1d1e69755546882a1b0c57b1cf48fd62a8c46b8b56ccc84dd2
799d0bb0a3be9121eef3f860cd1aba1da5c4491cf117a09c330a08b3aa5c00c7f91a898ffa405cae4fb84ee3033e44a808b309eb89ceefa81e65bef7d27672b2e0aea89b8522c3ba136df5241c4ff20469351ad28e8f2e3645a01e0a8ac15181b247ac95b91a08d0f184d166f4fc19f98148f2193ad2a6fd39c9a06160198615123b884b3318821348cf5bdccb04ff6bc8cb876fde4588c3244e2aeb2e8d24b1775a942a41ac7d274155b8910c3685d4146fe5400c17e83e8288a560acbd6a819f80024e548ac5881d6faad171b6223c5883defb2d5fcfae9ef86d046bc7a24f69fb9b1d661178caf72fda94b29cf03ed188a7452a9e8fe9f0d1e0ce0c6ddec550dfa0281b007a752235cb63ef66ccdd05591067516523a813ab7186f2be8d8f88092628ed50b8b8fe3355e963ce181b2a7761640b6433596c330ebdea5437d2579f795810a1d1353e2a7eecd868c23debf3b417a43d71bba4e9114c64a7743e762ba34fbcb9002ac936e869f95a24d9558b952470f6fb124a7a107d2934da909278593aba7c7143ca0cf802f957a3f8e0557451c216f82c1750fd74baeb0a414786eabab18a5cb1826f9800c471c23dd7ad43d497565c078a75e3d02f6dc72cbd9488849389af509d5f8b64a4ca215ef6b148fb4ab9b52e72181945cb6d64b951976c34c315bc7edc2705838ae09e821ce5b1821bb3d5d409dd6542745dd5a74aa6276add2d479c6f16c1b868d7856256c93c6d4d4a2f630ff40363e0a07182bb4131eee6fbd18a236da2adaaf6a7b70660874d7296f69e9309668c75e4a5f8144f93348a4a8141c2d1885546047f343a096eb255735a9590b9714bb5263b3bcae7a467c6356f50af9d49ee572ec529f2bf3894675d554334c1ea92c5fa121de3ef1b9f74cd953aca996d23ab6decd343ac53e2f99a249fb988f4ca796c0a849798f0f97495c10b9a0c8509c4bcff637662696949efc09251a06a22c22603847584330cfea0375d8c5bdce8dc49574865afbdb3673a76d91a4dc0eb7e3adf438a8f0c8c03dcccfdedddf4d44abac93d84d8f73a7a4bd8d0bd07122410bf9215dca11ff32e98eb1739b26e71890a21ea173ff62382c56bda1514776e65d36924e2590790e812d24cd2aac5752a02dcca068a4c5f4eb69a707280721e755d3601a2a18ded5eeb61fdbe7dae292976137780bb94cdc30a247223a39f94b324d9d013da3189c2cff87cdb6c2d60b271f33094db4ef5dcf9ed72fc21244c9cd4be4d3328e815f5101643868abb4e50de054c95554316f3a827016dd9474787d3403472ccf47484cacf52ba3865dd233b99e6884bb09536e65175f4ab58e9b138fb659f29a216225a1a89c94a0a537ce70f69001aa8b3f3e9c271d7acc8f61da6d9f9b0beda683fe87e40
e61240ba431223cf98fed0ce930bf8e44edb42afcf54fc10c46f93b8c4d70d5b305507e6a5e2ed79b32085b7598a90659d2d929def4026ef7e9fc489bd22160929a0892c3897226fe63b54424aad314454ebe080e29ecc3e6172cf0f64fb2566a77813fd0f03df52f7542399a134cf6bdb23b01276ff2d6e2db82661fb1aa69388e55c087c3897309940477ed3e222f860eec00e012404ae81c6ca35f1ae7400e0aececf33348bb4adba665abcfbaea95ced173132f6d6298c2899cd6184f9e9d2f62e9d5c07177a3de17f59e7ef60600c3b741af36e7764ce2cb376ca9646f1134e89a0187662fe24c7be0973779d4f5bb3dcd05d8ef4e3481bba1d7199149d1b34c074640a8a2d9614a1d3f2547837c9dadcba164da6cb5899f85554640792f0d3e5076cbec862732dd8dda895695efbaa77ca0ca967630df62d746780e82cc16a066ed736889c9f3c533bc4340b3046ea8bf75707daaceee2c7582f179b1f1259b03b4bbbcc510768bd494b4ddbe27db9ac24aca119bc04175752328c5bf91e4995392c98d934ae13ebb92756e4bbb80053c1dbd56d7989a0d13f81a62f05a33653ea10edee1b38ce2608ec8c2ef69152bd442c79463e563ba7c5461ef96d170b0640a7566e56e510e66cc795f71d9d728ae1b235e72b546f7b3219d05c4bcc39ac269cf69f1c301d228060b8093322378b1684c6c396271cedb32989cb13da07022dae62db8a489b32bdc5989a7266528c5857a43f0cea8a8926aec1a732603fb80ff5b0342f17092f2f4ba5e9fc4e49bd96405824578c2543fb27c32f3299060de4b11c12678da6aa215e2a02cfc99a602405b130495b699483143274e1429794df198ad773abcfa16a6417fbe9fa64f97f8037dc80b0ab21821058990c4775a052079a1adcdc89deb0ecd2f1e916b0d77489438857c462ad98eb4d601e6c313c8c590e3543b4ddf31bdcc2fa83e193c74688dd1c5f8df7cd9b0401f2c67ea55fbc47fbcc3d8289d548fa058ac480d71d8d4fc4c48c1f1b82e1777e298002e97af72a4966807b9bee4f244cd8bd2a8c37ad5a91a520e30a43142ee4c8e9d1f106ce5b108b71508d67aabed8332800f1383514748c57b2d2689432bf826d7894ffe86f7f2e7cee69d461060f21b37de45abb6e7d15025bca8ff9b582a6fd4ac7f9d61cb356592f4a3ec762c5027af675d65b73a5ff5a8337c42bba72b71df49a0ed42e9feec65dfd4d96d79c7a4ecc2f51bb2cc056300d941505de6bbafcbddf7c663e48aa5fbe9978ca1789b794b6bf4fad0b7efd18c30a0e3641c4ffb3531d1fbebb11e01784279e61dce68db708f838839433ab24268c36123367d20cdd91cf0302452e23b83b3118d8dff460701ada0c6d61b7d054e9dc07d5460ea91e16103a26290962
affac4aa486c29e18056ab56dc87c2f0215ccb7ff553427bf38e76488b38bcedef19033fa05ddb5a4c9f352337914ed1acf852adc9a8355a231741ef9b82db7178a93f302a39dd1feff376a21e469a72dc59abfe41624aeded1a0af7a20d89551f8e4af0b1ceb5d934c5ee7e9cd0497d660d0d58513de8ec71f89384ce4f3047f5c5e599c444f52d7080f266785d9cc950d723ec588edeea7e743f477b50ef6d493cb350bbb867f9367b65ccbe52a03674f284a08d36bc50aab4a3f0c91dd68acf6d2b5c605484b94dc331257feb5b3b8128aab2a441d7c04eadc7521e6ba756e3d7e69a3a2f41cc71d7115f4adec5eeced9cd516171ec3bd6106ce196783e946a23aab8dac73f2559f59a998dae80cdc54d83aff7a88a9622bce3045511cb77de14789832efe7340fbac4ff25a7883ad5bca41741a3144a0f9c5b8d2f03ded15b72415cb3447cb621409481b4501eea8cfb8ab6ae53b9d0095aea90fb84c7160ecaa8d04b2a2f757a24c75599472e7c6f629279d57ab897ca4b84398f1841aa0acdb7cc208455e9ddba3db8095aa6e31a5e5a284946b26db2706951d5a6ca7b33354839fb8a424cced92f9db490534b27c93678e362b5a2c12041827004abcf80b3c9f7659fb1b2c671002796b86869b29388d5df277289535c976fb56ea1a938cebf824f2e9093ffa058e41264abb4eb08edb505e51c0f9bfe3d4f97e52e84884793d4db290692fb25cd68509390f1ae6869ec8dca8a824279a455ab7db604e563bf6096755f838e5b4087380035f2041426ac0014fcc4c5decdc74453cb407616c57ce736039464e998b8fee6d423bb377a16a2b1fd8adc418abaaabdb2bee541a5c312d8454a36b4b1c718ce74e862da4a9e239da612f3f07d529e46251d85629242c7b0d4f5370f7ecbdacdf9ee925d7b717455ee78f11f99c94ad4cc2f8c598e845226669251292287987019a6d4df23999c46783f66d9c0d1ab4df572c972c9e837993bfa68bfaeee52c98211dc9e0c1b254e7c23bb6a05de76d7005e2fa82d4d2ac444f31a45b31fbd4237f2805cbb18111e091f182ee7d43501c1e4e1ae69997d7dde527b01bafb92482ba3870ce8211b9779a1479f168676371e606ec9c4da411283c845839f2440f6b9373d901653a26e45ae2145ad6ef2ef5729d9eabe50cb51d17eabd72e08a61a428a1a336836eed361e9a4d1cb2f312d7b3e5765f054edd1d7477076db18592b8b880c78f1ad6b9d6e680729b906d8e44652fcdb628d7e0ac1b5ddc8ffa2fa26710aca2989d3e5dc0ad481829c9dcfa99f5560e3aa2ec5f11c1fc995a14e2959cf492b07002cd80c066ffd4bca1e0c5f8628717daf7eb3cbbbe2542e3f5a18c9ba54d56bec9f52f0310635fcf92df6a4738cdf845a3caf7b3859
edf9220f291dba1aac89c07693dd220763739798b687cd6b27d896a692536ad7e847ccac64984cf9ae18174d0c23109f82cc943b004e07ac6741045dc0cd4a302257b6bd4eeea0d0f3e7af93f1b3abe724ece35482f2afe205ed2265824302454e8a29bfc39e943232b7afb435e7517d6ce926c5fdd49ecac1be18435ff5665d0f724a2bc2d22f19a6c1428e2f686419b124cc76861f3070ebcbd99812cb10ecb357a0e1171ee64a67237762927adf9784ab9033f6b566f7218fa67109f9607fce2a4b8b74a3cd5a9ceafa4ce0b38be85144505c0bdc18a49ad0ca23051d563d14af02e2ec8147e8f2bc0bd30c69debfe2c170dda04de73fc777aea45027e56805a4b8c3fbf09315da5b05de928df4397977b26ce3e54d36643b0e229cfa6f832085fb3008c03e924a5b6232fd0a82c1b1b91967fa5a1b166c67f05ee6481d895f21aae704825fd44a635c29ac3ce0f5aa28262d845f4cd0891134ca5846a6b62ce7fc90a6bae5304eb0f533838b522a74365e6ec1957375d09c511d221439dc8f17d4b90e298815d7b9df23dac9a6adfc2608c062d1328de36b9b8390b330a99d50590d7d3f566e11022f7c066869422260b693c06e38b025157442b473e97b7eb2b4365e494f813a99c695447bd3155199597ca8ffe224b08d3fe81eb80afc5f2c5ca9778754251d8c7e35b063855d66cdb5ebd722d444c4654989edde1fbc78d2647b041148a159414b94805b0c76eaa242886d8b45f3f98489cbcfaeadbdcf2ac5ebc6b32e684d7467e63e935a6cdefaa3f78f8ee8a00ff9da25feb8fce6fff1033231a4aef0725907534f174e5386484fa18b781f3f6894affba4d496deeecc374f4b3e69f95a5997c8978a4e0a29c470b32864261d08d5679796ee633a6230d2b2f71e9f219df7e95d4042b3cc991352e50715c5ef56dc07afe11509d905b2d357bf03b2366582ff9d473c9a559670a4dbf02d215c5b3367a1bf08adb7cc5c208a2264906b67d4d9ba2a15f146549578b20aed14013f42dd268aaad8e2979bb51c5ed81988e6030b6f5082d1cc212ba2e2c8b8084ff0e72490f0d14048a507beccfabd6d4b683bd7dbf4bd65a45809166b207b187a310fb2558df0caca91362dc72c3ae5d2def3c16a8f4b96fef21f76d1b7ef57c93917976d0384d06f0bd1dd8088d777eb6c1bccd68fcd68efa860cea38018e46668210d678b248f53f83f0c4b922e8de99a6e734289991e1046a1291b249874de24687c24b3070d7e8024f47973570660787b0854a229b014e38ba8dd1d12250b899e46df956ddc02ee440a577756fa0052a305b3dcd21aa4013be057a6fbd43b579a5d57d3edf2c74d83114b96e55d601d5076eb3d113311ee1abae22fa5ea7107b8e20bce63e2806e395e86db9302fb
cb1e66a7f03158d508a06c17fd81560cf48196ac12813c7f1c7a2920121f26194210632af96a2372a96bab8f2b237d9260ec7e9c5fee28d4571c3f74a47ffc4303f794f6d161061c63eab2d6b71e6fa6601edbe0228a47e62b5ec8fe591c147545b74d57c098e2373cc1cda4a35d1c3c40a5a5baa4af89d1c21cdbc2c4d8ba4db7b3c58db287ab79f63ac779d6e812776e143a32e12746ed3b1c8cffde5300b2428c5eaac80d63dc69242c83f86bf7166a42a0f70daf00a005f6cdea71cc02a75490f185f6e3b1524b3de595df869652a502aeaa9873a10960387b3b8610e53e84ef62f4d211f81c8bbe4639bfcd02664574f80dd9904b9552c0ddb1f0bec77868f116325e82208b93b11e559ca17259c7c2be47ccfa0a6e87dc081b2bafb7cb9fe41eede8bce6c2ffb156294d436b814ca9b222339711efcec9e5dde3cb9ee5773a96a8a241247d69cfce4a51c8713b85d11e2fa1ba53adb8290701aed0a755b97b7e2c6304566911de3181a6515c056c7a484e3910d1974eeb9eb862109884781881aa681a43e1dad8780c4ded42fb4d6a19437e8d523ca01401e3a4bccaf17b3f8eb98e7826490ca1ee44df361c39c9e9f9623fa86c7fbe46a4a55b70576332372930c4768eb910d4aa4df356327ac851f87cba7637b991577987b46d7020c118452833a683f7aa9953afc3faff0997011415fbdf8088418027b990b62d7ae15dd99a2789b53f20fb9dfac425ba5116bfc0bb903a851ecfae1895bc86a1d50ccd869b29d7ae0b9a6833bf16ffeb0f65ed4be2cbdb742456010cfd1eaab378d1b394ff3366b9000a79bc0573ce4ca6ae5946650c94c192b6c84699ed64b44c59fc890e510a8f6c4e2430f482f4ed9bd7501790bd9f7362e34afe53a0dc6aae15dfa531b85c837af2ea7ac9ebdfb2f960e6a4d18890ee9afe1a4d2c7c4a2046e2d260fab484a9b62752fac90214633b10472fb143c66e41a7d5904750f3ab61f10731c9fb11df99417bfb57f277ac9808d7e1ddd05e4840c5fca77f16bda3ea2e8defbb0455e03df458c1407fd6e4ee34fb5b264f8a83cf1437992202c4bd4195f5abdc136fabf9bc6e04202587cc87cd8254e7393839cb35fed61fc6c6cd1ee20845b79f418cd04cb533e82c42e956d7bb781f1ecad11e440593c9cffc2e6ffec8d21e04c3f80fd29c4abcba1110f8fdc9c16e9f8f0c0bc0e82bbcb43b46b597b48b94e73d106553d51de33b5fce8c0f183446085b690738464f6ca44ab07d8fe63df04d9462632449644b970c5db757d7f1d8d8da3c5244d8b85e958ac52a34079f5712bd1e586abc64aee4fd75a62800f202a5082261ef2e549999a96a1ca69e7382b59a3f702fe96746a8bcf917ec39556adaccb91e84d0345d789b0c14b09a7249e8143023
294e08e55c69a8e15447d15e4856929051f64c760d4ad8501db3a4d9ae65d39060f27c78582f0e772b9f57eb748fef6a3061136f908cfafebee6b3295dc7e15aafe03cd975f9318560ea75002dc70b2e27c64cf8459c63aa7f1cd3abb5a2b28bb797b557c4cf05c56102deddfd954c39800a55db62e79bf256d763e8f854ce3d075ed2efd27e8c6d6558602bcf7c4be0036c6ada79ed34db5995b36e2da666f36f7bf5565c8f5a265acbd909cbb1c8b874214682e64a852f6aecc7354f81da36cc00de2c2cd22163837a7c9bebe44fc520a1564213a939dfa2b11f531d246460861022e78e7745316cbe2f212238fd22bb1e3d0813136b0ee7816b0db76e47ac08ff9a103d2b946d0b656bfaead6af2e3d766a853f8cb09bc3b53295d2e21cb9e34cbf4e8a6075e8973d74e8a01cb78b660149dd6c0380ff8e6d59430d542920d62bb915d74d2503d6a0b49377a618a757476f538719e36013409579661e04ff86f916cccf3a7aa895da4323364961c6b340c9b82c7200abbb1cdef23da98ef8a7942a8b633f7f6984abbead113210042bdd6e99b69f8d7e65bb1fff7d5c4c98a54754871d53440c86c1a4c228fec4bb090335c5528aff48ef3ce9ddcdb3c1ab44ceee0093f74382f93c5b66c45b9d9b2ef7bd92677397c9181f1f53d90c49939a4e9481a1d22548e7d6f727be762bacb6c58cc7224ef4c5279abe6cc5849c216c2f69d41460cab2e6e96a43d7f3b08c74b15e2f9af245c8749acc8eb7f93f19eaa2255f82a532d8acc5c7d7ae0553fbe847d658f7e47d2c770ac02a72df9cd764cd47e29a552b6d28d3c8340fb672adf10a8921a0e361d59e48eaaca7a7c931e5603cbbbd3ffb37a7f4aeeddff8ae56e5c37f1407a78a986c4aa3e19919e9c2c93fb921e72ae93c3b030853722d03cf59baf3cb086e3e3e4047d51c64f28ccfe468a6d492f824ee68eabb4dc6788a745ee23faa23810dc3196a7d6a64eb7a7c42ce6afa846840604bbe0ad77319fd41a59aaa40e83ff99a5a5d1543bb828894f9f1e79000f3d0fd21883aeed024ec5d0ff5190e7ed6ad7ede9b3524de15799b28bc2bd9568c654f9100a47a2e8e4d1042b2a2401ea990359fbe1ea9c5a23a8c9d52ed8b01cc65c942e136a862f7be5fbb30f438f8bc84d599bc18d4fc1275da1c1b3f64d03d25e9daa63bf2537ff257f591c55af5f56402fe83d18f9257527bad9b2ac65d35407d4b0a43c58356c606b85fe56c387ddbbefcda8a71cffcb29193a51209748d8021d5d123540e50954fc4131d2535681a6799944605b79b4de9fb12c0db182d6204df04db4cb28da9e41753cc3dee7658483efe54115bcb68017d65af0ed4ae29939d6c8da3b3c6b23dbd1c86877c9513fb8d2aa04870f212a4d5d0261d8067997e
4618fa3675db86b472589bae3f9e6246b83187a84b2cbd8194548c2651b2e32430835d6e1392c0729e5e718e5455c5548c7ade623de02991ef30b34647622c8961eb14d305634d59844af5550e99858de852451fb4bc9b589e5fb2960b1e056cac90d3c75b17cf2caf98e261a3c4f24d848902f186ff916e776f65e9cbc0a84afc58d7b97352e3d73d0bcac5b8930dc5180788fbceb260a0a8ddaf68116b467874c4a2388713f8aae969fe09fdf1aa072ca5fba6239b27fa1d1bf5a77a50d5334b61c855bc2a494ef4844471be8a02f04dc9b182e48bcf8f44440f897de9bdf03cdddc340a0a225dc4fc89b6a65f3685ee414e26bd9d998b7d764e6da265c15efe857e226574c16c5fd9ab2e7bce95e9c61b356f39029b7b2d293d2e96548ccb21637f4e10c5911c73d3feafa76f760c8eadedc2599e0f1330f95905e694b601028742518c3b31df3c8981ab7640fc86e6873ec0659e08375b7beaf648ef96b7061341153491199b5da75e217cb88ce407e1b5a1ecc4b2e7e8db7238ee1914834e2903317fc40fe42129af84835bf647f90af2ad6bbdef712a2a96cc822e6c40a65ebffbf37d022be19d16a8249640e0349da99e4afcfe04b618dece4713eb74ad58984f1625e32d9bd266fb9cee63d3c71ce16abd1ea5f6ea1f4a91b70ef74e0a919f34e9ba8277df39b047f759a8bacac75fac20ccabb5f2e6f60e3436711c5711955c7742dd6d9e8a9b83d5cccd5ae3448b25cdb35ecc8f20a4c34bddc374ee9167f7fcd2f6a2cee9672ba4eeacbbc98574db1988c71e8212e2d35dd0f303691c4191990bdbcc3fb770d59b0a90433bb2dfb3539ed007bf529702031fcf429fe0bda4abfc427a9fe71a1a94bb264ee88dbb8c31f222adffd9ddbfe46feccd67655fd944bd4751466a59d69ea36d910e2c9b4111a955ff14d46ff6e6afe568231dedf800a90773cc1f8f956617ac44a2eb6e64b88ed5a07b943321c63a02ed711854f4b60a299dad987a82933961600db05a2f4eb7846a8d01cc22bc4529502c9ed664cd90f5d2f2a4d50334b4c41f45838d5de74a6b2b558ea1d1b34dc21d7f7d0fd6c01967852ff0e0f40fee4dadb242b7b8e7af4cea79842215e4baf008ccbbaa475006f25340c392534d4ede113ea0245c73bc624af6de72d50562eee999a5b98ee53bd69c1b1bd999328456e154b7430f2f228749328e25233b5c598ec8b9e5352814fb3fd15a7112c0a8f9855dd55ff6b747777f93cd15a07f118657a267dbdc51d30e9681fe89851f5a6c7b6b4527a97753d0784a9f60406b54b47028407e177c43888278968fe637e336cbef51ee438608d052efa715c874fccea267e400a305c22a2357d9c5afda431e0adf26ca41c978f202792fc1589ba7ccbf9900e1c9e35e9ba5
843c864f8eb28d226b2f3c3212ad02100d8971672190f56a6e058f70daf9764cb86c36d677f42e06bb291b4ac3be2e1dadfecf2807eb62eb065a91dddedaccd8cce08fcef4488ec725be165765f60ddc628b555952449cd8a2ddd50e06f6244184b7266a2eae1db9a0e951ea4b80f1d973011a1ddfa3a0adf2ea03ba520c9025c3de01faeff8b74cd343efa2e886d18a50861dcce0941de826c5cd4cd9adfa4658faf8ca8f1bdd5fdd2742f55528f190b974c1d756126dd587bce6c0a54310103fcb750b4b0b97e032f7f3c1a64c5b37e51fa88305f735c6acad068a4fd8836049f9b1ba83ab3bb7301370429538601a0d2599aa1fb71085703f000f0f00ca386cc2f6600c0948caec2451f373494db089f4337cff642ab03059174ceb2a20ce3f8d2ed77ecde59855dc6a380fa0a9f1e0fb9dfd007ae1af1f101dd154ed5bdba618715261795b60ab5079d085634559da89134c141da8ab660c12d3e85bd90081478e8a0e2653d26c303bcc58721189d02688e9b7f0cb8d26a0c011f3b31611ca63f519fc1d5152f0aaa2fb599ee719b9f5e3e6a5e00173f87d9b3fb9eada124df2d95b0bceb55c984b1230f93bf8e114dbdffe2d7df566f596a628212bc50cac930df46bbcf3b28ccabc05f33c8c529e54fea057949a50aa183d2be6a17c3c825622793c0f8c93ac0ca3cdc1b748273d6f9a20cc09f2ee1f1bffd215a3def20886bab9047c227bda97d87752df8914d7dd0361b4b089611b5a4bce46fbdbb65709ea7b6026201a121eacad55bb8d0065555593d44d604d8c567f6ffa29d3f1cbb69b68402e85c0d5d951e74a46ffc4fb77711d0a3e28e4718d2a6d2f2118d98660d8920e914013caa24e3580ea7bd689f2aea02af380c1d7eba106c5ceced9e6070d00edd5f776a631fb83d021c0b410999c0cf55f0867ad828881d62677b3fa39c4d83f24b737220ed4f125b7c74cad934c3baf98a7583a6d5919271d7d7da84b360eac3b27a6505770f1b92305481dc6a0eda80c5ae69c90851e0283525020904fde991ed16da489bb25b2c82bdcb2a013130d49e7a35969497d7bbbfda112262a294ca959c005620144fb17448866da6e10cb6241ba38b1588dba72ffb8d04cd84e6d4ca0bc590f2be21aa223b0d5ff9ce06295fcdcb728a8ec85d92bc6fa270fd93f0ff4a0610c9904986a43d1275560ab2f50b3f5ffd5e860e8047f5c97e1d77d2643090508c3809da67ce192cdc9edc7f62941807ce1ff296fa1b8ab53b8da2d7e009be69e4213a0b76fb0bfd573f41d8bcf751686c41340713bfd76dc91ec0d7650cfa3c827631de51b70424d1d75d8f5e7c02d3344e2bd4d0eb848842c2d5a61f37b03986639a19b48974d943124edff77c84e57107974a4cf44cfac12d09cfaf96f5b
914f9bdeacf9ad1c561486f5beaa92c9eb3fb975009cea69df9c0b2ed1c2a67ffe6b9a32b964ad127cf224479732005f66bb8a3270b013e12b74cec9cdcf24de84f4c74bca46c58e1dceed2fe2f79d4ad4963b129396deb616f878c8efff2998d96ae66aa3ddf059369457dbd321fe13bc50debeb8675c5c57e20e652741cc9e9dd84d3b30711947299b438c3dafa4146f4491c799822338acb8355dfe2633639f199f44e4ecb21e00a94cae6aee4e283d0db21dda8b618c6660ec344c11904aefe8bb5d977100e8ee4dbef63b9f353130e284923efde506b315af747a360b8adf718a63a7b8d5423b32dc484df2c552ff396cff605a228d54913202c3f6ee7e8042a4499675735569481fd5ec03610cee19c161f524ada7461afcb61a75d1b4d8b030ef3cc7d9880d2bd7aac7892ad0ed4784c15036d2456db2f0c082cee850a6d7ad435575f821a7cc5276d628b5c17f0a02d9df2ca6f62e6dad864ec46531c49fbbfdeabf6391563a0b8612d79272f222d85226918f128f50cd94753cf1f375cda5c9c5fcffc326c5f2d9d7790bf55ff665f7ae3029f983f1e9b0d8de6c0d239b36ac79bd43093839a8a7e3fb02fa8c47f6152e00b3bc4510728bbe5f8ebf24d6125a781e5c88e1c71c0b84f0179020c849936206cd98cac5bad53934a44e04b1803b0f2090b2c090eda5adcbb6787cce9aea155064290b05504a58e9d9539512ea246f1119f80148bebdd2490d7542a393258583ec4ff745458626abb729244137b67d7566fab4cbf3e2adda931509bb7d7dede5106db43a7639ae428cb33716e91019f784768682a0f0484b0d3f61104c52029a45a43488595d70357457010ad8bfc37c38fd0ab5536c20d18e40718e04cc8ac529432d6168ed48b95790ee9c6581b6d3b3fc14a3a864d6858c58af0ff02689d9de1b47f58fc0a8fc5780ea1742204e73be47c87121cca8662930a36eadca33487359f1a0f298971d83ec5562b2a9f32e69ea409cfc55bdac633b0ff384cab1d47ab47ae03c435d518ea5686e038a048b5df7241e51e884ed590392968919bd32593d6af5eeebdbd12f55820c138fd6c77e74d247b3cb28a70216615720c4bfd09d7068fd7cfadf7293fd6dfdf13a96867cda9db64b71255bece80bb8e376b4628c1a0064406e28a9656286941f1536c3375b908072c42c63a58bfca416497a4c84d917b89574f736c99d821569e2c785ffaefc545e4560d1425260d27cddd471137f17f76b7dd2029666f0a27d3194644d366f051c3066639a34d8636db5b8991911bf15743b23bed633305c4355ac820b85e7aa6c65e95ebdc68afcf1214ce569ecb575f760810da7edd05f5c8889a6e9d9940d2705702990860f3dc4d93b7230e94b1e317192bfafe8f8b5cd5ab7b1a791
7a6dca13cc5956deabde65b1ba3e84e1f91dcf2ac6f0fa7c9ec942f2d7003b8167139dd2d6eedbab9d882131808a73c39554d3621aa75636ec73a1a8e30c697f4784f901eae702b4c5a7916341642f4790589b84b5c9a9f1999be3e29745154cbafe19ee29df11e231217e3475aafc3260f0dacbae05c74a9ed6c8856a84449611c67677be04ac0c31253aef76a3d5f6f431ea74f117fa76a3a888fa533b7bd84b0bea1948751790127e106b26a4c20160d53eba82f316c15bb17387bd3d0f9fa45005bc7630ee47538cae45ffe236400e4107dc9b5da5ced163acc49d85e2749208d218421f4e197be52bd75db2ea073b0cfa6fcec7ba7f2274cf7bacff7e459ce37317f72f084ee8f8dc573495dcef970a2e630013da40f5fdfea42578864d532aea7790e0319ddb4c93764b4a6a3d3269ac34f05acb211e4022245ffa64c46081ba910e8de2662a714e637d5dc0d46f83d85653799c7b22c931a5ee9f5b5365f23110721edd3c8812a5a124e0828042a9d9e5cf4934a3ee44a1550bf41fce8a14bbf372b01c3891cfab88560804bd838eb145ea51f219fa325fc175f38e63ad4fb30fd0ddf0062f871f3d5cdf557c3c8b6a02c2bdd7ae243193572e6df06281e3996b2e288f0375720afdc44206175839c50cf33fce705cbd6f65dbff9122946c8668bdedb016914e418145b104fa7c0d76b42ad8864ebbf916b03baae9591c473d60d3590c92e2803a7804c6012d5b011e96c6dd5248ab2c4e78e9402bc49a036017c1cdea653de71f4b998f553bb34a9b6b7538de01fd27d52d2d2523fe3a596f1c6e90e0da6ed3296d9690d3afe291f34d40ae76eb1bf7cbf61514ff3b32399794afba583849887aebe463814461251d08116c9b6c05db158ca15071e993e08ca0c49af4d23c1f7631df7fb7b5236d76d6aac8e6f8ac33688e94bf875c428c90ac2cfd16c7b19b959125953b2ebc38c478d97adf89921379a682622c107a466983e1d4a018dfa27608f21a9051535cbf4760f5631dea4df7758208d827dddeb18301af4c0f9597ace619b1e695647ee17770b85453bf2a3894ccb1894ff65616cf29327898ccdc544d64fdac5a3e4b01b063ea1a68546607e7b51465b58d60cd94c7b514a5c559724e6b1f802a0591e00b75679cbbc8eabbacc17c03f7449562dd8ac34249e7290f22d0173c5efb34c92de42910034f2e5ed65d04e6709355a9ea7c58fd5fe3f85f009bf204864560aca7a879fb5e26483c90647ab0d46f4bacbdf8430a76b8a94150d70b8db44340157d0b9fbc03225e33d63c44441836ddfe85649d2f1179fa96d5ec5583f6d01ad2e415b9683980f331843080e89110fd593687a6b767ac47b49e9704f26eba543c28dd26889e5d8107720d11e92a761f5021f77d2df4
ed85c65d7d86c65bb68f149be503b93641e56922d9981593d5178eb25570be83dace578564123db5db6058d98d00d09cda503372ab65602e3dd7b63fd8e2fd8fda5f53dc29cb2bcdff527db0d49625716334bf5e3dfc4224968c0a9de9258e2e0a0a6bf16dd6667ff4cb598da611120e330de93acdc96048a638959c76e0bbf2938996639c6e324181b1fc70c7ce91988c32613840b7b6ae89b5886e7592ef39353583c62fb9a6742efab711e6c65507ae8dc66e85fb09c81db26c741dfc6a2ae64bcbca671ff426ba3a2b4f23db884b0945e0bbfadb90c62077bf729e7df1b1c20bdf15f7b1d549c63e056aa31312bd32c1d455ff18fe865f4704f0b3c1f8b4add3b2d6f1b4d70c97ece5faeade75da3846145b0cf4d308e8472b41990bcb7ac1e7868eb814c6d1dca980583d250a50974474e9f79032a80c34f44abe3d19a04f4059359d4bc6b38afd1f27254c00e7cdd1c4e5e501e2f99ca0d58f5010a5bb19101ad9001491a69378038b464d793d4832af28a2e7266cc61b9a82c01ea9deea974b5e386a239e93a7e8f986915900589b615b780213bfa24f56b425dc7456e1fe70dc57d0e1bc3069b0fdc6024ea813e0e2554223b0fb1991d841e539104c30adb0a685c24a04fcd6d0409d2dffb949352218df4d80978c64249798213b6c4368468cae0f61d636cd1f57fc99cc27f9feac4380a896449562ebfdbdbd89cb567422ab617ccd41d674c400907fc51b12e1a9ef2b35dd1dea86625a9819ffffc4cf2bf0a090fbb323bb2b410b01355c6e036bb70fa0b5d7df25d0180ee48cb6a84be30beee9fefcfc386dc16146cb772146b2665786763cd2db1f06a44340ee6d942f426cab6d9988a14cca830956e7907232f47125b866ce223a58fc04c1440bafc8134ad0acf1dd2ef5279390bb842f1e19f6b39898616649d7c1ec8421236fbc779b1693c0030220002b5a4b5de78ba14caec8a9f578483b07aa13543048b28fe2403bb8a3a5c6632f7e52f737534a19e87e7fe60ae03d9273573159208332ef98be87018f024978d4ec6629c9b79ea490973464adfb9bbf2b84fadbc3015d8dc4dbfd372cc54f4c84d2c402c538592ce2a8966b44daf432f8d1fd0a9abb66debc10ff2f6c874815c596361064f935b57b26cc31571c2ad33dc9cefcb307684d295368e4fa8c15d490833b11a1bf787ca1d214ed705e33f139218369fb694ae42da41b2e830e29b8d609e51a2d793471ef2c474fb445d0b3f2d5c65e8418cf16f0fb0937f785005e8a678df65558987089cfa38d78a926c179a354bd40fac48843a7427a5c135e85710d1ded6beef534925cad099d5cb3e7af503bfff666f7a68a5cc36a4098e04bb65de79c81888b51b88537521579b150e5ef9d0cd621ea956820e8a384ae
98269c09e88a59892ea43b10b0aac13141903cfac8da80bbb60f70f8681620ee655cbcf1973983e6f24fe3070fbe323657179e7a0bd44ef5d619d3686ae06041b1d483960ffcb3d3e088e78b6e8fb6e8fb7cad6db7617ca8618c3229263e179de93a3b3a538b14bd060480ba0bff298fff01d25e40c4ecf8339b18035ee22f46c2f801c9a158750e5af4d358e9f83c7d849c136e23d509e24850729fbd32f2d7f10c04fdd70bbae22c2ade00abbf1fd6aae066894c1aad0d947b7c78a9a27a74e19492dafa1024724186ee9b3db8b72efe7d9c15405edbd97324870f080aa3260df0a2326992d796d93a9b0b727bd10ebb1aa4b252b8e08d2843750355d443f2a8a688898048810530048c2bb97104fae86fe8888e09bdc935a64f51a480bdc35151cb874616c21c6d02be49925d9e69196cf6d045c7823666d4902ebfa353f8997695e1714337990fbe98435e75c0ade4353bc4ef208ff6b389477e9cfd820061c059139781291b5cf213769dc429a34d04cf2606168c724acae08df128b468dc73d4965105fd46252633ae7e93cd2389cbca0ec43c03ebed0705d278468f84835a22497e88de4f97b3774ec1145f2dab3ec5c3ea9a03232f458e36e5964b25bb4b7391aafdda257a465d915629f0ae761ab62634e5896f566f2b09c9c0b6d0e7c477812f7dc8004b6250ce4ebc4073d9f0d67890edbba6bdda25a43369f0e15d358232b8b801790db2131880de8d7ac41259dd36c143559d83bbdea615946370697cf665f9f8b2fdd7f2ec5b41dd61ab00b207873c8db9b2e75f71b3d2f68eb4dfcaee6cd7400d981f59d770d51d15598f6622ee4765222e77ef70e6e31468c4704f145f48a9beaafe9a08195e2ed3a09ebb21ee183cef2addfa7b8cbea29ef00a06565f89fd8ec23dc1e03c236f1b706aede07aaffbc35ff89eae9edee57ef81d51ca0b881ff474d49264523f3f7af130b7e9bafb313fcbc9ec9d7ce8a23857d669294eff470937afff9a361f263a378d99b45697e61db08249ac838570c39687e4678eb9f3d45429b814f1f63e4b6cfb329b5639500050cdf21e014184418fdeeead744bdfd7d18bead1635340abc1c3cede4d65b5a5f47a3abcbafb537f0f56fd43ed5b3384dc8c1ee9875d4482d11c7ebd5541c37bd774e6faf6fe67db625d331b9a5ed366e45de2c1ed84e1a19959821d974d6478510d12bfbbc4c7c5bbd208e67b6f5ca526ba93a8f1fbde0cd8bcf8dd2e0d01ef54fa404e88c72180257c260148a02499f1d9278cd92b27cbfbf6da4c2de1c06453525c8193801bf892065c5f33a2390b81e84bfd146f8cc9b423e230ea8b7ed37dbc432f51e44f913b5a444f6ad4169e31df307a61a69bff3d26fc6f4fdb7191d4183de0c2fa7802ae0c23faba43de1b
43f430b84040a90a8f5096a8a382a5d0db6a0c305b817ac1a59f44b1243488e7c3d80cc322506f2f7045a2c937876eff2d5fc2d077ae88fbe7455569cc278b2fec421b80e6bb99c989c57d323976ca99f40785d8aa3e3e2c57489dae2b2d421eee284325b7477231cc38d5d40945f5813119f2263bde664ee72b9c3ad5a8b6622a6415a38e393f8bd815af4fb7ceb4ea28d28939be965f5e6645b36ec726c00fb747d6ab805638cc90d773ad3dc669e771414adb6fcfa9dcabb6e537237dff6883bd39dd56b0a57587f8393aa698c46783616932d038c84139f3483179943a29d217b45c8d80b7f03ff67c3267a7c3316c2c5acd3914359bf9438d5bf93d6a33cfa5f86a142215f87d9becaeaab6173e03d292cf9725cf9117d12a9230b3871aa56dde5e7f9afc6c026d88ffac657444b1b07579bbc488c6f5e97ee1c88e90a6af2cf9f8ef9dd8b08980f9bbf1b2353bb235fe9f16677f20516e2cfbec3d4b2eb3bc1c87dee889ab2789e3f3e78b2da2dcd03644773b88f210bad65a1fe92dc71d2bfb55798c7a3802a5f9d9908b4ebaec5520d09ee1a84ee2c5699c9aeb53916647bc0096f329206ad50308b08aa2a7749e42dda9f8319b29d3f30e0c113d5e3564132860517143362dd48c7487e64065a67ce5922e76614790eea4a9f34dfb22170a6b2eae3590fe32c0764e7b738f1422664d23af10ed6c55f7b4e29c31b50a93b933f860e03192c39fab3dc9a1bd962c279bfa302aa80ec9fb1040d3b1a9265fcfb73f13ef73c4fa12151dbf9704c6f89d3042bf3c27c646bcf3d3b2f3b623f22ad71047c3c5edf248becd4a1064beed0dbcf357a086bcbd7bb40fdfcd792ff2fe3edfbf620e80e816c08e921e1688cffc780959aa2f3a6c3b18386072f17ad9936894e66b0947b3841dd18ed84b26dffc62f3f278617d681fb5f12bbb2b0cf7e6178c28ab32145ff7930365754798ec20664ec52f707908733e25f29980cfc7c3fa152c3a0dc3ffa80c53f1927e78278a5f06c690586ec268aa253aea10b48b49fb2ed1ba4e76e6d096736edd66cdab50c8f18e0c9be6a1a187ad0e7b3ad6facde6935c7bb1c4dff3358b5c73b306557f18f3924d8bf877fab3292d22257ac0098e4c9fa5b2a0380491b9154b450a8f829feff76529671d3b8ba957d9691c8b551ab0faaf6c2e3289149b96f46fe28ecf63fb55e3bd097b4e41fc277de00ab74721df09501e12a95c266a171dd15bc2c29564af4089efab7a478405acc384571e6c02f5b5ac8cc36be77daca524a1f0534f3d2dad60e2b6a54cac6225876820d8ec00ccb301f27724116836577d60fb96fc7f0b58fca0415be3c04e943903b573ff4ed860570a6cfc6ab953a57651060c4b359e1e5ab8aa49c7e571c8bf9a638d03db810ea3
0e58ac093563f5c675e56bd8ecd7209d13d0837b71c6f033ae89bbe7cc1aae7770e9ba52124fb5ffd929c877eed4e79585b7edff46b8aab917198ddf6a74d573b9ccf47f3b1f7d97cbe7a59bbcb2f0ed438eecae94f7006d5c14eaa14e2598536c37837a071cd6ed9b72c878b9d1e81bb215e76ba0cd4bff039bb2b7c4db87768099268c1b9de5041c3243315209b15ee81dc99cfa2bb034211b89f1a944131583f1b087f72b0a63bc1187511b4f2d8bf339b73faa6162d926dcd77396f0e39b533b657296bcd6e46475dddc33a1436fbf7e2b23e135bf87705f3a76bbd119d9d4c711da75de651cf8f02d8d48f8f7aac3457534cb2c45204ff46ea12190a7661e3cb82b56cdccff9f96c6710653f28c1b2e1ead24e09ef2be6bfce7f1880944fd1b7386e0f70e992fdef00abcfb9b277ff417e054bbc075b79d23dd9418d2bb952db441f0e92712e0a17884a60acd3446127719aa1520321305e2c47d670177d42415500d726dde18bceddc2f4ab17f050dbf20888257bdd859696bd52583acfbb55b62b82470425472b4b64a02677fee8b4c4fb93dc36fc415b08fd0f7bc5186ecaf82b24560cab3a3bb79f91e7d8a22bf8d59efd09426ef012c485bcaab4bbe7c5e42c69ed15557e630c2c97aaded06a18d51aa04ace19bbb97bce583cf66191b94953b0f070b5a32e49f160c5af9855f1ea5e02291f974175c30830e95846e2f3ce2e16050f7109343abcecf018a1cb389549d7c5525106872c74db955e4f33f3f86e38c5dfffe45686bf35a84b986590f33d57530125ea3ce3ed31d4295847c5ed1340a22218bc3e8597bb2739b55eee5a9c3c998b1866da55415a4bddb9cf22bac8dafdba6178eeecf9b9e04154857af97170da61c67d4a4a9f6ddb23258cf6fd1703e7220d7a0d14830cccb0954d9b4921b62dd976bd2522f2b2f86113ce2fa875f26d58f5779b16d42c1d4ffd0738b4489c2b2ccefae55099f8171d9b1b6398476b6be2fa9b789e62a33e66d61a5d7ff10029dd4e10aae05ae40e12e862d2d98ff9f18b923eefce9b696e2a773e2a89ec0fb332816d4349de32911eefb35d715c0fa865e0b0b78777fa08a88ce256ed754443977c3f806da9ca26a54c5823610116460c99afe44a678912915532e6320bc9303ce4f28cc144d1d246970a83385124a9229027c211727dac815eaf9a119fd892a7215fa6509fa232881c80e0a3c6780b928485ceeaba80830d8f9abaf408d1c929a120466e057a4d30130bbee808e25a6d5eb57ef51a581f5322670afb48d40b439ce0b8e756113785037192ba57b4285be38d4670829f863dc33a3fca49c8f58f8953a3e2ed44439b923e5c398b6e790cb79cd8a844450f086e770e6c206ce74968903136f0bbde0d212bd1890239054f2
57a5b0f81805b0dfa9d27ce6d6b2feecded46ecde172e8699423656ad431c5f6dbd24e2dac50b3449e789fb6e66521756f3753c4422afc49051c7825763599916e04bac0554a9f710642e3e024ce560c7532bb2a3a38073220e7c3ae2fb39e6e0133b7d210a806a9b88f4e13a7b43406405ebca415cd6f363517ec828a5e704b05599623d8fbbd4545516297b8bca5d990bb243c550ded2418292282cceb1c80ef7a706a3aec6e695a3fffc3f5ce37f579b986c27ee81789ae8541d3bebf624ffda6650a27d4aece4f1cb2ef7f13f40c2bde287cbce7c400ce5f508a44782560778409d9cce8698210c38ceaa66d03f8a02e777152068359464742570088ef5c475a5b542bd6c735bbc75f33f30127b0c4a9c4ec179e16fdb2a459dc0dac4256568041a19fc672c8dd2f67ef2d870ea59520dbedbf1e3a64fad80d167da484cb2ce92d7e0828886deeed1b9838140a8a9c0c1a69113679159e23dbd37f3d7779eb721c71b11cef8b14d976849952ebb54245c19b0b228701ef9f951f1e3e024f11b8d63c44a0562d6ba3ff30d6c3c644331c3422d6335072c77b71740c197640d7d5619cdd8e2330527b59ef15d0b96ba9ab8ebd775f45df018db5021e87f73a719ac0be9d36fe02735f9f4f6ce921883a52b05f2d505676cc49492a70284c3c590a89c074edb0cdbc6dafdda6e7123774ee64618eafe99a4dff441b004d32ef408f701cf35748b9c9e60bdf97c4c2bd57c5cfcc67a426fe5ed77cca7678bf50852bb1fed48b7a4aa1bf58f65b6694e79094af25f5d97f96aea0c82ed6be5288632fa5203eaf9521e5e19a13e4f24b1dde4058393be8faab1b077d3f288d0662205cf4226ec21622f81b0aa2867e1a565e4a400de4a98683ae8a445ac65f59b78790636dfbbe77258a8f568b743fa37186658d185740e95b39d3d9756660553458fdec896d65a456b5ab5b96326215fb73830fabd4d4b0442816197992a44eca9f618daf658e090e6e4fa16cc6529e37992e4ed67bfc6d331a6fd2299ded2436e1d086895ada95abd83ee0f1d72601dcf77d36eede5201c8f6eee07cc8b36801b1f5489f4ded0943da3dc349d93832bca8d741eef51ad0f73f1bc9ca8f0a04b053bcdff7a11662660b11c6ebee6a74eb3ebd986ed6a88c48a9f2399d6e80d70c6b9a7e7c0e5f6b805a3b8b6e8bdab6f2a6da910736c208db7938489aacd44e82782994740ff32eb6626a3b7030404ddb1bf5491bc085bfc8c741e7184ec8c470d6affbefc4576263a3166961e1c504eee8637e228c261361fd87a5d420090ad06aa3e39540efaed838556c019970faf1306356fdcfd68b428a818edac3b9dbf16d9ff4b0b8b45fd52d9eaab2dc8e59810050fc88d1ec8ff89e035ebf9ad891aff06f6a9376d229c8
d71990b8ed6431674316035cccbb4d5d1749a2fd1b5d66d9b2591a046cf192544440ce064d821f11ad40b2cffe83cc1ac18f4fd1c1c072a4576985ef15f31d5446de6b36a3a0824f13041bfd48079d3ebf543c37142aa6dde5b87e1d4c977638a649dfd07480c85beacffbfd1be7e9a98fae468bbbbeca077216e7946e7f7bd2c17507e05f6f81965837f60c1836e18d8def34b1e8ffa0c2f6cde41da73ad051781038428ed3a0550585c5e1b933ee11046b353020344d681e9d83bcd21158095387ab8ac66b16d920b2dd1f8e4b8ac9dfb594949eafd31b5e3495c5cfd5f9736d95341548ee003a4bad9dd95a4f480e5f61f961122645e11173cef83749121a77f48ed2ff3e4a28158d87c1d4602d53aca09f071942a88a653f9f70c27102030872dfe56f3148ea6cc1f4eee92d45ba7a5dca60aa9c4cbe832ae0184df7922a6a72fc062460081bd2964001db833637b428f7f913d7d7641fa98d76d7eda3656da056135d15f7ae5b2ca75c6f5e606d1796b69893ec828a41236f39da152bb3e742e82fc3ee7b62dec3f5ecbf4f66baee9b3f86ea642fd543283f97128aacec9f54cb132c6ddadf709f2ccac623737a53b1bda6d355e01bff73f1c43124c4484c8fd9c11ad736e442bfa4ca7edafcc1319c22485f04fd8ef2b536dd02bcf1fd241b25c4d4dc7aef109750665b8f9ec0c554bd82de1d5ee6da379d6220cca2eb14c8d3db2617152e448f964b2e5abb0f921dc8bedbfa1ea4cbf922c8a1733865a918b228881443d8fdbc3d5f575dc39c94974da3af4b22b68a5172bda348f27359151096ef041d4d1f8fb3b204ddf0302dc93286dec600088b4d29c6d3f55c1d5154d1e56d454f2a7a22f65a22253abaaf10ad6160c3ffb9f76531045e01b2a4bde5ad042ab30e3fcaf3e35dcd963ffd432724b9f03692c2cc64a31bdfdca3bd8949c1e3377ca332e96f15879eafb95c40db9bdf3dd34bc097feac69523c6c29c423923227abb1cadbeb710dbc2ace43e6831b858fd4eeb8fb2a540349faadce46397c71a7e0ab45c6e8b15f03f43a8fdc68dd0ec475af71acf4b4f7a13bd116e10da73c668e72646ca02946961eddb7565a08f40f738f23bbd84c686c76540e873da89f19e2c33f57a918a1043c4d182b4dad50c86b2f921d93820d3550d12121c8ac9681bf757e64283add0ceb4751d5428632bd24f52eb0de77eafb16e86824bc9c21b518fe1596030f0e27015908cde06bfb3805dfa46a1993c8cb2428433d8ef60c92a9be5c7bfc542a3193bc2cf2784647906761816aab0c31556fc09a603f3d5919f85275591c668eaf161467d68142e5bb0ed0c2ec76d5fd653205270c96eef8f5357196fd3f4b1bb7b2a983c07acc261eba25f2fe3b255b22e7dea596deb2df73fb47bd
7cf1070342b0a59c6975c066d5d7b5ee7e068fd3d9a0e0d9d4978bf97caf551000d9cf8b2b14b624d89ea47a92469a61e85e646a6b6a571a37302b13db3657c1d360a2bb336937859aa98607a41771c5f48e762b6e062971334102823d334a40396df9dd8cc4119675df5b8ab3d0965fb5f18a6ba9afd66c1ab91dbc49c25349be57299635b6168a85fd6b682bd3bdca1eb8dbb0816f7702117008e40f7beedd509778eb168eb0bcea8b229547c55048bdfeb9f76324070542130f255badb471011e6d110f459ffe53a2b60c2f2a00ddb272d34a83fb2365bca876b03afa395ae5d2c0f812affcb437a9f84fccf4ff790c2e43991d7a5757696d7ee6e92ce9e0e6e198f2f152e521dccb88a31616be1412100ce6dff66e3ee62b68f7d3891a9f5d938e1e73930d21b56076b9ccb86fed1ebd3311b7874e7a586ac0dc164411765d595c208539ae3dad52c5aaf8b9ff52ec2763eca5e1377dbf172b3de84f6d38beb5dd8a1fa885f5da105fd707dca4f744fe659b096deaf2941d1bb2093634f2ffdf38207a77673cc613bd2d2fc8f61f21fabf960c89b4adc82e9c855aff1315633769efecce87a24fced0c14f3f1e0c60e2a4ae3be7bfe2858721a454bd33c460e8dbb6e2aa85ec47c845cc5a40dc755f78f96827f7bdc4baefc47b251d4f96e0c170fa5bdcf3e1461893bec60a9e937489ab9c2c3af32a333da69af97b516b755048753cc99759cfafb51f4e4aae449bf322ee52b1ed55510a14a29b689c072088aeac0cf45e34b039111406a44bf7162380f35088ba09b8a4697bff4e5f6d1c69c8fad4610b1ef51490ef964c370fb182b47f1863ef451c5022399630776c43f33ab69d5b7d90f38f7e01059e3ddb3f4e89a73af0726a9d5609dc765cfcb5d1047980bfbf82b3914897adf8a3982d516439a38ac1819e6ce1379863878ac97fc4b5f2ff441f5f574e3630acccc51793e952c7e6063fcae352410e04997f577a6ab021725d8e25c1d101d584eb0ce9b5fb547566c906a0a555749f8ead9a9acc791f2f1e4e7233b21657f05ee2d75e4fbc71f269d2ef05615f0c933ab4d7ff3afd64b21adcf7ddb555d2ee6059c41f6a2f57bba943ded97cced510bd02cbbf52f9142223e2b030f8171643ccac365e89f3d322a7205a0aed36e94c1e300f31c9d71b93935d4ce1b3a0e42670eeb76b9b6002e6753bb8747c73fb7a0c702d2df14a75a5d1fd85bc0094f348505454998c50ea1aacfb8a63bc5c77418a103d8b6ecd6d0d4a481237db141fd684e64a0b63142631180e39eb1e5224bdf21a29f576ad84ceed390f3ef1228c204252da76f0e3b15bd426b1ce66727c1e700a0583cd716362607c0c09db433948dab990b445d005c98f6d401242dd831b0bc9edfcc8fe1bceeccdf5cc
c45272a45884bcbc957c0f1bb8d2fc3a625eabb2ff61f83a95a99c6ec0e1752ec432205bc248b148d1dfaba0a9cacf8d54d6fa27ab941e350835d64a562f2026a1b29b2f5199782b384c514c19d1a76b20cc824b510c3317100afe3eff9b01a02380e5bf46bcd373bb756337ce8687702f5a4beda1d25a2ccbe3d53fb00c957814318349b4bab4c9211428c867bf42e6c625379eb0ec5b75122b0ce70efb304a9ccd708df5d60753aeefb0bd95f451cadc34900f24e45366753c1efa92131d2effaf41bafa3919db783b2c9d22cc7e1b8f236c2260c9bf2e7a3b9a4ea751b7b55dd47381bcadd544c25728ae62e2d6a96fd51fafa5c76f61b8bf50b5891210e16aea7b8bbea3e73f61029196907e6c62bdfbead62be35e2c714b6f0e5fc8224378988f487fb4799c23e8718274f0ac6881153024e541a02bb392012dfe27f0815e56ac7f02b88dc4205cbb4d036cdfc58c164219ccec2444a4477b7f8a9c15698178bce12e386a82d3920d5811eea072ff302410642ebc1e7120278e14c6643cc5f238ac4765e1b45c239f7e838ee60246e942405c807a17b235465cbb17f03afddc69043ae73ae578f55da41759062d7186199ecdf507d12aba73441ad2e6057bc05b00fddc4feec6781284364a978992eb195e2b27571b15fdd10e9ab8888eb0826bcc76b5534b7f5446474a31b57411c525fda1fa2934022f6462f6851aa1bd7fbba495efd2c275def068c3b2fd3f438f987d95e8a96dece5c18ecf9fad5d953a2c3d38f66a4f0022a74335119698b5f4a6ff428538470d975ae1fe80fa87abba6e1ade85f5e5fbb96b808b4e4a435ee171b838e0a556c23c1b980af93994280ebaaaae79a8b9b0b353344276c687b82d2bbc432672f02c7000ce49870d74a52f8bf66925778dfe1cd0c148d443c903c019e440659ae9fa326de59db3a597b4d208a3d9c4bba2641371603e528311078027ba007e0e5ae077244d3f290939ae6735604ba178c3469df241da9243055fb7bdfcd348091bc29bb7c290cbc2abcb1634de18efe0882f3eb638bddd9f4ea3f8211ca8d23a65767c4b45427a7c424182531bc3a94dc823b2ecfa57484ff6e64d8ed098e94647fe84d9828bd0d1ecee854a92a6bfb411991982f44b3dbb3c71015c8cf6f824d47aaa715e94ecd6e46d3986639d27ca0a9e2635cdc4c52a6a5ccb6a03e24de7aea55c7ee492ac3fa52dda7d306c2010165953c2ac16775be79002e4e68dfca61a052fb1b2fc74ca4f203765ab60ccb296d8adf275bef5ff9e99d554713809412b2fff3adef94965921fb04f2c9cce39bb36a57f61426d7921be06fbd5900e095fe9ef930bfc53cc0489b46145f26af0e1ecfdcf362bef9c0869d277999ef7bfe9e37e1c17084ecf19079863f562b50c65
3f520a3b5176ce09950d66816e830792bd759b6150ae189d2b0d0c6c03e3b7a36ac41052ae58a7edd85b111100db8a68829706f7cd3d5dcbb7314e8cbce8c80cc011090fdd136a74d807d375b9fddaca0f6a181dacc3bc7bceeccdc3424a339428c0e1bb805a60e8b99337285dc65bdc29f2893c42ef76d7da18700fe3b5006d8d95c532a78fdb7334c6481319058dfcfc2ad2924bc3d4f111bc301ddce84ba64cac72e6d4830d8033d736b830a913c02e338ff106b97d9b48f7f023073dff4cd48b7fc61d338cb4839168881d4224fbf7524d8a6a7c01a13068a19a5f38c7ca034d13d582b2db8421b570b47c656b2d51edbc18cd39643127f5c8e0bf0685bdf6b44f64eb4c07d2e9117ca45afdaef6979d37a7eef70e82ebada130561a257bb63ed5c9c3d3cf101d42c70cda123ea81a9f115f8bb78256450dbb6cb2899ed10684e8e18a1042ad83653e21c4c5f48aa887d399cb9fcf259b1ce5fc659a860a08c5a2c5fb3c126073fff976a57cbfba1074063435fcacb27b0caf0ac19b8e8f8f06fce07482d65d2568f908e93a0d0ef257285103797cc9f88f58eed2cd1717167f1f2dd006f055f27e392705f1ccb650bdfb07d3ab777ab9ba3ac3dffab3b1e663f154c62113da66b2fbd270eedc94a9437012625ce8ba9f00c1c4a83d588e5fca0e5401c66391a4155f3f86f552ccf9b4f0004a4cf1fbbb9760d1812f0c43cb54637b0ebcd7fe167c7700ea0031a5bd318338be50ee2783384e097284b8e59c170e8a156828bc99e773314e6f7a1f5b493ac21d9fe858d48e98b977caf42b95e9d54d4f17bffc28cca75a647263825f129bf12049394a45e75aa0e6c12b23ecb2b3251099a95422f19e447f6d3d337f9437037403c93d6d705c0d5a5d201a8e30d6b48cddea751d9c1dbfd65c04112695feca2dc25e9d9e73e5a5e1b146dd2ffb66f5647dfe44c1dbf502ecad9726812e9ccbf19c72cf32b0418b714995f58742798b624494210de0d2888a3bd6ddb47f9034344d08fde2d6b2ef97815c6a3a6e7617924dc02d70d713daca363a44a9325c4a17d6b7754dd4232c27c2ab9f796cabc49347cd35d2e25f918aa4ef2a775b556a248c5820e606af7e3ed95d06313cf7a07c3b0571b8ebb05b4b9770a047d9916906270959253b71d26a16297d5c6f2ebd84f9140a0e4543052ed2f8561952029286a358d7f1e1ad6650ea206a469e87874d281c226bc29bb5ae95c7c2c1145aa22c2f2c84f1d431f46e94d8e372456e0ae74323e680348d361f89054aa99f90526c1f243f72d908d039753d0a960f7788da707fd1f2cc95ba7be64bef54f395329533938951b7c85aad62a79ffc33f487f803fcf6bf2c26e6f82103a6698d76bf780ef70f3dacfba41418bb55e4a16014c71a9a2e
56ebefac29a4804ec152bf89810f07b8acd9c5e697e14d40c3c8502c51182ca9e3870b392de488fc5d74748f700ab286e00db63f8c3e56d59e68a01b9b4866ced3d1e9106d1b7df659a14f59fd54f5a4727ab068889425c07a463da32f69b8bd7e747b08c7bcd323324c7f790a76f4dfa16f26d4242b16b3aa7ccd115f5ea17f5468f29766829fed9bd9d735d82b4faf5aa9dc0e4a577b53d9cfae701a54ebb67c75057053d8a4243cad178b9acf9c087518fdf50103b4ab347eecdf6a1c1b5d0c2a236d429cf78c2d21f0a7d213bac5b95d7d8c8ba71a28a21828b5cc3e87c67afffc37c7daa627343347789bc1316a670b298144283b81e73042039d627404ab5b6cc2001839d1fbe36b8de715a838a24c81d15d6071b04a285823f78f53d99491ecb2842f17de6f508441c8d3e75f6a35027c72c3ea003ed6ffd6c4043bc067c286406b531c0b553eacd468943659a586c17091b975b854dfb8e197bd72768b86458a9eb2e8cef2c6904579e6ef069191a0a2db735c5c8fee1102c0c7acc7c1f0f0b17913559e0f0fe6f19da77f878603d72170c398d11a838a5370edad089b0b0527a5cb07b33d7b38a49713be10f1ee477f867d5600936b6a9c74bed99a4db81e1cd7f959cdfd37116382b2f40d4eb980744772f73e1aa4a93dcfee36268845131c124369db4d0cca54d4f8c3899aace46adca0ce186ca23e2ebbbfb7b19ee441490a4962e5117782ae12c191f6dda42b96473d22cfe1636c460e56e7ab0548070db7a95fd6b3df5aed579b08b5815cfc8a153bcf141253d88c55b5ca968b811c0aad767a439db58677d5bb13696d6376aa6926b8f0acb54363fef2c29d358532eb252208471b146949f0af762f40417ced7bec03ac9752f2e16da680d29d9ccade97546fb9c0f46d911d735e9cc578308cefcfe8f406af2b7239f47643696f24443cfeb9f27259ed77a876822f734b739dbbcb9b72096b1e581e5fd12c957ce71f3c69a0885d02d46503798e7b09749c4247fead044aca5860b2242258763140f706e7509317f1ea81691f9d80d054535d639da733aaeb7cd4a9b0af300ea02d384380d50ac5842dd8fe47b82cda8ce9424ccee49763fe46ecca3e1e9e10f1017e333eb94ff1d20b3e59b92ca10872c482a4c1d1f1fedc95272bef6173a58d94c464cb52f34759dc644d972031a1b5025022e8f85173efb913ea59cfbec4da2586b29308a4d418432a79972b64d9c756905b96e2426f634860c944791ab13cf4010c83ca630d2ba4cbb55505eb0790194d927164ae80c0db21954943c66f5bc89beffbdb3e22a3838406704e1bda3aefb5fdb2a71ed23b4b75352aed0db5c8d60250a49a9e4899b0983efd5662be361fb28288b620666e05953cb031407c0a2605559d8cbc
0421cbe61831aba85c5d62c1baafb86b1692456b6f0628289bd57bf9187b40d4aed39013f857d1912e561fa3b5998168662010a287c7e205e4e8a9c13ba68ce1de8561d9afce4b5d57917558e13a7cd3f4ab1fdb2c8fdfa4f61b8ed6d60ead1efeb9216a1fef78fc2099e8716522d3cfa575888823f558bf15e30e1ca995ce19c9069ddbd57c409d52f0706cb3e562fa18405e4181614230acd0c51e39bb7d9621ca50affbd209fa67bdb7193cdb97dcc6e5a7fa717feb917c13aab6c41cb4f2541738b0dca8b2b129e5f631c2a8fc77f366078286c90d83910d1604e805f9c2333b853c14bb4a3d5f22a641fe545121e14b7b1e3ecfcfe3ff8914a716f2428724c3ff13188b5d06c8ac9715d54e81836b2f9405ea8e8515177091afc064922ac4f409fdd1e1359b640f6337c4a3fd4a3fcd3bbe63c984671e15654c1d6621de7b3a95241c1642fb7a713ae1bfe8aac7bc26f613fdd226b19e98987c3041cd84d5ef2c78faba10b0094968f2747d42480a7b8ddb2acf2f87ac4dd22bf23a2da943c35e76dfec22234c0f254adb8e3d32181ff35809f41a619e646ea3ab7d2554cc237eb80aae024aa3616369d00bbd6c62b6e17c9f5d45bf780c721bd49fceef369349f58191a19d468e73dd9fcc6e38e20d3b131a9c67778b4f6cb8d4db5dd09036908119b23de74af79d71abca4869357b9c5e808dc60b6a4323b2d5b8b75e4d8607207334bad78418d6b7287b90d3480ff5946c5c41cc5291487701a08cb436fea3aa7638aa5f4ff7369f526783746600794f28befeeb543a11c3ec5f3245e3e0557abbca2c42ad2dd7f7d4d386884c70dfc1e45d56cef5a086808f3c94bef9881d0e45a98a731ef16a432be8bce4172b4a8b8f12d2ac858542816db541f11baa9f8632fc604dedbbf197c573a293c96465e64eb1e2071be5c060f168700bb789e993264551620303bd5fee285129ffec0eab47ea52f856224839787d2abc159421016c18597649607de74eb86f7454bf2b7dfada50c780449b1d636de6374f7fd9109f5b39ba67fbbc209e37c57610ee7811e26be2dab80005d72d19506a23861b88208a883dc9216c608e7d858e33f58088a05ec626eb3edf9ac3ed7de4ea80b0c23d1f0d6ba248c31b200e28702a3e713a7383bc3b6c660c2e955c39b6afeb4c9e0a72fc4e1e0a8c00183d8123815f0e943a7bae2bcbb1d4eeea175abb5c4b93e85d41542f6b8cb65bdf10c00fee8d8e079ccacea1f3a0912ab7ce1381d821191c7cb4be46bbf8cd07256b0f81be4758f35fb7537e5353080efde7521dde5e9881fc91bd6c7846c77049ac303c32ad9de7754d06e00a9b8feda1abad27192c550955589a6c41cf14bca6cac53527a37f4bc08b9005b42b9c70216c51b337b335fb5a1cfd9c
d6b59f76ab90affe4732c7e304b9ccc82ed6af679dc39c91998fa682cfe4a6864c1b79e5e2da85c3211502aae5764a004a3b3d41005d5cbc118deb022a51fc1ca56f0c6f5732266fe215a3cb6e949698bb1ef1a7e67ddeb8b6bacf9aeca16b073309d7a7f8edb56f223c39dd2bd08e669131bd51b8cf9bdeb9988f71d8e553324492790d6a7aea92bb41dff044af0da6b0b403c80c5bc4f6fe92380440372a0e993a4ff3923b327992517041db7ba01280cdbca96667a0f37213c204cd7bfa009c2b4adce2846f9e9eae207cdf5350b30d0ec746bcee5b29b44fbbe3910fc015d164deabc65e8fc44253a7e42c38051fe184408271f8bbe0efc739a24820d97db1a5b351f3c3f02b17ad9984bd4c140972a71680ef1bac678830d5fe38562bcfcbdc268d8feeed8c7da82aee6d12ed0ca88454f2631d86ab6742167eb34eec9360c8227bf96fc1b17b3d0bd5ec8b297c61407c6fdd3d6965dfcb363326a85f0e84773f9fdfbbe3efa72edca1f6cf8c230738e104c15947e8f54dc46a67a40e4787fda23bcf4e4dcfc43a213fd09f1c4e61143d4ceae85fd5237c141d1f521abfff83cf23c624dbef356fccbb880c729664a568d54fcbe1d264deef7ab4d7b9be1d0ccdc4e6e78b324270a7fc806ba7c5c2711a34f43d3fcbda22968dce2372cc3fb35aa6578cee49b7425758be5fa1c3c6729f9669d9d067e56b7024a8ea7eb118be8b65ed817a7a2838ba8959ab9f3cc0c9b4b13945e1ce89b02f86166aa89c504a27503d1f57df0516284b4b4f36265b5bc9d8393d15f6b8d2a18046f78f2ecbcd410bbd2842be4ed69dd70a534490befd3843e85b12f964a12855e2ea18002200c728007d3ba098a7be3afce3608dd533eecd536c4d8d7f4da1ac96ad45c84e811ec3df571c78fdf7f8b9d0a1a45882c53eb2891bfa6f5dbf4c5b81ccbbc1ad6d73847f014841eac73782a1b5ead5cef12bb5a1a4ed82a9f4faa96cf303a5904c5d51b3053b141eaeac0b4b333e4affda6e869472c634dad1f270e1d39dec683b7e84afdedffb1daa22eb3ccbda3380437b67022c83dcdbef46978fe85e4b0e066621c1ac5372b955ad5b9048fd0f7ec567f1cd8e74ec8dfa4d87f553ac3b581ba69735a8d4707cba2d0ee9671db59b2790d43e88390c2ec109b94b1b55179b39f79026c8f1685a50c6cdb84c0770b30c4fc2f4690922757878d607d3d10646725f2c07e8863a96fe35e5a206f39aa74891a643acd4b3e16e95e69118b33c5a0bb16ebc40f8cb25aa3c1ecf83a9fe5c937381e165f273bb0476bbf8cd351510a53138124acd75ac598528d6bb492d1229dd50c1d867181d20fa6e2b00b46f5cfe910b61958484b176a6f168e9161ade81411eab0aee2051d30903af597ab648a2062dc4e2428a
6efc01d3100e120ef09578596d0fa3f36721b7423d477bd9c74f77418bde1bb94ca8aadea4027ec2e066ebb5fdb37eb841a8d0522349f71a0c4c9a4ed958b0c76d35e6dde3ad296eac72409ad47574bea30337fb226c335d78f5cdf8612cd1e04e7619c808ecdf2b9a2ac0616a0720d6c3ca856fa8370d202f3e622d547ee3316b3ff1d271970091d00b338871f9b70feac6844c404a9343e4cea8cec59b7be9da09b9d125d73f0e8823d3fa9bd247a1add73a73064ea265bbad9f30aa3424314a48eb710f4d5df40258e9299335443226d4bf7812febb7b2de941ddddfd88ffbfcb5bf7518b8e99933bcbe477bf1303c263133d9ebeb1549bfd552065c783ec284a9ce9b553a20d7b77548f49cf519049ab5783afdbcfcf6c7429e76ab5419ebaaea468f8181d3adaf30528e67950b5be474207c1a7a81f0f3db8aecb28d79d56fda42b955194f6e47ad33ec19f8d8b996fb6d8b1818981aa2af6e069a4608258c5ee64b70c9fb3a0e45cc014e4f9addf951da9a06727dd22005c921dcd79ea3c711615b8a5368be587203fabc96b712bb8b7f7361dd268bd76a26931566a23ba17c56db36e003e6b75a2e756fe979aaad3b304ec8afeda488fb40ab38d3a920264a4f2bf1dbf55620b6093a9b36699b9c32ee344d043a4766184f102196feb205cba518f069952b3bf8f857aa2b16a6e55a1fd0004b7e8a5549a8825708a48bdfe71d2c138bd0de81f7f3686584b3ee09ef695a6fa68c2a2bcbf76da1734fde9ded42e4ee908e1e939c4ebcfc1dd5ebfb50ccf79bc877a396bfe76be7afe123c5538baf0e7c286a0505c63b9b9493960500153751017dd98eaa898110429ec87ab32d6d6d3908a27128463f01da7d7a410182bbc32e667031835e8ae20ae46467a73b1ac2f2a18341dc64a558c75cb831cd3496fbfcf42d88fd609886c90d8a71286aba45f8c7edafe0176eea6050d36f202f7c9e6bb7924396e040428eee610c4abbbe1cba688f508f11e01d4640e6c87c45d29cc3dde93d428b5028ce4c1d9bb95907a557223bfa9e9f6eac9195aa1b4990a9c125a7e116c8e5510f69c8b741836d7c43f13400c894f366a7d22281ff871782173ae78ab8740296aaa999587cc0005d2f4ee7b1b9be642ac1e496bc29946f72cfa6426cb3b07a2e948c18d2a1bac5e5b08562aa5f5407635c18ec0754f92d769a23c5e73f570c23b3d9561840d39b6a7271d9354ed79e26762946397df3ed2b2a692fcfe5109ef1941bc527658891033d97db15a08311c51fee65c8d98723569444e3945fcbc81632d19dcb9373868aaf4a6a3cdabbe97a915f83a386deb483d3dd126a9d1ee7b2b4f386dd32566ca0469aa6c6d80f982f90dd6be7b3e6e5c231998d88951ab0eeb8bcea07f82ad8cf2604823
65c413d48e7dfe108a91b2cbbe4cbe2f9a52132b4d54fcd36277225c68ac40b5e3b443d543b891476f271d2352b3095bcfb083f2c3a51f248cb4eb3085d0c910741c1ae9dcc1445358a6bf44e626a954dc909ce85c1bf979b88cfac5fdb65d27e65ab08245aab32fe2dc08ac6312e0fb7f408d75e6b01a3ccee722540016b0247df32bf72a767c76008a92e0b11fe9c05004545409ac608e327c0d7dcbbb887c36c33cc9a0e6906c177327f2ccbb43a72d588eef87501112a1b643731d2bcaee89a250663abc668a3cca8abd78c2d23f9e6643df9bc3028fd56b34b21bcdb808492e35de98c316dc7deb4112fcead0ad74937997a397442d38eef00a7b4d31dce64f9bf09b514741bd42dc0d3cb1b310a34bddac411f46a523113d571b4acb991dabd8f1d1525223c5656efc43241574ff51c847fe329ea20c1ae30eef094c0e64c0de95d727a37bbc510214fcb3bf6ce4acc12d76c1931e0efe47399a584a590ec68787b17566ab2e518786e858246e8474afd178e236274819a3dceb7652fd74ce86e7f318d82a25306f43c7be9f6babbe2c96a1b41bf442008065d59f8b055c364700624308332789632a682fe243a74e6626127273ca87c3d172fb12e5f9ac7ddeb4b106108652448dbd15598a4ed3fa649b93c02dea87768131d49656272d1848ab4230369a5f043df758aecab659430d5f1045259d3506fb84ec7aac3ab5b5bfcb9689f3c1b5bb24695ec97687c992d10f2db52e0088e5bb7701e36570bc51d376b249597f030e597a84fc61756b0c17043109b035592c2f6355ed8072f5e8d4c155c4f119e07a67062887d1d5601fcfba1195c8230e69de048544e7153108815f9b64d21dafb1c9f5865887d4bb11e1d4dcae48c91240adf033391e1822c849f38a0a29955e653d069ff4d222ae08c14a8d024d64ef1060e52490cf0377b6a7f957e61764aaf155669c8ef46795f92e931c6bccb0b0125f60d0c557c89e67c0bbd0c5a2569690603495ec1e653a39f3b574cb42df7d84989dd3c57df8420ff18f0210462e652a573251ce56b62b816c4257a2be69165c7209a2e12af189961cbe35b0b14d105cf9c8403021d98344a5372ba79ca588092e418519b8002a2a090bbb843f6adb13933439e422f3d6f0317f49b4c92eda47c065383cf4ba9390dabfd757e63e20aa4f2c5e369b05166f80785899e22a08d074e2535a64b814fc105b1b68e77565da771ac638558a611ea4c27ed209f52eed08e53041e1a5709403c3273ed21e3e714cf12448ae0d69fb10482628bc35b031642c0fdc0346e38cae9872308df9c5f1256da8d40db3a048e42ebafb041662e23affced6e7f32e2d70d0087306fb1237a937b90523dc3d4e3939ae06fcea703a6d5bbae8d99323b121e6de5cf578
1fdcd8604c632129b66e9693431e04982ef5803cd1ecc3b2fc6281de955fd5e5f28986ea298524d23fefcc2f30b97b3900e1dff4eb2629de4761f9564d3c3dfeea05c633ab1f689bfa8eb5acdbd97ec6d15c4577ca900b401c2fab73bf704f2833183f1903f2f35dfda0efeaf50cf51b352c3f3b970a6150bac63b27024c6ba7d53d49d3abd9e23e4af60b3e004969706b215188fe2bb911ec4495570bc8511cf378578dd1a1c74ca1979834cce7742b4a6de492eea4cba3e63ebc661d17329ca017479cb3d1a16356b336b03e3a538c63a3f5aaa28ff94ecc31987f838d08b3c82ce7b14846bb930510025d8e514c194bb037dc70c72d56a48731c333d7ac4b4fbd410d408d1b879bf50baee91bb1d48880c20cf11b76a8e06e57fe895a82bf99746c1cbbc64469bc1b059e3a621095f841ea57af815dc34a00ab9cf4d30001c9712665d0f98b64083b177e21901bab8382a39a091917aa9bec1dc7bd11f7d3e1289ea746215636c17871f3267de96584b521e1fa3ef47ce41a6f25aba64a05783ee47f6bb8d3f495500d56ceaef1e3a0f38edefd53da0c6853f1c6c24fa434840e558b6d212f90121db3df0bd4f73b54b3ed9fcad65c5aed7c476f9cb31594d5899a32d979b9e20376b715000f314b7d24f99af72899c65f671e522925bfc966dabecbe3081a5a5d610417519d8237a0d102180329ec3c2708d3298c506f7a9a88b15c251ed48741c4cf67ebe00d5c8cb3d950d943c40f043a9d7ddf671577c5bdee7ad10edf26e1c48d12e99d70e5a1c4642af393c972872cfb1e11315d22dda189a36cd35d9b01733a4993f1cd704c36dcd15eba9cbf252a21e5cb17183b886be2e00d3a32ce09328f60e5c1aa26c97155608419e4429943571752fc53ebef0baf5b672f01346ca0499fdf16df5af75823dfa595872b569eb65a930caddbe9673729ee55efc49b2df0dda031167590d976202b78614bcfcd91735f5afd2a5393dcf192be245a0bdd673c6c81de5ab104c5214d3ada64a84e9dc9616ba71678b6f8a564d956e4bc6aa52e9b92961aeab853bcf7ac1a069ee2b81fdfa2aa85aff86ee3c9ca769dd3bf4da010f08bb9e87f2b9000e0b2cac60e3aec7f2e8cbd63d4509d228ab71ab24afacba832f3791bcb68910ada4d9b588a4410aff25149028975bc71bf36ce82897a796f5d5a98e3057dfa7a8a3a021243467e11303d1d3d9d342d6e6a3238a420d90b018cfb90bc4a68e40b73d3133c613118cb6871339b359e0136d873905daee1817963824c3dd9634edcb4f24b35083d4e72ef28a8cc1dbe04d930f99f567e0cd7fabea8315e8d013042f6008bb0a8e5adefa814f79e2f70cc4171af32c431b0b7e148b071df7575d720973b08646b0312e2a6874689a58430ea112f6f
c4b5a56c78534f5809f785e6094ee5bf38be21676e4fd71a193033b0de273c2c1452c1c3e4c6de0f499d9839ba1625640a1b2eea532695613372b1f519bac2c6318d133aebb079f9e26d7f47b5cc410681d09d23f167fc5a43da874b9915249afc5c9195ae2229f21a14a178e66deb6dd765b306d9ded7e511945193194f118bc6e1ab326e2e8cc9c116ee1d6122793663319ea8721704c15eaac549e2ea9ac4e7b9841ab63c5e12f80f5081a4f04b0abd58bcf2c2c6965fedc77cc0222a4003ce7f51c130306f74ef98ff1cbf65e02ec98863d7ff02ea309d417d0e6a75c409be4019db6f99ceee78e39ff4d625b448761b4913b43524af7d7ec0dd0631cb97a8be0ad239c2017e9ead8529c6713c760e7b104869162f38cf4111644be90370dd298bc1a874b567e39f606f394f62fbe9b5c6111ed1f12193168f2af7ee60214171578b6c2181566608a3ff2fe42f7b04cf4674a682c6e2b0db02e4210ca10d7126ff38b68782e702a7978ee7a31bc37db46c714858a7d9fa88f86b435cfbbf2d1505d4075588b0543d246283cc09d789f1ce2a60faebf09e11a41098184d3b716e0d46eb6580208cb74bc0142075f35f2bca241d077560ac7dbbd240ebbedd9437c22c401d6f79656bc1f75a5c2c625714fd73016d4d9d0223c65d76e19e944f92936554eaa3a68b062588824d98f07aef58d533e0dd6a1406f4c6dd59b611e7679cc27736816288d0cd9d92088d00afe5fc7dc1527acd9c5cb25e5ac01092e40b530af711478db5c071546a4c74c429c2c77b69bd7c5397645ba1d0d872273daa6db759df53c0a718fdafb222e6d49c44843a31f3780b0bea398e005f53e430ba2bcec7f5ead0ea36c10c2306cbd9cb928e5d788da1ac27366875a623df30263f7851481657e16782b2a27168c105da4bff690a9cb6cc2306324e1d56823b649d3ca9eadae4ce5e0d6969dce92ecf0c0e81feaed7bfd3fb13f2d4e548cb724ff0b1685646f99f754df6a2302c498633573eabfb2802710dc70edb366be7f343f2476ba19e371ea3e041278ff01801c5de4b057c59bbf251404018631d1270a9ff0a0f0191f3d5797498a9b71854736a945a6f990d967f29f5a0ffc7e20c5b8001b73cbe20d75a668b6961b44aeeda1b57e3520de141e4cf32deebda2e562304339e3715389be537276931d78510f83286be11ec8e8ec14f67f603e18dca9f929726be0c337216b88113f00f4cd5526f40f294d4f72eaa120bab0cf536779903576436d22df5953b87a591b5092fc8e5fc5097233947fb07e6bdaa80e18a028721d76b9a8be32cc4c70552223cd1970abb11d33cb1cda59950e18a767df6aff5fb37488621bec27b9292ea88010c4926bc61f9c0fe20e4187da939ff2beb66ab492b45f183d856
be322992a7404361e5122cb8568d8ec53057f0d94fcd2b897fd315267afc7a38a99d105448d900619c7423271686f290433546d98565e5f8bb3cc0aa8cf8870bdaebfcfb4bf45453608d74b8aa0bcdd98e2cd8e04352df3e6cbebd384ca197cceaf4bb5139731ec1126d08d217e292bffc3bee368b9d96f85fdf5935587df107a20d05880c6e8e6a758f14e81077011e636adf6ec01fdfb96db24be9a62c74e47a9360055969fa916bcac2dde45e719cf99729766a27306d7353a3ba7686f9ef0405966fdd77c616470b6c196f0286ef16fe5505b1762102413679e9c91782b7ec6a6d04813257b2427458afd627cdd608d408391e67412278af0daa1018ef8876db102a92c031b5a2aab225d2b84ffb6ce07046e9398ba80f21bc07934b4becc299b1cdc27e9c379801c1c3fe3ac0755cac61f59d044b50525dec796e001677ee39d77705cefc294ff9d8cbc28f7984c2e9b7335723e79855b7e92646d11a61c9cf5468d06b54950ca7c42991f893e91d2b1d1e7e4bf3b8c02c7c0a640bb80c2484d5a55ee001019cba3ee242feed1b0d42fcdd7a18ba1e7c2ccbd318f7d17799dccc93a9bee9fb11410449daf8014417498f4a33af9d0ec4f9f1e8068033b8b452c8f10b8b2f62f431658048f5484956fa0977fd980758bd6dc9785ce1293f702afe545286d8804333cb5ed0f7c1a4b38777523b08db5b09a6bb3addcbbd095dae75cd424e30271ed94630d36803f77f2485a11c2cc2b8e78a164ca1c5d514c262429273bac0865320f4f8b950f0e54db424284bb91e8232df4a47e5bcfd4c17ef96f9f6a94d720cb457ad778ef43ee58773d6a2e125a7727b3fda4faae627c6fc7c6e73aa95dcaa72604fa3d5965ac9caa8a4260bf4d47821de3f261c214d762d8f55f77ead902ce343829166ac0b316b6e5b1b34d8bc3e6d64bbdac9fac806fa4e48c1ce6c1a9bf0e565ded6d15fa472bd1fe688ed56b9ce8940fb62c4ec48d29ab8bd4260bf7bddcc09caa9402fe4a299548ea2738f324d66bdfe3a0cea466c7215d68c028ce7d255e9ef6dff9caa4f99ce74324036328f2d717b55dc3c48239cc0cc359a3725dc849f894f58b6908714eff472aba37ab283ccb7dd5707fd15845328d23309b45393755f28b4fc031777f418a4cd11ccdd0ace104c08dd4faab8b56aa37b51068b8f107fb392f6201028b55137dbc6211a6e67b657176b0a05a20696d496d852249102829f96431837335597ff4294fe667a039aefc268f47b986b22c2338cd639e5cc79e6917df9e8132c6a42df0fee096cb192a7ee8a4508e2642a176e28b60729373b444ecda1ce2da57cb966c1d285173c36f9489b1f08db9d8b4b2dfa0e7de81b499f4bd21765f10904b10b30dbf7e8301572b564b4ca57e8349fa410
39712fa9aceb450a3d4339fc2e909a8eb9a3a56ed1b0d5996966e3437d6e2d518746d8f8697ca9f375d76dc06059446f2117b48b2fcd081d196988106b13e5afd4e042ccc20016adf2069d81fb303af0778dcbe05688682527017bca7ae1250055882bdbb5d1f0cc54c70cf3be35fe8507b1b65cec2cbce09495ed7af3816eea9f775b31dfba5e968f9fb6ce23598d8e52687142d867a468b55ad9b7106885a5b5f35f33548bd5001d18a3d4244144666c2081db896732a96d80d219c5b7c4ebb435a6d44086d6c411b8ef85455fbed093e5d168d2217c05ba1e2ca1401286013442c4bb01cd440255c7bd0199701f961bdcad1e376adcc20f96cbe887a24128242f8a7996b18de6d01325632d0d5bd27dae2d0a63a7a34c047b9bfbba9abb267f9f097435a3108a0c2686d9cc6ab4e7100097c45b3e58e2c610802b02d108b04cfd218f346ffcfccfa2be06b2ee9327ed4bae40f6cefa6d0a741c740e0dbd12c2cd77ab4e56150264b0cffffcbb27679f73099731921e38eff187c939587d14518c514fac44e35d77a975d1fdaf34e9ad2334131f26c24bbc13f2df90666341d1f5edd07b8d53b7703d4ef25bdd7a4272c0c17f7f6d5914bad5de0e77afa25af1eb30f18f1c6d52c996463351917de5f612ad6d3b57e1e0d9c3cf7659ec28110534f864087864844ced73b49082b77477be465faac436388dee32dfc3dd0cf5dff1991704c8e8d6aa22b3263b66b23f3180d11d21854bc2ffb2775f7a8b3601e9a6e5685eb265450a222118a5115c8dab86db406d8e4e2f82e7c41214ea54b355082bd153a7106048b72984dc0e01e4b8252d36f1e9c4a1b7179ae2a656fedc990cf54b2c4bd927b034604b04989c76c6782c496c23ef8e7958044d5e2a0caeae787b7303db8594005db1f8127dc7ae3c1617710ca451fcb6ffc9d0e5d34f19d9ffeff61325d4b4524995fe0fdb66dacf9de64458d3a28ab8fc07c9d370edcfda9e9c87416039adebb7c99c447624ba0cb8382d2e4c0cf1e8a70139c4c08c1d5d51548d2789fe71708081f2cfd76a8a897677c0cbacd129df1694941d26387d77d6f1aadb7fd4434121c267211843691651dd228e377256578c3c88ddf0426664e86511a3f8595d7bdf37ccaf396bc9e7cb0fc789cac81f6326c3612b3b2290d07041dd0da180a3f74ff96d82348060900216534c3069100704afb1372d36260432aec3f88fd0a4c4ec7ab7f002397c8ac60758f2df97dda34c302ad5bfcf0c15dfec61fc7cadfba50021d0a813012caf464cd6a16cce4ba49078c4c92b3e049b6d955bd0f99121af65067cbf88fb2c557840e6b50d92ef387ebd93fbbcee39a83749249a6de6174b88ec04850ad88d42e425de196fa9299f637102e4b19a86365df7d462019974
ab6e790ee909ba3930916473a3e9d5aa856350126933193c807746e34e2f5451672e08e0718778ab3e3946611834948f192f204a06c363355457535c3eeb8a3bfc9dcf9e2a5bd648891255907995e923114b5581a8d74a60fed02f184ffe5f14fce6eb63f3d2bfaa4f16dffca143ea0e922a1fcd3a9f3a506239191b1c25071332ca3adb17e95c77b6e55fc0494442d0574c3bf54326042313602e661b5824920fc454e54c224d7a92e11059e04aac30e3691246cafcd66624cb17907db1dd0702de2554d2db0fe639b8a49735a59b58393a57acd3be6584394ac36d328e354323a8b9c23c9833b4a1d480b55889ec6f6f4fc64a2e91a98705ce5739a9aef3b977515b9370bc5fc69c5ddef488c40e5064653f6ed2381384292087879988ae37f41b515ffdc01de8da66cb9fc6f0ba1d5d6ef7ec616f575349dac097d141d27036e2bb74b02b7d6fed9c7481a84bdd72e2fdd7946eb6793399ed9f7d2a780769b3933e25691351d3d766a0fab511283e2b818af89a2c40277130c1ab6c85872b20548140d57e0840a23f5ba7428e8b6e9f7f5318cb5a5fc1601c06f3c892a1cebf9f08eb2eaeeffbee2337b820e36797c8d33570106eb31deae4ce2e0b70ee9370dcd6a48b4b6d66684b2e53d0e6c1d41bb28f6c7219010418d88c9d17065a6044b3e247af1d2ae04a40a3b64cca6be89f53c39f81fb9449849e368d220675916f81206e5d3fbe58dd4294f89667eaa849f02624ceaec0eb2431a9bfee29e5adc57") r23 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000014f40)={0x0, &(0x7f0000014ac0)=[@nested_amd_invlpga={0x17d, 0x20, {0x25000, 0x5591}}, @cpuid={0x64, 0x18, {0x8, 0x57}}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0x0, 0x2}}, @in_dx={0x69, 0x20, {0xc003, 0x1}}, @cpuid={0x64, 0x18, {0x10, 0xc}}, @nested_create_vm={0x12d, 0x18}, @nested_load_code={0x12e, 0x7e, {0x1, "362e363e66430f57a90098000066baf80cb8288fc686ef66bafc0cedb971030000b8c7000000ba000000000f30420f01c866b878000f00d0400f01c566ba430066ed401d03000000c744240000000000c7442402493a5664c7442406000000000f011c240f32"}}, @cpuid={0x64, 0x18, {0xf, 0x4}}, @nested_load_code={0x12e, 0x60, {0x0, "c421f8107af00fe7649a4f47fb0f01ca460f08b9800000c00f3235008000000f300f01cb400f01cbc74424008d000000c744240207000000c7442406000000000f011c240f524b00"}}, @uexit={0x0, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, 
@uexit={0x0, 0x18, 0x4}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_load_code={0x12e, 0x56, {0x3, "0f01df0fa866baf80cb882caa98fef66bafc0c66ed670f01ca0ffdca460f01b3904e000066ba200066b8b7ea66ef0f0132c4e161eb5800b9810500000f32"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0x17, 0x4, 0x4}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @wrmsr={0x65, 0x20, {0x32c, 0x10}}, @wr_drn={0x68, 0x20, {0x7, 0x2}}, @code={0xa, 0x56, {"f341af66b83e008ed0c4e13573fae7660f74a60000000047dbc1450f0866410f3882941f0e5839ba470f795500c4015651af4104000066baf80cb8e27ff48def66bafc0cec"}}, @nested_create_vm={0x12d, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_load_code={0x12e, 0x6f, {0x3, "f3410f221766baf80cb8618ea184ef66bafc0cb000ee36640f2139c46241403266ba430066b80b0066ef66ba4300ec400f23383e0fc732c7442400ac000000c7442402907c03e6ff2c24b805000000b9970000000f01d9"}}, @in_dx={0x69, 0x20, {0xc3e5, 0x2}}, @set_irq_handler={0xc8, 0x20, {0xa1, 0x2}}, @wrmsr={0x65, 0x20, {0x12f, 0x2}}, @enable_nested={0x12c, 0x18}], 0x471}) r24 = mmap$KVM_VCPU(&(0x7f0000fff000/0x1000)=nil, 0x0, 0x1000008, 0x2, r23, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r24, 0x2) syz_kvm_assert_syzos_uexit$x86(r20, r24, 0x10) syz_kvm_setup_cpu$ppc64(r20, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000015140)=[{0x0, 
&(0x7f0000014f80)="04eaa0ef0000603c0000636004006378000063640401636014c2803cd1c0846004008478830a8464be018460273ba03c003ca5600400a5782772a5649d4fa5607c62c03cdfa5c6600400c6787811c66430b5c660f2d6e03caccae7600400e7785198e764fb3be760020000440000e03f0000ff630400ff7b0000ff670048ff63607bff1b0000603c000063600400637800006364fcf463607609803c6cdf8460040084787cb584645d858460f3c8a03c8498a5600400a578a16ba5647c44a560020000440000203e000031620400317a00003166980031620000403f00005a6304005a7b00005a67e5135a63aafef97d0000803c00008460040084780000846400808460dc39007c0000403d00004a6104004a7900004a6571994a61a75fc07f0000603c00006360040063780000636408ef636009c6803c1c64846004008478b4f7846466cc84600380a03c458fa5600400a578cf35a5647597a560ae5ac03c1931c6600400c678a96dc6646f30c660220000440000003c000000600400007800000064120000602401007c0000e03f0100ff630400ff7b0000ff670000ff63a7ffa07e", 0x1a4}], 0x1, 0x0, &(0x7f0000015180)=[@featur2={0x1, 0x1}], 0x1) syz_kvm_setup_syzos_vm$x86(r5, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000151c0)=0x1, 0x0, 0x4) ioctl$NS_GET_OWNER_UID(r5, 0xb704, &(0x7f0000015280)=0x0) syz_mount_image$adfs(&(0x7f0000015200), &(0x7f0000015240)='./file0\x00', 0x40884, &(0x7f00000152c0)={[{@gid={'gid', 0x3d, r16}}, {@uid={'uid', 0x3d, r17}}, {@uid={'uid', 0x3d, r13}}, {@othmask={'othmask', 0x3d, 0x7}}, {@ftsuffix={'ftsuffix', 0x3d, 0x100}}, {@othmask={'othmask', 0x3d, 0x8}}], [{@fowner_lt={'fowner<', r25}}, {@func={'func', 0x3d, 'FIRMWARE_CHECK'}}, {@smackfsdef={'smackfsdef', 0x3d, '\x00'}}, {@hash}]}, 0x0, 0x1c, &(0x7f00000153c0)="$eJxqm+Dw14DJSO1/e8m97d/2AAIAAP//OKcIHw==") syz_open_dev$I2C(&(0x7f0000015400), 0xe, 0x420200) syz_open_procfs(r18, &(0x7f0000015440)='net/mcfilter6\x00') syz_open_pts(0xffffffffffffffff, 0x0) syz_pidfd_open(r8, 0x0) r26 = pkey_alloc(0x0, 0x1) syz_pkey_set(r26, 0x2) syz_read_part_table(0x53, 
&(0x7f0000015480)="$eJwAQwC8/xqlOy2XIlZYZGJIETVblKDS140J0glR3zwsGkmIykjUUmHMRz5PZfZ25OmzjN5Kq6BcIOpvN6UpQpfiwqdtflUtytgBAAD//9ZjH6U=") syz_socket_connect_nvme_tcp() r27 = syz_usb_connect(0x1, 0xd9f, &(0x7f0000015500)={{0x12, 0x1, 0x310, 0x99, 0x45, 0xdf, 0xff, 0x19d2, 0xfff8, 0xcd35, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd8d, 0x4, 0xc, 0xd4, 0xb0, 0x8, "", [{{0x9, 0x4, 0x5, 0xe, 0x6, 0xff, 0xff, 0xff, 0x5, [@uac_as={[@format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x82, 0x97, 0x9, 0x9}, @as_header={0x7, 0x24, 0x1, 0x91, 0x10, 0x1}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x64, 0x5, 0x5, 0x9}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x9, 0x1, 0x1, 0x18}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x100, 0x0, 0x1f}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x200, 0x2, 0x6, 0x6}]}, @uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x0, 0x9, 0x4, 0x1, 0xdc}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0x5, 0x9, 0x6, "42e9"}, @format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x2, 0xaecb, 0x0, "e0ff89cc39b242b2b0"}, @as_header={0x7, 0x24, 0x1, 0xc, 0x2, 0x2}]}], [{{0x9, 0x5, 0x1, 0x1d, 0x20, 0x5, 0x9, 0xf}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x5, 0x7, 0x1, [@generic={0x49, 0x1, "bedbdc40b657915aeea36befa743bbf476bbcc3a55777437fd0c0862a5591f0b8091626c6564a62b6995d0b1ac34995d442de50d21f30da08f64d3bb0e86086e62968216d8cbfe"}, @generic={0xc, 0xe, "1cca42d0d4c12478dbc7"}]}}, {{0x9, 0x5, 0xc, 0xd, 0x10, 0x4, 0xef, 0xd}}, {{0x9, 0x5, 0x0, 0x2, 0x40, 0x1, 0x92, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0xf, 0x9}, @generic={0x9c, 0x24, "9462e78d67a7938309f893388b585f99ed3cae5aeb241e37eacc73fb040b917d697587fd8885dcc892bfee22871988c70188e9e84546a796e56ea48370dfca689aaa0ffd0841c7e28cbcecbc3beeb254d902498dde373f5e920932acdf3222a561174a85ce36d5f5c709829a0429f48de3266211e3532235cacb3a64fff3e30182cd027ea660bce24cc197bf358f77953c964de4530416907fa1"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x400, 0x4, 0x0, 0x6}}, {{0x9, 0x5, 0x1f, 0xc, 0x20, 0x8, 0x80, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x40, 0xfff}, 
@generic={0x4a, 0x9, "13df6f0c723d233880c0869f46c9399e148ef0d987297635b6bf6f369cbf8f07b34b9376ff57dcbdf27465eb5153fb8dd7ca2fab2737dd515edef1c966915e0676db831f2b918d82"}]}}]}}, {{0x9, 0x4, 0xe4, 0xb, 0xd, 0xff, 0xde, 0x55, 0x3, [@uac_control={{0xa, 0x24, 0x1, 0x3, 0xa}}], [{{0x9, 0x5, 0x1, 0x3, 0x20, 0x1, 0x66, 0x7, [@generic={0x8c, 0x23, "c344bd7f690e1122d6524ccd0257c1185e61c3ab3ccb366ef9037a58035418728d9aab96717e220d7220fb964b7e928d75ef45859131159097fa85b2d24eeb7fc590e048eb1ba830ac343bfd9a3c32dfc93fadcb90f93a63c737834f5e2d4e7368e02ec5f2106bef935e5e74c3e7d2d3d16ebffa13a829499da442f01726d07a338feb612c3b6e5193b8"}]}}, {{0x9, 0x5, 0x1, 0xc, 0x10, 0x6, 0x73, 0x2}}, {{0x9, 0x5, 0xe, 0x1, 0x40, 0x0, 0x0, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x8, 0x9df1}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0x84}]}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xd, 0x6, 0x6, [@generic={0x9c, 0x11, "61c2c581bcf0dc3a09ec5465d8b39593b51cb568ad67bf219f28a637f8b8f3aae7b6cf31069da551c5d90a297ab0cfeda543a0f762c8185babc43a4c9bb3b095c0ee1396f8b1fd6219b31613b7560d309f173c80673fb08529fc8f175291f99856af198cf47a32c76df6be449493e5a66eb4664b84226ca1e2c8f2029ade7d75316b104a3480fbf7d4509d748c36f659f8f52743fd077fc7df42"}, @generic={0x4e, 0x4, "57fad147fa12cd27896e4e92ba1ad4058c8d43ec2150d8732fc5ae105a174ed83942dcb79a05b10fd4957dbc1ac027a2df5728b2b2bb9b5bc51f9a8c88e9fa851138c7cdd7626641911cbe0c"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x8, 0x8, 0x20, 0xc, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x8, 0xfd, 0x2}]}}, {{0x9, 0x5, 0xb, 0xc, 0x10, 0xf0, 0x3, 0x9}}, {{0x9, 0x5, 0x2, 0x2, 0x7b7, 0x9, 0x2, 0x78, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x2, 0x6e8}]}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0xb6, 0x47, 0x1, [@generic={0xea, 0xd, 
"d7eef8adff593fef601257eb29f1123c0f04cf50d2f065a52ab835d40454ac46b6638738e9753c66062b76d457d6b363f7b7634feaac719c3e900cceb8d969210b573a62d4516498d598a61e6fa5bbd0fd386f9f1d7afef4ddbe39495d6e555d24555bf1bffe21fc472ab2a8d5d0f8a611ab5a46ae9b23bb6a6b363946dafbb2e741d34fe456f5816332d72d435fbd1fae4763325dac58c2de0a67277e2d74fef5d8ba6de17c31d5c7fb01a13d3bf00c3113416b72b3e2e0b80b4ab9cda77d2de3ed368fab4841fd62acf66e432121b5f5d7c8c036660d7a351033155e3eef2ff20f2aed8241d176"}]}}, {{0x9, 0x5, 0xe, 0x3, 0x200, 0xff, 0x62, 0x5, [@generic={0x55, 0x23, "d522b56c6dde6a698a23e10e4fc0798f87c946fa2848c717a9a33138fdb3475793c1b4d1722b3bcc36384d2589a27e5f22b289727e23f039ffdf2ab25da62c092ed01cb151b0ad8ba7758c32abd07f79514eba"}, @generic={0x96, 0x8, "70f4e5b83374f7b0de44ec45105ac31402140e176214641e3797ba0aea4013e3e7c2871f78528a256a2249dcad684fd577a428a14f446ce9d7de49364aa163c68dd1e4e20c0aa98a263547f07dae9c3e45ffec5bdccfb90b1ad9054da62866626bfbc394a1e9aec6b300420a6167e6e6ef4396dffb6bfc18d3b2537789270423867535f75b1454cc3b8a6aef5b65b9774139adcf"}]}}, {{0x9, 0x5, 0xc, 0x10, 0x20, 0x8, 0x1, 0x8}}, {{0x9, 0x5, 0xd, 0x10, 0x400, 0x3, 0x6d, 0x7, [@generic={0x85, 0xe, "1a54b4a07976e16cec507f7cfe00c93599f9fdefaf8bf86cb9ae60f5e7426c78b3e01cc8cab0aaf09debbacd785c9de3bb89551d0a241f2d65830f5364754991feead87fe8c8b928ac16853ae959eac27b59ccc86d22442ca629d120b1a09cf14184a9c4873f74ae748201f5f4e649e3724c7ddb89f458472b285f9c10ea40393f3060"}]}}, {{0x9, 0x5, 0x9, 0x0, 0x8, 0xa, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x4, 0x4fb3}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x1, 0x88, 0x6}}]}}, {{0x9, 0x4, 0x10, 0x8, 0x10, 0xff, 0x5d, 0x81, 0x3, [@generic={0xb7, 0x0, 
"bea8fdb50e624b763ddddaf5ed85d8170ca858cf74ac678eb54d2045e5fbb2772140e2cf1895cb693a914ffb891cd2c90d4827bcd34359d70107462ead889a6e4ed6968935a81a147ac0ccc81c38d62d6a84cf504552ec37d609b5475018bda124c09ea9f21303865fe464abc38cd84ae42de33e4691127e2b8553837d58cda51f11a05a1538ecff55e90f34a1c566c234c006d00b50b4b29e49b8d090f5a274ae37e03e49682c44c2b1d9db62f63233f9670cb2ac"}], [{{0x9, 0x5, 0xc, 0x10, 0x40, 0x9, 0x8, 0x2}}, {{0x9, 0x5, 0x6, 0x2, 0x8, 0x3, 0x18, 0x1c, [@generic={0xf6, 0xc, "d7729711236eb7896991e6ffe3dd7622e96e2e7d1760ab6452472bbac1d06861d9d49e4100606a227d342c6175945ade9cc3f46ec4627f92caa5d73227fae7a360d25fac9e5744073f0c054c9a5b8258dd279b736876584b904d943b23c26d9e6bc2dd3b98f36244158c760f0bf975029142b3f58bb63ec376d7f5d9611820d380efd7de6163ac8dc27144e21d92c93ffecc2d8c7b3bc5ead181863cd96a0abf2889eb10b687913fa8214b89de11f52b7d1936ad9c1c45da86a15e86b6c9060291d85b48ebc2344db8ad8cc52f79d4f0377a893b3da61cfc1513d2ba9536d6190de886a2d18ff8ab1f463f15471d7f96dc92d0ac"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x20, 0x9, 0x2, 0x37}}, {{0x9, 0x5, 0xf, 0x12, 0x8, 0xd, 0x6, 0xf, [@generic={0x40, 0x5, "71afb2617a61e75529dde0f32fa6ca4b857a84b3120b936168642c34048f292fc27a3a8f1f74580cdc36e9a40b4ff692f13224b914a89fb73085793a5c22"}]}}, {{0x9, 0x5, 0xd, 0xc, 0x36fb25d4600df5f1, 0x4, 0x1, 0x0, [@generic={0x50, 0x3, "17ffd473ba28c360591f571dc60f1324d4a34ab8d9d3c0686c13a61bda2464e1635423ebf4ed34037bab62fd30a8dd0a89f1bcbff3af4f0c989ddb6f03760ae76f63ffdcbfbbfee9a135257314aa"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0x2d, 0x10, 0xba}}, {{0x9, 0x5, 0xe, 0x0, 0x10, 0x8, 0x7, 0xac}}, {{0x9, 0x5, 0xa, 0x8, 0x20, 0x9, 0x7c, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x9, 0x4}]}}, {{0x9, 0x5, 0xb, 0x10, 0x3ff, 0x1, 0x4, 0xbd}}, {{0x9, 0x5, 0x7, 0x3, 0x20, 0x6, 0xf, 0xe}}, {{0x9, 0x5, 0xd, 0x10, 0x7f7, 0x4, 0x1c, 0x1}}, {{0x9, 0x5, 0x0, 0x0, 0xaead6ee2ff2b5f33, 0x40, 0x6, 0x81, [@generic={0x54, 0x9, 
"22a03d117edd7ff802cdb509b49cf07b1884a5d06a2872ffdd1f6a974c0574871d68b2fd80b9dde557da7eec4d7f2778a5c3a4bbef519d158a59f152fe19f598e43360f8a24aa973c56f46c4a68a273a1fc4"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x8, 0x5, 0x38, 0x1}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x4, 0x2, 0x7, [@generic={0xda, 0x26, "32162d9cffd7548ddc1524c6651fa112cb8399eb7daa746af4a3f458159bd8a487dade3217ae3224615d50ba5643301952fdd082ab52f64eb38bddcf02b06728a3bf4f73d3b780a3a5804bad04ecc22787690f67257674f728b10231ba2db83cb4eb841e5523eb43f3482d3ec33cb8187b87aa08a21e94e0394a1ee8d8f0cc088910aba4dbe5feefc245380ff1443e3a97bd4d5addd01f1126d4b70abcbbe140716a1c66dac61f66514fcebe67647b43bbd8e848333ff9957ebaace9d057b627a667e6f51daeac302b2129c26d415bc9a2ee7495b331b7da"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x8, 0x7, 0x5}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0xfe, 0x0, 0xd, [@generic={0xe1, 0x24, "66c968f67f56d0ab89d6819c67d1d6c215d2f3cf615b37028db269d93608cdf0704118e0ddbf97166c27afb51a132cd70f0fa3b7ad5ee3a441027a74122781ab0f1ce5fe7bd1153c8ffccd3ef109213f20d2bafd0e331abc5cd1fb54809a06c8fa60a9f0fc8e113f318c3a7f7bc6fabe193094ec493d246cbd702bf019796a8872b3c40234d8e90731b2dff88a1f0c4f1786a190eb16651e3ac45edb14d9fb898644bed61576bd7a9fd90c5217217f6b9aed19d4a22bff482d058e603d2a0cdc48b1b271b79b1e25d7fe6bb820506e48579a78af99e7e9429bcd4b07bc0134"}, @generic={0x40, 0x5, "8f82cc05df67734141e356e936a6e0a7247ac23b30900c5fc4148a14990b5004686de6cace04ade350f04a3d078c3910f7dba492af85da649432e26a7854"}]}}]}}, {{0x9, 0x4, 0x88, 0x1, 0x8, 0xeb, 0x43, 0x23, 0x4, [], [{{0x9, 0x5, 0xc, 0x0, 0x40, 0x8, 0x8, 0x5}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0x9a, 0x5f, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x81, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xf9, 0x2}]}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0x7, 0x1, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x1}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xd, 0x103}]}}, {{0x9, 0x5, 0xb, 0xc, 0x3ff, 0xa9, 0x1, 0x6, [@generic={0xfb, 0x2c, 
"df60d233063867e638f4ac474e685fef8f861557d0a31566d58bde1f04a113f6cb64c96056a81685a6dfa2978a60c2d94e450f6675e38b44c96bfbff6c5f3746609346497483dfc8ac2127362cdbdaa0253951a182272183f456aae2bd12b292c609e8e14b4f8c1853e0d87e0c3179c8be7b0730721bb30159040826f093510ce022587691627b236a66215620418df334d28d1d14f0ca3b9f4fcff06ba249dd19508198503a2c2cd4f3abdadbd4f1ace4e627bec97299a00228e09c064e5f342e00d8c8f2d5b1fb56485e736a87dcfe510c218632729122a4eb5d5b5d81df8be58527183e48f760b85c599f8813f89d706af7b22f77d68dc1"}, @generic={0x6b, 0x4, "07ece06586e01505f126e0db2ed1ac18b57549f080d741f38b0ccec6ba034d096429405619d01af435c8092be0e9c4a93c1b647e7c7f14f05efff305d2b85d51fedff750b87e5990d028fd338645029bd9ed95e00305acce8b899a786dbf30895be03148a7a1e3bf25"}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0x3, 0x5, 0xff}}, {{0x9, 0x5, 0xa, 0x10, 0x200, 0x6, 0x14, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x4}]}}, {{0x9, 0x5, 0x5, 0x8, 0x210, 0xe8, 0x5, 0x3}}, {{0x9, 0x5, 0xa, 0x8, 0x10, 0x64, 0x8, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x5, 0x2}]}}]}}]}}]}}, &(0x7f0000016780)={0xa, &(0x7f00000162c0)={0xa, 0x6, 0x201, 0x3, 0x8, 0xff, 0x20, 0x10}, 0x28, &(0x7f0000016300)={0x5, 0xf, 0x28, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x1, 0x7, 0x7, 0x6, 0xff}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x2, 0x61, 0xff, 0xf, 0x6, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x1, 0x3, 0xb, 0x100}]}, 0x7, [{0x4, &(0x7f0000016340)=@lang_id={0x4, 0x3, 0x457}}, {0xff, &(0x7f0000016380)=@string={0xff, 0x3, "85a764d829532917b6647a68a249b252f01a99f88767a2e9f13aeefab39cf6a405497e3244294b1bd485c0ec99338640a508fabbf11e0fd6a03bcc9cebaf83037aa77397cbdf0911c8dfb842f62f94766aa445925773c4f7c6701be8a05673afe95cf19c279ac62fd2720ed2dae689371c5151bf6b9e7727f8f497091c3aaa902f81e44c5173acf22152fcbc4d72a75e9ab4badc6788b2fdbb7e34b202e0e71feb1cc9b1ca791e92374cfc63cc7db5648591778bfc1948f9dad9b7fe74a588ddc9ad499993062666b3e0df0acaa67802ad37a86fcb411a2230bdd43fe8610f29c15179bf429f81876ee90b7d35a2263f91eb8d3c7c87c46600b45282ee"}}, {0x4, 
&(0x7f0000016480)=@lang_id={0x4, 0x3, 0x8406}}, {0x49, &(0x7f00000164c0)=@string={0x49, 0x3, "cb9d5f1c5fbc9474d59ffa54a92ba7aff97b2f65abf48aad8e2b09b60a5dc2744b250fe7529097bfbb2bcf99d0548a034fb7aecaf8dd808495be132e1b8c84abe53375dcf540d5"}}, {0x4, &(0x7f0000016540)=@lang_id={0x4, 0x3, 0x407}}, {0x102, &(0x7f0000016580)=@string={0x102, 0x3, "04ddeb57b5072b0dc9dc624cf2792daac535b02570dbb701e1db0e6c25d680f07b517f6582125baa7a7849eb0b11130e0024efe8a1c951363bf47a68fb5bd9acf185aea1627381f50343cb4bb8d7175131f2ae52a842db753904d3051a0ab082608560e8ac66b87dddbb9fa3514a31e5595170e3d21c018b37855992a2a4b348de99469b63f5438e240e23cfe0a26d30a91d953691d741b9d5d85dab27d40da71fc9d8677b0dc3e1d6060d0d98a71300d374e7bd550f6a57b6fcd444313f37367f5b55c20f1a2d44861e8a1a36bcdc769ffc146bb71ab5846dcb8231247f1636483dabb710d074fd2b8018d4c356d1825bb17bf96327e96ee867583243e8254e"}}, {0x9e, &(0x7f00000166c0)=@string={0x9e, 0x3, "ef2a4e829a0f6cdb32a449bba1d48f5dfe865e51f2287e2177391a43f9bbf1ca78d573f200eae40c60a21ddc2ad482df2a85f27559815bb4ebca560530b86553450ee38eaeb8712f6b77c14d47f85d8bbf641e1d9e09fa1e2be5e92c187ce56ef9949ae1d87cfbfe0ea1ba9f9b2ff0182d4b05ce506891c5a347ee33ccf9ce7d86d7ddf2bf38574d21d9654bbe80658680bef5589e2db6072d9fd0fd"}}]}) r28 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000016800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r28, &(0x7f0000016b40)={0x2c, &(0x7f0000016880)={0x20, 0xb, 0xc8, {0xc8, 0x21, "01f48fe831d8d1992472173ea819a3a2ade96121341354e85ca198ec1fcf8590c939f727aa0e85856b357c23bc068f24a22cc6b71bd4add3ae66955e3ceb2a8f155c4feaf36d9c4802968a53b086a4a50dc35475e75c1851e7d408540774e8982191e50606991f3f33fa708ef6a94041511098b0267e737b9f399fad65b7cc2efa80eafc734bd5ab1fdc3decc026fa7675ef45a1d17ffe1c0b1e00b10273d7c57d183c74a3d9b1471322b59a98cebd12d16c2834b226cecaeaf960e3d90776c23923eae68d1e"}}, &(0x7f0000016980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x280a}}, &(0x7f00000169c0)={0x0, 0xf, 0xc8, 
{0x5, 0xf, 0xc8, 0x5, [@ssp_cap={0x14, 0x10, 0xa, 0x3, 0x2, 0x9, 0xf, 0x0, [0xc0cf, 0xf]}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0x30ec, 0xf0f, 0x82, [0xc00f]}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0xb, 0x8, 0xf}, @generic={0x8d, 0x10, 0xa, "422d46fc73f84b4dd0c3d24d79f270975a978d736a0aa3e586ae4e9a232483cf25269718cbb9df730362ce6b7cf0e3d10079c328ee2be8f5ffc242a07e20f7c3db607c73e2cac82f1c73c8fcaceb151e2022fe0c73ad6619a4dace08659699ed7660d45202749cda47dfa1e0db87664d1eff73f0606d30b778cb8808dfa6b24cc18add579f29e81b12e3"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x48, 0x6, 0xf2, 0x0, 0x2}]}}, &(0x7f0000016ac0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x1, 0x3, 0xf6, 0x5, "d7db758c", "cb024e33"}}, &(0x7f0000016b00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x2, 0x2, 0x80, 0x5, 0x7, 0x7, 0xff24}}}, &(0x7f0000016f40)={0x84, &(0x7f0000016b80)={0x20, 0x13, 0x2a, "b3644b33a496f2187a5863e64c407cecd2d6d13ae23ecf1c3c53f78ff217cff021e4718cea7fbe4c3ba3"}, 0xfffffffffffffffd, &(0x7f0000016bc0)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000016c00)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000016c40)={0x20, 0x0, 0x4, {0x40, 0x20}}, &(0x7f0000016c80)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000016cc0)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000016d00)={0x40, 0xb, 0x2, '{*'}, &(0x7f0000016d40)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000016d80)={0x40, 0x13, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, &(0x7f0000016dc0)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, &(0x7f0000016e00)={0x40, 0x19, 0x2, "1ac5"}, &(0x7f0000016e40)={0x40, 0x1a, 0x2, 0x100}, &(0x7f0000016e80)={0x40, 0x1c, 0x1, 0x7}, &(0x7f0000016ec0)={0x40, 0x1e, 0x1, 0xc8}, &(0x7f0000016f00)={0x40, 0x21, 0x1, 0x4f}}) syz_usb_disconnect(r27) syz_usb_ep_read(r27, 0x0, 0x4, &(0x7f0000017000)=""/4) syz_usb_ep_write(r28, 0x4, 0x9a, 
&(0x7f0000017040)="dd9c6225175b3c37dc1963b4d0f463d6e382d956edabd131d419ff0b343494a2c3c8bd5e321a506b68c9621ab544dc8bd17c2f62f3c56caecb3908a6430e4d9eafd02ca13dfdcc2d07c531313862ad4271ecb07f10143f48ff7e738a4a77623d0d4b8921084f7c7a9114220624e8f12287c7369f8b9193de6e3a67ff4bf7596fd6c107e477fc1df67c16fec951a212d960cd48e3a1758e8ec8e7") syz_usbip_server_init(0x3) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_getfd #define __NR_pidfd_getfd 438 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, 
&attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static struct nlmsg nlmsg; const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 
0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, 
sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } static int hwsim80211_create_device(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t mac_addr[ETH_ALEN]) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = HWSIM_CMD_NEW_RADIO; netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, HWSIM_ATTR_SUPPORT_P2P_DEVICE, NULL, 0); netlink_attr(nlmsg, HWSIM_ATTR_PERM_ADDR, mac_addr, ETH_ALEN); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static void initialize_wifi_devices(void) { int rfkill = open("/dev/rfkill", O_RDWR); if (rfkill == -1) exit(1); struct rfkill_event event = {0}; event.type = RFKILL_TYPE_ALL; event.op = RFKILL_OP_CHANGE_ALL; if (write(rfkill, &event, sizeof(event)) != (ssize_t)(sizeof(event))) exit(1); close(rfkill); uint8_t mac_addr[6] = WIFI_MAC_BASE; int 
sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) exit(1); int hwsim_family_id = netlink_query_family_id(&nlmsg, sock, "MAC80211_HWSIM", true); int nl80211_family_id = netlink_query_family_id(&nlmsg, sock, "nl80211", true); if (hwsim_family_id < 0 || nl80211_family_id < 0) exit(1); uint8_t ssid[] = WIFI_IBSS_SSID; uint8_t bssid[] = WIFI_IBSS_BSSID; struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = true, .mac = bssid, .ssid = ssid, .ssid_len = sizeof(ssid)}; for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) { mac_addr[5] = device_id; int ret = hwsim80211_create_device(&nlmsg, sock, hwsim_family_id, mac_addr); if (ret < 0) exit(1); char interface[6] = "wlan0"; interface[4] += device_id; if (nl80211_setup_ibss_interface(&nlmsg, sock, nl80211_family_id, interface, &ibss_props, true) < 0) exit(1); } for (int device_id = 0; device_id < WIFI_INITIAL_DEVICE_COUNT; device_id++) { char interface[6] = "wlan0"; interface[4] += device_id; int ret = await_ifla_operstate(&nlmsg, interface, IF_OPER_UP, true); if (ret < 0) exit(1); } close(sock); } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + 
CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t 
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; 
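uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed));

/* Fallback string descriptor: 8 bytes long, characters 's' 'y' 'z' in 16-bit units. */
static const char default_string[] = {
	8, USB_DT_STRING,
	's', 0, 'y', 0, 'z', 0
};

/* Fallback for string index 0: 4 bytes long, payload 0x09 0x04. */
static const char default_lang_id[] = {
	4, USB_DT_STRING,
	0x09, 0x04
};

/*
 * Pick the reply for an IN (device-to-host) control request received while
 * the emulated device is being connected.
 *
 * Only standard GET_DESCRIPTOR requests are answered.  On success
 * *response_data / *response_length describe the reply and true is returned;
 * false means "no answer" (the caller stalls ep0).
 *
 * descs may be NULL (the string case already allowed for that).  The BOS and
 * device-qualifier cases used to dereference it unconditionally; they now
 * treat a missing descs like a missing descriptor.
 *
 * qual is caller-provided storage used when a qualifier descriptor has to be
 * synthesised from the device descriptor.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       struct usb_qualifier_descriptor* qual,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;

	if (!index)
		return false;

	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue selects the descriptor type. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				/* Low byte of wValue is the string index. */
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* No descriptor set supplied: nothing to answer with. */
				if (!descs)
					break;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/* Build a qualifier from the device descriptor fields. */
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/* Handler type for OUT control requests during connect; sets *done to end the connect loop. */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic OUT handler: accepts only standard SET_CONFIGURATION, which also completes the connect. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k OUT handler: accepts SET_CONFIGURATION and the two vendor firmware
 * requests; the connect is complete only after ATH9K_FIRMWARE_DOWNLOAD_COMP.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

/*
 * Find the caller-supplied reply for a control request.
 *
 * GET_DESCRIPTOR requests are matched against descs by (request type,
 * descriptor type); everything else is matched against resps by (request
 * type, request).  If nothing matches, the table's "generic" entry is used
 * when present.  Returns false when there is no reply at all.
 *
 * The entry counts are derived from the tables' own len fields.  A len
 * smaller than the fixed header would wrap the unsigned subtraction and
 * yield a bogus count, so such a table is treated as having no entries.
 */
static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps,
				    struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;

	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);

	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;

	if (req == USB_REQ_GET_DESCRIPTOR) {
		for (int i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				/* A zero-length entry carries no payload pointer. */
				*response_data = (*response_length != 0) ? &desc->data[0] : NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		for (int i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				*response_data = (*response_length != 0) ? &resp->data[0] : NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info { __u8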
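name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; };

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

/* Open the raw-gadget device node; returns the fd or -1. */
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

/*
 * Issue USB_RAW_IOCTL_INIT with the given UDC driver/device names and speed.
 *
 * The argument struct is zeroed first and at most UDC_NAME_LENGTH_MAX - 1
 * bytes of each name are copied, so both name fields are always
 * NUL-terminated (a bare strncpy() with the full field size leaves a
 * maximum-length name unterminated).
 */
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;

	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

/* Thin wrapper: USB_RAW_IOCTL_RUN. */
static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

/* Thin wrapper: USB_RAW_IOCTL_EP_WRITE with the caller's io descriptor. */
static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

/* Thin wrapper: USB_RAW_IOCTL_EP_READ with the caller's io descriptor. */
static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

/* Thin wrapper: USB_RAW_IOCTL_CONFIGURE. */
static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW,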
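power); }

/* Thin wrapper: USB_RAW_IOCTL_EP0_WRITE. */
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

/* Thin wrapper: USB_RAW_IOCTL_EP0_READ. */
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

/* Thin wrapper: USB_RAW_IOCTL_EVENT_FETCH into the caller's event buffer. */
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

/* Thin wrapper: USB_RAW_IOCTL_EP_ENABLE; callers store a non-negative result as the endpoint handle. */
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

/* Thin wrapper: USB_RAW_IOCTL_EP_DISABLE for the given endpoint handle. */
static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

/* Thin wrapper: USB_RAW_IOCTL_EP0_STALL. */
static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/* Return the index of the interface with this number and alternate setting, or -1. */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/* Return the handle of the endpoint with this address on the current interface, or -1. */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;

	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	}
	return -1;
}

#define USB_MAX_PACKET_SIZE 4096

/* Event header followed by the control request and room for its payload. */
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

/* Endpoint I/O header followed by a fixed-size payload buffer. */
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

/*
 * Switch the device to interface index n: disable the endpoints of the
 * current interface, enable those of the new one and record their handles.
 * Failures of individual enable/disable calls are ignored (best effort).
 */
static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;

	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++)
			(void)usb_raw_ep_disable(fd, index->ifaces[index->iface_cur].eps[ep].handle);
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			/* On failure the previously stored handle is left untouched. */
			if (rv >= 0)
				index->ifaces[n].eps[ep].handle = rv;
		}
		index->iface_cur = n;
	}
}

/* Apply VBUS draw and CONFIGURE, then select interface 0.  Returns 0 or a negative ioctl result. */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;

	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0)
		return rv;
	rv = usb_raw_configure(fd);
	if (rv < 0)
		return rv;
	set_interface(fd, 0);
	return 0;
}

/*
 * Open a raw-gadget device, register its descriptors, and answer control
 * requests until the OUT handler reports the connect as done.
 *
 * Returns the raw-gadget fd on success, a negative value on failure.
 *
 * Changes from the previous version: the fd is closed when add_usb_index()
 * fails (it used to leak), and the UDC device name is formatted with
 * snprintf().  Later failure paths still return with the fd open and
 * registered in the index, as before.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev)
		return -1;

	int fd = usb_raw_open();
	if (fd < 0)
		return fd;
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}

	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		close(fd);
		return -1;
	}

	char device[32];
	snprintf(&device[0], sizeof(device), "dummy_udc.%llu", procid);

	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0)
		return rv;
	rv = usb_raw_run(fd);
	if (rv < 0)
		return rv;

	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0)
			return rv;
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;

		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;

		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual,
							&response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}

		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0)
				return rv;
		}

		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		/* A reply that does not fit the buffer is dropped to length 0, not truncated. */
		if (response_length > sizeof(response.data))
			response_length = 0;
		/* Never send more than the host asked for. */
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);

		if (event.ctrl.bRequestType & USB_DIR_IN)
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		else
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		if (rv < 0)
			return rv;
	}

	sleep_ms(200);
	return fd;
}

/* Pseudo-syscall: connect an emulated device using the generic OUT handler. */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Pseudo-syscall: connect an emulated device using the ath9k OUT handler. */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;

	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

/*
 * Pseudo-syscall: fetch one control event and answer it from the supplied
 * descriptor/response tables.  Returns 0 on success, negative on failure.
 */
static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;

	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0)
		return rv;
	if (event.inner.type != USB_RAW_EVENT_CONTROL)
		return -1;

	char* response_data = NULL;
	uint32_t response_length = 0;

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		/*
		 * NOTE(review): with '||' every standard non-IN request, and any
		 * request whose number equals USB_REQ_SET_INTERFACE regardless of
		 * type, is treated as an interface switch.  '&&' may have been
		 * intended; left unchanged because it alters which requests
		 * switch interfaces - confirm before changing.
		 */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index >= 0)
				set_interface(fd, iface_index);
		}
		response_length = event.ctrl.wLength;
	}

	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	/* A reply that does not fit the buffer is dropped to length 0, not truncated. */
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	/* IN request with wLength == 0 is completed through the read path with a full-size buffer. */
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength)
		response_length = USB_MAX_PACKET_SIZE;
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);

	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength)
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	else
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	if (rv < 0)
		return rv;

	sleep_ms(200);
	return 0;
}

/* Pseudo-syscall: write up to USB_MAX_PACKET_SIZE bytes from a3 to the endpoint with address a1. */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0)
		return -1;

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);

	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;

	sleep_ms(200);
	return 0;
}

/*
 * Pseudo-syscall: read up to USB_MAX_PACKET_SIZE bytes from the endpoint
 * with address a1 into a3.
 *
 * Only the bytes the read actually produced are copied out.  The previous
 * version always copied the requested length, which handed uninitialised
 * stack bytes to the caller after a short read.
 * NOTE(review): assumes a non-negative ioctl result is the number of bytes
 * transferred, as the raw-gadget UAPI documents - confirm.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;

	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0)
		return -1;

	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;

	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0)
		return rv;

	uint32_t got = (uint32_t)rv;
	if (got > len)
		got = len;
	memcpy(&data[0], &io_data.data[0], got);

	sleep_ms(200);
	return 0;
}

/* Pseudo-syscall: close the raw-gadget fd and return close()'s result. */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;

	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Pseudo-syscall: open a device node.
 *
 * a0 == 0xc / 0xb: open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>, with
 * a1 and a2 truncated to 8 bits.  Otherwise a0 is a path template whose '#'
 * characters are replaced, left to right, by the decimal digits of a1 taken
 * least-significant first; it is opened with flags a2 minus O_CREAT.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		snprintf(buf, sizeof(buf), "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		/* Bounded copy; the terminator is written explicitly because strncpy() may omit it. */
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

/*
 * Pseudo-syscall: open a procfs file named by a1 under /proc/self (a0 == 0),
 * /proc/thread-self (a0 == -1) or /proc/self/task/<a0>.  Tries read-write
 * first and falls back to read-only.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}

	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/* Pseudo-syscall: open /dev/pts/<n> for the pty number TIOCGPTN reports on fd a0, with flags a1. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;

	char buf[128];
	snprintf(buf, sizeof(buf), "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

/*
 * Pseudo-syscall: create a socket while temporarily switched to the
 * namespace behind kInitNetNsFd, then switch back.
 *
 * The fd for the current namespace is now closed when the first setns()
 * fails (it used to leak).  Failing to switch back is fatal: exit(1).
 */
static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}

	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	return sock;
}

/*
 * Pseudo-syscall: create a TCP socket in the namespace behind kInitNetNsFd
 * and connect it to 127.0.0.1:4420.  Returns the socket or -1.
 *
 * As in syz_init_net_socket(), the saved-namespace fd is closed on the early
 * setns() failure.  A failed socket() is now reported directly instead of
 * going through connect()/close() on -1, and the address struct is zeroed
 * before use.
 */
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;

	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		int saved = errno;
		close(netns);
		errno = saved;
		return -1;
	}

	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	if (sock == -1)
		return -1;

	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		int saved = errno;
		close(sock);
		errno = saved;
		return -1;
	}
	return sock;
}

/*
 * Pseudo-syscall: resolve a generic-netlink family name to its id.
 * A negative sock_arg means "use a temporary socket", which is closed again
 * before returning.  Returns the id or -1.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1)
			return -1;
	}

	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0)
		return -1;
	return ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software.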
If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code 
- first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if 
(dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } 
else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? 
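puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; }

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

/*
 * Inflate a zlib-wrapped buffer and write the result to dest_fd.
 *
 * The first ZLIB_HEADER_WIDTH bytes are skipped without being validated; an
 * input shorter than that is treated as empty and reported as success.
 * Output is limited to the 132 MiB scratch mapping.
 *
 * Returns 0 on success, -1 on failure.  After a decode failure errno holds
 * the negated puff() result, so it can be negative for puff()'s positive
 * codes.
 *
 * The write is retried until the whole image is out.  A single write() may
 * legitimately be short, and the previous version reported that as failure
 * without a meaningful errno.
 */
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
	if (sourcelen < ZLIB_HEADER_WIDTH)
		return 0;
	source += ZLIB_HEADER_WIDTH;
	sourcelen -= ZLIB_HEADER_WIDTH;

	const unsigned long max_destlen = 132 << 20;
	void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
	if (ret == MAP_FAILED)
		return -1;
	unsigned char* dest = (unsigned char*)ret;

	unsigned long destlen = max_destlen;
	int err = puff(dest, &destlen, source, sourcelen);
	if (err) {
		munmap(dest, max_destlen);
		errno = -err;
		return -1;
	}

	unsigned long written = 0;
	while (written < destlen) {
		ssize_t n = write(dest_fd, dest + written, destlen - written);
		if (n < 0 && errno == EINTR)
			continue;
		if (n <= 0) {
			/* Keep write()'s errno across munmap(); no progress is reported as EIO. */
			int saved = n < 0 ? errno : EIO;
			munmap(dest, max_destlen);
			errno = saved;
			return -1;
		}
		written += (unsigned long)n;
	}
	return munmap(dest, max_destlen);
}

/*
 * Decompress the image into a memfd and attach it to loop device loopname.
 *
 * On success stores the open loop fd in *loopfd_p and returns 0.  On failure
 * returns -1 with errno set to the first error; nothing is left open.
 * If the loop device is busy it is cleared once and the attach is retried.
 */
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
	int err = 0, loopfd = -1;

	int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
	if (memfd == -1) {
		err = errno;
		goto error;
	}
	if (puff_zlib_to_file(data, size, memfd)) {
		err = errno;
		goto error_close_memfd;
	}
	loopfd = open(loopname, O_RDWR);
	if (loopfd == -1) {
		err = errno;
		goto error_close_memfd;
	}
	if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
		if (errno != EBUSY) {
			err = errno;
			goto error_close_loop;
		}
		/* Device still has a backing file: detach it, wait briefly, try again. */
		ioctl(loopfd, LOOP_CLR_FD, 0);
		usleep(1000);
		if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
			err = errno;
			goto error_close_loop;
		}
	}
	/* The memfd is no longer needed once it is attached. */
	close(memfd);
	*loopfd_p = loopfd;
	return 0;

error_close_loop:
	close(loopfd);
error_close_memfd:
	close(memfd);
error:
	errno = err;
	return -1;
}

/* Best-effort detach of the backing file from loop device loopname; errors are ignored. */
static void reset_loop_device(const char* loopname)
{
	int loopfd = open(loopname, O_RDWR);
	if (loopfd == -1)
		return;
	(void)ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
}

/*
 * Pseudo-syscall: attach a compressed image to /dev/loop<procid>, enable
 * partition scanning, and symlink each partition device found
 * (/dev/loop<procid>p1 .. p7) to ./file0, ./file1, ... in discovery order.
 *
 * Returns 0 on success, -1 with errno set otherwise; the loop device is
 * detached again on failure.
 */
static long syz_read_part_table(volatile unsigned long size, volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int err = 0, res = -1, loopfd = -1;
	char loopname[64];

	snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
	if (setup_loop_device(data, size, loopname, &loopfd) == -1)
		return -1;

	struct loop_info64 info;
	if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	info.lo_flags |= LO_FLAGS_PARTSCAN;
	if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
		err = errno;
		goto error_clear_loop;
	}
	res = 0;

	for (unsigned long i = 1, j = 0; i < 8; i++) {
		snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i);
		struct stat statbuf;
		if (stat(loopname, &statbuf) == 0) {
			char linkname[64];
			snprintf(linkname, sizeof(linkname), "./file%d", (int)j++);
			/* A failed symlink is ignored. */
			(void)symlink(loopname, linkname);
		}
	}

error_clear_loop:
	if (res)
		ioctl(loopfd, LOOP_CLR_FD, 0);
	close(loopfd);
	errno = err;
	return res;
}

/*
 * Pseudo-syscall: mount a filesystem, optionally backed by a compressed
 * image attached to /dev/loop<procid>.
 *
 * Caller options are copied into a local buffer (at most sizeof(opts) - 32
 * bytes, longer strings are silently truncated) so that per-filesystem
 * options can be appended: iso9660 is forced read-only; ext* gets
 * ",errors=continue" unless a standalone "errors=remount-ro" is present and
 * "errors=panic" is absent; xfs gets ",nouuid"; gfs2 gets ",errors=withdraw"
 * when "errors=panic" or "debug" appears.
 *
 * A NULL options or filesystem pointer is now tolerated: options are left
 * empty and the per-filesystem adjustments are skipped.  Both were
 * previously passed to string functions unchecked.
 *
 * Returns an fd for the mounted directory, or, when change_dir is set, the
 * result of chdir(); -1 with errno set on failure.  The loop device is
 * detached before returning in every case.
 * NOTE(review): with change_dir set the directory fd opened just before is
 * overwritten by chdir()'s result and never closed - confirm whether that is
 * intended before changing the return contract.
 */
static long syz_mount_image(
    volatile long fsarg,
    volatile long dir,
    volatile long flags,
    volatile long optsarg,
    volatile long change_dir,
    volatile unsigned long size,
    volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];

	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		close(loopfd);
		source = loopname;
	}

	mkdir(target, 0777);

	char opts[256];
	memset(opts, 0, sizeof(opts));
	/* 32 bytes of headroom are kept for the suffixes appended below; the
	 * buffer was zeroed, so the copy is always NUL-terminated. */
	if (mount_opts)
		strncpy(opts, mount_opts, sizeof(opts) - 32);

	if (fs) {
		if (strcmp(fs, "iso9660") == 0) {
			flags |= MS_RDONLY;
		} else if (strncmp(fs, "ext", 3) == 0) {
			bool has_remount_ro = false;
			char* remount_ro_start = strstr(opts, "errors=remount-ro");
			if (remount_ro_start != NULL) {
				/* Count it only as a whole option, delimited by ',' or the string ends. */
				char after = *(remount_ro_start + strlen("errors=remount-ro"));
				char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
				has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
			}
			if (strstr(opts, "errors=panic") || !has_remount_ro)
				strcat(opts, ",errors=continue");
		} else if (strcmp(fs, "xfs") == 0) {
			strcat(opts, ",nouuid");
		} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
			strcat(opts, ",errors=withdraw");
		}
	}

	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}

error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

#define noinline __attribute__((noinline))
#define always_inline __attribute__((always_inline)) inline
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest

extern char *__start_guest, *__stop_guest;

struct api_call_header {
	uint64_t call;
	uint64_t size;
};

struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};

struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};

struct api_call_3 {
	struct api_call_header header;
	uint64_t args[3];
};

struct api_call_5 {
	struct api_call_header header;
	uint64_t args[5];
};

#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define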
X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_ADDR_GLOBALS 0x17F000 #define X86_SYZOS_ADDR_PT_POOL 0x180000 #define X86_SYZOS_PT_POOL_SIZE 64 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x1000000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * 
X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 9) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define 
X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) 
#define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G 
| VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define 
VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e 
// VMCS guest-state field identifiers (continued); these are the `field` operand of vmread()/vmwrite().
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826

// VMCB control-area values; the offsets are added to the VMCB base by vmcb_read*/vmcb_write*.
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_EXITINFO2 0x080
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0

// VMCB guest save-area offsets: selector, attributes, limit and base per segment register.
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498

// VMCB guest save-area offsets: control registers, debug registers and general state.
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670
#define VMCB_RAX 0x5f8

// Bits for the VMCB *_ATTR segment fields, plus ready-made 64-bit code/data combinations.
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_TSS_BUSY 0x008b
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

// NOTE(review): presumably placeholder immediates patched into generated guest code; no use is visible nearby - confirm.
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d

// Sizing limits: these bound the per-VCPU and per-L2-VM arrays in struct syzos_globals.
#define KVM_MAX_VCPU 4
#define KVM_MAX_L2_VMS 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// 64-bit mask with bits l..h (inclusive) set.
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))

// Symbol whose address is taken as the start of the guest code section in the host image.
extern char* __start_guest;

// Translates the host address of a guest function into the address it has inside the guest:
// the offset of fn from __start_guest, rebased onto SYZOS_ADDR_EXECUTOR_CODE.
static always_inline uintptr_t executor_fn_guest_addr(void* fn)
{
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

// Host-side pseudo-syscall: checks that the kvm_run structure at a0 reports exit reason a1.
// Returns 0 on a match. Returns -1 with errno = EINVAL when a0 is NULL, and -1 with
// errno = EDOM on a mismatch; both failure paths write a diagnostic to stderr.
static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
{
	// a0 is used as a pointer without any validation beyond the NULL check below.
	struct kvm_run* run = (struct kvm_run*)a0;
	uint64_t expect = a1;
	if (!run) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n");
		errno = EINVAL;
		return -1;
	}
	if (run->exit_reason != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n");
		// NOTE(review): mmio.is_write is printed for every mismatch; it is presumably only
		// meaningful when the exit really was an MMIO exit - confirm before relying on it.
		fprintf(stderr, " is_write: %d\n", run->mmio.is_write);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason);
		errno = EDOM;
		return -1;
	}
	return 0;
}

// Command identifiers read from api_call_header.call and dispatched by guest_main().
// The values are sparse; SYZOS_API_STOP is one past the last valid id (387) and is used by
// guest_main() as the upper bound of its range check.
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_LOAD_SYZOS = 310,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

// Command layouts. Each starts with the common api_call_header; guest_main() casts the
// header pointer to the layout that matches header.call.
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};

// Raw instruction bytes; their length is header.size minus the header size.
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};

struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};

struct api_call_nested_load_syzos {
	struct api_call_header header;
	uint64_t vm_id;
	uint64_t unused_pages;
	uint8_t program[];
};

struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

// Saved L2 general-purpose registers. The field order matches the push sequence in
// nested_vm_exit_handler_intel_asm (r15 pushed first, rax last, so rax is at offset 0).
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

// Flags for mem_region.flags. Bit 4 is not defined here.
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)
#define MEM_REGION_FLAG_REMAINING (1 << 7)

// One guest-physical memory region: start address, length in pages, MEM_REGION_FLAG_* bits.
struct mem_region {
	uint64_t gpa;
	int pages; // signed; consumers multiply it by KVM_PAGE_SIZE
	uint32_t flags;
};

// Region table read by the guest from X86_SYZOS_ADDR_BOOT_ARGS.
struct syzos_boot_args {
	uint32_t region_count;
	uint32_t reserved;
	struct mem_region regions[];
};

// Guest-global state read from X86_SYZOS_ADDR_GLOBALS.
struct syzos_globals {
	uint64_t alloc_offset; // next free offset handed out by guest_alloc_page()
	uint64_t total_size; // size of the allocatable area; 0 until first use
	uint64_t text_sizes[KVM_MAX_VCPU]; // per-VCPU command stream length, read by guest_main()
	struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS];
	uint64_t active_vm_id[KVM_MAX_VCPU];
};

// Forward declarations for the guest-side handlers called from guest_main().
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == 
SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct 
api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm 
volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile 
struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile( "cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void 
nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset) { return *((volatile uint32_t*)(vmcb + offset)); } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t 
cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static uint64_t get_unused_memory_size() { volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED) return args->regions[i].pages * KVM_PAGE_SIZE; } return 0; } GUEST_CODE static uint64_t guest_alloc_page() { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; if (globals->total_size == 0) { uint64_t size = get_unused_memory_size(); __sync_val_compare_and_swap(&globals->total_size, 0, size); } uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE); if (offset >= globals->total_size) guest_uexit(UEXIT_ASSERT); uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset; guest_memset((void*)ptr, 0, KVM_PAGE_SIZE); return ptr; } GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags) { uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr; uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile 
uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (!(pd[pd_idx] & X86_PDE64_PRESENT)) { uint64_t page = guest_alloc_page(); pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; } volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF); uint64_t pt_idx = (gpa >> 12) & 0x1FF; if (!(pt[pt_idx] & X86_PDE64_PRESENT)) pt[pt_idx] = (host_pa & ~0xFFF) | flags; } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages) { uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; if (vendor == CPU_VENDOR_INTEL) { flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS; for (uint32_t i = 0; i < args->region_count; i++) { struct mem_region r; r.gpa = args->regions[i].gpa; r.pages = args->regions[i].pages; r.flags = args->regions[i].flags; if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r.flags & MEM_REGION_FLAG_REMAINING) { r.pages = (unused_pages < 16) ? 
16 : unused_pages; } for (int p = 0; p < r.pages; p++) { uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE); uint64_t backing; if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) { backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) { backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); } else { backing = gpa; } l2_map_page(cpu_id, vm_id, gpa, backing, flags); } } } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); 
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void handle_nested_uexit(uint64_t exit_code) { uint64_t level = (exit_code >> 56) + 1; exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56); guest_uexit(exit_code); } GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_EPT_VIOLATION 0x30 #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; if (reason == EXIT_REASON_EPT_VIOLATION) return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || 
(reason == EXIT_REASON_RDTSC)) {
		rip += 2;
	} else if (reason == EXIT_REASON_RDTSCP) {
		rip += 3;
	}
	vmwrite(VMCS_GUEST_RIP, rip);
}

// C half of the Intel VM-exit path, called from nested_vm_exit_handler_intel_asm
// with the raw exit reason and a pointer to the register block that stub pushed.
// It saves the L2 registers into globals->l2_ctx, turns an EPT violation on the
// X86_SYZOS_ADDR_EXIT page into a nested uexit, and reports every other exit
// through guest_uexit_l2() before advancing the L2 RIP.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// cpu_id is recovered from the host stack, not passed as an argument: the
	// entry sequence in guest_handle_nested_vmentry_intel pushes cpu_id, the
	// launch flag and six callee-saved registers before recording HOST_RSP, so
	// cpu_id sits 7 quadwords above the end of the register block. The offset
	// has to be kept in sync with that push sequence.
	uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8);
	// NOTE(review): neither cpu_id nor vm_id is range-checked before indexing
	// l2_ctx here; this relies on the values stored at VM entry.
	uint64_t vm_id = globals->active_vm_id[cpu_id];
	guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
	uint64_t basic_reason = exit_reason & 0xFFFF;
	if (basic_reason == EXIT_REASON_EPT_VIOLATION) {
		uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS);
		if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
			// L2 touched the exit page: forward its RAX as the exit code.
			handle_nested_uexit(regs->rax);
			// NOTE(review): +3 assumes the faulting L2 instruction is
			// 3 bytes long - confirm against the L2 uexit sequence.
			vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3);
			return;
		}
	}
	syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
	advance_l2_rip_intel(basic_reason);
}

// Label defined inside the inline asm of guest_handle_nested_vmentry_intel;
// the exit stub below jumps to it to resume the L1 code after a VM exit.
extern char after_vmentry_label;

// Naked VM-exit entry point (init_vmcs_host_state writes its address to
// VMCS_HOST_RIP). It pushes the fifteen general-purpose registers, reads the
// exit reason from the VMCS into RDI, passes RSP as the register block in RSI,
// calls the C handler, then unwinds the stack frame built at VM entry and
// jumps to after_vmentry_label.
__attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
	asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )"
		     :
		     : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
		     : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD SVM exit codes recognised by map_amd_exit_reason().
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_NPF 0x400
#define VMEXIT_RDTSCP 0x87

// Translate an AMD exit code into a syz_nested_exit_reason; a nested page
// fault is reported under the same value as an Intel EPT violation.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
	volatile uint64_t reason =
basic_reason;
	if (reason == VMEXIT_HLT)
		return SYZOS_NESTED_EXIT_REASON_HLT;
	if (reason == VMEXIT_INVD)
		return SYZOS_NESTED_EXIT_REASON_INVD;
	if (reason == VMEXIT_CPUID)
		return SYZOS_NESTED_EXIT_REASON_CPUID;
	if (reason == VMEXIT_RDTSC)
		return SYZOS_NESTED_EXIT_REASON_RDTSC;
	if (reason == VMEXIT_RDTSCP)
		return SYZOS_NESTED_EXIT_REASON_RDTSCP;
	if (reason == VMEXIT_NPF)
		return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
	return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// AMD counterpart of advance_l2_rip_intel(): read the guest RIP from the VMCB
// of (cpu_id, vm_id), add a fixed instruction length for the exit reasons it
// knows (2 bytes for INVD/CPUID/RDTSC, 3 for RDTSCP) and write it back.
// Other reasons leave the RIP unchanged.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
	volatile uint64_t reason = basic_reason;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
	if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
		rip += 2;
	} else if (reason == VMEXIT_RDTSCP) {
		rip += 3;
	}
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// C half of the AMD VM-exit path, called from the inline asm in
// guest_run_amd_vm with the exit code and a pointer to the pushed register
// block. Mirrors nested_vm_exit_handler_intel: save the L2 registers, turn a
// nested page fault on the X86_SYZOS_ADDR_EXIT page into a nested uexit, and
// report every other exit through guest_uexit_l2() before advancing the RIP.
__attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// cpu_id is read back from the stack frame built in guest_run_amd_vm. The
	// offset is 8 quadwords here (7 on Intel) because that asm pushes one more
	// quadword, the exit code, between the frame and the register block.
	uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8);
	// NOTE(review): cpu_id and vm_id index l2_ctx without a range check here.
	uint64_t vm_id = globals->active_vm_id[cpu_id];
	guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
	volatile uint64_t basic_reason = exit_reason & 0xFFFF;
	if (basic_reason == VMEXIT_NPF) {
		uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
		// The faulting guest-physical address is taken from EXITINFO2.
		uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2);
		if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
			handle_nested_uexit(regs->rax);
			uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
			// NOTE(review): +3 assumes a 3-byte faulting instruction - confirm.
			vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3);
			return;
		}
	}
	syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
	guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
	advance_l2_rip_amd(basic_reason,
cpu_id, vm_id);
}

// Fill the host-state area of the VMCS with the L1 (SYZOS) context that the
// CPU loads on every VM exit: fixed SYZOS selectors and table bases, the
// current CR0/CR3/CR4 and a set of MSR values read at call time. HOST_RIP
// points at nested_vm_exit_handler_intel_asm. HOST_RSP is not written here;
// the VM-entry asm in guest_handle_nested_vmentry_intel sets it just before
// entering the guest.
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
	vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
	vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
	vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
	vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS);
	vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
	vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
	vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
	vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
	// Every VM exit lands in the naked assembly stub.
	vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
	vmwrite(VMCS_HOST_CR0, read_cr0());
	vmwrite(VMCS_HOST_CR3, read_cr3());
	vmwrite(VMCS_HOST_CR4, read_cr4());
	vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
	vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
	vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
	vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
	vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
	vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copy one VMCS field into another (used to mirror host state into guest state).
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Write selector, base, limit and access rights of one guest segment register.
// The macro expands to four separate statements and is not wrapped in
// do { } while (0), so it must only be used where a statement list is valid
// (never as the body of an unbraced if/else/loop).
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fill the guest-state area of the VMCS for the L2 guest (cpu_id, vm_id).
// Most values are read back from the host-state fields, so
// init_vmcs_host_state() has to run first (nested_create_vm_intel calls the
// two in that order). RIP and RSP point at the per-VM code page and the top
// of the per-VM stack page.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	// Segment selectors (and FS/GS/TR bases) are inherited from the host fields.
	SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
	SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF,
VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
	SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
	SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
	// The guest starts with the same control-register values as the host fields.
	vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
	vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
	vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
	vmwrite(VMCS_GUEST_RIP, l2_code_addr);
	// Initial stack pointer: 8 bytes below the end of the one-page L2 stack.
	vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmwrite(VMCS_GUEST_DR7, 0x400);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
	COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
	COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
	vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
	// Descriptor-table bases are shared with the host; limits are fixed at 0xffff.
	vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
	vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
	vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
	vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
	// All-ones link pointer (presumably "no shadow VMCS" - confirm).
	vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
	vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
	vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
	vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
	vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
	vmwrite(VMCS_GUEST_INTR_STATUS, 0);
	vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Create an L2 VM on Intel: initialise and clear the VMCS region for
// (cpu_id, vm_id), make it current, zero the L2 page-table root and MSR-bitmap
// pages, build the L2 page tables and fill the control, host and guest areas.
// Reports 0xE2BAD1 through guest_uexit() if VMCLEAR fails.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
	// NOTE(review): vm_id comes straight from the command and is not
	// range-checked in this function before it is used to derive addresses;
	// confirm whether the dispatcher bounds it.
	uint64_t vm_id = cmd->arg;
uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint8_t error = 0;
	uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
	// The first 32-bit word of the region receives the low half of
	// IA32_VMX_BASIC (presumably the VMCS revision identifier - confirm).
	*(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
	// setna captures CF or ZF from VMCLEAR, i.e. either failure indication.
	asm volatile("vmclear %1; setna %0"
		     : "=q"(error)
		     : "m"(vmcs_addr)
		     : "memory", "cc");
	if (error) {
		guest_uexit(0xE2BAD1);
		return;
	}
	nested_vmptrld(cpu_id, vm_id);
	guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0);
	init_vmcs_control_fields(cpu_id, vm_id);
	// Host state first: init_vmcs_guest_state() reads the host fields back.
	init_vmcs_host_state();
	init_vmcs_guest_state(cpu_id, vm_id);
}

// Write selector, attributes, limit and base of one guest segment into a VMCB.
// Like SETUP_L2_SEGMENT this expands to four separate statements, so it must
// not be used as the body of an unbraced if/else/loop.
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// Fill the VMCB of the L2 guest (cpu_id, vm_id) on AMD: flat 64-bit segments,
// control registers taken from the running L1, entry RIP/RSP on the per-VM
// code and stack pages, descriptor tables copied from L1, every intercept in
// vectors 3 and 4 enabled, and nested paging rooted at the per-VM page table.
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
	uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64,
X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY);
	SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
	// Control registers come from the running L1; CR0.WP is forced on.
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
	vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
	vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
	// Initial stack pointer: 8 bytes below the end of the one-page L2 stack.
	vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
	vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
	vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME);
	vmcb_write64(vmcb_addr, VMCB_RAX, 0);
	// Copy the L1 GDTR/IDTR (base and limit) into the guest state.
	struct {
		uint16_t limit;
		uint64_t base;
	} __attribute__((packed)) gdtr, idtr;
	asm volatile("sgdt %0"
		     : "=m"(gdtr));
	asm volatile("sidt %0"
		     : "=m"(idtr));
	vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
	vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
	vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
	// Enable every intercept covered by the VEC3 and VEC4 "ALL" masks.
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
	vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
	// Nested paging on, rooted at the page-aligned per-VM table.
	vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
	uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
	vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
	// Every L2 VM is given ASID 1.
	vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Create an L2 VM on AMD: zero the VMCB, the per-CPU arch-specific page, the
// L2 page-table root and the MSR-bitmap page, build the L2 page tables and
// fill the VMCB guest state.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
	// NOTE(review): vm_id comes straight from the command and is not
	// range-checked here before it is used to derive the pages that get zeroed.
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
	guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
	guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
	setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0);
init_vmcb_guest_state(cpu_id, vm_id);
}

// Dispatch L2 VM creation to the Intel or AMD implementation. Any vendor
// value other than CPU_VENDOR_INTEL takes the AMD path.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_create_vm_intel(cmd, cpu_id);
	} else {
		nested_create_vm_amd(cmd, cpu_id);
	}
}

// Walk the four-level L2 page table of (cpu_id, vm_id) and translate an L2
// guest-physical address into the address backing it.
// Returns 0 if any level is not present, so a mapping that resolves to
// address 0 cannot be told apart from "not mapped". Every present entry is
// followed as a pointer to the next level; large-page entries are not
// handled specially.
GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa)
{
	uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
	volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
	// Each level is indexed by 9 bits of the address: 47:39, 38:30, 29:21, 20:12.
	uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
	if (!(pml4[pml4_idx] & X86_PDE64_PRESENT))
		return 0;
	volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
	uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
	if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT))
		return 0;
	volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
	uint64_t pd_idx = (gpa >> 21) & 0x1FF;
	if (!(pd[pd_idx] & X86_PDE64_PRESENT))
		return 0;
	volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
	uint64_t pt_idx = (gpa >> 12) & 0x1FF;
	if (!(pt[pt_idx] & X86_PDE64_PRESENT))
		return 0;
	// NOTE(review): only the low 12 bits are masked off the entry; any
	// attribute bits stored above bit 11 would stay in the result.
	return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF);
}

// Copy a caller-supplied instruction blob into the page that backs the L2
// user-code address and point the L2 guest's RIP/RSP at the user-code and
// stack-bottom regions. Reports 0xE2BAD4 through guest_uexit() when the L2
// user-code address is not mapped.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->vm_id;
	uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE);
	if (!l2_code_backing) {
		guest_uexit(0xE2BAD4);
		return;
	}
	// NOTE(review): the subtraction is unsigned. If header.size is smaller than
	// the fixed part of the command it wraps to a huge value, the clamp below
	// then selects a full page, and the copy reads a page starting at cmd->insns
	// no matter how much payload the command really carries. Whether header.size
	// is validated before this handler runs is not visible here.
	uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
	// The destination is a single page, so the copy is capped at one page.
	if (l2_code_size > KVM_PAGE_SIZE)
		l2_code_size = KVM_PAGE_SIZE;
	guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		// vmwrite acts on the current VMCS, so make this VM's VMCS current first.
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
		vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	} else {
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
		vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP,
X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	}
}

// Load a SYZOS program into an L2 VM so that the L2 guest itself runs
// guest_main: copy the program into the per-VM code page, publish its size in
// the L2 copy of the globals, seed RDI (vCPU index) and RAX (0) in every
// saved L2 context of this VM, and set the entry RIP/RSP. Reports 0xE2BAD3
// through guest_uexit() when the globals page is not mapped in the L2 tables.
GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id)
{
	// NOTE(review): vm_id is taken from the command and indexes
	// globals->l2_ctx[i][vm_id] below without a range check in this function.
	uint64_t vm_id = cmd->vm_id;
	// NOTE(review): unsigned subtraction; a header.size below the offset of
	// `program` wraps and is then clamped to a full page by the check below.
	uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program);
	uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	if (prog_size > KVM_PAGE_SIZE)
		prog_size = KVM_PAGE_SIZE;
	// The program is copied before the globals lookup, so the code page is
	// already overwritten when the 0xE2BAD3 error path is taken.
	guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size);
	uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS);
	if (!globals_pa) {
		guest_uexit(0xE2BAD3);
		return;
	}
	volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa;
	for (int i = 0; i < KVM_MAX_VCPU; i++) {
		l2_globals->text_sizes[i] = prog_size;
		globals->l2_ctx[i][vm_id].rdi = i;
		globals->l2_ctx[i][vm_id].rax = 0;
	}
	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		nested_vmptrld(cpu_id, vm_id);
		vmwrite(VMCS_GUEST_RIP, entry_rip);
		vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	} else {
		uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
		vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip);
		vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
	}
}

// Enter the L2 guest (cpu_id, vm_id) on Intel with VMLAUNCH (is_launch true)
// or VMRESUME (false). The asm skips 128 bytes of stack, pushes cpu_id, the
// launch flag and six callee-saved registers, records the resulting RSP as
// HOST_RSP and loads the L2 registers from globals->l2_ctx. The VM-exit
// handlers depend on that exact stack layout: nested_vm_exit_handler_intel
// reads cpu_id back from it and nested_vm_exit_handler_intel_asm unwinds it.
// If the entry instruction itself fails, the VM-instruction error is reported
// as 0xE2E10000 | error through guest_uexit().
GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
	uint64_t vmx_error_code = 0;
	uint64_t fail_flag = 0;
	nested_vmptrld(cpu_id, vm_id);
	// Remembered so that the exit handler can find the right l2_ctx slot.
	globals->active_vm_id[cpu_id] = vm_id;
	asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov
%%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )"
		     : [ret] "=&r"(fail_flag)
		     : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs)
		     : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
	// Falling through past vmlaunch/vmresume means the instruction failed and
	// leaves 1 in fail_flag; a real VM exit comes back through
	// after_vmentry_label, which clears it.
	if (fail_flag) {
		vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
		guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
		return;
	}
}

// Run the L2 guest (cpu_id, vm_id) on AMD with VMRUN and handle the exit
// inline. The asm builds the same kind of frame as the Intel path (128 bytes
// skipped, cpu_id, vmcb_addr and six callee-saved registers pushed), stores
// the saved L2 RAX into the VMCB at offset 0x5f8, loads the remaining L2
// registers, and executes clgi/vmrun. After the exit it pushes the word at
// VMCB offset 0x70 (the exit-code field of the AMD VMCB layout) and the guest
// registers, calls nested_vm_exit_handler_amd, unwinds the frame and executes
// stgi. A carry flag set after VMRUN is reported as 0xE2E1FFFF.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
	// Remembered so that the exit handler can find the right l2_ctx slot.
	globals->active_vm_id[cpu_id] = vm_id;
	struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
	uint8_t fail_flag = 0;
	asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push
%%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )"
		     : [fail_flag] "=m"(fail_flag)
		     : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs))
		     : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
	// NOTE(review): when `mov 176(%%rsp), %%rax` runs, fifteen quadwords have
	// been pushed since `mov 48(%%rsp), %%rax` fetched vmcb_addr. By that count
	// vmcb_addr is at 168(%rsp) and 176(%rsp) holds the saved cpu_id, so the
	// following `pushq 0x5f8(%%rax)` may not read the guest RAX from the VMCB.
	// Please confirm the offset against the push sequence.
	if (fail_flag) {
		guest_uexit(0xE2E10000 | 0xFFFF);
		return;
	}
}

// API handler: first entry into an L2 VM. On Intel this uses VMLAUNCH; the
// AMD path has no separate launch step and simply runs the VM.
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// API handler: re-enter an L2 VM. On Intel this uses VMRESUME; on AMD it is
// identical to the launch handler.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
	uint64_t vm_id = cmd->arg;
	if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
		guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
	} else {
		guest_run_amd_vm(cpu_id, vm_id);
	}
}

// API handler (Intel only): read-modify-write one field of an L2 VM's VMCS.
// args[0] = vm_id, args[1] = VMCS field encoding, args[2] = bits to set,
// args[3] = bits to clear, args[4] = bits to flip (applied last).
// The field encoding is passed to vmread/vmwrite exactly as supplied by the
// command; no allow-list is applied here, and the result of vmread/vmwrite is
// not checked for failure.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_INTEL)
		return;
	uint64_t vm_id = cmd->args[0];
	nested_vmptrld(cpu_id, vm_id);
	uint64_t field = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmread(field);
	// Clear first, then set, then flip: a bit present in both set_mask and
	// flip_mask therefore ends up cleared.
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmwrite(field, new_value);
}

// API handler (AMD only): read-modify-write one 64-bit word of an L2 VM's
// VMCB. args[0] = vm_id, args[1] = byte offset into the VMCB, args[2] = bits
// to set, args[3] = bits to clear, args[4] = bits to flip (applied last).
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id,
vm_id);
	// NOTE(review): offset is used as supplied. Unless vmcb_read64/vmcb_write64
	// bound it (not visible here), an offset at or beyond the end of the VMCB
	// page makes this a 64-bit read-modify-write outside the VMCB.
	uint64_t offset = cmd->args[1];
	uint64_t set_mask = cmd->args[2];
	uint64_t unset_mask = cmd->args[3];
	uint64_t flip_mask = cmd->args[4];
	uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
	// Clear first, then set, then flip.
	uint64_t new_value = (current_value & ~unset_mask) | set_mask;
	new_value ^= flip_mask;
	vmcb_write64(vmcb_addr, offset, new_value);
}

// API handler (AMD only): execute INVLPGA with args[0] as the linear address
// (RAX) and the low 32 bits of args[1] as the ASID (ECX).
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t linear_addr = cmd->args[0];
	uint32_t asid = (uint32_t)cmd->args[1];
	asm volatile("invlpga"
		     :
		     : "a"(linear_addr), "c"(asid)
		     : "memory");
}

// API handler (AMD only): execute STGI.
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("stgi" ::
			 : "memory");
}

// API handler (AMD only): execute CLGI.
GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	asm volatile("clgi" ::
			 : "memory");
}

// API handler (AMD only): compose an event-injection word from the command
// arguments and store it in the VMCB of an L2 VM.
// args[0] = vm_id, args[1] = vector (low 8 bits), args[2] = type (low 3 bits),
// args[3] = error code (low 32 bits), args[4] = flags: bit 0 sets bit 31 and
// bit 1 sets bit 11 of the word (presumably "valid" and "error code valid" -
// confirm).
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	uint64_t vector = cmd->args[1] & 0xFF;
	uint64_t type = cmd->args[2] & 0x7;
	uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
	uint64_t flags = cmd->args[4];
	uint64_t event_inj = vector;
	event_inj |= (type << 8);
	if (flags & 2)
		event_inj |= (1ULL << 11);
	if (flags & 1)
		event_inj |= (1ULL << 31);
	event_inj |= (error_code << 32);
	// NOTE(review): the word is laid out like EVENTINJ, but it is written to
	// VMCB offset 0x60. In the AMD VMCB control-area layout EVENTINJ is
	// documented at 0xA8 and 0x60 holds the virtual-interrupt control word -
	// confirm which field is intended.
	vmcb_write64(vmcb_addr, 0x60, event_inj);
}

// API handler (AMD only): set or clear bits in one 32-bit intercept word of
// an L2 VM's VMCB. args[0] = vm_id, args[1] = byte offset of the word,
// args[2] = bit mask, args[3] = action (1 sets the bits, anything else clears
// them).
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->args[0];
	uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	// NOTE(review): offset is only truncated to 16 bits below, not limited to
	// the intercept words, so the write can land on any 32-bit word within
	// 64 KiB of the VMCB base, including addresses past the VMCB page.
	uint64_t offset = cmd->args[1];
	uint64_t bit_mask = cmd->args[2];
	uint64_t action = cmd->args[3];
	uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
	if
(action == 1)
		current |= (uint32_t)bit_mask;
	else
		current &= ~((uint32_t)bit_mask);
	vmcb_write32(vmcb_addr, (uint16_t)offset, current);
}

// API handler (AMD only): execute VMLOAD with RAX holding the address of the
// VMCB of (cpu_id, cmd->arg).
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmload %%rax" ::"a"(vmcb_pa)
		     : "memory");
}

// API handler (AMD only): execute VMSAVE with RAX holding the address of the
// VMCB of (cpu_id, cmd->arg).
GUEST_CODE static noinline void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() != CPU_VENDOR_AMD)
		return;
	uint64_t vm_id = cmd->arg;
	uint64_t vmcb_pa = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
	asm volatile("vmsave %%rax" ::"a"(vmcb_pa)
		     : "memory");
}

// Pre-assembled x86 machine-code blobs, stored as byte strings. The array
// names suggest the CPU mode each one sets up (16-bit CPL3, 32-bit paging,
// VM86, long mode, nested VM init); the bytes are not disassembled here -
// check them against the assembly they were generated from before changing
// anything.
const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
0\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, 
fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

// 64-bit task-state segment layout (packed, so the struct has no padding).
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint16_t reserved3;
	uint16_t io_bitmap;
} __attribute__((packed));

// Encode a kvm_segment as an 8-byte descriptor and store it at the slot
// selected by seg->selector >> 3 in both tables (dt and lt).
// The slot index comes from the selector alone; the caller must make sure
// both tables are large enough, nothing is checked here.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	// With the granularity bit set the limit is stored in 4 KiB units.
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	// NOTE(review): two terms below always evaluate to 0 in 64-bit arithmetic:
	// (limit & 0xf0000ULL) << 48 moves bits 16..19 to 64..67, and
	// (seg->base & 0xff000000ULL) << 56 moves bits 24..31 to 80..87. Limit bits
	// 19:16 and base bits 31:24 therefore never reach the descriptor (a shift
	// of 32 would place them at bits 51:48 and 63:56). Left unchanged because
	// the generated descriptors depend on it - confirm whether this is intended.
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// Same as fill_segment_descriptor(), for descriptors that occupy two 8-byte
// slots: the second slot is zeroed in both tables.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Program the SYSENTER and SYSCALL MSRs of a vCPU with one KVM_SET_MSRS call.
// sel_cs is used for SYSENTER_CS and for bits 47:32 of STAR; sel_cs_cpl3 goes
// into bits 63:48 of STAR. The ioctl result is ignored, so a failed or
// partial MSR update is not reported.
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	// kvm_msrs header followed by room for exactly five entries.
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Build a 32-entry IDT for 16/32-bit guest modes in guest memory and point
// sregs->idt at it. The gate type cycles through six variants by vector number.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt =
(uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 
14 : 15; gate.base = X86_SEL_CS64; gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 5, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_VAR_IDT, 10, 0}, {X86_SYZOS_ADDR_BOOT_ARGS, 1, 0}, {X86_SYZOS_ADDR_PT_POOL, X86_SYZOS_PT_POOL_SIZE, 0}, {X86_SYZOS_ADDR_GLOBALS, 1, 0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, {X86_SYZOS_ADDR_UNUSED, 0, MEM_REGION_FLAG_REMAINING}, }; #define SYZOS_REGION_COUNT (sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0])) struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; void* pt_pool_mem; void* globals_mem; void* region_base[SYZOS_REGION_COUNT]; }; static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa) { for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; if (r->gpa == X86_SYZOS_ADDR_UNUSED) break; size_t region_size = r->pages * KVM_PAGE_SIZE; if (gpa >= r->gpa && gpa < r->gpa + region_size) return (void*)((char*)vm->region_base[i] + (gpa - r->gpa)); } return NULL; } #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES 
* sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(uint64_t)gpa_to_hva(vm, sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa) { if (gpa >= X86_SYZOS_ADDR_PT_POOL && gpa < X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE)) { uint64_t offset = gpa - X86_SYZOS_ADDR_PT_POOL; return (uint64_t*)((char*)vm->pt_pool_mem + offset); } return (uint64_t*)((char*)vm->gpa0_mem + gpa); } static void map_4k_page(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)((char*)vm->gpa0_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = get_host_pte_ptr(vm, pml4[pml4_idx] & PAGE_MASK); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = get_host_pte_ptr(vm, pdpt[pdpt_idx] & PAGE_MASK); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = 
get_host_pte_ptr(vm, pd[pd_idx] & PAGE_MASK); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(struct kvm_syz_vm* vm, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(vm, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE}; memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE); memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE); for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) { int pages = syzos_mem_regions[i].pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) { if (total < 0) exit(1); pages = total; } map_4k_region(vm, &alloc, syzos_mem_regions[i].gpa, pages); if (!(syzos_mem_regions[i].flags & MEM_REGION_FLAG_NO_HOST_MEM)) total -= pages; if (syzos_mem_regions[i].flags & MEM_REGION_FLAG_REMAINING) break; } } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = 0}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){ .limit_low = 0x67, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = SVM_ATTR_TSS_BUSY, .limit_high_and_flags = 0, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; 
gdt[(X86_SYZOS_SEL_TSS64 >> 3) + 1] = (struct gdt_entry){ .limit_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 32), .base_low = (uint16_t)((uint64_t)X86_SYZOS_ADDR_VAR_TSS >> 48), .base_mid = 0, .access = 0, .limit_high_and_flags = 0, .base_high = 0}; } static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d) { *a = *b = *c = *d = 0; asm volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(eax), "c"(ecx)); } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd, int cpu_id) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)(uint64_t)gpa_to_hva(vm, sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_pg_table(vm); setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= 
(X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0; get_cpuid(0, 0, &eax, &ebx, &ecx, &edx); if (ebx == 0x68747541 && edx == 0x69746e65 && ecx == 0x444d4163) { sregs.efer |= X86_EFER_SVME; void* hsave_host = (void*)(uint64_t)gpa_to_hva(vm, X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id)); memset(hsave_host, 0, KVM_PAGE_SIZE); } sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) 
memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = 
X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; 
seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, 
X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | 
X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = 
tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if 
(text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; 
seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return 
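-1; return 0; }

// RFLAGS bit 1 is set in every register image built below; bit 9 is the
// interrupt-enable flag.
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

// Resets the general-purpose registers of a vCPU: everything is zero except
// RFLAGS (bit 1 and IF), RIP = rip, RSP = X86_SYZOS_ADDR_STACK0, RDI = cpu_id.
// The KVM_SET_REGS result is ignored.
static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id)
{
	struct kvm_regs regs;
	// The page showed "&regs" mis-encoded as a registered-trademark sign
	// followed by "s"; the address-of expression is restored here.
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = rip;
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

// Copies one code blob into the per-vCPU page of the user-code region and
// initialises the vCPU to start at guest_main.
//   vm        - VM bookkeeping (user_text and globals_mem are read).
//   cpufd     - vCPU file descriptor.
//   cpu_id    - must be in [0, KVM_MAX_VCPU); anything else is ignored silently.
//   text      - code bytes; at most KVM_PAGE_SIZE bytes are copied.
//   text_size - requested length, clamped to KVM_PAGE_SIZE.
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	// Each vCPU owns exactly one page of the region, so the copy is bounded.
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd, cpu_id);
	setup_cpuid(cpufd);
	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	reset_cpu_regs(cpufd, entry_rip, cpu_id);
	if (vm->globals_mem) {
		// Record the clamped length in the shared globals area.
		struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem;
		globals->text_sizes[cpu_id] = text_size;
	}
}

// A contiguous span of host memory: start address and length in bytes.
struct addr_size {
	void* addr;
	size_t size;
};

// Carves `size` bytes off the front of *free.
// Returns the carved span, or {NULL, 0} when fewer than `size` bytes remain
// (in which case *free is left unchanged).
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

// Thin wrapper around KVM_SET_USER_MEMORY_REGION. The ioctl result is ignored.
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg;
	memreg.slot = slot;
	memreg.flags = flags;
	memreg.guest_phys_addr = guest_phys_addr;
	memreg.memory_size = memory_size;
	memreg.userspace_addr = userspace_addr;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

// Copies the linked-in guest image (__start_guest .. __stop_guest) to host_mem.
// Calls exit(1) when the image does not fit into mem_size bytes.
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);
	memcpy(host_mem, &__start_guest, size);
}

// Splits vm->host_mem into the regions of syzos_mem_regions, records the host
// address of each in vm, and registers every host-backed region with KVM.
// NOTE(review): the result of alloc_guest_mem() is not checked. If the fixed
// regions ever exceed vm->total_pages, next.addr is NULL and the boot-args
// setup below dereferences it - confirm the page budget covers the table.
static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	struct syzos_boot_args* boot_args = NULL;
	for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) {
			// No backing memory and no KVM slot for this region.
			vm->region_base[i] = NULL;
			continue;
		}
		size_t pages = r->pages;
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			pages = allocator.size / KVM_PAGE_SIZE;
		struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE);
		vm->region_base[i] = next.addr;
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_PT_POOL)
			vm->pt_pool_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_GLOBALS)
			vm->globals_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) {
			// Hand the guest a copy of the region table.
			boot_args = (struct syzos_boot_args*)next.addr;
			boot_args->region_count = SYZOS_REGION_COUNT;
			for (size_t k = 0; k < boot_args->region_count; k++)
				boot_args->regions[k] = syzos_mem_regions[k];
		}
		// The table lists 0 pages for the REMAINING entry; patch in the real count.
		if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args)
			boot_args->regions[i].pages = pages;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			break;
	}
}

// Pseudo-syscall: builds a SYZOS VM inside caller-provided host memory.
//   a0 - VM file descriptor.
//   a1 - host memory; its first page holds the struct kvm_syz_vm and the
//        following KVM_GUEST_PAGES - 1 pages back the guest regions.
// Returns the struct kvm_syz_vm pointer as a long. a1 is not validated.
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;
	ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	ret->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, ret);
	ret->vmfd = vmfd;
	ret->next_cpu_id = 0;
	return (long)ret;
}

// Pseudo-syscall: creates the next vCPU of a SYZOS VM and installs its code.
//   a0 - struct kvm_syz_vm pointer from syz_kvm_setup_syzos_vm().
//   a1 - struct kvm_text describing the code blob.
// Returns the vCPU file descriptor, or -1 with errno set: EINVAL for a NULL
// argument, ENOMEM once KVM_MAX_VCPU vCPUs exist, otherwise the errno of
// KVM_CREATE_VCPU.
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
	struct kvm_text* utext = (struct kvm_text*)a1;
	// Validate both pointers before the first dereference; the descriptor
	// used to be read before any check was made.
	if (!vm || !utext) {
		errno = EINVAL;
		return -1;
	}
	const void* text = utext->text;
	size_t text_size = utext->size;
	if (vm->next_cpu_id == KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	vm->next_cpu_id++;
	install_user_code(vm, cpufd, cpu_id, text, text_size);
	return cpufd;
}

// Prints the kvm_run exit information and the vCPU register state to stderr.
//   cpufd - vCPU file descriptor queried with KVM_GET_REGS / KVM_GET_SREGS.
//   run   - the vCPU's kvm_run area; may be NULL, in which case only the
//           registers are printed.
// hardware_entry_failure_reason is read from the exit union whatever the exit
// reason is, so it is only meaningful for failed-entry exits.
static void dump_vcpu_state(int cpufd, struct kvm_run* run)
{
	struct kvm_regs regs;
	struct kvm_sregs sregs;
	// Start from zeroes so that a failing ioctl prints zeroes rather than
	// uninitialised stack contents.
	memset(&regs, 0, sizeof(regs));
	memset(&sregs, 0, sizeof(sregs));
	ioctl(cpufd, KVM_GET_REGS, &regs);
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	fprintf(stderr, "KVM_RUN structure:\n");
	if (run) {
		fprintf(stderr, " exit_reason: %d\n", run->exit_reason);
		fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason);
	} else {
		// syz_kvm_assert_syzos_uexit() gets here with run == NULL.
		fprintf(stderr, " (kvm_run pointer is NULL)\n");
	}
	fprintf(stderr, "VCPU registers:\n");
	fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags);
	fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx);
	fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi);
	fprintf(stderr, "VCPU sregs:\n");
	fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4);
	fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0);
	fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db);
	fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db);
	fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db);
	fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit);
}

// Pseudo-syscall: checks that the last exit of a vCPU was the SYZOS "uexit"
// MMIO write carrying the expected code.
//   a0 - vCPU file descriptor (used for the state dump and in the messages).
//   a1 - struct kvm_run pointer of that vCPU.
//   a2 - expected exit code.
// Returns 0 on a match. Otherwise dumps the vCPU state to stderr and returns
// -1 with errno = EINVAL (no run area, or not an MMIO exit at
// X86_SYZOS_ADDR_UEXIT) or errno = EDOM (exit code differs).
static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2)
{
	int cpufd = (int)a0;
	struct kvm_run* run = (struct kvm_run*)a1;
	uint64_t expect = a2;
	if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd);
		dump_vcpu_state(cpufd, run);
		errno = EINVAL;
		return -1;
	}
	// Copy the payload out of the byte array rather than casting the array to
	// uint64_t*, which would break the aliasing rules.
	uint64_t actual_code = 0;
	memcpy(&actual_code, run->mmio.data, sizeof(actual_code));
	if (actual_code != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code);
		dump_vcpu_state(cpufd, run);
		errno = EDOM;
		return -1;
	}
	return 0;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

static void sandbox_common_mount_tmpfs(void) { write_file("/proc/sys/fs/mount-max", "100000"); if (mkdir("./syz-tmp", 0777)) exit(1); if (mount("", "./syz-tmp", "tmpfs", 0, NULL)) exit(1); if (mkdir("./syz-tmp/newroot", 0777)) exit(1); if (mkdir("./syz-tmp/newroot/dev", 0700)) exit(1); unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE; if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL)) exit(1); if (mkdir("./syz-tmp/newroot/proc", 0700)) exit(1); if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL)) exit(1); if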
// Continuation of sandbox_common_mount_tmpfs(): the `if` keyword for the next
// condition sits at the end of the preceding source line.
(mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	// SELinux may live at /selinux or /sys/fs/selinux; a missing mount point
	// (ENOENT) is tolerated, any other error is fatal.
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	// Optional bind mounts: only ENOENT is ignored.
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	// The inputs directory is the only bind mount requested read-only.
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	// Prefer pivot_root; when it fails, fall back to chdir so that the
	// chroot below still confines the process to newroot.
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		// Detach the old root so it is no longer reachable by path.
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}

// Best-effort mount of gadgetfs at /dev/gadgetfs; failures are ignored.
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

// Best-effort mount of fusectl at /sys/fs/fuse/connections; failures are
// ignored. kill_and_wait() later uses this directory to abort FUSE
// connections.
static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

// Best-effort mount of binderfs at /dev/binderfs; failures are ignored.
static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

// Common sandbox preparation: parent-death signal, a saved handle to the
// initial network namespace, resource limits, fresh namespaces and SysV IPC
// sysctls. Only the netns bookkeeping is fatal on failure; the setrlimit,
// unshare and sysctl steps are best effort.
static void sandbox_common()
{
	// Die with the parent, and refuse to run if already reparented to init.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exit(1);
	// Keep the initial network namespace reachable at a fixed descriptor.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource ceilings (soft == hard). NOTE(review): setrlimit() results
	// are not checked, so a limit that fails to apply goes unnoticed.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// New mount namespace, with propagation made private so later mounts do
	// not leak back to the host.
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP, spelled numerically.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	// SysV shared memory, message queue and semaphore limits.
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Blocks until child `pid` is reaped and returns its exit status. Other
// children reaped in the meantime are discarded. Exits if `pid` is negative
// (fork failure).
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the calling process; every other capability is kept.
// Exits on capget/capset failure.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	// Both capability numbers are below 32, so only word 0 is touched.
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// Entry point of the "none" sandbox: forks a child that runs the test loop
// inside new namespaces while the parent waits for it and returns its exit
// status. (The child's remaining statements are on the following source line.)
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
// Tail of do_sandbox_none(): the forked child finishes network setup, builds
// the private root and enters the test loop. loop() never returns, so exit(1)
// is only reached on an unexpected return.
	write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	initialize_wifi_devices();
	sandbox_common_mount_tmpfs();
	loop();
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)
// Recursively deletes `dir`, unmounting anything mounted on or below it.
// Exits the process on any error it cannot work around.
//
// umount2() is called with UMOUNT_NOFOLLOW and entries are classified with
// lstat(), so symlinks are not followed by those two calls.
// NOTE(review): the open(..., O_RDONLY) calls used to clear inode flags do not
// pass O_NOFOLLOW; if an entry is swapped for a symlink between lstat() and
// open(), the ioctl lands on the link target. Confirm this is acceptable for
// the directories this is run on.
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;

retry:
	// Peel off every mount stacked on the directory itself.
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		// NOTE(review): the snprintf result is not checked; a truncated
		// path would name a different entry than the one just read.
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear inode flags (FS_IOC_SETFLAGS with 0), then retry
				// the unlink.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// A read-only filesystem cannot be cleaned; leave the entry.
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			// EBUSY: something is mounted on the file; unmount and retry.
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			// New entries appeared after the scan: rescan, at most 100
			// times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Arms fault injection for the calling thread by writing `nth` to
// /proc/thread-self/fail-nth. Exits on failure.
// Returns the still-open descriptor; the caller owns it and must close it.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	// A decimal int needs at most 12 bytes including sign and NUL, so the
	// 16-byte buffer cannot overflow.
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// Kills the process group and process `pid`, then waits until `pid` has been
// reaped, storing its wait status in *status. If the child has not exited
// after 100 polls, every FUSE connection listed under
// /sys/fs/fuse/connections is aborted before the final blocking wait.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			// Local buffer named `abort`; it shadows abort(3) in this scope.
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// Only the act of writing matters; one arbitrary byte is sent.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detaches any backing file from /dev/loop<procid>. Best effort: an open
// failure is ignored and the ioctl result is not checked.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-test process setup: die with the parent, start a new process group
// (kill_and_wait() signals -pid), mark the process as the preferred OOM victim
// and create a ./binderfs symlink in the working directory.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

// Checks that kernel fault injection is available and configures it through
// debugfs.
// Returns NULL on success, otherwise a static string describing what is
// missing. Only entries marked `fatal` abort the setup when the write fails.
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

// Smallest buffer length syz_fuse_handle_req() accepts for reading a request.
#define FUSE_MIN_READ_BUFFER 8192
// FUSE request opcodes (the enumerator list continues on the following source
// line).
enum fuse_opcode {
	FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10,
	/* Remaining enum fuse_opcode enumerators (the list starts on the preceding source line). */
	FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, FUSE_SYNCFS = 50, FUSE_TMPFILE = 51, FUSE_STATX = 52, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header of a request read from the FUSE device.
struct fuse_in_header {
	uint32_t len; // total request length, checked against the bytes read
	uint32_t opcode; // enum fuse_opcode value selecting the reply template
	uint64_t unique; // request id, echoed back in the reply
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header of a reply written to the FUSE device.
struct fuse_out_header {
	uint32_t len; // number of bytes fuse_send_response() writes
	uint32_t error;
	uint64_t unique; // filled in from the matching request
};

// Caller-supplied reply templates, one per reply shape. A NULL entry means
// "no reply available" and makes the handler fail for the opcodes mapped to
// it.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

// Stamps the request id into the reply template and writes out_hdr->len bytes
// of it to the FUSE device.
// Returns 0 on success, -1 if out_hdr is NULL or write() fails.
// NOTE(review): out_hdr->len comes from the caller's template and is not
// compared with the size of the memory behind out_hdr; the write reads exactly
// that many bytes from the caller's buffer.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Reads one request from a FUSE device and answers it with the matching
// caller-provided template.
//
// a0: FUSE device fd.
// a1: buffer for the incoming request.
// a2: size of that buffer; must be at least FUSE_MIN_READ_BUFFER.
// a3: struct syz_fuse_req_out* holding the reply templates.
//
// Returns 0 when a reply was written (or none is needed for FORGET /
// BATCH_FORGET), -1 on a bad argument, a short or inconsistent read, an
// opcode with no case below, or a missing template.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// Make sure a whole header arrived before any header field is read.
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// The length claimed in the header may not exceed what was actually read.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	// Requests answered with a bare header: the init template is reused and
	// its length overwritten.
	// NOTE(review): this modifies the caller's init template in place, so a
	// later FUSE_INIT reply built from the same template is also sent with
	// the header-only length.
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	// No reply is sent for forget requests.
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids used in the mac80211_hwsim frame message.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3
// Upper bound on the frame length accepted by syz_80211_inject_frame().
#define WIFI_MAX_INJECT_LEN 2048

// Sends HWSIM_CMD_REGISTER on `sock` for the given generic-netlink family.
// Returns the netlink_send_ext() result (negative on failure).
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

// Builds and sends a HWSIM_CMD_FRAME message carrying `len` bytes of `data`
// addressed to `mac_addr` (ETH_ALEN bytes), with default rx rate and signal.
// `len` is not validated here; the caller bounds it.
// Returns the netlink_send_ext() result (negative on failure).
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

// Injects one 802.11 frame through mac80211_hwsim.
//
// a0: receiver MAC address (ETH_ALEN bytes).
// a1: frame bytes.
// a2: frame length, accepted only in [0, WIFI_MAX_INJECT_LEN].
//
// Returns 0 on success, -1 on any failure. The netlink socket is closed on
// every path. (The last statements are on the following source line.)
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
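// Tail of syz_80211_inject_frame(): release the socket, then report the
// injection result.
	close(sock);
	if (ret < 0) {
		return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Puts a wireless interface into an IBSS (ad-hoc) network.
//
// a0: interface name (NUL-terminated string).
// a1: SSID bytes.
// a2: SSID length, accepted only in [0, WIFI_MAX_SSID_LEN].
// a3: join mode, one of the WIFI_JOIN_IBSS_* values.
//
// Returns 0 on success, -1 on a rejected argument or any netlink failure.
// Only WIFI_JOIN_IBSS_NO_SCAN waits for the interface to come up.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;

	// Bound both caller-supplied scalars before they reach netlink.
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}

	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

#define USLEEP_FORKED_CHILD (3 * 50 *1000)

// Post-processing shared by the clone wrappers. In the parent (ret != 0,
// including errors) the value is returned unchanged. In the child (ret == 0)
// the process sleeps USLEEP_FORKED_CHILD microseconds and exits, so a cloned
// child never continues executing the program.
static long handle_clone_ret(long ret)
{
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	// Not reached unless the exit syscall returns.
	while (1) {
	}
}

// clone(2) wrapper. CLONE_VM is always stripped so the child gets its own
// address space, and the stack pointer is set to the 16-byte-aligned end of
// the supplied stack range.
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len,
		      volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

#define MAX_CLONE_ARGS_BYTES 256

// clone3(2) wrapper.
//
// a0: pointer to the caller's clone_args structure.
// a1: its size; must cover at least the 64-bit flags word and be no larger
//     than MAX_CLONE_ARGS_BYTES.
//
// The structure is copied to a local buffer so CLONE_VM can be cleared
// without touching the caller's memory. Returns -1 for a rejected size,
// otherwise the handle_clone_ret() result.
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(&clone_args, (void*)a0, copy_size);
	// Edit the leading flags word through memcpy: the char buffer carries no
	// uint64_t alignment guarantee.
	uint64_t flags = 0;
	memcpy(&flags, clone_args, sizeof(flags));
	flags &= ~(uint64_t)CLONE_VM;
	memcpy(clone_args, &flags, sizeof(flags));
	return handle_clone_ret((long)syscall(__NR_clone3, &clone_args, copy_size));
}

#define RESERVED_PKEY 15

// Sets the two PKRU permission bits of a protection key.
//
// pkey: protection key; it is reduced modulo 16 to select the PKRU slot.
// val:  new 2-bit value for that slot (only the low two bits are used).
//
// Returns 0 on success, -1 with errno = EINVAL when the selected slot is
// RESERVED_PKEY. The check is made on the reduced slot index, not on the raw
// argument, so a value such as 31 cannot reach the reserved slot; the index is
// computed unsigned so a negative pkey cannot produce a negative shift count.
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	const unsigned slot = (unsigned)((unsigned long)pkey % 16);
	if (slot == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	const unsigned shift = slot * 2;
	uint32_t eax = 0;
	uint32_t ecx = 0;
	asm volatile("rdpkru" : "=a"(eax) : "c"(ecx) : "edx");
	eax &= ~((uint32_t)3 << shift);
	eax |= ((uint32_t)val & 3) << shift;
	uint32_t edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

// pidfd_open(2) wrapper. A request for pid 1 is redirected to pid 0 so the
// program never obtains a handle on init.
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

// Feeds one input to a kfuzztest target through debugfs.
//
// test_name_ptr:   NUL-terminated target name; used as a single path
//                  component under /sys/kernel/debug/kfuzztest/.
// input_data:      not used by this implementation.
// input_data_size: number of bytes to write; must not be negative.
// buffer:          the bytes to write.
//
// Returns 0 when the whole buffer was written and the file closed cleanly,
// -1 otherwise.
static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data,
			      volatile long input_data_size, volatile long buffer)
{
	const char* test_name = (const char*)test_name_ptr;
	if (!test_name) {
		return -1;
	}
	if (!buffer) {
		return -1;
	}
	// The name is spliced into a filesystem path: accept only a plain
	// component so the write cannot be steered outside the kfuzztest
	// directory.
	if (test_name[0] == '\0' || strchr(test_name, '/') != NULL ||
	    strcmp(test_name, ".") == 0 || strcmp(test_name, "..") == 0) {
		return -1;
	}
	// A negative size would turn into a huge size_t in the write below.
	if (input_data_size < 0) {
		return -1;
	}
	char buf[256];
	int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name);
	// Reject formatting errors and truncated paths.
	if (ret < 0 || (unsigned long)ret >= sizeof(buf)) {
		return -1;
	}
	int fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
	if (fd < 0) {
		return -1;
	}
	ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
	if (bytes_written != input_data_size) {
		close(fd);
		return -1;
	}
	if (close(fd) != 0) {
		return -1;
	}
	return 0;
}

// One worker slot: `ready` tells the worker to run `call`, `done` tells the
// dispatcher the slot is free again.
struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently executing on worker threads.
static int running;

// Worker thread body: waits for a call index, executes it, marks the slot
// done, and repeats forever.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Runs every call of the program once, handing each to a free worker thread.
// (The dispatch loop continues on the following source line.)
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0;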
	/* Rest of execute_one()'s dispatch loop: condition and increment of the `for` opened on the preceding source line. */
	call < 57; call++) {
		// Find a worker slot that is idle, creating its thread on first use.
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Call 1 is not waited for: the dispatcher moves straight on
			// to the next call.
			if (call == 1)
				break;
			// Wait at most 50 ms for completion, plus a per-call
			// allowance for the calls listed here.
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 41 ? 4000 : 0) + (call == 48 ? 200 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 300 : 0) + (call == 53 ? 300 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0));
			break;
		}
	}
	// Give calls that are still running up to 100 ms to finish.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main test loop; never returns. Each iteration creates a fresh working
// directory ./<iter>, runs the program once in a forked child, kills the child
// if it is still alive after 5000 ms, and removes the directory again.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		char cwdbuf[32];
		// "./" plus a decimal int fits comfortably in 32 bytes.
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			// Child: run the program inside the per-iteration directory.
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			// Time budget exhausted: force the child down and reap it.
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Resource table shared between calls: execute_call() stores values returned
// by earlier calls here and later calls read them back as arguments.
uint64_t r[29] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Executes program call number `call`. (The switch continues on the following
// source lines.)
void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x200000000000, "/dev/admmidi#\000", 14);
		// NOTE(review): the descriptor returned by inject_fault() is
		// discarded here, so it stays open.
		inject_fault(1);
		res = -1;
		res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0x302d694, /*flags=O_NOFOLLOW|O_DIRECTORY|FASYNC|O_APPEND*/0x32400);
		if
(res != -1) r[0] = res; break; case 1: syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80045700, /*arg=*/0x200000000040ul); break; case 2: memcpy((void*)0x200000000080, "/dev/hpet\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); for (int i = 0; i < 4; i++) { syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0); } if (res != -1) r[1] = res; break; case 3: syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40045436, /*arg=*/0x17ul); break; case 4: *(uint32_t*)0x200000000100 = 0x14; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/6, /*optname=*/0x1d, /*optval=*/0x2000000000c0ul, /*optlen=*/0x200000000100ul); break; case 5: *(uint64_t*)0x200000000340 = 0x8800000; *(uint64_t*)0x200000000348 = 0x200000000140; *(uint64_t*)0x200000000350 = 0x200000000180; *(uint64_t*)0x200000000358 = 0x2000000001c0; *(uint32_t*)0x200000000360 = 0; *(uint64_t*)0x200000000368 = 0x200000000200; *(uint64_t*)0x200000000370 = 0x72; *(uint64_t*)0x200000000378 = 0x200000000280; *(uint64_t*)0x200000000380 = 0x200000000300; *(uint32_t*)0x200000000300 = 0; *(uint32_t*)0x200000000304 = -1; *(uint32_t*)0x200000000308 = 0; *(uint32_t*)0x20000000030c = -1; *(uint32_t*)0x200000000310 = 0; *(uint32_t*)0x200000000314 = 0; *(uint32_t*)0x200000000318 = -1; *(uint32_t*)0x20000000031c = 0; *(uint64_t*)0x200000000388 = 8; *(uint32_t*)0x200000000390 = r[1]; res = -1; res = syz_clone3(/*args=*/0x200000000340, /*size=*/0x58); if (res != -1) r[2] = *(uint32_t*)0x200000000180; break; case 6: syscall(__NR_kcmp, /*pid1=*/r[2], /*pid2=*/0, /*type=KCMP_FILES*/2ul, /*fd1=*/r[0], /*fd2=*/(intptr_t)-1); break; case 7: *(uint32_t*)0x2000000003c0 = 0; *(uint32_t*)0x2000000003c4 = 4; *(uint32_t*)0x2000000003c8 = 0; *(uint32_t*)0x2000000003cc = 8; *(uint32_t*)0x200000000400 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0, /*val=*/0x2000000003c0ul, /*len=*/0x200000000400ul); if (res != -1) r[3] 
= *(uint32_t*)0x2000000003c0; break; case 8: *(uint16_t*)0x200000000440 = 6; *(uint16_t*)0x200000000442 = 0x8207; *(uint32_t*)0x200000000444 = 0x96d; *(uint32_t*)0x200000000448 = 0x10; *(uint32_t*)0x20000000044c = r[3]; *(uint32_t*)0x200000000480 = 0x10; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0x22, /*val=*/0x200000000440ul, /*len=*/0x200000000480ul); break; case 9: syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc04c6100, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); *(uint16_t*)0x200000000042 = 0x8000; memcpy((void*)0x200000000044, "\x63\x44\x8e\xdb\x2f\xb0", 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 0; syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x10); break; case 11: memcpy((void*)0x200000000080, "wlan0\000", 6); memset((void*)0x2000000000c0, 2, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=JOIN_IBSS_BG_NO_SCAN*/2); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_kernel_create_files_as\000", 31); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\x28\x03\x83\x7c\xbc\xf3\x7b\xce\x72\xc1\xa7\x3b\x90\x9c\x68\xfe\x5b\xf7\xa6\x36\x3c\xdc\x90\xc0\x0d\xc6\x01\x3b\x35\xda\x02\xa6\x6a\x05\x91\x66\x71\x54\xa5\x56\x7c\x0e\x5e\xe6\x93\x3d\x6d\xa8\xbf\xed\xac\x5d\x27\x8a\x29\x1e\xfa\x30\x20\xba\x15\xe3\x90\xeb\x38\xda\x76\x26\x1c\x3a\xef\xf9\xee\xa8\xab\xea\xce", 77); memcpy((void*)0x200000000240, 
"\x6a\x0b\x56\xff\x4b\x8f\xac\x28\x77\x3c\xa1\x37\x65\x2b\x5b\x0f\xd8\x03\xa0\x41\x3c\x28\x20\x37\xf7\x21\xcb\x96\xec\xf2\xbb\x1a\x61\x6d\xc3\xd5\x6e\xee\xa2\x6f\x6b\x16\xf4\x56\x2d\x17\xc6\xd8\xb8\x83\x8f\x18\x44\xb5\x85\xeb\xcc\x0b\x56\x2f\x05\x57\xb2\xc7\xe9\xf0\xdd\xa1\xce\x4c\xc6\x1d", 72); res = -1; res = syz_clone(/*flags=CLONE_NEWCGROUP|CLONE_SETTLS*/0x2080000, /*stack=*/0x200000000140, /*stack_len=*/0x4d, /*parentid=*/0x2000000001c0, /*childtid=*/0x200000000200, /*tls=*/0x200000000240); if (res != -1) r[4] = res; break; case 14: *(uint64_t*)0x200000000480 = 0xc2e0; res = syscall(__NR_socketcall, /*call=*/8ul, /*args=*/0x200000000480ul); if (res != -1) r[5] = res; break; case 15: *(uint64_t*)0x2000000004c0 = 0x18000000; *(uint64_t*)0x2000000004c8 = 0x2000000002c0; *(uint64_t*)0x2000000004d0 = 0x200000000300; *(uint64_t*)0x2000000004d8 = 0x200000000340; *(uint32_t*)0x2000000004e0 = 9; *(uint64_t*)0x2000000004e8 = 0x200000000380; *(uint64_t*)0x2000000004f0 = 0x29; *(uint64_t*)0x2000000004f8 = 0x2000000003c0; *(uint64_t*)0x200000000500 = 0x200000000440; *(uint32_t*)0x200000000440 = r[4]; *(uint32_t*)0x200000000444 = r[4]; *(uint32_t*)0x200000000448 = r[4]; *(uint64_t*)0x200000000508 = 3; *(uint32_t*)0x200000000510 = r[5]; res = -1; res = syz_clone3(/*args=*/0x2000000004c0, /*size=*/0x58); if (res != -1) { r[6] = *(uint32_t*)0x2000000002c0; r[7] = *(uint32_t*)0x200000000300; r[8] = *(uint32_t*)0x200000000340; } break; case 16: memcpy((void*)0x200000000540, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000540); break; case 17: memcpy((void*)0x2000000006c0, "/dev/fuse\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000006c0ul, /*flags=*/2, /*mode=*/0); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000002b00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0, /*optname=*/0x11, /*optval=*/0x200000002a00ul, /*optlen=*/0x200000002b00ul); if (res != -1) r[10] = *(uint32_t*)0x200000002a34; break; 
case 19: *(uint32_t*)0x200000002b40 = 5; *(uint32_t*)0x200000002b44 = 0xee00; *(uint64_t*)0x200000002b48 = 1; *(uint64_t*)0x200000002b50 = 5; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x4018aee3, /*arg=*/0x200000002b40ul); if (res != -1) r[11] = *(uint32_t*)0x200000002b44; break; case 20: *(uint32_t*)0x200000002c00 = 0xee00; *(uint64_t*)0x200000002c08 = 0; *(uint64_t*)0x200000002c10 = 8; *(uint64_t*)0x200000002c18 = 1; *(uint32_t*)0x200000002c20 = 6; *(uint16_t*)0x200000002c24 = 5; *(uint16_t*)0x200000002c26 = 0; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x40286608, /*arg=*/0x200000002c00ul); if (res != -1) r[12] = *(uint32_t*)0x200000002c00; break; case 21: *(uint32_t*)0x200000002f00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0x29, /*optname=*/0x23, /*optval=*/0x200000002e00ul, /*optlen=*/0x200000002f00ul); if (res != -1) r[13] = *(uint32_t*)0x200000002e34; break; case 22: *(uint32_t*)0x200000004040 = 8; *(uint32_t*)0x200000004044 = 0; *(uint32_t*)0x200000004048 = -1; *(uint32_t*)0x20000000404c = 2; *(uint32_t*)0x200000004050 = 0x10; *(uint32_t*)0x200000004054 = 4; *(uint16_t*)0x200000004058 = 7; *(uint32_t*)0x20000000405c = 0x7f; *(uint64_t*)0x200000004060 = 0xbb; *(uint64_t*)0x200000004068 = 0xf; *(uint64_t*)0x200000004070 = 4; *(uint32_t*)0x200000004078 = 0x800; *(uint32_t*)0x20000000407c = 2; *(uint16_t*)0x200000004080 = 5; *(uint16_t*)0x200000004082 = 0; *(uint64_t*)0x200000004088 = 0x200000002f40; memcpy((void*)0x200000002f40, 
"\xa0\xfc\x03\x37\xfa\xea\x63\x1f\x70\x4d\x04\xb5\xa5\x94\xdd\x3a\x87\xe2\x74\x7c\x38\x74\x0f\x43\x57\xe5\xcb\x22\x1b\xf4\x40\x57\x95\xc2\x99\x06\x22\x7d\x36\x4e\x04\x46\xeb\xf7\x7d\x11\x1a\xb6\x66\x81\x06\xa0\x02\x14\x0a\x81\x07\x1b\x6d\x28\xcf\xab\xb3\x7a\xea\x4e\x26\xc4\x65\x7d\xb3\x19\x16\xf1\x71\x81\xef\x2f\xbb\xa8\xcf\x19\x4a\x98\xc4\x35\xa1\x00\x7c\x27\x0c\xd6\xef\xf5\xc6\x42\x45\x37\x19\x7a\x13\x02\x02\xf2\x8c\xe2\x58\x6b\xe0\xce\xff\x0d\xb4\x7a\x35\x35\x12\x18\xf4\x9a\x45\x99\xa9\x8e\x93\xfd\x6f\xa6\xbe\x92\x17\x67\x82\xd2\x9c\xcf\xc9\x00\xc7\x67\xf4\xde\x10\x2c\x3a\x77\x79\x57\x7f\xf3\x6f\x42\x7d\xca\xed\x1e\x8d\xd3\x89\x65\x0f\xbe\x9c\xc0\xca\xb5\xb4\x39\x0e\x80\x5e\xc3\x0a\xd6\x41\x1c\xff\x60\x65\xa8\xa5\x76\x10\xab\x7c\x61\x01\x32\xa2\xa1\xbf\x37\xc8\x71\xd0\x6a\x9d\x78\xcc\x27\x68\x8f\x4b\xef\xa7\xbd\x11\x2a\x69\xdf\x64\xb5\x51\xe3", 214); *(uint64_t*)0x200000004090 = 0x200000003040; memcpy((void*)0x200000003040, "\x64\xb9\x52\x0e\xb1\x74\x93\x9e\xc8\x76\x43\xa2\xfd\xaf\xfe\xa4\x52\x7b\xbf\xd5\x1b\x07\xac\x94\x67\x16\x9d\x3c\x7b\xaa\x5d\xc6\x5b\x8a\x38\xd9\x50\xc8\x58\xff\x99\x23\x7e\x6e\xc0\x6b\x46\x56\xa5\x2a\xcb\x76\xc7\x55\xc1\xcf\xf1\xc0\xa6\x5e\x3d\x16\x32\xfa\xbd\x9e\x1b\x38\x18\x52\xb6\xfc\xfc\x05\x87\x44\x85\x6a\x80\xa2\x9f\xb4\xdb\xdd\x71\x5b\x3c\xd0\x8e\x15\xa5\x34\x05\xd0\xfd\x2f\xf7\xea\xc8\x36\x33\x8c\x4e\xca\x04\x56\xff\x78\xcc\x57\x12\x33\x21\x46\xb6\x71\xbc\x42\x86\x1c\xd8\xbb\x43\x20\x09\x85\xa3\x62\xf3\x9f\x15\xbd\x43\x7f\x06\x45\x8b\x86\x7d\x4b\xea\x22\x27\x49\x32\x50\xd8\x3f\xb4\x6f\x72\x97\xb8\xf8\xc2\x73\x51\xcc\xbe\xc4\xff\xd0\x71\x75\xa7\xc5\xe2\x31\x9e\x94\x21\x0d\x4a\xf5\x06\x1e\x74\x3f\x05\x0f\x2e\xa5\x38\xa3\xed\x9d\x03\x59\xf5\xa7\x54\x6c\x3d\x01\x13\xe2\x55\x26\x8c\xd0\x48\x3a\xb1\x86\xf9\xc5\x55\x02\x02\xa9\xfa\x3f\xa0\xc4\xa2\xa5\x80\x52\x41\x81\x9c\xf9\xc3\x45\xce\xcc\x6b\x77\xdd\x7c\x29\x97\x50\xb6\x7f\xf8\xcb\x5d\x9a\x6b\x0d\x3d\x98\x16\xdb\xeb\x6f\xdb\xc5\xea\x9f\xae\x4a\x25\xe1\x9b\x48\xe5\x10\xdd\xb5\xd4\xd1\x27\x
1b\xa0\xc4\xa0\x83\xd0\x4c\xc5\x09\xb4\x0f\x1a\x84\x91\x95\xf3\xbc\x3e\x9f\x63\xb7\xcc\x74\x73\xff\xc7\x40\xcf\x1a\x97\x9b\xd1\xd7\xe9\x31\x7f\x6f\xc7\x7a\x62\xe5\xac\xab\x36\xc4\xa0\x63\x06\x9c\xfb\x20\x7d\xcc\x7a\xf7\x0b\x77\xa7\x43\xb3\x62\xd9\xd9\xfa\xe0\xdb\xc6\x80\x92\x3a\x0e\x34\x54\x02\x6b\x6d\xa9\x57\x9f\x35\x2a\xfe\xf7\xab\xbc\xa7\xbf\xc1\x4a\xef\x0f\xb3\xd1\x30\x55\x06\xb9\x79\x40\xea\x12\x7f\xfe\xd1\x3e\xee\xa6\xca\xe0\xbe\x96\xf5\xbe\x73\x85\xe8\xe9\xba\x4f\x00\xfd\xc5\x18\x59\xd8\x25\x19\x27\x18\xdc\xf2\x3e\x0b\x6d\xa4\x13\xaf\xf8\x54\xba\x52\x21\xba\x8d\x27\xff\x02\xb6\xc0\xf9\x66\x7f\x2f\xfe\x72\xf4\x34\xf4\xc7\x08\x5a\x52\xfe\xe5\xf0\x87\x1b\xc2\x0a\xeb\xc8\xef\x87\xc1\x7c\x49\xb2\xa4\x34\x24\x21\x54\x77\x0e\x3a\xe2\x68\xd5\xba\xe1\x1f\x22\xf2\x14\x61\x69\xd7\xa9\xc1\x6b\x5d\xaf\x83\x03\x11\x11\xce\x5c\xe9\x92\xd2\x75\xbb\x9b\xc5\xd1\x29\x0f\x7f\xea\x35\x66\x07\xe8\xdd\x9a\xcc\x55\x84\x9e\xeb\x50\x28\x27\x37\x4c\x45\xdc\x89\xdd\x11\x86\xec\x92\x10\xbf\xf8\xe0\x05\xb7\xcb\x2c\x13\x4a\x92\x2d\x6d\xdc\x51\x22\x81\xe6\xf5\xaa\x9b\x10\x4d\x04\xbc\xc6\x00\x0b\x9f\x95\xf7\x43\x93\xf3\x12\xc9\x90\xf7\xd2\x9d\xee\x0e\xf7\xa4\xb1\x58\xfe\x69\x19\x6b\x06\x83\xf3\x5e\x8b\x4b\xa6\x5b\xb4\x9b\x31\x3d\x92\xd6\xf6\x7f\x72\xf7\xc3\xe7\xde\x4d\xd8\x84\xd7\x2c\x78\x6d\x66\xbd\xf5\x98\xa1\x5f\x9a\xc2\x96\xea\x70\x74\x03\x43\xd9\x45\x91\x18\x64\x48\xae\x73\xee\xa6\x10\x1d\xe1\x3d\xf6\x67\xab\x6e\xa1\xf5\x5a\xba\x4c\x11\x3d\x0a\xc4\x2b\xba\x7e\xc5\xbd\x1d\x56\xb6\xbc\x94\x70\x45\x59\x5c\x76\xc8\xf6\x93\x39\xbd\x2f\x19\x3d\xe2\x46\x53\x30\x10\xf4\x2a\xc9\x3c\xe0\xaf\x99\xf4\x0a\xe8\xbf\x3a\x30\x54\x3d\x68\x61\xb2\xca\x30\x6c\x0c\x08\x1d\xb7\x92\xaf\x44\x88\x20\x40\x9c\x05\x33\x0b\xdb\xe4\x4f\x70\xc5\x56\x1d\xff\x87\x04\xb5\xee\xb7\x12\xac\xd3\x21\xfb\x7b\xd5\x8c\x80\x9f\xb1\x1d\x01\x7c\x34\x87\x98\x54\xf1\x53\x24\x17\x41\xfd\xf8\xde\x35\x35\x6b\xee\x7a\x0c\xb4\x0a\x72\x6c\xc7\x83\x17\x57\x59\xe2\x66\xdd\xbc\x98\xe3\xe5\xf8\x22\x02\x4e\x33\x59\xa7\xfe\xc0\xe0\x9f\x0d\x1e\x
21\x42\x62\xea\x20\x9a\x9d\xdf\x12\x28\x0e\x28\x72\x33\x93\x36\x88\x17\xde\x6d\x20\x0a\xc6\xf9\xd1\x4c\xee\x80\xcb\x71\x35\x47\xca\xd5\x53\x33\xac\xaf\xf3\xa3\x2b\x48\x96\x48\x45\x50\x1b\xf1\x08\xe8\xf5\x15\x72\x8b\x36\x72\x62\x90\xb4\x78\xf7\xf3\xda\x9a\x62\xdd\xb1\xd4\x4f\x5e\xd5\x69\xc7\xcf\xf3\x04\x51\xb1\x35\x5d\x34\x91\xeb\x80\x34\x5c\xfd\xb9\x38\x47\x5f\x9d\x16\x18\x1c\xb1\xe3\xd7\x33\xea\x45\xab\xa0\x4c\xbe\x41\x9b\x1f\xe3\x9d\xe5\x14\xe8\xb0\x0d\xb8\x27\xfe\xc1\x95\xae\x77\x31\xb2\xa6\x4a\xd2\x58\xc1\xcf\x2d\x4c\xd9\x7d\xd9\xde\xc3\x56\x4f\x9c\xa7\x4e\xd6\x25\x83\x0e\xd3\x2b\x05\x07\xad\x8c\x97\xf6\x3f\x5a\x2b\x39\xbb\xae\xc0\x4b\x3b\x88\x9b\x6d\x7c\x9f\xb9\x89\x93\xd5\xe5\xae\x40\xcd\x6b\x63\x72\xbc\x63\x1d\x37\xda\xc4\xab\x3d\x48\xb5\x89\x5b\x00\x30\xe0\x02\xe7\xf4\x43\xbe\xad\x14\xa5\x77\x7e\xcf\x5e\xe9\x99\x83\xb3\xc0\xf5\x00\x53\x9d\x02\xba\x11\xcb\x4b\xf3\x25\x99\x06\xbb\xcc\x34\x85\x5e\x6d\x4b\x2c\x49\x31\x68\x16\xd4\xd1\x73\x40\xd8\x93\x8d\xbb\xad\x5f\x2c\xbf\xe8\x3d\xa5\x7f\x59\xe5\x1c\x9e\xb6\xff\x62\x15\xf7\x94\xf6\x82\x28\x20\xb0\x59\x12\xdf\x85\xfe\xa5\x3c\x04\x6d\xd6\xe8\x89\x24\xa1\x8e\x71\xc0\xcd\xa6\x58\xb5\x8a\xff\x26\x19\x4f\x88\xdf\x81\xda\xf0\x6e\xe0\x94\x2c\xda\x0d\xf1\x8b\x41\xb0\xe2\x30\xb3\x05\xb4\xf9\xa4\x7f\xdb\x18\xc6\xd6\x8c\xce\xba\x1f\x24\xf2\x75\x6b\xd9\x6a\x79\x91\x12\xc3\x48\x5e\x39\x4d\x2d\xd9\xfc\x87\xab\x1b\x46\x51\xad\x05\x8a\x3e\x44\x46\x1d\x2c\x72\xf0\x38\xff\x88\x11\x04\xcb\x75\xcc\x79\x68\x3a\x9d\x97\xd8\x81\xcf\xfb\x92\xb0\x5c\x12\xbf\x4d\x3a\xb4\xdb\xe1\x79\x08\xfb\x79\x9e\xaf\xfa\x9c\xaf\xa4\xa6\x1c\xe2\x0a\xa4\xb3\xeb\xc3\xc7\x52\x20\xaa\x65\xc9\x80\x3a\x77\xf1\x81\xda\x39\x24\xcc\xa5\xf6\x05\x96\x12\xe4\x54\x86\x10\x6f\x22\xb8\xc8\x91\xf7\xb1\x46\x62\xab\xd6\x4b\x32\x58\xed\x13\xbd\xcd\x6d\x1a\x77\xc6\xa4\x15\x19\xd6\x60\x63\x74\x3a\x19\x18\xbb\x13\xe9\xb7\x57\x7f\xb6\xbb\x7d\xf2\x3f\xf1\xb9\x6e\x78\x2b\xda\x63\x94\xd4\x86\x1a\x7e\x0a\xc8\x0d\x1c\x6c\xc8\x4a\x30\x3b\x78\x41\xe5\x89\xd6\x6b\xed\x37\xcc\xc0\x5f\x
4e\x9b\x4d\xfb\xc5\x3d\x3b\x50\xd5\x0e\x02\xc8\x7d\x41\xf5\x3f\x86\xde\xcb\x39\xc7\x06\xf5\x37\x2e\x9d\x6e\x3d\xde\x53\x05\x96\x20\xd2\x78\x45\xf3\xed\x77\xcd\x58\x99\xe3\x3a\xed\x5c\x4f\xb1\x40\xf8\xe4\x05\xfa\x2e\x0e\x11\x72\xea\xa7\xd4\xe9\x12\x98\x7a\x0a\xa3\xac\xf7\xc2\xd8\xe9\x4d\x16\xc9\x98\xc9\x87\xfd\x40\x4b\x23\x4e\xf7\x36\x1d\x0c\x53\x87\xe6\xb9\xd5\x5f\xb9\x72\xc7\xdc\x21\x72\x26\xce\x13\xd8\x2a\x59\x31\x1f\xe2\x69\xa0\x9c\x38\x4e\x73\x9a\x66\xbe\x43\x54\x79\x1f\x38\x1e\x74\xcc\x5d\xfb\x9a\x92\xfb\xff\xf8\x59\x5d\xf2\x4b\x40\x3e\xaf\xb0\x04\x73\xeb\x0b\x2e\x7f\xee\x36\xdb\xa4\xa9\x08\x93\x8b\xcf\xcc\xe9\x61\xfd\x10\xec\x29\xe5\x6d\xfe\x40\x59\x1e\x13\xd5\xe5\x3f\x16\xc8\x75\x9c\xa2\x7f\x80\xce\x90\x4f\x2d\x7c\x43\x32\x10\x97\x59\x5e\x90\x76\x39\xf2\x0f\x9e\x8d\xce\x70\x0c\x39\xd0\xe4\x42\xda\x88\x7a\x4d\xf0\x82\xeb\x7e\x17\x2f\xaf\xdc\xb0\x0b\x00\x8c\xaf\x55\x23\xd1\xfe\x5f\x24\x0a\xe9\x91\x49\x6d\xb9\x33\x89\xaf\x41\x85\xe9\xc9\xcc\xbd\xcb\x97\x31\xce\x7a\x77\x0a\xe2\xab\xac\x9d\x8c\xdd\xf3\x13\x23\x1a\x55\xe1\x27\x7b\xd3\x6c\x1e\x44\x84\x2b\x38\x72\x55\x5c\xcd\xcb\x3a\x06\x84\x59\x13\x21\xff\x15\xdc\x6d\x2c\xef\xfd\x58\x5d\xbe\xb9\x90\xe4\x05\x4f\xab\xc1\x8a\x9e\x9f\x1d\xe1\x3b\xfa\xd9\xde\x7f\x8d\xeb\x6b\x6c\x47\x2c\x42\x33\x67\xee\xad\x52\x50\x04\xde\xfa\x9e\x17\xc6\x79\x02\x36\x0b\xf1\x63\xa0\x1e\x98\xf6\xe7\x55\xcf\xf6\x28\x2a\xee\xbd\x1e\x8a\x09\x71\x5c\x15\xb9\xed\xaa\x50\x0d\xe0\x74\xc2\x8b\xad\x6d\x03\x57\x8c\x5e\x1c\x87\xbe\x71\x17\xf5\x4e\xef\xc3\x31\x3c\x38\xb6\x1d\x88\xa6\xa5\x0a\x0f\x36\xfd\xbf\x08\x4c\xb4\x14\x47\xc6\x90\xd3\xff\xcc\x83\x14\xe9\x1a\xda\x81\xd3\x4a\xcc\xd3\xe0\x6d\x19\xbc\xa2\x8f\xb4\x9b\xed\x5e\x32\xf4\xeb\xd5\x49\x29\xe4\xab\x51\xa6\x59\xb8\x1c\x1c\x35\xdf\x9e\x51\x47\x69\xb9\xeb\x31\xd7\x1d\x43\x78\x64\xf5\x4e\x99\x2a\x2b\x9b\x15\xe2\xfd\x32\x07\x81\x77\x56\xb4\x86\xd0\x81\xaf\x39\x7b\x21\xa2\x58\x44\x3d\x86\xa2\x0a\x82\xda\xb3\x09\x4a\x48\x83\x32\x47\x91\xd6\x7c\xea\x91\x8b\xec\x79\x94\xab\xce\xc1\x80\xf8\xfb\xd4\xae\x
90\xad\x2c\x78\x5d\xe7\x74\x73\x08\xd8\x0a\x73\x31\x86\x4b\xd1\xa9\xbf\xfb\x51\x44\x07\x78\x51\x93\x92\x74\x05\xf7\x78\xa1\x66\x51\x4a\x33\x9b\xfe\x16\xf5\xcb\x8e\xe3\x49\xa0\x8e\x25\xb9\x4d\xc3\x51\xc7\x2e\x98\xc6\xba\xf1\x86\x02\x50\x60\xcd\x98\xd7\xd1\x4b\xf8\xee\x06\x02\x40\x40\x5a\x1c\x10\x20\x2c\xb3\x48\x57\xab\x67\x4e\xff\x41\xcd\x46\xc0\x3d\x2f\xfc\xca\xbf\x19\x4e\x0f\x35\x16\x58\xab\x02\xd9\xa1\xf9\x28\x30\x61\x7d\xe6\x91\x35\x50\x95\x34\x64\x7b\xc4\xcc\x20\x52\x87\xb2\x51\x55\x3f\xcc\x76\x89\xd5\xe6\x69\xf9\xba\x4b\xdb\x40\x36\xe0\x64\xb2\xa7\x91\xea\x5d\xe9\x3c\x66\x91\x8a\xd6\x1c\xf1\x0b\xe4\xf5\x56\x4a\x07\x1b\x02\xb9\x36\x5b\xc5\x87\x31\x6e\x65\xbd\x12\x64\xfe\x1f\x8d\xc7\xd2\x44\xab\x33\x19\xe9\xa9\x05\xe2\x44\xa0\xd0\x00\xbf\x3c\x56\x68\x11\xf7\x29\xd1\x0f\x9d\x81\xb0\x60\xcb\x7f\xf9\x3d\xa8\x05\x6d\x64\x1f\x93\x12\x1c\x50\xb9\x87\xe4\x14\x9d\x44\xc2\x34\x91\xe9\xde\x6a\x5c\x1d\x6b\x26\xf6\x44\xb3\xb0\x20\x62\x7c\xaf\x32\xd4\x7f\x95\xa4\x85\x7b\x36\x53\x0f\xf5\xc5\xbe\x38\xca\x37\xb9\x0d\xec\x3b\xde\x10\x75\x61\x58\xd6\xdb\x91\xbc\xbb\xea\x66\x65\xfa\x14\x08\xae\xc0\x02\x5d\x9d\xfe\x3d\xe8\xa5\x7b\x8a\xf3\x00\x17\x9b\xff\x26\x03\x2e\x61\xdb\x60\xd6\xe2\x0a\xcb\x67\x15\x95\x05\x6f\xd6\x5e\x84\x03\x80\x40\xf0\x7d\x46\xdb\xd4\xcb\x8c\x0d\x3c\xe9\xfd\xa0\x02\xd2\x2e\x24\x75\x0f\x14\x58\x01\xaf\x85\xd7\x82\x68\x1b\xb9\xb1\x22\x8f\xb2\x81\xc5\x43\xe5\xdc\xde\xf8\x4b\x7a\x26\x26\xde\x59\xe1\xec\x79\xe4\x4d\x1a\x23\x0f\xed\xda\x6e\x30\x37\xb0\xe9\xc4\xca\x47\x5d\xcd\x31\x9b\x86\xbd\x4a\xb2\xcc\x3c\xd5\xee\x47\x85\x7a\xda\xa8\x8e\x7e\x77\xaf\xaa\xb3\xfd\x85\x07\x6e\xdb\x36\x15\xba\x44\xe9\x7b\x5e\x18\x1b\x5e\x8c\x86\x11\x78\x48\x54\xa8\xae\xbd\xcc\x09\x83\xe0\xb8\x37\x45\x5a\x29\x01\xb9\x19\x80\xb0\x5e\xfc\x92\x23\xd2\x06\xdc\xaa\x5b\xe6\x74\x5c\xbd\xfb\x6f\x9a\xf1\x38\x73\xb3\x77\x3f\x5a\x59\xbe\xaa\x0f\x4a\x36\xdd\xd3\x83\xd6\x3e\x12\xf5\x0e\x0f\x7c\x53\x3e\x6a\x55\x9e\x54\x5d\x28\x51\xd0\x4b\xd3\x6e\x41\x2d\x89\x1e\xac\x7b\xbf\xf3\x99\x36\x93\x7f\xa3\xe4\x
fb\xfa\xf5\x10\x37\xc5\x0a\x7d\x57\x30\x05\x1e\x4c\x69\x84\xf3\x94\xf3\xf5\x9f\xaa\x61\xac\x96\xfc\x2b\xa4\xe3\x35\x64\xc2\xbb\xc6\x07\xb1\x8e\xf8\xae\xf1\x9b\x88\xb7\xac\x63\xce\xf3\xe0\x97\x1f\xa1\x15\x62\x33\x37\x3f\xa5\xb5\x8f\x16\xfa\x99\x31\x2d\x84\xa6\xb7\x90\xe7\xa6\x63\xba\x05\xe2\x37\x38\x5e\xb4\x13\xe4\x26\x0e\x02\x1b\xa3\x87\x91\x23\x57\xfe\xd3\x9f\x13\x66\xe7\x31\x8e\xbe\xa7\xb9\x21\xde\xd5\xd9\xf9\xab\x5a\x86\x12\x16\x48\x31\x0f\x09\x04\x25\x8a\x9e\x4d\x59\x0d\x65\x43\x1d\x23\xe6\x22\x30\x9d\xe9\x64\xcb\x77\xdf\x8f\x28\x07\x66\x7b\xd5\x81\x81\xe4\x85\xc2\xe0\x3c\x29\x5c\x15\xe5\x27\x4c\x70\x6c\x1a\x00\x27\xb6\x75\x1e\x40\x95\x9a\x15\x81\xc7\x10\x77\x4b\xd5\x57\x53\x67\xc9\x3c\x17\xfb\x84\x44\x97\x6e\x38\x47\x11\xd4\xde\xbc\xe0\x97\x54\xe9\x7b\x04\x8d\x47\xb3\xdd\x82\xf7\x5f\xa9\x39\x37\xd0\x72\x2c\xb2\x37\x9e\x8b\x4b\x02\x67\x59\x91\xed\x1b\xc5\xf1\xf1\x5f\xea\x5f\xbe\x59\xc6\x3a\x29\x91\xaf\x99\x8a\x21\x99\x1f\x1d\x46\xcd\x3d\x21\x1a\x53\x2c\xee\x73\x2f\xfb\xcf\x55\xb2\x87\x90\xc4\xba\xdb\xa7\x68\xc5\x7a\x26\x23\xdf\x69\xb3\x96\xc2\xac\xcf\x92\x58\x06\xd5\x52\x61\xb7\x08\x74\x35\xe4\x97\x45\x29\x75\xb1\x52\x66\x52\x2e\xf9\x76\x37\x95\x6f\xaa\x20\xe8\xec\x65\x3c\x9c\x0c\x07\x73\x60\x3d\x77\x67\x7d\x0e\xf1\xec\x99\xa0\xf6\x1c\xcc\xf7\xe1\x10\x30\x51\xa7\x85\x2a\x00\x77\xf9\x73\x36\x9f\x6d\x80\x56\xb7\x9c\x53\x7a\xea\x6b\x41\x07\x09\xdf\x69\x37\xb6\xb7\xce\x03\x39\x8e\x1a\x7a\x1e\xf8\xe0\x62\xbf\x5b\x5a\x11\x0b\xc0\xda\xf2\x76\x5c\x92\xe6\x95\x83\x4a\xdd\x9a\xc0\x3f\x5e\xa5\x6f\x8e\xc1\xd6\x4a\x8f\xad\x07\x41\x0e\x30\x19\xd8\x4c\x0e\x7c\xdf\x1c\x49\xe9\x50\x91\x79\x4a\x3a\xad\x82\xab\xf6\x3e\x9c\x6c\xeb\xab\xdf\x05\xe8\x05\x03\xd1\xba\x70\x37\xe9\xb0\xb3\x5a\xad\x55\x17\xa0\x29\x88\xa3\x43\xb6\xa4\xaf\x6d\x82\x77\x96\x4f\xcd\x3e\x72\x0c\x19\xeb\xcb\xca\x7c\x4a\x87\x7c\x4b\x17\x40\x5d\x4e\x04\xe2\xbf\xf0\x36\xd6\xf5\xe8\xda\x62\xd6\xec\x70\xd1\xcd\xd9\x70\xe8\xba\x36\xf7\xfa\x95\x6c\xbd\xe7\x89\x25\xa4\x43\xb9\x57\x9b\xe0\x39\xe5\x65\x39\x66\xe7\x45\xb1\x
d9\x3c\x62\x97\x0f\x29\x07\xfb\x53\x5c\x88\x82\x0b\x95\xb2\x44\x09\xd1\xbb\x81\xe0\xcd\xfb\xdc\x39\x72\x78\xa8\xb1\xeb\xa6\x32\x5e\x69\x3a\x93\xb5\x50\xdc\x2d\x7f\xf0\x55\x98\xf8\x24\x67\x94\xb2\xd0\x1b\x58\xf3\x03\x24\xe4\x4c\x43\x9e\xc6\xe1\x70\xb6\x92\xef\x2d\x55\x2f\x33\x22\x42\x10\x1f\xe2\x45\x86\x56\x4b\x87\xe4\xd0\x4c\x5c\x41\x37\xf4\x53\x45\x1d\xc8\x2c\xe4\x9f\x93\xd5\x0e\x49\xac\xf2\xb9\x66\xd0\xd5\x00\xff\xf9\x9b\x98\x4d\x70\xfa\xa2\x06\x11\x87\x36\x9a\x3d\xd5\x03\x37\x87\x2c\x23\x0e\x6f\xbd\xa2\x42\x0e\x56\x58\x86\xb6\xee\xf5\x3e\xb5\x32\x23\x9a\x98\x23\x7b\xf8\xcf\x35\x49\xf6\x0b\x08\x3d\x81\xa1\x6e\x6a\x30\xc2\x6a\x74\x45\x6f\xbf\x8d\xdc\x24\x76\x78\x4e\x77\x6d\xf7\x49\x0a\x31\xe1\x11\x3c\xb0\xd8\x76\xd5\xca\x9f\xbf\xc3\x2c\xf6\x08\x1f\x75\x42\x01\x5b\x41\xae\x86\xf9\xc0\xbb\xfe\xd2\xb8\x47\x4b\xfc\xd7\x82\x84\x46\x7c\x22\xf1\xd6\xdf\x54\xbb\x3e\x28\xf5\xcf\xf0\x07\xe9\xd5\xd5\x59\x7c\x83\x7a\x72\xeb\x04\xef\x8d\x1f\x3a\xc0\x60\xb9\xf1\xff\xf3\xd7\x4d\xa3\x5b\xf1\xcc\x3f\xf9\xd8\x36\xbf\xc8\xd2\xcc\xb0\x72\x14\xaf\xd3\x57\xc2\x96\xae\x04\xa5\xce\x01\xfd\xc7\x79\xe9\xb4\xae\x6d\x67\x7c\x6f\xc4\x8f\x73\x83\x06\x4f\x2d\x21\x7d\x51\xe3\x90\x60\x9d\xad\x93\x30\x22\xed\x7c\x35\xf8\x9e\x83\xb5\x55\xc8\xe3\xcc\xec\x20\x4e\x59\x32\x28\xf3\x24\x44\x27\xcf\xed\x43\xbd\x37\x1e\xe5\xf5\x84\xce\xab\x01\xf8\x8d\x1c\x99\x47\x41\x89\xb8\x76\xc9\x53\x40\x89\xdd\x5d\x04\x60\xda\x83\x3a\xfb\x14\xcb\x1c\xb1\xf4\xbf\x85\x17\xff\xf8\x6f\x94\xa9\x19\xb9\xf8\xee\xb3\x60\x88\x7b\x13\x9f\x67\x59\x05\xce\xee\xfa\x05\x78\x6f\xd7\xea\xa8\xcc\x60\x10\xee\x28\x69\x89\xb6\x26\x9a\x45\x05\x2d\x4c\x62\xf7\x42\xbd\xc2\x52\xfb\xfd\xb2\x16\x6f\x9b\x02\x15\x31\x6c\xe5\x69\xd5\x3f\x12\xd7\xff\x1e\x92\xd2\xbf\x11\xb6\xed\x6a\xec\x3f\xe3\xf6\x2c\x49\xa4\xcd\x2f\xeb\xca\xe8\xe1\xb4\x4b\x38\xea\xf1\xa6\xe7\x8f\x2d\xa3\xcd\xd9\x4e\xde\xa7\x15\x00\x00\xd7\x01\x5c\xb6\x52\xba\x46\xd3\xb2\x31\x5b\x64\x9e\xdc\xcf\x47\xb5\x1d\x45\x85\xdb\xc7\x60\x64\xa1\x2b\x05\xce\xd6\xfd\x11\xfe\x37\x03\xad\x22\x67\x
f9\x62\x97\xbc\xd4\x55\x81\x07\x69\x74\x6e\xe2\x64\xe7\x3d\x90\x43\x38\x4e\x3a\xf7\xb4\x45\xfd\xa9\xf1\x2f\xff\xbc\x7d\x63\xcd\xc1\x05\xeb\xf8\xec\x1f\x52\x47\x5c\x73\xb0\x6b\x4a\xf0\x80\x03\x7b\xab\xda\x88\x88\xb0\x5b\x3d\x00\x51\xd7\xaa\x6c\x94\x91\x40\xdf\x65\x80\x6c\x83\x66\xf8\xe3\x64\x0f\x5a\x74\x70\x26\x26\x96\xbd\x3c\xd4\xdb\x85\x50\x2c\xbd\x5f\xe2\x2b\xb0\xf5\x92\x87\x76\x8f\xb9\xc5\x2e\x69\x33\xe5\x68\xe0\xd3\xce\x72\x83\xa4\x20\xc8\x9f\xd0\x4e\x93\xe5\x65\xdf\x0f\xf6\x8c\xc7\x43\xcd\xcf\x4d\xfc\x7f\xf0\x9c\xbe\x8a\x77\xa0\x20\x80\x4f\x4c\x17\x61\x28\x46\x16\xd9\x58\x40\x1f\x57\xaf\x9d\xc7\x13\x62\x99\x2b\x3f\xf3\x43\x9c\xcf\x85\xf4\x3b\x6c\x08\x50\x98\x96\x50\xd8\xf5\x5b\xa1\x92\x2a\x65\x00\xd2\x72\xdd\x42\x38\x6c\xbb\x23\xe6\xe6\x7e\xc9\x26\xa1\xca\x93\x57\xf4\xc8\x4b\x76\x71\x52\xe6\xc4\x36\x17\xde\xf9\x4a\xc6\x01\x4a\xa3\xc6\xca\x84\x18\x59\xdc\x57\x52\x4a\x72\x27\x41\x24\x65\x30\xda\x55\x06\x71\xec\x17\xd2\xa3\x42\xe5\x57\xb4\x3c\x08\xa9\x3c\x12\x67\x63\x7f\xff\x37\xff\x4a\x40\x85\x52\x8e\x7c\xe6\xd0\x9d\xe6\x42\x99\x6f\xff\x98\x68\x85\x44\xa7\xc2\x3b\xff\x8b\x6f\xdb\xe5\x33\x42\x4c\xcb\x11\x9a\x56\x7f\x1f\x15\xc0\xb4\x65\x0e\xd8\x0e\xfe\x24\xab\x4d\x1c\x1e\x33\x30\x5a\xfd\x2c\xea\xc6\x82\xc0\xea\xca\xa5\x66\x9e\x44\x34\xf6\x34\xb1\xc6\x12\x71\xd9\x5b\x00\x95\xc7\xb1\xa6\x2a\x2d\x07\x3a\xad\x80\xc5\x10\x15\xbb\x51\x50\x84\x5c\x11\x86\x33\xa3\xc4\xc9\x4b\x74\x63\xfe\x73\x39\x18\x2e\xa0\x1a\x7e\x28\x63\x7c\x27\xb5\xf8\x60\x68\xa7\x37\x4a\xe7\x7c\x5c\xdd\x6d\xd9\xb4\x69\xdd\x9a\x47\x5c\x37\x52\x8e\x2f\x1c\x40\x13\x23\x59\xe9\xe6\x5e\x23\xad\x45\x95\xb1\x60\xad\x9a\x2d\x83\xcc\xe0\x78\xf4\xd6\x18\x1f\xd3\x02\x6c\x2a\x0b\x13\x02\xfa\xa6\x9a\x51\x80\xa2\xc2\x0b\x3a\x32\x87\x6e\xfc\x2a\x62\x81\xc4\x09\xc2\xe6\x6e\x00\xde\xb5\x30\x98\x19\x7f\x13\x18\x5b\x7d\xa5\x89\xb0\xcf\xe2\xa3\x12\xf0\xf6\x1e\xfa\xb2\x9a\x7b\x1b\x61\x4f\xaa\x57\xed\x37\xe0\x1f\x8b\x0c\xdf\xb2\xea\x78\x67\x74\x5d\x66\x69\xa4\xa8\x95\xb9\x7e\x1e\xd2\x4c\x2f\x3c\xf2\x3e\x88\x51\x13\x8d\x9a\x
64\x0c\x2c\x0b\x32\x1d\x00\xf0\xa4\xdd\x9a\x72\xfe\x5b\xa4\x3a\xc4\x7d\xd3\x1a\x01\x4d\x31\xb7\x25\xee\x28\xcd\x8f\xbe\xd0\xbc\x78\x14\x59\x80\xb5\x86\xd3\x71\x84\x8b\xb9\x67\x48\x30\x3d\x0a\xd1\xfe\x2a\x2e\x7f\x5d\xd3\x40\x70\xc6\xfc\x50\xe1\x09\xdb\xb1\x5c\xdd\xcb\xc0\x4e\x1c\xf6\x35\x8d\x10\x50\xe6\x31\x9a\x34\xf1\x45\x2f\x44\x43\x6d\x8c\xea\x13\x7a\x37\xa1\xda\xd1\x3e\xfc\x2b\x9a\x95\x87\xa4\x3c\x2c\x3f\x3d\x5a\xa3\x2c\x09\x78\x52\x0d\x24\xda\xdd\x18\xef\xa8\x12\xa7\x2d\x33\xb2\xf4\x41\xac\x88\x52\x26\x55\x5f\x7c\xd2\x54\xab\x27\x71\x75\xc4\x35\x68\x3c\x36\xdf\x69\x7c\x2f\xb5\x36\x27\x19\x48\xe5\x38\xdd\x3b\xce\x39\x09\xa5\xc8\xc3\x7e\x97\xea\x37\x36\xcd\x1a\xda\x26\xf1\x3f\x12\x1a\x99\x06\x33\xd9\x5b\x59\xe6\x73\x93\x43\x29\x93\xc0\xc8\x4f\xd6\xd5\x2b\xeb\x7e\x3d\x02\xa4\x37\xeb\x28\x1a\xf5\x73\xba\x1c\x47\xf3\x73\xf6\xcc\xd6\xe0\xb1\x83\xa2\x1c\xbe\x9f\xdb\xb8\x2c\xcc\x39\x6f\x16\xaf\xf1\x99\x9f\xb8\x39\xeb\xca\xff\x97\xfa\x0b\xfd\x0d\x34\xcf\x8e\x57\x60\x6f\xd8\x23\x41\xdb\x31\x8e\x40\xcd\x9e\x85\xc1\x54\x46\x5d\xcc\xe1\xb7\xfd\x8b\x22\x80\x8f\x0e\x0d\x45\x4e\xf9\xa2\xb5\xa4\xc3\x5c\x0a\x12\x5b\x92\x37\x07\x00\x72\xd1\xcd\x82\x7c\xfd\xea\x8e\x3d\xe8\x33\xb0\x81\x4c\x8f\xf2\x60\xe6\xb3\x98\x07\xef\x86\xac\x67\x7a\xbd\xeb\x50\x7d\xd5\x7f\x69\x93\xd3\x03\xd5\x55\x17\x84\x0b\xd7\xaf\x1d\xb3\x98\x08\x21", 4096); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/6, /*buf=*/0x200000004040ul); if (res != -1) r[14] = *(uint32_t*)0x200000004048; break; case 23: *(uint32_t*)0x2000000042c0 = 2; *(uint32_t*)0x2000000042c4 = 0; *(uint32_t*)0x2000000042c8 = 0; *(uint32_t*)0x2000000042cc = 3; *(uint32_t*)0x2000000042d0 = 0x44; *(uint32_t*)0x2000000042d4 = 7; *(uint16_t*)0x2000000042d8 = 0xff00; *(uint32_t*)0x2000000042dc = 0x80; *(uint64_t*)0x2000000042e0 = 0xe5; *(uint64_t*)0x2000000042e8 = 0; *(uint64_t*)0x2000000042f0 = 8; *(uint32_t*)0x2000000042f8 = r[7]; *(uint32_t*)0x2000000042fc = r[4]; *(uint16_t*)0x200000004300 = 0x800; *(uint16_t*)0x200000004302 = 0; 
*(uint64_t*)0x200000004308 = 0x200000004180; memcpy((void*)0x200000004180, "\xb8\x47\x2d\xa7\x63\xb7\xf2\x33\xe5\xd2\x38\x7c\x99\x8e\xd4\x35\x56\x57", 18); *(uint64_t*)0x200000004310 = 0x2000000041c0; memcpy((void*)0x2000000041c0, "\x10\xf1\x21\x59\x35\x43\xac\x48\x3e\xe5\xd9\xfc\x00\x93\xe2\x03\xb9\x27\xb4\x4b\xb5\x34\xa8\x71\x1a\x28\xdf\x30\xc8\x75\x70\xf2\x5d\x8d\xd6\x43\x46\x7a\x2c\x9e\x53\x1e\x8a\x4a\xa6\xe0\x33\xf5\x71\xb9\xfe\xea\xe8\xb6\x5d\x09\x3f\x91\x56\x28\x88\x5d\x3f\x02\x8c\x3f\x44\x47\x63\x2b\x36\xf2\x2e\x16\xc1\xfc\xb5\xe7\xbd\x69\x92\xc0\x89\xdf\x96\x1f\xee\x65\xda\x52\x26\x3c\x86\x54\x31\xc8\x32\x4d\x25\x20\x54\x27\x65\x39\x02\x00\x0e\xe5\xf2\x31\xb0\x3d\xf0\x0c\xf5\xb4\xff\x9f\x87\x79\xd3\x31\xa8\xb5\x11\xc4\xdd\xf3\xba\x9b\x68\xb4\x81\x33\xa4\xcd\x4f\x26\xe7\x37\x66\x50\xcb\xa6\x10\xc6\x2a\x68\xf4\x81\x02\x20\x00\x97\x06\xa8\x5a\x06\x31\x03\xdc\x90\xdf\x67\x13\x7a\x34\xa2\xdc\x60\xea\xcd\x86\x8a\x66\xd7\xf6\x8e\x69\xc0\x4c\xc1\x95\xfd\xc8\x08\x1c\x4b\xe4\x14\x86\x03\x24\x2c\xaf\x94\x67\x0f\x9e\x25\x55\x7e\xf9\xad\xa0\xf2\x3c\x59\x61\xfc\x07\xfe\x58\xc7\x8b\xff\x01\x3f\x83\x44\xdd\x96\x11\xe2\x31\x49\x63\xbf\x51\xdf\x6c\x98\x4c\x56\xb9\xaf", 236); res = syscall(__NR_shmctl, /*shmid=*/0x10000, /*cmd=*/2ul, /*buf=*/0x2000000042c0ul); if (res != -1) { r[15] = *(uint32_t*)0x2000000042c4; r[16] = *(uint32_t*)0x2000000042c8; } break; case 24: *(uint32_t*)0x200000004540 = 0x9732; *(uint32_t*)0x200000004544 = 0xee01; *(uint32_t*)0x200000004548 = 0xee01; *(uint32_t*)0x20000000454c = 5; *(uint32_t*)0x200000004550 = 4; *(uint32_t*)0x200000004554 = -1; *(uint16_t*)0x200000004558 = 5; *(uint32_t*)0x20000000455c = 0x80000000; *(uint64_t*)0x200000004560 = 9; *(uint64_t*)0x200000004568 = 5; *(uint64_t*)0x200000004570 = 0x8001; *(uint32_t*)0x200000004578 = r[7]; *(uint32_t*)0x20000000457c = 2; *(uint16_t*)0x200000004580 = 0xffc; *(uint16_t*)0x200000004582 = 0; *(uint64_t*)0x200000004588 = 0x200000004440; memcpy((void*)0x200000004440, 
"\xae\xb6\xd5\x07\x3a\xfa\xa3\x1c\x2e\x2b\x2c\x26\x91\x12\xdf\xff\x49\x39\x37\x39\x22\x07\xd1\x3f\xcd\x1a\x8e\xba\xa9\x97\xfd\x97\x6c\xcf\x81\x7f\x42\x90\xa8\x95\x65\xf4\x5f\x54\x38\x2b\x31\x3d\x34\x98\xe2\xa6\x76\xfb\x90\x8e\xe4\xd8\x92\x13\x1f\x01\xb8\x3d\xed\xd0\x94\x98\xc8\xc2\xc5\x6d\xf4\xef\x1c\x82\x32\x32\x0b\x42\xd5\x83\xcc\x60\x61\xc9\x2c\xc0\x6c\x76\x4f\xb0\xd4\x46\xa8\xb9\xa5\xf1\x90\x3c\x9b\x2b\x2b\xa4\x5c\x1e\xce\x47\xcd\x24\x9f\x20\x1b\x45\x7e\xe0\x3c\x79\xfb\xe2\x6f\xee\xa6\xde\xc1\x42\x68\x9a\xe2\x1b\x9c\xed\x84\x39\xf1\x0a\x2e\x3b\x65\x7a\x1e\x3a\xb7\x38\x54\xc1\x33\x8b\x6d\xb9\x05\x24\x8a\xe4\xbc\xee\x97\x3d\x06\x8e\x9b\xd4\x9b\xf4\xf9\xe8\xd0\x17\x7c\x72\x61\x2b\xce\x4e\xf6\xb4\xd7\x6c\x09\x39\x96\xde\x65", 183); *(uint64_t*)0x200000004590 = 0x200000004500; memcpy((void*)0x200000004500, "\x24\xa7\x29\x1c\x4a\xbc\x17\xba\x4a\xcd\xe1\xc6\xfb\xdb\x58\x89\x6a\xd2\x7d\xad\x25\x64\x40\x20\x7f\xf6\xa5\xe4\x8f\xf2\xa6\x18\x5f\x2c", 34); res = syscall(__NR_shmctl, /*shmid=*/0xfa95, /*cmd=*/0xbul, /*buf=*/0x200000004540ul); if (res != -1) { r[17] = *(uint32_t*)0x200000004544; r[18] = *(uint32_t*)0x200000004578; } break; case 25: memcpy((void*)0x200000000700, 
"\x2b\xce\x17\x78\xfe\xc9\xa1\x28\x6b\xf6\xab\xa5\x3c\x3a\xc4\x02\x86\xad\x6a\xa7\x11\x2d\x6f\x2f\xca\xbf\xd2\xba\x71\x3e\xaa\xdc\x81\x39\xe1\x4f\x61\x80\x70\x12\x6a\xc3\xa3\x8a\xd9\xcd\x7b\x5c\x94\xb1\x78\x3b\x26\x11\x52\x07\x29\x35\x3d\x56\xfc\x5b\xd5\xcb\xd4\xf1\x1d\x01\x35\x9c\xa9\xeb\x2e\x0c\x4c\xc6\x60\x95\x84\x6c\x2b\x10\xd4\x1e\xb8\x46\x77\xf1\xc3\x52\xbd\x90\xeb\xfa\x66\x12\x3a\x7a\x19\xf4\x5c\xae\xa8\x4f\x12\xe7\x76\x57\x93\x32\x46\xc4\x4a\x20\x9a\x4b\x9f\x15\x56\x87\xe2\xa4\xfd\x90\x2f\x57\xea\x49\x08\x5f\xaa\x76\x01\x19\x40\x68\x27\xdb\x2e\x6a\xde\x20\x29\xf8\x20\x1d\xe4\x7e\x97\xb1\x33\x85\x3a\xe7\x32\x14\xa7\x96\xe4\x81\x8d\x39\xcf\x10\xa8\xe6\xa6\xf1\x1a\x88\xe0\x82\xc9\xaa\x25\x85\x7a\x67\xa3\x2f\x35\xbc\x8f\x86\x7f\x04\x4d\x0f\x32\x99\x53\xdc\x06\x02\x24\x9d\x83\x19\x7e\x0e\xf5\xc9\x83\xb9\xd5\x56\xbd\x52\x7a\x6a\x59\x9f\x52\xa2\x11\xf9\xc7\x11\x3e\xdc\xc0\xe9\x3f\xc1\x8e\x79\xed\x69\xfb\x2a\x7f\xde\x97\xc9\xc3\x5e\x31\xe3\x5f\x07\x71\x37\xc8\xfd\x8b\xec\x40\x18\x14\xfb\x99\x81\x6d\x1e\xe5\xa5\xe7\xed\xc2\x10\xc6\x10\x97\x0d\xaf\x8a\xea\x89\xac\xbb\x75\x40\x82\xd8\xf6\x8e\xb4\xa0\x01\x06\x53\xc7\x06\x84\xa8\xdd\x7c\x00\x2b\xa7\xe4\x61\xc8\xdc\xc4\x5c\x22\x86\xda\x34\x27\x35\x14\x18\xcb\x24\xa9\x4d\x65\x56\xd6\x9e\x2a\x31\x9b\x5c\x0e\x69\xe6\xbf\x11\x1a\x9c\x45\x46\x7c\x41\x57\x5f\xdb\xfc\x26\x46\xda\xfd\xa3\x17\x9b\x0f\xca\xcc\x14\x9b\x45\xef\x10\xdc\x13\xf5\xfc\xe2\xe4\xa2\xc2\x2c\x2a\xe9\x92\xbc\x6b\xd5\x13\x23\xe7\x24\xe4\x66\xc7\x36\xdb\x1d\x34\x57\xee\x0f\x7d\xe1\x47\x66\x1d\xba\xdc\x94\x2b\xf0\xdf\x2f\x08\x9e\x98\x03\x81\xae\x88\x8a\xb0\x22\xfb\x54\x5c\x03\x43\xc4\x08\x7f\x2c\x1b\x6a\xe0\xcd\x21\xd0\xfd\x65\x65\x79\x09\x58\xc9\x3a\x67\x59\xa5\x75\x4b\x70\x0a\x6f\x53\xab\xbc\xa7\xd2\x2c\xdd\xcd\xd7\x09\xb2\x79\xd1\x11\xd6\xce\x1f\xd7\x91\xeb\xca\xf2\x60\x48\x09\x86\xb3\x21\xce\xcc\xf9\x55\x61\x8b\xbe\xa2\x78\x1d\x33\x14\x90\xcd\xe5\x73\x47\x93\xab\x07\x5f\x5a\x72\x93\x21\xae\xe1\x77\xfc\x3c\x20\xef\xd0\x79\x74\x46\xe5\x12\xc6\x25\xa3\xbc\x1a\x5
6\xf4\xc0\x18\x89\xf5\x74\x93\x3b\x72\x6f\x74\x37\xee\x04\x94\x91\xbc\xb9\x1f\x1c\x63\xa0\xb1\x75\xe2\xce\x56\x75\x07\xdd\x35\x4b\xf2\x6b\x08\x05\x9a\xc2\x29\x04\x6a\x6e\x75\xd3\xd3\x21\xee\x63\xc5\xab\xc1\xa7\x40\x9e\x20\x7e\x6f\xc5\x16\x79\xdf\x37\xbc\x7b\xa3\x39\xcb\xce\x32\xd4\x5a\x96\x09\x06\x88\x51\xb0\xa7\xf5\x81\xaa\xed\x7e\x99\x5c\x36\x77\x9d\x07\xc3\x57\xe5\xd9\x76\xf6\xde\xee\x4f\x36\x84\xf9\x7e\x7c\x61\x9d\x3c\xcc\x28\x72\x2f\x13\x0d\x93\x6d\x3c\x07\x3b\x9b\xb5\x19\x4e\xb9\xff\x69\x91\x0c\x6a\x3d\x58\x58\xc2\x86\x2b\xa8\xce\x94\x25\xce\xc1\xe8\x01\x18\x2a\x7f\xb5\xc7\x01\x7a\x41\x85\xd1\x3f\xeb\x35\x38\x29\xdc\x68\x1a\x56\x19\xf0\xa0\x2d\xb6\xeb\xde\x86\x0c\xf7\xc6\x29\x4d\x21\x45\xf9\xa5\x29\x18\x49\x76\x2d\x93\x81\x66\x82\xd1\x91\x89\xdd\x76\x82\x80\xdf\x4a\x68\xc8\x08\x01\xf6\x6a\xba\xbd\xf7\x22\xec\x21\x3a\x7b\x7f\x58\xc4\x61\x48\x68\x69\x00\x66\x9b\xdb\x0c\x64\x3d\x00\x5d\x60\x0d\x95\xc5\xcb\x5d\x28\xac\x4c\xd4\xc7\x02\x22\x94\x35\x2e\xd1\x35\x0c\x4e\x75\xfe\x89\x27\x89\x53\x92\xb0\x06\x2c\x78\x29\x2f\xc1\x5a\xd7\x03\x8d\x1b\xdd\xc9\x94\x53\x5e\x73\xcc\xc3\x3c\x9a\xb2\x33\x11\xd6\xf6\x5d\xe5\x98\xf5\xee\x9f\x91\x34\xca\x4e\x4b\x40\x9f\x21\xb0\xb0\xe4\x0f\x36\xaa\x5c\x78\x2b\x7b\xb8\x64\x70\x7a\xfd\xce\x1e\x7c\xfe\x5a\x27\xc1\xef\x3d\x2d\xc1\x41\x05\xd6\xa4\x89\xb8\x7e\x7a\xe1\x67\xae\x87\xa5\xf3\xcd\xa0\xb8\xa6\x22\x17\x62\x97\xf5\x32\x8b\x79\x69\x0d\xf9\x89\x79\xa4\x80\x6d\xea\x06\x93\x95\xf5\xb8\xe5\xbc\xec\x68\x3f\xd3\x9b\x86\xbc\xef\x86\x5d\xe6\x0f\xe4\x07\x29\x1d\x12\x7c\x4f\x00\x68\xbe\xc8\xae\x95\x73\x8f\xce\x42\x20\x5e\xf7\xcb\xba\x2a\x10\x76\x6e\x32\x19\x1c\xb4\xe5\x0c\x06\xdc\xf6\xca\x3a\xe7\x8c\x0c\xaa\x65\x8f\xd5\x8b\x65\x2c\xab\xdd\xe1\xdf\xa9\xd1\xf5\x4a\x44\x79\xad\x61\xd2\x5a\x47\xff\x08\xb3\x12\x25\x60\x09\x9b\xde\xc5\x5d\xeb\x11\x0e\x40\x6e\x08\x59\x53\x40\x88\x7e\x49\x67\x74\x54\xb6\x08\x60\x15\x3c\x4b\x1f\x7c\xeb\xef\x25\xda\xd0\x82\xf4\xd3\x40\x20\x78\x29\x8b\xfd\x39\x0b\xc7\x66\x23\x45\x95\x91\x8c\xbb\x3b\x6c\xdb\x99\x61\xe1\xb
b\x1d\x4f\x7c\x7f\x24\x01\xa8\xd8\x0a\xc6\x2b\x14\x62\x4a\x3b\x16\xd9\x70\x46\xfc\xef\x8d\x02\x5d\xeb\x79\x40\x94\xd2\xce\xa5\x0c\xcb\xe2\x72\xe1\xc7\x9a\x71\x67\x80\x3c\x40\xa4\xcc\xee\x13\x84\x44\xe7\xa4\x15\x34\x77\x83\xbf\xe0\xff\xda\x3d\x50\x01\x6d\x0f\x6b\x1b\x06\x12\x6f\xcd\xd9\x23\x7a\xac\x40\x0b\x85\x49\xe4\xc1\x91\x7a\x25\xdb\x59\xcd\xba\xe2\x9d\x1e\xa5\xbd\x7d\x25\xc5\x75\x02\x2d\xc5\x5f\xf3\x2e\xd4\x2a\x61\x0e\x23\x94\x79\xbe\xab\x0d\xd6\x2a\x30\xa4\xfb\xed\xa0\xfc\xfe\x1d\x0b\x61\x3a\x8d\x06\x69\x33\x46\x6a\x9a\xb3\x12\x62\x70\x1d\x08\xe7\x79\x28\xf8\x8c\xf8\xa8\x38\xe9\x72\x98\x93\xe5\x50\x70\xef\xcc\x83\x73\x6f\x3c\xb3\x2e\xef\xc0\x8f\x24\x0d\x44\x9a\x61\xcd\xf2\x11\x6c\xe4\xea\xe7\xb9\x66\x9c\xe6\xfc\x52\x8b\x98\x34\x01\x2b\x0f\x7c\x54\x25\xc2\x62\x23\x7a\xe8\xa3\x01\xb6\xcf\xc0\x3a\x57\x9c\xb1\x09\xdf\x41\x7d\x85\x14\xaf\x61\x2d\x32\x0d\x0e\xd9\x6b\x7f\x7e\x4a\x48\xaa\xa3\x0f\x6c\x8f\x42\x7d\xb2\xf9\x81\xbe\xf3\x60\xb9\xd8\xc2\x77\xc8\x4a\x80\x15\xf4\x9b\xb8\x84\x0d\xfd\xbf\xd5\x40\x2a\x05\x3f\xbe\xdc\x07\x51\x58\x7e\xbf\x6d\xf4\xd6\x92\x85\xcc\x39\x8e\x98\xa7\xfc\xd6\x88\x76\xeb\x2b\xf6\xf9\x4f\xc0\xd0\x3d\x7a\x93\xb1\x44\x6c\xf2\xac\x7e\xc1\x1f\x8c\x3b\x62\xfc\xc0\x74\x1c\x37\x6d\x15\xcc\xd8\xdc\x9c\x85\x92\x94\x53\xa1\x77\xbc\x24\x24\xb3\x74\xcc\xad\x51\xa5\x7b\xd0\x52\x90\x24\x1e\x00\x38\x9e\x5d\x97\x33\xda\xc8\x43\xb2\x5f\x43\x94\xdb\x45\x0f\xe1\x6f\xdc\xbb\x56\x33\x37\x90\x04\x4d\x65\xad\x60\x6a\xe8\xca\x97\xce\xec\x3f\x80\x9d\x78\x90\x49\xa3\x29\x88\x81\x33\x9d\x2e\xd1\x60\x2f\x2b\xf2\xbd\xe3\xcc\x87\x16\x3c\xf1\xdc\x3f\x8e\x32\xe8\x59\xac\x7b\x2d\x27\x1a\xe4\x2a\x7a\xd0\x5e\x6f\xda\x9b\x98\xc1\x4b\xe9\xa3\xf6\x5b\x16\x25\x37\x43\x99\x59\x82\x23\x7d\x31\x30\xd1\x5a\x18\xf8\xf5\x32\xa8\xd0\x27\x3e\xab\xb3\x38\x67\x02\x85\x98\x33\x84\x47\x81\xdc\xeb\xf2\x16\x4f\x0a\x4b\x14\x11\xd8\x82\x99\xfa\x82\xe7\xba\xb7\x1a\x08\x36\xd5\x0b\x41\x8a\x6a\x47\xf7\x47\x22\x0f\xef\xee\x26\x85\xaf\x32\xc2\xde\x7c\x33\x75\xcc\xa1\x19\x14\xf2\xda\x17\xec\xc4\x6e\x6
3\x5a\xfd\xa8\xc3\x6f\xef\xf1\x0c\x7d\x6e\xbd\xcf\x7d\xa4\x41\x4b\x4f\xdb\x28\xc4\x2f\x73\x8c\x95\x61\xa6\x56\xb0\x1c\xa0\xbc\xb0\x22\x4e\xc8\x03\xe6\xa2\x38\x64\xe0\x14\x38\x97\x4b\xba\x22\x36\x92\x12\xca\xf0\x53\xe5\x60\xcf\x11\xac\x83\xec\x04\x85\xf5\x70\xf6\xe5\x36\x74\x42\x43\xc2\x11\xfd\xc0\x3c\xb3\x59\x04\xf1\xb3\xad\x1e\x79\x65\xd4\x73\x1a\xa0\x48\x21\x5d\xbe\x3b\x33\xd0\x96\x3b\x0d\x5c\x0e\xcc\x90\xfa\x99\x99\x7f\x19\xb5\x83\x57\x48\x68\xb4\x08\x1c\x9e\xa2\x71\x23\x43\xb9\x18\xd2\x2f\xa3\x7e\x8d\xf4\xdb\x67\x0a\x4b\xe4\x29\x5f\x69\x9c\x92\x4c\x4b\x7f\xeb\x71\x10\x3d\x9a\xef\x02\x70\xde\xd2\x9d\x4f\x42\xaf\x37\xa4\x87\xe2\xbc\x8d\xc0\xb0\xbd\x3f\x68\x70\x38\x5a\x1a\x8a\x98\x42\x20\xf7\x9a\x47\xa9\x81\xe9\x87\xdc\xa4\x46\x95\xce\x64\x87\xd5\x3c\x01\x90\x10\x54\x3b\x20\x42\x22\xef\xae\xf7\x20\x8d\xfa\x23\xf8\x08\xc4\x56\x13\xd5\x14\x46\x8b\x97\xfe\x57\xdf\x91\x1e\xac\x0c\x90\xed\x04\xf0\x06\x49\x32\x1c\x3a\xbd\x27\x01\xec\x1a\x01\x22\xb4\xbb\x48\x37\x7b\x5e\x92\x51\xc0\x20\x3f\xaf\x08\x98\x26\x0f\xf7\x47\xc5\xa8\x2e\xed\x23\x42\x50\x15\x88\x51\xa5\x09\x06\xac\x54\x92\x71\x9f\x97\x0a\x90\x62\x00\x5e\xf1\x67\x55\x76\x35\x1a\x8b\x3d\x9d\xda\x73\x5c\xc6\x5b\x82\x09\xe9\x86\x68\xb8\xd4\x97\x88\x5f\xb1\xd9\x1d\x89\x3e\x3e\x3f\xe9\x6d\xbf\x56\xb6\x1c\x60\x6a\x84\x63\xc4\x1f\xd8\xc9\xbe\x64\xdf\x1a\x59\x56\x27\xfc\x71\x14\x38\xee\xa8\xdf\xb7\x32\x35\xa4\x7b\xe9\xc0\x37\x04\xfe\xda\x19\xe5\x4f\x65\xa2\x87\x62\x94\x49\x5a\xca\x4d\x61\x1c\x9b\x43\x84\x29\x15\xfa\x7a\x51\xe4\x5e\x16\xc7\xd2\x28\x17\xc1\xb1\x59\xe0\xbf\x53\xdf\xfe\x16\xed\x63\x41\x61\xbe\x4c\xc9\x16\x9c\x95\x2b\x0b\xb5\xfb\xf4\x45\xae\xe0\xe9\xd3\x86\xd3\x00\x61\x18\x57\xc7\x0e\x95\xcf\x2e\x42\xa3\xe7\x9b\xf7\xc2\x02\xb7\x7c\xe4\xf5\x2d\x5e\x8d\xdf\x50\xd5\xdb\x3f\xa1\x0e\x95\xf2\x4d\x65\x61\x86\xd3\x56\xde\xdc\x85\xc6\xf8\x68\x4b\x81\x02\xeb\x01\x9c\x18\xda\x8a\x66\x3d\x70\xbe\x24\xea\xd9\xf1\xdc\xed\x78\xbd\x06\x8a\x6c\x9b\x32\x4d\xd7\x47\x73\x43\x18\xeb\xc6\x2a\x4a\x9c\x74\xeb\x34\x22\xcc\xde\xe0\x2f\x9
4\x7c\x1a\x76\xe7\x38\x54\x28\x06\xff\x2c\x9c\x85\x1a\xb7\x12\x17\xf7\x53\x9d\xa9\xc3\x35\x0a\x1f\xbd\x5e\x53\x90\xa0\x48\xcc\xac\x1f\x54\x13\xab\x2d\x81\x47\xd7\xb2\xd7\xd4\x93\x3e\x24\xd7\xff\x0d\x16\xfa\x34\xe2\x38\xe9\x31\x62\x27\x30\xda\x47\xe8\xee\x85\x35\x49\xf5\x7d\x8c\xd0\x41\x1f\xd3\xdd\xcd\x5d\x6b\xf3\x63\x88\xd0\x36\x86\x62\xf9\x5d\xae\x7d\x3b\xcb\x93\x2d\x62\xe0\xf8\x95\xa5\x6b\xd8\x79\xd1\xf5\x70\x43\xeb\x6a\xd4\x6e\x35\x97\x6c\x4f\xa6\x24\x42\x21\xe9\xa6\x8f\xb5\xa9\x3f\x25\x68\xc1\x77\x2a\xd1\xfa\xef\x2a\xab\x00\x21\xfe\x7d\xbc\x57\xf3\xa7\x77\xdd\xfe\x61\xf4\x1c\xc3\xf7\xdb\x0b\xbf\x63\x7b\xd4\x8f\x72\xd1\x1d\xd0\x52\xfb\x4e\x32\x52\x0d\x41\x39\xce\x9b\x92\x06\x21\xf1\xeb\x6f\x37\x88\x71\xf1\xe7\x94\xc3\x87\x59\x65\x0a\x0a\x74\x2c\x0e\x34\x03\xb6\xbe\x88\xe3\x19\x20\xc0\xf3\xaf\xb5\x8c\x68\x6b\xea\xee\x1d\x65\xd6\xd8\x3b\x8e\xaf\xa7\xd0\xbc\xaa\xef\x87\x5e\xfa\x7a\x27\x37\x1c\xac\x05\x99\xd4\x1b\xa5\x1a\xa5\xce\x65\xce\x48\xbc\xa2\x4d\x4a\x43\x8e\x6e\x3a\xc3\x3c\xf1\xfc\x7c\xd8\xcc\x3c\xd9\xb7\x51\x16\xb5\x3a\x09\xd9\x81\x41\xfc\xcd\xf0\xb0\x8d\x8f\x9d\x6e\xfd\xed\x52\xd1\x01\xc3\xed\x6b\x27\xf6\xc6\xe4\x2f\x9b\xa1\x99\xf3\x9c\x9a\x33\x77\x28\xbd\xe0\x5b\xbe\xee\x63\xe4\xdc\x68\x0e\xcf\x0f\x02\x0b\xcb\xbb\x7b\x6a\xd0\xba\x9b\x2a\xa6\x14\x39\x1e\x8a\xa4\x15\x52\x13\x73\x56\x95\x3e\xf2\x15\x35\xca\x4e\x32\x20\xa2\x6f\x06\x1c\x7e\x78\xeb\x42\x42\x88\x98\x16\x95\xe6\x51\xf6\xda\x90\x57\xc6\x11\x02\xf5\xd5\x8d\x33\x13\x58\xd6\x91\xce\x1b\xd7\xf6\x81\x60\xcb\x76\xfe\x77\xf0\x3f\xfd\x46\x0e\xcd\xa1\xfd\xb1\xa7\x83\x33\x89\x3f\x1d\xc5\xd0\x35\x7d\xc2\x43\x35\xd3\xf1\x2d\x7d\xf9\x13\x31\x69\xd9\xd2\x14\x45\xb6\xa5\x81\x95\x66\x3d\xa0\x33\x06\x31\xb7\x32\xc1\xdc\xc3\xe6\x58\xf2\x37\xf0\xf6\x9a\x11\x60\x2d\x4c\xac\x64\x68\x35\x3f\xaf\xcb\xf4\xca\xd1\xa3\xa2\x6d\x2d\xed\xdb\xa7\xcc\xc8\x86\x34\x7f\xf0\x59\xda\xcf\x96\x96\x98\x00\x18\x53\x30\x7a\x3c\x5b\x36\x34\xde\xa1\x62\xe6\x3b\xd2\x7b\x7c\x9d\xab\x63\xa6\x70\x59\x29\x9d\x69\x42\x67\x5d\x10\x68\x8a\x79\x7d\x6
b\x51\x63\xea\xb8\x3b\x45\xb1\x84\x60\xc2\x8d\x6a\x83\x37\x1e\xca\x62\x6e\x9b\xdb\x94\xb9\x0a\x11\xa7\xfb\x7f\x7d\x9f\xec\x0d\x77\x3c\xc0\x56\x66\x36\x29\x2c\x7d\x90\xde\x64\x79\xae\x9f\xfc\xe8\xc3\x4e\x28\x4f\xf2\xfb\x4d\xa4\xc0\xb4\x62\x9a\x02\x3f\x1e\x9c\x1e\x79\xc5\xd6\xba\xe6\x25\x2c\xd4\xa3\x01\x53\xe8\xc1\xeb\xf0\x83\x89\xc2\x06\xd6\x6b\xec\xe9\x02\xed\x87\x7c\x36\x75\x6b\x3f\x9c\xaf\xe8\x41\xca\x61\xbf\xf3\x15\xfa\xe3\xaf\x3a\x18\x56\x3f\x71\xa7\x7e\xeb\x6f\xde\x0d\xb2\xce\xa7\xfe\x49\x4a\x78\x39\x1a\xfc\x1b\x21\xb2\x33\xe0\xc4\xb4\xa1\xa2\x3e\xee\x6f\xeb\xa1\xae\xe1\x12\x4e\xb0\x4e\xc4\xd2\x3b\x6a\xe5\xcc\xaf\x13\xac\xdb\x65\x6c\x72\x70\x7f\xed\x01\x0f\xc4\xab\x31\xba\x09\x3a\x22\xfa\x85\xe4\x73\x89\xac\xaf\xe2\xa2\x22\x98\xe5\x1d\x36\x73\x26\x95\x00\x8e\x65\xaf\xfd\xa7\x56\x13\xbb\xd2\x2f\x86\x9b\x05\xe9\xda\xfe\x41\x1d\xa8\x54\x9f\x14\x1e\x01\x8b\x36\x20\x49\xc6\xaf\x4e\xd7\x82\x37\x81\x72\xc5\x5a\xe7\xb1\xd0\x05\xa1\x90\x86\xc2\xab\x19\x74\x2f\xf7\xf9\xb3\x29\xdc\x56\x7f\x61\x47\x30\xef\x3e\x74\x78\xb6\x22\x09\xec\x2d\xb9\x0f\x3a\x60\x37\xaf\x0c\xb7\xbd\xcc\x8b\xad\x8b\x32\x86\x4a\x41\x67\xa3\x70\xd0\xf9\x16\xdc\x75\x1f\xb2\x8e\xe9\xc8\x00\xe5\x9e\x2e\x37\x20\xdb\xff\x36\x3b\x28\xcf\x26\x98\xfd\xb3\x06\x1b\xc3\x91\x97\x67\x7e\xfb\xca\x4f\x86\xda\x8a\x97\x6a\x1f\xe5\xf9\xe1\x83\xab\x9f\x3b\xdc\x9a\xb6\xae\x44\xb8\x71\x3a\x1e\xe0\x7b\x89\x4b\xf3\x74\x90\x46\x4f\x9d\x2c\x4f\x5a\x2a\x46\xc6\xb3\x03\x53\x43\xb9\x26\xdc\xa5\xd9\x93\xec\xb0\x74\x19\x1d\xf0\xe5\x0f\xbb\x11\x4c\x82\xb3\x69\xe1\x9d\x8c\xe9\x58\x02\x5e\x12\xa6\xe1\x35\xc3\x3c\x4e\x70\x40\xf2\xe5\xe4\xab\xb1\x43\xba\xfb\x7c\x71\x21\x44\xa9\x91\x09\xb0\x0d\xfd\x72\xf6\x6d\x6a\x5d\x7d\x1e\x6a\xea\xef\x79\x4f\xa4\x04\x57\x53\x28\xfe\xef\xd9\xc2\x08\xae\x71\x02\x36\xda\x12\xde\x52\x5c\x78\x40\x3e\x78\xfd\xcf\xb5\xcb\x34\x48\xf9\x38\x09\xea\xdb\xf8\xc6\xca\xec\xa7\x02\x83\x3a\x3d\x30\xbb\xaf\xe9\x4c\xa1\x4b\x5e\x91\x86\x4a\xa5\x75\x40\x94\x98\x93\x9c\x5b\x2c\xce\x2d\x33\xd1\xf1\x4a\xe3\xd7\x16\x9f\xfd\x5
1\xa7\x42\x1d\x2b\xe6\xa4\xf6\xce\x0d\x7f\xd5\xdd\x83\x4e\x02\x0c\x3e\x69\xcf\x5d\xeb\xe6\x9e\xe8\x63\xf5\x70\x2b\xab\x78\xfe\xcc\xd2\x85\xab\x47\x2b\x56\xd1\xc0\x6c\xe4\x0a\x79\xef\x15\xc0\x72\x36\x16\x36\x31\x74\x13\x72\x66\x43\xc9\x50\xc6\x7e\x57\x6f\xfd\x80\xd5\xf8\x08\x07\xb6\x72\x97\x36\x54\x7b\x00\xa0\xd4\x58\xe9\x3b\xf9\x64\xf4\x7d\xa3\x50\x77\x47\xec\x32\x3d\x31\x08\xc4\x49\x82\x62\x24\xea\x09\xaf\xa3\x66\x13\x33\x1a\x96\x1c\x5c\xf2\x59\x25\x2d\x0d\xac\xb5\x02\xfb\xc9\x87\xbb\xf6\xb1\xc8\xc6\x22\x5a\x6c\x0e\x65\xeb\xb5\xa5\x59\x45\xc5\xa0\x64\xec\x34\x6f\x84\x27\x0e\x3b\x38\xa1\x2a\xe7\x2c\x17\x80\x99\x75\xad\xa7\x2b\xad\x05\xa1\x2f\xda\x83\xf1\xb0\x0a\x42\x31\x04\x81\xca\x2a\x09\x90\xb6\x63\x96\x4e\x19\x4c\x92\x5c\x99\xce\xe8\x62\x79\xf6\x2c\x64\x54\x8a\x57\xd3\xf1\x67\xd6\x21\x3a\xcc\xbe\x67\x9a\x9f\xc2\x04\xd2\x10\x31\xf6\x4b\xd5\xf6\x8e\x8c\x75\xcf\x80\xaf\x20\x7c\xba\x25\xaa\x42\xfb\xc7\xdf\x07\x34\x25\x70\x00\xe5\xe9\xc2\x23\x36\x6d\x1d\xf4\x6f\x50\x8b\x8a\x8f\xba\x49\x33\x35\x2c\xb7\xc3\xf0\xe2\x5d\x66\xd8\xc5\x12\x9b\xdc\x46\x7d\xcd\xaf\x4f\x4a\x87\x1f\xea\x52\xb7\x07\xc8\x5c\xa1\xad\x30\xf0\x08\x04\xba\x50\x0c\xfb\xb2\xee\xe1\x8c\x68\x42\x09\x1c\x12\x0f\xf9\xf5\xfe\x91\x5a\x75\xa6\x23\xe5\x40\x7e\x77\xb2\xf2\xd7\xaa\x46\xe2\x4c\x96\x98\x6a\x60\x86\x55\x17\xc2\x67\x94\x5d\x39\x16\x92\xa1\xd3\xfe\xff\xc9\x35\x57\x67\x87\xc9\x0d\xa8\x46\xf9\x59\xe2\x6e\xef\x2f\x98\xce\x0b\x13\x17\x4f\xe4\x56\xc5\xd3\x3f\xb6\xbb\x65\xe8\x60\x3a\xf4\xf1\x02\x92\x9d\x84\x22\xb8\xbb\x5a\x24\xe0\xbe\xc7\x21\x4e\xe2\x3d\x9b\x8d\xd0\x7e\x7d\xaf\x18\xd8\x3f\xa6\x6d\x84\x9b\x91\xc7\x08\xf9\x9b\x46\x85\xc7\xb5\xdc\x95\x6d\x95\xc7\xfc\xea\xe7\x75\x9f\xea\xa0\xd2\xa0\x1f\x26\xb1\x7b\x9e\x5a\x23\x0c\x18\xc6\x10\xa7\xe7\x24\xdb\x79\xbe\xcd\x4a\xc0\xf1\x76\xbc\xf2\x04\x49\xe9\x0c\x3f\xae\x89\xc3\xa9\x93\xe2\xf9\xc5\x1e\x42\x8d\xc0\xbd\xdf\x67\xa7\xcd\x11\xf9\xce\x0d\xaf\xb4\x27\x7c\x32\x81\xb8\x8f\xa7\x13\x8d\x21\x7d\x79\xfe\x3e\xd7\x2b\x19\x5f\x27\x82\x0e\x33\x22\x9c\x5a\x6d\x7f\x4
9\x37\x20\xf9\x19\x0a\x1c\xb2\x29\xa3\xbe\xa0\xa7\x8f\x62\x9d\x00\x59\x3c\x98\x8c\x2d\x3f\xa0\x9f\x89\x35\xe2\x5b\xcd\x4c\xe0\x27\x6a\x16\xf2\x30\x6f\x7c\xbc\x89\x12\x52\x35\x91\xed\x88\x92\x1a\xa7\xae\xfe\x26\x71\x2f\x81\x02\x89\x06\xd7\x30\xfb\xe8\x19\x95\x52\x1e\x02\xe3\xdd\xfc\xa0\xf8\x81\xcb\x98\xa6\x61\xd2\xcf\x8d\x1f\xc3\x10\x84\x5d\xf4\xec\x58\x8c\x2b\x30\xfd\xfc\xe1\x81\xe6\xef\x9a\x65\x4e\x83\xfa\x69\xb7\x73\xfb\x51\x71\x77\x74\x93\x6e\x6d\x03\x77\x54\x78\x2f\xbf\xf1\x3d\x32\xa5\x0c\x75\xe2\x75\x3b\xca\xf4\xae\x37\x35\x26\xe6\x10\x60\x5f\x07\xc6\x77\xae\xda\xc8\xda\xf3\x79\x28\x3f\x2e\x59\xae\xdd\xe2\xc0\x19\x53\xd1\xbe\x45\x91\xef\x16\x5c\xa1\x90\x6d\xeb\xdc\x0b\x8e\x47\xde\xf1\xa3\x4d\x3c\x3a\x4c\x12\xea\xe8\x96\x68\xd1\x43\xd1\xb0\x98\x4f\x94\x50\x44\x70\x9d\xf8\x68\xd0\x97\x55\x14\xdc\x10\x93\x09\x0b\x0f\xe4\x29\x62\x34\x5e\xf4\x0b\x0d\xd8\x4f\xf7\xa2\x0f\x39\x4d\x5b\x3f\xc5\xa5\x5d\x69\xb4\xbb\xd0\x0b\x53\xe3\x17\x4c\x76\x0c\xb9\xc7\x9f\x27\x52\x75\x55\x8c\x69\x67\xf0\x3c\xb7\xb5\x4e\xc6\xc2\xa8\x60\x2a\x55\x57\xc4\x8e\x0c\xce\xae\xbc\x38\xc4\xcb\x35\xf1\x71\xfa\x42\x62\x2b\x1e\x8b\xe6\xdd\x32\x33\x75\x03\x3e\xde\x7b\xea\x93\xb6\xd6\x67\x75\x8f\xb9\x97\xcc\xee\x89\x6c\xb3\xa0\x3e\x47\xfe\x8b\x51\xbf\xef\xd7\x16\x5b\x4b\x16\x25\x46\xc2\xe4\xd4\x67\x10\x35\x3b\x73\xf6\xf1\xde\xa1\x7e\x44\x2b\x82\x72\xf6\xaf\xf9\x9c\x86\x43\x72\xe4\xc3\xe5\x63\x1b\xb7\x39\xb5\x9a\xd1\x23\x5a\x18\xaf\x7d\x59\xb7\x93\x20\xa4\x1b\x7c\x0e\x8d\x64\xd5\xa7\x94\x81\xcc\xe1\xe3\x1b\x33\x4a\xb3\x3e\x92\xe6\xa4\x29\x7f\x3d\xef\x0f\x1b\x34\x67\x5c\x7d\xe9\x10\xfe\x38\xe4\x94\xee\x01\x4b\xb8\x44\xe7\x07\xbd\x30\x2b\x24\x78\x6b\xd6\x06\x2b\xac\xb8\x2d\x52\x7a\xcd\xca\x23\x6f\x21\x7b\xf0\x47\x47\x42\x47\x6e\x6a\x93\x25\xd9\xee\x28\x2d\xee\x43\x63\x6b\xeb\xa5\x41\xe6\xaf\x65\xba\xb1\xf5\x82\x33\xa6\xf5\x58\xd8\xc6\x01\x9f\x4e\xe4\xc8\xe8\x33\xea\x16\x18\xb0\x53\xb3\xcd\xb8\xf8\x8f\x09\xce\x12\x25\xa6\x8f\x31\x9d\xe5\xbc\x58\x3e\xb3\xd2\x2f\x27\x32\x34\x3e\x9c\x0a\xcb\xd8\xef\xde\x7d\x9
c\x0f\x22\x40\x6b\x9d\x1b\xeb\x10\xe7\xbc\x92\x80\x7c\x7b\xbd\xc0\x0b\x1d\x88\x53\x4e\x65\xdb\xa2\x56\x21\x67\xe2\xcf\x12\xa6\xf4\xb1\xe8\x9b\x24\x95\xbe\x63\x1f\xe9\xa7\xaf\xaf\x3e\x44\x02\x54\xa2\xda\x7e\xeb\x26\x1b\x40\xb4\xb2\xc8\xa2\x25\x7d\x75\xb0\x9b\x85\xb8\x1d\x79\x54\xac\x55\x31\x3a\xc4\x99\x0c\x54\xae\x40\x79\x3c\x21\x58\xcf\xeb\xf3\x29\xb2\x67\x40\x5d\xd2\xa5\xe7\x61\x54\xd2\x1d\x74\xed\xd4\xa1\xe0\x86\xf0\xf2\x40\xe7\x19\x96\xa0\x4e\x8f\x96\xec\x88\x22\xbc\x5f\xc9\x18\x38\xd1\x7d\x97\xb0\x3c\xab\x99\x58\x33\xaa\xd9\xfe\xd8\xdb\xd9\x44\xfc\x11\xab\x74\xfc\x51\x5f\xd8\xbc\x5c\x06\x74\x24\xd3\x2d\xbb\x99\xe4\x9e\x0d\x42\xa5\x97\xdd\x80\x73\x17\xd6\x69\xdf\x7c\x08\x97\x9d\xd6\x47\xca\xe4\xb9\xd1\x23\xa6\x44\x03\x7c\x68\xfd\x7b\x45\x4d\x15\x8b\x51\x28\x18\x5b\x7a\x07\x1b\x77\x45\x3e\x29\xef\x51\x83\xc0\x3f\x3d\xac\x27\x58\xfa\xd6\x67\x3d\x17\xb9\x5a\x42\xd4\x28\xb5\x6d\xd7\xac\xd6\xb4\x4a\x15\xf8\xa6\xac\xc4\xc7\x3d\x23\xfd\xdf\xc4\x4f\xe5\x7a\x9a\xdd\x19\x57\x96\xcf\x45\xc0\x00\x6f\x6a\x24\x16\x0d\xfb\x87\x98\x62\xb0\x11\xe7\x4b\x88\x0f\x5a\x4f\x5d\xc8\x05\x3a\x1f\x2c\x7d\x0e\x1d\x77\x2c\x62\xca\x02\x8b\x09\xce\xba\xc8\x8e\xa7\xa8\xa1\x85\x59\x96\x20\x16\x74\xf2\xeb\x71\xac\x52\x6c\x0a\x0e\xc4\x49\x3d\xaf\x01\xa5\x51\x6d\x2b\xf8\x8b\xd8\x11\x72\xa2\xf7\x5f\xaf\xb3\xcd\xe2\xc9\x2b\x7a\x02\x0e\x07\x67\xcb\xda\xdf\x65\x57\x55\xc3\x71\x5c\x6b\xf9\xcc\x3d\xf3\x8c\x38\x34\xa7\x24\x95\x05\xa6\x89\x48\x0c\xa3\xa9\x78\x79\x2a\xe9\xbe\xfd\xfb\x3f\x25\xe3\xdf\xec\x22\xa9\x0d\x66\xac\xbc\xe1\x63\x3a\x29\x7c\xc2\xbe\xd9\x75\x73\x1f\xbc\x97\xc0\x9d\xa8\x94\x22\x65\x33\x6d\x17\xb1\x3a\x52\xef\xff\x98\x62\x6a\x8b\x7b\x18\x8c\xfb\x9d\xfd\x33\xeb\x28\x76\x34\x08\x73\x2b\xba\xe7\xb8\x01\x22\xa9\x1a\xd9\x81\x38\x97\x75\x7e\xff\xb8\x43\x58\xdb\xd6\x2b\x01\x33\x24\x1a\xb9\xaf\xa7\x9e\x35\x3f\x5e\x7d\xb9\x16\x39\x21\xd6\x5e\xfc\x93\xe4\x08\xbc\x38\xff\x95\x84\x29\x05\xa9\x13\xd0\x84\xd2\x4f\xa2\x23\x59\xdf\x71\x0b\x39\x69\x4d\xe2\x40\x38\x98\x31\xe3\x44\xe9\xd5\x33\x2a\xc0\xc5\x4
8\x4e\xdc\x3a\x9a\xc6\x12\xf6\x68\xe4\xe7\x81\x80\x10\x9e\x12\x49\xef\x5d\xc2\x7c\xfd\xed\x52\xea\x37\xef\x3a\x7d\x1d\x02\x88\xa9\xf7\x53\x2f\xb9\xf3\xa3\x80\x29\x4c\xf0\x33\x29\x62\x8f\xe8\xfa\xc3\xb8\x12\x11\x30\xbc\x3d\xff\x51\xed\x6f\x83\x00\x80\x67\x86\xf9\xe5\x05\xde\x5d\x25\xd6\x87\xc4\x02\xc0\xbe\xdb\x7d\x41\xcd\xb9\xcf\xb8\x77\x14\xba\x29\x28\xbe\xce\xcb\xe1\xaa\x32\xdf\xda\x00\x17\x07\xc7\x84\xce\xe7\xf6\x46\x48\x77\xef\x87\x98\xc1\x60\x8c\x48\x7c\xe0\x88\xd0\x73\x08\xb4\xf1\x67\x2f\xb2\x8e\xfa\xd8\xae\xe8\x45\xff\x99\xe0\x0d\xb8\xd0\xa4\xef\xf1\x0e\x7e\x04\x82\xe1\x0d\x2d\x4f\x53\x6b\x90\xa1\x7f\x2c\xd0\x64\x99\x58\x61\x9a\x3b\xfc\x4c\x72\x65\x4a\xb9\xa0\xda\xe3\x09\x9d\x69\x58\xcc\x43\xac\xee\x94\xa4\x50\x15\x24\xe0\xa9\xdd\x76\x70\x0d\x81\x46\x1f\xfc\x9c\xde\x22\x27\x15\xd4\xc8\x91\x7c\x2e\x53\x56\x0b\x63\x53\xa0\x98\xc9\x48\xce\x16\x13\x1b\xca\xc5\x69\x48\x46\x94\x26\x57\xfb\xbd\x47\xd1\x4f\x0b\x9e\x6e\x0e\x38\x3e\x7d\x60\xef\xe2\xd9\x93\x5c\x04\xdf\xee\x10\xe2\x2f\x47\x4c\xf3\x82\x32\x9c\xce\x12\xae\x8d\x21\x0f\xfb\xd1\x7d\xd0\xf1\x86\x8f\x6c\x10\xaa\x34\xdc\x1f\xb7\xbb\xb7\xa2\x5d\xb0\xcd\xb0\xaf\xcb\x3a\x52\x34\x45\x56\x4c\x6b\xc6\xc0\xf8\x43\x3a\x67\x75\x88\x18\x52\xd9\x97\x0a\xa4\x20\x3c\x92\x58\xa9\x44\x27\x41\x68\x89\x9d\x5a\x81\x5d\x66\x50\x37\xda\x71\x6d\x53\x04\xe4\xf2\x6c\x28\x9a\x46\x38\x4b\x96\x5f\x2c\xa5\xaa\xcc\x1c\x81\x23\xb5\x4c\x14\xe8\x3a\x59\xb9\x97\x99\x64\x88\x14\x79\x77\x84\x25\x4e\x3f\xcc\xca\x53\x79\x0c\xe3\xf0\xc2\x4b\xa0\x17\x22\xd4\x2b\xaf\xfc\x81\x68\xa3\x6c\x95\xb5\x38\x8d\xef\x13\x7e\x6c\x92\x9e\x2e\xd1\x42\x99\x10\xd1\x38\xe7\x91\xf8\xc4\x5c\x37\xea\x0b\x8d\x5f\x25\xdb\xb2\xb4\x3a\x4c\x2e\x05\x27\x32\x7a\x58\x47\xdf\x44\xa2\x14\x22\x23\x30\x14\x4d\x26\x44\x63\x66\x76\x4f\x81\x6d\xb2\x84\x7b\xba\x48\x60\xf2\x2d\xca\x28\xae\xa5\xba\xd2\x98\xdc\x4e\x58\x88\xce\x73\x7b\x16\x96\xc9\x52\xc2\xa5\x15\x57\x4d\x10\xd4\xd2\xc3\xd0\xa2\x12\x32\x42\x2d\x0d\x60\x07\x45\x86\x2a\x31\x51\x3c\x97\x8c\x84\x42\xbe\xba\xb3\xe3\xef\xbc\x5b\xf
0\x65\x72\x70\xd1\xdb\x26\xe9\x79\xcf\x50\xef\x7a\x3c\xfe\xe8\x80\xf7\x7a\x0b\x80\x2c\x7b\x37\x1b\xf9\x66\xa5\x41\x3d\x68\x74\xd9\x11\x1e\x7b\x98\xa9\x72\xbe\x26\xe2\x8f\xa9\xec\x1f\x77\x93\x91\xe3\xa4\x91\xd5\xe8\x69\x5f\x73\xd8\x87\x73\xa3\xd4\x06\x82\xff\xe1\xce\xa2\x37\xfa\x5a\x91\xd4\x8b\xd8\x2d\x8e\xcd\x25\xe6\xa6\x29\x2d\x17\x77\xe3\x8b\xe3\x7c\xcc\x8d\x96\xcf\x9d\x19\x1b\xa9\x05\x85\xe7\x28\xdc\x41\x5b\xc4\x06\xfd\x94\xe5\x3c\x67\x40\x71\xdf\x12\xea\x08\x9d\xcd\x94\xf9\xd9\x6b\x03\x86\xf7\x26\x05\x12\x67\xc9\x6e\x5c\x3d\x79\x49\xe8\x55\x02\xb5\xda\x43\xf1\x04\x93\xba\xa2\xfd\x77\xa0\x2f\xaa\xca\x33\x55\x8f\x78\xf0\x9f\x00\x43\x3b\xa9\x91\xef\x1b\x40\xc5\x99\x90\x39\xbe\xe1\x77\xfd\xa3\xba\x5d\xc0\x92\x51\x62\xe5\x9a\x8e\x32\x7c\x19\xe7\xd4\xe0\xaa\x8f\x13\x71\x07\x02\x71\xe0\x03\xce\x63\xf4\x27\x26\x5b\x6a\x2d\xfb\x1d\x68\x64\xf8\xcd\xf2\xa9\xd0\xf8\xb3\x8e\x57\x71\x2b\x85\x43\xa2\x0b\xe5\x02\x4a\xef\xfd\x25\x0a\x10\x6e\x78\x3a\x08\xa5\xae\x38\x5a\xc9\xa5\x76\xb3\xc1\xb0\x90\x36\xc5\x0f\x1a\x8d\x56\x99\xf1\xba\xd3\xd1\x69\x68\xf1\x1e\x9b\x1f\x54\xef\xdf\x3c\x2e\xc0\x3a\x1f\x12\x4a\xb5\xe5\xc4\x53\xd1\x9b\x93\x9b\x68\xd0\xa3\x39\x95\x1b\x5b\xb5\x5d\xa3\xeb\x45\x9c\x3f\x86\xa1\xde\x1b\x8b\x9c\xef\xe6\xe6\x0d\x14\xd8\xc6\x14\x31\x45\xe2\x4a\x85\xe9\xc0\x62\xa8\xf6\xbf\x5c\x9a\x51\xb2\xa5\x07\xff\xdf\x6f\x60\x1c\xd7\xd1\x0a\x7f\x3c\xb1\x6f\x38\xd7\xf2\xc4\x6e\xb2\xc1\xeb\xd2\x05\xd5\xb6\x0c\x5d\x5e\xc3\xd6\x0e\x15\x18\x9b\x9f\x44\x5c\xbf\x29\x17\x7b\x83\x55\xd8\xaf\x6b\xad\x6c\x6e\x3a\xda\xb3\x9d\xf7\x1e\xe2\xcf\x90\xdf\x9a\xb8\x68\x08\xe6\x2d\x1e\xc2\x4f\xf2\xbd\xe6\xfd\x56\xa2\x31\xe4\xe5\x56\xcc\x22\x7f\x5f\xa6\xd6\x17\xd5\x49\xae\xd8\xe2\xe3\x66\x01\x3d\x8a\x2c\x28\x99\xa5\xc7\x52\x62\x0d\x54\x47\x1f\x9c\xfe\x17\xb6\x87\xfe\xe4\x27\x99\xeb\x86\x21\xca\xbf\x3b\x81\x76\xdf\x65\x4b\x20\xf3\x48\xc9\x16\x7d\x70\xe9\x59\x22\x13\x38\xbf\x47\xcf\x3b\x34\x7d\xdb\x46\xe4\xea\x71\xfc\x82\x50\xcf\x48\x18\x60\x7a\x35\x95\x16\x65\xae\xec\x1b\x46\x84\xa9\xf2\xd5\x40\x39\xb
6\x44\xe3\xff\xcf\x5e\xf2\xa2\x67\x3d\x97\x40\x8f\xb9\xc5\xb9\xee\x80\x28\x67\xfc\xfc\xbf\x3c\xed\x42\x95\xe5\x9e\x78\x36\x5d\xe8\xf3\x8d\x98\x06\x6b\xc1\x63\xb7\x55\x56\x8b\xb0\x2e\xec\xa3\x8e\x04\xfe\x45\xb7\x80\x9c\xc4\x42\x40\x23\xa2\x3b\x15\xe3\x74\xe3\x83\xd0\x1e\x02\xdc\x66\x92\x48\x47\xf3\x72\xd8\xad\xc3\xb8\xaa\xdd\xb6\xea\xf9\x57\x5f\x52\x42\x51\xca\x6f\xea\x93\xfa\x33\x57\xe8\x1e\x94\x71\x5f\xbb\xe3\xce\x2b\xbc\x0c\x3d\x44\x7a\x51\x18\xd8\x59\xb1\xa7\x43\xb3\xe8\xee\xbf\xd3\x52\xfc\x50\xc2\x8c\x89\xd9\xfb\xf2\x08\x7c\xbe\xdc\xdd\xad\xd1\x99\x3a\x35\xf7\x1b\xff\x4b\x6e\x91\x90\xfb\x18\x26\xfa\x2b\x30\x89\x01\x87\x61\x65\xc7\x04\x17\xdc\xe1\x6e\xa0\xc1\x97\x55\x74\xbd\xc7\xcc\xf8\xd9\x2b\x3e\x77\x2b\x57\xfb\xad\xee\x74\xfc\xfe\x7b\x73\xdb\xef\x59\xc7\xf2\xe5\xba\x57\xb9\xbe\x68\x43\xe0\x6d\x0c\x13\xda\x2f\x48\x78\x40\x73\x7a\x8d\xfc\x79\x0c\xd5\x53\xc6\x93\xa9\xd1\x26\x8a\x13\xac\xfa\x44\xfa\x5e\x4b\x4f\x0d\xa3\x76\xfc\xc0\xec\x82\x94\xfd\xc0\x18\x23\x89\x7f\x91\x21\x27\xdb\x76\x90\x3d\xf2\xcd\xbf\xb9\x90\x24\x00\xc8\x6b\xf5\x26\xdd\xbb\x47\xc8\xe4\x9b\x67\x30\x55\xf7\x0a\x7d\x90\x08\x1c\xd3\x19\x64\xe0\x51\x9d\x50\x4c\x17\x1c\xd4\x1a\xb7\x99\x79\x16\xa7\x11\xcd\xec\x24\xf8\x0f\x80\x39\xce\xc9\xf6\x5b\xfb\xfa\x93\xe7\xbf\x22\x83\x51\xa8\x18\x92\xe5\x71\x80\xae\xce\x3e\x6b\x0f\xf3\x36\x6d\xc6\x66\x44\x47\xfa\xe5\xbe\xd3\x81\xf6\x29\x13\x4a\xdf\xcc\x51\xec\xa2\xab\x32\x76\x68\x2e\x5d\x9f\x67\x7b\x30\x1d\x6e\x6d\xcf\xa8\x64\x61\xa5\x67\xcb\x9c\xbf\xda\x3d\x2f\x91\xb3\xab\xc2\x0a\x5a\x7d\x46\x5d\x57\xc5\x07\xfe\x9c\xad\x83\x43\xd6\x4f\x51\xbe\x63\x0c\xe8\x18\xab\x78\xe9\x2c\xc5\x40\x8f\x48\x02\x5f\xbb\xf8\x39\x6d\x88\x20\x1c\x04\x2f\xd7\x11\x82\xc3\xd5\xdd\x62\xac\xe3\xec\x92\x31\xf8\x47\xbd\xff\x19\xb7\xbc\xe4\xe0\x4d\x10\x22\xb3\x2d\x46\xc7\x47\x09\xaa\x49\x63\x16\x6a\xef\xc5\xad\x6e\xd9\x47\x01\xd4\x32\x7f\x39\x4e\x1c\x9d\x01\xfb\xd3\xf2\x59\x03\xc5\x02\x0a\x84\x87\x96\x30\x08\xf8\xe4\xee\xdf\xe9\xc8\xd6\x2c\xa9\xcd\x72\xa9\x62\x39\xb1\xc0\x42\x7c\xb4\xe1\x7
1\x18\x21\x9b\x42\xcb\x89\x73\x53\x62\x1d\x66\x7a\x53\x8d\x3b\xa3\xe9\x26\x67\x38\xfd\x25\x24\x68\x1f\xd6\x33\xc1\xf7\x1a\x51\x28\x62\x10\xbc\x79\x3f\xc8\x9c\x0f\x04\x38\x66\x48\x0b\x7e\x08\x62\xb7\xa1\x08\x59\x3b\x2e\x9f\x8d\x1f\xc6\x2b\x7c\x67\xf5\x0d\xff\x63\x8f\x93\x18\xfa\x26\x0f\x37\x30\xce\xc7\x08\x0a\xfd\x74\x36\x41\xde\x7d\x59\xbc\xa4\xd3\x21\xf0\x31\xf3\x5f\xa6\x16\xc4\x33\xed\x57\x2a\x39\xbb\x17\xb9\x3c\x85\x81\xb1\x2a\xa1\xd2\x51\x54\x1b\xb5\xb2\x1c\x63\x91\x7c\x5b\x70\xec\x65\xe9\x57\xc5\x9c\x64\x3a\x6c\x0a\xb0\x02\xb5\x46\xdd\x97\x03\x50\xbe\x2a\x57\xe1\xa8\xf0\xf4\x6b\x01\x19\x95\x0a\xab\x33\x01\xe5\xca\x05\x43\x53\x2e\x1f\x08\x19\x90\x75\x60\x9f\x22\xcb\x8c\x8f\xfc\xba\x4b\xc8\x1d\xf5\xda\x4b\xa7\xae\x6b\x11\x1b\x4c\xd9\xc6\xe2\xe6\xc2\x0a\xda\x23\x28\x20\xb4\x77\x53\xd6\x26\x2c\x2b\x9e\xa6\x1e\xad\x28\x1b\xa0\xc3\x1c\x3b\xdf\xc0\x6b\x8a\x42\x98\x22\x82\xa2\x15\xbe\xad\xa3\xae\x9b\x2e\xad\x9a\xfd\x24\xf5\x0b\xc2\x28\x18\x90\x09\x77\x91\xcf\x37\xb1\x96\x9b\x45\xba\x7e\xb1\x30\x53\x66\x76\x7e\xda\x01\xef\xd0\x57\xda\x56\x74\x31\xc4\x9e\x79\xc5\x5a\x58\x95\x4f\x12\xda\xb8\xf1\xb6\x88\x51\x3f\x4c\x3c\x49\xa5\xf2\x7e\xe5\x37\x50\xd8\x9b\x63\x37\x79\x98\x00\x58\x78\x9d\x26\xa6\xb1\x72\x0b\xe7\xca\x54\x9d\xe7\x4b\xdb\x76\x3f\x4d\xb1\xa6\xbb\x86\x0b\x05\xdb\xc4\x77\x5b\x20\xce\xd8\x71\xb4\xa9\xd9\xd8\x77\xab\xef\x6c\x4b\xb3\x9d\x36\x8e\xf7\xe7\xfb\xba\xc5\xcb\x88\x21\x2d\x87\xf3\xc7\x62\x06\x59\xcf\x4c\xe1\xc6\xee\xb0\xea\x83\x84\xa6\xdf\x2f\x29\x13\x34\xe5\x80\x84\xfc\x55\xa3\xb6\xd7\xa8\x35\x1f\x62\x5a\x71\xee\xce\x16\xfc\xb5\x2f\xcc\xa8\x88\x09\x3a\x04\x0f\x5f\x15\x7a\xe2\x7d\xd7\x9d\x26\xae\x55\x5d\xd0\xd2\x19\xb5\x85\x53\xdb\x3b\xd8\xb4\x8d\x85\x6b\x3e\x23\x3d\x19\x72\x65\x78\xd3\x82\xbe\x3d\x12\x3f\x86\x56\xdb\xa5\xe6\x1d\xb1\x4b\x62\x7e\xb0\x74\xdb\x68\xd5\xa6\x9c\x93\x51\x17\x44\x92\xb5\x08\x24\x82\x4d\x3d\x3a\xf7\x92\x95\xf0\x5c\xdb\xb4\x7c\x8e\xf7\xc8\x5d\x81\x5b\xdc\xba\xcf\x4b\x86\x27\x96\x5c\x07\xc8\xe1\x07\x9f\x20\x1e\x50\x98\x02\x84\xf2\x00\x5
a\x92\xba\x82\x15\xd0\x6e\xf5\xef\xed\x59\x1f\x52\x79\xf1\x8a\x2f\xea\x04\x24\x66\xd7\x83\xe1\x08\x64\xe9\x3a\x54\xb8\x64\x9b\xb4\x43\x6d\x88\x6c\x78\x81\x9e\x92\x7c\x16\x3c\x76\x9c\x22\xfd\x6c\x1f\xfc\x50\x98\x49\xf6\x85\xac\xbc\x5c\x6e\xab\xe4\xbf\xb2\xe2\x65\x0b\xab\x17\x39\xa6\x95\x3b\x27\xa1\x84\x64\x64\xea\x8f\x56\xa7\x6c\xd3\x71\xa7\x47\x45\x95\x94\x9b\x6f\xd4\xdb\x07\x6d\x44\xce\xca\x31\x12\x22\x74\xec\x56\x8c\x58\x1d\x08\x8e\xe7\xf5\x68\xc0\x02\x4a\x49\x19\x20\x40\x1f\x16\x5d\xd1\x71\x1a\x2f\x9b\x03\x7e\xf4\xb4\x01\x9d\x22\x72\xe1\x9e\xd5\xcf\x41\x40\xe5\x8d\x74\xae\x1d\x93\x01\x8d\x09\xfe\xe3\x26\x3e\x81\x19\xfc\x7a\x48\x09\x45\x9c\x43\x4e\x93\xd3\x04\x70\x2f\x11\x0f\xc3\xa4\x0d\xfa\x78\xfd\xac\x5e\xdf\x24\x25\xd8\xdc\x16\x29\xbc\x95\xba\xb9\x32\x70\x32\x59\x8c\x2f\x55\x30\x78\x18\x7c\x3d\x07\x6f\x15\x67\x4c\xfb\x9e\x0f\x18\x2b\x68\xce\xdc\xec\x34\xcf\x04\x90\x90\x1a\xf1\x0a\x2d\x10\xac\x87\x31\xf7\x9e\x60\xea\x1e\xb1\x78\xa6\x01\x42\x97\xa5\xa3\xb8\x4b\x80\xde\xb5\xf3\xb5\x62\x04\xcd\xaf\x3a\x4c\xa0\xbc\xa0\x08\x3a\xca\xc6\xd2\xa5\x63\x71\x7e\xb7\x0b\x9d\x82\x75\xbb\x31\xdd\x4d\xa2\x5f\x6a\xaf\x3b\xb5\x76\x15\x2c\xc5\x98\x39\x9b\xfc\x1f\x70\x3f\x9d\x65\xc7\xca\x6f\xc4\x5d\x7c\xd8\x19\x12\x07\x1a\x94\xb4\x98\x17\x28\xbd\x3f\xa5\x32\xdd\x3a\xb9\x5e\xdc\x2c\x8a\x87\x92\x31\x6b\x78\x28\xc1\x7a\x0a\x11\x5a\x80\xee\x5f\x7c\x63\x2f\xa1\x23\xfc\xce\xae\xcb\x31\x19\x15\x34\x9c\x9b\x26\xf2\xed\x27\x52\x23\xd7\x9b\xac\x0c\x13\x76\x71\xc3\xac\x5f\x48\x9b\x42\xfb\xf5\xb1\x9b\x3a\x46\xae\x22\xa7\x2f\xe3\x47\xd8\xab\xf1\x11\x42\x96\x85\x62\xc6\x32\x9d\xfb\x94\x22\x49\xb5\x93\xd3\x7d\x17\xf4\x0d\x79\x3a\x48\x18\x92\x10\xe0\xb6\x0b\x95\x83\x75\xc0\x89\x93\xd3\x4e\x3e\xb0\xba\x69\x32\x43\x5c\xde\x73\xd5\x68\xd8\x1e\x0d\xf7\xf7\x6d\xab\x7c\x1c\x1f\x7e\x5b\x76\x41\x44\x89\x6f\xe5\xa8\x19\xa4\xf0\xae\xfa\x09\x9e\x1d\x84\xf8\xc1\x12\x02\xbc\x14\x1f\x7a\xe0\x3f\xb4\xfd\xbf\x5b\x6c\x30\x83\x4a\x4d\xcc\x7f\x9a\x64\xbb\xe1\x40\x76\x11\x0b\x97\x29\x76\x7e\x5f\x31\xed\xbf\x5d\xdc\x5
4\x0f\x3a\x31\xa3\x6f\x4a\x33\x2b\x5a\x24\xd9\xe0\xbe\x54\xf8\x16\x1b\x52\xf7\x6b\x78\x08\x3e\x40\xa6\x63\xc8\xd2\x0b\xfb\xc4\x46\x53\x3c\x2c\x4b\x78\xe6\x30\xbb\xc9\x4a\x24\xd9\x51\x60\x18\xfa\xff\xed\xc2\xe8\x5f\xb0\x91\xde\xea\xd3\x61\x2c\x8a\xb2\x41\xb1\x26\x47\xc2\xe7\x14\x07\xa9\xbb\xef\x11\xc9\x75\xed\xbb\x97\x22\xab\x61\x74\xa9\x19\x1c\x5f\x01\x28\xc1\xe0\xf4\x39\x33\x53\x68\x9a\xd1\x8b\x96\x78\x5a\x7d\x8e\x04\x5a\xdb\x80\x1a\xfe\x79\x00\x0f\x18\xec\xbc\x07\xea\x83\x93\x06\xbe\xcb\x86\x2b\x17\x53\xfe\xd5\x04\xdf\x00\x95\x46\x67\x2f\xd6\x5e\x60\xa2\xb5\x23\xae\x74\x77\x50\x2d\xb7\x5d\xeb\x99\x44\x52\xe0\xb3\xf7\xa8\x41\xa9\x8b\x8c\x0b\x0e\x82\x8f\x0c\xa6\x79\xe1\xfb\x97\xf8\xdf\x29\x2e\x2d\xb3\x0f\x75\x6f\xba\x17\x75\x45\xa0\x9b\xeb\x2b\xe1\x93\xfb\x3a\x1a\x94\xd3\x44\x56\xd9\x07\x1e\x63\x4b\xb8\xa4\x33\x09\x30\x2f\x6c\xe4\xc3\x38\xd4\x39\x27\x0c\x42\x6b\xaa\x04\x8b\xb9\x2e\xc1\x39\xe5\x0f\xc4\x57\xdb\x0f\x37\xb4\x94\xc5\x91\xf6\x71\x15\xbc\x9c\x52\x21\x52\xd2\x8f\x9c\xad\x16\x10\xbf\xfc\xea\x13\x9b\xf2\xc5\xe0\x23\x9d\x4f\x8d\xb1\x25\xf0\xc6\x68\x76\x8a\x02\xab\x70\x28\x14\xab\x61\xb5\x7e\x0d\xd8\x39\x54\x9c\xd7\x8c\x1d\x33\x1d\x3c\xf4\x2e\x0e\x94\x35\x9d\xf9\xf9\xd8\xd4\xfa\x2b\x98\x2a\x19\x77\xcc\x55\xa8\x88\x80\x56\x46\x23\x15\x45\xc2\xe9\x6a\x8b\x80\xc9\xdb\xda\xf7\xb7\x64\x40\x21\xf8\xdb\xdd\x8f\x3c\x37\x3a\x72\xa9\xc5\xa8\xad\x05\xc6\x7f\x50\xbd\x32\xa9\x6e\x19\xa6\x06\x17\x00\x61\x54\x2a\x0b\x1e\xe9\x0e\x3c\x75\x61\x9d\x95\x41\x6e\x1d\x2f\x6c\x76\xef\x08\xf6\x11\x88\x2c\x87\xd0\x96\xb2\xf8\x4c\x1b\x5f\x79\xc7\x28\x72\x7e\x00\xb0\x58\x9f\xf8\x67\x82\x4b\x88\x93\x9c\x3a\xcb\xa9\x6f\x59\xa3\xe3\x08\xef\x70\x68\xbd\x4a\xd8\x47\x8b\x9f\x0d\x6d\x5c\x90\xc8\xd3\xfd\xb1\xbc\xe0\x82\x2f\xd4\xdb\xf6\x04\x33\xd0\xfd\x9a\x1d\x00\xfa\xd0\x5b\x13\x5b\x0f\xca\x52\x29\x82\xbd\x41\xa1\xd3\x2c\xa9\xe1\x3c\xc2\xde\x18\x09\xe5\x1e\x12\xb5\x40\xdf\x58\xcc\x4b\xca\xcb\xc3\x94\x53\xe6\x2e\xff\xe1\xcb\xa6\x2a\x72\x5b\x7b\x69\x0a\x53\x1a\x16\x9b\x16\xcd\x4f\xb4\x23\x00\x18\xa
d\xbf\xeb\xfd\x58\xec\x47\x67\x42\xa8\xea\x7e\x8f\xf7\xe5\x6a\xb4\x63\xb3\x45\xa8\x42\x99\x86\x7f\x85\x7d\xe6\xea\x30\x75\x9a\x8d\xd0\x93\xe9\x8f\x99\xc6\x2f\x40\x95\x97\xf9\xa3\xdd\xd4\x90\xc8\x81\x33\xd9\x83\x1a\x7d\xdd\x0b\xbc\x35\x36\xd8\x0d\xea\xee\x38\xac\xb1\xba\x95\xba\x0c\xda\x91\x0f\x4b\x12\x0a\x59\x2b\xc9\x15\x04\xf4\xb0\xd9\x91\x71\xe2\xc4\x5d\x4e\x25\x6d\xc0\x3f\xed\xe6\x8e\xe1\xda\xbf\x80\x29\xc9\x9d\xec\x19\x8c\x4a\xad\xdb\x68\x17\xf8\x39\xf1\xda\x74\x97\x12\x67\xc2\x12\xbd\x22\x69\xf8\xcc\xcd\x32\x49\x5e\x8f\x72\x04\x48\x6d\x98\x59\x87\xc2\x5a\x5c\xb7\xef\xd6\x39\xb1\xdb\xd2\x50\x60\x22\xf6\xca\xf2\x4b\x09\x22\x62\x27\xd8\x03\x5c\xea\x83\xb9\xcb\x82\x1a\xc3\xfd\xae\xda\x5f\x22\xdf\xb1\x19\x15\x93\xf4\xd1\x65\x5e\x23\x54\x6c\x84\xa8\xff\x48\x27\x89\xbc\x92\xf1\x94\xdd\xa5\xf6\x14\xd6\x98\x6e\xac\x82\x9b\xab\x2b\x7a\x29\x22\x5b\xd5\x51\x76\x12\xd4\x0f\xda\x6a\x15\x3f\xc5\x2b\x24\x66\x33\x68\xad\xc2\xed\xf5\x6b\x07\xbb\x22\xf1\xb5\xd5\x26\xbf\xfb\x21\x28\x2c\x65\x4a\x77\x95\xa2\x76\x31\xf9\x5d\x88\x5d\xf4\xc0\xbc\xeb\x07\x12\xbf\xdd\xc0\x58\xdc\xbf\x32\x83\xa8\xb9\x66\x64\xdf\x54\x83\x40\x46\x6b\xd7\x17\x32\x9e\x6d\x54\x25\xcb\xd8\xf9\xe6\x44\x2e\xc4\x67\x13\x81\xb8\x01\x7e\x04\xba\xf1\x66\xd7\xb1\x4d\xdb\x51\x6a\x62\x4a\xc5\xc7\x65\x87\xa0\x0c\x65\x02\xa9\x40\x1c\xee\xc4\x82\x69\xc4\xeb\xf6\x70\xbd\x1c\xaf\x46\x13\xbc\xe8\x6e\x29\x7f\x9d\xd0\x02\x24\x08\xaf\x5c\x7a\x7e\x9c\xa4\xa1\xa2\xc7\xea\x50\x6d\xcc\xd7\xf8\x40\xeb\x4d\xe4\xdd\x3c\x73\x40\x06\xcb\x85\xe9\xa0\x53\x9f\x98\x8a\xb4\x5f\x59\x3d\x1d\x96\x06\x12\x2a\x2f\x10\x6e\x9f\x84\xf5\x2f\xf9\x17\x97\x07\x61\x03\xd0\x42\x58\x68\x46\xff\x73\x05\xc2\x73\xfe\x8e\xaf\x05\x3f\x6f\x2c\x7f\xd4\xf1\x18\x13\x4a\x8c\x82\x4b\xbb\x27\xe3\x19\x1a\x8b\x19\x25\x55\xc6\x61\x49\x08\xba\x54\x36\xa6\x73\x83\x0c\x27\xa6\x31\x69\xd3\xc6\x9d\x3f\x7e\x05\x2a\x6b\x6d\xe6\xfd\x2a\x54\x45\x72\xcb\xce\x67\xf6\x7a\x3b\x37\x83\xf4\xc8\xdb\x22\x71\xa4\xa1\x3c\x03\x55\xa9\x2c\x6b\x03\x6e\x5e\xf0\x6f\x53\x32\x3d\xb1\x43\x2b\xd5\xb
e\xd2\x60\x15\x44\x38\x7d\xfe\xa3\xf5\xed\x9b\x25\x2f\xc9\xa2\x04\x11\x99\x94\x23\x94\x4f\xdc\x2d\x16\x3f\x66\xba\x18\x26\xc7\xbd\x6d\xa8\xe8\x95\xef\xb1\x9b\x4f\xe0\xf2\x03\x81\x42\xd7\x66\x5f\xaf\xaf\x97\x9c\x56\x35\x29\x40\xb5\x5c\xae\xf5\xf8\xf8\x81\xdb\x23\x06\x0d\xdd\x71\xf9\x9f\xca\xb6\xbf\xe4\x12\xbe\xb2\xa1\x7d\x10\x6f\xa4\x50\x91\x4a\xa7\x92\x0c\xb2\x12\x67\xe1\x6c\xb4\x94\x36\x05\x60\x98\x36\x14\x9f\x19\x70\xd5\xca\x6f\x31\x10\x14\xd5\xb6\x91\xc1\x45\xba\x81\xb4\xff\x94\xc7\x2f\xe1\x50\xea\x49\xe5\x60\x70\xcf\xf3\x4a\xbe\xe3\x70\x61\xe8\x71\xae\xcf\x5d\xcf\x9f\x91\xb5\x2a\x36\xeb\x99\x3c\x67\x89\xf0\x21\xbe\x51\x70\x89\x2c\xa8\x0d\x1c\x2a\xd5\xbb\xce\x3c\xe4\x06\xcf\xb4\x12\xbd\x66\xfd\x64\x42\xd7\x0e\xbe\x18\xcd\xcc\x29\x58\xc5\x09\x34\x1f\x05\x10", 8192); *(uint64_t*)0x200000004700 = 0x200000002700; *(uint32_t*)0x200000002700 = 0x50; *(uint32_t*)0x200000002704 = 0xfffffff5; *(uint64_t*)0x200000002708 = 6; *(uint32_t*)0x200000002710 = 7; *(uint32_t*)0x200000002714 = 0x2d; *(uint32_t*)0x200000002718 = 2; *(uint32_t*)0x20000000271c = 0x400000c; *(uint16_t*)0x200000002720 = 7; *(uint16_t*)0x200000002722 = 0x6b; *(uint32_t*)0x200000002724 = 0x80; *(uint32_t*)0x200000002728 = 3; *(uint16_t*)0x20000000272c = 0; *(uint16_t*)0x20000000272e = 0; *(uint32_t*)0x200000002730 = 1; *(uint32_t*)0x200000002734 = 4; memset((void*)0x200000002738, 0, 24); *(uint64_t*)0x200000004708 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x18; *(uint32_t*)0x200000002784 = 0xfffffffe; *(uint64_t*)0x200000002788 = 4; *(uint64_t*)0x200000002790 = 5; *(uint64_t*)0x200000004710 = 0x2000000027c0; *(uint32_t*)0x2000000027c0 = 0x18; *(uint32_t*)0x2000000027c4 = 0; *(uint64_t*)0x2000000027c8 = 8; *(uint64_t*)0x2000000027d0 = 0x101; *(uint64_t*)0x200000004718 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0xfffffffe; *(uint64_t*)0x200000002808 = 4; *(uint32_t*)0x200000002810 = 0x50bf; *(uint32_t*)0x200000002814 = 0; *(uint64_t*)0x200000004720 = 
0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 3; *(uint32_t*)0x200000002850 = 0xffff; *(uint32_t*)0x200000002854 = 0; *(uint64_t*)0x200000004728 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x28; *(uint32_t*)0x200000002884 = 0; *(uint64_t*)0x200000002888 = 6; *(uint64_t*)0x200000002890 = 0xfffffffffffffff7; *(uint64_t*)0x200000002898 = 0; *(uint32_t*)0x2000000028a0 = 0; *(uint32_t*)0x2000000028a4 = r[4]; *(uint64_t*)0x200000004730 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x60; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 0xa2; *(uint64_t*)0x2000000028d0 = 0xfffffffffffffffb; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0x2867; *(uint64_t*)0x2000000028e8 = 0xd7f; *(uint64_t*)0x2000000028f0 = 2; *(uint32_t*)0x2000000028f8 = 0x28; *(uint32_t*)0x2000000028fc = 0xafb; *(uint32_t*)0x200000002900 = 7; *(uint32_t*)0x200000002904 = 0; memset((void*)0x200000002908, 0, 24); *(uint64_t*)0x200000004738 = 0x200000002940; *(uint32_t*)0x200000002940 = 0x18; *(uint32_t*)0x200000002944 = 0; *(uint64_t*)0x200000002948 = 0; *(uint32_t*)0x200000002950 = 0xb; *(uint32_t*)0x200000002954 = 0; *(uint64_t*)0x200000004740 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x13; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0x80000000; memcpy((void*)0x200000002990, "&,\000", 3); *(uint64_t*)0x200000004748 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x20; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0x41f; *(uint64_t*)0x2000000029d0 = 0; *(uint32_t*)0x2000000029d8 = 0; *(uint32_t*)0x2000000029dc = 0; *(uint64_t*)0x200000004750 = 0x200000002b80; *(uint32_t*)0x200000002b80 = 0x78; *(uint32_t*)0x200000002b84 = 0xfffffff5; *(uint64_t*)0x200000002b88 = 5; *(uint64_t*)0x200000002b90 = 0; *(uint32_t*)0x200000002b98 = 0x30; *(uint32_t*)0x200000002b9c = 0; *(uint64_t*)0x200000002ba0 = 0; *(uint64_t*)0x200000002ba8 = 0; *(uint64_t*)0x200000002bb0 = 0x9cb; 
*(uint64_t*)0x200000002bb8 = 6; *(uint64_t*)0x200000002bc0 = 0x45ff; *(uint64_t*)0x200000002bc8 = 8; *(uint32_t*)0x200000002bd0 = 0x7fffffff; *(uint32_t*)0x200000002bd4 = -1; *(uint32_t*)0x200000002bd8 = 2; *(uint32_t*)0x200000002bdc = 0x8000; *(uint32_t*)0x200000002be0 = 0xffff0001; *(uint32_t*)0x200000002be4 = r[10]; *(uint32_t*)0x200000002be8 = r[11]; *(uint32_t*)0x200000002bec = 0xb; *(uint32_t*)0x200000002bf0 = 7; *(uint32_t*)0x200000002bf4 = 0; *(uint64_t*)0x200000004758 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x90; *(uint32_t*)0x200000002c44 = 0xffffffda; *(uint64_t*)0x200000002c48 = 0xfffffffffffffc00; *(uint64_t*)0x200000002c50 = 3; *(uint64_t*)0x200000002c58 = 0; *(uint64_t*)0x200000002c60 = 6; *(uint64_t*)0x200000002c68 = 4; *(uint32_t*)0x200000002c70 = 7; *(uint32_t*)0x200000002c74 = 6; *(uint64_t*)0x200000002c78 = 6; *(uint64_t*)0x200000002c80 = 0x5d; *(uint64_t*)0x200000002c88 = 8; *(uint64_t*)0x200000002c90 = 0; *(uint64_t*)0x200000002c98 = 0xfffffffffffffffc; *(uint64_t*)0x200000002ca0 = 1; *(uint32_t*)0x200000002ca8 = 3; *(uint32_t*)0x200000002cac = 8; *(uint32_t*)0x200000002cb0 = 8; *(uint32_t*)0x200000002cb4 = 0xa000; *(uint32_t*)0x200000002cb8 = 2; *(uint32_t*)0x200000002cbc = 0xee01; *(uint32_t*)0x200000002cc0 = r[12]; *(uint32_t*)0x200000002cc4 = 6; *(uint32_t*)0x200000002cc8 = 7; *(uint32_t*)0x200000002ccc = 0; *(uint64_t*)0x200000004760 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0xc8; *(uint32_t*)0x200000002d04 = 0xfffffffe; *(uint64_t*)0x200000002d08 = 1; *(uint64_t*)0x200000002d10 = 6; *(uint64_t*)0x200000002d18 = 5; *(uint32_t*)0x200000002d20 = 5; *(uint32_t*)0x200000002d24 = -1; memset((void*)0x200000002d28, 170, 5); *(uint64_t*)0x200000002d30 = 2; *(uint64_t*)0x200000002d38 = -1; *(uint32_t*)0x200000002d40 = 6; *(uint32_t*)0x200000002d44 = 7; memset((void*)0x200000002d48, 255, 6); *(uint64_t*)0x200000002d50 = 5; *(uint64_t*)0x200000002d58 = 5; *(uint32_t*)0x200000002d60 = 6; *(uint32_t*)0x200000002d64 = 0xc828; 
memset((void*)0x200000002d68, 2, 6); *(uint64_t*)0x200000002d70 = 3; *(uint64_t*)0x200000002d78 = 0xa; *(uint32_t*)0x200000002d80 = 0x1f; *(uint32_t*)0x200000002d84 = 2; memcpy((void*)0x200000002d88, "bpf_lsm_kernel_create_files_as\000", 31); *(uint64_t*)0x200000002da8 = 5; *(uint64_t*)0x200000002db0 = 0x100; *(uint32_t*)0x200000002db8 = 5; *(uint32_t*)0x200000002dbc = 9; memset((void*)0x200000002dc0, 170, 5); *(uint64_t*)0x200000004768 = 0x2000000040c0; *(uint32_t*)0x2000000040c0 = 0xb0; *(uint32_t*)0x2000000040c4 = 0; *(uint64_t*)0x2000000040c8 = 0xffffffffffff51c6; *(uint64_t*)0x2000000040d0 = 0; *(uint64_t*)0x2000000040d8 = 1; *(uint64_t*)0x2000000040e0 = 0x7fffffff; *(uint64_t*)0x2000000040e8 = 4; *(uint32_t*)0x2000000040f0 = 0x80; *(uint32_t*)0x2000000040f4 = 0xe; *(uint64_t*)0x2000000040f8 = 5; *(uint64_t*)0x200000004100 = 6; *(uint64_t*)0x200000004108 = 9; *(uint64_t*)0x200000004110 = 0; *(uint64_t*)0x200000004118 = 0x80; *(uint64_t*)0x200000004120 = 3; *(uint32_t*)0x200000004128 = 7; *(uint32_t*)0x20000000412c = 0xffffff01; *(uint32_t*)0x200000004130 = 5; *(uint32_t*)0x200000004134 = 0x6000; *(uint32_t*)0x200000004138 = 5; *(uint32_t*)0x20000000413c = r[13]; *(uint32_t*)0x200000004140 = r[14]; *(uint32_t*)0x200000004144 = 9; *(uint32_t*)0x200000004148 = 4; *(uint32_t*)0x20000000414c = 0; *(uint64_t*)0x200000004150 = 1; *(uint64_t*)0x200000004158 = 0x7fffffff; *(uint32_t*)0x200000004160 = 6; *(uint32_t*)0x200000004164 = 7; memset((void*)0x200000004168, 2, 6); *(uint64_t*)0x200000004770 = 0x200000004340; *(uint32_t*)0x200000004340 = 0xa0; *(uint32_t*)0x200000004344 = 0xfffffffe; *(uint64_t*)0x200000004348 = 0x4f4; *(uint64_t*)0x200000004350 = 0; *(uint64_t*)0x200000004358 = 3; *(uint64_t*)0x200000004360 = 0x58be8e49; *(uint64_t*)0x200000004368 = 0x88; *(uint32_t*)0x200000004370 = 0x80; *(uint32_t*)0x200000004374 = 2; *(uint64_t*)0x200000004378 = 0; *(uint64_t*)0x200000004380 = 7; *(uint64_t*)0x200000004388 = 0x8000000000000000; *(uint64_t*)0x200000004390 = 
6; *(uint64_t*)0x200000004398 = 2; *(uint64_t*)0x2000000043a0 = 0; *(uint32_t*)0x2000000043a8 = 0x81; *(uint32_t*)0x2000000043ac = 0xb; *(uint32_t*)0x2000000043b0 = 0xfff; *(uint32_t*)0x2000000043b4 = 0x8000; *(uint32_t*)0x2000000043b8 = 0xc093; *(uint32_t*)0x2000000043bc = r[15]; *(uint32_t*)0x2000000043c0 = 0; *(uint32_t*)0x2000000043c4 = -1; *(uint32_t*)0x2000000043c8 = 0x9e9; *(uint32_t*)0x2000000043cc = 0; *(uint64_t*)0x2000000043d0 = 0; *(uint32_t*)0x2000000043d8 = 4; *(uint32_t*)0x2000000043dc = 0; *(uint64_t*)0x200000004778 = 0x200000004400; *(uint32_t*)0x200000004400 = 0x20; *(uint32_t*)0x200000004404 = 0xfffffffe; *(uint64_t*)0x200000004408 = 4; *(uint32_t*)0x200000004410 = 0x1000; *(uint32_t*)0x200000004414 = 4; *(uint32_t*)0x200000004418 = 7; *(uint32_t*)0x20000000441c = 3; *(uint64_t*)0x200000004780 = 0x2000000045c0; *(uint32_t*)0x2000000045c0 = 0x130; *(uint32_t*)0x2000000045c4 = 0; *(uint64_t*)0x2000000045c8 = 6; *(uint64_t*)0x2000000045d0 = 7; *(uint32_t*)0x2000000045d8 = 0xf; *(uint32_t*)0x2000000045dc = 0; memset((void*)0x2000000045e0, 0, 16); *(uint32_t*)0x2000000045f0 = 4; *(uint32_t*)0x2000000045f4 = 0xfffffffb; *(uint64_t*)0x2000000045f8 = 0xc3f; *(uint32_t*)0x200000004600 = 0xc6; *(uint32_t*)0x200000004604 = r[17]; *(uint32_t*)0x200000004608 = 0xee01; *(uint16_t*)0x20000000460c = 0x1000; memset((void*)0x20000000460e, 0, 2); *(uint64_t*)0x200000004610 = 0xc42b; *(uint64_t*)0x200000004618 = 0xfffffffffffffffb; *(uint64_t*)0x200000004620 = 8; *(uint64_t*)0x200000004628 = 0xfffffffffffff3f4; *(uint64_t*)0x200000004630 = 7; *(uint32_t*)0x200000004638 = 9; *(uint32_t*)0x20000000463c = 0; *(uint64_t*)0x200000004640 = 0x893b; *(uint32_t*)0x200000004648 = 0xc160; *(uint32_t*)0x20000000464c = 0; *(uint64_t*)0x200000004650 = 3; *(uint32_t*)0x200000004658 = 0x6a48; *(uint32_t*)0x20000000465c = 0; *(uint64_t*)0x200000004660 = 0x40; *(uint32_t*)0x200000004668 = 6; *(uint32_t*)0x20000000466c = 0; *(uint32_t*)0x200000004670 = 5; *(uint32_t*)0x200000004674 = 
0; *(uint32_t*)0x200000004678 = 9; *(uint32_t*)0x20000000467c = 3; memset((void*)0x200000004680, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x200000000700, /*len=*/0x2000, /*res=*/0x200000004700); break; case 26: res = syscall(__NR_pidfd_getfd, /*pidfd=*/r[6], /*fd=*/r[9], /*flags=*/0ul); if (res != -1) r[19] = res; break; case 27: memcpy((void*)0x2000000047c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000047c0, /*fd=*/r[19]); break; case 28: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 29: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/0); if (res != -1) r[20] = res; break; case 30: *(uint32_t*)0x200000004804 = 0x87d1; *(uint32_t*)0x200000004808 = 0x200; *(uint32_t*)0x20000000480c = 3; *(uint32_t*)0x200000004810 = 0x92; *(uint32_t*)0x200000004818 = r[19]; memset((void*)0x20000000481c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x70d3, /*params=*/0x200000004800, /*ring_ptr=*/0x200000004880, /*sqes_ptr=*/0x2000000048c0); if (res != -1) { r[21] = *(uint64_t*)0x200000004880; r[22] = *(uint64_t*)0x2000000048c0; } break; case 31: *(uint8_t*)0x200000004980 = 0x1c; *(uint8_t*)0x200000004981 = 0x40; *(uint16_t*)0x200000004982 = 0; *(uint32_t*)0x200000004984 = r[20]; *(uint64_t*)0x200000004988 = 0x200000004900; *(uint64_t*)0x200000004900 = 0x8000; *(uint64_t*)0x200000004908 = 0x190; *(uint64_t*)0x200000004910 = 0x10; *(uint64_t*)0x200000004990 = 0x200000004940; memcpy((void*)0x200000004940, "./file0\000", 8); *(uint32_t*)0x200000004998 = 0x18; *(uint32_t*)0x20000000499c = 0; *(uint64_t*)0x2000000049a0 = 0x23456; *(uint16_t*)0x2000000049a8 = 0; *(uint16_t*)0x2000000049aa = 0; memset((void*)0x2000000049ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[21], /*sqes_ptr=*/r[22], /*sqe=*/0x200000004980); break; case 32: memcpy((void*)0x2000000049c0, "*(z,\000", 5); memcpy((void*)0x200000004ac0, 
"\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x7e\xf6\xbf\x4c\x19\xc0\x4a\xa5\x7c\x4c\x2f\xf9\x2e\xe1\x46\x0e\xbf\x0e\x57\x59\x5c\xc3\x55\xaa\x22\x67\x95\x47\xef\x84\x49\x9e\xf9\x9d\x9b\xdd\x69\x1a\x9a\x0e\xe1\x9f\xba\x5f\xee\x97\xd9\xa9\x2b\xb7\xae\x3d\x75\x4a\x98\x45\x6c\xdb\xfd\x27\xda\x20\xf9\x77\xf4\xbf\x46\x30\xc3\xca\x42\x1a\x6a\xcf\x8d\x9f\x81\xd2\x93\xd3\xa0\xb0\x23\x27\xe4\x06\x32\x3e\x77\x3c\x64\xb8\x65\xc2\xc7\xa1\x02\x36\xfb\xbb\xb9\xc9\xea\xc5\xd1\x4f\x18\x75\x2a\x03\x89\xa5\x81\x59\x64\x04\x1b\x84\x4f\x71\x45\x5e\xa1\x2d\xdc\x9d\xcf\xb6\xe9\x00\xa3\x66\x57\x58\xcb\xa3\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 192); syz_kfuzztest_run(/*name=*/0x2000000049c0, /*data=*/0x200000004a00, /*len=*/0xc0, /*buf=*/0x200000004ac0); break; case 33: *(uint64_t*)0x200000014f40 = 0; *(uint64_t*)0x200000014f48 = 0x200000014ac0; *(uint64_t*)0x200000014ac0 = 0x17d; *(uint64_t*)0x200000014ac8 = 0x20; *(uint64_t*)0x200000014ad0 = 0x25000; *(uint64_t*)0x200000014ad8 = 0x5591; *(uint64_t*)0x200000014ae0 = 0x64; *(uint64_t*)0x200000014ae8 = 0x18; *(uint32_t*)0x200000014af0 = 8; *(uint32_t*)0x200000014af4 = 0x57; *(uint64_t*)0x200000014af8 = 0x12d; *(uint64_t*)0x200000014b00 = 0x18; *(uint64_t*)0x200000014b08 = 3; *(uint64_t*)0x200000014b10 = 0x64; *(uint64_t*)0x200000014b18 = 0x18; *(uint32_t*)0x200000014b20 = 0; *(uint32_t*)0x200000014b24 = 2; *(uint64_t*)0x200000014b28 = 0x69; *(uint64_t*)0x200000014b30 = 0x20; *(uint64_t*)0x200000014b38 = 0xc003; *(uint64_t*)0x200000014b40 = 1; *(uint64_t*)0x200000014b48 = 0x64; *(uint64_t*)0x200000014b50 = 0x18; *(uint32_t*)0x200000014b58 = 0x10; *(uint32_t*)0x200000014b5c = 0xc; *(uint64_t*)0x200000014b60 = 0x12d; *(uint64_t*)0x200000014b68 = 0x18; *(uint64_t*)0x200000014b70 = 0; *(uint64_t*)0x200000014b78 = 0x12e; *(uint64_t*)0x200000014b80 = 0x7e; *(uint64_t*)0x200000014b88 = 1; 
memcpy((void*)0x200000014b90, "\x36\x2e\x36\x3e\x66\x43\x0f\x57\xa9\x00\x98\x00\x00\x66\xba\xf8\x0c\xb8\x28\x8f\xc6\x86\xef\x66\xba\xfc\x0c\xed\xb9\x71\x03\x00\x00\xb8\xc7\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\x42\x0f\x01\xc8\x66\xb8\x78\x00\x0f\x00\xd0\x40\x0f\x01\xc5\x66\xba\x43\x00\x66\xed\x40\x1d\x03\x00\x00\x00\xc7\x44\x24\x00\x00\x00\x00\x00\xc7\x44\x24\x02\x49\x3a\x56\x64\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x32", 102); *(uint64_t*)0x200000014bf6 = 0x64; *(uint64_t*)0x200000014bfe = 0x18; *(uint32_t*)0x200000014c06 = 0xf; *(uint32_t*)0x200000014c0a = 4; *(uint64_t*)0x200000014c0e = 0x12e; *(uint64_t*)0x200000014c16 = 0x60; *(uint64_t*)0x200000014c1e = 0; memcpy((void*)0x200000014c26, "\xc4\x21\xf8\x10\x7a\xf0\x0f\xe7\x64\x9a\x4f\x47\xfb\x0f\x01\xca\x46\x0f\x08\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x80\x00\x00\x0f\x30\x0f\x01\xcb\x40\x0f\x01\xcb\xc7\x44\x24\x00\x8d\x00\x00\x00\xc7\x44\x24\x02\x07\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x52\x4b\x00", 72); *(uint64_t*)0x200000014c6e = 0; *(uint64_t*)0x200000014c76 = 0x18; *(uint64_t*)0x200000014c7e = 2; *(uint64_t*)0x200000014c86 = 0x12d; *(uint64_t*)0x200000014c8e = 0x18; *(uint64_t*)0x200000014c96 = 3; *(uint64_t*)0x200000014c9e = 0x17f; *(uint64_t*)0x200000014ca6 = 0x10; *(uint64_t*)0x200000014cae = 0; *(uint64_t*)0x200000014cb6 = 0x18; *(uint64_t*)0x200000014cbe = 4; *(uint64_t*)0x200000014cc6 = 0x12f; *(uint64_t*)0x200000014cce = 0x18; *(uint64_t*)0x200000014cd6 = 2; *(uint64_t*)0x200000014cde = 0x12e; *(uint64_t*)0x200000014ce6 = 0x56; *(uint64_t*)0x200000014cee = 3; memcpy((void*)0x200000014cf6, "\x0f\x01\xdf\x0f\xa8\x66\xba\xf8\x0c\xb8\x82\xca\xa9\x8f\xef\x66\xba\xfc\x0c\x66\xed\x67\x0f\x01\xca\x0f\xfd\xca\x46\x0f\x01\xb3\x90\x4e\x00\x00\x66\xba\x20\x00\x66\xb8\xb7\xea\x66\xef\x0f\x01\x32\xc4\xe1\x61\xeb\x58\x00\xb9\x81\x05\x00\x00\x0f\x32", 62); *(uint64_t*)0x200000014d34 = 0x180; *(uint64_t*)0x200000014d3c = 0x38; *(uint64_t*)0x200000014d44 = 1; 
*(uint64_t*)0x200000014d4c = 0x17; *(uint64_t*)0x200000014d54 = 4; *(uint64_t*)0x200000014d5c = 4; *(uint64_t*)0x200000014d64 = 0; *(uint64_t*)0x200000014d6c = 0x183; *(uint64_t*)0x200000014d74 = 0x18; *(uint64_t*)0x200000014d7c = 3; *(uint64_t*)0x200000014d84 = 0x65; *(uint64_t*)0x200000014d8c = 0x20; *(uint64_t*)0x200000014d94 = 0x32c; *(uint64_t*)0x200000014d9c = 0x10; *(uint64_t*)0x200000014da4 = 0x68; *(uint64_t*)0x200000014dac = 0x20; *(uint64_t*)0x200000014db4 = 7; *(uint64_t*)0x200000014dbc = 2; *(uint64_t*)0x200000014dc4 = 0xa; *(uint64_t*)0x200000014dcc = 0x56; memcpy((void*)0x200000014dd4, "\xf3\x41\xaf\x66\xb8\x3e\x00\x8e\xd0\xc4\xe1\x35\x73\xfa\xe7\x66\x0f\x74\xa6\x00\x00\x00\x00\x47\xdb\xc1\x45\x0f\x08\x66\x41\x0f\x38\x82\x94\x1f\x0e\x58\x39\xba\x47\x0f\x79\x55\x00\xc4\x01\x56\x51\xaf\x41\x04\x00\x00\x66\xba\xf8\x0c\xb8\xe2\x7f\xf4\x8d\xef\x66\xba\xfc\x0c\xec", 69); *(uint8_t*)0x200000014e19 = 0xc3; *(uint64_t*)0x200000014e1a = 0x12d; *(uint64_t*)0x200000014e22 = 0x18; *(uint64_t*)0x200000014e2a = 3; *(uint64_t*)0x200000014e32 = 0x12c; *(uint64_t*)0x200000014e3a = 0x18; *(uint64_t*)0x200000014e42 = 0; *(uint64_t*)0x200000014e4a = 0x12e; *(uint64_t*)0x200000014e52 = 0x6f; *(uint64_t*)0x200000014e5a = 3; memcpy((void*)0x200000014e62, "\xf3\x41\x0f\x22\x17\x66\xba\xf8\x0c\xb8\x61\x8e\xa1\x84\xef\x66\xba\xfc\x0c\xb0\x00\xee\x36\x64\x0f\x21\x39\xc4\x62\x41\x40\x32\x66\xba\x43\x00\x66\xb8\x0b\x00\x66\xef\x66\xba\x43\x00\xec\x40\x0f\x23\x38\x3e\x0f\xc7\x32\xc7\x44\x24\x00\xac\x00\x00\x00\xc7\x44\x24\x02\x90\x7c\x03\xe6\xff\x2c\x24\xb8\x05\x00\x00\x00\xb9\x97\x00\x00\x00\x0f\x01\xd9", 87); *(uint64_t*)0x200000014eb9 = 0x69; *(uint64_t*)0x200000014ec1 = 0x20; *(uint64_t*)0x200000014ec9 = 0xc3e5; *(uint64_t*)0x200000014ed1 = 2; *(uint64_t*)0x200000014ed9 = 0xc8; *(uint64_t*)0x200000014ee1 = 0x20; *(uint64_t*)0x200000014ee9 = 0xa1; *(uint64_t*)0x200000014ef1 = 2; *(uint64_t*)0x200000014ef9 = 0x65; *(uint64_t*)0x200000014f01 = 0x20; *(uint64_t*)0x200000014f09 = 
0x12f; *(uint64_t*)0x200000014f11 = 2; *(uint64_t*)0x200000014f19 = 0x12c; *(uint64_t*)0x200000014f21 = 0x18; *(uint64_t*)0x200000014f29 = 0; *(uint64_t*)0x200000014f50 = 0x471; res = -1; res = syz_kvm_add_vcpu(/*vm=*/0, /*text=*/0x200000014f40); if (res != -1) r[23] = res; break; case 34: res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0ul, /*prot=PROT_GROWSDOWN|PROT_SEM*/0x1000008ul, /*flags=MAP_PRIVATE*/2ul, /*cpufd=*/r[23], /*offset=*/0ul); if (res != -1) r[24] = res; break; case 35: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[24], /*exitcode=*/2); break; case 36: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[20], /*run=*/r[24], /*exitcode=*/0x10); break; case 37: *(uint64_t*)0x200000015140 = 0; *(uint64_t*)0x200000015148 = 0x200000014f80; memcpy((void*)0x200000014f80, "\x04\xea\xa0\xef\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x01\x63\x60\x14\xc2\x80\x3c\xd1\xc0\x84\x60\x04\x00\x84\x78\x83\x0a\x84\x64\xbe\x01\x84\x60\x27\x3b\xa0\x3c\x00\x3c\xa5\x60\x04\x00\xa5\x78\x27\x72\xa5\x64\x9d\x4f\xa5\x60\x7c\x62\xc0\x3c\xdf\xa5\xc6\x60\x04\x00\xc6\x78\x78\x11\xc6\x64\x30\xb5\xc6\x60\xf2\xd6\xe0\x3c\xac\xca\xe7\x60\x04\x00\xe7\x78\x51\x98\xe7\x64\xfb\x3b\xe7\x60\x02\x00\x00\x44\x00\x00\xe0\x3f\x00\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x48\xff\x63\x60\x7b\xff\x1b\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xfc\xf4\x63\x60\x76\x09\x80\x3c\x6c\xdf\x84\x60\x04\x00\x84\x78\x7c\xb5\x84\x64\x5d\x85\x84\x60\xf3\xc8\xa0\x3c\x84\x98\xa5\x60\x04\x00\xa5\x78\xa1\x6b\xa5\x64\x7c\x44\xa5\x60\x02\x00\x00\x44\x00\x00\x20\x3e\x00\x00\x31\x62\x04\x00\x31\x7a\x00\x00\x31\x66\x98\x00\x31\x62\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\xe5\x13\x5a\x63\xaa\xfe\xf9\x7d\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x00\x80\x84\x60\xdc\x39\x00\x7c\x00\x00\x40\x3d\x00\x00\x4a\x61\x04\x00\x4a\x79\x00\x00\x4a\x65\x71\x99\x4a\x61\xa7\x5f\xc0\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x
64\x08\xef\x63\x60\x09\xc6\x80\x3c\x1c\x64\x84\x60\x04\x00\x84\x78\xb4\xf7\x84\x64\x66\xcc\x84\x60\x03\x80\xa0\x3c\x45\x8f\xa5\x60\x04\x00\xa5\x78\xcf\x35\xa5\x64\x75\x97\xa5\x60\xae\x5a\xc0\x3c\x19\x31\xc6\x60\x04\x00\xc6\x78\xa9\x6d\xc6\x64\x6f\x30\xc6\x60\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x12\x00\x00\x60\x24\x01\x00\x7c\x00\x00\xe0\x3f\x01\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x00\xff\x63\xa7\xff\xa0\x7e", 420); *(uint64_t*)0x200000015150 = 0x1a4; *(uint64_t*)0x200000015180 = 1; *(uint64_t*)0x200000015188 = 1; syz_kvm_setup_cpu(/*fd=*/r[20], /*cpufd=*/r[5], /*usermem=*/0x200000fe8000, /*text=*/0x200000015140, /*ntext=*/1, /*flags=*/0, /*opts=*/0x200000015180, /*nopt=*/1); break; case 38: syz_kvm_setup_syzos_vm(/*fd=*/r[5], /*usermem=*/0x200000c00000); break; case 39: *(uint32_t*)0x2000000151c0 = 1; syz_memcpy_off(/*ring_ptr=*/r[21], /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x2000000151c0, /*src_off=*/0, /*nbytes=*/4); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0xb704, /*arg=*/0x200000015280ul); if (res != -1) r[25] = *(uint32_t*)0x200000015280; break; case 41: memcpy((void*)0x200000015200, "adfs\000", 5); memcpy((void*)0x200000015240, "./file0\000", 8); memcpy((void*)0x2000000152c0, "gid", 3); *(uint8_t*)0x2000000152c3 = 0x3d; sprintf((char*)0x2000000152c4, "0x%016llx", (long long)r[16]); *(uint8_t*)0x2000000152d6 = 0x2c; memcpy((void*)0x2000000152d7, "uid", 3); *(uint8_t*)0x2000000152da = 0x3d; sprintf((char*)0x2000000152db, "0x%016llx", (long long)r[17]); *(uint8_t*)0x2000000152ed = 0x2c; memcpy((void*)0x2000000152ee, "uid", 3); *(uint8_t*)0x2000000152f1 = 0x3d; sprintf((char*)0x2000000152f2, "0x%016llx", (long long)r[13]); *(uint8_t*)0x200000015304 = 0x2c; memcpy((void*)0x200000015305, "othmask", 7); *(uint8_t*)0x20000001530c = 0x3d; sprintf((char*)0x20000001530d, "%023llo", (long long)7); *(uint8_t*)0x200000015324 = 0x2c; memcpy((void*)0x200000015325, "ftsuffix", 8); 
*(uint8_t*)0x20000001532d = 0x3d; sprintf((char*)0x20000001532e, "%020llu", (long long)0x100); *(uint8_t*)0x200000015342 = 0x2c; memcpy((void*)0x200000015343, "othmask", 7); *(uint8_t*)0x20000001534a = 0x3d; sprintf((char*)0x20000001534b, "%023llo", (long long)8); *(uint8_t*)0x200000015362 = 0x2c; memcpy((void*)0x200000015363, "fowner<", 7); sprintf((char*)0x20000001536a, "%020llu", (long long)r[25]); *(uint8_t*)0x20000001537e = 0x2c; memcpy((void*)0x20000001537f, "func", 4); *(uint8_t*)0x200000015383 = 0x3d; memcpy((void*)0x200000015384, "FIRMWARE_CHECK", 14); *(uint8_t*)0x200000015392 = 0x2c; memcpy((void*)0x200000015393, "smackfsdef", 10); *(uint8_t*)0x20000001539d = 0x3d; memset((void*)0x20000001539e, 0, 1); *(uint8_t*)0x20000001539f = 0x2c; memcpy((void*)0x2000000153a0, "hash", 4); *(uint8_t*)0x2000000153a4 = 0x2c; *(uint8_t*)0x2000000153a5 = 0; memcpy((void*)0x2000000153c0, "\x78\x9c\x6a\x9b\xe0\xf0\xd7\x80\xc9\x48\xed\x7f\x7b\xc9\xbd\xed\xdf\xf6\x00\x02\x00\x00\xff\xff\x38\xa7\x08\x1f", 28); syz_mount_image(/*fs=*/0x200000015200, /*dir=*/0x200000015240, /*flags=MS_PRIVATE|MS_NODIRATIME|MS_NODEV|MS_DIRSYNC*/0x40884, /*opts=*/0x2000000152c0, /*chdir=*/0, /*size=*/0x1c, /*img=*/0x2000000153c0); break; case 42: memcpy((void*)0x200000015400, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000015400, /*id=*/0xe, /*flags=__O_TMPFILE|O_TRUNC|O_NOFOLLOW*/0x420200); break; case 43: memcpy((void*)0x200000015440, "net/mcfilter6\000", 14); syz_open_procfs(/*pid=*/r[18], /*file=*/0x200000015440); break; case 44: syz_open_pts(/*fd=*/-1, /*flags=*/0); break; case 45: syz_pidfd_open(/*pid=*/r[8], /*flags=*/0); break; case 46: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[26] = res; break; case 47: syz_pkey_set(/*key=*/r[26], /*val=PKEY_DISABLE_WRITE*/2); break; case 48: memcpy((void*)0x200000015480, 
"\x78\x9c\x00\x43\x00\xbc\xff\x1a\xa5\x3b\x2d\x97\x22\x56\x58\x64\x62\x48\x11\x35\x5b\x94\xa0\xd2\xd7\x8d\x09\xd2\x09\x51\xdf\x3c\x2c\x1a\x49\x88\xca\x48\xd4\x52\x61\xcc\x47\x3e\x4f\x65\xf6\x76\xe4\xe9\xb3\x8c\xde\x4a\xab\xa0\x5c\x20\xea\x6f\x37\xa5\x29\x42\x97\xe2\xc2\xa7\x6d\x7e\x55\x2d\xca\xd8\x01\x00\x00\xff\xff\xd6\x63\x1f\xa5", 83); syz_read_part_table(/*size=*/0x53, /*img=*/0x200000015480); break; case 49: syz_socket_connect_nvme_tcp(); break; case 50: *(uint8_t*)0x200000015500 = 0x12; *(uint8_t*)0x200000015501 = 1; *(uint16_t*)0x200000015502 = 0x310; *(uint8_t*)0x200000015504 = 0x99; *(uint8_t*)0x200000015505 = 0x45; *(uint8_t*)0x200000015506 = 0xdf; *(uint8_t*)0x200000015507 = -1; *(uint16_t*)0x200000015508 = 0x19d2; *(uint16_t*)0x20000001550a = 0xfff8; *(uint16_t*)0x20000001550c = 0xcd35; *(uint8_t*)0x20000001550e = 1; *(uint8_t*)0x20000001550f = 2; *(uint8_t*)0x200000015510 = 3; *(uint8_t*)0x200000015511 = 1; *(uint8_t*)0x200000015512 = 9; *(uint8_t*)0x200000015513 = 2; *(uint16_t*)0x200000015514 = 0xd8d; *(uint8_t*)0x200000015516 = 4; *(uint8_t*)0x200000015517 = 0xc; *(uint8_t*)0x200000015518 = 0xd4; *(uint8_t*)0x200000015519 = 0xb0; *(uint8_t*)0x20000001551a = 8; *(uint8_t*)0x20000001551b = 9; *(uint8_t*)0x20000001551c = 4; *(uint8_t*)0x20000001551d = 5; *(uint8_t*)0x20000001551e = 0xe; *(uint8_t*)0x20000001551f = 6; *(uint8_t*)0x200000015520 = -1; *(uint8_t*)0x200000015521 = -1; *(uint8_t*)0x200000015522 = -1; *(uint8_t*)0x200000015523 = 5; *(uint8_t*)0x200000015524 = 0xa; *(uint8_t*)0x200000015525 = 0x24; *(uint8_t*)0x200000015526 = 2; *(uint8_t*)0x200000015527 = 2; *(uint16_t*)0x200000015528 = 0x82; *(uint16_t*)0x20000001552a = 0x97; *(uint8_t*)0x20000001552c = 9; *(uint8_t*)0x20000001552d = 9; *(uint8_t*)0x20000001552e = 7; *(uint8_t*)0x20000001552f = 0x24; *(uint8_t*)0x200000015530 = 1; *(uint8_t*)0x200000015531 = 0x91; *(uint8_t*)0x200000015532 = 0x10; *(uint16_t*)0x200000015533 = 1; *(uint8_t*)0x200000015535 = 0xa; *(uint8_t*)0x200000015536 = 
0x24; *(uint8_t*)0x200000015537 = 2; *(uint8_t*)0x200000015538 = 2; *(uint16_t*)0x200000015539 = 0x64; *(uint16_t*)0x20000001553b = 5; *(uint8_t*)0x20000001553d = 5; *(uint8_t*)0x20000001553e = 9; *(uint8_t*)0x20000001553f = 0xa; *(uint8_t*)0x200000015540 = 0x24; *(uint8_t*)0x200000015541 = 2; *(uint8_t*)0x200000015542 = 2; *(uint16_t*)0x200000015543 = 9; *(uint16_t*)0x200000015545 = 1; *(uint8_t*)0x200000015547 = 1; *(uint8_t*)0x200000015548 = 0x18; *(uint8_t*)0x200000015549 = 0xa; *(uint8_t*)0x20000001554a = 0x24; *(uint8_t*)0x20000001554b = 2; *(uint8_t*)0x20000001554c = 2; *(uint16_t*)0x20000001554d = 5; *(uint16_t*)0x20000001554f = 0x100; *(uint8_t*)0x200000015551 = 0; *(uint8_t*)0x200000015552 = 0x1f; *(uint8_t*)0x200000015553 = 0xa; *(uint8_t*)0x200000015554 = 0x24; *(uint8_t*)0x200000015555 = 2; *(uint8_t*)0x200000015556 = 2; *(uint16_t*)0x200000015557 = 0x200; *(uint16_t*)0x200000015559 = 2; *(uint8_t*)0x20000001555b = 6; *(uint8_t*)0x20000001555c = 6; *(uint8_t*)0x20000001555d = 9; *(uint8_t*)0x20000001555e = 0x24; *(uint8_t*)0x20000001555f = 2; *(uint8_t*)0x200000015560 = 1; *(uint8_t*)0x200000015561 = 0; *(uint8_t*)0x200000015562 = 9; *(uint8_t*)0x200000015563 = 4; *(uint8_t*)0x200000015564 = 1; *(uint8_t*)0x200000015565 = 0xdc; *(uint8_t*)0x200000015566 = 0xb; *(uint8_t*)0x200000015567 = 0x24; *(uint8_t*)0x200000015568 = 2; *(uint8_t*)0x200000015569 = 2; *(uint16_t*)0x20000001556a = 5; *(uint16_t*)0x20000001556c = 9; *(uint8_t*)0x20000001556e = 6; memcpy((void*)0x20000001556f, "\x42\xe9", 2); *(uint8_t*)0x200000015571 = 0x12; *(uint8_t*)0x200000015572 = 0x24; *(uint8_t*)0x200000015573 = 2; *(uint8_t*)0x200000015574 = 2; *(uint16_t*)0x200000015575 = 2; *(uint16_t*)0x200000015577 = 0xaecb; *(uint8_t*)0x200000015579 = 0; memcpy((void*)0x20000001557a, "\xe0\xff\x89\xcc\x39\xb2\x42\xb2\xb0", 9); *(uint8_t*)0x200000015583 = 7; *(uint8_t*)0x200000015584 = 0x24; *(uint8_t*)0x200000015585 = 1; *(uint8_t*)0x200000015586 = 0xc; *(uint8_t*)0x200000015587 = 2; 
*(uint16_t*)0x200000015588 = 2; *(uint8_t*)0x20000001558a = 9; *(uint8_t*)0x20000001558b = 5; *(uint8_t*)0x20000001558c = 1; *(uint8_t*)0x20000001558d = 0x1d; *(uint16_t*)0x20000001558e = 0x20; *(uint8_t*)0x200000015590 = 5; *(uint8_t*)0x200000015591 = 9; *(uint8_t*)0x200000015592 = 0xf; *(uint8_t*)0x200000015593 = 9; *(uint8_t*)0x200000015594 = 5; *(uint8_t*)0x200000015595 = 4; *(uint8_t*)0x200000015596 = 0x10; *(uint16_t*)0x200000015597 = 0x10; *(uint8_t*)0x200000015599 = 5; *(uint8_t*)0x20000001559a = 7; *(uint8_t*)0x20000001559b = 1; *(uint8_t*)0x20000001559c = 0x49; *(uint8_t*)0x20000001559d = 1; memcpy((void*)0x20000001559e, "\xbe\xdb\xdc\x40\xb6\x57\x91\x5a\xee\xa3\x6b\xef\xa7\x43\xbb\xf4\x76\xbb\xcc\x3a\x55\x77\x74\x37\xfd\x0c\x08\x62\xa5\x59\x1f\x0b\x80\x91\x62\x6c\x65\x64\xa6\x2b\x69\x95\xd0\xb1\xac\x34\x99\x5d\x44\x2d\xe5\x0d\x21\xf3\x0d\xa0\x8f\x64\xd3\xbb\x0e\x86\x08\x6e\x62\x96\x82\x16\xd8\xcb\xfe", 71); *(uint8_t*)0x2000000155e5 = 0xc; *(uint8_t*)0x2000000155e6 = 0xe; memcpy((void*)0x2000000155e7, "\x1c\xca\x42\xd0\xd4\xc1\x24\x78\xdb\xc7", 10); *(uint8_t*)0x2000000155f1 = 9; *(uint8_t*)0x2000000155f2 = 5; *(uint8_t*)0x2000000155f3 = 0xc; *(uint8_t*)0x2000000155f4 = 0xd; *(uint16_t*)0x2000000155f5 = 0x10; *(uint8_t*)0x2000000155f7 = 4; *(uint8_t*)0x2000000155f8 = 0xef; *(uint8_t*)0x2000000155f9 = 0xd; *(uint8_t*)0x2000000155fa = 9; *(uint8_t*)0x2000000155fb = 5; *(uint8_t*)0x2000000155fc = 0; *(uint8_t*)0x2000000155fd = 2; *(uint16_t*)0x2000000155fe = 0x40; *(uint8_t*)0x200000015600 = 1; *(uint8_t*)0x200000015601 = 0x92; *(uint8_t*)0x200000015602 = 1; *(uint8_t*)0x200000015603 = 7; *(uint8_t*)0x200000015604 = 0x25; *(uint8_t*)0x200000015605 = 1; *(uint8_t*)0x200000015606 = 8; *(uint8_t*)0x200000015607 = 0xf; *(uint16_t*)0x200000015608 = 9; *(uint8_t*)0x20000001560a = 0x9c; *(uint8_t*)0x20000001560b = 0x24; memcpy((void*)0x20000001560c, 
"\x94\x62\xe7\x8d\x67\xa7\x93\x83\x09\xf8\x93\x38\x8b\x58\x5f\x99\xed\x3c\xae\x5a\xeb\x24\x1e\x37\xea\xcc\x73\xfb\x04\x0b\x91\x7d\x69\x75\x87\xfd\x88\x85\xdc\xc8\x92\xbf\xee\x22\x87\x19\x88\xc7\x01\x88\xe9\xe8\x45\x46\xa7\x96\xe5\x6e\xa4\x83\x70\xdf\xca\x68\x9a\xaa\x0f\xfd\x08\x41\xc7\xe2\x8c\xbc\xec\xbc\x3b\xee\xb2\x54\xd9\x02\x49\x8d\xde\x37\x3f\x5e\x92\x09\x32\xac\xdf\x32\x22\xa5\x61\x17\x4a\x85\xce\x36\xd5\xf5\xc7\x09\x82\x9a\x04\x29\xf4\x8d\xe3\x26\x62\x11\xe3\x53\x22\x35\xca\xcb\x3a\x64\xff\xf3\xe3\x01\x82\xcd\x02\x7e\xa6\x60\xbc\xe2\x4c\xc1\x97\xbf\x35\x8f\x77\x95\x3c\x96\x4d\xe4\x53\x04\x16\x90\x7f\xa1", 154); *(uint8_t*)0x2000000156a6 = 9; *(uint8_t*)0x2000000156a7 = 5; *(uint8_t*)0x2000000156a8 = 6; *(uint8_t*)0x2000000156a9 = 0; *(uint16_t*)0x2000000156aa = 0x400; *(uint8_t*)0x2000000156ac = 4; *(uint8_t*)0x2000000156ad = 0; *(uint8_t*)0x2000000156ae = 6; *(uint8_t*)0x2000000156af = 9; *(uint8_t*)0x2000000156b0 = 5; *(uint8_t*)0x2000000156b1 = 0x1f; *(uint8_t*)0x2000000156b2 = 0xc; *(uint16_t*)0x2000000156b3 = 0x20; *(uint8_t*)0x2000000156b5 = 8; *(uint8_t*)0x2000000156b6 = 0x80; *(uint8_t*)0x2000000156b7 = 4; *(uint8_t*)0x2000000156b8 = 7; *(uint8_t*)0x2000000156b9 = 0x25; *(uint8_t*)0x2000000156ba = 1; *(uint8_t*)0x2000000156bb = 4; *(uint8_t*)0x2000000156bc = 0x40; *(uint16_t*)0x2000000156bd = 0xfff; *(uint8_t*)0x2000000156bf = 0x4a; *(uint8_t*)0x2000000156c0 = 9; memcpy((void*)0x2000000156c1, "\x13\xdf\x6f\x0c\x72\x3d\x23\x38\x80\xc0\x86\x9f\x46\xc9\x39\x9e\x14\x8e\xf0\xd9\x87\x29\x76\x35\xb6\xbf\x6f\x36\x9c\xbf\x8f\x07\xb3\x4b\x93\x76\xff\x57\xdc\xbd\xf2\x74\x65\xeb\x51\x53\xfb\x8d\xd7\xca\x2f\xab\x27\x37\xdd\x51\x5e\xde\xf1\xc9\x66\x91\x5e\x06\x76\xdb\x83\x1f\x2b\x91\x8d\x82", 72); *(uint8_t*)0x200000015709 = 9; *(uint8_t*)0x20000001570a = 4; *(uint8_t*)0x20000001570b = 0xe4; *(uint8_t*)0x20000001570c = 0xb; *(uint8_t*)0x20000001570d = 0xd; *(uint8_t*)0x20000001570e = -1; *(uint8_t*)0x20000001570f = 0xde; *(uint8_t*)0x200000015710 = 0x55; 
*(uint8_t*)0x200000015711 = 3; *(uint8_t*)0x200000015712 = 0xa; *(uint8_t*)0x200000015713 = 0x24; *(uint8_t*)0x200000015714 = 1; *(uint16_t*)0x200000015715 = 3; *(uint16_t*)0x200000015717 = 0xa; *(uint8_t*)0x200000015719 = 2; *(uint8_t*)0x20000001571a = 1; *(uint8_t*)0x20000001571b = 2; *(uint8_t*)0x20000001571c = 9; *(uint8_t*)0x20000001571d = 5; *(uint8_t*)0x20000001571e = 1; *(uint8_t*)0x20000001571f = 3; *(uint16_t*)0x200000015720 = 0x20; *(uint8_t*)0x200000015722 = 1; *(uint8_t*)0x200000015723 = 0x66; *(uint8_t*)0x200000015724 = 7; *(uint8_t*)0x200000015725 = 0x8c; *(uint8_t*)0x200000015726 = 0x23; memcpy((void*)0x200000015727, "\xc3\x44\xbd\x7f\x69\x0e\x11\x22\xd6\x52\x4c\xcd\x02\x57\xc1\x18\x5e\x61\xc3\xab\x3c\xcb\x36\x6e\xf9\x03\x7a\x58\x03\x54\x18\x72\x8d\x9a\xab\x96\x71\x7e\x22\x0d\x72\x20\xfb\x96\x4b\x7e\x92\x8d\x75\xef\x45\x85\x91\x31\x15\x90\x97\xfa\x85\xb2\xd2\x4e\xeb\x7f\xc5\x90\xe0\x48\xeb\x1b\xa8\x30\xac\x34\x3b\xfd\x9a\x3c\x32\xdf\xc9\x3f\xad\xcb\x90\xf9\x3a\x63\xc7\x37\x83\x4f\x5e\x2d\x4e\x73\x68\xe0\x2e\xc5\xf2\x10\x6b\xef\x93\x5e\x5e\x74\xc3\xe7\xd2\xd3\xd1\x6e\xbf\xfa\x13\xa8\x29\x49\x9d\xa4\x42\xf0\x17\x26\xd0\x7a\x33\x8f\xeb\x61\x2c\x3b\x6e\x51\x93\xb8", 138); *(uint8_t*)0x2000000157b1 = 9; *(uint8_t*)0x2000000157b2 = 5; *(uint8_t*)0x2000000157b3 = 1; *(uint8_t*)0x2000000157b4 = 0xc; *(uint16_t*)0x2000000157b5 = 0x10; *(uint8_t*)0x2000000157b7 = 6; *(uint8_t*)0x2000000157b8 = 0x73; *(uint8_t*)0x2000000157b9 = 2; *(uint8_t*)0x2000000157ba = 9; *(uint8_t*)0x2000000157bb = 5; *(uint8_t*)0x2000000157bc = 0xe; *(uint8_t*)0x2000000157bd = 1; *(uint16_t*)0x2000000157be = 0x40; *(uint8_t*)0x2000000157c0 = 0; *(uint8_t*)0x2000000157c1 = 0; *(uint8_t*)0x2000000157c2 = 0xe; *(uint8_t*)0x2000000157c3 = 7; *(uint8_t*)0x2000000157c4 = 0x25; *(uint8_t*)0x2000000157c5 = 1; *(uint8_t*)0x2000000157c6 = 8; *(uint8_t*)0x2000000157c7 = 8; *(uint16_t*)0x2000000157c8 = 0x9df1; *(uint8_t*)0x2000000157ca = 7; *(uint8_t*)0x2000000157cb = 0x25; 
*(uint8_t*)0x2000000157cc = 1; *(uint8_t*)0x2000000157cd = 4; *(uint8_t*)0x2000000157ce = 3; *(uint16_t*)0x2000000157cf = 0x84; *(uint8_t*)0x2000000157d1 = 9; *(uint8_t*)0x2000000157d2 = 5; *(uint8_t*)0x2000000157d3 = 7; *(uint8_t*)0x2000000157d4 = 0x10; *(uint16_t*)0x2000000157d5 = 8; *(uint8_t*)0x2000000157d7 = 0xd; *(uint8_t*)0x2000000157d8 = 6; *(uint8_t*)0x2000000157d9 = 6; *(uint8_t*)0x2000000157da = 0x9c; *(uint8_t*)0x2000000157db = 0x11; memcpy((void*)0x2000000157dc, "\x61\xc2\xc5\x81\xbc\xf0\xdc\x3a\x09\xec\x54\x65\xd8\xb3\x95\x93\xb5\x1c\xb5\x68\xad\x67\xbf\x21\x9f\x28\xa6\x37\xf8\xb8\xf3\xaa\xe7\xb6\xcf\x31\x06\x9d\xa5\x51\xc5\xd9\x0a\x29\x7a\xb0\xcf\xed\xa5\x43\xa0\xf7\x62\xc8\x18\x5b\xab\xc4\x3a\x4c\x9b\xb3\xb0\x95\xc0\xee\x13\x96\xf8\xb1\xfd\x62\x19\xb3\x16\x13\xb7\x56\x0d\x30\x9f\x17\x3c\x80\x67\x3f\xb0\x85\x29\xfc\x8f\x17\x52\x91\xf9\x98\x56\xaf\x19\x8c\xf4\x7a\x32\xc7\x6d\xf6\xbe\x44\x94\x93\xe5\xa6\x6e\xb4\x66\x4b\x84\x22\x6c\xa1\xe2\xc8\xf2\x02\x9a\xde\x7d\x75\x31\x6b\x10\x4a\x34\x80\xfb\xf7\xd4\x50\x9d\x74\x8c\x36\xf6\x59\xf8\xf5\x27\x43\xfd\x07\x7f\xc7\xdf\x42", 154); *(uint8_t*)0x200000015876 = 0x4e; *(uint8_t*)0x200000015877 = 4; memcpy((void*)0x200000015878, "\x57\xfa\xd1\x47\xfa\x12\xcd\x27\x89\x6e\x4e\x92\xba\x1a\xd4\x05\x8c\x8d\x43\xec\x21\x50\xd8\x73\x2f\xc5\xae\x10\x5a\x17\x4e\xd8\x39\x42\xdc\xb7\x9a\x05\xb1\x0f\xd4\x95\x7d\xbc\x1a\xc0\x27\xa2\xdf\x57\x28\xb2\xb2\xbb\x9b\x5b\xc5\x1f\x9a\x8c\x88\xe9\xfa\x85\x11\x38\xc7\xcd\xd7\x62\x66\x41\x91\x1c\xbe\x0c", 76); *(uint8_t*)0x2000000158c4 = 9; *(uint8_t*)0x2000000158c5 = 5; *(uint8_t*)0x2000000158c6 = 0; *(uint8_t*)0x2000000158c7 = 0xc; *(uint16_t*)0x2000000158c8 = 8; *(uint8_t*)0x2000000158ca = 8; *(uint8_t*)0x2000000158cb = 0x20; *(uint8_t*)0x2000000158cc = 0xc; *(uint8_t*)0x2000000158cd = 7; *(uint8_t*)0x2000000158ce = 0x25; *(uint8_t*)0x2000000158cf = 1; *(uint8_t*)0x2000000158d0 = 4; *(uint8_t*)0x2000000158d1 = 6; *(uint16_t*)0x2000000158d2 = 0x101; *(uint8_t*)0x2000000158d4 = 7; 
*(uint8_t*)0x2000000158d5 = 0x25; *(uint8_t*)0x2000000158d6 = 1; *(uint8_t*)0x2000000158d7 = 8; *(uint8_t*)0x2000000158d8 = 0xfd; *(uint16_t*)0x2000000158d9 = 2; *(uint8_t*)0x2000000158db = 9; *(uint8_t*)0x2000000158dc = 5; *(uint8_t*)0x2000000158dd = 0xb; *(uint8_t*)0x2000000158de = 0xc; *(uint16_t*)0x2000000158df = 0x10; *(uint8_t*)0x2000000158e1 = 0xf0; *(uint8_t*)0x2000000158e2 = 3; *(uint8_t*)0x2000000158e3 = 9; *(uint8_t*)0x2000000158e4 = 9; *(uint8_t*)0x2000000158e5 = 5; *(uint8_t*)0x2000000158e6 = 2; *(uint8_t*)0x2000000158e7 = 2; *(uint16_t*)0x2000000158e8 = 0x7b7; *(uint8_t*)0x2000000158ea = 9; *(uint8_t*)0x2000000158eb = 2; *(uint8_t*)0x2000000158ec = 0x78; *(uint8_t*)0x2000000158ed = 7; *(uint8_t*)0x2000000158ee = 0x25; *(uint8_t*)0x2000000158ef = 1; *(uint8_t*)0x2000000158f0 = 4; *(uint8_t*)0x2000000158f1 = 2; *(uint16_t*)0x2000000158f2 = 0x6e8; *(uint8_t*)0x2000000158f4 = 9; *(uint8_t*)0x2000000158f5 = 5; *(uint8_t*)0x2000000158f6 = 0xe; *(uint8_t*)0x2000000158f7 = 0; *(uint16_t*)0x2000000158f8 = 8; *(uint8_t*)0x2000000158fa = 0xb6; *(uint8_t*)0x2000000158fb = 0x47; *(uint8_t*)0x2000000158fc = 1; *(uint8_t*)0x2000000158fd = 0xea; *(uint8_t*)0x2000000158fe = 0xd; memcpy((void*)0x2000000158ff, 
"\xd7\xee\xf8\xad\xff\x59\x3f\xef\x60\x12\x57\xeb\x29\xf1\x12\x3c\x0f\x04\xcf\x50\xd2\xf0\x65\xa5\x2a\xb8\x35\xd4\x04\x54\xac\x46\xb6\x63\x87\x38\xe9\x75\x3c\x66\x06\x2b\x76\xd4\x57\xd6\xb3\x63\xf7\xb7\x63\x4f\xea\xac\x71\x9c\x3e\x90\x0c\xce\xb8\xd9\x69\x21\x0b\x57\x3a\x62\xd4\x51\x64\x98\xd5\x98\xa6\x1e\x6f\xa5\xbb\xd0\xfd\x38\x6f\x9f\x1d\x7a\xfe\xf4\xdd\xbe\x39\x49\x5d\x6e\x55\x5d\x24\x55\x5b\xf1\xbf\xfe\x21\xfc\x47\x2a\xb2\xa8\xd5\xd0\xf8\xa6\x11\xab\x5a\x46\xae\x9b\x23\xbb\x6a\x6b\x36\x39\x46\xda\xfb\xb2\xe7\x41\xd3\x4f\xe4\x56\xf5\x81\x63\x32\xd7\x2d\x43\x5f\xbd\x1f\xae\x47\x63\x32\x5d\xac\x58\xc2\xde\x0a\x67\x27\x7e\x2d\x74\xfe\xf5\xd8\xba\x6d\xe1\x7c\x31\xd5\xc7\xfb\x01\xa1\x3d\x3b\xf0\x0c\x31\x13\x41\x6b\x72\xb3\xe2\xe0\xb8\x0b\x4a\xb9\xcd\xa7\x7d\x2d\xe3\xed\x36\x8f\xab\x48\x41\xfd\x62\xac\xf6\x6e\x43\x21\x21\xb5\xf5\xd7\xc8\xc0\x36\x66\x0d\x7a\x35\x10\x33\x15\x5e\x3e\xef\x2f\xf2\x0f\x2a\xed\x82\x41\xd1\x76", 232); *(uint8_t*)0x2000000159e7 = 9; *(uint8_t*)0x2000000159e8 = 5; *(uint8_t*)0x2000000159e9 = 0xe; *(uint8_t*)0x2000000159ea = 3; *(uint16_t*)0x2000000159eb = 0x200; *(uint8_t*)0x2000000159ed = -1; *(uint8_t*)0x2000000159ee = 0x62; *(uint8_t*)0x2000000159ef = 5; *(uint8_t*)0x2000000159f0 = 0x55; *(uint8_t*)0x2000000159f1 = 0x23; memcpy((void*)0x2000000159f2, "\xd5\x22\xb5\x6c\x6d\xde\x6a\x69\x8a\x23\xe1\x0e\x4f\xc0\x79\x8f\x87\xc9\x46\xfa\x28\x48\xc7\x17\xa9\xa3\x31\x38\xfd\xb3\x47\x57\x93\xc1\xb4\xd1\x72\x2b\x3b\xcc\x36\x38\x4d\x25\x89\xa2\x7e\x5f\x22\xb2\x89\x72\x7e\x23\xf0\x39\xff\xdf\x2a\xb2\x5d\xa6\x2c\x09\x2e\xd0\x1c\xb1\x51\xb0\xad\x8b\xa7\x75\x8c\x32\xab\xd0\x7f\x79\x51\x4e\xba", 83); *(uint8_t*)0x200000015a45 = 0x96; *(uint8_t*)0x200000015a46 = 8; memcpy((void*)0x200000015a47, 
"\x70\xf4\xe5\xb8\x33\x74\xf7\xb0\xde\x44\xec\x45\x10\x5a\xc3\x14\x02\x14\x0e\x17\x62\x14\x64\x1e\x37\x97\xba\x0a\xea\x40\x13\xe3\xe7\xc2\x87\x1f\x78\x52\x8a\x25\x6a\x22\x49\xdc\xad\x68\x4f\xd5\x77\xa4\x28\xa1\x4f\x44\x6c\xe9\xd7\xde\x49\x36\x4a\xa1\x63\xc6\x8d\xd1\xe4\xe2\x0c\x0a\xa9\x8a\x26\x35\x47\xf0\x7d\xae\x9c\x3e\x45\xff\xec\x5b\xdc\xcf\xb9\x0b\x1a\xd9\x05\x4d\xa6\x28\x66\x62\x6b\xfb\xc3\x94\xa1\xe9\xae\xc6\xb3\x00\x42\x0a\x61\x67\xe6\xe6\xef\x43\x96\xdf\xfb\x6b\xfc\x18\xd3\xb2\x53\x77\x89\x27\x04\x23\x86\x75\x35\xf7\x5b\x14\x54\xcc\x3b\x8a\x6a\xef\x5b\x65\xb9\x77\x41\x39\xad\xcf", 148); *(uint8_t*)0x200000015adb = 9; *(uint8_t*)0x200000015adc = 5; *(uint8_t*)0x200000015add = 0xc; *(uint8_t*)0x200000015ade = 0x10; *(uint16_t*)0x200000015adf = 0x20; *(uint8_t*)0x200000015ae1 = 8; *(uint8_t*)0x200000015ae2 = 1; *(uint8_t*)0x200000015ae3 = 8; *(uint8_t*)0x200000015ae4 = 9; *(uint8_t*)0x200000015ae5 = 5; *(uint8_t*)0x200000015ae6 = 0xd; *(uint8_t*)0x200000015ae7 = 0x10; *(uint16_t*)0x200000015ae8 = 0x400; *(uint8_t*)0x200000015aea = 3; *(uint8_t*)0x200000015aeb = 0x6d; *(uint8_t*)0x200000015aec = 7; *(uint8_t*)0x200000015aed = 0x85; *(uint8_t*)0x200000015aee = 0xe; memcpy((void*)0x200000015aef, "\x1a\x54\xb4\xa0\x79\x76\xe1\x6c\xec\x50\x7f\x7c\xfe\x00\xc9\x35\x99\xf9\xfd\xef\xaf\x8b\xf8\x6c\xb9\xae\x60\xf5\xe7\x42\x6c\x78\xb3\xe0\x1c\xc8\xca\xb0\xaa\xf0\x9d\xeb\xba\xcd\x78\x5c\x9d\xe3\xbb\x89\x55\x1d\x0a\x24\x1f\x2d\x65\x83\x0f\x53\x64\x75\x49\x91\xfe\xea\xd8\x7f\xe8\xc8\xb9\x28\xac\x16\x85\x3a\xe9\x59\xea\xc2\x7b\x59\xcc\xc8\x6d\x22\x44\x2c\xa6\x29\xd1\x20\xb1\xa0\x9c\xf1\x41\x84\xa9\xc4\x87\x3f\x74\xae\x74\x82\x01\xf5\xf4\xe6\x49\xe3\x72\x4c\x7d\xdb\x89\xf4\x58\x47\x2b\x28\x5f\x9c\x10\xea\x40\x39\x3f\x30\x60", 131); *(uint8_t*)0x200000015b72 = 9; *(uint8_t*)0x200000015b73 = 5; *(uint8_t*)0x200000015b74 = 9; *(uint8_t*)0x200000015b75 = 0; *(uint16_t*)0x200000015b76 = 8; *(uint8_t*)0x200000015b78 = 0xa; *(uint8_t*)0x200000015b79 = 7; *(uint8_t*)0x200000015b7a = 
2; *(uint8_t*)0x200000015b7b = 7; *(uint8_t*)0x200000015b7c = 0x25; *(uint8_t*)0x200000015b7d = 1; *(uint8_t*)0x200000015b7e = 0; *(uint8_t*)0x200000015b7f = 4; *(uint16_t*)0x200000015b80 = 0x4fb3; *(uint8_t*)0x200000015b82 = 9; *(uint8_t*)0x200000015b83 = 5; *(uint8_t*)0x200000015b84 = 7; *(uint8_t*)0x200000015b85 = 0x10; *(uint16_t*)0x200000015b86 = 0x3ff; *(uint8_t*)0x200000015b88 = 1; *(uint8_t*)0x200000015b89 = 0x88; *(uint8_t*)0x200000015b8a = 6; *(uint8_t*)0x200000015b8b = 9; *(uint8_t*)0x200000015b8c = 4; *(uint8_t*)0x200000015b8d = 0x10; *(uint8_t*)0x200000015b8e = 8; *(uint8_t*)0x200000015b8f = 0x10; *(uint8_t*)0x200000015b90 = -1; *(uint8_t*)0x200000015b91 = 0x5d; *(uint8_t*)0x200000015b92 = 0x81; *(uint8_t*)0x200000015b93 = 3; *(uint8_t*)0x200000015b94 = 0xb7; *(uint8_t*)0x200000015b95 = 0; memcpy((void*)0x200000015b96, "\xbe\xa8\xfd\xb5\x0e\x62\x4b\x76\x3d\xdd\xda\xf5\xed\x85\xd8\x17\x0c\xa8\x58\xcf\x74\xac\x67\x8e\xb5\x4d\x20\x45\xe5\xfb\xb2\x77\x21\x40\xe2\xcf\x18\x95\xcb\x69\x3a\x91\x4f\xfb\x89\x1c\xd2\xc9\x0d\x48\x27\xbc\xd3\x43\x59\xd7\x01\x07\x46\x2e\xad\x88\x9a\x6e\x4e\xd6\x96\x89\x35\xa8\x1a\x14\x7a\xc0\xcc\xc8\x1c\x38\xd6\x2d\x6a\x84\xcf\x50\x45\x52\xec\x37\xd6\x09\xb5\x47\x50\x18\xbd\xa1\x24\xc0\x9e\xa9\xf2\x13\x03\x86\x5f\xe4\x64\xab\xc3\x8c\xd8\x4a\xe4\x2d\xe3\x3e\x46\x91\x12\x7e\x2b\x85\x53\x83\x7d\x58\xcd\xa5\x1f\x11\xa0\x5a\x15\x38\xec\xff\x55\xe9\x0f\x34\xa1\xc5\x66\xc2\x34\xc0\x06\xd0\x0b\x50\xb4\xb2\x9e\x49\xb8\xd0\x90\xf5\xa2\x74\xae\x37\xe0\x3e\x49\x68\x2c\x44\xc2\xb1\xd9\xdb\x62\xf6\x32\x33\xf9\x67\x0c\xb2\xac", 181); *(uint8_t*)0x200000015c4b = 9; *(uint8_t*)0x200000015c4c = 5; *(uint8_t*)0x200000015c4d = 0xc; *(uint8_t*)0x200000015c4e = 0x10; *(uint16_t*)0x200000015c4f = 0x40; *(uint8_t*)0x200000015c51 = 9; *(uint8_t*)0x200000015c52 = 8; *(uint8_t*)0x200000015c53 = 2; *(uint8_t*)0x200000015c54 = 9; *(uint8_t*)0x200000015c55 = 5; *(uint8_t*)0x200000015c56 = 6; *(uint8_t*)0x200000015c57 = 2; *(uint16_t*)0x200000015c58 = 8; 
*(uint8_t*)0x200000015c5a = 3; *(uint8_t*)0x200000015c5b = 0x18; *(uint8_t*)0x200000015c5c = 0x1c; *(uint8_t*)0x200000015c5d = 0xf6; *(uint8_t*)0x200000015c5e = 0xc; memcpy((void*)0x200000015c5f, "\xd7\x72\x97\x11\x23\x6e\xb7\x89\x69\x91\xe6\xff\xe3\xdd\x76\x22\xe9\x6e\x2e\x7d\x17\x60\xab\x64\x52\x47\x2b\xba\xc1\xd0\x68\x61\xd9\xd4\x9e\x41\x00\x60\x6a\x22\x7d\x34\x2c\x61\x75\x94\x5a\xde\x9c\xc3\xf4\x6e\xc4\x62\x7f\x92\xca\xa5\xd7\x32\x27\xfa\xe7\xa3\x60\xd2\x5f\xac\x9e\x57\x44\x07\x3f\x0c\x05\x4c\x9a\x5b\x82\x58\xdd\x27\x9b\x73\x68\x76\x58\x4b\x90\x4d\x94\x3b\x23\xc2\x6d\x9e\x6b\xc2\xdd\x3b\x98\xf3\x62\x44\x15\x8c\x76\x0f\x0b\xf9\x75\x02\x91\x42\xb3\xf5\x8b\xb6\x3e\xc3\x76\xd7\xf5\xd9\x61\x18\x20\xd3\x80\xef\xd7\xde\x61\x63\xac\x8d\xc2\x71\x44\xe2\x1d\x92\xc9\x3f\xfe\xcc\x2d\x8c\x7b\x3b\xc5\xea\xd1\x81\x86\x3c\xd9\x6a\x0a\xbf\x28\x89\xeb\x10\xb6\x87\x91\x3f\xa8\x21\x4b\x89\xde\x11\xf5\x2b\x7d\x19\x36\xad\x9c\x1c\x45\xda\x86\xa1\x5e\x86\xb6\xc9\x06\x02\x91\xd8\x5b\x48\xeb\xc2\x34\x4d\xb8\xad\x8c\xc5\x2f\x79\xd4\xf0\x37\x7a\x89\x3b\x3d\xa6\x1c\xfc\x15\x13\xd2\xba\x95\x36\xd6\x19\x0d\xe8\x86\xa2\xd1\x8f\xf8\xab\x1f\x46\x3f\x15\x47\x1d\x7f\x96\xdc\x92\xd0\xac", 244); *(uint8_t*)0x200000015d53 = 9; *(uint8_t*)0x200000015d54 = 5; *(uint8_t*)0x200000015d55 = 7; *(uint8_t*)0x200000015d56 = 4; *(uint16_t*)0x200000015d57 = 0x20; *(uint8_t*)0x200000015d59 = 9; *(uint8_t*)0x200000015d5a = 2; *(uint8_t*)0x200000015d5b = 0x37; *(uint8_t*)0x200000015d5c = 9; *(uint8_t*)0x200000015d5d = 5; *(uint8_t*)0x200000015d5e = 0xf; *(uint8_t*)0x200000015d5f = 0x12; *(uint16_t*)0x200000015d60 = 8; *(uint8_t*)0x200000015d62 = 0xd; *(uint8_t*)0x200000015d63 = 6; *(uint8_t*)0x200000015d64 = 0xf; *(uint8_t*)0x200000015d65 = 0x40; *(uint8_t*)0x200000015d66 = 5; memcpy((void*)0x200000015d67, 
"\x71\xaf\xb2\x61\x7a\x61\xe7\x55\x29\xdd\xe0\xf3\x2f\xa6\xca\x4b\x85\x7a\x84\xb3\x12\x0b\x93\x61\x68\x64\x2c\x34\x04\x8f\x29\x2f\xc2\x7a\x3a\x8f\x1f\x74\x58\x0c\xdc\x36\xe9\xa4\x0b\x4f\xf6\x92\xf1\x32\x24\xb9\x14\xa8\x9f\xb7\x30\x85\x79\x3a\x5c\x22", 62); *(uint8_t*)0x200000015da5 = 9; *(uint8_t*)0x200000015da6 = 5; *(uint8_t*)0x200000015da7 = 0xd; *(uint8_t*)0x200000015da8 = 0xc; *(uint16_t*)0x200000015da9 = 0xf5f1; *(uint8_t*)0x200000015dab = 4; *(uint8_t*)0x200000015dac = 1; *(uint8_t*)0x200000015dad = 0; *(uint8_t*)0x200000015dae = 0x50; *(uint8_t*)0x200000015daf = 3; memcpy((void*)0x200000015db0, "\x17\xff\xd4\x73\xba\x28\xc3\x60\x59\x1f\x57\x1d\xc6\x0f\x13\x24\xd4\xa3\x4a\xb8\xd9\xd3\xc0\x68\x6c\x13\xa6\x1b\xda\x24\x64\xe1\x63\x54\x23\xeb\xf4\xed\x34\x03\x7b\xab\x62\xfd\x30\xa8\xdd\x0a\x89\xf1\xbc\xbf\xf3\xaf\x4f\x0c\x98\x9d\xdb\x6f\x03\x76\x0a\xe7\x6f\x63\xff\xdc\xbf\xbb\xfe\xe9\xa1\x35\x25\x73\x14\xaa", 78); *(uint8_t*)0x200000015dfe = 9; *(uint8_t*)0x200000015dff = 5; *(uint8_t*)0x200000015e00 = 6; *(uint8_t*)0x200000015e01 = 0; *(uint16_t*)0x200000015e02 = 8; *(uint8_t*)0x200000015e04 = 0x2d; *(uint8_t*)0x200000015e05 = 0x10; *(uint8_t*)0x200000015e06 = 0xba; *(uint8_t*)0x200000015e07 = 9; *(uint8_t*)0x200000015e08 = 5; *(uint8_t*)0x200000015e09 = 0xe; *(uint8_t*)0x200000015e0a = 0; *(uint16_t*)0x200000015e0b = 0x10; *(uint8_t*)0x200000015e0d = 8; *(uint8_t*)0x200000015e0e = 7; *(uint8_t*)0x200000015e0f = 0xac; *(uint8_t*)0x200000015e10 = 9; *(uint8_t*)0x200000015e11 = 5; *(uint8_t*)0x200000015e12 = 0xa; *(uint8_t*)0x200000015e13 = 8; *(uint16_t*)0x200000015e14 = 0x20; *(uint8_t*)0x200000015e16 = 9; *(uint8_t*)0x200000015e17 = 0x7c; *(uint8_t*)0x200000015e18 = 1; *(uint8_t*)0x200000015e19 = 7; *(uint8_t*)0x200000015e1a = 0x25; *(uint8_t*)0x200000015e1b = 1; *(uint8_t*)0x200000015e1c = 8; *(uint8_t*)0x200000015e1d = 9; *(uint16_t*)0x200000015e1e = 4; *(uint8_t*)0x200000015e20 = 9; *(uint8_t*)0x200000015e21 = 5; *(uint8_t*)0x200000015e22 = 0xb; 
*(uint8_t*)0x200000015e23 = 0x10; *(uint16_t*)0x200000015e24 = 0x3ff; *(uint8_t*)0x200000015e26 = 1; *(uint8_t*)0x200000015e27 = 4; *(uint8_t*)0x200000015e28 = 0xbd; *(uint8_t*)0x200000015e29 = 9; *(uint8_t*)0x200000015e2a = 5; *(uint8_t*)0x200000015e2b = 7; *(uint8_t*)0x200000015e2c = 3; *(uint16_t*)0x200000015e2d = 0x20; *(uint8_t*)0x200000015e2f = 6; *(uint8_t*)0x200000015e30 = 0xf; *(uint8_t*)0x200000015e31 = 0xe; *(uint8_t*)0x200000015e32 = 9; *(uint8_t*)0x200000015e33 = 5; *(uint8_t*)0x200000015e34 = 0xd; *(uint8_t*)0x200000015e35 = 0x10; *(uint16_t*)0x200000015e36 = 0x7f7; *(uint8_t*)0x200000015e38 = 4; *(uint8_t*)0x200000015e39 = 0x1c; *(uint8_t*)0x200000015e3a = 1; *(uint8_t*)0x200000015e3b = 9; *(uint8_t*)0x200000015e3c = 5; *(uint8_t*)0x200000015e3d = 0; *(uint8_t*)0x200000015e3e = 0; *(uint16_t*)0x200000015e3f = 0x5f33; *(uint8_t*)0x200000015e41 = 0x40; *(uint8_t*)0x200000015e42 = 6; *(uint8_t*)0x200000015e43 = 0x81; *(uint8_t*)0x200000015e44 = 0x54; *(uint8_t*)0x200000015e45 = 9; memcpy((void*)0x200000015e46, "\x22\xa0\x3d\x11\x7e\xdd\x7f\xf8\x02\xcd\xb5\x09\xb4\x9c\xf0\x7b\x18\x84\xa5\xd0\x6a\x28\x72\xff\xdd\x1f\x6a\x97\x4c\x05\x74\x87\x1d\x68\xb2\xfd\x80\xb9\xdd\xe5\x57\xda\x7e\xec\x4d\x7f\x27\x78\xa5\xc3\xa4\xbb\xef\x51\x9d\x15\x8a\x59\xf1\x52\xfe\x19\xf5\x98\xe4\x33\x60\xf8\xa2\x4a\xa9\x73\xc5\x6f\x46\xc4\xa6\x8a\x27\x3a\x1f\xc4", 82); *(uint8_t*)0x200000015e98 = 9; *(uint8_t*)0x200000015e99 = 5; *(uint8_t*)0x200000015e9a = 0xf; *(uint8_t*)0x200000015e9b = 0x10; *(uint16_t*)0x200000015e9c = 8; *(uint8_t*)0x200000015e9e = 5; *(uint8_t*)0x200000015e9f = 0x38; *(uint8_t*)0x200000015ea0 = 1; *(uint8_t*)0x200000015ea1 = 9; *(uint8_t*)0x200000015ea2 = 5; *(uint8_t*)0x200000015ea3 = 4; *(uint8_t*)0x200000015ea4 = 0x10; *(uint16_t*)0x200000015ea5 = 0x10; *(uint8_t*)0x200000015ea7 = 4; *(uint8_t*)0x200000015ea8 = 2; *(uint8_t*)0x200000015ea9 = 7; *(uint8_t*)0x200000015eaa = 0xda; *(uint8_t*)0x200000015eab = 0x26; memcpy((void*)0x200000015eac, 
"\x32\x16\x2d\x9c\xff\xd7\x54\x8d\xdc\x15\x24\xc6\x65\x1f\xa1\x12\xcb\x83\x99\xeb\x7d\xaa\x74\x6a\xf4\xa3\xf4\x58\x15\x9b\xd8\xa4\x87\xda\xde\x32\x17\xae\x32\x24\x61\x5d\x50\xba\x56\x43\x30\x19\x52\xfd\xd0\x82\xab\x52\xf6\x4e\xb3\x8b\xdd\xcf\x02\xb0\x67\x28\xa3\xbf\x4f\x73\xd3\xb7\x80\xa3\xa5\x80\x4b\xad\x04\xec\xc2\x27\x87\x69\x0f\x67\x25\x76\x74\xf7\x28\xb1\x02\x31\xba\x2d\xb8\x3c\xb4\xeb\x84\x1e\x55\x23\xeb\x43\xf3\x48\x2d\x3e\xc3\x3c\xb8\x18\x7b\x87\xaa\x08\xa2\x1e\x94\xe0\x39\x4a\x1e\xe8\xd8\xf0\xcc\x08\x89\x10\xab\xa4\xdb\xe5\xfe\xef\xc2\x45\x38\x0f\xf1\x44\x3e\x3a\x97\xbd\x4d\x5a\xdd\xd0\x1f\x11\x26\xd4\xb7\x0a\xbc\xbb\xe1\x40\x71\x6a\x1c\x66\xda\xc6\x1f\x66\x51\x4f\xce\xbe\x67\x64\x7b\x43\xbb\xd8\xe8\x48\x33\x3f\xf9\x95\x7e\xba\xac\xe9\xd0\x57\xb6\x27\xa6\x67\xe6\xf5\x1d\xae\xac\x30\x2b\x21\x29\xc2\x6d\x41\x5b\xc9\xa2\xee\x74\x95\xb3\x31\xb7\xda", 216); *(uint8_t*)0x200000015f84 = 7; *(uint8_t*)0x200000015f85 = 0x25; *(uint8_t*)0x200000015f86 = 1; *(uint8_t*)0x200000015f87 = 0; *(uint8_t*)0x200000015f88 = 7; *(uint16_t*)0x200000015f89 = 1; *(uint8_t*)0x200000015f8b = 9; *(uint8_t*)0x200000015f8c = 5; *(uint8_t*)0x200000015f8d = 3; *(uint8_t*)0x200000015f8e = 1; *(uint16_t*)0x200000015f8f = 0x40; *(uint8_t*)0x200000015f91 = 8; *(uint8_t*)0x200000015f92 = 7; *(uint8_t*)0x200000015f93 = 5; *(uint8_t*)0x200000015f94 = 9; *(uint8_t*)0x200000015f95 = 5; *(uint8_t*)0x200000015f96 = 0xb; *(uint8_t*)0x200000015f97 = 0x10; *(uint16_t*)0x200000015f98 = 0x40; *(uint8_t*)0x200000015f9a = 0xfe; *(uint8_t*)0x200000015f9b = 0; *(uint8_t*)0x200000015f9c = 0xd; *(uint8_t*)0x200000015f9d = 0xe1; *(uint8_t*)0x200000015f9e = 0x24; memcpy((void*)0x200000015f9f, 
"\x66\xc9\x68\xf6\x7f\x56\xd0\xab\x89\xd6\x81\x9c\x67\xd1\xd6\xc2\x15\xd2\xf3\xcf\x61\x5b\x37\x02\x8d\xb2\x69\xd9\x36\x08\xcd\xf0\x70\x41\x18\xe0\xdd\xbf\x97\x16\x6c\x27\xaf\xb5\x1a\x13\x2c\xd7\x0f\x0f\xa3\xb7\xad\x5e\xe3\xa4\x41\x02\x7a\x74\x12\x27\x81\xab\x0f\x1c\xe5\xfe\x7b\xd1\x15\x3c\x8f\xfc\xcd\x3e\xf1\x09\x21\x3f\x20\xd2\xba\xfd\x0e\x33\x1a\xbc\x5c\xd1\xfb\x54\x80\x9a\x06\xc8\xfa\x60\xa9\xf0\xfc\x8e\x11\x3f\x31\x8c\x3a\x7f\x7b\xc6\xfa\xbe\x19\x30\x94\xec\x49\x3d\x24\x6c\xbd\x70\x2b\xf0\x19\x79\x6a\x88\x72\xb3\xc4\x02\x34\xd8\xe9\x07\x31\xb2\xdf\xf8\x8a\x1f\x0c\x4f\x17\x86\xa1\x90\xeb\x16\x65\x1e\x3a\xc4\x5e\xdb\x14\xd9\xfb\x89\x86\x44\xbe\xd6\x15\x76\xbd\x7a\x9f\xd9\x0c\x52\x17\x21\x7f\x6b\x9a\xed\x19\xd4\xa2\x2b\xff\x48\x2d\x05\x8e\x60\x3d\x2a\x0c\xdc\x48\xb1\xb2\x71\xb7\x9b\x1e\x25\xd7\xfe\x6b\xb8\x20\x50\x6e\x48\x57\x9a\x78\xaf\x99\xe7\xe9\x42\x9b\xcd\x4b\x07\xbc\x01\x34", 223); *(uint8_t*)0x20000001607e = 0x40; *(uint8_t*)0x20000001607f = 5; memcpy((void*)0x200000016080, "\x8f\x82\xcc\x05\xdf\x67\x73\x41\x41\xe3\x56\xe9\x36\xa6\xe0\xa7\x24\x7a\xc2\x3b\x30\x90\x0c\x5f\xc4\x14\x8a\x14\x99\x0b\x50\x04\x68\x6d\xe6\xca\xce\x04\xad\xe3\x50\xf0\x4a\x3d\x07\x8c\x39\x10\xf7\xdb\xa4\x92\xaf\x85\xda\x64\x94\x32\xe2\x6a\x78\x54", 62); *(uint8_t*)0x2000000160be = 9; *(uint8_t*)0x2000000160bf = 4; *(uint8_t*)0x2000000160c0 = 0x88; *(uint8_t*)0x2000000160c1 = 1; *(uint8_t*)0x2000000160c2 = 8; *(uint8_t*)0x2000000160c3 = 0xeb; *(uint8_t*)0x2000000160c4 = 0x43; *(uint8_t*)0x2000000160c5 = 0x23; *(uint8_t*)0x2000000160c6 = 4; *(uint8_t*)0x2000000160c7 = 9; *(uint8_t*)0x2000000160c8 = 5; *(uint8_t*)0x2000000160c9 = 0xc; *(uint8_t*)0x2000000160ca = 0; *(uint16_t*)0x2000000160cb = 0x40; *(uint8_t*)0x2000000160cd = 8; *(uint8_t*)0x2000000160ce = 8; *(uint8_t*)0x2000000160cf = 5; *(uint8_t*)0x2000000160d0 = 9; *(uint8_t*)0x2000000160d1 = 5; *(uint8_t*)0x2000000160d2 = 0; *(uint8_t*)0x2000000160d3 = 0x10; *(uint16_t*)0x2000000160d4 = 0x20; *(uint8_t*)0x2000000160d6 = 0x9a; 
*(uint8_t*)0x2000000160d7 = 0x5f; *(uint8_t*)0x2000000160d8 = 7; *(uint8_t*)0x2000000160d9 = 7; *(uint8_t*)0x2000000160da = 0x25; *(uint8_t*)0x2000000160db = 1; *(uint8_t*)0x2000000160dc = 0; *(uint8_t*)0x2000000160dd = 0x81; *(uint16_t*)0x2000000160de = 4; *(uint8_t*)0x2000000160e0 = 7; *(uint8_t*)0x2000000160e1 = 0x25; *(uint8_t*)0x2000000160e2 = 1; *(uint8_t*)0x2000000160e3 = 0xc; *(uint8_t*)0x2000000160e4 = 0xf9; *(uint16_t*)0x2000000160e5 = 2; *(uint8_t*)0x2000000160e7 = 9; *(uint8_t*)0x2000000160e8 = 5; *(uint8_t*)0x2000000160e9 = 0xb; *(uint8_t*)0x2000000160ea = 0x10; *(uint16_t*)0x2000000160eb = 0x40; *(uint8_t*)0x2000000160ed = 7; *(uint8_t*)0x2000000160ee = 1; *(uint8_t*)0x2000000160ef = 2; *(uint8_t*)0x2000000160f0 = 7; *(uint8_t*)0x2000000160f1 = 0x25; *(uint8_t*)0x2000000160f2 = 1; *(uint8_t*)0x2000000160f3 = 4; *(uint8_t*)0x2000000160f4 = 6; *(uint16_t*)0x2000000160f5 = 1; *(uint8_t*)0x2000000160f7 = 7; *(uint8_t*)0x2000000160f8 = 0x25; *(uint8_t*)0x2000000160f9 = 1; *(uint8_t*)0x2000000160fa = 0xc; *(uint8_t*)0x2000000160fb = 0xd; *(uint16_t*)0x2000000160fc = 0x103; *(uint8_t*)0x2000000160fe = 9; *(uint8_t*)0x2000000160ff = 5; *(uint8_t*)0x200000016100 = 0xb; *(uint8_t*)0x200000016101 = 0xc; *(uint16_t*)0x200000016102 = 0x3ff; *(uint8_t*)0x200000016104 = 0xa9; *(uint8_t*)0x200000016105 = 1; *(uint8_t*)0x200000016106 = 6; *(uint8_t*)0x200000016107 = 0xfb; *(uint8_t*)0x200000016108 = 0x2c; memcpy((void*)0x200000016109, 
"\xdf\x60\xd2\x33\x06\x38\x67\xe6\x38\xf4\xac\x47\x4e\x68\x5f\xef\x8f\x86\x15\x57\xd0\xa3\x15\x66\xd5\x8b\xde\x1f\x04\xa1\x13\xf6\xcb\x64\xc9\x60\x56\xa8\x16\x85\xa6\xdf\xa2\x97\x8a\x60\xc2\xd9\x4e\x45\x0f\x66\x75\xe3\x8b\x44\xc9\x6b\xfb\xff\x6c\x5f\x37\x46\x60\x93\x46\x49\x74\x83\xdf\xc8\xac\x21\x27\x36\x2c\xdb\xda\xa0\x25\x39\x51\xa1\x82\x27\x21\x83\xf4\x56\xaa\xe2\xbd\x12\xb2\x92\xc6\x09\xe8\xe1\x4b\x4f\x8c\x18\x53\xe0\xd8\x7e\x0c\x31\x79\xc8\xbe\x7b\x07\x30\x72\x1b\xb3\x01\x59\x04\x08\x26\xf0\x93\x51\x0c\xe0\x22\x58\x76\x91\x62\x7b\x23\x6a\x66\x21\x56\x20\x41\x8d\xf3\x34\xd2\x8d\x1d\x14\xf0\xca\x3b\x9f\x4f\xcf\xf0\x6b\xa2\x49\xdd\x19\x50\x81\x98\x50\x3a\x2c\x2c\xd4\xf3\xab\xda\xdb\xd4\xf1\xac\xe4\xe6\x27\xbe\xc9\x72\x99\xa0\x02\x28\xe0\x9c\x06\x4e\x5f\x34\x2e\x00\xd8\xc8\xf2\xd5\xb1\xfb\x56\x48\x5e\x73\x6a\x87\xdc\xfe\x51\x0c\x21\x86\x32\x72\x91\x22\xa4\xeb\x5d\x5b\x5d\x81\xdf\x8b\xe5\x85\x27\x18\x3e\x48\xf7\x60\xb8\x5c\x59\x9f\x88\x13\xf8\x9d\x70\x6a\xf7\xb2\x2f\x77\xd6\x8d\xc1", 249); *(uint8_t*)0x200000016202 = 0x6b; *(uint8_t*)0x200000016203 = 4; memcpy((void*)0x200000016204, "\x07\xec\xe0\x65\x86\xe0\x15\x05\xf1\x26\xe0\xdb\x2e\xd1\xac\x18\xb5\x75\x49\xf0\x80\xd7\x41\xf3\x8b\x0c\xce\xc6\xba\x03\x4d\x09\x64\x29\x40\x56\x19\xd0\x1a\xf4\x35\xc8\x09\x2b\xe0\xe9\xc4\xa9\x3c\x1b\x64\x7e\x7c\x7f\x14\xf0\x5e\xff\xf3\x05\xd2\xb8\x5d\x51\xfe\xdf\xf7\x50\xb8\x7e\x59\x90\xd0\x28\xfd\x33\x86\x45\x02\x9b\xd9\xed\x95\xe0\x03\x05\xac\xce\x8b\x89\x9a\x78\x6d\xbf\x30\x89\x5b\xe0\x31\x48\xa7\xa1\xe3\xbf\x25", 105); *(uint8_t*)0x20000001626d = 9; *(uint8_t*)0x20000001626e = 5; *(uint8_t*)0x20000001626f = 6; *(uint8_t*)0x200000016270 = 8; *(uint16_t*)0x200000016271 = 0x400; *(uint8_t*)0x200000016273 = 3; *(uint8_t*)0x200000016274 = 5; *(uint8_t*)0x200000016275 = -1; *(uint8_t*)0x200000016276 = 9; *(uint8_t*)0x200000016277 = 5; *(uint8_t*)0x200000016278 = 0xa; *(uint8_t*)0x200000016279 = 0x10; *(uint16_t*)0x20000001627a = 0x200; *(uint8_t*)0x20000001627c = 6; 
*(uint8_t*)0x20000001627d = 0x14; *(uint8_t*)0x20000001627e = 6; *(uint8_t*)0x20000001627f = 7; *(uint8_t*)0x200000016280 = 0x25; *(uint8_t*)0x200000016281 = 1; *(uint8_t*)0x200000016282 = 0xc; *(uint8_t*)0x200000016283 = 9; *(uint16_t*)0x200000016284 = 4; *(uint8_t*)0x200000016286 = 9; *(uint8_t*)0x200000016287 = 5; *(uint8_t*)0x200000016288 = 5; *(uint8_t*)0x200000016289 = 8; *(uint16_t*)0x20000001628a = 0x210; *(uint8_t*)0x20000001628c = 0xe8; *(uint8_t*)0x20000001628d = 5; *(uint8_t*)0x20000001628e = 3; *(uint8_t*)0x20000001628f = 9; *(uint8_t*)0x200000016290 = 5; *(uint8_t*)0x200000016291 = 0xa; *(uint8_t*)0x200000016292 = 8; *(uint16_t*)0x200000016293 = 0x10; *(uint8_t*)0x200000016295 = 0x64; *(uint8_t*)0x200000016296 = 8; *(uint8_t*)0x200000016297 = 0xe; *(uint8_t*)0x200000016298 = 7; *(uint8_t*)0x200000016299 = 0x25; *(uint8_t*)0x20000001629a = 1; *(uint8_t*)0x20000001629b = 4; *(uint8_t*)0x20000001629c = 5; *(uint16_t*)0x20000001629d = 2; *(uint32_t*)0x200000016780 = 0xa; *(uint64_t*)0x200000016784 = 0x2000000162c0; *(uint8_t*)0x2000000162c0 = 0xa; *(uint8_t*)0x2000000162c1 = 6; *(uint16_t*)0x2000000162c2 = 0x201; *(uint8_t*)0x2000000162c4 = 3; *(uint8_t*)0x2000000162c5 = 8; *(uint8_t*)0x2000000162c6 = -1; *(uint8_t*)0x2000000162c7 = 0x20; *(uint8_t*)0x2000000162c8 = 0x10; *(uint8_t*)0x2000000162c9 = 0; *(uint32_t*)0x20000001678c = 0x28; *(uint64_t*)0x200000016790 = 0x200000016300; *(uint8_t*)0x200000016300 = 5; *(uint8_t*)0x200000016301 = 0xf; *(uint16_t*)0x200000016302 = 0x28; *(uint8_t*)0x200000016304 = 4; *(uint8_t*)0x200000016305 = 0xb; *(uint8_t*)0x200000016306 = 0x10; *(uint8_t*)0x200000016307 = 1; *(uint8_t*)0x200000016308 = 0xc; *(uint16_t*)0x200000016309 = 1; *(uint8_t*)0x20000001630b = 7; *(uint8_t*)0x20000001630c = 7; *(uint16_t*)0x20000001630d = 6; *(uint8_t*)0x20000001630f = -1; *(uint8_t*)0x200000016310 = 3; *(uint8_t*)0x200000016311 = 0x10; *(uint8_t*)0x200000016312 = 0xb; *(uint8_t*)0x200000016313 = 0xb; *(uint8_t*)0x200000016314 = 0x10; 
*(uint8_t*)0x200000016315 = 1; *(uint8_t*)0x200000016316 = 2; *(uint16_t*)0x200000016317 = 0x61; *(uint8_t*)0x200000016319 = -1; *(uint8_t*)0x20000001631a = 0xf; *(uint16_t*)0x20000001631b = 6; *(uint8_t*)0x20000001631d = 5; *(uint8_t*)0x20000001631e = 0xa; *(uint8_t*)0x20000001631f = 0x10; *(uint8_t*)0x200000016320 = 3; *(uint8_t*)0x200000016321 = 2; *(uint16_t*)0x200000016322 = 1; *(uint8_t*)0x200000016324 = 3; *(uint8_t*)0x200000016325 = 0xb; *(uint16_t*)0x200000016326 = 0x100; *(uint32_t*)0x200000016798 = 7; *(uint32_t*)0x20000001679c = 4; *(uint64_t*)0x2000000167a0 = 0x200000016340; *(uint8_t*)0x200000016340 = 4; *(uint8_t*)0x200000016341 = 3; *(uint16_t*)0x200000016342 = 0x457; *(uint32_t*)0x2000000167a8 = 0xff; *(uint64_t*)0x2000000167ac = 0x200000016380; *(uint8_t*)0x200000016380 = -1; *(uint8_t*)0x200000016381 = 3; memcpy((void*)0x200000016382, "\x85\xa7\x64\xd8\x29\x53\x29\x17\xb6\x64\x7a\x68\xa2\x49\xb2\x52\xf0\x1a\x99\xf8\x87\x67\xa2\xe9\xf1\x3a\xee\xfa\xb3\x9c\xf6\xa4\x05\x49\x7e\x32\x44\x29\x4b\x1b\xd4\x85\xc0\xec\x99\x33\x86\x40\xa5\x08\xfa\xbb\xf1\x1e\x0f\xd6\xa0\x3b\xcc\x9c\xeb\xaf\x83\x03\x7a\xa7\x73\x97\xcb\xdf\x09\x11\xc8\xdf\xb8\x42\xf6\x2f\x94\x76\x6a\xa4\x45\x92\x57\x73\xc4\xf7\xc6\x70\x1b\xe8\xa0\x56\x73\xaf\xe9\x5c\xf1\x9c\x27\x9a\xc6\x2f\xd2\x72\x0e\xd2\xda\xe6\x89\x37\x1c\x51\x51\xbf\x6b\x9e\x77\x27\xf8\xf4\x97\x09\x1c\x3a\xaa\x90\x2f\x81\xe4\x4c\x51\x73\xac\xf2\x21\x52\xfc\xbc\x4d\x72\xa7\x5e\x9a\xb4\xba\xdc\x67\x88\xb2\xfd\xbb\x7e\x34\xb2\x02\xe0\xe7\x1f\xeb\x1c\xc9\xb1\xca\x79\x1e\x92\x37\x4c\xfc\x63\xcc\x7d\xb5\x64\x85\x91\x77\x8b\xfc\x19\x48\xf9\xda\xd9\xb7\xfe\x74\xa5\x88\xdd\xc9\xad\x49\x99\x93\x06\x26\x66\xb3\xe0\xdf\x0a\xca\xa6\x78\x02\xad\x37\xa8\x6f\xcb\x41\x1a\x22\x30\xbd\xd4\x3f\xe8\x61\x0f\x29\xc1\x51\x79\xbf\x42\x9f\x81\x87\x6e\xe9\x0b\x7d\x35\xa2\x26\x3f\x91\xeb\x8d\x3c\x7c\x87\xc4\x66\x00\xb4\x52\x82\xee", 253); *(uint32_t*)0x2000000167b4 = 4; *(uint64_t*)0x2000000167b8 = 0x200000016480; *(uint8_t*)0x200000016480 = 4; 
*(uint8_t*)0x200000016481 = 3; *(uint16_t*)0x200000016482 = 0x8406; *(uint32_t*)0x2000000167c0 = 0x49; *(uint64_t*)0x2000000167c4 = 0x2000000164c0; *(uint8_t*)0x2000000164c0 = 0x49; *(uint8_t*)0x2000000164c1 = 3; memcpy((void*)0x2000000164c2, "\xcb\x9d\x5f\x1c\x5f\xbc\x94\x74\xd5\x9f\xfa\x54\xa9\x2b\xa7\xaf\xf9\x7b\x2f\x65\xab\xf4\x8a\xad\x8e\x2b\x09\xb6\x0a\x5d\xc2\x74\x4b\x25\x0f\xe7\x52\x90\x97\xbf\xbb\x2b\xcf\x99\xd0\x54\x8a\x03\x4f\xb7\xae\xca\xf8\xdd\x80\x84\x95\xbe\x13\x2e\x1b\x8c\x84\xab\xe5\x33\x75\xdc\xf5\x40\xd5", 71); *(uint32_t*)0x2000000167cc = 4; *(uint64_t*)0x2000000167d0 = 0x200000016540; *(uint8_t*)0x200000016540 = 4; *(uint8_t*)0x200000016541 = 3; *(uint16_t*)0x200000016542 = 0x407; *(uint32_t*)0x2000000167d8 = 0x102; *(uint64_t*)0x2000000167dc = 0x200000016580; *(uint8_t*)0x200000016580 = 2; *(uint8_t*)0x200000016581 = 3; memcpy((void*)0x200000016582, "\x04\xdd\xeb\x57\xb5\x07\x2b\x0d\xc9\xdc\x62\x4c\xf2\x79\x2d\xaa\xc5\x35\xb0\x25\x70\xdb\xb7\x01\xe1\xdb\x0e\x6c\x25\xd6\x80\xf0\x7b\x51\x7f\x65\x82\x12\x5b\xaa\x7a\x78\x49\xeb\x0b\x11\x13\x0e\x00\x24\xef\xe8\xa1\xc9\x51\x36\x3b\xf4\x7a\x68\xfb\x5b\xd9\xac\xf1\x85\xae\xa1\x62\x73\x81\xf5\x03\x43\xcb\x4b\xb8\xd7\x17\x51\x31\xf2\xae\x52\xa8\x42\xdb\x75\x39\x04\xd3\x05\x1a\x0a\xb0\x82\x60\x85\x60\xe8\xac\x66\xb8\x7d\xdd\xbb\x9f\xa3\x51\x4a\x31\xe5\x59\x51\x70\xe3\xd2\x1c\x01\x8b\x37\x85\x59\x92\xa2\xa4\xb3\x48\xde\x99\x46\x9b\x63\xf5\x43\x8e\x24\x0e\x23\xcf\xe0\xa2\x6d\x30\xa9\x1d\x95\x36\x91\xd7\x41\xb9\xd5\xd8\x5d\xab\x27\xd4\x0d\xa7\x1f\xc9\xd8\x67\x7b\x0d\xc3\xe1\xd6\x06\x0d\x0d\x98\xa7\x13\x00\xd3\x74\xe7\xbd\x55\x0f\x6a\x57\xb6\xfc\xd4\x44\x31\x3f\x37\x36\x7f\x5b\x55\xc2\x0f\x1a\x2d\x44\x86\x1e\x8a\x1a\x36\xbc\xdc\x76\x9f\xfc\x14\x6b\xb7\x1a\xb5\x84\x6d\xcb\x82\x31\x24\x7f\x16\x36\x48\x3d\xab\xb7\x10\xd0\x74\xfd\x2b\x80\x18\xd4\xc3\x56\xd1\x82\x5b\xb1\x7b\xf9\x63\x27\xe9\x6e\xe8\x67\x58\x32\x43\xe8\x25\x4e", 256); *(uint32_t*)0x2000000167e4 = 0x9e; *(uint64_t*)0x2000000167e8 = 0x2000000166c0; 
*(uint8_t*)0x2000000166c0 = 0x9e; *(uint8_t*)0x2000000166c1 = 3; memcpy((void*)0x2000000166c2, "\xef\x2a\x4e\x82\x9a\x0f\x6c\xdb\x32\xa4\x49\xbb\xa1\xd4\x8f\x5d\xfe\x86\x5e\x51\xf2\x28\x7e\x21\x77\x39\x1a\x43\xf9\xbb\xf1\xca\x78\xd5\x73\xf2\x00\xea\xe4\x0c\x60\xa2\x1d\xdc\x2a\xd4\x82\xdf\x2a\x85\xf2\x75\x59\x81\x5b\xb4\xeb\xca\x56\x05\x30\xb8\x65\x53\x45\x0e\xe3\x8e\xae\xb8\x71\x2f\x6b\x77\xc1\x4d\x47\xf8\x5d\x8b\xbf\x64\x1e\x1d\x9e\x09\xfa\x1e\x2b\xe5\xe9\x2c\x18\x7c\xe5\x6e\xf9\x94\x9a\xe1\xd8\x7c\xfb\xfe\x0e\xa1\xba\x9f\x9b\x2f\xf0\x18\x2d\x4b\x05\xce\x50\x68\x91\xc5\xa3\x47\xee\x33\xcc\xf9\xce\x7d\x86\xd7\xdd\xf2\xbf\x38\x57\x4d\x21\xd9\x65\x4b\xbe\x80\x65\x86\x80\xbe\xf5\x58\x9e\x2d\xb6\x07\x2d\x9f\xd0\xfd", 156); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0xd9f, /*dev=*/0x200000015500, /*conn_descs=*/0x200000016780); if (res != -1) r[27] = res; break; case 51: *(uint8_t*)0x200000016800 = 0x12; *(uint8_t*)0x200000016801 = 1; *(uint16_t*)0x200000016802 = 0x200; *(uint8_t*)0x200000016804 = -1; *(uint8_t*)0x200000016805 = -1; *(uint8_t*)0x200000016806 = -1; *(uint8_t*)0x200000016807 = 0x40; *(uint16_t*)0x200000016808 = 0xcf3; *(uint16_t*)0x20000001680a = 0x9271; *(uint16_t*)0x20000001680c = 0x108; *(uint8_t*)0x20000001680e = 1; *(uint8_t*)0x20000001680f = 2; *(uint8_t*)0x200000016810 = 3; *(uint8_t*)0x200000016811 = 1; *(uint8_t*)0x200000016812 = 9; *(uint8_t*)0x200000016813 = 2; *(uint16_t*)0x200000016814 = 0x48; *(uint8_t*)0x200000016816 = 1; *(uint8_t*)0x200000016817 = 1; *(uint8_t*)0x200000016818 = 0; *(uint8_t*)0x200000016819 = 0x80; *(uint8_t*)0x20000001681a = 0xfa; *(uint8_t*)0x20000001681b = 9; *(uint8_t*)0x20000001681c = 4; *(uint8_t*)0x20000001681d = 0; *(uint8_t*)0x20000001681e = 0; *(uint8_t*)0x20000001681f = 6; *(uint8_t*)0x200000016820 = -1; *(uint8_t*)0x200000016821 = 0; *(uint8_t*)0x200000016822 = 0; *(uint8_t*)0x200000016823 = 0; *(uint8_t*)0x200000016824 = 9; *(uint8_t*)0x200000016825 = 5; *(uint8_t*)0x200000016826 = 
1; *(uint8_t*)0x200000016827 = 2; *(uint16_t*)0x200000016828 = 0x200; *(uint8_t*)0x20000001682a = 0; *(uint8_t*)0x20000001682b = 0; *(uint8_t*)0x20000001682c = 0; *(uint8_t*)0x20000001682d = 9; *(uint8_t*)0x20000001682e = 5; *(uint8_t*)0x20000001682f = 0x82; *(uint8_t*)0x200000016830 = 2; *(uint16_t*)0x200000016831 = 0x200; *(uint8_t*)0x200000016833 = 0; *(uint8_t*)0x200000016834 = 0; *(uint8_t*)0x200000016835 = 0; *(uint8_t*)0x200000016836 = 9; *(uint8_t*)0x200000016837 = 5; *(uint8_t*)0x200000016838 = 0x83; *(uint8_t*)0x200000016839 = 3; *(uint16_t*)0x20000001683a = 0x40; *(uint8_t*)0x20000001683c = 1; *(uint8_t*)0x20000001683d = 0; *(uint8_t*)0x20000001683e = 0; *(uint8_t*)0x20000001683f = 9; *(uint8_t*)0x200000016840 = 5; *(uint8_t*)0x200000016841 = 4; *(uint8_t*)0x200000016842 = 3; *(uint16_t*)0x200000016843 = 0x40; *(uint8_t*)0x200000016845 = 1; *(uint8_t*)0x200000016846 = 0; *(uint8_t*)0x200000016847 = 0; *(uint8_t*)0x200000016848 = 9; *(uint8_t*)0x200000016849 = 5; *(uint8_t*)0x20000001684a = 5; *(uint8_t*)0x20000001684b = 2; *(uint16_t*)0x20000001684c = 0x200; *(uint8_t*)0x20000001684e = 0; *(uint8_t*)0x20000001684f = 0; *(uint8_t*)0x200000016850 = 0; *(uint8_t*)0x200000016851 = 9; *(uint8_t*)0x200000016852 = 5; *(uint8_t*)0x200000016853 = 6; *(uint8_t*)0x200000016854 = 2; *(uint16_t*)0x200000016855 = 0x200; *(uint8_t*)0x200000016857 = 0; *(uint8_t*)0x200000016858 = 0; *(uint8_t*)0x200000016859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000016800, /*conn_descs=*/0); if (res != -1) r[28] = res; break; case 52: *(uint32_t*)0x200000016b40 = 0x2c; *(uint64_t*)0x200000016b44 = 0x200000016880; *(uint8_t*)0x200000016880 = 0x20; *(uint8_t*)0x200000016881 = 0xb; *(uint32_t*)0x200000016882 = 0xc8; *(uint8_t*)0x200000016886 = 0xc8; *(uint8_t*)0x200000016887 = 0x21; memcpy((void*)0x200000016888, 
"\x01\xf4\x8f\xe8\x31\xd8\xd1\x99\x24\x72\x17\x3e\xa8\x19\xa3\xa2\xad\xe9\x61\x21\x34\x13\x54\xe8\x5c\xa1\x98\xec\x1f\xcf\x85\x90\xc9\x39\xf7\x27\xaa\x0e\x85\x85\x6b\x35\x7c\x23\xbc\x06\x8f\x24\xa2\x2c\xc6\xb7\x1b\xd4\xad\xd3\xae\x66\x95\x5e\x3c\xeb\x2a\x8f\x15\x5c\x4f\xea\xf3\x6d\x9c\x48\x02\x96\x8a\x53\xb0\x86\xa4\xa5\x0d\xc3\x54\x75\xe7\x5c\x18\x51\xe7\xd4\x08\x54\x07\x74\xe8\x98\x21\x91\xe5\x06\x06\x99\x1f\x3f\x33\xfa\x70\x8e\xf6\xa9\x40\x41\x51\x10\x98\xb0\x26\x7e\x73\x7b\x9f\x39\x9f\xad\x65\xb7\xcc\x2e\xfa\x80\xea\xfc\x73\x4b\xd5\xab\x1f\xdc\x3d\xec\xc0\x26\xfa\x76\x75\xef\x45\xa1\xd1\x7f\xfe\x1c\x0b\x1e\x00\xb1\x02\x73\xd7\xc5\x7d\x18\x3c\x74\xa3\xd9\xb1\x47\x13\x22\xb5\x9a\x98\xce\xbd\x12\xd1\x6c\x28\x34\xb2\x26\xce\xca\xea\xf9\x60\xe3\xd9\x07\x76\xc2\x39\x23\xea\xe6\x8d\x1e", 198); *(uint64_t*)0x200000016b4c = 0x200000016980; *(uint8_t*)0x200000016980 = 0; *(uint8_t*)0x200000016981 = 3; *(uint32_t*)0x200000016982 = 4; *(uint8_t*)0x200000016986 = 4; *(uint8_t*)0x200000016987 = 3; *(uint16_t*)0x200000016988 = 0x280a; *(uint64_t*)0x200000016b54 = 0x2000000169c0; *(uint8_t*)0x2000000169c0 = 0; *(uint8_t*)0x2000000169c1 = 0xf; *(uint32_t*)0x2000000169c2 = 0xc8; *(uint8_t*)0x2000000169c6 = 5; *(uint8_t*)0x2000000169c7 = 0xf; *(uint16_t*)0x2000000169c8 = 0xc8; *(uint8_t*)0x2000000169ca = 5; *(uint8_t*)0x2000000169cb = 0x14; *(uint8_t*)0x2000000169cc = 0x10; *(uint8_t*)0x2000000169cd = 0xa; *(uint8_t*)0x2000000169ce = 3; STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 9, 5, 27); *(uint16_t*)0x2000000169d3 = 0xf; *(uint16_t*)0x2000000169d5 = 0; *(uint32_t*)0x2000000169d7 = 0xc0cf; *(uint32_t*)0x2000000169db = 0xf; *(uint8_t*)0x2000000169df = 0x10; *(uint8_t*)0x2000000169e0 = 0x10; *(uint8_t*)0x2000000169e1 = 0xa; *(uint8_t*)0x2000000169e2 = 4; STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 0x30ec, 5, 27); *(uint16_t*)0x2000000169e7 = 0xf0f; 
*(uint16_t*)0x2000000169e9 = 0x82; *(uint32_t*)0x2000000169eb = 0xc00f; *(uint8_t*)0x2000000169ef = 7; *(uint8_t*)0x2000000169f0 = 0x10; *(uint8_t*)0x2000000169f1 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000169f2, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 8, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f4, 0xf, 0, 16); *(uint8_t*)0x2000000169f6 = 0x8d; *(uint8_t*)0x2000000169f7 = 0x10; *(uint8_t*)0x2000000169f8 = 0xa; memcpy((void*)0x2000000169f9, "\x42\x2d\x46\xfc\x73\xf8\x4b\x4d\xd0\xc3\xd2\x4d\x79\xf2\x70\x97\x5a\x97\x8d\x73\x6a\x0a\xa3\xe5\x86\xae\x4e\x9a\x23\x24\x83\xcf\x25\x26\x97\x18\xcb\xb9\xdf\x73\x03\x62\xce\x6b\x7c\xf0\xe3\xd1\x00\x79\xc3\x28\xee\x2b\xe8\xf5\xff\xc2\x42\xa0\x7e\x20\xf7\xc3\xdb\x60\x7c\x73\xe2\xca\xc8\x2f\x1c\x73\xc8\xfc\xac\xeb\x15\x1e\x20\x22\xfe\x0c\x73\xad\x66\x19\xa4\xda\xce\x08\x65\x96\x99\xed\x76\x60\xd4\x52\x02\x74\x9c\xda\x47\xdf\xa1\xe0\xdb\x87\x66\x4d\x1e\xff\x73\xf0\x60\x6d\x30\xb7\x78\xcb\x88\x08\xdf\xa6\xb2\x4c\xc1\x8a\xdd\x57\x9f\x29\xe8\x1b\x12\xe3", 138); *(uint8_t*)0x200000016a83 = 0xb; *(uint8_t*)0x200000016a84 = 0x10; *(uint8_t*)0x200000016a85 = 1; *(uint8_t*)0x200000016a86 = 2; *(uint16_t*)0x200000016a87 = 0x48; *(uint8_t*)0x200000016a89 = 6; *(uint8_t*)0x200000016a8a = 0xf2; *(uint16_t*)0x200000016a8b = 0; *(uint8_t*)0x200000016a8d = 2; *(uint64_t*)0x200000016b5c = 0x200000016ac0; *(uint8_t*)0x200000016ac0 = 0x20; *(uint8_t*)0x200000016ac1 = 0x29; *(uint32_t*)0x200000016ac2 = 0xf; *(uint8_t*)0x200000016ac6 = 0xf; *(uint8_t*)0x200000016ac7 = 0x29; *(uint8_t*)0x200000016ac8 = 1; *(uint16_t*)0x200000016ac9 = 3; *(uint8_t*)0x200000016acb = 0xf6; *(uint8_t*)0x200000016acc = 5; memcpy((void*)0x200000016acd, "\xd7\xdb\x75\x8c", 4); memcpy((void*)0x200000016ad1, "\xcb\x02\x4e\x33", 4); *(uint64_t*)0x200000016b64 = 0x200000016b00; *(uint8_t*)0x200000016b00 = 0x20; *(uint8_t*)0x200000016b01 = 0x2a; *(uint32_t*)0x200000016b02 = 0xc; 
*(uint8_t*)0x200000016b06 = 0xc; *(uint8_t*)0x200000016b07 = 0x2a; *(uint8_t*)0x200000016b08 = 2; *(uint16_t*)0x200000016b09 = 2; *(uint8_t*)0x200000016b0b = 0x80; *(uint8_t*)0x200000016b0c = 5; *(uint8_t*)0x200000016b0d = 7; *(uint16_t*)0x200000016b0e = 7; *(uint16_t*)0x200000016b10 = 0xff24; *(uint32_t*)0x200000016f40 = 0x84; *(uint64_t*)0x200000016f44 = 0x200000016b80; *(uint8_t*)0x200000016b80 = 0x20; *(uint8_t*)0x200000016b81 = 0x13; *(uint32_t*)0x200000016b82 = 0x2a; memcpy((void*)0x200000016b86, "\xb3\x64\x4b\x33\xa4\x96\xf2\x18\x7a\x58\x63\xe6\x4c\x40\x7c\xec\xd2\xd6\xd1\x3a\xe2\x3e\xcf\x1c\x3c\x53\xf7\x8f\xf2\x17\xcf\xf0\x21\xe4\x71\x8c\xea\x7f\xbe\x4c\x3b\xa3", 42); *(uint64_t*)0x200000016f4c = 0xffffffff81000000; *(uint64_t*)0x200000016f54 = 0x200000016bc0; *(uint8_t*)0x200000016bc0 = 0; *(uint8_t*)0x200000016bc1 = 8; *(uint32_t*)0x200000016bc2 = 1; *(uint8_t*)0x200000016bc6 = 6; *(uint64_t*)0x200000016f5c = 0x200000016c00; *(uint8_t*)0x200000016c00 = 0x20; *(uint8_t*)0x200000016c01 = 0; *(uint32_t*)0x200000016c02 = 4; *(uint16_t*)0x200000016c06 = 2; *(uint16_t*)0x200000016c08 = 1; *(uint64_t*)0x200000016f64 = 0x200000016c40; *(uint8_t*)0x200000016c40 = 0x20; *(uint8_t*)0x200000016c41 = 0; *(uint32_t*)0x200000016c42 = 4; *(uint16_t*)0x200000016c46 = 0x40; *(uint16_t*)0x200000016c48 = 0x20; *(uint64_t*)0x200000016f6c = 0x200000016c80; *(uint8_t*)0x200000016c80 = 0x40; *(uint8_t*)0x200000016c81 = 7; *(uint32_t*)0x200000016c82 = 2; *(uint16_t*)0x200000016c86 = 2; *(uint64_t*)0x200000016f74 = 0x200000016cc0; *(uint8_t*)0x200000016cc0 = 0x40; *(uint8_t*)0x200000016cc1 = 9; *(uint32_t*)0x200000016cc2 = 1; *(uint8_t*)0x200000016cc6 = 3; *(uint64_t*)0x200000016f7c = 0x200000016d00; *(uint8_t*)0x200000016d00 = 0x40; *(uint8_t*)0x200000016d01 = 0xb; *(uint32_t*)0x200000016d02 = 2; memcpy((void*)0x200000016d06, "{*", 2); *(uint64_t*)0x200000016f84 = 0x200000016d40; *(uint8_t*)0x200000016d40 = 0x40; *(uint8_t*)0x200000016d41 = 0xf; *(uint32_t*)0x200000016d42 = 2; 
*(uint16_t*)0x200000016d46 = 9; *(uint64_t*)0x200000016f8c = 0x200000016d80; *(uint8_t*)0x200000016d80 = 0x40; *(uint8_t*)0x200000016d81 = 0x13; *(uint32_t*)0x200000016d82 = 6; *(uint8_t*)0x200000016d86 = 1; *(uint8_t*)0x200000016d87 = 0x80; *(uint8_t*)0x200000016d88 = 0xc2; *(uint8_t*)0x200000016d89 = 0; *(uint8_t*)0x200000016d8a = 0; *(uint8_t*)0x200000016d8b = 2; *(uint64_t*)0x200000016f94 = 0x200000016dc0; *(uint8_t*)0x200000016dc0 = 0x40; *(uint8_t*)0x200000016dc1 = 0x17; *(uint32_t*)0x200000016dc2 = 6; *(uint8_t*)0x200000016dc6 = 1; *(uint8_t*)0x200000016dc7 = 0x80; *(uint8_t*)0x200000016dc8 = 0xc2; *(uint8_t*)0x200000016dc9 = 0; *(uint8_t*)0x200000016dca = 0; *(uint8_t*)0x200000016dcb = 0xe; *(uint64_t*)0x200000016f9c = 0x200000016e00; *(uint8_t*)0x200000016e00 = 0x40; *(uint8_t*)0x200000016e01 = 0x19; *(uint32_t*)0x200000016e02 = 2; memcpy((void*)0x200000016e06, "\x1a\xc5", 2); *(uint64_t*)0x200000016fa4 = 0x200000016e40; *(uint8_t*)0x200000016e40 = 0x40; *(uint8_t*)0x200000016e41 = 0x1a; *(uint32_t*)0x200000016e42 = 2; *(uint16_t*)0x200000016e46 = 0x100; *(uint64_t*)0x200000016fac = 0x200000016e80; *(uint8_t*)0x200000016e80 = 0x40; *(uint8_t*)0x200000016e81 = 0x1c; *(uint32_t*)0x200000016e82 = 1; *(uint8_t*)0x200000016e86 = 7; *(uint64_t*)0x200000016fb4 = 0x200000016ec0; *(uint8_t*)0x200000016ec0 = 0x40; *(uint8_t*)0x200000016ec1 = 0x1e; *(uint32_t*)0x200000016ec2 = 1; *(uint8_t*)0x200000016ec6 = 0xc8; *(uint64_t*)0x200000016fbc = 0x200000016f00; *(uint8_t*)0x200000016f00 = 0x40; *(uint8_t*)0x200000016f01 = 0x21; *(uint32_t*)0x200000016f02 = 1; *(uint8_t*)0x200000016f06 = 0x4f; syz_usb_control_io(/*fd=*/r[28], /*descs=*/0x200000016b40, /*resps=*/0x200000016f40); break; case 53: syz_usb_disconnect(/*fd=*/r[27]); break; case 54: syz_usb_ep_read(/*fd=*/r[27], /*ep=*/0, /*len=*/4, /*data=*/0x200000017000); break; case 55: memcpy((void*)0x200000017040, 
"\xdd\x9c\x62\x25\x17\x5b\x3c\x37\xdc\x19\x63\xb4\xd0\xf4\x63\xd6\xe3\x82\xd9\x56\xed\xab\xd1\x31\xd4\x19\xff\x0b\x34\x34\x94\xa2\xc3\xc8\xbd\x5e\x32\x1a\x50\x6b\x68\xc9\x62\x1a\xb5\x44\xdc\x8b\xd1\x7c\x2f\x62\xf3\xc5\x6c\xae\xcb\x39\x08\xa6\x43\x0e\x4d\x9e\xaf\xd0\x2c\xa1\x3d\xfd\xcc\x2d\x07\xc5\x31\x31\x38\x62\xad\x42\x71\xec\xb0\x7f\x10\x14\x3f\x48\xff\x7e\x73\x8a\x4a\x77\x62\x3d\x0d\x4b\x89\x21\x08\x4f\x7c\x7a\x91\x14\x22\x06\x24\xe8\xf1\x22\x87\xc7\x36\x9f\x8b\x91\x93\xde\x6e\x3a\x67\xff\x4b\xf7\x59\x6f\xd6\xc1\x07\xe4\x77\xfc\x1d\xf6\x7c\x16\xfe\xc9\x51\xa2\x12\xd9\x60\xcd\x48\xe3\xa1\x75\x8e\x8e\xc8\xe7", 154); syz_usb_ep_write(/*fd=*/r[28], /*ep=*/4, /*len=*/0x9a, /*data=*/0x200000017040); break; case 56: syz_usbip_server_init(/*speed=USB_SPEED_HIGH*/3); break; } }
/*
 * Entry point of the generated reproducer. It maps the fixed address range
 * that the program's data is written into, attempts to enable kernel fault
 * injection, and then calls use_temporary_dir() and do_sandbox_none().
 *
 * Address layout created below (every mapping uses
 * MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE):
 *
 *   0x1ffffffff000 - 0x200000000000   one page,  prot 0 (no access)
 *   0x200000000000 - 0x200001000000   16 MiB,    read/write/execute
 *   0x200001000000 - 0x200001001000   one page,  prot 0 (no access)
 *
 * The literal addresses that execute_call stores to (0x2000000xxxxx) lie
 * inside the middle mapping. The two no-access pages sit directly against
 * its lower and upper edge, so an access that runs off either end faults
 * rather than touching whatever else happens to be mapped nearby.
 *
 * NOTE(review): the data region is writable and executable at a fixed,
 * predictable address. That fits a disposable fuzzing VM; it is not a
 * layout to carry over into other code.
 *
 * None of the three mmap results is checked. If a mapping fails, the first
 * store to a 0x2000... address in execute_call is where the failure shows.
 *
 * Always returns 0.
 */
int main(void) {
  /* Lower guard page: ends exactly where the data region starts. */
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /* Data region: 0x1000000 bytes, backing every fixed-address store and memcpy in execute_call. */
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /* Upper guard page: starts at data base + 0x1000000. */
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  /* NOTE(review): presumably keeps -Wall -Werror builds quiet in generated variants that never read `reason` - confirm. */
  (void)reason;
  /* setup_fault() returns NULL on success, otherwise a message saying what is missing. */
  /* A failure is only reported; the run continues without fault injection. */
  if ((reason = setup_fault()))
    printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason);
  /* Both helpers are defined outside this excerpt. */
  use_temporary_dir();
  do_sandbox_none();
  return 0;
}
: In function 'execute_call': :6213:17: error: '__NR_socketcall' undeclared (first use in this function) :6213:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor2530557145 -DGOOS_linux=1
-DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/28 (1.53s) csource_test.go:157: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: r0 = syz_open_dev$admmidi(&(0x7f0000000000), 0x302d694, 0x32400) (fail_nth: 1) ioctl$SNDRV_RAWMIDI_IOCTL_PVERSION(r0, 0x80045700, &(0x7f0000000040)) (async) r1 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) (rerun: 4) ioctl$TIOCSIG(r1, 0x40045436, 0x17) getsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f00000000c0), &(0x7f0000000100)=0x14) syz_clone3(&(0x7f0000000340)={0x8800000, &(0x7f0000000140), &(0x7f0000000180)=0x0, &(0x7f00000001c0), {}, &(0x7f0000000200)=""/114, 0x72, &(0x7f0000000280)=""/109, &(0x7f0000000300)=[0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0], 0x8, {r1}}, 0x58) kcmp(r2, 0x0, 0x2, r0, 0xffffffffffffffff) getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f00000003c0)={0x0, 0x4, 0x0, 0x8}, &(0x7f0000000400)=0x10) getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000440)={0x6, 0x8207, 0x96d, 0x10, r3}, &(0x7f0000000480)=0x10) ioctl$CEC_ADAP_G_CAPS(0xffffffffffffffff, 0xc04c6100, &(0x7f0000000500)) syz_80211_inject_frame(&(0x7f0000000000)=@broadcast, &(0x7f0000000040)=@ctrl_frame=@pspoll={{}, @random=0x8000, @random="63448edb2fb0"}, 0x10) 
syz_80211_join_ibss(&(0x7f0000000080)='wlan0\x00', &(0x7f00000000c0)=@default_ap_ssid, 0x6, 0x2) syz_btf_id_by_name$bpf_lsm(&(0x7f0000000100)='bpf_lsm_kernel_create_files_as\x00') r4 = syz_clone(0x2080000, &(0x7f0000000140)="2803837cbcf37bce72c1a73b909c68fe5bf7a6363cdc90c00dc6013b35da02a66a0591667154a5567c0e5ee6933d6da8bfedac5d278a291efa3020ba15e390eb38da76261c3aeff9eea8abeace", 0x4d, &(0x7f00000001c0), &(0x7f0000000200), &(0x7f0000000240)="6a0b56ff4b8fac28773ca137652b5b0fd803a0413c282037f721cb96ecf2bb1a616dc3d56eeea26f6b16f4562d17c6d8b8838f1844b585ebcc0b562f0557b2c7e9f0dda1ce4cc61d") r5 = socketcall$auto_SYS_SOCKETPAIR(0x8, &(0x7f0000000480)=0xc2e0) syz_clone3(&(0x7f00000004c0)={0x18000000, &(0x7f00000002c0)=0xffffffffffffffff, &(0x7f0000000300)=0x0, &(0x7f0000000340)=0x0, {0x9}, &(0x7f0000000380)=""/41, 0x29, &(0x7f00000003c0)=""/107, &(0x7f0000000440)=[r4, r4, r4], 0x3, {r5}}, 0x58) syz_create_resource$binfmt(&(0x7f0000000540)='./file0\x00') syz_emit_ethernet(0x63, &(0x7f0000000580)={@remote, @link_local, @val={@void, {0x8100, 0x6, 0x0, 0x2}}, {@x25={0x805, {0x0, 0x0, 0x27, "ed9d0de7c64477f8a5d951f792474cf5075158244f9b1731f0f24acbf5389ee283a5851cd5cf33761e5cea7eddd7b163070852dce6e12da0688ac4ee0a17dcca77143e90d7e7935dc9bf2e32db4a"}}}}, &(0x7f0000000600)={0x1, 0x2, [0x9b6, 0xffa, 0x777, 0x5fe]}) syz_emit_vhci(&(0x7f0000000640)=@HCI_EVENT_PKT={0x4, @hci_ev_clock_offset={{0x1c, 0x5}, {0x80, 0xc8, 0x2}}}, 0x8) syz_extract_tcp_res(&(0x7f0000000680), 0x10001, 0xffff0001) r9 = openat$fuse(0xffffffffffffff9c, &(0x7f00000006c0), 0x2, 0x0) getsockopt$inet_IP_XFRM_POLICY(r5, 0x0, 0x11, &(0x7f0000002a00)={{{@in6=@local, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@mcast1}, 0x0, @in=@empty}}, &(0x7f0000002b00)=0xe8) ioctl$auto_KVM_HAS_DEVICE_ATTR(r5, 0x4018aee3, &(0x7f0000002b40)={0x5, 0xee00, 0x1, 0x5}) ioctl$auto_EXT4_IOC_GROUP_ADD(r5, 0x40286608, &(0x7f0000002c00)={0xee00, 0x0, 0x8, 0x1, 0x6, 0x5}) getsockopt$inet6_IPV6_XFRM_POLICY(r5, 0x29, 
0x23, &(0x7f0000002e00)={{{@in6=@private2, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in6=@ipv4={""/10, ""/2, @multicast2}}}, &(0x7f0000002f00)=0xe8) shmctl$auto(0x2, 0x6, &(0x7f0000004040)={{0x8, 0x0, 0xffffffffffffffff, 0x2, 0x10, 0x4, 0x7}, 0x7f, 0xbb, 0xf, 0x4, @raw=0x800, @raw=0x2, 0x5, 0x0, &(0x7f0000002f40)="a0fc0337faea631f704d04b5a594dd3a87e2747c38740f4357e5cb221bf4405795c29906227d364e0446ebf77d111ab6668106a002140a81071b6d28cfabb37aea4e26c4657db31916f17181ef2fbba8cf194a98c435a1007c270cd6eff5c6424537197a130202f28ce2586be0ceff0db47a35351218f49a4599a98e93fd6fa6be92176782d29ccfc900c767f4de102c3a7779577ff36f427dcaed1e8dd389650fbe9cc0cab5b4390e805ec30ad6411cff6065a8a57610ab7c610132a2a1bf37c871d06a9d78cc27688f4befa7bd112a69df64b551e3", &(0x7f0000003040)="64b9520eb174939ec87643a2fdaffea4527bbfd51b07ac9467169d3c7baa5dc65b8a38d950c858ff99237e6ec06b4656a52acb76c755c1cff1c0a65e3d1632fabd9e1b381852b6fcfc058744856a80a29fb4dbdd715b3cd08e15a53405d0fd2ff7eac836338c4eca0456ff78cc5712332146b671bc42861cd8bb43200985a362f39f15bd437f06458b867d4bea2227493250d83fb46f7297b8f8c27351ccbec4ffd07175a7c5e2319e94210d4af5061e743f050f2ea538a3ed9d0359f5a7546c3d0113e255268cd0483ab186f9c5550202a9fa3fa0c4a2a5805241819cf9c345cecc6b77dd7c299750b67ff8cb5d9a6b0d3d9816dbeb6fdbc5ea9fae4a25e19b48e510ddb5d4d1271ba0c4a083d04cc509b40f1a849195f3bc3e9f63b7cc7473ffc740cf1a979bd1d7e9317f6fc77a62e5acab36c4a063069cfb207dcc7af70b77a743b362d9d9fae0dbc680923a0e3454026b6da9579f352afef7abbca7bfc14aef0fb3d1305506b97940ea127ffed13eeea6cae0be96f5be7385e8e9ba4f00fdc51859d825192718dcf23e0b6da413aff854ba5221ba8d27ff02b6c0f9667f2ffe72f434f4c7085a52fee5f0871bc20aebc8ef87c17c49b2a434242154770e3ae268d5bae11f22f2146169d7a9c16b5daf83031111ce5ce992d275bb9bc5d1290f7fea356607e8dd9acc55849eeb502827374c45dc89dd1186ec9210bff8e005b7cb2c134a922d6ddc512281e6f5aa9b104d04bcc6000b9f95f74393f312c990f7d29dee0ef7a4b158fe69196b0683f35e8b4ba65bb49b313d92d6f67f72f7c3e7de4dd884d72c786d66bdf598a15f9ac296
ea70740343d94591186448ae73eea6101de13df667ab6ea1f55aba4c113d0ac42bba7ec5bd1d56b6bc947045595c76c8f69339bd2f193de246533010f42ac93ce0af99f40ae8bf3a30543d6861b2ca306c0c081db792af448820409c05330bdbe44f70c5561dff8704b5eeb712acd321fb7bd58c809fb11d017c34879854f153241741fdf8de35356bee7a0cb40a726cc783175759e266ddbc98e3e5f822024e3359a7fec0e09f0d1e214262ea209a9ddf12280e28723393368817de6d200ac6f9d14cee80cb713547cad55333acaff3a32b48964845501bf108e8f515728b36726290b478f7f3da9a62ddb1d44f5ed569c7cff30451b1355d3491eb80345cfdb938475f9d16181cb1e3d733ea45aba04cbe419b1fe39de514e8b00db827fec195ae7731b2a64ad258c1cf2d4cd97dd9dec3564f9ca74ed625830ed32b0507ad8c97f63f5a2b39bbaec04b3b889b6d7c9fb98993d5e5ae40cd6b6372bc631d37dac4ab3d48b5895b0030e002e7f443bead14a5777ecf5ee99983b3c0f500539d02ba11cb4bf3259906bbcc34855e6d4b2c49316816d4d17340d8938dbbad5f2cbfe83da57f59e51c9eb6ff6215f794f6822820b05912df85fea53c046dd6e88924a18e71c0cda658b58aff26194f88df81daf06ee0942cda0df18b41b0e230b305b4f9a47fdb18c6d68cceba1f24f2756bd96a799112c3485e394d2dd9fc87ab1b4651ad058a3e44461d2c72f038ff881104cb75cc79683a9d97d881cffb92b05c12bf4d3ab4dbe17908fb799eaffa9cafa4a61ce20aa4b3ebc3c75220aa65c9803a77f181da3924cca5f6059612e45486106f22b8c891f7b14662abd64b3258ed13bdcd6d1a77c6a41519d66063743a1918bb13e9b7577fb6bb7df23ff1b96e782bda6394d4861a7e0ac80d1c6cc84a303b7841e589d66bed37ccc05f4e9b4dfbc53d3b50d50e02c87d41f53f86decb39c706f5372e9d6e3dde53059620d27845f3ed77cd5899e33aed5c4fb140f8e405fa2e0e1172eaa7d4e912987a0aa3acf7c2d8e94d16c998c987fd404b234ef7361d0c5387e6b9d55fb972c7dc217226ce13d82a59311fe269a09c384e739a66be4354791f381e74cc5dfb9a92fbfff8595df24b403eafb00473eb0b2e7fee36dba4a908938bcfcce961fd10ec29e56dfe40591e13d5e53f16c8759ca27f80ce904f2d7c43321097595e907639f20f9e8dce700c39d0e442da887a4df082eb7e172fafdcb00b008caf5523d1fe5f240ae991496db93389af4185e9c9ccbdcb9731ce7a770ae2abac9d8cddf313231a55e1277bd36c1e44842b3872555ccdcb3a0684591321ff15dc6d2ceffd585dbeb990e4054fabc18a9e9f1de13bfad9de7f8deb6b6c472c423367eead525004defa9e17c67902360bf1
63a01e98f6e755cff6282aeebd1e8a09715c15b9edaa500de074c28bad6d03578c5e1c87be7117f54eefc3313c38b61d88a6a50a0f36fdbf084cb41447c690d3ffcc8314e91ada81d34accd3e06d19bca28fb49bed5e32f4ebd54929e4ab51a659b81c1c35df9e514769b9eb31d71d437864f54e992a2b9b15e2fd3207817756b486d081af397b21a258443d86a20a82dab3094a4883324791d67cea918bec7994abcec180f8fbd4ae90ad2c785de7747308d80a7331864bd1a9bffb514407785193927405f778a166514a339bfe16f5cb8ee349a08e25b94dc351c72e98c6baf186025060cd98d7d14bf8ee060240405a1c10202cb34857ab674eff41cd46c03d2ffccabf194e0f351658ab02d9a1f92830617de69135509534647bc4cc205287b251553fcc7689d5e669f9ba4bdb4036e064b2a791ea5de93c66918ad61cf10be4f5564a071b02b9365bc587316e65bd1264fe1f8dc7d244ab3319e9a905e244a0d000bf3c566811f729d10f9d81b060cb7ff93da8056d641f93121c50b987e4149d44c23491e9de6a5c1d6b26f644b3b020627caf32d47f95a4857b36530ff5c5be38ca37b90dec3bde10756158d6db91bcbbea6665fa1408aec0025d9dfe3de8a57b8af300179bff26032e61db60d6e20acb671595056fd65e84038040f07d46dbd4cb8c0d3ce9fda002d22e24750f145801af85d782681bb9b1228fb281c543e5dcdef84b7a2626de59e1ec79e44d1a230fedda6e3037b0e9c4ca475dcd319b86bd4ab2cc3cd5ee47857adaa88e7e77afaab3fd85076edb3615ba44e97b5e181b5e8c8611784854a8aebdcc0983e0b837455a2901b91980b05efc9223d206dcaa5be6745cbdfb6f9af13873b3773f5a59beaa0f4a36ddd383d63e12f50e0f7c533e6a559e545d2851d04bd36e412d891eac7bbff39936937fa3e4fbfaf51037c50a7d5730051e4c6984f394f3f59faa61ac96fc2ba4e33564c2bbc607b18ef8aef19b88b7ac63cef3e0971fa1156233373fa5b58f16fa99312d84a6b790e7a663ba05e237385eb413e4260e021ba387912357fed39f1366e7318ebea7b921ded5d9f9ab5a86121648310f0904258a9e4d590d65431d23e622309de964cb77df8f2807667bd58181e485c2e03c295c15e5274c706c1a0027b6751e40959a1581c710774bd5575367c93c17fb8444976e384711d4debce09754e97b048d47b3dd82f75fa93937d0722cb2379e8b4b02675991ed1bc5f1f15fea5fbe59c63a2991af998a21991f1d46cd3d211a532cee732ffbcf55b28790c4badba768c57a2623df69b396c2accf925806d55261b7087435e497452975b15266522ef97637956faa20e8ec653c9c0c0773603d77677d0ef1ec99a0f61cccf7e1103051a7852a0077f973369f6d
8056b79c537aea6b410709df6937b6b7ce03398e1a7a1ef8e062bf5b5a110bc0daf2765c92e695834add9ac03f5ea56f8ec1d64a8fad07410e3019d84c0e7cdf1c49e95091794a3aad82abf63e9c6cebabdf05e80503d1ba7037e9b0b35aad5517a02988a343b6a4af6d8277964fcd3e720c19ebcbca7c4a877c4b17405d4e04e2bff036d6f5e8da62d6ec70d1cdd970e8ba36f7fa956cbde78925a443b9579be039e5653966e745b1d93c62970f2907fb535c88820b95b24409d1bb81e0cdfbdc397278a8b1eba6325e693a93b550dc2d7ff05598f8246794b2d01b58f30324e44c439ec6e170b692ef2d552f332242101fe24586564b87e4d04c5c4137f453451dc82ce49f93d50e49acf2b966d0d500fff99b984d70faa2061187369a3dd50337872c230e6fbda2420e565886b6eef53eb532239a98237bf8cf3549f60b083d81a16e6a30c26a74456fbf8ddc2476784e776df7490a31e1113cb0d876d5ca9fbfc32cf6081f7542015b41ae86f9c0bbfed2b8474bfcd78284467c22f1d6df54bb3e28f5cff007e9d5d5597c837a72eb04ef8d1f3ac060b9f1fff3d74da35bf1cc3ff9d836bfc8d2ccb07214afd357c296ae04a5ce01fdc779e9b4ae6d677c6fc48f7383064f2d217d51e390609dad933022ed7c35f89e83b555c8e3ccec204e593228f3244427cfed43bd371ee5f584ceab01f88d1c99474189b876c9534089dd5d0460da833afb14cb1cb1f4bf8517fff86f94a919b9f8eeb360887b139f675905ceeefa05786fd7eaa8cc6010ee286989b6269a45052d4c62f742bdc252fbfdb2166f9b0215316ce569d53f12d7ff1e92d2bf11b6ed6aec3fe3f62c49a4cd2febcae8e1b44b38eaf1a6e78f2da3cdd94edea7150000d7015cb652ba46d3b2315b649edccf47b51d4585dbc76064a12b05ced6fd11fe3703ad2267f96297bcd455810769746ee264e73d9043384e3af7b445fda9f12fffbc7d63cdc105ebf8ec1f52475c73b06b4af080037babda8888b05b3d0051d7aa6c949140df65806c8366f8e3640f5a7470262696bd3cd4db85502cbd5fe22bb0f59287768fb9c52e6933e568e0d3ce7283a420c89fd04e93e565df0ff68cc743cdcf4dfc7ff09cbe8a77a020804f4c1761284616d958401f57af9dc71362992b3ff3439ccf85f43b6c0850989650d8f55ba1922a6500d272dd42386cbb23e6e67ec926a1ca9357f4c84b767152e6c43617def94ac6014aa3c6ca841859dc57524a722741246530da550671ec17d2a342e557b43c08a93c1267637fff37ff4a4085528e7ce6d09de642996fff98688544a7c23bff8b6fdbe533424ccb119a567f1f15c0b4650ed80efe24ab4d1c1e33305afd2ceac682c0eacaa5669e4434f634b1c61271d95b0095c7b1a62a2d073a
ad80c51015bb5150845c118633a3c4c94b7463fe7339182ea01a7e28637c27b5f86068a7374ae77c5cdd6dd9b469dd9a475c37528e2f1c40132359e9e65e23ad4595b160ad9a2d83cce078f4d6181fd3026c2a0b1302faa69a5180a2c20b3a32876efc2a6281c409c2e66e00deb53098197f13185b7da589b0cfe2a312f0f61efab29a7b1b614faa57ed37e01f8b0cdfb2ea7867745d6669a4a895b97e1ed24c2f3cf23e8851138d9a640c2c0b321d00f0a4dd9a72fe5ba43ac47dd31a014d31b725ee28cd8fbed0bc78145980b586d371848bb96748303d0ad1fe2a2e7f5dd34070c6fc50e109dbb15cddcbc04e1cf6358d1050e6319a34f1452f44436d8cea137a37a1dad13efc2b9a9587a43c2c3f3d5aa32c0978520d24dadd18efa812a72d33b2f441ac885226555f7cd254ab277175c435683c36df697c2fb536271948e538dd3bce3909a5c8c37e97ea3736cd1ada26f13f121a990633d95b59e67393432993c0c84fd6d52beb7e3d02a437eb281af573ba1c47f373f6ccd6e0b183a21cbe9fdbb82ccc396f16aff1999fb839ebcaff97fa0bfd0d34cf8e57606fd82341db318e40cd9e85c154465dcce1b7fd8b22808f0e0d454ef9a2b5a4c35c0a125b9237070072d1cd827cfdea8e3de833b0814c8ff260e6b39807ef86ac677abdeb507dd57f6993d303d55517840bd7af1db3980821"}) shmctl$auto_IPC_STAT(0x10000, 0x2, &(0x7f00000042c0)={{0x2, 0x0, 0x0, 0x3, 0x44, 0x7, 0xff00}, 0x80, 0xe5, 0x0, 0x8, @inferred=r7, @inferred=r4, 0x800, 0x0, &(0x7f0000004180)="b8472da763b7f233e5d2387c998ed4355657", &(0x7f00000041c0)="10f121593543ac483ee5d9fc0093e203b927b44bb534a8711a28df30c87570f25d8dd643467a2c9e531e8a4aa6e033f571b9feeae8b65d093f915628885d3f028c3f4447632b36f22e16c1fcb5e7bd6992c089df961fee65da52263c865431c8324d25205427653902000ee5f231b03df00cf5b4ff9f8779d331a8b511c4ddf3ba9b68b48133a4cd4f26e7376650cba610c62a68f4810220009706a85a063103dc90df67137a34a2dc60eacd868a66d7f68e69c04cc195fdc8081c4be4148603242caf94670f9e25557ef9ada0f23c5961fc07fe58c78bff013f8344dd9611e2314963bf51df6c984c56b9af"}) shmctl$auto_SHM_LOCK(0xfa95, 0xb, &(0x7f0000004540)={{0x9732, 0xee01, 0xee01, 0x5, 0x4, 0xffffffff, 0x5}, 0x80000000, 0x9, 0x5, 0x8001, @inferred=r7, @raw=0x2, 0xffc, 0x0, 
&(0x7f0000004440)="aeb6d5073afaa31c2e2b2c269112dfff493937392207d13fcd1a8ebaa997fd976ccf817f4290a89565f45f54382b313d3498e2a676fb908ee4d892131f01b83dedd09498c8c2c56df4ef1c8232320b42d583cc6061c92cc06c764fb0d446a8b9a5f1903c9b2b2ba45c1ece47cd249f201b457ee03c79fbe26feea6dec142689ae21b9ced8439f10a2e3b657a1e3ab73854c1338b6db905248ae4bcee973d068e9bd49bf4f9e8d0177c72612bce4ef6b4d76c093996de65", &(0x7f0000004500)="24a7291c4abc17ba4acde1c6fbdb58896ad27dad256440207ff6a5e48ff2a6185f2c"}) syz_fuse_handle_req(r9, &(0x7f0000000700)="2bce1778fec9a1286bf6aba53c3ac40286ad6aa7112d6f2fcabfd2ba713eaadc8139e14f618070126ac3a38ad9cd7b5c94b1783b2611520729353d56fc5bd5cbd4f11d01359ca9eb2e0c4cc66095846c2b10d41eb84677f1c352bd90ebfa66123a7a19f45caea84f12e77657933246c44a209a4b9f155687e2a4fd902f57ea49085faa760119406827db2e6ade2029f8201de47e97b133853ae73214a796e4818d39cf10a8e6a6f11a88e082c9aa25857a67a32f35bc8f867f044d0f329953dc0602249d83197e0ef5c983b9d556bd527a6a599f52a211f9c7113edcc0e93fc18e79ed69fb2a7fde97c9c35e31e35f077137c8fd8bec401814fb99816d1ee5a5e7edc210c610970daf8aea89acbb754082d8f68eb4a0010653c70684a8dd7c002ba7e461c8dcc45c2286da3427351418cb24a94d6556d69e2a319b5c0e69e6bf111a9c45467c41575fdbfc2646dafda3179b0fcacc149b45ef10dc13f5fce2e4a2c22c2ae992bc6bd51323e724e466c736db1d3457ee0f7de147661dbadc942bf0df2f089e980381ae888ab022fb545c0343c4087f2c1b6ae0cd21d0fd6565790958c93a6759a5754b700a6f53abbca7d22cddcdd709b279d111d6ce1fd791ebcaf260480986b321ceccf955618bbea2781d331490cde5734793ab075f5a729321aee177fc3c20efd0797446e512c625a3bc1a56f4c01889f574933b726f7437ee049491bcb91f1c63a0b175e2ce567507dd354bf26b08059ac229046a6e75d3d321ee63c5abc1a7409e207e6fc51679df37bc7ba339cbce32d45a9609068851b0a7f581aaed7e995c36779d07c357e5d976f6deee4f3684f97e7c619d3ccc28722f130d936d3c073b9bb5194eb9ff69910c6a3d5858c2862ba8ce9425cec1e801182a7fb5c7017a4185d13feb353829dc681a5619f0a02db6ebde860cf7c6294d2145f9a5291849762d93816682d19189dd768280df4a68c80801f66ababdf722ec213a7b7f58c46148686900669bdb0c643d005d600d95c5cb5d28ac4cd4c7022294
352ed1350c4e75fe8927895392b0062c78292fc15ad7038d1bddc994535e73ccc33c9ab23311d6f65de598f5ee9f9134ca4e4b409f21b0b0e40f36aa5c782b7bb864707afdce1e7cfe5a27c1ef3d2dc14105d6a489b87e7ae167ae87a5f3cda0b8a622176297f5328b79690df98979a4806dea069395f5b8e5bcec683fd39b86bcef865de60fe407291d127c4f0068bec8ae95738fce42205ef7cbba2a10766e32191cb4e50c06dcf6ca3ae78c0caa658fd58b652cabdde1dfa9d1f54a4479ad61d25a47ff08b3122560099bdec55deb110e406e08595340887e49677454b60860153c4b1f7cebef25dad082f4d3402078298bfd390bc766234595918cbb3b6cdb9961e1bb1d4f7c7f2401a8d80ac62b14624a3b16d97046fcef8d025deb794094d2cea50ccbe272e1c79a7167803c40a4ccee138444e7a415347783bfe0ffda3d50016d0f6b1b06126fcdd9237aac400b8549e4c1917a25db59cdbae29d1ea5bd7d25c575022dc55ff32ed42a610e239479beab0dd62a30a4fbeda0fcfe1d0b613a8d066933466a9ab31262701d08e77928f88cf8a838e9729893e55070efcc83736f3cb32eefc08f240d449a61cdf2116ce4eae7b9669ce6fc528b9834012b0f7c5425c262237ae8a301b6cfc03a579cb109df417d8514af612d320d0ed96b7f7e4a48aaa30f6c8f427db2f981bef360b9d8c277c84a8015f49bb8840dfdbfd5402a053fbedc0751587ebf6df4d69285cc398e98a7fcd68876eb2bf6f94fc0d03d7a93b1446cf2ac7ec11f8c3b62fcc0741c376d15ccd8dc9c85929453a177bc2424b374ccad51a57bd05290241e00389e5d9733dac843b25f4394db450fe16fdcbb56333790044d65ad606ae8ca97ceec3f809d789049a3298881339d2ed1602f2bf2bde3cc87163cf1dc3f8e32e859ac7b2d271ae42a7ad05e6fda9b98c14be9a3f65b16253743995982237d3130d15a18f8f532a8d0273eabb3386702859833844781dcebf2164f0a4b1411d88299fa82e7bab71a0836d50b418a6a47f747220fefee2685af32c2de7c3375cca11914f2da17ecc46e635afda8c36feff10c7d6ebdcf7da4414b4fdb28c42f738c9561a656b01ca0bcb0224ec803e6a23864e01438974bba22369212caf053e560cf11ac83ec0485f570f6e536744243c211fdc03cb35904f1b3ad1e7965d4731aa048215dbe3b33d0963b0d5c0ecc90fa99997f19b583574868b4081c9ea2712343b918d22fa37e8df4db670a4be4295f699c924c4b7feb71103d9aef0270ded29d4f42af37a487e2bc8dc0b0bd3f6870385a1a8a984220f79a47a981e987dca44695ce6487d53c019010543b204222efaef7208dfa23f808c45613d514468b97fe57df911eac0c90ed04f00649321c3abd2701ec1a0122b4
bb48377b5e9251c0203faf0898260ff747c5a82eed234250158851a50906ac5492719f970a9062005ef1675576351a8b3d9dda735cc65b8209e98668b8d497885fb1d91d893e3e3fe96dbf56b61c606a8463c41fd8c9be64df1a595627fc711438eea8dfb73235a47be9c03704feda19e54f65a2876294495aca4d611c9b43842915fa7a51e45e16c7d22817c1b159e0bf53dffe16ed634161be4cc9169c952b0bb5fbf445aee0e9d386d300611857c70e95cf2e42a3e79bf7c202b77ce4f52d5e8ddf50d5db3fa10e95f24d656186d356dedc85c6f8684b8102eb019c18da8a663d70be24ead9f1dced78bd068a6c9b324dd747734318ebc62a4a9c74eb3422ccdee02f947c1a76e738542806ff2c9c851ab71217f7539da9c3350a1fbd5e5390a048ccac1f5413ab2d8147d7b2d7d4933e24d7ff0d16fa34e238e931622730da47e8ee853549f57d8cd0411fd3ddcd5d6bf36388d0368662f95dae7d3bcb932d62e0f895a56bd879d1f57043eb6ad46e35976c4fa6244221e9a68fb5a93f2568c1772ad1faef2aab0021fe7dbc57f3a777ddfe61f41cc3f7db0bbf637bd48f72d11dd052fb4e32520d4139ce9b920621f1eb6f378871f1e794c38759650a0a742c0e3403b6be88e31920c0f3afb58c686beaee1d65d6d83b8eafa7d0bcaaef875efa7a27371cac0599d41ba51aa5ce65ce48bca24d4a438e6e3ac33cf1fc7cd8cc3cd9b75116b53a09d98141fccdf0b08d8f9d6efded52d101c3ed6b27f6c6e42f9ba199f39c9a337728bde05bbeee63e4dc680ecf0f020bcbbb7b6ad0ba9b2aa614391e8aa41552137356953ef21535ca4e3220a26f061c7e78eb424288981695e651f6da9057c61102f5d58d331358d691ce1bd7f68160cb76fe77f03ffd460ecda1fdb1a78333893f1dc5d0357dc24335d3f12d7df9133169d9d21445b6a58195663da0330631b732c1dcc3e658f237f0f69a11602d4cac6468353fafcbf4cad1a3a26d2deddba7ccc886347ff059dacf969698001853307a3c5b3634dea162e63bd27b7c9dab63a67059299d6942675d10688a797d6b5163eab83b45b18460c28d6a83371eca626e9bdb94b90a11a7fb7f7d9fec0d773cc0566636292c7d90de6479ae9ffce8c34e284ff2fb4da4c0b4629a023f1e9c1e79c5d6bae6252cd4a30153e8c1ebf08389c206d66bece902ed877c36756b3f9cafe841ca61bff315fae3af3a18563f71a77eeb6fde0db2cea7fe494a78391afc1b21b233e0c4b4a1a23eee6feba1aee1124eb04ec4d23b6ae5ccaf13acdb656c72707fed010fc4ab31ba093a22fa85e47389acafe2a22298e51d36732695008e65affda75613bbd22f869b05e9dafe411da8549f141e018b362049c6af4ed782378172c55ae7b1d005a19086c2ab
19742ff7f9b329dc567f614730ef3e7478b62209ec2db90f3a6037af0cb7bdcc8bad8b32864a4167a370d0f916dc751fb28ee9c800e59e2e3720dbff363b28cf2698fdb3061bc39197677efbca4f86da8a976a1fe5f9e183ab9f3bdc9ab6ae44b8713a1ee07b894bf37490464f9d2c4f5a2a46c6b3035343b926dca5d993ecb074191df0e50fbb114c82b369e19d8ce958025e12a6e135c33c4e7040f2e5e4abb143bafb7c712144a99109b00dfd72f66d6a5d7d1e6aeaef794fa404575328feefd9c208ae710236da12de525c78403e78fdcfb5cb3448f93809eadbf8c6caeca702833a3d30bbafe94ca14b5e91864aa575409498939c5b2cce2d33d1f14ae3d7169ffd51a7421d2be6a4f6ce0d7fd5dd834e020c3e69cf5debe69ee863f5702bab78feccd285ab472b56d1c06ce40a79ef15c072361636317413726643c950c67e576ffd80d5f80807b6729736547b00a0d458e93bf964f47da3507747ec323d3108c449826224ea09afa36613331a961c5cf259252d0dacb502fbc987bbf6b1c8c6225a6c0e65ebb5a55945c5a064ec346f84270e3b38a12ae72c17809975ada72bad05a12fda83f1b00a42310481ca2a0990b663964e194c925c99cee86279f62c64548a57d3f167d6213accbe679a9fc204d21031f64bd5f68e8c75cf80af207cba25aa42fbc7df0734257000e5e9c223366d1df46f508b8a8fba4933352cb7c3f0e25d66d8c5129bdc467dcdaf4f4a871fea52b707c85ca1ad30f00804ba500cfbb2eee18c6842091c120ff9f5fe915a75a623e5407e77b2f2d7aa46e24c96986a60865517c267945d391692a1d3feffc935576787c90da846f959e26eef2f98ce0b13174fe456c5d33fb6bb65e8603af4f102929d8422b8bb5a24e0bec7214ee23d9b8dd07e7daf18d83fa66d849b91c708f99b4685c7b5dc956d95c7fceae7759feaa0d2a01f26b17b9e5a230c18c610a7e724db79becd4ac0f176bcf20449e90c3fae89c3a993e2f9c51e428dc0bddf67a7cd11f9ce0dafb4277c3281b88fa7138d217d79fe3ed72b195f27820e33229c5a6d7f493720f9190a1cb229a3bea0a78f629d00593c988c2d3fa09f8935e25bcd4ce0276a16f2306f7cbc8912523591ed88921aa7aefe26712f81028906d730fbe81995521e02e3ddfca0f881cb98a661d2cf8d1fc310845df4ec588c2b30fdfce181e6ef9a654e83fa69b773fb51717774936e6d037754782fbff13d32a50c75e2753bcaf4ae373526e610605f07c677aedac8daf379283f2e59aedde2c01953d1be4591ef165ca1906debdc0b8e47def1a34d3c3a4c12eae89668d143d1b0984f945044709df868d0975514dc1093090b0fe42962345ef40b0dd84ff7a20f394d5b3fc5a55d69b4bbd00b53e3174c760cb9
c79f275275558c6967f03cb7b54ec6c2a8602a5557c48e0cceaebc38c4cb35f171fa42622b1e8be6dd323375033ede7bea93b6d667758fb997ccee896cb3a03e47fe8b51bfefd7165b4b162546c2e4d46710353b73f6f1dea17e442b8272f6aff99c864372e4c3e5631bb739b59ad1235a18af7d59b79320a41b7c0e8d64d5a79481cce1e31b334ab33e92e6a4297f3def0f1b34675c7de910fe38e494ee014bb844e707bd302b24786bd6062bacb82d527acdca236f217bf0474742476e6a9325d9ee282dee43636beba541e6af65bab1f58233a6f558d8c6019f4ee4c8e833ea1618b053b3cdb8f88f09ce1225a68f319de5bc583eb3d22f2732343e9c0acbd8efde7d9c0f22406b9d1beb10e7bc92807c7bbdc00b1d88534e65dba2562167e2cf12a6f4b1e89b2495be631fe9a7afaf3e440254a2da7eeb261b40b4b2c8a2257d75b09b85b81d7954ac55313ac4990c54ae40793c2158cfebf329b267405dd2a5e76154d21d74edd4a1e086f0f240e71996a04e8f96ec8822bc5fc91838d17d97b03cab995833aad9fed8dbd944fc11ab74fc515fd8bc5c067424d32dbb99e49e0d42a597dd807317d669df7c08979dd647cae4b9d123a644037c68fd7b454d158b5128185b7a071b77453e29ef5183c03f3dac2758fad6673d17b95a42d428b56dd7acd6b44a15f8a6acc4c73d23fddfc44fe57a9add195796cf45c0006f6a24160dfb879862b011e74b880f5a4f5dc8053a1f2c7d0e1d772c62ca028b09cebac88ea7a8a1855996201674f2eb71ac526c0a0ec4493daf01a5516d2bf88bd81172a2f75fafb3cde2c92b7a020e0767cbdadf655755c3715c6bf9cc3df38c3834a7249505a689480ca3a978792ae9befdfb3f25e3dfec22a90d66acbce1633a297cc2bed975731fbc97c09da8942265336d17b13a52efff98626a8b7b188cfb9dfd33eb28763408732bbae7b80122a91ad9813897757effb84358dbd62b0133241ab9afa79e353f5e7db9163921d65efc93e408bc38ff95842905a913d084d24fa22359df710b39694de240389831e344e9d5332ac0c5484edc3a9ac612f668e4e78180109e1249ef5dc27cfded52ea37ef3a7d1d0288a9f7532fb9f3a380294cf03329628fe8fac3b8121130bc3dff51ed6f8300806786f9e505de5d25d687c402c0bedb7d41cdb9cfb87714ba2928bececbe1aa32dfda001707c784cee7f6464877ef8798c1608c487ce088d07308b4f1672fb28efad8aee845ff99e00db8d0a4eff10e7e0482e10d2d4f536b90a17f2cd0649958619a3bfc4c72654ab9a0dae3099d6958cc43acee94a4501524e0a9dd76700d81461ffc9cde222715d4c8917c2e53560b6353a098c948ce16131bcac5694846942657fbbd47d14f0b9e6e0e383e7d60efe2
d9935c04dfee10e22f474cf382329cce12ae8d210ffbd17dd0f1868f6c10aa34dc1fb7bbb7a25db0cdb0afcb3a523445564c6bc6c0f8433a6775881852d9970aa4203c9258a944274168899d5a815d665037da716d5304e4f26c289a46384b965f2ca5aacc1c8123b54c14e83a59b99799648814797784254e3fccca53790ce3f0c24ba01722d42baffc8168a36c95b5388def137e6c929e2ed1429910d138e791f8c45c37ea0b8d5f25dbb2b43a4c2e0527327a5847df44a214222330144d26446366764f816db2847bba4860f22dca28aea5bad298dc4e5888ce737b1696c952c2a515574d10d4d2c3d0a21232422d0d600745862a31513c978c8442bebab3e3efbc5bf0657270d1db26e979cf50ef7a3cfee880f77a0b802c7b371bf966a5413d6874d9111e7b98a972be26e28fa9ec1f779391e3a491d5e8695f73d88773a3d40682ffe1cea237fa5a91d48bd82d8ecd25e6a6292d1777e38be37ccc8d96cf9d191ba90585e728dc415bc406fd94e53c674071df12ea089dcd94f9d96b0386f726051267c96e5c3d7949e85502b5da43f10493baa2fd77a02faaca33558f78f09f00433ba991ef1b40c5999039bee177fda3ba5dc0925162e59a8e327c19e7d4e0aa8f1371070271e003ce63f427265b6a2dfb1d6864f8cdf2a9d0f8b38e57712b8543a20be5024aeffd250a106e783a08a5ae385ac9a576b3c1b09036c50f1a8d5699f1bad3d16968f11e9b1f54efdf3c2ec03a1f124ab5e5c453d19b939b68d0a339951b5bb55da3eb459c3f86a1de1b8b9cefe6e60d14d8c6143145e24a85e9c062a8f6bf5c9a51b2a507ffdf6f601cd7d10a7f3cb16f38d7f2c46eb2c1ebd205d5b60c5d5ec3d60e15189b9f445cbf29177b8355d8af6bad6c6e3adab39df71ee2cf90df9ab86808e62d1ec24ff2bde6fd56a231e4e556cc227f5fa6d617d549aed8e2e366013d8a2c2899a5c752620d54471f9cfe17b687fee42799eb8621cabf3b8176df654b20f348c9167d70e959221338bf47cf3b347ddb46e4ea71fc8250cf4818607a35951665aeec1b4684a9f2d54039b644e3ffcf5ef2a2673d97408fb9c5b9ee802867fcfcbf3ced4295e59e78365de8f38d98066bc163b755568bb02eeca38e04fe45b7809cc4424023a23b15e374e383d01e02dc66924847f372d8adc3b8aaddb6eaf9575f524251ca6fea93fa3357e81e94715fbbe3ce2bbc0c3d447a5118d859b1a743b3e8eebfd352fc50c28c89d9fbf2087cbedcddadd1993a35f71bff4b6e9190fb1826fa2b308901876165c70417dce16ea0c1975574bdc7ccf8d92b3e772b57fbadee74fcfe7b73dbef59c7f2e5ba57b9be6843e06d0c13da2f487840737a8dfc790cd553c693a9d1268a13acfa44fa5e4b4f0da376fcc0ec8294
fdc01823897f912127db76903df2cdbfb9902400c86bf526ddbb47c8e49b673055f70a7d90081cd31964e0519d504c171cd41ab7997916a711cdec24f80f8039cec9f65bfbfa93e7bf228351a81892e57180aece3e6b0ff3366dc6664447fae5bed381f629134adfcc51eca2ab3276682e5d9f677b301d6e6dcfa86461a567cb9cbfda3d2f91b3abc20a5a7d465d57c507fe9cad8343d64f51be630ce818ab78e92cc5408f48025fbbf8396d88201c042fd71182c3d5dd62ace3ec9231f847bdff19b7bce4e04d1022b32d46c74709aa4963166aefc5ad6ed94701d4327f394e1c9d01fbd3f25903c5020a8487963008f8e4eedfe9c8d62ca9cd72a96239b1c0427cb4e17118219b42cb897353621d667a538d3ba3e9266738fd2524681fd633c1f71a51286210bc793fc89c0f043866480b7e0862b7a108593b2e9f8d1fc62b7c67f50dff638f9318fa260f3730cec7080afd743641de7d59bca4d321f031f35fa616c433ed572a39bb17b93c8581b12aa1d251541bb5b21c63917c5b70ec65e957c59c643a6c0ab002b546dd970350be2a57e1a8f0f46b0119950aab3301e5ca0543532e1f08199075609f22cb8c8ffcba4bc81df5da4ba7ae6b111b4cd9c6e2e6c20ada232820b47753d6262c2b9ea61ead281ba0c31c3bdfc06b8a42982282a215beada3ae9b2ead9afd24f50bc2281890097791cf37b1969b45ba7eb1305366767eda01efd057da567431c49e79c55a58954f12dab8f1b688513f4c3c49a5f27ee53750d89b633779980058789d26a6b1720be7ca549de74bdb763f4db1a6bb860b05dbc4775b20ced871b4a9d9d877abef6c4bb39d368ef7e7fbbac5cb88212d87f3c7620659cf4ce1c6eeb0ea8384a6df2f291334e58084fc55a3b6d7a8351f625a71eece16fcb52fcca888093a040f5f157ae27dd79d26ae555dd0d219b58553db3bd8b48d856b3e233d19726578d382be3d123f8656dba5e61db14b627eb074db68d5a69c9351174492b50824824d3d3af79295f05cdbb47c8ef7c85d815bdcbacf4b8627965c07c8e1079f201e50980284f2005a92ba8215d06ef5efed591f5279f18a2fea042466d783e10864e93a54b8649bb4436d886c78819e927c163c769c22fd6c1ffc509849f685acbc5c6eabe4bfb2e2650bab1739a6953b27a1846464ea8f56a76cd371a7474595949b6fd4db076d44ceca31122274ec568c581d088ee7f568c0024a491920401f165dd1711a2f9b037ef4b4019d2272e19ed5cf4140e58d74ae1d93018d09fee3263e8119fc7a4809459c434e93d304702f110fc3a40dfa78fdac5edf2425d8dc1629bc95bab9327032598c2f553078187c3d076f15674cfb9e0f182b68cedcec34cf0490901af10a2d10ac8731f79e60ea1eb178a60142
97a5a3b84b80deb5f3b56204cdaf3a4ca0bca0083acac6d2a563717eb70b9d8275bb31dd4da25f6aaf3bb576152cc598399bfc1f703f9d65c7ca6fc45d7cd81912071a94b4981728bd3fa532dd3ab95edc2c8a8792316b7828c17a0a115a80ee5f7c632fa123fcceaecb311915349c9b26f2ed275223d79bac0c137671c3ac5f489b42fbf5b19b3a46ae22a72fe347d8abf11142968562c6329dfb942249b593d37d17f40d793a48189210e0b60b958375c08993d34e3eb0ba6932435cde73d568d81e0df7f76dab7c1c1f7e5b764144896fe5a819a4f0aefa099e1d84f8c11202bc141f7ae03fb4fdbf5b6c30834a4dcc7f9a64bbe14076110b9729767e5f31edbf5ddc540f3a31a36f4a332b5a24d9e0be54f8161b52f76b78083e40a663c8d20bfbc446533c2c4b78e630bbc94a24d9516018faffedc2e85fb091deead3612c8ab241b12647c2e71407a9bbef11c975edbb9722ab6174a9191c5f0128c1e0f4393353689ad18b96785a7d8e045adb801afe79000f18ecbc07ea839306becb862b1753fed504df009546672fd65e60a2b523ae7477502db75deb994452e0b3f7a841a98b8c0b0e828f0ca679e1fb97f8df292e2db30f756fba177545a09beb2be193fb3a1a94d34456d9071e634bb8a43309302f6ce4c338d439270c426baa048bb92ec139e50fc457db0f37b494c591f67115bc9c522152d28f9cad1610bffcea139bf2c5e0239d4f8db125f0c668768a02ab702814ab61b57e0dd839549cd78c1d331d3cf42e0e94359df9f9d8d4fa2b982a1977cc55a888805646231545c2e96a8b80c9dbdaf7b7644021f8dbdd8f3c373a72a9c5a8ad05c67f50bd32a96e19a606170061542a0b1ee90e3c75619d95416e1d2f6c76ef08f611882c87d096b2f84c1b5f79c728727e00b0589ff867824b88939c3acba96f59a3e308ef7068bd4ad8478b9f0d6d5c90c8d3fdb1bce0822fd4dbf60433d0fd9a1d00fad05b135b0fca522982bd41a1d32ca9e13cc2de1809e51e12b540df58cc4bcacbc39453e62effe1cba62a725b7b690a531a169b16cd4fb4230018adbfebfd58ec476742a8ea7e8ff7e56ab463b345a84299867f857de6ea30759a8dd093e98f99c62f409597f9a3ddd490c88133d9831a7ddd0bbc3536d80deaee38acb1ba95ba0cda910f4b120a592bc91504f4b0d99171e2c45d4e256dc03fede68ee1dabf8029c99dec198c4aaddb6817f839f1da74971267c212bd2269f8cccd32495e8f7204486d985987c25a5cb7efd639b1dbd2506022f6caf24b09226227d8035cea83b9cb821ac3fdaeda5f22dfb1191593f4d1655e23546c84a8ff482789bc92f194dda5f614d6986eac829bab2b7a29225bd5517612d40fda6a153fc52b24663368adc2edf56b07bb22f1b5
d526bffb21282c654a7795a27631f95d885df4c0bceb0712bfddc058dcbf3283a8b96664df548340466bd717329e6d5425cbd8f9e6442ec4671381b8017e04baf166d7b14ddb516a624ac5c76587a00c6502a9401ceec48269c4ebf670bd1caf4613bce86e297f9dd0022408af5c7a7e9ca4a1a2c7ea506dccd7f840eb4de4dd3c734006cb85e9a0539f988ab45f593d1d9606122a2f106e9f84f52ff91797076103d042586846ff7305c273fe8eaf053f6f2c7fd4f118134a8c824bbb27e3191a8b192555c6614908ba5436a673830c27a63169d3c69d3f7e052a6b6de6fd2a544572cbce67f67a3b3783f4c8db2271a4a13c0355a92c6b036e5ef06f53323db1432bd5bed2601544387dfea3f5ed9b252fc9a20411999423944fdc2d163f66ba1826c7bd6da8e895efb19b4fe0f2038142d7665fafaf979c56352940b55caef5f8f881db23060ddd71f99fcab6bfe412beb2a17d106fa450914aa7920cb21267e16cb4943605609836149f1970d5ca6f311014d5b691c145ba81b4ff94c72fe150ea49e56070cff34abee37061e871aecf5dcf9f91b52a36eb993c6789f021be5170892ca80d1c2ad5bbce3ce406cfb412bd66fd6442d70ebe18cdcc2958c509341f0510", 0x2000, &(0x7f0000004700)={&(0x7f0000002700)={0x50, 0xfffffffffffffff5, 0x6, {0x7, 0x2d, 0x2, 0x400000c, 0x7, 0x6b, 0x80, 0x3, 0x0, 0x0, 0x1, 0x4}}, &(0x7f0000002780)={0x18, 0xfffffffffffffffe, 0x4, {0x5}}, &(0x7f00000027c0)={0x18, 0x0, 0x8, {0x101}}, &(0x7f0000002800)={0x18, 0xfffffffffffffffe, 0x4, {0x50bf}}, &(0x7f0000002840)={0x18, 0x0, 0x3, {0xffff}}, &(0x7f0000002880)={0x28, 0x0, 0x6, {{0xfffffffffffffff7, 0x0, 0x0, r4}}}, &(0x7f00000028c0)={0x60, 0x0, 0xa2, {{0xfffffffffffffffb, 0x0, 0x2867, 0xd7f, 0x2, 0x28, 0xafb, 0x7}}}, &(0x7f0000002940)={0x18, 0x0, 0x0, {0xb}}, &(0x7f0000002980)={0x13, 0x0, 0x80000000, {'&,\x00'}}, &(0x7f00000029c0)={0x20, 0x0, 0x41f}, &(0x7f0000002b80)={0x78, 0xfffffffffffffff5, 0x5, {0x0, 0x30, 0x0, {0x0, 0x0, 0x9cb, 0x6, 0x45ff, 0x8, 0x7fffffff, 0xffffffff, 0x2, 0x8000, 0xffff0001, r10, r11, 0xb, 0x7}}}, &(0x7f0000002c40)={0x90, 0xffffffffffffffda, 0xfffffffffffffc00, {0x3, 0x0, 0x6, 0x4, 0x7, 0x6, {0x6, 0x5d, 0x8, 0x0, 0xfffffffffffffffc, 0x1, 0x3, 0x8, 0x8, 0xa000, 0x2, 0xee01, r12, 0x6, 0x7}}}, &(0x7f0000002d00)={0xc8, 0xfffffffffffffffe, 
0x1, [{0x6, 0x5, 0x5, 0xffffffff, '\xaa\xaa\xaa\xaa\xaa'}, {0x2, 0xffffffffffffffff, 0x6, 0x7, '\xff\xff\xff\xff\xff\xff'}, {0x5, 0x5, 0x6, 0xc828, '\x02\x02\x02\x02\x02\x02'}, {0x3, 0xa, 0x1f, 0x2, 'bpf_lsm_kernel_create_files_as\x00'}, {0x5, 0x100, 0x5, 0x9, '\xaa\xaa\xaa\xaa\xaa'}]}, &(0x7f00000040c0)={0xb0, 0x0, 0xffffffffffff51c6, [{{0x0, 0x1, 0x7fffffff, 0x4, 0x80, 0xe, {0x5, 0x6, 0x9, 0x0, 0x80, 0x3, 0x7, 0xffffff01, 0x5, 0x6000, 0x5, r13, r14, 0x9, 0x4}}, {0x1, 0x7fffffff, 0x6, 0x7, '\x02\x02\x02\x02\x02\x02'}}]}, &(0x7f0000004340)={0xa0, 0xfffffffffffffffe, 0x4f4, {{0x0, 0x3, 0x58be8e49, 0x88, 0x80, 0x2, {0x0, 0x7, 0x8000000000000000, 0x6, 0x2, 0x0, 0x81, 0xb, 0xfff, 0x8000, 0xc093, r15, 0x0, 0xffffffff, 0x9e9}}, {0x0, 0x4}}}, &(0x7f0000004400)={0x20, 0xfffffffffffffffe, 0x4, {0x1000, 0x4, 0x7, 0x3}}, &(0x7f00000045c0)={0x130, 0x0, 0x6, {0x7, 0xf, 0x0, '\x00', {0x4, 0xfffffffb, 0xc3f, 0xc6, r17, 0xee01, 0x1000, '\x00', 0xc42b, 0xfffffffffffffffb, 0x8, 0xfffffffffffff3f4, {0x7, 0x9}, {0x893b, 0xc160}, {0x3, 0x6a48}, {0x40, 0x6}, 0x5, 0x0, 0x9, 0x3}}}}) r19 = pidfd_getfd(r6, r9, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f00000047c0), r19) syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) r20 = syz_io_uring_complete(0x0) syz_io_uring_setup(0x70d3, &(0x7f0000004800)={0x0, 0x87d1, 0x200, 0x3, 0x92, 0x0, r19}, &(0x7f0000004880)=0x0, &(0x7f00000048c0)=0x0) syz_io_uring_submit(r21, r22, &(0x7f0000004980)=@IORING_OP_OPENAT2={0x1c, 0x40, 0x0, r20, &(0x7f0000004900)={0x8000, 0x190, 0x10}, &(0x7f0000004940)='./file0\x00', 0x18, 0x0, 0x23456}) syz_kfuzztest_run(&(0x7f00000049c0)='*(z,\x00', &(0x7f0000004a00)="f77ef6bf4c19c04aa57c4c2ff92ee1460ebf0e57595cc355aa22679547ef84499ef99d9bdd691a9a0ee19fba5fee97d9a92bb7ae3d754a98456cdbfd27da20f977f4bf4630c3ca421a6acf8d9f81d293d3a0b02327e406323e773c64b865c2c7a10236fbbbb9c9eac5d14f18752a0389a5815964041b844f71455ea12ddc9dcfb6e900a3665758cba3c7", 0x8a, 
&(0x7f0000004ac0)="a58109a5e0dab93137d420471cbb19fc28b13363208467ace8722160a2bd5fa04e7573442cee6621bbaf3e0c408199fa9834f59a314bc375b4a23459d2020312ab4194c9fd9c5864c82edc3367a0f8cdb8a0ff39b96fe339e352c903af49c77365b3acb2eb431c8d988b517dfc639532eed4ae0b4ed9c64d53b29a18fbad20223062a257aa5e183089cbfdaa0c46a4b8ab8dab0990adb18eb03e5c0d4d72ae0de6f67dc96de9940f710684bcfc0bd26cde3ea3fce39ee9d71faf2324cc661626b1b6cf4189a0eef57977918a8b3e2c135549e367e4a7d2527e24cb424d663f00266d3996d6fe636e1a9d035a54ff46778c6b0d18c4acc3e5b23a5566323e1e0a256661d688b18da8298963f74441acd2b82ba472242de35402df8f05bdf0d54b383787dae5ae1d143d21df935fd0305a61f83cc42a45ba77a5317948705b59fbbc921815cd56984c44f89d8075bb7bc5afdad2beaee82b73df1eb95bb0389c04a3fcf33dd342b8353fff76a627d69c5a76bc39bc57c99732ea8830e692bc09bef94da07faf89d6302deb5111ae54523c2c16a35019d120b871e797a9a9f12e2d3b73e6ef1e7b9a4e8048e36b3ee1721b98743a96cab0c508a6a534058b341f4d917fbbff140b8c5b51b8b42c605ea4d2b0a935c501d5b9ae3f1ff3deba846c0d596308f1bf3e0496a7284732d79555c34ac567d731b4677e09287ea315b3eedd503596c4c601210d7ef8a6316359183e039d5b211db87457ea44f43384e3c37e668ccb54964b12ea874057cb6a75559812d939bed5a168e7ff02f22facd5fa33e3067996282f603fc71676d7ea9e38f7ca727b18b933adf118e8bf652cf36e2147b97fb298671a62480065d517c935c5b5d76014c13aefa1a7606018648676eacfe90065aabdeb53e1289471682cb6a1f3efe7d1ca73fe8ad262442414b266fe7dc1dfa1ec7135e9e64e1bfe49a1bfe7ce3bada05f01b47ea14a4c92b50654d7ce442725dae73d5e93f722316920670e213f8b09d9da58df0eecd0b0d98081d5355300e0231a0543793dca00255f3d189b046c999f70cdb5d4043594a486a23cb9c78fd4c0c6c3d9858de57bafe71fcc1cf3327a63b0d841bca21c72977a80c9f4d3dee4c10baeeecf7ccf8071b1f618c749f3b0fc699d910e5282a431a9767c064c7010bc390f8285035c462ef24c879ef11f3e42eb1513791c7da91608a95e5e2b4803c946dcd77b7ce004a6d8c6274ceb2ca3e07cbb1c41d70522c6ed156dfc3db146c3df4f2cc286f4bfe994e1d7e20cae2bab653590845b7105ccc12773330b05b52763bf42826fe3badf907716d8507f8e8a17e51507a0a9cb37e6a663e4c17880e21736f37d17f173685161cb9407007eef711927e6c3ddb5ed72d
f605cc1bf3b92af0a86ca60fe7f042cbdaeebd9a419b144d2772b10e673f1538c798b82f48a143abf4dfdb76f747517a13ab1f35e598586cf6a7fba9371b0ce35b14cd7f34685ef0c2afa71ce7dd13b4c31732a98dfba7bb9ed0dc35a8905debe4f7bd03bb2ee00ff45b955845a3a876dc0426d23a2c524b819aa04a671fa1cd09dbd35b6e63f64f9930b1f4ee1032e46adfbb94c65bc3d9ec61b6faf65e76a572cb3173fc3eff366435d99a370971c85274736fb87e72bc74e2eb4b6a195e4c7c4de5ca2d65b0ba4fca7fb335ba405b8f1e5ae24bee8d554d82a42d50fad4db1bed0570218f5a47a2e156d76c0956cab5c3a44d63abbd2b8dd54dd3055fade3c31b5946daa3cdac4fb507b3445e2a414d35044938aae903adde90f8412316b2a3b6fca7a908be62eb8c5460f3015b13b5ab43822538cc9b860984a4a257bc9ef6f7fd9193840c3e46361a1ebfc9117dd57f0d7e1cc21ddcf1b17ca21a8fe52108184730abcf9c0be332ad8c37fe842f65a54e869db23bbb6d44aefea29e1ddc32788d242e46989fe3ea6908056591ae9ed91efaf199618a6b6362892e55b83f83b80da9e0e716a2c6e42eaef2016de831f76a7c73c2c8d847595e03dd51a0e998b74b846b8c1f7ad4c528bfbe594e26b66b6fd9ae5c2701f1e1924a449634d64171d2eb2ed04c5accf540b477ce77474fda9fdfbe294b1c1bc051b8f3cadaadaa79aec8a99190afe7b64499d19e9dcb61f3d63c01810726b4956c28101070a1747de55f9baed6ed3bd4dccc963a2a882028bef5805a871fb35586e124616bc141f1c2db9056ac2bd367789beb277dc9583777f5708a95aebca263f57d96f70783919b012737c2c64997b154a26d5bb01fc5a288dbb01cc37e943114cb4d375bc82dc48737e15e209b48cb9645f408218751ae62cc86a38f37df83a0130248ecb35c484353408a343a02704a56321a7b46b6518ba59892b5839319d74f4ffd52efff0b25ab63d2bd33dcb193b785c87cedbf9985b0cdc7a105850f8fcf601647f299b6ce3da49bb042a3d6705a877a9fa60d16a946f2ba38bc73f03702fe63fa12814e9c0ebd6fbf41e55a88b275933d221dd957472c4e0592d2f1bea33feb1a1947ce0391b23b46e1244891d2507c0fcfdf60213e2904246fe0022db77b15466525a8e074ea9229f11a2ce2fa8b3c2184e64f26774d723a01213a7deb991b30e4a18e42a94e26e553c465b85397e8344c87dac3ac004b6094da9ff287b9100f770c7d5b919a22f84fc30534162660ecf71bbff9bff48ce42a1fed6dfdf2930f2974e341f6d8b4e9c551ee437934702e6bc0da5515712d7be5a6b49ada3b6322939df6fd5b319475e8312f41c5d37f52f82e7598d7d71f3001d2db5431c5520ae57ae3c7cc495dab
8b7e8d04e5610eb5111184a857af2f0723a52cf4c602c6fe47a3b6f7805d95712ceb22e24860d6a5e17cfdc25ec795a7089ff927da535f2be46da244e3569712dabb82b007e156a17579217c5fb8b43d28836e9d280726cd7192ba8f018a73c129b09479ec3eb2651104f56719cff6adea42c320bdd528d6ab33bef8c807fd69e055bb1c1c89547d34badd8fc3a064eb7abfec85d8d4396cb221d7767282ed873561a7263cb241303825f1fda618a9e64dd6a4299581e7a2eec9e750506c20504ba2abd8856bcbeb36a17a63cc8c77619c29476bda703bf3bff6c2019cd8376713970b56f825fb72e83626c2bd6805031a2945ea9efd2f4780ccb5bd8a3607ba78cd79115849f6d95c93eda04e6fd8857b1f2ea0073e5db2116964e7f8d1d35909a3ef8336e07e0db4a93f5c902303191436b2623235b3c694eca299262184d983ba33a0bda2c04ceb8df35302ab079ca7ea4b52102e39593b2c375f10fb7906d10ef3c9149296dcca884c0181bbc3304519f797685038c4e66f90f414797f389334db759641025af4848af615061d903ce2146e4bf7936dc4f2be7f420ef7561fb341bed654e3f93c1253159f76a75d67378f5e9151f8b665d10676e848329b007ac9aea4c1b37c893df05e9dc2a631818620976190acb08cc4e413b1f371cb2601e1aaf3c2a4787b9aba6e11e838cc41a39983101825627f5591b85ce06044c61f5d6c00ffea265340c675a2171a31da662b7713eb49204e4fd5d478f3599dd76952a7d4875cb972fbce7a59165db90fce3ec9ce9a0311abab969a9e24a8eb5a33887835b198bbf51a857a70455186bc5f0e65660fadb5c7cf45bfac5046931b24ff30b32ed35a6abfd48efe4ff29cac0e03c9cbdb90ee70718fdc5f172ce01b680c30084ef62a41d421efcbba1077d88c6cb5d8f57cf6c896d96e5cac28f85bcfa21c5f929908d6e66f1e28063c1fd98e5079b60d12559bf6a164901337d10e0bb16b9d43b719bb6b482036eee61cedc39b7773dda85ea04826b8669b3c86873ca24d10b61dd16b6a54b7c416deec8b0287ca8f3d2f66aa53012cf10f6f7e2de8c9d63551485d98715337d106d6ae2b7a48f2ede892d8f04a9116d1d27765d4863ea0d2efd68fc1b8a39260e064e5c72ec53d18107b1ca044fd5b42808d71400b1526efba0ceb57c27e53f29327b314901e177564f92988aac81fa0780fda44257056bf6cd90a49a56f942f84d5b1a239d5067f00d0f4c3cfa7cd60c1a90c409b813aaa49e94587bfce1fff62303116ddda4e75bc058b06f46d58014083a4321c3d1a6899425874bbf9dc195448c0d29711c23a88fbd4351e457009a10d1d2ecd47651c5cd9dcede7f8231063437cfb05a319bbd6189d794c6f5c99b6278941c94931c876289c
e33b3e3bce842b69689b9aee44a423d2d429d996c6bb6ceeafccb15e1f63366b790d68a093a85cd6b5bd476b283e17be3eaef83b701391d728e518edc491652c06e0a93ee98803f8fc051d90418f905344b5dc6585e2ab9ae7b8c9c8ffcc98f6a76ab30f337b5cdf14e99e353f152c8c30e98acb4452d7edd261fc1f176f9b5c6a4f207a26caa9da306f9c9441f88d274a2f89d8978922bd2af4d1a98ddbca53e08239f0e3ce8aa8ca7f554fd4ad5b84f12e4a6c44a85d8a649f461ff01e77faa59c6eed9d62c73ff34081a31a065f0a17ca7ba63c5fe753f5c1d7d4e11de3568409ad43bffc4da91b22970340ad4b5a5e7dc4574a4d436ee50745ab58b1f06a61ab3c2b16ba2df015be8f1237356cf133bca98ae7f78c87391ab7fa80edbd0ac93348019cf2db466cf046775b21c8d2522a6208b3db796ad26728e4bedf47c31976cf2f1a66207f9ac46c8cbb6cf005642d991fca160e9b259e422e565f510bcd996da07c64cf369d7f7348f61f234349b887a41ea2f98ab7eebfd3968762c50d84116bd21b0103581b54ea07ba388b96fb66024c9e208e506f107f7418884edffdb1fac8fc6ef9dbe021e9c9f8f86a98dded8c81713fcab3efa63509d188a3576f824cff6c5b622a82b6cb74e937f0957dbc0f55ad3d0b6573a7310fe31098bf875eab3b1211999ddac846e5c202a7262bc70e1568f88e349c6d315d39f2c30a2c9db3b97a7e6a3cbf45bb675e3cf75edf033d7b9a5e600c52c8e7bb899de1ad3d98b2ef30b85f1e5adce2837cb1e2190eb341a29a000a03b46552d4350eb6ca5a5d826c074874708580e4bac76cc11f88d368d531ff7248d3f624f2e409d330a2696793f58f7736c08c86d28a3225359730346be9437f035ecd92bc2c8aac40b2592b4c6b79af380f49d811ae459173f5cf917f63f229e87109198b6cd64f6c303a4f8a40972c837e0f51ff047bdcf4bc5347dd748756b295a921b652ef9fd55bed20f7ee4054b45214e54a366dc98ce23ac69fd75a3dc41691de2b0035924fb5e7d2d9ff777d7b0207e9398d1a6ab8496fe6245dcf3c8e6f745622a015e339602caadc9001c30d89ec31deb8cef3e15488d26c1704e30982cf45c9df58e293cdbca0a032da51a08df5d2fe0a93a5ac28d3d512d684be20f62fbdf066d345ebb642733de0331b2c9ac7a6001f8f6d248ea197cfbf662d7bb620d996ab31de7c4bb3ea1303321530c7f63d6a6fd53d9fea3d515f107cb881eecb0d749f84fb687d98cd27372fb06f49d628c4750edcc6b2bb1cf6c5d65c1650e3f8b759716f183314e9f7afe38cfe54fdc4768b624a7d054ff45588ebcccac5ac65b150103976625cdfacacab24c635eeaf40d99639585cfffbc3f16908336425ab7cbd0b6b4dae4e0ce1a0dab2
592900a988638bdc9da5b824710a7dd7ec9b818c01b1cbfa687a4428d293579b2cb0593e5f1b1abeb116ecbe1c0c6ac5a2b3cee613676c16537391883ec7792f75b04e342ef1dffe504fdd124ded4e4fc547cef5c60ea3433cfac40ee734602288f94d1570031df971b2c457dc366e77b799dc14e002d29999c2426b124e1992dcc1618837d3a290ad7f892f8461634e67f9afa1b6f841827b289d1c82177f9b035ed14e7a2671adfa1bbf3b6737413364c49caa5dc32bc927143527144f3a46d19735aec0242a80e7ebabfa1bf7222c60e489f0a8706ea2ecd66ce3f9d500129d475c7eefe38545d0a696c8c8f01bae8393c89adbcb85e6eba1884c674d9091078d4c3759b25e7f511d4fbd70d3dac32352328c066ea2f81cc7f5427508270145ebfd80807d9ec0a6cbb2219d69ea0a30d5e20f914ebae00a9e37e49c6c611f17c799192c7120f8f89e3a316f98f54d36078e794464941fa43822a701b55ac941dd30f882d0795b9c9ce0e86cb670fe920d4f6fb595e657599e6da0f7de097c0193cbbacdaef6c3ee2294ae7217311315ac073b6780b6365e6a1039526eb313cc5dcc9dac4aadfdab4efdbff316d59091231cd1a54d6c6d644c8efd2baa527dde2c7aacb9dd305047d8bc04d67a7cb60d0270cc4a01f2a6dc9bd5bf0d5e0c52f45721e4508dbdfe9d1a37cc04769d82015844d10e74defdb36973ce0fe8a08ae859bc8d1fda984c99a6be8f024d99b6f1fb85f390cb2166b275f7376d5460c9181116b91778a91ffd5ccc4acb50d4e1d6e241aed090b7053303ab6ede389eb0302f7522e92778034d0a9a0bd5f56494734d7315d627dc7e9746ab1be23a4b4e6646b116ecd04131c56c6ca3a18f8d3754c35932ba5ecad1d5e0b5c37bc4519dbeeb4b9e7ad044a76e364c89bd52a3bc2fd089ef1229b55a378faad365fb36a6d363e0263d378f06862b7c6e16a0ae886b9b5392ac4f9ddaf86f5de4e463396e99de388cd4c346de1038a46b339a121a07aa415aaf8c76ca129a33ce42e00d59776e9ab89ffc92a01665bb5a10709c644ca3f8d8eca20029173a36b9d3741190e0d296cef78012d90962a4db05412c154f84f41a503ba3cf60decdc2ce4c947b4e379a4627cb5c09525e60133e8f80d1bd9201cf39762b95f66a40c62fcb7362293361319265d687bbd9cc645ee9e7125408ba40ee6f1e63b4d546f14976967c21cf74dcd824a73d9bd7041befbcfd6ea0a8d2b7758fc85e09baaee1bbc890d3134253e9b0491f719d8812532d65ce926390fadcdd25b05f45a61ae8e61e61bb83c8f9b6504312bde871b10a6c5b487cae61dd249ad157234ea8d28e136169f0559c93d67315ab3a67d947ca9b5551cb6be93dfe22bb1aa07c7dd99c493d0623bdd3650f09965054
ecb738b5d5740322f57ea9f2494622f10a369f1dc8d38468b21931a5138a9fbb7814ea39d0b914a2c3fda44c1c63ed8725986fc07567befa41ca21adf7909beb981ce3944d4af2917dcef3e4581a6238a5280d7d613ad28528df86625ce764b8b03e26454cbd5d74ba7e047fa6715399f12f97cc5d0f74cf6c1085da2b86bba80a6354493ee32d9877a7c315a7f99b59a3831e61704086158fb751ea302eafc5bad6057a4280ba67c564f1347a775e428548e6e09bbc160eb1e8b3e40455390d59dfa1f0de5ab2e4f8f6decfde3cc1ba04938d9344b7a9beb36f78ba04dc031c9fab5c741da098cec3aedf4e253df7711b2d9cc38efcf310b6a777b8de675288d6c90786eeecf935f437b27738cee097d4978a9eb10c1ad686d5a4d739c85cb92c7694a5ce675beff415abede4b165881ad5f9ce9d0a17ae710c8a890f53420dbfc9f3935a8771b6a48324c13a6e5aae85dbeb26845a9469f0187793d0faba88ae60822dfdfd9f2f2921b863046d108be2f6f809c95e5e3e57413cfc0fc94a6d0c95faad1d7914c454502ae615cf562c86c8362285c35e7bc011fdeae0f402fdb813964ce1012243a791868b505bb4a62ffb9c2545b5e2d39b2696839a510f0a1c41ad45da72de7a077c39a24312b8edd290d0fb6774c6d4a47dd3a6f4856a6d9108af7d5042164a578616ee49dd3a1cc74e8d083cae83bc1117889f9744bf95092d70ca295d8f66a1a18454ee9ec6982ef1a1ed9550a87cfeedfe12ca5b7cd9099591f6f9f978c938640a4fb880fb9b61ff04b8073857b18c87ec2f038febdd6162909523fed57387bf0aad4429f3ce8b99663cd060bb2f9a09922e579ab34765be81b0aa877d99d8aa0ab0ea03ebc4cf3d8e4af1725651386ad6dbfda41888a0dd20c8b2de01123bfb8d496fed4070056c666004cc73568e760e2276a1baee496a5c836d8854dc3ac3f645f5433ca815b580f787c3864b232df3d372c50474e45640d8e2933aad519fa64cf4fdfaf029b41dfa454f423a8a8d4655290ecab35136ea1fde850d3e7c67937b909fdf0de0af7a2fcde657a601b970471cf992e4e2ccc8df88f7064911024c0306f59734ddf01e0c864f5c314f658588aa179c1077d0f2804858359173cdaddc4f9c15816c8738e6aea3a83c28a12e1f1bbb9d9b46be631268aff72b605bd6115d0af106fb0e362f82170f8c2b0f67d91496a2da8783105529c996af674c80daed482297dee05d32bcc55e046f7d81348946cd183b63e34ca25d624a66e448bb8d532c335eaaabcdc2ca8c822eb6849cacb1fb0039f90fc0f7868327e9b3474880c15030ca2490e0de01e254e4a257d730bfdbdb1897e37ef516e2af7cdb9108308350f77bdc500a3740d181ee8e9ba6064f6af79624512b736a0396
9ab5735c247f2b417b87597fd33cf0cd406a42747f938d871186fc6b20e02a0f379834d0a2c1afb2d07ef20e857bcaa16fb795e66405ffa3867b35e88f54b953ad8907d89b62f56eb148cc5a051f2cda1f4774a251b9f9a69a1c048928c4fe0fc24f9f77ec55d864e9c3b6afb0ec5c1832e8eb6d560c900a347bd85f7d017da13daf645667db3ed1dc3970b5a5c246858d556f5b266a212c2d70e7473c359e967879bd39c574d22f17402bfa850a0eeed253035c4b79209d95ff3fcfbca84e14412953c8c690708699a035d021a2a61d317bd19ed34418b5ff4bd53b685b9bcb0eff6341eb2c749b1896e2d4f14b782b0a43b78eac491bf1c49c9512d848630d7d7bd80b9356bf60540c8465f7f6b0920ca8d7e9fdef6d64bbd81ac6f838193b8146b047c7ac4b934ca28e742eb73b4d3d2b6bb795a74684192157e4a1b0192c3115f49ae45f06296794757b27c19f33e0f3ee30d756164695ab589aef025da931b2c3153220b7ea56043bc27f806affb93296ac617f3abb21a2a34f96c7257d1a8efbf252ed417dfa42886eaed942cd06c3281e6df3fba6a2cec9b90ddb63ca533b21aef73bfb8db3666785fad461b7479688d8f5530018dd8a52849a8c256f4aa86460574c702b9bdc1ec1e6bc246913b8f2686f697b0809b9f55fa9b8521d69b246cee705ebf7964c8e9200b6600b488033fc88a834b00efbe385326395df0f530f34d1d88c6a9c605a67ed64da81b4021874bd8e66f96953cd8bec7b1eaa4543f158bb4e1027895cb8e8c8ea9cfddde92de0f79387543b2021739b1156b828ce23ac3ae6aeb250692b9f25733207aadcbc0aea4f46ac4dc8cfe8d53b5839e9544002bff2a791ddff2b3bc7efdfae13842732a8bfb7d971526f6ca2998f9287fe03397e01321b3a13a128bb61689534b06550085290c7f9202b07b3583ce0461e9bb3716362bcff7f28ced83aa57311c7dd7368f0e285a9b7ef805ae8d43406d70e753ecdb7f9ec942a0370f69468583615ca7cf746b497642b8bd3545d5218880f6a439e4b57318a6f9b11f04def62c91d7d39082209687d93bad79f4cd874f5b9f9615ad75bf02ae6689f4142683212bf4abdf2662259dc3007002b791bbb17caef153e14f0999f33ef3e9288401626e2d4acc4040f735e88214454a59bfd412b090d6c3e9ffb1e0512cf033c60fbd04ccff556e8735ee57bf3e78870bf8382d85f51a9afaaa8d23eb7ef95cd64d2c14e4df21d675379e8b62373d11b60e4c3cbfeeef453048bffc69e13dde6bccdf3a598e0c4954b3c91f842e8d48da9ab294b49bf1e7c085c6eab52d9529c2dd4244f731997ba0858480a17d125e3e735d4dd1fa420db3889e57a6f00b5d88d669d837fe46978e99c8fd3c0daa663aee7442868a7be6530
f72fd2da551611641530967d5e3f44fe15fb437d6675ba911a947804a92495d57fc0038e9f4956846f0ddeaf5c7173a4d642bf70f4c4a09d00a67306873e2e01fe789e16c334949cc4bd802a5890361eba8efedda780afe2026ce5d9da88bb9a5c01f098d7a45fee1c213db3b1421c4d8bdea3477654e24bc40b152e9871b174e3a94d6968b21a24c1abf795edb89308fe666e1b22fe4002b8c419f98c1244e0a032d18f0e10def94a12b4b38266489e34ad7361af7a860f8ae19fe08f8f76e5b458212dc62aec387667342598f5bac9c12c57808e218c85822436ff75b12998078373d1f7a0c4076b5d0785df6c0a5c8af9422cf89058607b69c701712684a30d4db89f32334ba86f5ca420cb38765e612237962292066772b0f407d0c0ec346d4eca1bb80bf8cc68f807d0f59baa4f9d5f505e67737d5d6b7d730d6d146b604900563067893d08c31660fffdcde2c57619f4717b1086bd14c417c3c893e777a92a2a00cde56012bb1fda1ee20c922417efccc828247cd4e3d62aaf1e889e0c7862474288c8bd145e7345c3110e941b5113b05d84d1cdc54c8c8b1cc3f2b93ca822559cbdbb4e5629ab98b6cd9021c84f385415d3b3acdc4a751bb22fc0f643bc39c03264dbeb81dfc7b1953767f2c5db305c18a636ea6fcb5eb685cf38a0539bffd437265b966f46c062291cdd14a380bda6e7b31301b8db274be67a2260865c5187660aef5d16642102a7c61671b13505909173cfdcf6c1aaa6633f4730d2cd0c8500e8cebfea8bb2241daf9ad9447c67569b31abf33e914617bbf1d0c4342507be61144ff0d3eafeed6776d60e07f02cc120e6db38245ceb8f08ae630ed9e548e459878c84abedab3176030d820d72eca7808688868aa72324834377e201f42b6e5c017eb8ebe2c2758720823d645f37d33c072955cdcad179dcf14f008283ff3a7382296e9272ccb6d3ad0a1163cb970ffd1d5dad50b31f75733f792a7dca4fd13bca3391c90d7828cd044c0e72225f7146875717af9ce4e65a06f8ecd67f1899b4cab06bac1bc2e4944e62419ec9fa1b0735666e4f2360b9fe3b51cdc4d6523cb4f8820c5bcb8feade4cc2c09533cfb326e090eed808040182373cfc2619662356cc5ff8535df5d03f68fa01020f149d13327554320ec2b199cec922d0d7f0495e3bf5a35e9ba8cbe717fc2d5f2d7724b7016cb07c3db1f06e9dfb890b45a8cc036422739771011c4a4124b1600c2cdf16fb9df3f76ce1b31236ef41ef4c3d085f9c8f44ef82bf042a1eedb77f515489c5cf7ecc245965dfd29b9bf27664a5684ac5343228e42bc1779ad40476ac8860a59418d683568a907f678471ba9df5a7ddd28d7058609d3e577fc1ad425d8707f9503718859f28273755924876d469a1fa1f447b76
12d2b80768ab044dfa3f662e969885a82896dfb88707aee9c11f96c8c273cc87facc17778e5d1a1d0d2a781068a56e56c0d7421aaf33167cdef4022802cc12ceafc99948fa2a02c766758ed98da6cfb3a2148b9f78095dad01e35bb36ed8d49af270ebce76d37ca39e7ee7fc614dbe7e85d78f4619888289b0a4dd2f965e8314ad4069b6750fbcce00e64a3fc33119453227645b8182078e6c813db7e5ab787fb990ff52ad1033ce56a2c849fb8fbde6259a6af5fae321ec771fb59e15c052b71336cd46b8a993e2a335c64f25fd588f1463247fea99bdf9cf90e1f83218c4c43e97f0938cf991e4a735763e565918177b951071df51c3a17dbbe319681912fb4814bf47c9830697aeb7a5a923750236479cafa956692d983d24b2e848052af874df7a8cb2987b7a80c10cb4266fc47fa7603f56f0b8cae45cde5632540a7e6bdee9a44656adb538dc504a898f2a6bafb396239031e70081eff03a5999f942db7696a8da01c99817a71cea8129cd27f7fbbc6f171034a84305cb33e08e7d9979fe70b5dc18da2db64973dbcdb085368b18aed290f36135d634343d068fcb94774b0266cd45928406930994702d39dd87326b2ace2bdfe10bbe9ff1044faeee498ef18182f228424f53abd6b70ac64c907913956b4241a4d98b6f392a61a984d98020bd7594ac09ca269eb7dd86261021b5f1aa3772cee8de11bf8512cdab489ad67fbf2f6f86c124f5f781b288344d7c6117e75ad3bc097b4d17026aed559de65219044a8d5aefda109dca57011e888183055ee2112453096028aeef3196b8350ce5c7af28ae0b187b64c7b6796c801d93f620f9e8af2499a27e5a59ddfa907e826bad8c3b46250ac1561ec0e21fa17b72565f3fe1b0a369273de5bd04e65512b41333ed743a51a57d8debac85ecc46a41408b551f2f46fcba4babde89d353e654a1f7cccb06389c4bb30dcabd5f7f468bd6a1eed6933f85e9eebd0348f1c4dff82e39a1a198837f8aa69c6251fe1d64211e379b1b84a1f2f430db7d158ddae9d0d2da1a7aff1fb5cfd59f0c6b8afec6f0e48c4ef7ac2a764b54469d78fea5d9b2b5445747b69d4f70e9f980928b816e354175ba1291733844ab959772eafb60a32e6eaff4779eacb11356385845e4a2598688eee44b54af6b0285fc7fc5e2b7297398ebdba3190a3ee656f54849be33da2d679700ec4f78d45e7e3fdf9c67d822434dea8cef46d34148277dced030e80b3214f3e568de522f744e66c61d08165aecd311d86d3b343a33e20c1cd965fc72f37a34a63f1eae73d3b03fa704589353f586e202c458234cf4d52af8e583077c784229b3db98189c760c97b3f02af5ed34b0b3a87ebad6a2d47fe6c060f9c08c573549e649eb894ace871adfeb681bd4e6ea5065393afb
66cffe8c025c18f398a373dd8ba0c543f9fcec2ec7fff239d967b1c1d17ba2bd7fefc473c75685e844ed73703738c25bef71ee392f70d5105fb6c477e254d0c6e42b62906dcf7b74744899a0f199512a0bea3dc7d1ed1f64d316fc1d8aee157b3e22d00c129fe798a8d3bb1baac4812ab9c3f914a080e484b3894cc72dc2113570660106741d08c8f0199e2196866a83fa53b304d36cc682f11f7c925ed532feffe9db4f855eae8b1ba9cee4463b669b5cd91323a2d51e72e24aa292d2a1579a034b9a39ac3711ec9974ff6f91375e0a91975ea3259964156329f47d6fe8d6596ebb46feb7557bad5c3c7492745bd7e214888174cd1573bde3b044b98437ff6917366b1d07a445b95c604c098fbc25f53712ae786f56326d9580704ee3b44d1106f7b7997e37367e108b46886511019cac3ce31d759c267e067e8f2518bab84cf27bd430274ce4f62e9741effc8447d4f7bf98881e48b94c575e6304a0015f10ff9ae6a942d0a410595f55e3b9a55460cf84b0590ab869aa4dfd2b02d248040214a3549b9031ef29c639335f68910a65e105fd83e16f7dbbf76eb9829935231ba7409c1b4ac81f20097a0e60eda384adf185e64b056805c80eb485aa975f35a571b3de5b7d6108e89049d1a37f121a3be8818b69c6141f342fd75f7c5ed80aaf42b9152d8356716f47781de9e63e4af5ddad120d1bbf7bc68a2f4e5cffaf80021606949e4e2311f6a15df4eae8a2d6733cd77612115047a9aed3524edde7df72ea1c3d976df25dbed5e7ba341a7bcce987039f7b99a93d13b2c14eeef72ff7b4611c13b37e6f6ca2d54bc8756ef444030b7996b42b8f58c9ed18f7b719378fbe94f64baad4273c51efcb2beeb57545490debc9bea9450a8d781b21376f6c62c440940887af80a0ae87c17d624b9493e37402dc741c65524ed09aa115b43967ee8153966b435ce3f204811fab2bea5f2ef5e5186df86a2ce2370597894ef31ec2c0c19208daed00be9bc9c0306f1889ef797ac87eec61e5cc61ed110f6590578a91f987ff86deed1f4dce08f5f2b96c0502f5cdf88a59d9628ec41a7ccf192d3aefa8ec975bba4a877059138488664adcdb393a47735ca5f43153e0c79c403ce9bec7012259333cd11e9e42e3863be2711a48bf5330c207c0d8da651a1ce0c53b94ddf246d1054689502763b34acf020c4ce280e0c8f22d406319f54cad6e6d5b3976969e687138a52a292277634f2cb6c1337ebaf11684d1e2601a0f92f2864c40c57547e5efc32b08cea3964860f90f0133a17e13c60ea71d16e6861cf3e1865f584303b0f16b80e6128aada9fc0e6fae29dba4a3fc993b406795bfac7afb5ec9ec8e6b4eac7a86418ce9513ea353ee47811aacc144975eabc6dc9278631a9e92ce0668b0db8bbb
f5a54c79906ff638809f7d696ef49ae47e0740922b15c503559f0118b0a979e2ec8d25081043c72ec0c5f3e20f6182594bf5f3aae3be1bcc90b994a7a88c35363e12f76fe9a67c256b4a30d73668676cb87e1aa1cb90eb253a2f6642b9a2315f48f6b44b5857e692d8a6db0e064cdbd0b8ae746352cad11812e180df03eae8de9e5804edff73d19a22af88a7fea01ae7888c77f06f42c216d30edadcad5ec56ab99c94248b6fdc1d5fe0411ee122f375ec47bd9ab630255a2b14e71fed7068d3e2d58c558a5106fd0ff61c6e9309bb5899ddc993d529baa355e9c4bfdbd04e88f67c564b34f1c4093a83ab27a05929f29162b448bda177a4725008ca3d61e31f10192918371c568e917f3212de031a5c5696caf0b2f85e778c26fac0c642e69f759da27c8c7a44cae86e0d0972ed8ba0e87416740b3f0687f052dededf00101e230c3662c36dad8537592871199e48a7235f125cf031311e1ee339b7a62387b52ac1640d5b2795ee2af827f09c8314b013536373548592d64bc54e36c850c44c39dc230cc99da7bc514d29043bb9ef2a227f1f912e2c6d906123c1d1db2b813985db6ffe2c41b3dc5f82620b9eb51f9e351eb6a115409b70eb5227122437bc53ad500af869b84c624cbbf5a0020ac0cbfde82229b3e7bc3063969474efdbbee571cc553ce2f1e08be6c494c5c660a220e9107be93dbb4e04cebfcb8107737432b144f90cb9b6b078d813de2c803c09003606af461c18a2b5e6d472f3144984007ed13474ecc167fca167cb9ebd6f7e37070b4d5ef787d90eb776d94ba5fd63cd3dc1c555176f1d5e090aff9013665ecbe4ffaebed5ddfc40434dc1e94c954a3e5c6fc8a2ccf679c1ad8c5c98bc3107f5bc7b639f23203aeb8d3c00d89a0675f14d486b83b72bb453ac3fb74da84aba00322d7716cae55a3865e5f4d18070e02d3d19df09479a41c8da91fb084a429849a7907d2b9f0776fe0bb5d51bbdd0045894e96a1f090be36417c6603d5ef01864f221b36dc34ad05f43dd8b099afad95f23f2c611ad9581deefec4e8314fab34761f9bcb47fa508b38ab19142148bcb6bcd8d35074919d89de51fdebcb40ae9608a7edfbf3cdf00db9dbf33bbace91ffbd5c25c29a71305a2abf343160ccf922dee487519aea764bde66617977f0be874a35d468240bb81038252ae8994dff0053fe21a82f68f039fae01c52cf1f6857ee51e17d5cb2c6c8dbf8560afec66f1a0d527507bab2b7df5e8984d12eba2d07d836ee7e01967fb23599a3583b625a75e7553bc66b2cda3a4b67b0e864dc868dd1c78904a74686a91919e670e7fc918037c4f76df3a78b860bc0459a12bc207c30b1badd85324f5a1e623b661aec28027bc086ccea49bd22f39560d289e233c4231252e8cfb6af721
ac7cd1b6b37a14fbde4393e44e1b25e302b1ce29bea6344912d1f7e90633816845fccd3ff7242a008a743e5a47d48ab3e01c21f2e4606e96b08567496789315d87936f45c66db50de407fc101153536949306822e1bba513ea3375581b8f235b827b3bde08213cd1852f36744d9ec05fc35de3b5fd1912b14a38eed439a6f7dbb37c3e55690af6cb75945423ee6dd24362327874e960677072199c4d3d03181f6db4370a7269d9d778d0cddf67e266a29a22d5eb7129f2d5204ab8c3c5d01bbcbfa60b11fcac944ddccb27661860a8addf6377a3a3b9f7747334f233c5a44a55ed08ad05d233c7c43e6eaac0f89e0082ddf70c406814c3dd60178c23ea58ff7e6ee0a3a57358337e7fb83be96255a35d17914e6237a3a74215bd4ceb8e9fd3f0850dca086c46efdbd99ffd86f07d219d1e2b087b000b8ccef9e49337563b48a27a505970f30cd550b873e32a8447d8853b129d0a40afbcd900aa29a9a59332435587b38d2da503171da6f7f50d2442ae1d23cd4069c38d0a6eca268f9e162ca56f920aa7b0e6799d2029e82ba34a82959ae737db3e7906dc8dd1bdfb36e4107e36a54875348b9e45b8e7233ae4a1c0fe85755ba6166ade7d34bf631e9af8f5f90548ac7acb613f32c74addaf42d97fc9be84d30d18821b796be490f28274fe68233003641a956acc9bc3a09d5f43aa22fe3a2b98a8b2a15b23265ec438e3b15a1d137ac2761f7349311c8e4ee18dfda5f96d66e16ddc255fe70ff2a051ccf744fb7eafbe2b5fb713918c8c776436f09004deaef5da7409fae7876850bbf62f17c0d48ca74d902338c756a337d3286a72087788f7a42f4f1675d6f0ee957b7984f21cd95074559b8b2ca49e67b4cb7634f513a1722351ee15e9059ffe289e8c989ada53b47483d4077e9d146e5428da1cc19194ff182f7d2a2287635fa4e4a81a290a3cfe38f376eae489e1df5e9a5d59beaec83a30e9af78893e4f3eca07fd4379b15353c7534c639c7b33a0ad5b58b956e8fea983ee12896bb61f07564ab52345ecda4c181f4d810db0088f6054b8609aabb4fcd48205dce63810eda0775307d72544adf2828a2a3bf105b6a6af965b8ce30eebec78f49383e9e0542f0d3aad5bf48f639e022a021b1e661b10fa7ac6a86322537822c42a4883b0522bae9ced98b1e4812992384859925860eecc78fd0ecd14f4cc117d9350537a8d80c2a6c952ac2cfc4fd7adbedea1c0634438d88126307f01042ba7a13869802d0798cc0b42cf2c1db9132dc7b5e69c807b5a2baab3a35563cff152cdec01c47aa9accb546d2b0287fbed70359e15b1f7a78d79d32cb6047d9de5dc87850e23976280dda2e1622be5df43f0bd2f71234c631cb60a6736f1cd27545dab2db2fad1b6ca00b85b6180bf8ffd8b32
a353d1c251e8d0401a7dc818b51efbdb52cbbb4f7370d2ff05d320e97862c7ceb40972f58f6175e88d22db6b18d0ffbee99f0f90bfaca89b94296dda5d2babcbee5189332d9ec6f9223f0197e5a98b85e6bc00e8801f52ae06bbc73cf8d2ff6ffdf9211f95d5c18b27c44a9d33dafd6b6ea8568154a0168610898f9b143f5aaebfdea26c0b7e789036c99d9ac8652794bed15212203b8dc3ffc5fe9a50cb3f493dc4e0e463f828d0d9f1b50681c30e155f1e3748769a61ec7f305aa303f32a1a149f399793041ed3cbe612b6a73b03f61c9ef4477311026bfff61678d33970f92c2375e862e8c5d2c682d45f47cd59d9c2bf7f5bdaefa550d4cafb6650fb5bdc3842215efa90e6d259e05098df0d27adca16a386b6f9f2f94a477bf10c3bf9d06544ab19d9d0da819dde1d61d317db510cf3483d0d7cb4ff99e076a2be55348c2a1d3fbcfc0855ff8492d2e1b87fa50771fd68ef7dd2c20ce5fc7b19b7333a8945ef4b614d487ffd49bba89bbf0eafd5980ee6d196f8dda8b07c723d1fce05295c646f0d20eb0ba3792f657c0408d2ee889022c169461bd494b62d2b9ce26742a324ec630cab022637122976bd24e587ccee270c82f0e5c182ce82eea8ba0b67b7a78f2604ff9770b9943516b471867a6d9f1cca6a49dd717ff8d2528e54f9d297dcf248805b9228ac6f072a947aeab962ac407d712ee40891f2a09d6265950fc05f4ffab6068a59043a3ebb67a3b947ee0cbccafbc5e543fd6c685c864f32c5b37c1e4b0420dd1fbf4ec519e6e8b38ede98dc0daab773bbf3c9c3eca5d3d50ad2204fab49c3772c369bad9df71c00624f24eef6770cc0a151154252ef33a2585b53cfcac85e22dc8aae052038a31e9d55013ebee2204775d07aa5210e86cd63ef1b0466431cd16adb9bd78b0e1f8ceeb86c052ea9c986afdcd6f9c297afd4b14011c34060203f4e13965e12d518785dfea41d7c726f4918d20e5f1249bc84e380fe0dbce2548c1d85cd6bc6c996257a101e28d3d62b75b7fa492f49561f1046590ffb2838e2da043b1d83aac7b5e9b8a3f9ef22740e1f91fe9b0957e5d3b4187e4380a47599ffce0a56f92260708ae42df7a7c69517f2f9995edd32ae81bddde727945fdf1a99b13a00131f978a354f54b7c3816c168ccd15d5c7985357e1dfa254713ef6608a4a4ed8190baa0fad97ba418c2a9aff145bf721f1fe9952e848a46073e9876ddf1a91b1be116016e17c6f0eda76c4bb577d24069f116c327383e1f01b189fbca1d553eddc8848e9d7ca67274811e2f80c6b4b523e95e0429bb6fbf818f1270fc90b32afc8b2324cb746bea8f14123323d253a8eb005561fa1be4d4a155ab4e26c92d48aaa0e10f9822cf267cfa4b5bffd4c89f80a7b84cebf71de8f1b49ced1cefe
d76fc5235228fd98d68bd1646e54c77eca6839209d3f088cdd806cfbcd863456b41801b68cdb5b8106955013a56b5b829c8d3591ec6bd8328bad2dacb62c98ac8dde7591b4350c2b7cf3e20e99ac8c19aa1c52a164815cdd1c56f053dd0e4f293c1cf06c133e11448bf2c1f26dda792c3cef658b714f1f7de70a3c42211558289625ed699242aac645613b7faf7cb1cc76fa0e346092dca4f88d59ee9791db16bbe92085fa1fb1521cbe0db5c00378a5af17ca725c1de4a9fab6d291d55a2432f6f8f035a1e0a4eadbeaee9ffdf7b11a2074f2b7f5e495029a7e63c9af460ec7c34fbef8b874ad06bf7c08f78b0c683d0d89bba894de6d6147f6de02b1872ad8d86183189b11ad67dde3adc51355819bc5d1225cd326ea3daaa9cc4184ad92db15188b1e39058cf730eafcdf6b169f1655032a5b7311beec7f145232683178e15ff8440f2801e5e840a48103d82be492e5bd17dba0c47b653b781c1af173a0c7273db72a674e3a00d70b897451fc903dc43574e64fc7569f881ca7379c6da873732611d5fbfc234d758ec0c16a141ef17763689beb502081ede9b11a9a492debdc9a09a5cea5e2316cbc0eb5f5246ee0fc838173eddbff63a68dfcf4265a5db77db823748209a5aefb86d17d90f9b61b64f8e789888a29595b5fc475fddd1242dbde9662cee751041174e5387506b332de62511b2b3bf89ef6ca8498b42ce1cc1aea01f4827ca8c4989008b10acdf2662b06f7635b26c8a95ff6d4d4c4dc60b44b9e8364a98a7d98e6abfaff73c1c2dd69c52dd12deac3ca415645b1c1c7b963a0ff113b44f54ea1444eb907f2657df2e95a73d8cdd783c4676bfe5fe5a71abbf2aae079f49e6d51e10cdc8a7fb8e26b2f605e54596fdb178133f746fa96435455d5fbf1b19b585d34e8205c92e7e03500b8b80e41c42eaeea933b76fdf2c0accffd051cc0f77b9d85cfe84ab71662c7f83f3b6e272b82fe886d0febb4345d9afdfcff94a1ff107b6678805ade9f768aa6e33394b391779ca937c90282e9124c41425289cc23507eba96df73e2af99993cea1306f59b8c59816b538cca401d7f2bfee84b3aec9e054d048054ac2cd280d3e55c5e027716938b7b31ee1b2f00f95f1b3ca9540011a4844e86d2cc75f681394e4679493e9d18075a659a458299961d18cde645dae173364a4dc0be39f4b6fd5ca7b619b26686a812417a9f1d3e46646c730eea7b4f61a8152101a56732e09d2507b3a0eedc180bbd4e61280283f783aa8e9759d6670bf28e13526d89aca86780216f137077d761972a988e1bd9303d44b7e00027bc7f537ba703a2d285b659e7c8a5d14c5ca705a1eae9ce67dd99f5bf5992bc612c5a0a01d161d8547211c072d33f6bf88ea8980da01cb87712e9a0c8b93f80e6deed
1b6a092326a1da99bfa9de4dd9fcb53e586ba169cd008b7623468fd1bcd7ccf915902158a139311a02ad62c6272a50349349f8a6aef9d44038f759ee57b816122a5ce8c2d7c14a65f24694c5338d596d0458c484afeeb8c25fdfa10560aa42ae8cfc82eaa108b567f86e33e9123e69d84dcad2f1fd9ff60f90ff413a22b2870f16b0d35c388183595d5bdfce35b314af588ce9e5ee061b8e8f1089b14e1e77b2b3f6acb232fadffdccb18bac721d90a852384fe51a16fd4da788bb76645211cc162a9f1d0dfc1eb29aa11d85b783ec23db41db8caacd9e88614a51cd444eae3db3e22c5a92b0d30cfa5403a2f28778bd9df158cc082bb8c7e7bc6484dab455c390b85a4304a8bc23a268c6faf3bf85c98056d0f715e74eaa86c4b6af45458a3b0e40b658702fd883a55eb4b6fd3fd65556157bd58d0ec42f06f23214c537a5b6bd1394c74615748b337c8c1d7fdf44bf49e35f7bbbea1d8ba854c060f883fc03f3d3dcb7244977f5ac62e696a0ecf3c419e0794d3abe77d156e0b97ed5a043b6dcde1f7f2ec010d9e4fd5d53a13956027a489eee7b497ad2649a0523de4767a8fdef6fb66bd49744ccd599d2efeb267f0d2990f234cc80fd069a97d1875390d6e2aff8fe2f1eddeaaa4f3ed528cae8c9ee67953e3a3c32732f0db007f106f584390c5370e3edbe2bad78fdf2ac2056a9faf243546d26b856b788eb5d7969837b3ba153c655b4c41048192b77f5528bc75abb50d85eddd8e9686a48d722b03ed945276a83d9abada8825f6a97eba1fc9fdcf92a74b05db9ce32fee161182999d06727875439ff109491da219e0d53e03dc46d205d4e690f2543fcac1cf45ebc60194306761d8683dd2586929a5dadc2547f953d99b7bfcf9b4c2c44937e7de619643b392a866bc88a8eb9b6d0a925e4d6f0d574be68f31059d14edbb50bb75b705f531b66bfc5af6d29095f38a127b46c01b2640f952496e7246ddafa8d3289b36b800431fafa24795b4a73ba1ff13bde91b5a1f69e151e6ee9eb795197bfc9ff7ab1b3ddbfbd959fcefedbe5bb15b64e1122f231870f7c3d4c372a4c1123d30aa097b4764f4d14851833355d7b1a01e5a37b867ddd53026ba9038f8fda171ea1f1f9d85ed47d90739a85e0006b0ed40a2b10b4154178240ee2e42cbed699efa0720943cd35836ab42246a1e3f890d727d1cff39f7fe2c70851065f0c52631770f62ea024f60a8ca18e0ae7afcc8a184cb6fa4a2c6d6c311a91ec25e7efd7e8d09525fdbdb9904364ea00d331c354d33c2ee010c6294a9acf7cc0ce7c184eec91fa95accad3dd7e43d66d5c5b8440769563bedec750cd4157b1e96a57bcad3ba84fde6998591d2a435a0af48be7810693a3e4dd4ef072db8b5a14b9496a53b818bcb124c0b6beff03
6c373f1a9afdb2344819903f173a800a29d412aa3d22bea42d70e95e061e543902e60a1a2747a2e0344189f942c03a2b1fb004bcb11bf0e495ac79b58cab4dacaad7d8b84ab2e0fd199728029b16e0bf714a8dd10750931d167e819802ffa3c177e0e6d8df2d43daa2c55db0e3edea123d0da42b4d8c0c12c92586594444030f217c8e545eee3a723c57070f02def3f50bc6d21a6ffb635d74117e23d80b14c36a0c741189dc77b5c9cfaaae1b736e8663db61fb5b6d354a53b6344ac549ef3ca9ae5edbdff88ca10f1ae2fb33d2f2b230827a50aa40a09fe87a34ec4dd49a76de5483b7f58ef1ab4d8d78214818a8667f9e9e72f9cd9a6adeed0f63aac8fd5a3510e5627f5f3ab8ee216f9dc3c718c04237ec3ac1f67e119753704ff4c6a7b913890cc3d1e18ec06691808e72ad057896ede0974cb10b0e70388384f377499575836a24bdecfa92aa379307caab1a27882439707814b25bbedd64d7b030a6bfbe5d3048e6cd9ea43008a018a77f3ce008a22d07fcb237e462674bacfe0862f255625b2f455f61bf9e5fa363ac46afac12a0fc687b6d802c6c04a5db7ca3428e7afbd73d1934058e6e2836cf9bfc19f7b796bb5aab698cf9cf1d9cd031862780cd05cf6a9c3285070a5745b43d8c52303308aab14ef77982dfbf4fd8f5b08480cd283246eab28d678a22a692588eef2c63044c739fde5f96d13b4b21b19b8d926752d061c7dd09c94aefa338be45987a2b038d0db15be1254e9afc337b321aef2dae93708b388bd1c0661ad11d461e69927dd0c9710d89de9ed029d99b9ce06f739b69d8184354aef35d8783f7cef2a3aa3edcd4786605a743def859c6c9ae766eb73ed46e2a58fa655f0c8c12404ad083d0f76d6ba561cc152956b636fba83fc612bc544f9f926c35fc508e7d382372b26a2f0c3b3633f76c0805201ef9e35a83fb69371b5c6aa9b3840740e26d62c3d908ccde8dac511bfcffc039bf3fcd91e89e6f9a77ef342fbf2cce80ce2ba8648e61210ce698455e3c90a099f8409b73acc15cf99f7969a5d9d6ce52a7f9b590579f3292324e1ff18908467ead6d425938e715c640179429668be956a52011e16dd94e2bcefd176d7f8f3a68729d72322889ef6cf64e0cf040318620167df45b71a80f3db12bc8645c055268a5b7ccfcbe2635d64862b8c75c070171f234035ffe120e6395a2be238c02b1324cf52937b49f915c23a31ef3c8b36cbc20df99f0be4af200cadc4be04de5af0152b9f95e5980a4c94efa65d86d95a7d9533c643f2db6a9f9054aae02a4b9715405b6cda9062c8edcf925c8ee3eff1fdfdb29117b8ecd6bd15bcdb82977286bc771991d11110941b3ac2c5091249d1867a8ec1fd63415966c4cbfd3a686fac9cc89212dfdc6d980665c5857d3
add0045cd0a7fcae14a929c8672f95c5aa8fb24af5fa88208c2ecc5bc647cc8e29bfd7e27ab76509efe431c13fdd015336f36c1adccca0def73d33ea6e540421b4c54377f4c4ddb53ac33b2e547fc0dcaf801a8be09afeb183a3eee9f04e935296f297aae794d42ff0fa99d5a4a80989f29738c30d7fd66ab2de83d6409f7c09133f3b6f77e56f443b419d42a814d86d8ec4f6e7fe3bbeb7af41cb7d4956be1c5668c6bc5761139bcc3a4a15d6d8c904a8877f336643abe7da978ec24c59e991502c4d7912f86a77d7d2f10742fecd1cbd3758d69989af8032bd91ca0ba4c82d7883a47e07bc6990e21876bd590df875ba7b434f53512be5e8e069e5fbef1c09a2e78946f4bc93d067f5e5bbac905fb3ebb3001346c40270998de04524d1c94959b1c0a4a858be5139590d5a082763b98de9f9871238494d985f8eb9a063fcb08005742a4675312f40183a2a72a3a230c2655f4bc880388a7697ccca97be15aab36de2c275963b4650c636112800401c6aed61351839fe1d0716c0e9ed48c16015dbfdede31f614443f10a52d357fcfb884da7adfcea1787de1aae9380b505189f14e50d55f297306fae7f7ca911cb0a11b8c17c64146dd1b1f20092788f90151bba09717769a3aa09e8fb2474fa8d7594115e8a6e4c201f07692f14ba61e295c029e379a6337a6ddb24ce5ca6479516131784f727f10ac32186e1b5a7cee6560b5244a68bc79049ac92e97f20a9f1c0c3243b8efdc25599fce6d2dee1658e8eb2fb82db4c683f814df56f3c02dcfb4061b579423db569cf6a7b1ca97658b8884696419273320e7d533ebbcb69841a73bb49c1fd4b64730808c08e9672ca774010c6b23fe3b52e5d23a06023ea3d83c03a75a8d8bd0dc6c7752d120c68e48e69dc32cfebfc7d33de0138d7f0b6eeac085381f6daba83fe587177db68a6d789b1b0cbc59c72caaf525b0948f3034181a4a8a9a0c5a854b41ad44e987fbb3c7451fca963b90148445edc4bc7b53a821992bc547d06f14dd456788dbf4bb3e0f390a4df70d67fdd906b60a4abd72982df615ab711e1b564fb29af96a217b35453fb7ed9c3ec684b9cd6fd6bacb88e60c39eed8a95baea27af6ad12b5525d91a3b41ed009d5e87683a2d7cedfe25ddae724bb60bd22c54ebe8724edfcf6ad0cafa63c4163370fea7565bd7e12875b77ece62f399e594e3af27f75dbd14b7ba859dbd6b4480c6b9ef34dafdee8c2b36d28e52f320e9f8f3f635b7eb03e584f5b376dd81fb1a41316b6ef01072772a33ccae1c43c5c9e22435badc3d8ff28864a39f2c0dc7ac3d5feba33e70aba25e0c49084c1710078e1cbb5525fa17c3e0b128fc45028b6c266bd3ab04e11a6fb07ffb58ef4f6dee7bf2ff554b759d35b50e0be22f7eaa325026528218
5772e08293b0dc8bee4c8d7db097556e860f482c8c3e9b6e864fb477d45c955ac82f034b397e6e75a4404637f0c61d4ed90dfe15382e85ef48e6fc1d248dc1b943dc4fca20568fdf634b9b0baaa7874186ac02a887b0344275a985785fdf59b3a71d3c75b275d10d8b591d6b72096a77e2b996d0349dc4d9c54830616c73e8c48a472c4551ac4660e196d38e890f7931c1d0cd6d90c551315e85fc3661338773bd4a4ff861f0f3e892fb4d58069b3ad97b2d1bfd72ec44e4a295684d1422b30e1ae95b5c1c7f275a75dfc4f7a1c2e3bc0f0f42252883992912c95ffb334b1878c65a4bbe1e34f926babb642924229b1021f326c8a50e5525121f49dae936dd56844d9dec93aa1435a16574ecd414bb039032db875a2d729d47a3d8f0386fe9b067cf025b7e1dd3341827055ccc88677999609ece87add06b2f07f957703524e99aa0c3389741b14233b5eded5af8e44a47031803ab23f734aed4121ad93b12e7f632733c2b57219ef9879b4aed4af9094a4924efda16615fe74f3585a70ed067d38f722541082ca2546b032a991beec9efdf6d055f9cfe33717ee55af6b33cf61fbff69b1c1301173d20a2511249b5c6438cb510b36c54c7fec67c3bff5cf712baa3a2c36c415f488e883a4bec4c2a10cb3fa105d1aa3c829ef6967ee6d6add1aa9b3a88f7a6e69c4a0cc253f17902f37cbbef417195127b21d4fc95848312bb82992d5a95431aa8eaebf16e10a4030ad676d5f29032c611fd5da2d4c887433bbf3280d7d0626989ad5f31f5bb8d85e3d83bafc3747a52e5cf844d6130679d5893f9211eb9d09d1fc90d83fc56c5809a86c055c14489712ffc6606144fed013bbd2795bbc477afd5712c41d2a23ea998f73e5f0f6ac6c5a7debdff6f978295c1385d946e5e388c05903d77264bb45db975d1a4aa53d6e76599507827b86ac522a63f999d5bef7c517f1c8a80027e04c39222588e5b405576b0c2a902207c0d5cd38ff267969479d0111c21fe4559c4d9cc5173d761211b2490cef996cfd500a457f774f2a2180b1e2962851f8e50086fb27808cb4e58d835124633238778ecb04dcca45142657da5766f2cf330cf5c8de8ae869036da37cd3e43291590c3a22df431d2e271c78d3bf1c2554497ac43523af157b96b799b8c52fd5a7530c4065c4e23f9be087d911d9123ad6193db87bf4bbac1c62d1ef5af2f12e86d23342c14e814bce96b58bf22957152ea290ae0916e88beffd93704f7895a2c8a329bef11680989dd1d3e0aedced41acbf80efc3f21c71c2c1c2e93ab1d9984f76b70ade85a391a4bfc05192b2b773dd3209ca50c35be3344b143142b25912763cb1555faf6155e83e57cdf5f0e4c0d865d297547a6087fcc7df7e4512f4691c90d25b1a8693e76b4ef8dd37f
8f93e982a2beaef083c4fcd49f904b7c9d1ecd8bd2cb56282fa90314ee4f601565c497557d4d3f304cf2dd67bd973d7c6bf2ab1c4027d207218b71f2e19622c655689f1551bad47d5d9537a48cbe5a2c3288413c2b458deded658a4f604205d58915514bee43c783082d656b431af8b2e29db931f4a6871a587905571937c7e08b2080f901364f029bbe175d1c317abc8048461b717c36afd3ff608f6242c0b256cb5fe817b87fc75d07cd0e477023ca620c454b339557802842e5d60ca94e6cb89185ebccfc1b34b8a00a5ec56d350581318b8dc021d85223cb6a07bc512885577763c99274ae4d295514b94aab14ae0d0dbb9508e2eaada54a66de04fa0d848ea67ced8d6adf278a0de8ca8bd6f36ccff7cba1ed67e145201d5258b40bf1ca99279ecff9d78ee85a88276e5533c620e80ed6c7c17a9a12b03f5a740c37774e889de0e0761501ae589562d3240cbac3855eff6eea626f2c64d297e9cc97dc739ec7a7cf9c33b54055e630c8a84887281bcc48e8b4caf4054fac8ea7d0c0b06f220f80f9f141346fb8df194c314104f623b44621bcb35443346ea09914a96d6c7ed59cedc7c4ce71912bb8dbf8fdcf13bfa13080ac1e04bdeb46c5c57be88db4fe1f7dd916bb44a34afa1902f502587d7f910eb91fe910f359759975a7748fda76d42bb488b0c346ead2bb433ec158b1ef83f1a65581861656a32221f74598e38217c9b39405221c74b16682fc98a52b1e139de85e3b4329609449d4dfa4f21ee40dcaec4e827416f3636203abc837275bb08b69e55fd274fda90c1cdb3482c47ce59523e136b2302b300bc86bf088a6952a56fe1627cd6aecdf5a5260f78c4a677ed1a21d8952e2e161a7378a181479825c437a8ae26bd4e9690b1f18086decfcb311b625f40b31082d143c4f0e4d2c61cd2bd111d35855fb2ad1fae254175a6ec2c997ec8120b1e87c132d477ec5aff4b011b82355a2bbe72b7b191e0ed3583900fd1ed473a11ceb50b218e064ab7042b751628fadc59d1c5041224abce2e3ae008a0fef5efbacb160c2b5a712310012ccff9d20bf50a7465b621d860f73af8d3f6c195ec548d31e13a179a21b0ffaffd762fd48fb955a6f5a97632c4af55dbca3ff6ad479600bd96ae31f3204aa83407f8b8b1e16e497e26d6b1e64d45d8e9ecf7a2dde939cfbca025246b7ffe29fc2388aae16dbe4577a920e00c27975174d0207e458e55f4778c5a9e62954645c322310cf09fece830043ba6b437be2ad91212c3d5219dab65d10c76052ee3945fbc37ae320b016cb7052911063c65cc5ba42bd91f62371a0fb6dfdf5f79d179cb96e21b40a4bbd95847055efc523e264679c8fbdfbd89608a227e413619536ef2481e9b1e9c888e0c96a0882e9a0d3cd8fd3a152b3b41d8e
7c25ac72734fb31697e42246c33392201b5209e75f148ebfe5bfaac751ff30e1c2ff276b1b55232350bdc0183763833429e3e92d522fd00e1a6db089b89d9ed044886d9c6574b874eebb5d0f53f57cb97172d09a93c1ef21676c24143be15dcf7a9da0a9dfcd864d029065dfaf64a9f3aefc34598c40d374a79bfc1ea338f85918e1150aa97794932aeafa662fac1ecfdbc2aa798b1b73485a0d1f5f518e05c1f6625756237a934e5e1c8b018d349ed85f592d9294e5a2a62b90f76c29e2e031fb7c2b0d00fc6ce1f01140c3c9b38e5e8055b05eed83d78f1b8b004f3d5d3eaef72bb7e007d99d74b0bb171aa057bd8f61bd370c2bcf8223a236380fa5e509811ddd96479126cd358aabb4b3260c1a18a94e108ed69aaa11e9518c0ed7e3e57aac3e8f515624b473700777ce1d04bb181d4e184579eead6c344ddc948bd8806e84dc0cc9920d9022b56bd040278e3aab3085baa8495858567578cb3c6e4f923e2a342877acc4d201ee570954c39c88942aecbb26a9536d037c6ea9c494f837b8075075d6749c4bc34c0a99351a488367a3b04431459ec541372a55dedf8fa7f82aced1ec8e35aec3c7e5982d764625e82f5180cc2a80f9320dd83a69952a3058dab1afe582877574eea63f0e480e4a6ac3f97cfd767603b9f3f80599a928fb07242a3bd9b351d019a22c5a1a3e0be03ee2a196fb5bea872ea5ecf879347b0e0a90291d99ea55058df72d2968bfcca089e3aeee0a1dedfc8788384daad697ad0576a744182bfe2753800b15864a858979faf21e447548892c100fb563a6b30d6d3ff16179eaa0cdd1ee1e0fc66d14c949c88d6ee66a75cb200656be83f4450ca6c0dd082df80c6ee04a97bf9e70007fbd80342b879c2b84c7b1891e6b53f47e5b935247c67bdc86cdc14c86e138282c61abf08dc80644aa56210c8441d2a928c7e0114cb9b60e13b40c9439a9c45c49296b0b5965ae7d67062ffbf9d41ed4159085d00b6089b0ce0bc273a7e9ce3f2ddf551f1b3c3665fc2d10dac4e2474057634bd8f416750b093ea4ee6e2545c7e8d6c9cea3c6f526aa3a26c18bbb9843cdd6a13a07ba65ff28e54b30ee85adc3436d63bdcbb27f9d0b311eee89435baffeabf61eabeef68adfeca8c90c075e64f63d6b2706219bf37d32ee804a42e3893470a5a2e2262e02cd49d7371a65bb54326f1a770d8d497cc47018262db5bb76a5d7176ed4f00d37ab55cbbb09d4800e5db5f4e15bdeb8922e4841c6a69782658b1bfc1f8571ac40aef4cf29573b600f1c8ba9bb97b1a52938bb1badd102c9b886b13da8ca1fc5a6775fb2014cbbd00d44595d9ab996020e64993cd7d0a7e9668a736d9383063a807f455d3940cd60a778308d40f6b4b3f6c44a6a7c384ce205f7253fcaf58fc8722948
27aa0fdf2acaa80b13901a39b54a5c4068fabd3db4edb01395abab31fc93ea622fbefef1f1be3bfd3821f6324b5f2136bd859a73bfde1c2e1f03a35e39e511e9d75dfcd141961ac295731c12650a34c3d4ae62a520597c1a6796f0c9837c1d1f6f489a885ec3c817223c9e4e00b5316326cfa04ed0c96ec2982800f7e24efacb9d318eed725bf09985f568e2edf9cf339e0955e07c3d13c46d390977dceff5ae53574cf11d0bdf761e0a63faba357cbef4848cfdee7d6c4c8d0b25726272fb16d91b644e2782f24f3e9c8f248590c67da670854100eca4152665c8a19270feaf30fc7640a859141aa7891b1f31bf4820de7b9494c1eef30b82d51772813ab49586e15d60651e679325bd92fbd462d85a44bbfbe2784392881c5049c047d8fe58d492948189fe172b1eff1159af539a1a5e29930dc6075ec1cd33828fe3095af3aa657f58b2ddbd714d2a3fd9b4361222b4ac303421a8f956ab8999812d6e48e9b232d3a87d192035d90b5df5e02da633e0eaf432dc1c9a695129e6f43d399a7c9415455e022426c28063da8084fd7019ba2674da9d70f7f6a821e46f6dcdd6680c9a10b455626a7eeb736aa57b4a22d42eadaa207a517c8528f030920d778f43e61eea485220dc76c39a987eef36f3134cf6c11fb4cd6a19be039c8c6c30f69228b045054f5e92a8f682448143b0c94065d783f8b62365002a3cfac75fd0b4074a35b704a3de7aacb72a86ccabb9f5d03357f41728fbcf954befdd68a24bc29a5b9177cbefcc9ce022d5f64bdeac623b30a53a8de8047174be91f54bda1ea8f753aee703a53e47dc02c3f84676b743c56fd2b2516ea9f2fd4c32ba085bdd7e39ccc47b6b0ec9a41ce6b5c35ecb79bea1d47f7088963d2cc5e1744d5a89da8fc5f2dfecf5e10809d28b575c32536e6057f22e98f53c2e5245c633c2147596e75777b707c670a8339d69c4444979a291bb167f4f410dc17cc215ec3cee119869821cc925f8e432689eb1b73e31473eeab613966dbb11b0f3749ec4828abde9f28044dbe4437ba556e01f16f68a763b7484ab8ea0b14263130fe1f00a1171396f1ca7a2c8a0f495a9731a9e37b50cdc9fa88bd723a572002b07a7ec9cf93fa6d0deeb97962baa2b4b0e31cb14630968c9690ad0d278a893d1c345eb7788ccdd4b9337a6f5d2d70c1f28fdd9a1270b124f7772e843b8e2a849caa11a3689813b4ccab6cd43276fc64d28aadf3e8e7b3437c2f5c8a6f3ae9151c07d30860b27c9d2934478f10a86bd583bb4f2ddecbe23f4edff95ddb2fd4fc9d7061dd74f4bbe620acd61874bd2e9af9f70061d764a87c9abf3b7eb296f7a0edf17034571b7c28c43edfa27bc5a3e0745dd73e22d0bc7dc4a7d110bf2158e9bc9c8a8bb7b6ad1ab7ecb68f47fef387383
e8794507783e03bca6c9b671b4739c0f11f38664485ca3712ebc32f613ace20e734ca5755b940d9dba51d342f2611ac2734b20353c8c1075c7661f85c65e86fe92405b8c2032ba1dd5bca75af90434f911de577093fffae2195fe621c74b3cd8558a7cbb49861da17abb9fbc064c1c4955f8910107bf2989bd29fce7976d4500f537d6e233770b8022bae47c133f5b89088847d0ca3dde83547d8496c04b718496637c54b79a0503487f06e91f082216cdba4ea80b572b488cd69982e1352bdc9b0e544e068f73d1dd7fc2e5f5c5d6ebc22a0e6953c8b196607f12e9e31386e584ea5210eb666460b36e82bdf986f3f8ca1ade7bf79b9dcf1a6a06fd0a2f51271124db1ee9cb39adad646e20ae318e49b7aa8dbaae5f857b63ae802719e80105d3663cf006da07c9e06e0d40c7907f07fab03ab70dc5262a56e04ac7756b0fcc89b18c67642732341c25212136b9d325b324cb197612b30ee9b9f022f04ff454000858ddac08749670ba112884ea4b2ed85fabede4b892c554336c9451bfcf36d78dbd9ddd9767b550d0cf7ef7c264fced822116991445e717c8d69e975e3d9d541ceb413983a6d96426e62d2a921ec7600dfc3931f32d3cba4e51dde53e212fe07ee159ca4ade9e30d09f7c2b3b0fccf6d187d589535a3aaf209732ac42fe81cb00a889ad8b9bb75f1772c18b44d3f4261af589eabdf9b8e9b469096b41b2b8eb98078c9ffc798d64f81d043cd3f66744e86416cd4bc5f71f24a0311a4dd0fe4fc510d832680b89334ec7ff9118b7281928d7e4b2932de5b4082a677eded64c7bdcdd467eda1fa33b62e260461124d865452cf7491f960dad10a51069ba3dbb9f083c434789cf69c8902bb4969c5f0647967ca12a5f899352b3b024c576f8ce6b7dc50781f2465d1737765f056c72428207c2fa19fe1d3f2b706685cd7eb1073d491e414953322ba3cf13cf92dc474f6bab9d8f313475b0394a48bd78677a6451ecc945bf4fa497e859fa682a01778728717fe908e3d48bc82db826d9703bf504ddb3cb5c84d38ce5839caa6207dbf71a12d172c77c1ee024d3be331d0cc96a67927fad13efc14227e0ad78119d6880733a4002e3cb350653fe7b0e4958b0817599367aa6411da366d21aa606f139a3285e3e74a0f40e6bf85638bb03280e4c027b39b35b2703e15436c613ee72c7a0674a48d4d20ca92a0d425ffc8fa74835fd405406b282bd33620b314351e7f3e5562cc2daa2dcf5231858c7359c97a2226c8486738b22197a015ff487b5448ef37ea634d2cca81cad4d61fefbca05390bf40e7f27115c3229644c919d4fa094642bf85294640c521bd5a3e2141f97205757c4894997b5daf67a4a62dda7b38652c3fdcabdfe520508db54ee4c17f9385f14e61f5d70709935
6c979cafe94e6d298735f45cdfa27beb45cc223408afa53003f5541b066e5573171b00d8d53bc4396853dba190411c8b8089ce92b632bd48ff54840a5dc25965d6e37aa6395925a752fd7ebfce007bccc40e14c6f8f58304a3d0e7dbf03cbb5d836b17c3ffe71c2456f7f5147154dffda5cd403165913bb3486ed6e8c15b8a1e221a468cd0761e8d2e615721528879dc68124c5b9122e643ba77050542ae563871e048585e53bfbb4b34694916a917cd822bb773569b80fad04beca3bcdc4b58003fc2451ceeddae5110f5c836b759df3a096d0b577d5c337c584baa1e33661abbf15888a07e9d77edc465a39911492daa3a7f3854a081f1c099055ca034bf2c3051a3e3b89a3bba56d7d0394b8dafc4a5d32d6a2e9a459a72a5874da011ce1fba698bc5004fef10eb9174955f8c2e8ebd6fd879304fa0261631999ae144e904d58af1f8942dc9e5ca7f4d9cfe325e21839f1a5416754e3a8516c8cb44918d614060a876dec4ec9d178553af480f2ce021419e34c0c94183c6d69518f4429707ee433551cece21aeed9871baa3f661ee0c9d188fe58107842664dbfd62703be0be82b8434ccac61ea1e8eba609411a4e8eba9b5b706cafc22684f7c4702a8a6c04584f95f62e4be8452920ceb06606589a502c41ec5524daeeb527b84af3eabbea7b4cbef34b62a2503f32ee7713668e637336e51042a109fc7447f0c5a29b5a8daeb2347cd393f097f57bc1f4cce1fc8e2f4d7df8e1962fc8d60ef1857db7040147606d0ab30e6192c549eb49f22d93b3ac7dab5c309746d564db0c4b2a7298d9204d703cc6926423e0ef97fcf64dc459b3c709e1cc8cdecbd9ccbe0d9767bab9204ef39273aed5607963a86db08cd32d7294a1167404f0827b905a0d9d72440b221a637094f2b9d7a278356a10ce2791bcd5fb948c0711036192df7d0d5c48d1874351d90b385a81952499fdee3d0feec349b148cfdf69ef89b4ebe2b49eadb9a67e9b329c8106ca2ba96919501820294489a53721d194571c01e21a3a742862d0dcfcc80ad2533c35d68a40b4c052ce26c6ddd1e99f1d195534858ccd4bd86ebbdb9548d00dec3e65cd5e99dd701d86452208d00dde644c74a928ae4014e22c40646a5cd68ff740ce9e45a8df5cf11d7e42b7ea56f67ac9de7f581eb01ce9951c251e19e9a8750b4b08742d94582cc348589220beb8630d293d8fccac127e160da78f942d86e3b6ac03084bbd5c0d8dd69a6d9dd81e118ae7b703ba2bd0373cb93794f10584e0920700efe62c2c3fa3d3ab5ab310bb08eb714d597a531593a283a56a195e61d190410e9101cb3eefd7ebdb59c72735bd614a50693b8b5f8d60974a2886355ce6ef33290cfb0fa4cfef47db3f54742057dd6f449dabb06806736e96587368d0cf
2cc8d6b5d88c2880c58b60c28dcf8ef8b8183348fa7c958ed5867a13a897f830f6050b4dc6971bda930a175bf1e8922471362a3d8924497465c5db18371bf6138d7d43599eb498bf42589250bf81a17eac6876d939939b377c5a2d36034d0946b9fccce67b753e705ccc014560bae394f9433bce16b8eed5cb857cd575b4bf406878fb325cbe98a0ad637b90613a4d4fb9c59d9885f2c16d44fe43a5209c49b0e6c4d300f5d7cf93d3aa5483c5884c6a457d035c1a68c4f55ff153d8115584def9cb093a5fc8176f57699d9736a63d3dbb5cff0c286985e81026ef6ddd660ca636c4e2ce29b85e7cf0053850ac8b35ef628f9d26aa7d43aff1f9bb4bd4573df7fa4594aebe69d7f9b3495a2ad47a79d430cf9853c334c4fa0808dd39cdb61a009decb23137377c84422f37b2d37801d7cabae0ee026534d57111a549f872ef6c401a9f438da15462b8ff7b124a18b04d3f9f5f5d9412dd0b902f455a5b91e4eda472e2c79e09e6595e3327ff1fa25a22abfe7249b3b75d9d3c28514a156ea721fab6a1d5ab86c6651aed8e4ce344290bc50191a9827190c4e111cdd866f1218e0e580b4677e2f3dedb97b62dfc1707038f562ce1b112b154a008c87e7d7e0d57a54de120e06285984db8837486d9b88208375ad5e672362d6cfee921b4bd99f3d9ce654ac9746713ceba947d45fb77879dedd89cfa09ef8b36279a3966216bc7e6737f8352d6acf7839d547e6c8f60197937af1ef1c40d7a8d68b37389465c1a253f509a1ef224ace5d352a45103638b4aee55edbc86b4ed1b8c57bde8305ef11ae3b7dbfda735141d5c5109ce18cabccb84b84af3f5a7c7d15f47ee7b2ad7dd16165537e9cca3a286f0e1c329ea9aacf5e7cbed343388cbdfc846c09717d35037a73c48e0df81e0a743845332b783185824e43b09e4fb3c3af605c568d967a679086b305e1b20e31d83627d5a186fcdf6853134da031a6038f8ddc96b056db1005c4c9866ef831e20a14e29395102f6aae11bf7e9df48511dba8e0939362a20faf369a7848f12e390d89f5a6c020d43b97756fb4d9ae1bc02025fb5099fac5e5c60eece74b99dc3259abb6fb1a28bb134f9cf89ec17cc0ce8d76575c3e16e59e48271fee7193354e41affea19b6840767244b7903a4ea44d3c541301a6db9aa403dbc7f961b03b4e253ecf4392e1fc170b81a62594157271dd89825510c10c502603366b4dbef6b112b7a2c68f50f189cbe6a187caec6abab643abf8943eb2889a818f314b0b7dafb178b2a4898efae1b18953ebe25a503024c9d7cc61213d332f76871dc6e57b42ba6185fde1926a745c8660f433b16c10262ddce1f4ef61440e94ccf4ec05c68a350f7fd6bc53809af8296005fc48ccf4681eb6387d0830dad5cb6b78ea04463
3e9c07714d5231ff329cacec19254403f55eb1064b9d900babb4bdcede3169bd43c8205bdc10a33bb48952afd1361e3dcbee0928ddcefa310f262abffc71a009b57c5bec4f8c7376813f5858712d46a053dd4cb4a7b3ba6dc5cc6f14fd6ab8a8ff6842972b91f5478818caa679859639ec8c8d4315a4e60634e03b7d38f638dab4724704a4b1158a0ca18f353ab2567cc3c4af0372b50f2457fd58791aa15bac8f0e089bb2fccf3616df85d579d99dd36742c5636aa79a0a81d2f482d5e349c25f53466b8590deef67eb326c67843629037394937ab5f63cbd9b005fcbe6ddadc1e42607a8a9ebebfc0cc67102d78c3c30fa219f054f256fb0ebcb86dfd1b53412cad52e1b1af8db229187c0ac79ec7f694451705aa508baf79dccfb074a08518757dc1b1ebb6b9690dcf987c1e89192b611819b5139c1a387f111b99f64443eef1a174289e0b5a5121b1e049f34c2bdc44375852269ad6e79fad6ecd78400d788f337a8c6a4f763d51cc7acafdf26cabb4f2d4c26d7f041a876e74f600758cbc497fc3ef5a1562af0047a278504f321b219e81af6130b0a0c7ea0664e6e173a87c3bec8c9f6bc7648a3765c2e04e62f71d03e12f97c971f63c34f2be07d8e702744370e818a690ab2ac354dc43d0a57aae77897679665d14f9b51e74856ef47548d9ffd8879ce92fb17b37d0e82927901fc93bf4b83c26584150fdb31caa28753bc146a37f4ed3088461a79ac84d4b770b0379b303efe3bd29b03642ef42e182571943f99715c4e836dad10262e0b1ac46525eb5a04cfac7fddac48482e5144f3be1eed50994371262df1617e1c339ab0da7daf130cee62f1d8d29cb4d3a80159dbb4c2d76468dffb16e6f0121b97f63639f9833656b0a31882eb95de199c7a82eb9af95cca03a4cb0b16c8757e4524b9ddc0ca0defe255411ab47699351ea8ae0e06279769899c3964c71183850e7b17c488567c74547242b7b863c6d6add597b46769a4eeb41f383e79c8b186b77afca4875cb377809dfafe197e440d07cec9f1fc2d588d206282cec08ca99ec3b31bf38102a297ae26804390ce1e5a3f21771a9856ac0ac9d94519fa79b4cf9e09ca292f8f01c1ff6f038cd8f05ce647240ac71bcd3c1f1e561705077ae8551d218bba050ee59fbe09d983bd690703cbccfefa6cce9535f0cbb9365eaf1fd46a823f254d143c85f9045cf1a4d1432350465585f888ba1be810f479a97f1691530145bb5c0f77d01f607dc801ee3a2a7d1f5e1245183e91ed4170121abd7e7fac429c1476fc332e7d9ba5ecb4a63cc9bd343ec1104abab38504706f1f53bb5bf2e2fc2393389144d7f3871051aea5846c976e4f7d4f0b73d8299f0a545842eda16924b5008e31a5306c961f7dd9d00a428c02f8e37d0e199270
a27515ae73472eb9d8b20ce24053873cd123250efac0c95b86cabc4b096f0df6c9f69fbec30489b0f1b53d81c3331a2dac9435eaf7334fb55e0127b1097adcb21b38da9d2d674de21b836e836391f05de168fc4fc1d79c61af1bb79d88b422a9219d00bbfb997cddc992a9a85257ab84e0b9118069c25bbe4e539f850919b6815a776b515627eac1069d2138c7a847cabbf7edc86334a98882d9eaf580c42ea2ce1ad8381c35353184740d9f2d0e4e6d2f1c5a62ebdfb4aff0ab01d78586afa3b9975e32c270547e0eac603357a92686ed42fbc437535d4cbea0e67a9d0a24d30a6e0063ca3d7a92c167c2b3a5bc16f0bc7a903261df582444cfbe6d584549fb67ace7e358252f0c69d3c2e16ce07ee39b66ebaee381efdcc7eee9a45bc9ffb0a1a834a894093be1200f2128cf5de140ae726a569570ea1175592ed2708752425c165cf761bebe4c59e55deb288a18c7a034b71e9a352617d417a0b7008404732cb1f5a5de959ab865301e6a3526dab2ecc25b2f162abaf3e851e945a31c30e09edb32c65ff7dc25d76dd2a146f888ba0e2367c8479d5be598125a6d57e60e6ecfc362c61d8066254297e8c0854ecdf8268b83ef3be802342be14292d51dca07937dcb6a374651e3c54dbf3e5d8e8b0c956e78916612c6aa0407352a5f4fca1af086c212659a6493081ab05e5abc6a929b1c5c3a9e375cc8b5067ff145830d9702c7381ea21e21e448cbbbf19bc5d0efe82c5324bd15596ddd7a2e7da4f1e4ef42baba96fad664ebf06b178ae923cd76d0f346ea3cf090aa209d4e2cac9787804af2daad3436ea0ed675e75087a0e3e861d9e03cf1b43ac1354d525bf4cb0abb4cb5e32a55c8ff0ed9e109e10a97c0d5a651c0e066a7e11173218b17c9331d94a98c812e23afebbcb915e3bc88cd49dd74d4b63a099fbd2a270f1edc1c23ba93f2d8b0952f958f7768f6a5be0f4843ffd7cc0334adb9f21540fa356174b7f7ff9537477f78b8b5cbc6d59994fa7092aac0b50e253c9304904754c2b848141fe57400bfcec940e3cd4735300cd2970a8612de4f35571f12e77cf3004112795f38bd7344686fd378e14cb2a59d0f93f02ca35d3a13ee66be128f5aa341883b699a87365f15950183681a4dbd7626cb78c2324e7ee1fa5823239cd6d5b4851e06c7e4d1670117b7935211f340e3e8b398440aeb253c8c9c6b3ece94e33fa5c1ac5b9559bd485220b09494f82ecf4c63be96122864c6ac4595c6edb38555bafa58627ddb0a64f9a2890110a44a4a75ba83cc1713d316af0dc15105d7f85433db0fa5f3c1cc27f8b7dc170f84fa476624eb5ad8a9f74aca45bd638f19adb63203cb60a1cd61e1ca386267455f546a985f6ae4b1e0566daa33acae1db01b4cb13b513186038b5e2d08b8ec
0e1a0619b0c0de1e08ebc9076c25367bef919287e2d105da4985a45cb5bd34557f55b3958fe07185b4315280406207a4c28f557abac99b93aa6ec7615a405a83603e8900c013380ef8ffd7c5285bbb976f5f680cc5e0d67948f450e47c5efb3b3e4d252060efa0a1e4310bf5487480586881f49676e64a9b1b3309d75aae70a3fa8a967f0576b18477e87e6a5dbb9e8e1eb365c3c12152f140cccf6fad11218622053e7e8978712955c4b537558a5ca9ae6ed0f6d20d3adebee1c1174d990c97c6fd387ff527c3717fd3fecddc2379015461e0ef1270d03810bbd44d03c9548744990ab84df2e961b272bdd889bb59e588d0772dadb5e41461331e7a0d85e065c4016ca40a0b18c6163c3d84edea32efeb2cf6123d6b64d0f6b980f89ceb9caf62854fa1d026c0dd965cba5216b7d2755fa4c7384d77d006bd0bb0db39063dde7a6c244feb5d745c48a893f3f46ee091e832f6d114dff8bc0fb8be91060c28f2ccaf6c3aa3d066e9579829a7f39f36682e4e8e47a9c0186e1528a97bc8c155cd0b1e2ef43a6712fdf84546e84e18c1000e9dcc1eaa7f0138bad6fe137be123a8cbcc399c8f49f3854fcfbec9b7d034be5cf7b9b39c804065fabcc5dceef8ec6e9cff42b9aa7a4135c9e42e4da3b8c7db3cba3cde41917368cb3d2c50ee9cc81e0983312d52c116e260758270929980323ad9eeb5b29655674cbcd7a77b12cc6a89d31afcd831720b283449cd87cee6f63dcc55908f19a10c97e264264cc9f14264d5646c3728b63d8aee045b4e4a4f2bc9103b81b5ab97729b083e849a891f27d4a41f6f97a85c81f703695b1ee5a45b8e95a8d58b4c8efa5fc3f6c10cbd4aeebbee4ca7a1e2fdf197d8b01ab64c8808846f374f1ba9aab06f0be4ef6537f4b5cde1d41e281b45dc9f77b8e9ddd066285c5088d9bdd5fabd6ccfa6a138989c214e87ae9c21e28e0a3892ac267f3778930833d90f7d65c33c8990b43b18a30b730b82282a933d22249706a21e516f4144e08195c9aff5056c68c3cb78fc246cb255c3293254f325fb4149977a1c8d1ae6c17f47024ea5c267bf2fd52f91c42fa2477958683e33cfbb2c01f42d21c7cc7ac96ac9fcfa030030ecf95b97569466adf3663c4ab8428b10e096a03059c5db55b445c486dd0750c6e95f3b081492d193b4c3d879849f1d59e558d0c84fe46e97f85bd1bd158bbcbdb5058d66e10f4b785ceb39a2e0940295369d58e4ab3f9d360ba1f08a1306b3e4ab28d14d0652ebfa8dd4011775dc77410d296e0b9747ad446a851a1185f82202d84052e1f01baed09470a0742722224365f0c3ab00293a84643568b36c2a9e9db2f723b232982a3532647e8cdfe45f2ac4b348a7ca5f1b29b199c9c1eabb9b475d30727adfb73c5c631f75c030c2e30d
a1afbc0991bd246b5011e1c3b1663bd0d24f6d135b3025e6b30b0bd64c323b02376de98cffc6727ca9f12ce4f88e99ca67f1eed3260e26596a1c1464674b38da151b470f501e6f936820448dec3bbb564e0ce79ecd21d3d4d8f5732747e3f9c14c7bdfcda194d50c6da3898b1fe9f65a06bcf04bdb0c5ef86b0358a9ee8786e4f20ed30535c8057934a28bb8bc81909a779ac3a5ae9c82021b700e37b2c9443ed2af742f97458ea50ac965c6b31d5f12494bbdf884a66f81f879e4b1c9e28a191631ab71c7a4672d663d563bb0b62c82176cb1c0685b07e662b0dd0aa66a1c36666311e9feba90be9479b38a268a94ce26b992bdefcf04d90b85a7e1ed30883acf162a504b35ef88bcfbf933962b804fcd5850e4a23dee62f2febe03a63f6074637e75dc4ac3c33e2a8c0a794c0f7ec4a2eb99023ffb398dfec22bc0221ab320c11a004042775316eb0fd5c4697ca7a19de0943323bcd0c566816299810236fc9fe576f41be808a5442ff7b1cd1a4ba8f1119b6191c1371c75c61bb7bedf95226c0aea22139777285324f052acfec873de5da629a99c75f8ef70ed33fb47a2712127cb2d6b79e23657dff6eb4f13903d9e0db788b268d94368d332ea55c067346b2a13fdecf34e57ddca370a3d86a03f2e93a88c71031cb418afe036cfc35b532f60416d0005811398633af0015a5ec75f47a0183cdaa52e92a5813966adcba1e784c539f58d136f6e25a73dda0f33507b11f82a7bea1673f96d702065c87ee6408103610ddcb252a85bb22a2e34cd136b9720a8747508f5929908da6d9b2a3377fb9363514b24fb17c884067bcd6200614394eff78ec3c62660c006874c7a595149fa25f0582830e7484523ffbcd3094c0d08d22441debba0400633f4081c7306eaae9b38044dd11da2ab0436589a0d244aee003049f0e1347799679de5c8ed8f155cf648093fde2933fec97fb69df07e18b6984f4f4ecb2bcaf74ecf38d4eca96ddb692d977546e6f26e52d45c2a7de16b75fefa3beba96b36741591b46ba24df1a8de44768c41569458acb8605dd2edf305f00982079c93a6aaedc955992166c367476dcb8fbfe7f86c4446b5b014fda58d49e0651f0be952d76110541849921683cfced3178cb15f9920d6825a865302516bbc15c32503855658844a6b33767d712f631523ad7f56233f55025950fd0aa9732266243070bfaa7136f3f821169ba3d015d71770b22fa46632079c47a1a23e9c53eecb1b3f955bfb5350214687b1d943a5e77ff937aac9424362ccbf6eafecde9661924ca33962cd2ef9796b27248b20779360ebe11a3bf2d4459756ce235880b318dea65f9bcd7fcba6a33de5f50cc27047e492eb138cc4591ae1c5fe34cf6d3a64b3eb0d02ba2d22698e8678cb8d899671544e
de6b8921145a2849fff42b427aca7f7bb243d853e46ae18efab9107179ebb86f7c8a81ea015983273f2e4c29a0470ef8832ae2c214adea2b3f01936a3d2eccfcd6105d04e7b09346ed3aa304c2db87202c918658f431d579f6946f51613d395b984e7567b2d301ca8b2685bdfa0833c643008f89dd20a440e5b244af0035d5925617ed84707a5473431eb61fca3c5b10de22400a2eb0eddcd8a5134c7916316366e1bf8a3020739cedb85a4dc8aeed1282407526dd7da644baf2034e29bb6caa05374fde9a9109eabebc0482bf4b59875cb120b34f5e9ee8a0b85948e8db59b5fea4bfcd3caebfff3aeec731045ef384e2e15770dc759df8a09cc007717845c18db806f075cc76a2d156dbbdd3876298b677c31716dd37b76f4cfa635bba9898afb11d480a825b6f97b1515fb0b8b6e42a63d95122d6462c951a9779b1158de5eae17db71e3f2bdb86a4f09da628d828234a35eec94352e1388618f78b5f1cddb4753e4ec94204c36cfc9468d378d9ccf2333c3ebd4c04788de26de37989c82bbebf44c64f9d45a1e662fc25141f41bee53d890de898b3e699d6de74e2e1b90c606753168c893730df2a00cf624c3b34f8cd4a43c4ab63ea0a6ed7cd52fc5c6c68a57fda3936cea35f547535a45debdd69bfa886d282b22086529c2a69c6bc0bb6f11762badba6309aef54ad27a3e6895b4a90131d6df547a114326d2874483b2fac339ae3a934fc989d7b666903b4e90af08535e9ff279dd76c874341347343a2e26aa76cae3405eab7ddad8c3a60f8347d30d8feadc041549473d197955b91f7b738327c04ac34516477c1de75009ae8951ea020acc5a497043e970f0a67a693ac7b4a48e19d52d553d893b1fadadf219cc922a9aac10f8c7d7e0e549bd84657842d3d9830733396da1c1e2a88724b469171697439c884a379dd3943d10c27df424260ce8bdf91113cdba1507a01e59de6c0474852032dd54e8b620c9ba7c3736e34fd16c665ef10902cd1c596b2af6ce83f5d0add77b4559403756b79e041f5573418f12706053f4c726666b4d79a3df6fb4613a8a87ee5ae2bddc369175d7b1ac4d033910ad2f00b61fb1c1586da8ba4d3011899edeffe9bdba511d5bdca105adf1fc6e3d9d659ebef369e9acbc004d395a9f5fb96d4be3400b688d5f05f9ce43a7d87bead0b202bd588209b2a3e835f3804a809fd5cd1216bf93a14469e42ff95846c974fa6fb62b2021e71a31e1e66b3821780a90cafdfc7345e5a937a803ee4d3a5051a68b0dddd3ec70b7002ba20d54003de6d185e2e43cd33b87e6d3cc4589fa890054f39a40783522c092f7205310bb4216d08273a2467006d57c66adc3599995d25702a79a75eeae658aa06af9cf2492b4ee3c18e73965b8dc2615ea1ae7efa407f5e
2751b91794bd28c57f7e652ca1a50d9fdc0dc165482fc13801910d77cf4ae987a8e67d8e19fe9e002ab55e997b977b0541c7c8c4e76871ef700b8f0c47e73d3d4473c17ff30da32779b8d1b1a289046038e606590d5aa672c11c3650859c3c31b412e1385a7f5f4b9a3cf757eb8cf64e2f6298fdfc68d659eab6fa1baddd0695ea5c97d50cfefd518ec8357f739435170382b6033691b54600890e20205b8683c47d7d436ebf42c7e7c117d38175467f0d24af74d412ad77b9f2535154a012be7cc5f01242345356f24b64793c6e34ac53683b169db9c29ccbed4f79fd4174426bffcde651db4c796333fedf446a5ca1fd98780bfab32cb02e23dd2532bc6ee5cddd9cae2ecdd90902d01b22b8b2d522d8049b0cf890d4f807b1ef23a871362edcb7bf11df5a056f2ed1d855d9d268bed624587a29c1c2116e6fa2756fd1869b956e999e5baa07ded7bf5899e9bf9b92c157e93ce9d34fa87ebdd1c2d8a88e33acbb4c7d0dd4f4e469bc6249f93e1b11efeff0a49171dcca566f0d3ae8e66fe659816db503833351febdc802b58bcd0531c5f1a9aacab91dac6dd7fc534d6a8ef2f2b9549e0261ba19a633041bc73044c7c52406195f0edfbc223eaf922e70769ad2bcd00ffe5130c6e1f70b5b520ce3efd8cf2a2688d2965697cfc1108c15301f157a598830d7e0f38f6f66fa965e141233242c30f555dca8480793e45ec30d7fcac73f077ab5e6e10363e1039fc4bd1401aad0669d2b15dd5b6fb3c2ce020ed6ef87ed28f1c056fd48bd934515896d69011ebf8f2710603b546b61b2ff4283287d833360826bc8c10b51eb90aec5481a1904f52c2e0b6680863e52ea691db2f48a7f7dfa12a8cf26d3da8377e6486a417e10849cdf1cf67577343184d2b5b4085d6e1a933f81f77fb50878d263eba1be1246552d8572b36d8dca0fe9e2c90178f335e4a75de232d67e1f7a7557bda375094bc6af447522d64ff6b89057f8e467a90d8e7578aaa91cb37a1a2c886c9fd933d0a938d6483bf7c10da4e861e7e73077bddc1923da616e8c073355559318b2d518b0fb4d76d86a01af9fb2812a12819f7692db73bd4d9dc02b89192acdc0322f3fab51b4e27fd94454c891165e41830423ed14b9f42d6131d4ac22076a5577020615a6fb9e8c444cb2bae4b957f55d36e7708acba083a42a33bfcc0fa1302ba0897df69d3289fc9e3094a7ff849325b6c723c305271e369ba8e705bf9be5b78f97681edf1ab07106077304be151512008fefdea23e3bc84ddd0e03fd919be860d797dc6550f067122a685a58ff810057b0a1ff35545a62b617b3cf85859a5962302fb7f6f660e0a840f823039b6a5ec186599b9428deef3899ffe6bb69e8d4584daef04243011819ee52f08c7eb62146e8e43c7c3836
f9cfc3b330a56719ad32215896d23176cf46886a80cfe4961b7c29b6b35d07907e9d05cb66e2c5e1e7b5959ff1ea53696fdc6fbda789a16892eeff4f99a2f5b951d04fb01a9dfa4e1a422e5a75e7504ab530f2e5283747897af16b9e468edc921ba3a3bd4132dd7a2881531865e0a858cbabce180e9f1d20faf2ef90e8bc74139d608f34246cac9894d0872db0fe2b0469a64f7ba507be62d54f7cc069df2617f93ea94c888e1b7e1630b00f16ff12699033bf800d4680ca196ba4381a383e11fbb90dbb071fa109aa054cdcc00a9be4d0a118f21cdd487a14c8e02a4260b62d44cb3bb8de6b6decd86f461328b89a9e56137a1ed2ac6f72464262e0de7239b2b61082c0b6ec2e2cd8679c0669bf3f95c4c3cfbda5f9b6d01ce316d8a6890507f4eec10dc24e73599f5732d8fb388fede07545a6135fd72d8ae5340b189c83602cd9e68c4614297a9c73983825d1eeed7a6f852811f2853ab5d82e477e4048ced6cc74583abb5ffa5e83a256dbcd574693cb43663e7b555f19af242e9c232e3618e724d732dc5f5f402a9e3145db2c5d57e229104a72be2f9cc8cd9be7a51b8c364e4271731f6d2574db5523bbf86b6a54abe98e05e08378a50db14adab782b693c3e38b9fae76ac7a92d99ac54cc22ab02c4da5ba9bb2d6c061290fe1f718d27079881ea1b8c2f009bc30fef95d1137334c3e3076e3708fed585f24c566e462ec23217e0c743847e32dda3f562f6290d4d078ed29b67d3e8489199b3bce09a25bdc779f332b9400424d02decface9f5b035d6e4015da8c21b15a0de7d24176f267a653c518d48ab85d884345d5b9dab8a1b3ce718b4da4ac17557d4a45e18d8ad4e12b5dd890c226ce720b529bfc708055f2705282f516b76884a65b3e36dd5e3a996aa49045d3d04af3f1608ff8c8e128894cc60d434e24e4f7a37e43b848e3d97a233be44b0d871cb13337347efd0bd39236aa8ba98d816d069aba2989a871e08693ac0d36aabf9f816172b73104e5261dbf21aaccf71af5a23c24749506f8b3f607212672447a7479ee9fe0cfb8278cff53d16601ba84f767c9ade2f650a65dc98c6ce825196c0ad677623d7d08496abb32ec48d4e41b38765e47784316e59e29b800cdac01733c165d995d7a2da4364de947c8ba5a8d92277453f75da3eb0ebfea55f6f4a81316138d98707c26d82909947d8b10f8eede8c962a6971e43bc0cdbf3d336e1a2b26d8bc193d3f3ddac7d0bc8bf8469191583bfd74e3ec7bbe6d65ce9439b78f0b2b961459e33c15e5b394faa0a1031e81248ba57a29c5fb967f904dad09a5ec165e6779009c3290eedb2cfb436337f76a090129183cc06c6ad31916e2608b4f75bc937456909ef3e42616ea7a61632744b2e26b23a49a9292577491ece6a0c1f
ac4d8b799d73a6b851a45faae4c096c11064e3868f198931c0bb31684c73958083a4aa38934989c9b65f6a9eb741faf69471e8323db69e64488a3742dd4b39b8e48d223b2149aee19aa788561bbfa180786cd147d0beaa1353cb83804d3f8baf651a2170a240ad0d7aff2c6598dfff27e990960e307b6aae80a41ea5bc1108e2acc8281f821937f32434fa05aa4065663bcbf8c78f9d865fba140c4ee44394ab6618528f74282477f1bdca5e46fc6d94166397de69a592e7c8c065913742cbb7c0967d07a33047d9c4a4e01d9faae52046bdbb2bee22abc65cf068ad3d3265ec6dc1553c514ad41c15c436b98d77642b8fa63eeb38d6efd2d7d90ba7ac034337238a342fa1c6d7bbb1ca43a9f3035c4a5f16757fb521f1d45ff3e81defa599088c33a866ce7efa466af415ea22e54bbc60ed404cd12dc0a7d21f8a3b6211edf4feba8913a54df4f0c6148c41ffacbce903085f797481a93a20fb199abd400758d81746df44cc4112e3490899e058e7cb25e1a4ff90175b12ea03b5eae7ea66bfc54106c9d600f0015a43d2d322fa52bc7a12acaf93c38781d5bfc4f6d07a57a937a1a59eaf2277c9c498a878ca89fc7dcded6d91f54e66e563f06319cd818daf054f3d2ed62c13257862084e5246d1b99089f9239eb18403e6a098c354815d978dd27f4f0fe1f0483358c92821a65b7b601d98936b1906bae272bd8a45067826e4e0ebdd1efa253b0c178315c7ddfb658fddd1d6cc01703fb4b6a5244451d4b220d6a67f42de30df871fb81e416f2c39a8aec52c22d5359777fc624be2d7eca7859832b956c05c130930b7304194863913156cb36d5e772a780f334abbfbbc59269e71fced1b39faee80a60e5b440117bdbb9dc5f8de0e01de14b1551d85e96b6fc02a383929e1016254a27d2ce2e10b21bd7344707465488b8186b01e6ca347499c4ddde942b522395e05d0a681fad00618e9765d5945db954818e5b846395187ef5e1fe2a25be1d48055fbe9bcb9673f9b4d6d9a40daa3d99707c45f6b298e71c8a98b4cc6b4a838e0a64303c9f799638699feec8641ba6c3f97ad6bc641c193c29d1ccb9f910878acc0f486a29a8e9a7ccf4582b1e1fe0b71b8ca688395cc0bfce5851713eb34d4a4d444cf29721b7fec0294a1fe949ddfffbcf550b75b89fafddb2676f6e14b6bbeb5ffc357037c5db4736b80369323ec14e8634394dba9c347451e8a351a28e4bbb9265e18460b7fac0e272edeff89eed69e85a3f45c9d4b56225c34e3146905f40ed44a69325a58a01cfb6609c1b320fc80048f1ad7dfb5aac1288275653b6d07d3765cdb45b64f9905c25f828ce61d42f8c310addac2e74ce83e429e6c29249de2094e90015f432ceeee273db535f59a7b4de6506c7ea84665236e9a4224
e7ac6a3abeb227a3911e683d5ec4588a680dd786bd6b632f3b092549215440064314b8523768341faf0154925b228504f8ebb69e760451afddc79ba57195d76a5003b01b013a4d264605108446ab17d1d57d6838c62cc10ffdef3b02769246c7e69917ee9bac22bba79391463f7db1c3be1948faf63b7df86d39818265a5719f4b7f2ab0413efa5b87952e112ffa74ceef99dffd8822da76e2162b51055fae76a996e4dff4c02df53c108245217a8a9c65683fe1bc2710b7e29b6963cbb21cdaf3d83cd1a91543faf5226e2e77099fdd4a90528f7209347c44c195f2dd897d6b66b341540721c5988e7502e10c40a04a4dd5e30f8f380b612f6d651818184f278a98079830d75b8e2c2b8ae5a7d3d2dda66e6c889761f9613fdefc418013e691e87dde8e18b83b6948248f8292672fe54e6bfa709870c9cbfefd114734b70459955ee7a04b2f7b814b1b3535e64c39a0f157d81f863ac8beeeef806d5afb4350b28bc07bf2bdb6249697ee1798b85ca3078e3683b4dd7dc68e44a05ce5d0763a608f0ddfad90ba08652c8f143447937d1104398343d6faf6586d2a45250b3f5973c3deaf26fa4e4a52e4bacd4f99ed7e76668c3597404a28f31746f94c12c5f65b1b57f338cf936e7c55f6e9aa5ee608efdc4b706674bf07423a30e8538122849903c6a0a7b814a41852f8b4c1dd136c31f548f54853bf10fea0d147d420b9b63e4cba3d68b18254114c68cb21e9cb60241aac96a308b70138fd441d5b0d1f3fe589e4b963ed18490a45914bd40cfa03d4e130ff3be37b12b63052c2210e90447330654900a9c00cf8edeb4884f9fd09f4009cddf0b7ae23d7a04ea3d02871215d5b8286d1adde59dd572cef31b375ab5e9a128de765ece13dbbd11f7be8ceafb7cfd07debf8ed1cc7e2d70b8f6ad57f16272d83e3ff3087d000c1f0aa1ba1e380c12f4abd810d40fb78f160e03ced14c6ebfca4dbe80a3c398df7216f8661d4179e4527e1ba0be1bc846d76670dd6740fa4165e3eb6b7f0980de86c9f2bfe31780a9c8cbf60d046ac604b60e2d850021e79014ec3722f06ca33a3fe047043bd0326d54db57658fb3170f602b25ecd1f1e7e3e6654897974ef8ab0248d3eb4bf4860ec45abe703ac33971bbb16eaea69d0480956c298596d1a90487ed5517850c726354820f18c0997c9116f12c148de2a663fe4810c1aff6a5e05f350c42187920b98dda54c35da5f6285e687b306278fb9e429f8db1f1e38c998acf318456e293d182b3612df2505bd4e63769bce1d0bb23078eeb5b4ec09d92a1bb293c47ace0dc768b35f807ba31546a84ce3bca34b58e0a575763ffc308bd64c5c339daf909767ff62820c90c427a58fe9bc2979525e1209f56f708a266ce14356ed3847031d73c3eee8cf1d
2d27122cb432a90f35b19dd053ba6738a3c6b5606c2221c3d5fd28283911cc71eb74f0e397f1feca139f6c6c8e0f9f5c12786a42157845183a76716725f7e7e5dae6645a736337a49b83e152ca6afe45d6748f7f4c496f736d96e8b10ee74c71c003550a4be8bdaa56101b7d9bd0027aaa6900e58fcc77772ad493a8a613603c3bc32927dd2c2455923e924bd66c5d7ec7937fe0f3a6f2eba16463480711142963da156cb9ed2c1a4f5a3c541eb1358565687f6f6206e0414d610b4122beb2adc9f521af15af9db87b6adbc8205183582bf1c916d0ce050a0ecdefc24353d00d435d6b07ffd1eeec39b3154f654f733a5c95371168b86be13932cc0df2d27c487d0d6860be3c5c5e7e209157b32f709f2def27bc38662629d054fc4b51510b62a1a53795ad5936e8afc2a1f410334df60fd2a66079f9c6065868b75e2699f15bd07ffec14ffbfc54cc40c4a01dede88fe3b34303867194afbf3810a0b3aaa1aab621d572479c5b8dfc7ed5bc233dee16b56401698a9fa5c0d12b5dd0e3f4db43eba06bc3445ceb95e5594af8221f884fb6ebf7a65691eb7cb67e844e32ea088105e35e96cbee00c323bacb35e0607e3ec9ac48eabe223de34074925d459abadd5e76c79220aae51aa78d558c5d3dbe2d0bcfe8727337372fc414388104662bd2baa1e840d9d6e594c3e2f7e89d626208d6ec0a5e203530081951de4b62347488f79af8bdbd26c5679379abbab3a7ce861197292af472a71a5c459944b7439b13b4649764aff5096182c10a71c1815d3bfe77e183c93af8d78007c204862cd4022da552901ca37328546a62acbda72427c8b1c345be78330f623004b388dcfb05a6f5e007362f70da614d08645b2ad355716b8231946950218b14971ecdffafc99bb657995b7959b9503d97ebe08340edbc45e2714b9975161c56b070e00a0553261b466b198e4686f097c14ea9212feef595529ad03b617e6a1c6bca1d3cd23e321eb694d37bdc83f36bf23e3d581555366f6c575ea8221fff4b25fb9fbd69e9f024e7c5aea79cc96e66501eed51d4f3763a92dbe7ccc296f9373afef9b18bd5d2ec48c44b5c5f7f5255a5fcfca7c9d9f176fa5ab4ad6812c8aebace697645887b33463eda823b1285380db9a63aabb7057d8b7832a50f083f72834dd5a19e9099598fd155a827228a95572754096720a754c6cb488884bc5b2078558f39ef9135312271720ad6b13ff397c7d2f97c28f4ceb2286d5c59512f6d8859c5668d74faa8f13f9adb520ff42d18a7521bf5bfac4216d193217fa222178bbe75d1ef215dab17326d47fe3166e0f6de5ed889e906791edcecae3df5bf113884e95adbd600cb07aa372bb95ded3fd88ef7fb5397a243783134794cadbf514ce633089bf1059222b0b43a4e07
694a33480b180d10d5e7db4e678a144337e2a482f8e5d2dad6c4c15ec9f89ff641c46d2b5f77e045722bd706e6893faff3f4a2eb87a7751850b9092b05a9b81f901e2b180c1793515863b5b97601b20f26bdb9021fc20d6668fdbe555f2839c2fb275b10b047ba757ca3b7a01695a0407468e0b96bc8825ebba00273f21de02825f6db3c0d5db001285e5c16f4292532f6c9484f1b6e1d208d9c33621d66bddc1229df59eb12a27bfcec3cca6a83a2d217b6219ec4262e13650ed233750649d41c94c449659a09a7e320e0c5baa04750717b948fbb59ee30eef68054fc5d78af32b77593afccb04d31930c9c13874d3462845ea68ea7b4ef4e09dcd3aa8e32acdb473d2d6973f64846f8137e5a29505a6e29bb2342107b333c2c52f4dcae0114eb09215db428d4d870396f918a2b66fa02ad8e7a6831b6225428c0aa82b31d330be622d0439d0cab77cd1067c327b9b76ab619cac5660183863039545102db106586cc9663f4c57390fbc9a61211bf330a362644c23c1d9d61c567f30c661502961a55ed5135a273c5a60ac7115a20b8c6e0c544a252d63b446e8d36a93f4baa6af482ee89b72522ae090466072c7efd4e9577a50b89b33bd58cbd926281a63d776eed85982b46c5782bca2abbf9c2a4f494ea5373453b3ed9059262d081518754094367893772e2ffa11eeda145aea80ccb114afa3d41baf632c29777759731618b2ba0b27467612154db70052a3054b46705b30f48a543e36e2a80b6485ac73b650819fbdc0981ac5af93f930a93c026139e1ab88ffed59377d396cd43794439db3c8675cbc95865dc59f523cf60cc9458dc55d8ef9e124daa7dc4a2113f22f19dfe24e2c286e76b517ea0ee654602f30a09c58c46df9c48625a939eb217f0f7675175bcb2718fb938dc5e7c3c0608f73905ed94c64e033cdec10070d979b0d6f1f8c15c45a42eaefa27f3485b3e72681406a2b0971d9e106c5e538e40ff6a2499b627ecb5ff2fef9d3cd42812c22a965828495e2a89f2657aafbc389c21e8abdfc0f7a13346538d352c968c05b45850ac585ed5a667f07f33033c546f11c0d1dc150c6d9cb94e9722fd3d1b1a57aef79319ffc6d087cc60039840865f0e5cf978a06b5d18f08864d433d5310d98cc32dff4b373ea1ce8783caff58d1bb9c687abb74de768dd3078a013f72e0a87ebc88871bb3e3aab075242a00473566c4c13c17645d9df37e50a6128c7edf26bad4cacc140355df5b313be464b4eef7a211c2467cdee511f4fc5b803e4bef5ac1aae85e1c9b772d4d5a879e35f11997f11ff1a09598aa171c5c05d3694382a80d466e0ccce376dd92a6ee85e7906137ba3f934aa6a97761abe99ea0270754d73f9a04aee8853fa4350f55780393a3d156844fc35897ef0ae4f
987041b1166954f8d96114734a777e8ac21a7bd5c5c7b02f5cd38ad2160ac9060973a91a58c36c60564981209620d88ecb44b56fcec157cf1dd518b22b0da5fff82a3e444a48f3f2f1e3cc23a08847c99e074704669294ecd576378deae6cd1c99871a513b3bc3b68198e6b18b2913c3733b378b6cb54bf966f429342f959bdc6c3db2a53eb3bb20a31974858e7f232b4324e1ef0048b9a71244c6cd2c3edfa20e1cfde955e2bf9044ba4f105ded26b2c7a95ec1283849e5f5eb1c578580cb3aa2026f072e7256136adb7fe23918b3cf703e11d8a5674d72726505bf90be55447bed894cde5c266ebe02fa26b167125320e47da1229d4e7b6101c0ab3ad58a0c99c1a60c7540460c914ad9da5fccf3eb1e6970b29a801a2bead23270c8eea61d84ea0db431043a183353864b693398d96267d7375b483d810a1c717dd68540c82bf828ed7290fbee27362e66ecb4f00b7a97e676e06c319fd2b2db6d56f6ebd50eba9dd30a1aeae5892dd51d2442e73c4facb36eb05d0c9592a6a5544e3467aaf6707852a5b464438c80f3e004b761fbe0047e39043d10b4995384c19e8f0797ff770a12fc9914fc7707083aa7392757debe027b051fb9374bfbf826892b2d9f52dba07cdbb024126e77a65a8230982d8d5216e26d9abe79d4e11149b160fdbe2098f60fdb11049a2f33a53b1d86716902c238d83c587d429315c0e887c0a6e81b24c93ca6deb7fd0142cb781e0fbb32767d20c7a5e4624526aaa4547bc192b43854fda8ed1b64810cb79079de920904f5e35313d7acb8334cedce1dc173e222c374d85c74df41edcbe894d57829e6461fbc21532a87f930ea6cbfad678af4987bcc58fcd035550b00e73615e4c581adef7a90639aba3a37c913ffeb17ed58e0bfe8b71c321ccd62ef13c73b7526c322ffabd04713fd83722895432efdaaa76a162e48b881f830029865773559e648959f368b60a58185ea62be84f3116445c0def90f4db6d8c64ac032bd734f9cfea0da8a670d3227a99b0687bbd5f01e1cf45b300745a628bb61835976afc8d49c40e31288065894c816eee600d179fd387f85f0bb9ebaebf8c1fcd2361ec5ae837e9169e5f164e0b4add81daa50f8e94a5d44e5845f49fc07dd10a68cdd6d2f8102f25a2da3103a9dd6e60267212833d684e28f20316ffe1b663647147f84e3d7130731160ae9b35aa2ef8c83cfbaf2268007c5c896a360948a8bb4370f6a6b6612f1fc8ef38cfa514fdd33580f048ad31697fd2ec177d4d27d8b4f6f591eb0c6cb48972012647f9dc77f6091adc0c5feef2b188942d81febaaa8470c2fd3edb621f1fc953924b38802c563c2ce2c35bb57503d09858b90671f0847dbb94608a0956d9267bfaab36e58f17586fbb7b747e51152ed1cc1966b26
2c0a77b08d521a0cf8d9790b82b6dd54b5082b152ec06c8bb7ed3574af7d813f2de720a80a9145173d886bb0ae641334cde508bf49f34dd65a31e6c1a188f323258e782c819106c7bf5bd7e1ea0865dcbe31f04e4e6aedb1abf869f8b424d4cd1a9b4d74b7999cd9572b575c89ed30ae8c072f9c403bcbe237d06dbce991b05bf5ab04a1df6634acfd289d6e8b05b5cb252008a2d0fd2fae67ffa56c0ef17b6e077dad36911d9fd909fb00f66e20182f6b496d30dd00d38a3020e394f1b66d69a0043609c7b70c0e9b4c7ba3dac140c60767e463bad88631ee5af9757e89be88e9fb89a783bde3aac1e0a0a44fc5c820330822f3969ef9508e24bea9dc68165d7cb8a10c227aea4780e19a010a451893cb6f29656b34bc202b4191faf3b2c965ba3c3d750b77560bc2335ddaf63557f3fdb2ea421c505224103cd6228964aed3677b68485c38942860b14f18e95b2409bae164684aae856207b6a17e1aa569f93634d1b922daabc0c423feb28d7c4bb3b32b6cb761f01912ca12ba023882af2d80b215f54ac3aa6d4c2dc1d2ad9e4f88799ffc0d8b19b379827177d75a82e2d661b20d75c2620011f89592b5a6acd861706e9ed56a779272583a3c60f479864e667fc8e214a413eacb563bdd584c594ce633d3f10bee3713d453e32f147f5bdc7a4e775ecf20eb883e6d4e866fcfd99bcc41fa8e3266d48b97f0a218892233536fa25141a46d5a41f7ae4713297a2f95ce0e6661d2116a05601a346210f5ffc0dad79efd531156be2cb07ab6be8bc58ed98cfa69bab6ceb638dbc8d97b6d44603bd96c204acce5cfb677fc80e5f7cd9058fe77100fa41da58b4dde00bf5481400422a1e1ba54ab8e4b80c22434e80a2f016149f0899f6663bdf9a89e201ebb69aad3c37748b71756ab35c358765bb77d1289716fe89899f49f22ef736b90b17516e1cc8d9e91e172d56a6361dfc06fa10852005be0b013bc0a528e56da8b69e30cbde3567f0750f99daf96c64e35280245861c092de0865bcb2913156f08a84ef7ead5a357408b244c61b26e34da3a80fc82e1485beecf5377d3d95d77eb3dd11979789b9bc24fde7698f7103891419eacdcd32e5287e79a72db4338c986d3df9a04182e18ee200551ebce1f3351bc0728cf3b59d5d95345092625e9406d14bf8a53348e279e518096d98018af438d87686ecd02bf442d73e46511c8e8fc553a58f9faa99ae9fbae97154ed855c7e85caf2d980d267684c6dfdd7bc5e6fe5db46b4ed64567df9b38a71bd49ec38802b91c8515efc7aadb278381685ccd253f2ef88ad1cd987cb10ab5de4bd8de8faa6c567b5a072c2403e92976e87e1749b995d5da1b23369c70d7e009151bd3163f1d1e69755546882a1b0c57b1cf48fd62a8c46b8b56ccc84dd2
799d0bb0a3be9121eef3f860cd1aba1da5c4491cf117a09c330a08b3aa5c00c7f91a898ffa405cae4fb84ee3033e44a808b309eb89ceefa81e65bef7d27672b2e0aea89b8522c3ba136df5241c4ff20469351ad28e8f2e3645a01e0a8ac15181b247ac95b91a08d0f184d166f4fc19f98148f2193ad2a6fd39c9a06160198615123b884b3318821348cf5bdccb04ff6bc8cb876fde4588c3244e2aeb2e8d24b1775a942a41ac7d274155b8910c3685d4146fe5400c17e83e8288a560acbd6a819f80024e548ac5881d6faad171b6223c5883defb2d5fcfae9ef86d046bc7a24f69fb9b1d661178caf72fda94b29cf03ed188a7452a9e8fe9f0d1e0ce0c6ddec550dfa0281b007a752235cb63ef66ccdd05591067516523a813ab7186f2be8d8f88092628ed50b8b8fe3355e963ce181b2a7761640b6433596c330ebdea5437d2579f795810a1d1353e2a7eecd868c23debf3b417a43d71bba4e9114c64a7743e762ba34fbcb9002ac936e869f95a24d9558b952470f6fb124a7a107d2934da909278593aba7c7143ca0cf802f957a3f8e0557451c216f82c1750fd74baeb0a414786eabab18a5cb1826f9800c471c23dd7ad43d497565c078a75e3d02f6dc72cbd9488849389af509d5f8b64a4ca215ef6b148fb4ab9b52e72181945cb6d64b951976c34c315bc7edc2705838ae09e821ce5b1821bb3d5d409dd6542745dd5a74aa6276add2d479c6f16c1b868d7856256c93c6d4d4a2f630ff40363e0a07182bb4131eee6fbd18a236da2adaaf6a7b70660874d7296f69e9309668c75e4a5f8144f93348a4a8141c2d1885546047f343a096eb255735a9590b9714bb5263b3bcae7a467c6356f50af9d49ee572ec529f2bf3894675d554334c1ea92c5fa121de3ef1b9f74cd953aca996d23ab6decd343ac53e2f99a249fb988f4ca796c0a849798f0f97495c10b9a0c8509c4bcff637662696949efc09251a06a22c22603847584330cfea0375d8c5bdce8dc49574865afbdb3673a76d91a4dc0eb7e3adf438a8f0c8c03dcccfdedddf4d44abac93d84d8f73a7a4bd8d0bd07122410bf9215dca11ff32e98eb1739b26e71890a21ea173ff62382c56bda1514776e65d36924e2590790e812d24cd2aac5752a02dcca068a4c5f4eb69a707280721e755d3601a2a18ded5eeb61fdbe7dae292976137780bb94cdc30a247223a39f94b324d9d013da3189c2cff87cdb6c2d60b271f33094db4ef5dcf9ed72fc21244c9cd4be4d3328e815f5101643868abb4e50de054c95554316f3a827016dd9474787d3403472ccf47484cacf52ba3865dd233b99e6884bb09536e65175f4ab58e9b138fb659f29a216225a1a89c94a0a537ce70f69001aa8b3f3e9c271d7acc8f61da6d9f9b0beda683fe87e40
e61240ba431223cf98fed0ce930bf8e44edb42afcf54fc10c46f93b8c4d70d5b305507e6a5e2ed79b32085b7598a90659d2d929def4026ef7e9fc489bd22160929a0892c3897226fe63b54424aad314454ebe080e29ecc3e6172cf0f64fb2566a77813fd0f03df52f7542399a134cf6bdb23b01276ff2d6e2db82661fb1aa69388e55c087c3897309940477ed3e222f860eec00e012404ae81c6ca35f1ae7400e0aececf33348bb4adba665abcfbaea95ced173132f6d6298c2899cd6184f9e9d2f62e9d5c07177a3de17f59e7ef60600c3b741af36e7764ce2cb376ca9646f1134e89a0187662fe24c7be0973779d4f5bb3dcd05d8ef4e3481bba1d7199149d1b34c074640a8a2d9614a1d3f2547837c9dadcba164da6cb5899f85554640792f0d3e5076cbec862732dd8dda895695efbaa77ca0ca967630df62d746780e82cc16a066ed736889c9f3c533bc4340b3046ea8bf75707daaceee2c7582f179b1f1259b03b4bbbcc510768bd494b4ddbe27db9ac24aca119bc04175752328c5bf91e4995392c98d934ae13ebb92756e4bbb80053c1dbd56d7989a0d13f81a62f05a33653ea10edee1b38ce2608ec8c2ef69152bd442c79463e563ba7c5461ef96d170b0640a7566e56e510e66cc795f71d9d728ae1b235e72b546f7b3219d05c4bcc39ac269cf69f1c301d228060b8093322378b1684c6c396271cedb32989cb13da07022dae62db8a489b32bdc5989a7266528c5857a43f0cea8a8926aec1a732603fb80ff5b0342f17092f2f4ba5e9fc4e49bd96405824578c2543fb27c32f3299060de4b11c12678da6aa215e2a02cfc99a602405b130495b699483143274e1429794df198ad773abcfa16a6417fbe9fa64f97f8037dc80b0ab21821058990c4775a052079a1adcdc89deb0ecd2f1e916b0d77489438857c462ad98eb4d601e6c313c8c590e3543b4ddf31bdcc2fa83e193c74688dd1c5f8df7cd9b0401f2c67ea55fbc47fbcc3d8289d548fa058ac480d71d8d4fc4c48c1f1b82e1777e298002e97af72a4966807b9bee4f244cd8bd2a8c37ad5a91a520e30a43142ee4c8e9d1f106ce5b108b71508d67aabed8332800f1383514748c57b2d2689432bf826d7894ffe86f7f2e7cee69d461060f21b37de45abb6e7d15025bca8ff9b582a6fd4ac7f9d61cb356592f4a3ec762c5027af675d65b73a5ff5a8337c42bba72b71df49a0ed42e9feec65dfd4d96d79c7a4ecc2f51bb2cc056300d941505de6bbafcbddf7c663e48aa5fbe9978ca1789b794b6bf4fad0b7efd18c30a0e3641c4ffb3531d1fbebb11e01784279e61dce68db708f838839433ab24268c36123367d20cdd91cf0302452e23b83b3118d8dff460701ada0c6d61b7d054e9dc07d5460ea91e16103a26290962
affac4aa486c29e18056ab56dc87c2f0215ccb7ff553427bf38e76488b38bcedef19033fa05ddb5a4c9f352337914ed1acf852adc9a8355a231741ef9b82db7178a93f302a39dd1feff376a21e469a72dc59abfe41624aeded1a0af7a20d89551f8e4af0b1ceb5d934c5ee7e9cd0497d660d0d58513de8ec71f89384ce4f3047f5c5e599c444f52d7080f266785d9cc950d723ec588edeea7e743f477b50ef6d493cb350bbb867f9367b65ccbe52a03674f284a08d36bc50aab4a3f0c91dd68acf6d2b5c605484b94dc331257feb5b3b8128aab2a441d7c04eadc7521e6ba756e3d7e69a3a2f41cc71d7115f4adec5eeced9cd516171ec3bd6106ce196783e946a23aab8dac73f2559f59a998dae80cdc54d83aff7a88a9622bce3045511cb77de14789832efe7340fbac4ff25a7883ad5bca41741a3144a0f9c5b8d2f03ded15b72415cb3447cb621409481b4501eea8cfb8ab6ae53b9d0095aea90fb84c7160ecaa8d04b2a2f757a24c75599472e7c6f629279d57ab897ca4b84398f1841aa0acdb7cc208455e9ddba3db8095aa6e31a5e5a284946b26db2706951d5a6ca7b33354839fb8a424cced92f9db490534b27c93678e362b5a2c12041827004abcf80b3c9f7659fb1b2c671002796b86869b29388d5df277289535c976fb56ea1a938cebf824f2e9093ffa058e41264abb4eb08edb505e51c0f9bfe3d4f97e52e84884793d4db290692fb25cd68509390f1ae6869ec8dca8a824279a455ab7db604e563bf6096755f838e5b4087380035f2041426ac0014fcc4c5decdc74453cb407616c57ce736039464e998b8fee6d423bb377a16a2b1fd8adc418abaaabdb2bee541a5c312d8454a36b4b1c718ce74e862da4a9e239da612f3f07d529e46251d85629242c7b0d4f5370f7ecbdacdf9ee925d7b717455ee78f11f99c94ad4cc2f8c598e845226669251292287987019a6d4df23999c46783f66d9c0d1ab4df572c972c9e837993bfa68bfaeee52c98211dc9e0c1b254e7c23bb6a05de76d7005e2fa82d4d2ac444f31a45b31fbd4237f2805cbb18111e091f182ee7d43501c1e4e1ae69997d7dde527b01bafb92482ba3870ce8211b9779a1479f168676371e606ec9c4da411283c845839f2440f6b9373d901653a26e45ae2145ad6ef2ef5729d9eabe50cb51d17eabd72e08a61a428a1a336836eed361e9a4d1cb2f312d7b3e5765f054edd1d7477076db18592b8b880c78f1ad6b9d6e680729b906d8e44652fcdb628d7e0ac1b5ddc8ffa2fa26710aca2989d3e5dc0ad481829c9dcfa99f5560e3aa2ec5f11c1fc995a14e2959cf492b07002cd80c066ffd4bca1e0c5f8628717daf7eb3cbbbe2542e3f5a18c9ba54d56bec9f52f0310635fcf92df6a4738cdf845a3caf7b3859
edf9220f291dba1aac89c07693dd220763739798b687cd6b27d896a692536ad7e847ccac64984cf9ae18174d0c23109f82cc943b004e07ac6741045dc0cd4a302257b6bd4eeea0d0f3e7af93f1b3abe724ece35482f2afe205ed2265824302454e8a29bfc39e943232b7afb435e7517d6ce926c5fdd49ecac1be18435ff5665d0f724a2bc2d22f19a6c1428e2f686419b124cc76861f3070ebcbd99812cb10ecb357a0e1171ee64a67237762927adf9784ab9033f6b566f7218fa67109f9607fce2a4b8b74a3cd5a9ceafa4ce0b38be85144505c0bdc18a49ad0ca23051d563d14af02e2ec8147e8f2bc0bd30c69debfe2c170dda04de73fc777aea45027e56805a4b8c3fbf09315da5b05de928df4397977b26ce3e54d36643b0e229cfa6f832085fb3008c03e924a5b6232fd0a82c1b1b91967fa5a1b166c67f05ee6481d895f21aae704825fd44a635c29ac3ce0f5aa28262d845f4cd0891134ca5846a6b62ce7fc90a6bae5304eb0f533838b522a74365e6ec1957375d09c511d221439dc8f17d4b90e298815d7b9df23dac9a6adfc2608c062d1328de36b9b8390b330a99d50590d7d3f566e11022f7c066869422260b693c06e38b025157442b473e97b7eb2b4365e494f813a99c695447bd3155199597ca8ffe224b08d3fe81eb80afc5f2c5ca9778754251d8c7e35b063855d66cdb5ebd722d444c4654989edde1fbc78d2647b041148a159414b94805b0c76eaa242886d8b45f3f98489cbcfaeadbdcf2ac5ebc6b32e684d7467e63e935a6cdefaa3f78f8ee8a00ff9da25feb8fce6fff1033231a4aef0725907534f174e5386484fa18b781f3f6894affba4d496deeecc374f4b3e69f95a5997c8978a4e0a29c470b32864261d08d5679796ee633a6230d2b2f71e9f219df7e95d4042b3cc991352e50715c5ef56dc07afe11509d905b2d357bf03b2366582ff9d473c9a559670a4dbf02d215c5b3367a1bf08adb7cc5c208a2264906b67d4d9ba2a15f146549578b20aed14013f42dd268aaad8e2979bb51c5ed81988e6030b6f5082d1cc212ba2e2c8b8084ff0e72490f0d14048a507beccfabd6d4b683bd7dbf4bd65a45809166b207b187a310fb2558df0caca91362dc72c3ae5d2def3c16a8f4b96fef21f76d1b7ef57c93917976d0384d06f0bd1dd8088d777eb6c1bccd68fcd68efa860cea38018e46668210d678b248f53f83f0c4b922e8de99a6e734289991e1046a1291b249874de24687c24b3070d7e8024f47973570660787b0854a229b014e38ba8dd1d12250b899e46df956ddc02ee440a577756fa0052a305b3dcd21aa4013be057a6fbd43b579a5d57d3edf2c74d83114b96e55d601d5076eb3d113311ee1abae22fa5ea7107b8e20bce63e2806e395e86db9302fb
cb1e66a7f03158d508a06c17fd81560cf48196ac12813c7f1c7a2920121f26194210632af96a2372a96bab8f2b237d9260ec7e9c5fee28d4571c3f74a47ffc4303f794f6d161061c63eab2d6b71e6fa6601edbe0228a47e62b5ec8fe591c147545b74d57c098e2373cc1cda4a35d1c3c40a5a5baa4af89d1c21cdbc2c4d8ba4db7b3c58db287ab79f63ac779d6e812776e143a32e12746ed3b1c8cffde5300b2428c5eaac80d63dc69242c83f86bf7166a42a0f70daf00a005f6cdea71cc02a75490f185f6e3b1524b3de595df869652a502aeaa9873a10960387b3b8610e53e84ef62f4d211f81c8bbe4639bfcd02664574f80dd9904b9552c0ddb1f0bec77868f116325e82208b93b11e559ca17259c7c2be47ccfa0a6e87dc081b2bafb7cb9fe41eede8bce6c2ffb156294d436b814ca9b222339711efcec9e5dde3cb9ee5773a96a8a241247d69cfce4a51c8713b85d11e2fa1ba53adb8290701aed0a755b97b7e2c6304566911de3181a6515c056c7a484e3910d1974eeb9eb862109884781881aa681a43e1dad8780c4ded42fb4d6a19437e8d523ca01401e3a4bccaf17b3f8eb98e7826490ca1ee44df361c39c9e9f9623fa86c7fbe46a4a55b70576332372930c4768eb910d4aa4df356327ac851f87cba7637b991577987b46d7020c118452833a683f7aa9953afc3faff0997011415fbdf8088418027b990b62d7ae15dd99a2789b53f20fb9dfac425ba5116bfc0bb903a851ecfae1895bc86a1d50ccd869b29d7ae0b9a6833bf16ffeb0f65ed4be2cbdb742456010cfd1eaab378d1b394ff3366b9000a79bc0573ce4ca6ae5946650c94c192b6c84699ed64b44c59fc890e510a8f6c4e2430f482f4ed9bd7501790bd9f7362e34afe53a0dc6aae15dfa531b85c837af2ea7ac9ebdfb2f960e6a4d18890ee9afe1a4d2c7c4a2046e2d260fab484a9b62752fac90214633b10472fb143c66e41a7d5904750f3ab61f10731c9fb11df99417bfb57f277ac9808d7e1ddd05e4840c5fca77f16bda3ea2e8defbb0455e03df458c1407fd6e4ee34fb5b264f8a83cf1437992202c4bd4195f5abdc136fabf9bc6e04202587cc87cd8254e7393839cb35fed61fc6c6cd1ee20845b79f418cd04cb533e82c42e956d7bb781f1ecad11e440593c9cffc2e6ffec8d21e04c3f80fd29c4abcba1110f8fdc9c16e9f8f0c0bc0e82bbcb43b46b597b48b94e73d106553d51de33b5fce8c0f183446085b690738464f6ca44ab07d8fe63df04d9462632449644b970c5db757d7f1d8d8da3c5244d8b85e958ac52a34079f5712bd1e586abc64aee4fd75a62800f202a5082261ef2e549999a96a1ca69e7382b59a3f702fe96746a8bcf917ec39556adaccb91e84d0345d789b0c14b09a7249e8143023
294e08e55c69a8e15447d15e4856929051f64c760d4ad8501db3a4d9ae65d39060f27c78582f0e772b9f57eb748fef6a3061136f908cfafebee6b3295dc7e15aafe03cd975f9318560ea75002dc70b2e27c64cf8459c63aa7f1cd3abb5a2b28bb797b557c4cf05c56102deddfd954c39800a55db62e79bf256d763e8f854ce3d075ed2efd27e8c6d6558602bcf7c4be0036c6ada79ed34db5995b36e2da666f36f7bf5565c8f5a265acbd909cbb1c8b874214682e64a852f6aecc7354f81da36cc00de2c2cd22163837a7c9bebe44fc520a1564213a939dfa2b11f531d246460861022e78e7745316cbe2f212238fd22bb1e3d0813136b0ee7816b0db76e47ac08ff9a103d2b946d0b656bfaead6af2e3d766a853f8cb09bc3b53295d2e21cb9e34cbf4e8a6075e8973d74e8a01cb78b660149dd6c0380ff8e6d59430d542920d62bb915d74d2503d6a0b49377a618a757476f538719e36013409579661e04ff86f916cccf3a7aa895da4323364961c6b340c9b82c7200abbb1cdef23da98ef8a7942a8b633f7f6984abbead113210042bdd6e99b69f8d7e65bb1fff7d5c4c98a54754871d53440c86c1a4c228fec4bb090335c5528aff48ef3ce9ddcdb3c1ab44ceee0093f74382f93c5b66c45b9d9b2ef7bd92677397c9181f1f53d90c49939a4e9481a1d22548e7d6f727be762bacb6c58cc7224ef4c5279abe6cc5849c216c2f69d41460cab2e6e96a43d7f3b08c74b15e2f9af245c8749acc8eb7f93f19eaa2255f82a532d8acc5c7d7ae0553fbe847d658f7e47d2c770ac02a72df9cd764cd47e29a552b6d28d3c8340fb672adf10a8921a0e361d59e48eaaca7a7c931e5603cbbbd3ffb37a7f4aeeddff8ae56e5c37f1407a78a986c4aa3e19919e9c2c93fb921e72ae93c3b030853722d03cf59baf3cb086e3e3e4047d51c64f28ccfe468a6d492f824ee68eabb4dc6788a745ee23faa23810dc3196a7d6a64eb7a7c42ce6afa846840604bbe0ad77319fd41a59aaa40e83ff99a5a5d1543bb828894f9f1e79000f3d0fd21883aeed024ec5d0ff5190e7ed6ad7ede9b3524de15799b28bc2bd9568c654f9100a47a2e8e4d1042b2a2401ea990359fbe1ea9c5a23a8c9d52ed8b01cc65c942e136a862f7be5fbb30f438f8bc84d599bc18d4fc1275da1c1b3f64d03d25e9daa63bf2537ff257f591c55af5f56402fe83d18f9257527bad9b2ac65d35407d4b0a43c58356c606b85fe56c387ddbbefcda8a71cffcb29193a51209748d8021d5d123540e50954fc4131d2535681a6799944605b79b4de9fb12c0db182d6204df04db4cb28da9e41753cc3dee7658483efe54115bcb68017d65af0ed4ae29939d6c8da3b3c6b23dbd1c86877c9513fb8d2aa04870f212a4d5d0261d8067997e
4618fa3675db86b472589bae3f9e6246b83187a84b2cbd8194548c2651b2e32430835d6e1392c0729e5e718e5455c5548c7ade623de02991ef30b34647622c8961eb14d305634d59844af5550e99858de852451fb4bc9b589e5fb2960b1e056cac90d3c75b17cf2caf98e261a3c4f24d848902f186ff916e776f65e9cbc0a84afc58d7b97352e3d73d0bcac5b8930dc5180788fbceb260a0a8ddaf68116b467874c4a2388713f8aae969fe09fdf1aa072ca5fba6239b27fa1d1bf5a77a50d5334b61c855bc2a494ef4844471be8a02f04dc9b182e48bcf8f44440f897de9bdf03cdddc340a0a225dc4fc89b6a65f3685ee414e26bd9d998b7d764e6da265c15efe857e226574c16c5fd9ab2e7bce95e9c61b356f39029b7b2d293d2e96548ccb21637f4e10c5911c73d3feafa76f760c8eadedc2599e0f1330f95905e694b601028742518c3b31df3c8981ab7640fc86e6873ec0659e08375b7beaf648ef96b7061341153491199b5da75e217cb88ce407e1b5a1ecc4b2e7e8db7238ee1914834e2903317fc40fe42129af84835bf647f90af2ad6bbdef712a2a96cc822e6c40a65ebffbf37d022be19d16a8249640e0349da99e4afcfe04b618dece4713eb74ad58984f1625e32d9bd266fb9cee63d3c71ce16abd1ea5f6ea1f4a91b70ef74e0a919f34e9ba8277df39b047f759a8bacac75fac20ccabb5f2e6f60e3436711c5711955c7742dd6d9e8a9b83d5cccd5ae3448b25cdb35ecc8f20a4c34bddc374ee9167f7fcd2f6a2cee9672ba4eeacbbc98574db1988c71e8212e2d35dd0f303691c4191990bdbcc3fb770d59b0a90433bb2dfb3539ed007bf529702031fcf429fe0bda4abfc427a9fe71a1a94bb264ee88dbb8c31f222adffd9ddbfe46feccd67655fd944bd4751466a59d69ea36d910e2c9b4111a955ff14d46ff6e6afe568231dedf800a90773cc1f8f956617ac44a2eb6e64b88ed5a07b943321c63a02ed711854f4b60a299dad987a82933961600db05a2f4eb7846a8d01cc22bc4529502c9ed664cd90f5d2f2a4d50334b4c41f45838d5de74a6b2b558ea1d1b34dc21d7f7d0fd6c01967852ff0e0f40fee4dadb242b7b8e7af4cea79842215e4baf008ccbbaa475006f25340c392534d4ede113ea0245c73bc624af6de72d50562eee999a5b98ee53bd69c1b1bd999328456e154b7430f2f228749328e25233b5c598ec8b9e5352814fb3fd15a7112c0a8f9855dd55ff6b747777f93cd15a07f118657a267dbdc51d30e9681fe89851f5a6c7b6b4527a97753d0784a9f60406b54b47028407e177c43888278968fe637e336cbef51ee438608d052efa715c874fccea267e400a305c22a2357d9c5afda431e0adf26ca41c978f202792fc1589ba7ccbf9900e1c9e35e9ba5
843c864f8eb28d226b2f3c3212ad02100d8971672190f56a6e058f70daf9764cb86c36d677f42e06bb291b4ac3be2e1dadfecf2807eb62eb065a91dddedaccd8cce08fcef4488ec725be165765f60ddc628b555952449cd8a2ddd50e06f6244184b7266a2eae1db9a0e951ea4b80f1d973011a1ddfa3a0adf2ea03ba520c9025c3de01faeff8b74cd343efa2e886d18a50861dcce0941de826c5cd4cd9adfa4658faf8ca8f1bdd5fdd2742f55528f190b974c1d756126dd587bce6c0a54310103fcb750b4b0b97e032f7f3c1a64c5b37e51fa88305f735c6acad068a4fd8836049f9b1ba83ab3bb7301370429538601a0d2599aa1fb71085703f000f0f00ca386cc2f6600c0948caec2451f373494db089f4337cff642ab03059174ceb2a20ce3f8d2ed77ecde59855dc6a380fa0a9f1e0fb9dfd007ae1af1f101dd154ed5bdba618715261795b60ab5079d085634559da89134c141da8ab660c12d3e85bd90081478e8a0e2653d26c303bcc58721189d02688e9b7f0cb8d26a0c011f3b31611ca63f519fc1d5152f0aaa2fb599ee719b9f5e3e6a5e00173f87d9b3fb9eada124df2d95b0bceb55c984b1230f93bf8e114dbdffe2d7df566f596a628212bc50cac930df46bbcf3b28ccabc05f33c8c529e54fea057949a50aa183d2be6a17c3c825622793c0f8c93ac0ca3cdc1b748273d6f9a20cc09f2ee1f1bffd215a3def20886bab9047c227bda97d87752df8914d7dd0361b4b089611b5a4bce46fbdbb65709ea7b6026201a121eacad55bb8d0065555593d44d604d8c567f6ffa29d3f1cbb69b68402e85c0d5d951e74a46ffc4fb77711d0a3e28e4718d2a6d2f2118d98660d8920e914013caa24e3580ea7bd689f2aea02af380c1d7eba106c5ceced9e6070d00edd5f776a631fb83d021c0b410999c0cf55f0867ad828881d62677b3fa39c4d83f24b737220ed4f125b7c74cad934c3baf98a7583a6d5919271d7d7da84b360eac3b27a6505770f1b92305481dc6a0eda80c5ae69c90851e0283525020904fde991ed16da489bb25b2c82bdcb2a013130d49e7a35969497d7bbbfda112262a294ca959c005620144fb17448866da6e10cb6241ba38b1588dba72ffb8d04cd84e6d4ca0bc590f2be21aa223b0d5ff9ce06295fcdcb728a8ec85d92bc6fa270fd93f0ff4a0610c9904986a43d1275560ab2f50b3f5ffd5e860e8047f5c97e1d77d2643090508c3809da67ce192cdc9edc7f62941807ce1ff296fa1b8ab53b8da2d7e009be69e4213a0b76fb0bfd573f41d8bcf751686c41340713bfd76dc91ec0d7650cfa3c827631de51b70424d1d75d8f5e7c02d3344e2bd4d0eb848842c2d5a61f37b03986639a19b48974d943124edff77c84e57107974a4cf44cfac12d09cfaf96f5b
914f9bdeacf9ad1c561486f5beaa92c9eb3fb975009cea69df9c0b2ed1c2a67ffe6b9a32b964ad127cf224479732005f66bb8a3270b013e12b74cec9cdcf24de84f4c74bca46c58e1dceed2fe2f79d4ad4963b129396deb616f878c8efff2998d96ae66aa3ddf059369457dbd321fe13bc50debeb8675c5c57e20e652741cc9e9dd84d3b30711947299b438c3dafa4146f4491c799822338acb8355dfe2633639f199f44e4ecb21e00a94cae6aee4e283d0db21dda8b618c6660ec344c11904aefe8bb5d977100e8ee4dbef63b9f353130e284923efde506b315af747a360b8adf718a63a7b8d5423b32dc484df2c552ff396cff605a228d54913202c3f6ee7e8042a4499675735569481fd5ec03610cee19c161f524ada7461afcb61a75d1b4d8b030ef3cc7d9880d2bd7aac7892ad0ed4784c15036d2456db2f0c082cee850a6d7ad435575f821a7cc5276d628b5c17f0a02d9df2ca6f62e6dad864ec46531c49fbbfdeabf6391563a0b8612d79272f222d85226918f128f50cd94753cf1f375cda5c9c5fcffc326c5f2d9d7790bf55ff665f7ae3029f983f1e9b0d8de6c0d239b36ac79bd43093839a8a7e3fb02fa8c47f6152e00b3bc4510728bbe5f8ebf24d6125a781e5c88e1c71c0b84f0179020c849936206cd98cac5bad53934a44e04b1803b0f2090b2c090eda5adcbb6787cce9aea155064290b05504a58e9d9539512ea246f1119f80148bebdd2490d7542a393258583ec4ff745458626abb729244137b67d7566fab4cbf3e2adda931509bb7d7dede5106db43a7639ae428cb33716e91019f784768682a0f0484b0d3f61104c52029a45a43488595d70357457010ad8bfc37c38fd0ab5536c20d18e40718e04cc8ac529432d6168ed48b95790ee9c6581b6d3b3fc14a3a864d6858c58af0ff02689d9de1b47f58fc0a8fc5780ea1742204e73be47c87121cca8662930a36eadca33487359f1a0f298971d83ec5562b2a9f32e69ea409cfc55bdac633b0ff384cab1d47ab47ae03c435d518ea5686e038a048b5df7241e51e884ed590392968919bd32593d6af5eeebdbd12f55820c138fd6c77e74d247b3cb28a70216615720c4bfd09d7068fd7cfadf7293fd6dfdf13a96867cda9db64b71255bece80bb8e376b4628c1a0064406e28a9656286941f1536c3375b908072c42c63a58bfca416497a4c84d917b89574f736c99d821569e2c785ffaefc545e4560d1425260d27cddd471137f17f76b7dd2029666f0a27d3194644d366f051c3066639a34d8636db5b8991911bf15743b23bed633305c4355ac820b85e7aa6c65e95ebdc68afcf1214ce569ecb575f760810da7edd05f5c8889a6e9d9940d2705702990860f3dc4d93b7230e94b1e317192bfafe8f8b5cd5ab7b1a791
7a6dca13cc5956deabde65b1ba3e84e1f91dcf2ac6f0fa7c9ec942f2d7003b8167139dd2d6eedbab9d882131808a73c39554d3621aa75636ec73a1a8e30c697f4784f901eae702b4c5a7916341642f4790589b84b5c9a9f1999be3e29745154cbafe19ee29df11e231217e3475aafc3260f0dacbae05c74a9ed6c8856a84449611c67677be04ac0c31253aef76a3d5f6f431ea74f117fa76a3a888fa533b7bd84b0bea1948751790127e106b26a4c20160d53eba82f316c15bb17387bd3d0f9fa45005bc7630ee47538cae45ffe236400e4107dc9b5da5ced163acc49d85e2749208d218421f4e197be52bd75db2ea073b0cfa6fcec7ba7f2274cf7bacff7e459ce37317f72f084ee8f8dc573495dcef970a2e630013da40f5fdfea42578864d532aea7790e0319ddb4c93764b4a6a3d3269ac34f05acb211e4022245ffa64c46081ba910e8de2662a714e637d5dc0d46f83d85653799c7b22c931a5ee9f5b5365f23110721edd3c8812a5a124e0828042a9d9e5cf4934a3ee44a1550bf41fce8a14bbf372b01c3891cfab88560804bd838eb145ea51f219fa325fc175f38e63ad4fb30fd0ddf0062f871f3d5cdf557c3c8b6a02c2bdd7ae243193572e6df06281e3996b2e288f0375720afdc44206175839c50cf33fce705cbd6f65dbff9122946c8668bdedb016914e418145b104fa7c0d76b42ad8864ebbf916b03baae9591c473d60d3590c92e2803a7804c6012d5b011e96c6dd5248ab2c4e78e9402bc49a036017c1cdea653de71f4b998f553bb34a9b6b7538de01fd27d52d2d2523fe3a596f1c6e90e0da6ed3296d9690d3afe291f34d40ae76eb1bf7cbf61514ff3b32399794afba583849887aebe463814461251d08116c9b6c05db158ca15071e993e08ca0c49af4d23c1f7631df7fb7b5236d76d6aac8e6f8ac33688e94bf875c428c90ac2cfd16c7b19b959125953b2ebc38c478d97adf89921379a682622c107a466983e1d4a018dfa27608f21a9051535cbf4760f5631dea4df7758208d827dddeb18301af4c0f9597ace619b1e695647ee17770b85453bf2a3894ccb1894ff65616cf29327898ccdc544d64fdac5a3e4b01b063ea1a68546607e7b51465b58d60cd94c7b514a5c559724e6b1f802a0591e00b75679cbbc8eabbacc17c03f7449562dd8ac34249e7290f22d0173c5efb34c92de42910034f2e5ed65d04e6709355a9ea7c58fd5fe3f85f009bf204864560aca7a879fb5e26483c90647ab0d46f4bacbdf8430a76b8a94150d70b8db44340157d0b9fbc03225e33d63c44441836ddfe85649d2f1179fa96d5ec5583f6d01ad2e415b9683980f331843080e89110fd593687a6b767ac47b49e9704f26eba543c28dd26889e5d8107720d11e92a761f5021f77d2df4
ed85c65d7d86c65bb68f149be503b93641e56922d9981593d5178eb25570be83dace578564123db5db6058d98d00d09cda503372ab65602e3dd7b63fd8e2fd8fda5f53dc29cb2bcdff527db0d49625716334bf5e3dfc4224968c0a9de9258e2e0a0a6bf16dd6667ff4cb598da611120e330de93acdc96048a638959c76e0bbf2938996639c6e324181b1fc70c7ce91988c32613840b7b6ae89b5886e7592ef39353583c62fb9a6742efab711e6c65507ae8dc66e85fb09c81db26c741dfc6a2ae64bcbca671ff426ba3a2b4f23db884b0945e0bbfadb90c62077bf729e7df1b1c20bdf15f7b1d549c63e056aa31312bd32c1d455ff18fe865f4704f0b3c1f8b4add3b2d6f1b4d70c97ece5faeade75da3846145b0cf4d308e8472b41990bcb7ac1e7868eb814c6d1dca980583d250a50974474e9f79032a80c34f44abe3d19a04f4059359d4bc6b38afd1f27254c00e7cdd1c4e5e501e2f99ca0d58f5010a5bb19101ad9001491a69378038b464d793d4832af28a2e7266cc61b9a82c01ea9deea974b5e386a239e93a7e8f986915900589b615b780213bfa24f56b425dc7456e1fe70dc57d0e1bc3069b0fdc6024ea813e0e2554223b0fb1991d841e539104c30adb0a685c24a04fcd6d0409d2dffb949352218df4d80978c64249798213b6c4368468cae0f61d636cd1f57fc99cc27f9feac4380a896449562ebfdbdbd89cb567422ab617ccd41d674c400907fc51b12e1a9ef2b35dd1dea86625a9819ffffc4cf2bf0a090fbb323bb2b410b01355c6e036bb70fa0b5d7df25d0180ee48cb6a84be30beee9fefcfc386dc16146cb772146b2665786763cd2db1f06a44340ee6d942f426cab6d9988a14cca830956e7907232f47125b866ce223a58fc04c1440bafc8134ad0acf1dd2ef5279390bb842f1e19f6b39898616649d7c1ec8421236fbc779b1693c0030220002b5a4b5de78ba14caec8a9f578483b07aa13543048b28fe2403bb8a3a5c6632f7e52f737534a19e87e7fe60ae03d9273573159208332ef98be87018f024978d4ec6629c9b79ea490973464adfb9bbf2b84fadbc3015d8dc4dbfd372cc54f4c84d2c402c538592ce2a8966b44daf432f8d1fd0a9abb66debc10ff2f6c874815c596361064f935b57b26cc31571c2ad33dc9cefcb307684d295368e4fa8c15d490833b11a1bf787ca1d214ed705e33f139218369fb694ae42da41b2e830e29b8d609e51a2d793471ef2c474fb445d0b3f2d5c65e8418cf16f0fb0937f785005e8a678df65558987089cfa38d78a926c179a354bd40fac48843a7427a5c135e85710d1ded6beef534925cad099d5cb3e7af503bfff666f7a68a5cc36a4098e04bb65de79c81888b51b88537521579b150e5ef9d0cd621ea956820e8a384ae
98269c09e88a59892ea43b10b0aac13141903cfac8da80bbb60f70f8681620ee655cbcf1973983e6f24fe3070fbe323657179e7a0bd44ef5d619d3686ae06041b1d483960ffcb3d3e088e78b6e8fb6e8fb7cad6db7617ca8618c3229263e179de93a3b3a538b14bd060480ba0bff298fff01d25e40c4ecf8339b18035ee22f46c2f801c9a158750e5af4d358e9f83c7d849c136e23d509e24850729fbd32f2d7f10c04fdd70bbae22c2ade00abbf1fd6aae066894c1aad0d947b7c78a9a27a74e19492dafa1024724186ee9b3db8b72efe7d9c15405edbd97324870f080aa3260df0a2326992d796d93a9b0b727bd10ebb1aa4b252b8e08d2843750355d443f2a8a688898048810530048c2bb97104fae86fe8888e09bdc935a64f51a480bdc35151cb874616c21c6d02be49925d9e69196cf6d045c7823666d4902ebfa353f8997695e1714337990fbe98435e75c0ade4353bc4ef208ff6b389477e9cfd820061c059139781291b5cf213769dc429a34d04cf2606168c724acae08df128b468dc73d4965105fd46252633ae7e93cd2389cbca0ec43c03ebed0705d278468f84835a22497e88de4f97b3774ec1145f2dab3ec5c3ea9a03232f458e36e5964b25bb4b7391aafdda257a465d915629f0ae761ab62634e5896f566f2b09c9c0b6d0e7c477812f7dc8004b6250ce4ebc4073d9f0d67890edbba6bdda25a43369f0e15d358232b8b801790db2131880de8d7ac41259dd36c143559d83bbdea615946370697cf665f9f8b2fdd7f2ec5b41dd61ab00b207873c8db9b2e75f71b3d2f68eb4dfcaee6cd7400d981f59d770d51d15598f6622ee4765222e77ef70e6e31468c4704f145f48a9beaafe9a08195e2ed3a09ebb21ee183cef2addfa7b8cbea29ef00a06565f89fd8ec23dc1e03c236f1b706aede07aaffbc35ff89eae9edee57ef81d51ca0b881ff474d49264523f3f7af130b7e9bafb313fcbc9ec9d7ce8a23857d669294eff470937afff9a361f263a378d99b45697e61db08249ac838570c39687e4678eb9f3d45429b814f1f63e4b6cfb329b5639500050cdf21e014184418fdeeead744bdfd7d18bead1635340abc1c3cede4d65b5a5f47a3abcbafb537f0f56fd43ed5b3384dc8c1ee9875d4482d11c7ebd5541c37bd774e6faf6fe67db625d331b9a5ed366e45de2c1ed84e1a19959821d974d6478510d12bfbbc4c7c5bbd208e67b6f5ca526ba93a8f1fbde0cd8bcf8dd2e0d01ef54fa404e88c72180257c260148a02499f1d9278cd92b27cbfbf6da4c2de1c06453525c8193801bf892065c5f33a2390b81e84bfd146f8cc9b423e230ea8b7ed37dbc432f51e44f913b5a444f6ad4169e31df307a61a69bff3d26fc6f4fdb7191d4183de0c2fa7802ae0c23faba43de1b
43f430b84040a90a8f5096a8a382a5d0db6a0c305b817ac1a59f44b1243488e7c3d80cc322506f2f7045a2c937876eff2d5fc2d077ae88fbe7455569cc278b2fec421b80e6bb99c989c57d323976ca99f40785d8aa3e3e2c57489dae2b2d421eee284325b7477231cc38d5d40945f5813119f2263bde664ee72b9c3ad5a8b6622a6415a38e393f8bd815af4fb7ceb4ea28d28939be965f5e6645b36ec726c00fb747d6ab805638cc90d773ad3dc669e771414adb6fcfa9dcabb6e537237dff6883bd39dd56b0a57587f8393aa698c46783616932d038c84139f3483179943a29d217b45c8d80b7f03ff67c3267a7c3316c2c5acd3914359bf9438d5bf93d6a33cfa5f86a142215f87d9becaeaab6173e03d292cf9725cf9117d12a9230b3871aa56dde5e7f9afc6c026d88ffac657444b1b07579bbc488c6f5e97ee1c88e90a6af2cf9f8ef9dd8b08980f9bbf1b2353bb235fe9f16677f20516e2cfbec3d4b2eb3bc1c87dee889ab2789e3f3e78b2da2dcd03644773b88f210bad65a1fe92dc71d2bfb55798c7a3802a5f9d9908b4ebaec5520d09ee1a84ee2c5699c9aeb53916647bc0096f329206ad50308b08aa2a7749e42dda9f8319b29d3f30e0c113d5e3564132860517143362dd48c7487e64065a67ce5922e76614790eea4a9f34dfb22170a6b2eae3590fe32c0764e7b738f1422664d23af10ed6c55f7b4e29c31b50a93b933f860e03192c39fab3dc9a1bd962c279bfa302aa80ec9fb1040d3b1a9265fcfb73f13ef73c4fa12151dbf9704c6f89d3042bf3c27c646bcf3d3b2f3b623f22ad71047c3c5edf248becd4a1064beed0dbcf357a086bcbd7bb40fdfcd792ff2fe3edfbf620e80e816c08e921e1688cffc780959aa2f3a6c3b18386072f17ad9936894e66b0947b3841dd18ed84b26dffc62f3f278617d681fb5f12bbb2b0cf7e6178c28ab32145ff7930365754798ec20664ec52f707908733e25f29980cfc7c3fa152c3a0dc3ffa80c53f1927e78278a5f06c690586ec268aa253aea10b48b49fb2ed1ba4e76e6d096736edd66cdab50c8f18e0c9be6a1a187ad0e7b3ad6facde6935c7bb1c4dff3358b5c73b306557f18f3924d8bf877fab3292d22257ac0098e4c9fa5b2a0380491b9154b450a8f829feff76529671d3b8ba957d9691c8b551ab0faaf6c2e3289149b96f46fe28ecf63fb55e3bd097b4e41fc277de00ab74721df09501e12a95c266a171dd15bc2c29564af4089efab7a478405acc384571e6c02f5b5ac8cc36be77daca524a1f0534f3d2dad60e2b6a54cac6225876820d8ec00ccb301f27724116836577d60fb96fc7f0b58fca0415be3c04e943903b573ff4ed860570a6cfc6ab953a57651060c4b359e1e5ab8aa49c7e571c8bf9a638d03db810ea3
0e58ac093563f5c675e56bd8ecd7209d13d0837b71c6f033ae89bbe7cc1aae7770e9ba52124fb5ffd929c877eed4e79585b7edff46b8aab917198ddf6a74d573b9ccf47f3b1f7d97cbe7a59bbcb2f0ed438eecae94f7006d5c14eaa14e2598536c37837a071cd6ed9b72c878b9d1e81bb215e76ba0cd4bff039bb2b7c4db87768099268c1b9de5041c3243315209b15ee81dc99cfa2bb034211b89f1a944131583f1b087f72b0a63bc1187511b4f2d8bf339b73faa6162d926dcd77396f0e39b533b657296bcd6e46475dddc33a1436fbf7e2b23e135bf87705f3a76bbd119d9d4c711da75de651cf8f02d8d48f8f7aac3457534cb2c45204ff46ea12190a7661e3cb82b56cdccff9f96c6710653f28c1b2e1ead24e09ef2be6bfce7f1880944fd1b7386e0f70e992fdef00abcfb9b277ff417e054bbc075b79d23dd9418d2bb952db441f0e92712e0a17884a60acd3446127719aa1520321305e2c47d670177d42415500d726dde18bceddc2f4ab17f050dbf20888257bdd859696bd52583acfbb55b62b82470425472b4b64a02677fee8b4c4fb93dc36fc415b08fd0f7bc5186ecaf82b24560cab3a3bb79f91e7d8a22bf8d59efd09426ef012c485bcaab4bbe7c5e42c69ed15557e630c2c97aaded06a18d51aa04ace19bbb97bce583cf66191b94953b0f070b5a32e49f160c5af9855f1ea5e02291f974175c30830e95846e2f3ce2e16050f7109343abcecf018a1cb389549d7c5525106872c74db955e4f33f3f86e38c5dfffe45686bf35a84b986590f33d57530125ea3ce3ed31d4295847c5ed1340a22218bc3e8597bb2739b55eee5a9c3c998b1866da55415a4bddb9cf22bac8dafdba6178eeecf9b9e04154857af97170da61c67d4a4a9f6ddb23258cf6fd1703e7220d7a0d14830cccb0954d9b4921b62dd976bd2522f2b2f86113ce2fa875f26d58f5779b16d42c1d4ffd0738b4489c2b2ccefae55099f8171d9b1b6398476b6be2fa9b789e62a33e66d61a5d7ff10029dd4e10aae05ae40e12e862d2d98ff9f18b923eefce9b696e2a773e2a89ec0fb332816d4349de32911eefb35d715c0fa865e0b0b78777fa08a88ce256ed754443977c3f806da9ca26a54c5823610116460c99afe44a678912915532e6320bc9303ce4f28cc144d1d246970a83385124a9229027c211727dac815eaf9a119fd892a7215fa6509fa232881c80e0a3c6780b928485ceeaba80830d8f9abaf408d1c929a120466e057a4d30130bbee808e25a6d5eb57ef51a581f5322670afb48d40b439ce0b8e756113785037192ba57b4285be38d4670829f863dc33a3fca49c8f58f8953a3e2ed44439b923e5c398b6e790cb79cd8a844450f086e770e6c206ce74968903136f0bbde0d212bd1890239054f2
57a5b0f81805b0dfa9d27ce6d6b2feecded46ecde172e8699423656ad431c5f6dbd24e2dac50b3449e789fb6e66521756f3753c4422afc49051c7825763599916e04bac0554a9f710642e3e024ce560c7532bb2a3a38073220e7c3ae2fb39e6e0133b7d210a806a9b88f4e13a7b43406405ebca415cd6f363517ec828a5e704b05599623d8fbbd4545516297b8bca5d990bb243c550ded2418292282cceb1c80ef7a706a3aec6e695a3fffc3f5ce37f579b986c27ee81789ae8541d3bebf624ffda6650a27d4aece4f1cb2ef7f13f40c2bde287cbce7c400ce5f508a44782560778409d9cce8698210c38ceaa66d03f8a02e777152068359464742570088ef5c475a5b542bd6c735bbc75f33f30127b0c4a9c4ec179e16fdb2a459dc0dac4256568041a19fc672c8dd2f67ef2d870ea59520dbedbf1e3a64fad80d167da484cb2ce92d7e0828886deeed1b9838140a8a9c0c1a69113679159e23dbd37f3d7779eb721c71b11cef8b14d976849952ebb54245c19b0b228701ef9f951f1e3e024f11b8d63c44a0562d6ba3ff30d6c3c644331c3422d6335072c77b71740c197640d7d5619cdd8e2330527b59ef15d0b96ba9ab8ebd775f45df018db5021e87f73a719ac0be9d36fe02735f9f4f6ce921883a52b05f2d505676cc49492a70284c3c590a89c074edb0cdbc6dafdda6e7123774ee64618eafe99a4dff441b004d32ef408f701cf35748b9c9e60bdf97c4c2bd57c5cfcc67a426fe5ed77cca7678bf50852bb1fed48b7a4aa1bf58f65b6694e79094af25f5d97f96aea0c82ed6be5288632fa5203eaf9521e5e19a13e4f24b1dde4058393be8faab1b077d3f288d0662205cf4226ec21622f81b0aa2867e1a565e4a400de4a98683ae8a445ac65f59b78790636dfbbe77258a8f568b743fa37186658d185740e95b39d3d9756660553458fdec896d65a456b5ab5b96326215fb73830fabd4d4b0442816197992a44eca9f618daf658e090e6e4fa16cc6529e37992e4ed67bfc6d331a6fd2299ded2436e1d086895ada95abd83ee0f1d72601dcf77d36eede5201c8f6eee07cc8b36801b1f5489f4ded0943da3dc349d93832bca8d741eef51ad0f73f1bc9ca8f0a04b053bcdff7a11662660b11c6ebee6a74eb3ebd986ed6a88c48a9f2399d6e80d70c6b9a7e7c0e5f6b805a3b8b6e8bdab6f2a6da910736c208db7938489aacd44e82782994740ff32eb6626a3b7030404ddb1bf5491bc085bfc8c741e7184ec8c470d6affbefc4576263a3166961e1c504eee8637e228c261361fd87a5d420090ad06aa3e39540efaed838556c019970faf1306356fdcfd68b428a818edac3b9dbf16d9ff4b0b8b45fd52d9eaab2dc8e59810050fc88d1ec8ff89e035ebf9ad891aff06f6a9376d229c8
d71990b8ed6431674316035cccbb4d5d1749a2fd1b5d66d9b2591a046cf192544440ce064d821f11ad40b2cffe83cc1ac18f4fd1c1c072a4576985ef15f31d5446de6b36a3a0824f13041bfd48079d3ebf543c37142aa6dde5b87e1d4c977638a649dfd07480c85beacffbfd1be7e9a98fae468bbbbeca077216e7946e7f7bd2c17507e05f6f81965837f60c1836e18d8def34b1e8ffa0c2f6cde41da73ad051781038428ed3a0550585c5e1b933ee11046b353020344d681e9d83bcd21158095387ab8ac66b16d920b2dd1f8e4b8ac9dfb594949eafd31b5e3495c5cfd5f9736d95341548ee003a4bad9dd95a4f480e5f61f961122645e11173cef83749121a77f48ed2ff3e4a28158d87c1d4602d53aca09f071942a88a653f9f70c27102030872dfe56f3148ea6cc1f4eee92d45ba7a5dca60aa9c4cbe832ae0184df7922a6a72fc062460081bd2964001db833637b428f7f913d7d7641fa98d76d7eda3656da056135d15f7ae5b2ca75c6f5e606d1796b69893ec828a41236f39da152bb3e742e82fc3ee7b62dec3f5ecbf4f66baee9b3f86ea642fd543283f97128aacec9f54cb132c6ddadf709f2ccac623737a53b1bda6d355e01bff73f1c43124c4484c8fd9c11ad736e442bfa4ca7edafcc1319c22485f04fd8ef2b536dd02bcf1fd241b25c4d4dc7aef109750665b8f9ec0c554bd82de1d5ee6da379d6220cca2eb14c8d3db2617152e448f964b2e5abb0f921dc8bedbfa1ea4cbf922c8a1733865a918b228881443d8fdbc3d5f575dc39c94974da3af4b22b68a5172bda348f27359151096ef041d4d1f8fb3b204ddf0302dc93286dec600088b4d29c6d3f55c1d5154d1e56d454f2a7a22f65a22253abaaf10ad6160c3ffb9f76531045e01b2a4bde5ad042ab30e3fcaf3e35dcd963ffd432724b9f03692c2cc64a31bdfdca3bd8949c1e3377ca332e96f15879eafb95c40db9bdf3dd34bc097feac69523c6c29c423923227abb1cadbeb710dbc2ace43e6831b858fd4eeb8fb2a540349faadce46397c71a7e0ab45c6e8b15f03f43a8fdc68dd0ec475af71acf4b4f7a13bd116e10da73c668e72646ca02946961eddb7565a08f40f738f23bbd84c686c76540e873da89f19e2c33f57a918a1043c4d182b4dad50c86b2f921d93820d3550d12121c8ac9681bf757e64283add0ceb4751d5428632bd24f52eb0de77eafb16e86824bc9c21b518fe1596030f0e27015908cde06bfb3805dfa46a1993c8cb2428433d8ef60c92a9be5c7bfc542a3193bc2cf2784647906761816aab0c31556fc09a603f3d5919f85275591c668eaf161467d68142e5bb0ed0c2ec76d5fd653205270c96eef8f5357196fd3f4b1bb7b2a983c07acc261eba25f2fe3b255b22e7dea596deb2df73fb47bd
7cf1070342b0a59c6975c066d5d7b5ee7e068fd3d9a0e0d9d4978bf97caf551000d9cf8b2b14b624d89ea47a92469a61e85e646a6b6a571a37302b13db3657c1d360a2bb336937859aa98607a41771c5f48e762b6e062971334102823d334a40396df9dd8cc4119675df5b8ab3d0965fb5f18a6ba9afd66c1ab91dbc49c25349be57299635b6168a85fd6b682bd3bdca1eb8dbb0816f7702117008e40f7beedd509778eb168eb0bcea8b229547c55048bdfeb9f76324070542130f255badb471011e6d110f459ffe53a2b60c2f2a00ddb272d34a83fb2365bca876b03afa395ae5d2c0f812affcb437a9f84fccf4ff790c2e43991d7a5757696d7ee6e92ce9e0e6e198f2f152e521dccb88a31616be1412100ce6dff66e3ee62b68f7d3891a9f5d938e1e73930d21b56076b9ccb86fed1ebd3311b7874e7a586ac0dc164411765d595c208539ae3dad52c5aaf8b9ff52ec2763eca5e1377dbf172b3de84f6d38beb5dd8a1fa885f5da105fd707dca4f744fe659b096deaf2941d1bb2093634f2ffdf38207a77673cc613bd2d2fc8f61f21fabf960c89b4adc82e9c855aff1315633769efecce87a24fced0c14f3f1e0c60e2a4ae3be7bfe2858721a454bd33c460e8dbb6e2aa85ec47c845cc5a40dc755f78f96827f7bdc4baefc47b251d4f96e0c170fa5bdcf3e1461893bec60a9e937489ab9c2c3af32a333da69af97b516b755048753cc99759cfafb51f4e4aae449bf322ee52b1ed55510a14a29b689c072088aeac0cf45e34b039111406a44bf7162380f35088ba09b8a4697bff4e5f6d1c69c8fad4610b1ef51490ef964c370fb182b47f1863ef451c5022399630776c43f33ab69d5b7d90f38f7e01059e3ddb3f4e89a73af0726a9d5609dc765cfcb5d1047980bfbf82b3914897adf8a3982d516439a38ac1819e6ce1379863878ac97fc4b5f2ff441f5f574e3630acccc51793e952c7e6063fcae352410e04997f577a6ab021725d8e25c1d101d584eb0ce9b5fb547566c906a0a555749f8ead9a9acc791f2f1e4e7233b21657f05ee2d75e4fbc71f269d2ef05615f0c933ab4d7ff3afd64b21adcf7ddb555d2ee6059c41f6a2f57bba943ded97cced510bd02cbbf52f9142223e2b030f8171643ccac365e89f3d322a7205a0aed36e94c1e300f31c9d71b93935d4ce1b3a0e42670eeb76b9b6002e6753bb8747c73fb7a0c702d2df14a75a5d1fd85bc0094f348505454998c50ea1aacfb8a63bc5c77418a103d8b6ecd6d0d4a481237db141fd684e64a0b63142631180e39eb1e5224bdf21a29f576ad84ceed390f3ef1228c204252da76f0e3b15bd426b1ce66727c1e700a0583cd716362607c0c09db433948dab990b445d005c98f6d401242dd831b0bc9edfcc8fe1bceeccdf5cc
c45272a45884bcbc957c0f1bb8d2fc3a625eabb2ff61f83a95a99c6ec0e1752ec432205bc248b148d1dfaba0a9cacf8d54d6fa27ab941e350835d64a562f2026a1b29b2f5199782b384c514c19d1a76b20cc824b510c3317100afe3eff9b01a02380e5bf46bcd373bb756337ce8687702f5a4beda1d25a2ccbe3d53fb00c957814318349b4bab4c9211428c867bf42e6c625379eb0ec5b75122b0ce70efb304a9ccd708df5d60753aeefb0bd95f451cadc34900f24e45366753c1efa92131d2effaf41bafa3919db783b2c9d22cc7e1b8f236c2260c9bf2e7a3b9a4ea751b7b55dd47381bcadd544c25728ae62e2d6a96fd51fafa5c76f61b8bf50b5891210e16aea7b8bbea3e73f61029196907e6c62bdfbead62be35e2c714b6f0e5fc8224378988f487fb4799c23e8718274f0ac6881153024e541a02bb392012dfe27f0815e56ac7f02b88dc4205cbb4d036cdfc58c164219ccec2444a4477b7f8a9c15698178bce12e386a82d3920d5811eea072ff302410642ebc1e7120278e14c6643cc5f238ac4765e1b45c239f7e838ee60246e942405c807a17b235465cbb17f03afddc69043ae73ae578f55da41759062d7186199ecdf507d12aba73441ad2e6057bc05b00fddc4feec6781284364a978992eb195e2b27571b15fdd10e9ab8888eb0826bcc76b5534b7f5446474a31b57411c525fda1fa2934022f6462f6851aa1bd7fbba495efd2c275def068c3b2fd3f438f987d95e8a96dece5c18ecf9fad5d953a2c3d38f66a4f0022a74335119698b5f4a6ff428538470d975ae1fe80fa87abba6e1ade85f5e5fbb96b808b4e4a435ee171b838e0a556c23c1b980af93994280ebaaaae79a8b9b0b353344276c687b82d2bbc432672f02c7000ce49870d74a52f8bf66925778dfe1cd0c148d443c903c019e440659ae9fa326de59db3a597b4d208a3d9c4bba2641371603e528311078027ba007e0e5ae077244d3f290939ae6735604ba178c3469df241da9243055fb7bdfcd348091bc29bb7c290cbc2abcb1634de18efe0882f3eb638bddd9f4ea3f8211ca8d23a65767c4b45427a7c424182531bc3a94dc823b2ecfa57484ff6e64d8ed098e94647fe84d9828bd0d1ecee854a92a6bfb411991982f44b3dbb3c71015c8cf6f824d47aaa715e94ecd6e46d3986639d27ca0a9e2635cdc4c52a6a5ccb6a03e24de7aea55c7ee492ac3fa52dda7d306c2010165953c2ac16775be79002e4e68dfca61a052fb1b2fc74ca4f203765ab60ccb296d8adf275bef5ff9e99d554713809412b2fff3adef94965921fb04f2c9cce39bb36a57f61426d7921be06fbd5900e095fe9ef930bfc53cc0489b46145f26af0e1ecfdcf362bef9c0869d277999ef7bfe9e37e1c17084ecf19079863f562b50c65
3f520a3b5176ce09950d66816e830792bd759b6150ae189d2b0d0c6c03e3b7a36ac41052ae58a7edd85b111100db8a68829706f7cd3d5dcbb7314e8cbce8c80cc011090fdd136a74d807d375b9fddaca0f6a181dacc3bc7bceeccdc3424a339428c0e1bb805a60e8b99337285dc65bdc29f2893c42ef76d7da18700fe3b5006d8d95c532a78fdb7334c6481319058dfcfc2ad2924bc3d4f111bc301ddce84ba64cac72e6d4830d8033d736b830a913c02e338ff106b97d9b48f7f023073dff4cd48b7fc61d338cb4839168881d4224fbf7524d8a6a7c01a13068a19a5f38c7ca034d13d582b2db8421b570b47c656b2d51edbc18cd39643127f5c8e0bf0685bdf6b44f64eb4c07d2e9117ca45afdaef6979d37a7eef70e82ebada130561a257bb63ed5c9c3d3cf101d42c70cda123ea81a9f115f8bb78256450dbb6cb2899ed10684e8e18a1042ad83653e21c4c5f48aa887d399cb9fcf259b1ce5fc659a860a08c5a2c5fb3c126073fff976a57cbfba1074063435fcacb27b0caf0ac19b8e8f8f06fce07482d65d2568f908e93a0d0ef257285103797cc9f88f58eed2cd1717167f1f2dd006f055f27e392705f1ccb650bdfb07d3ab777ab9ba3ac3dffab3b1e663f154c62113da66b2fbd270eedc94a9437012625ce8ba9f00c1c4a83d588e5fca0e5401c66391a4155f3f86f552ccf9b4f0004a4cf1fbbb9760d1812f0c43cb54637b0ebcd7fe167c7700ea0031a5bd318338be50ee2783384e097284b8e59c170e8a156828bc99e773314e6f7a1f5b493ac21d9fe858d48e98b977caf42b95e9d54d4f17bffc28cca75a647263825f129bf12049394a45e75aa0e6c12b23ecb2b3251099a95422f19e447f6d3d337f9437037403c93d6d705c0d5a5d201a8e30d6b48cddea751d9c1dbfd65c04112695feca2dc25e9d9e73e5a5e1b146dd2ffb66f5647dfe44c1dbf502ecad9726812e9ccbf19c72cf32b0418b714995f58742798b624494210de0d2888a3bd6ddb47f9034344d08fde2d6b2ef97815c6a3a6e7617924dc02d70d713daca363a44a9325c4a17d6b7754dd4232c27c2ab9f796cabc49347cd35d2e25f918aa4ef2a775b556a248c5820e606af7e3ed95d06313cf7a07c3b0571b8ebb05b4b9770a047d9916906270959253b71d26a16297d5c6f2ebd84f9140a0e4543052ed2f8561952029286a358d7f1e1ad6650ea206a469e87874d281c226bc29bb5ae95c7c2c1145aa22c2f2c84f1d431f46e94d8e372456e0ae74323e680348d361f89054aa99f90526c1f243f72d908d039753d0a960f7788da707fd1f2cc95ba7be64bef54f395329533938951b7c85aad62a79ffc33f487f803fcf6bf2c26e6f82103a6698d76bf780ef70f3dacfba41418bb55e4a16014c71a9a2e
56ebefac29a4804ec152bf89810f07b8acd9c5e697e14d40c3c8502c51182ca9e3870b392de488fc5d74748f700ab286e00db63f8c3e56d59e68a01b9b4866ced3d1e9106d1b7df659a14f59fd54f5a4727ab068889425c07a463da32f69b8bd7e747b08c7bcd323324c7f790a76f4dfa16f26d4242b16b3aa7ccd115f5ea17f5468f29766829fed9bd9d735d82b4faf5aa9dc0e4a577b53d9cfae701a54ebb67c75057053d8a4243cad178b9acf9c087518fdf50103b4ab347eecdf6a1c1b5d0c2a236d429cf78c2d21f0a7d213bac5b95d7d8c8ba71a28a21828b5cc3e87c67afffc37c7daa627343347789bc1316a670b298144283b81e73042039d627404ab5b6cc2001839d1fbe36b8de715a838a24c81d15d6071b04a285823f78f53d99491ecb2842f17de6f508441c8d3e75f6a35027c72c3ea003ed6ffd6c4043bc067c286406b531c0b553eacd468943659a586c17091b975b854dfb8e197bd72768b86458a9eb2e8cef2c6904579e6ef069191a0a2db735c5c8fee1102c0c7acc7c1f0f0b17913559e0f0fe6f19da77f878603d72170c398d11a838a5370edad089b0b0527a5cb07b33d7b38a49713be10f1ee477f867d5600936b6a9c74bed99a4db81e1cd7f959cdfd37116382b2f40d4eb980744772f73e1aa4a93dcfee36268845131c124369db4d0cca54d4f8c3899aace46adca0ce186ca23e2ebbbfb7b19ee441490a4962e5117782ae12c191f6dda42b96473d22cfe1636c460e56e7ab0548070db7a95fd6b3df5aed579b08b5815cfc8a153bcf141253d88c55b5ca968b811c0aad767a439db58677d5bb13696d6376aa6926b8f0acb54363fef2c29d358532eb252208471b146949f0af762f40417ced7bec03ac9752f2e16da680d29d9ccade97546fb9c0f46d911d735e9cc578308cefcfe8f406af2b7239f47643696f24443cfeb9f27259ed77a876822f734b739dbbcb9b72096b1e581e5fd12c957ce71f3c69a0885d02d46503798e7b09749c4247fead044aca5860b2242258763140f706e7509317f1ea81691f9d80d054535d639da733aaeb7cd4a9b0af300ea02d384380d50ac5842dd8fe47b82cda8ce9424ccee49763fe46ecca3e1e9e10f1017e333eb94ff1d20b3e59b92ca10872c482a4c1d1f1fedc95272bef6173a58d94c464cb52f34759dc644d972031a1b5025022e8f85173efb913ea59cfbec4da2586b29308a4d418432a79972b64d9c756905b96e2426f634860c944791ab13cf4010c83ca630d2ba4cbb55505eb0790194d927164ae80c0db21954943c66f5bc89beffbdb3e22a3838406704e1bda3aefb5fdb2a71ed23b4b75352aed0db5c8d60250a49a9e4899b0983efd5662be361fb28288b620666e05953cb031407c0a2605559d8cbc
0421cbe61831aba85c5d62c1baafb86b1692456b6f0628289bd57bf9187b40d4aed39013f857d1912e561fa3b5998168662010a287c7e205e4e8a9c13ba68ce1de8561d9afce4b5d57917558e13a7cd3f4ab1fdb2c8fdfa4f61b8ed6d60ead1efeb9216a1fef78fc2099e8716522d3cfa575888823f558bf15e30e1ca995ce19c9069ddbd57c409d52f0706cb3e562fa18405e4181614230acd0c51e39bb7d9621ca50affbd209fa67bdb7193cdb97dcc6e5a7fa717feb917c13aab6c41cb4f2541738b0dca8b2b129e5f631c2a8fc77f366078286c90d83910d1604e805f9c2333b853c14bb4a3d5f22a641fe545121e14b7b1e3ecfcfe3ff8914a716f2428724c3ff13188b5d06c8ac9715d54e81836b2f9405ea8e8515177091afc064922ac4f409fdd1e1359b640f6337c4a3fd4a3fcd3bbe63c984671e15654c1d6621de7b3a95241c1642fb7a713ae1bfe8aac7bc26f613fdd226b19e98987c3041cd84d5ef2c78faba10b0094968f2747d42480a7b8ddb2acf2f87ac4dd22bf23a2da943c35e76dfec22234c0f254adb8e3d32181ff35809f41a619e646ea3ab7d2554cc237eb80aae024aa3616369d00bbd6c62b6e17c9f5d45bf780c721bd49fceef369349f58191a19d468e73dd9fcc6e38e20d3b131a9c67778b4f6cb8d4db5dd09036908119b23de74af79d71abca4869357b9c5e808dc60b6a4323b2d5b8b75e4d8607207334bad78418d6b7287b90d3480ff5946c5c41cc5291487701a08cb436fea3aa7638aa5f4ff7369f526783746600794f28befeeb543a11c3ec5f3245e3e0557abbca2c42ad2dd7f7d4d386884c70dfc1e45d56cef5a086808f3c94bef9881d0e45a98a731ef16a432be8bce4172b4a8b8f12d2ac858542816db541f11baa9f8632fc604dedbbf197c573a293c96465e64eb1e2071be5c060f168700bb789e993264551620303bd5fee285129ffec0eab47ea52f856224839787d2abc159421016c18597649607de74eb86f7454bf2b7dfada50c780449b1d636de6374f7fd9109f5b39ba67fbbc209e37c57610ee7811e26be2dab80005d72d19506a23861b88208a883dc9216c608e7d858e33f58088a05ec626eb3edf9ac3ed7de4ea80b0c23d1f0d6ba248c31b200e28702a3e713a7383bc3b6c660c2e955c39b6afeb4c9e0a72fc4e1e0a8c00183d8123815f0e943a7bae2bcbb1d4eeea175abb5c4b93e85d41542f6b8cb65bdf10c00fee8d8e079ccacea1f3a0912ab7ce1381d821191c7cb4be46bbf8cd07256b0f81be4758f35fb7537e5353080efde7521dde5e9881fc91bd6c7846c77049ac303c32ad9de7754d06e00a9b8feda1abad27192c550955589a6c41cf14bca6cac53527a37f4bc08b9005b42b9c70216c51b337b335fb5a1cfd9c
d6b59f76ab90affe4732c7e304b9ccc82ed6af679dc39c91998fa682cfe4a6864c1b79e5e2da85c3211502aae5764a004a3b3d41005d5cbc118deb022a51fc1ca56f0c6f5732266fe215a3cb6e949698bb1ef1a7e67ddeb8b6bacf9aeca16b073309d7a7f8edb56f223c39dd2bd08e669131bd51b8cf9bdeb9988f71d8e553324492790d6a7aea92bb41dff044af0da6b0b403c80c5bc4f6fe92380440372a0e993a4ff3923b327992517041db7ba01280cdbca96667a0f37213c204cd7bfa009c2b4adce2846f9e9eae207cdf5350b30d0ec746bcee5b29b44fbbe3910fc015d164deabc65e8fc44253a7e42c38051fe184408271f8bbe0efc739a24820d97db1a5b351f3c3f02b17ad9984bd4c140972a71680ef1bac678830d5fe38562bcfcbdc268d8feeed8c7da82aee6d12ed0ca88454f2631d86ab6742167eb34eec9360c8227bf96fc1b17b3d0bd5ec8b297c61407c6fdd3d6965dfcb363326a85f0e84773f9fdfbbe3efa72edca1f6cf8c230738e104c15947e8f54dc46a67a40e4787fda23bcf4e4dcfc43a213fd09f1c4e61143d4ceae85fd5237c141d1f521abfff83cf23c624dbef356fccbb880c729664a568d54fcbe1d264deef7ab4d7b9be1d0ccdc4e6e78b324270a7fc806ba7c5c2711a34f43d3fcbda22968dce2372cc3fb35aa6578cee49b7425758be5fa1c3c6729f9669d9d067e56b7024a8ea7eb118be8b65ed817a7a2838ba8959ab9f3cc0c9b4b13945e1ce89b02f86166aa89c504a27503d1f57df0516284b4b4f36265b5bc9d8393d15f6b8d2a18046f78f2ecbcd410bbd2842be4ed69dd70a534490befd3843e85b12f964a12855e2ea18002200c728007d3ba098a7be3afce3608dd533eecd536c4d8d7f4da1ac96ad45c84e811ec3df571c78fdf7f8b9d0a1a45882c53eb2891bfa6f5dbf4c5b81ccbbc1ad6d73847f014841eac73782a1b5ead5cef12bb5a1a4ed82a9f4faa96cf303a5904c5d51b3053b141eaeac0b4b333e4affda6e869472c634dad1f270e1d39dec683b7e84afdedffb1daa22eb3ccbda3380437b67022c83dcdbef46978fe85e4b0e066621c1ac5372b955ad5b9048fd0f7ec567f1cd8e74ec8dfa4d87f553ac3b581ba69735a8d4707cba2d0ee9671db59b2790d43e88390c2ec109b94b1b55179b39f79026c8f1685a50c6cdb84c0770b30c4fc2f4690922757878d607d3d10646725f2c07e8863a96fe35e5a206f39aa74891a643acd4b3e16e95e69118b33c5a0bb16ebc40f8cb25aa3c1ecf83a9fe5c937381e165f273bb0476bbf8cd351510a53138124acd75ac598528d6bb492d1229dd50c1d867181d20fa6e2b00b46f5cfe910b61958484b176a6f168e9161ade81411eab0aee2051d30903af597ab648a2062dc4e2428a
6efc01d3100e120ef09578596d0fa3f36721b7423d477bd9c74f77418bde1bb94ca8aadea4027ec2e066ebb5fdb37eb841a8d0522349f71a0c4c9a4ed958b0c76d35e6dde3ad296eac72409ad47574bea30337fb226c335d78f5cdf8612cd1e04e7619c808ecdf2b9a2ac0616a0720d6c3ca856fa8370d202f3e622d547ee3316b3ff1d271970091d00b338871f9b70feac6844c404a9343e4cea8cec59b7be9da09b9d125d73f0e8823d3fa9bd247a1add73a73064ea265bbad9f30aa3424314a48eb710f4d5df40258e9299335443226d4bf7812febb7b2de941ddddfd88ffbfcb5bf7518b8e99933bcbe477bf1303c263133d9ebeb1549bfd552065c783ec284a9ce9b553a20d7b77548f49cf519049ab5783afdbcfcf6c7429e76ab5419ebaaea468f8181d3adaf30528e67950b5be474207c1a7a81f0f3db8aecb28d79d56fda42b955194f6e47ad33ec19f8d8b996fb6d8b1818981aa2af6e069a4608258c5ee64b70c9fb3a0e45cc014e4f9addf951da9a06727dd22005c921dcd79ea3c711615b8a5368be587203fabc96b712bb8b7f7361dd268bd76a26931566a23ba17c56db36e003e6b75a2e756fe979aaad3b304ec8afeda488fb40ab38d3a920264a4f2bf1dbf55620b6093a9b36699b9c32ee344d043a4766184f102196feb205cba518f069952b3bf8f857aa2b16a6e55a1fd0004b7e8a5549a8825708a48bdfe71d2c138bd0de81f7f3686584b3ee09ef695a6fa68c2a2bcbf76da1734fde9ded42e4ee908e1e939c4ebcfc1dd5ebfb50ccf79bc877a396bfe76be7afe123c5538baf0e7c286a0505c63b9b9493960500153751017dd98eaa898110429ec87ab32d6d6d3908a27128463f01da7d7a410182bbc32e667031835e8ae20ae46467a73b1ac2f2a18341dc64a558c75cb831cd3496fbfcf42d88fd609886c90d8a71286aba45f8c7edafe0176eea6050d36f202f7c9e6bb7924396e040428eee610c4abbbe1cba688f508f11e01d4640e6c87c45d29cc3dde93d428b5028ce4c1d9bb95907a557223bfa9e9f6eac9195aa1b4990a9c125a7e116c8e5510f69c8b741836d7c43f13400c894f366a7d22281ff871782173ae78ab8740296aaa999587cc0005d2f4ee7b1b9be642ac1e496bc29946f72cfa6426cb3b07a2e948c18d2a1bac5e5b08562aa5f5407635c18ec0754f92d769a23c5e73f570c23b3d9561840d39b6a7271d9354ed79e26762946397df3ed2b2a692fcfe5109ef1941bc527658891033d97db15a08311c51fee65c8d98723569444e3945fcbc81632d19dcb9373868aaf4a6a3cdabbe97a915f83a386deb483d3dd126a9d1ee7b2b4f386dd32566ca0469aa6c6d80f982f90dd6be7b3e6e5c231998d88951ab0eeb8bcea07f82ad8cf2604823
65c413d48e7dfe108a91b2cbbe4cbe2f9a52132b4d54fcd36277225c68ac40b5e3b443d543b891476f271d2352b3095bcfb083f2c3a51f248cb4eb3085d0c910741c1ae9dcc1445358a6bf44e626a954dc909ce85c1bf979b88cfac5fdb65d27e65ab08245aab32fe2dc08ac6312e0fb7f408d75e6b01a3ccee722540016b0247df32bf72a767c76008a92e0b11fe9c05004545409ac608e327c0d7dcbbb887c36c33cc9a0e6906c177327f2ccbb43a72d588eef87501112a1b643731d2bcaee89a250663abc668a3cca8abd78c2d23f9e6643df9bc3028fd56b34b21bcdb808492e35de98c316dc7deb4112fcead0ad74937997a397442d38eef00a7b4d31dce64f9bf09b514741bd42dc0d3cb1b310a34bddac411f46a523113d571b4acb991dabd8f1d1525223c5656efc43241574ff51c847fe329ea20c1ae30eef094c0e64c0de95d727a37bbc510214fcb3bf6ce4acc12d76c1931e0efe47399a584a590ec68787b17566ab2e518786e858246e8474afd178e236274819a3dceb7652fd74ce86e7f318d82a25306f43c7be9f6babbe2c96a1b41bf442008065d59f8b055c364700624308332789632a682fe243a74e6626127273ca87c3d172fb12e5f9ac7ddeb4b106108652448dbd15598a4ed3fa649b93c02dea87768131d49656272d1848ab4230369a5f043df758aecab659430d5f1045259d3506fb84ec7aac3ab5b5bfcb9689f3c1b5bb24695ec97687c992d10f2db52e0088e5bb7701e36570bc51d376b249597f030e597a84fc61756b0c17043109b035592c2f6355ed8072f5e8d4c155c4f119e07a67062887d1d5601fcfba1195c8230e69de048544e7153108815f9b64d21dafb1c9f5865887d4bb11e1d4dcae48c91240adf033391e1822c849f38a0a29955e653d069ff4d222ae08c14a8d024d64ef1060e52490cf0377b6a7f957e61764aaf155669c8ef46795f92e931c6bccb0b0125f60d0c557c89e67c0bbd0c5a2569690603495ec1e653a39f3b574cb42df7d84989dd3c57df8420ff18f0210462e652a573251ce56b62b816c4257a2be69165c7209a2e12af189961cbe35b0b14d105cf9c8403021d98344a5372ba79ca588092e418519b8002a2a090bbb843f6adb13933439e422f3d6f0317f49b4c92eda47c065383cf4ba9390dabfd757e63e20aa4f2c5e369b05166f80785899e22a08d074e2535a64b814fc105b1b68e77565da771ac638558a611ea4c27ed209f52eed08e53041e1a5709403c3273ed21e3e714cf12448ae0d69fb10482628bc35b031642c0fdc0346e38cae9872308df9c5f1256da8d40db3a048e42ebafb041662e23affced6e7f32e2d70d0087306fb1237a937b90523dc3d4e3939ae06fcea703a6d5bbae8d99323b121e6de5cf578
1fdcd8604c632129b66e9693431e04982ef5803cd1ecc3b2fc6281de955fd5e5f28986ea298524d23fefcc2f30b97b3900e1dff4eb2629de4761f9564d3c3dfeea05c633ab1f689bfa8eb5acdbd97ec6d15c4577ca900b401c2fab73bf704f2833183f1903f2f35dfda0efeaf50cf51b352c3f3b970a6150bac63b27024c6ba7d53d49d3abd9e23e4af60b3e004969706b215188fe2bb911ec4495570bc8511cf378578dd1a1c74ca1979834cce7742b4a6de492eea4cba3e63ebc661d17329ca017479cb3d1a16356b336b03e3a538c63a3f5aaa28ff94ecc31987f838d08b3c82ce7b14846bb930510025d8e514c194bb037dc70c72d56a48731c333d7ac4b4fbd410d408d1b879bf50baee91bb1d48880c20cf11b76a8e06e57fe895a82bf99746c1cbbc64469bc1b059e3a621095f841ea57af815dc34a00ab9cf4d30001c9712665d0f98b64083b177e21901bab8382a39a091917aa9bec1dc7bd11f7d3e1289ea746215636c17871f3267de96584b521e1fa3ef47ce41a6f25aba64a05783ee47f6bb8d3f495500d56ceaef1e3a0f38edefd53da0c6853f1c6c24fa434840e558b6d212f90121db3df0bd4f73b54b3ed9fcad65c5aed7c476f9cb31594d5899a32d979b9e20376b715000f314b7d24f99af72899c65f671e522925bfc966dabecbe3081a5a5d610417519d8237a0d102180329ec3c2708d3298c506f7a9a88b15c251ed48741c4cf67ebe00d5c8cb3d950d943c40f043a9d7ddf671577c5bdee7ad10edf26e1c48d12e99d70e5a1c4642af393c972872cfb1e11315d22dda189a36cd35d9b01733a4993f1cd704c36dcd15eba9cbf252a21e5cb17183b886be2e00d3a32ce09328f60e5c1aa26c97155608419e4429943571752fc53ebef0baf5b672f01346ca0499fdf16df5af75823dfa595872b569eb65a930caddbe9673729ee55efc49b2df0dda031167590d976202b78614bcfcd91735f5afd2a5393dcf192be245a0bdd673c6c81de5ab104c5214d3ada64a84e9dc9616ba71678b6f8a564d956e4bc6aa52e9b92961aeab853bcf7ac1a069ee2b81fdfa2aa85aff86ee3c9ca769dd3bf4da010f08bb9e87f2b9000e0b2cac60e3aec7f2e8cbd63d4509d228ab71ab24afacba832f3791bcb68910ada4d9b588a4410aff25149028975bc71bf36ce82897a796f5d5a98e3057dfa7a8a3a021243467e11303d1d3d9d342d6e6a3238a420d90b018cfb90bc4a68e40b73d3133c613118cb6871339b359e0136d873905daee1817963824c3dd9634edcb4f24b35083d4e72ef28a8cc1dbe04d930f99f567e0cd7fabea8315e8d013042f6008bb0a8e5adefa814f79e2f70cc4171af32c431b0b7e148b071df7575d720973b08646b0312e2a6874689a58430ea112f6f
c4b5a56c78534f5809f785e6094ee5bf38be21676e4fd71a193033b0de273c2c1452c1c3e4c6de0f499d9839ba1625640a1b2eea532695613372b1f519bac2c6318d133aebb079f9e26d7f47b5cc410681d09d23f167fc5a43da874b9915249afc5c9195ae2229f21a14a178e66deb6dd765b306d9ded7e511945193194f118bc6e1ab326e2e8cc9c116ee1d6122793663319ea8721704c15eaac549e2ea9ac4e7b9841ab63c5e12f80f5081a4f04b0abd58bcf2c2c6965fedc77cc0222a4003ce7f51c130306f74ef98ff1cbf65e02ec98863d7ff02ea309d417d0e6a75c409be4019db6f99ceee78e39ff4d625b448761b4913b43524af7d7ec0dd0631cb97a8be0ad239c2017e9ead8529c6713c760e7b104869162f38cf4111644be90370dd298bc1a874b567e39f606f394f62fbe9b5c6111ed1f12193168f2af7ee60214171578b6c2181566608a3ff2fe42f7b04cf4674a682c6e2b0db02e4210ca10d7126ff38b68782e702a7978ee7a31bc37db46c714858a7d9fa88f86b435cfbbf2d1505d4075588b0543d246283cc09d789f1ce2a60faebf09e11a41098184d3b716e0d46eb6580208cb74bc0142075f35f2bca241d077560ac7dbbd240ebbedd9437c22c401d6f79656bc1f75a5c2c625714fd73016d4d9d0223c65d76e19e944f92936554eaa3a68b062588824d98f07aef58d533e0dd6a1406f4c6dd59b611e7679cc27736816288d0cd9d92088d00afe5fc7dc1527acd9c5cb25e5ac01092e40b530af711478db5c071546a4c74c429c2c77b69bd7c5397645ba1d0d872273daa6db759df53c0a718fdafb222e6d49c44843a31f3780b0bea398e005f53e430ba2bcec7f5ead0ea36c10c2306cbd9cb928e5d788da1ac27366875a623df30263f7851481657e16782b2a27168c105da4bff690a9cb6cc2306324e1d56823b649d3ca9eadae4ce5e0d6969dce92ecf0c0e81feaed7bfd3fb13f2d4e548cb724ff0b1685646f99f754df6a2302c498633573eabfb2802710dc70edb366be7f343f2476ba19e371ea3e041278ff01801c5de4b057c59bbf251404018631d1270a9ff0a0f0191f3d5797498a9b71854736a945a6f990d967f29f5a0ffc7e20c5b8001b73cbe20d75a668b6961b44aeeda1b57e3520de141e4cf32deebda2e562304339e3715389be537276931d78510f83286be11ec8e8ec14f67f603e18dca9f929726be0c337216b88113f00f4cd5526f40f294d4f72eaa120bab0cf536779903576436d22df5953b87a591b5092fc8e5fc5097233947fb07e6bdaa80e18a028721d76b9a8be32cc4c70552223cd1970abb11d33cb1cda59950e18a767df6aff5fb37488621bec27b9292ea88010c4926bc61f9c0fe20e4187da939ff2beb66ab492b45f183d856
be322992a7404361e5122cb8568d8ec53057f0d94fcd2b897fd315267afc7a38a99d105448d900619c7423271686f290433546d98565e5f8bb3cc0aa8cf8870bdaebfcfb4bf45453608d74b8aa0bcdd98e2cd8e04352df3e6cbebd384ca197cceaf4bb5139731ec1126d08d217e292bffc3bee368b9d96f85fdf5935587df107a20d05880c6e8e6a758f14e81077011e636adf6ec01fdfb96db24be9a62c74e47a9360055969fa916bcac2dde45e719cf99729766a27306d7353a3ba7686f9ef0405966fdd77c616470b6c196f0286ef16fe5505b1762102413679e9c91782b7ec6a6d04813257b2427458afd627cdd608d408391e67412278af0daa1018ef8876db102a92c031b5a2aab225d2b84ffb6ce07046e9398ba80f21bc07934b4becc299b1cdc27e9c379801c1c3fe3ac0755cac61f59d044b50525dec796e001677ee39d77705cefc294ff9d8cbc28f7984c2e9b7335723e79855b7e92646d11a61c9cf5468d06b54950ca7c42991f893e91d2b1d1e7e4bf3b8c02c7c0a640bb80c2484d5a55ee001019cba3ee242feed1b0d42fcdd7a18ba1e7c2ccbd318f7d17799dccc93a9bee9fb11410449daf8014417498f4a33af9d0ec4f9f1e8068033b8b452c8f10b8b2f62f431658048f5484956fa0977fd980758bd6dc9785ce1293f702afe545286d8804333cb5ed0f7c1a4b38777523b08db5b09a6bb3addcbbd095dae75cd424e30271ed94630d36803f77f2485a11c2cc2b8e78a164ca1c5d514c262429273bac0865320f4f8b950f0e54db424284bb91e8232df4a47e5bcfd4c17ef96f9f6a94d720cb457ad778ef43ee58773d6a2e125a7727b3fda4faae627c6fc7c6e73aa95dcaa72604fa3d5965ac9caa8a4260bf4d47821de3f261c214d762d8f55f77ead902ce343829166ac0b316b6e5b1b34d8bc3e6d64bbdac9fac806fa4e48c1ce6c1a9bf0e565ded6d15fa472bd1fe688ed56b9ce8940fb62c4ec48d29ab8bd4260bf7bddcc09caa9402fe4a299548ea2738f324d66bdfe3a0cea466c7215d68c028ce7d255e9ef6dff9caa4f99ce74324036328f2d717b55dc3c48239cc0cc359a3725dc849f894f58b6908714eff472aba37ab283ccb7dd5707fd15845328d23309b45393755f28b4fc031777f418a4cd11ccdd0ace104c08dd4faab8b56aa37b51068b8f107fb392f6201028b55137dbc6211a6e67b657176b0a05a20696d496d852249102829f96431837335597ff4294fe667a039aefc268f47b986b22c2338cd639e5cc79e6917df9e8132c6a42df0fee096cb192a7ee8a4508e2642a176e28b60729373b444ecda1ce2da57cb966c1d285173c36f9489b1f08db9d8b4b2dfa0e7de81b499f4bd21765f10904b10b30dbf7e8301572b564b4ca57e8349fa410
39712fa9aceb450a3d4339fc2e909a8eb9a3a56ed1b0d5996966e3437d6e2d518746d8f8697ca9f375d76dc06059446f2117b48b2fcd081d196988106b13e5afd4e042ccc20016adf2069d81fb303af0778dcbe05688682527017bca7ae1250055882bdbb5d1f0cc54c70cf3be35fe8507b1b65cec2cbce09495ed7af3816eea9f775b31dfba5e968f9fb6ce23598d8e52687142d867a468b55ad9b7106885a5b5f35f33548bd5001d18a3d4244144666c2081db896732a96d80d219c5b7c4ebb435a6d44086d6c411b8ef85455fbed093e5d168d2217c05ba1e2ca1401286013442c4bb01cd440255c7bd0199701f961bdcad1e376adcc20f96cbe887a24128242f8a7996b18de6d01325632d0d5bd27dae2d0a63a7a34c047b9bfbba9abb267f9f097435a3108a0c2686d9cc6ab4e7100097c45b3e58e2c610802b02d108b04cfd218f346ffcfccfa2be06b2ee9327ed4bae40f6cefa6d0a741c740e0dbd12c2cd77ab4e56150264b0cffffcbb27679f73099731921e38eff187c939587d14518c514fac44e35d77a975d1fdaf34e9ad2334131f26c24bbc13f2df90666341d1f5edd07b8d53b7703d4ef25bdd7a4272c0c17f7f6d5914bad5de0e77afa25af1eb30f18f1c6d52c996463351917de5f612ad6d3b57e1e0d9c3cf7659ec28110534f864087864844ced73b49082b77477be465faac436388dee32dfc3dd0cf5dff1991704c8e8d6aa22b3263b66b23f3180d11d21854bc2ffb2775f7a8b3601e9a6e5685eb265450a222118a5115c8dab86db406d8e4e2f82e7c41214ea54b355082bd153a7106048b72984dc0e01e4b8252d36f1e9c4a1b7179ae2a656fedc990cf54b2c4bd927b034604b04989c76c6782c496c23ef8e7958044d5e2a0caeae787b7303db8594005db1f8127dc7ae3c1617710ca451fcb6ffc9d0e5d34f19d9ffeff61325d4b4524995fe0fdb66dacf9de64458d3a28ab8fc07c9d370edcfda9e9c87416039adebb7c99c447624ba0cb8382d2e4c0cf1e8a70139c4c08c1d5d51548d2789fe71708081f2cfd76a8a897677c0cbacd129df1694941d26387d77d6f1aadb7fd4434121c267211843691651dd228e377256578c3c88ddf0426664e86511a3f8595d7bdf37ccaf396bc9e7cb0fc789cac81f6326c3612b3b2290d07041dd0da180a3f74ff96d82348060900216534c3069100704afb1372d36260432aec3f88fd0a4c4ec7ab7f002397c8ac60758f2df97dda34c302ad5bfcf0c15dfec61fc7cadfba50021d0a813012caf464cd6a16cce4ba49078c4c92b3e049b6d955bd0f99121af65067cbf88fb2c557840e6b50d92ef387ebd93fbbcee39a83749249a6de6174b88ec04850ad88d42e425de196fa9299f637102e4b19a86365df7d462019974
ab6e790ee909ba3930916473a3e9d5aa856350126933193c807746e34e2f5451672e08e0718778ab3e3946611834948f192f204a06c363355457535c3eeb8a3bfc9dcf9e2a5bd648891255907995e923114b5581a8d74a60fed02f184ffe5f14fce6eb63f3d2bfaa4f16dffca143ea0e922a1fcd3a9f3a506239191b1c25071332ca3adb17e95c77b6e55fc0494442d0574c3bf54326042313602e661b5824920fc454e54c224d7a92e11059e04aac30e3691246cafcd66624cb17907db1dd0702de2554d2db0fe639b8a49735a59b58393a57acd3be6584394ac36d328e354323a8b9c23c9833b4a1d480b55889ec6f6f4fc64a2e91a98705ce5739a9aef3b977515b9370bc5fc69c5ddef488c40e5064653f6ed2381384292087879988ae37f41b515ffdc01de8da66cb9fc6f0ba1d5d6ef7ec616f575349dac097d141d27036e2bb74b02b7d6fed9c7481a84bdd72e2fdd7946eb6793399ed9f7d2a780769b3933e25691351d3d766a0fab511283e2b818af89a2c40277130c1ab6c85872b20548140d57e0840a23f5ba7428e8b6e9f7f5318cb5a5fc1601c06f3c892a1cebf9f08eb2eaeeffbee2337b820e36797c8d33570106eb31deae4ce2e0b70ee9370dcd6a48b4b6d66684b2e53d0e6c1d41bb28f6c7219010418d88c9d17065a6044b3e247af1d2ae04a40a3b64cca6be89f53c39f81fb9449849e368d220675916f81206e5d3fbe58dd4294f89667eaa849f02624ceaec0eb2431a9bfee29e5adc57") r23 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000014f40)={0x0, &(0x7f0000014ac0)=[@nested_amd_invlpga={0x17d, 0x20, {0x25000, 0x5591}}, @cpuid={0x64, 0x18, {0x8, 0x57}}, @nested_create_vm={0x12d, 0x18, 0x3}, @cpuid={0x64, 0x18, {0x0, 0x2}}, @in_dx={0x69, 0x20, {0xc003, 0x1}}, @cpuid={0x64, 0x18, {0x10, 0xc}}, @nested_create_vm={0x12d, 0x18}, @nested_load_code={0x12e, 0x7e, {0x1, "362e363e66430f57a90098000066baf80cb8288fc686ef66bafc0cedb971030000b8c7000000ba000000000f30420f01c866b878000f00d0400f01c566ba430066ed401d03000000c744240000000000c7442402493a5664c7442406000000000f011c240f32"}}, @cpuid={0x64, 0x18, {0xf, 0x4}}, @nested_load_code={0x12e, 0x60, {0x0, "c421f8107af00fe7649a4f47fb0f01ca460f08b9800000c00f3235008000000f300f01cb400f01cbc74424008d000000c744240207000000c7442406000000000f011c240f524b00"}}, @uexit={0x0, 0x18, 0x2}, @nested_create_vm={0x12d, 0x18, 0x3}, @nested_amd_clgi={0x17f, 0x10}, 
@uexit={0x0, 0x18, 0x4}, @nested_vmlaunch={0x12f, 0x18, 0x2}, @nested_load_code={0x12e, 0x56, {0x3, "0f01df0fa866baf80cb882caa98fef66bafc0c66ed670f01ca0ffdca460f01b3904e000066ba200066b8b7ea66ef0f0132c4e161eb5800b9810500000f32"}}, @nested_amd_inject_event={0x180, 0x38, {0x1, 0x17, 0x4, 0x4}}, @nested_amd_vmsave={0x183, 0x18, 0x3}, @wrmsr={0x65, 0x20, {0x32c, 0x10}}, @wr_drn={0x68, 0x20, {0x7, 0x2}}, @code={0xa, 0x56, {"f341af66b83e008ed0c4e13573fae7660f74a60000000047dbc1450f0866410f3882941f0e5839ba470f795500c4015651af4104000066baf80cb8e27ff48def66bafc0cec"}}, @nested_create_vm={0x12d, 0x18, 0x3}, @enable_nested={0x12c, 0x18}, @nested_load_code={0x12e, 0x6f, {0x3, "f3410f221766baf80cb8618ea184ef66bafc0cb000ee36640f2139c46241403266ba430066b80b0066ef66ba4300ec400f23383e0fc732c7442400ac000000c7442402907c03e6ff2c24b805000000b9970000000f01d9"}}, @in_dx={0x69, 0x20, {0xc3e5, 0x2}}, @set_irq_handler={0xc8, 0x20, {0xa1, 0x2}}, @wrmsr={0x65, 0x20, {0x12f, 0x2}}, @enable_nested={0x12c, 0x18}], 0x471}) r24 = mmap$KVM_VCPU(&(0x7f0000fff000/0x1000)=nil, 0x0, 0x1000008, 0x2, r23, 0x0) syz_kvm_assert_syzos_kvm_exit$x86(r24, 0x2) syz_kvm_assert_syzos_uexit$x86(r20, r24, 0x10) syz_kvm_setup_cpu$ppc64(r20, r5, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000015140)=[{0x0, 
&(0x7f0000014f80)="04eaa0ef0000603c0000636004006378000063640401636014c2803cd1c0846004008478830a8464be018460273ba03c003ca5600400a5782772a5649d4fa5607c62c03cdfa5c6600400c6787811c66430b5c660f2d6e03caccae7600400e7785198e764fb3be760020000440000e03f0000ff630400ff7b0000ff670048ff63607bff1b0000603c000063600400637800006364fcf463607609803c6cdf8460040084787cb584645d858460f3c8a03c8498a5600400a578a16ba5647c44a560020000440000203e000031620400317a00003166980031620000403f00005a6304005a7b00005a67e5135a63aafef97d0000803c00008460040084780000846400808460dc39007c0000403d00004a6104004a7900004a6571994a61a75fc07f0000603c00006360040063780000636408ef636009c6803c1c64846004008478b4f7846466cc84600380a03c458fa5600400a578cf35a5647597a560ae5ac03c1931c6600400c678a96dc6646f30c660220000440000003c000000600400007800000064120000602401007c0000e03f0100ff630400ff7b0000ff670000ff63a7ffa07e", 0x1a4}], 0x1, 0x0, &(0x7f0000015180)=[@featur2={0x1, 0x1}], 0x1) syz_kvm_setup_syzos_vm$x86(r5, &(0x7f0000c00000/0x400000)=nil) syz_memcpy_off$IO_URING_METADATA_FLAGS(r21, 0x114, &(0x7f00000151c0)=0x1, 0x0, 0x4) ioctl$NS_GET_OWNER_UID(r5, 0xb704, &(0x7f0000015280)=0x0) syz_mount_image$adfs(&(0x7f0000015200), &(0x7f0000015240)='./file0\x00', 0x40884, &(0x7f00000152c0)={[{@gid={'gid', 0x3d, r16}}, {@uid={'uid', 0x3d, r17}}, {@uid={'uid', 0x3d, r13}}, {@othmask={'othmask', 0x3d, 0x7}}, {@ftsuffix={'ftsuffix', 0x3d, 0x100}}, {@othmask={'othmask', 0x3d, 0x8}}], [{@fowner_lt={'fowner<', r25}}, {@func={'func', 0x3d, 'FIRMWARE_CHECK'}}, {@smackfsdef={'smackfsdef', 0x3d, '\x00'}}, {@hash}]}, 0x0, 0x1c, &(0x7f00000153c0)="$eJxqm+Dw14DJSO1/e8m97d/2AAIAAP//OKcIHw==") syz_open_dev$I2C(&(0x7f0000015400), 0xe, 0x420200) syz_open_procfs(r18, &(0x7f0000015440)='net/mcfilter6\x00') syz_open_pts(0xffffffffffffffff, 0x0) syz_pidfd_open(r8, 0x0) r26 = pkey_alloc(0x0, 0x1) syz_pkey_set(r26, 0x2) syz_read_part_table(0x53, 
&(0x7f0000015480)="$eJwAQwC8/xqlOy2XIlZYZGJIETVblKDS140J0glR3zwsGkmIykjUUmHMRz5PZfZ25OmzjN5Kq6BcIOpvN6UpQpfiwqdtflUtytgBAAD//9ZjH6U=") syz_socket_connect_nvme_tcp() r27 = syz_usb_connect(0x1, 0xd9f, &(0x7f0000015500)={{0x12, 0x1, 0x310, 0x99, 0x45, 0xdf, 0xff, 0x19d2, 0xfff8, 0xcd35, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd8d, 0x4, 0xc, 0xd4, 0xb0, 0x8, "", [{{0x9, 0x4, 0x5, 0xe, 0x6, 0xff, 0xff, 0xff, 0x5, [@uac_as={[@format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x82, 0x97, 0x9, 0x9}, @as_header={0x7, 0x24, 0x1, 0x91, 0x10, 0x1}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x64, 0x5, 0x5, 0x9}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x9, 0x1, 0x1, 0x18}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x5, 0x100, 0x0, 0x1f}, @format_type_ii_ext={0xa, 0x24, 0x2, 0x2, 0x200, 0x2, 0x6, 0x6}]}, @uac_as={[@format_type_i_ext={0x9, 0x24, 0x2, 0x1, 0x0, 0x9, 0x4, 0x1, 0xdc}, @format_type_ii_discrete={0xb, 0x24, 0x2, 0x2, 0x5, 0x9, 0x6, "42e9"}, @format_type_ii_discrete={0x12, 0x24, 0x2, 0x2, 0x2, 0xaecb, 0x0, "e0ff89cc39b242b2b0"}, @as_header={0x7, 0x24, 0x1, 0xc, 0x2, 0x2}]}], [{{0x9, 0x5, 0x1, 0x1d, 0x20, 0x5, 0x9, 0xf}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x5, 0x7, 0x1, [@generic={0x49, 0x1, "bedbdc40b657915aeea36befa743bbf476bbcc3a55777437fd0c0862a5591f0b8091626c6564a62b6995d0b1ac34995d442de50d21f30da08f64d3bb0e86086e62968216d8cbfe"}, @generic={0xc, 0xe, "1cca42d0d4c12478dbc7"}]}}, {{0x9, 0x5, 0xc, 0xd, 0x10, 0x4, 0xef, 0xd}}, {{0x9, 0x5, 0x0, 0x2, 0x40, 0x1, 0x92, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0xf, 0x9}, @generic={0x9c, 0x24, "9462e78d67a7938309f893388b585f99ed3cae5aeb241e37eacc73fb040b917d697587fd8885dcc892bfee22871988c70188e9e84546a796e56ea48370dfca689aaa0ffd0841c7e28cbcecbc3beeb254d902498dde373f5e920932acdf3222a561174a85ce36d5f5c709829a0429f48de3266211e3532235cacb3a64fff3e30182cd027ea660bce24cc197bf358f77953c964de4530416907fa1"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x400, 0x4, 0x0, 0x6}}, {{0x9, 0x5, 0x1f, 0xc, 0x20, 0x8, 0x80, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x40, 0xfff}, 
@generic={0x4a, 0x9, "13df6f0c723d233880c0869f46c9399e148ef0d987297635b6bf6f369cbf8f07b34b9376ff57dcbdf27465eb5153fb8dd7ca2fab2737dd515edef1c966915e0676db831f2b918d82"}]}}]}}, {{0x9, 0x4, 0xe4, 0xb, 0xd, 0xff, 0xde, 0x55, 0x3, [@uac_control={{0xa, 0x24, 0x1, 0x3, 0xa}}], [{{0x9, 0x5, 0x1, 0x3, 0x20, 0x1, 0x66, 0x7, [@generic={0x8c, 0x23, "c344bd7f690e1122d6524ccd0257c1185e61c3ab3ccb366ef9037a58035418728d9aab96717e220d7220fb964b7e928d75ef45859131159097fa85b2d24eeb7fc590e048eb1ba830ac343bfd9a3c32dfc93fadcb90f93a63c737834f5e2d4e7368e02ec5f2106bef935e5e74c3e7d2d3d16ebffa13a829499da442f01726d07a338feb612c3b6e5193b8"}]}}, {{0x9, 0x5, 0x1, 0xc, 0x10, 0x6, 0x73, 0x2}}, {{0x9, 0x5, 0xe, 0x1, 0x40, 0x0, 0x0, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x8, 0x9df1}, @uac_iso={0x7, 0x25, 0x1, 0x4, 0x3, 0x84}]}}, {{0x9, 0x5, 0x7, 0x10, 0x8, 0xd, 0x6, 0x6, [@generic={0x9c, 0x11, "61c2c581bcf0dc3a09ec5465d8b39593b51cb568ad67bf219f28a637f8b8f3aae7b6cf31069da551c5d90a297ab0cfeda543a0f762c8185babc43a4c9bb3b095c0ee1396f8b1fd6219b31613b7560d309f173c80673fb08529fc8f175291f99856af198cf47a32c76df6be449493e5a66eb4664b84226ca1e2c8f2029ade7d75316b104a3480fbf7d4509d748c36f659f8f52743fd077fc7df42"}, @generic={0x4e, 0x4, "57fad147fa12cd27896e4e92ba1ad4058c8d43ec2150d8732fc5ae105a174ed83942dcb79a05b10fd4957dbc1ac027a2df5728b2b2bb9b5bc51f9a8c88e9fa851138c7cdd7626641911cbe0c"}]}}, {{0x9, 0x5, 0x0, 0xc, 0x8, 0x8, 0x20, 0xc, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x101}, @uac_iso={0x7, 0x25, 0x1, 0x8, 0xfd, 0x2}]}}, {{0x9, 0x5, 0xb, 0xc, 0x10, 0xf0, 0x3, 0x9}}, {{0x9, 0x5, 0x2, 0x2, 0x7b7, 0x9, 0x2, 0x78, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x2, 0x6e8}]}}, {{0x9, 0x5, 0xe, 0x0, 0x8, 0xb6, 0x47, 0x1, [@generic={0xea, 0xd, 
"d7eef8adff593fef601257eb29f1123c0f04cf50d2f065a52ab835d40454ac46b6638738e9753c66062b76d457d6b363f7b7634feaac719c3e900cceb8d969210b573a62d4516498d598a61e6fa5bbd0fd386f9f1d7afef4ddbe39495d6e555d24555bf1bffe21fc472ab2a8d5d0f8a611ab5a46ae9b23bb6a6b363946dafbb2e741d34fe456f5816332d72d435fbd1fae4763325dac58c2de0a67277e2d74fef5d8ba6de17c31d5c7fb01a13d3bf00c3113416b72b3e2e0b80b4ab9cda77d2de3ed368fab4841fd62acf66e432121b5f5d7c8c036660d7a351033155e3eef2ff20f2aed8241d176"}]}}, {{0x9, 0x5, 0xe, 0x3, 0x200, 0xff, 0x62, 0x5, [@generic={0x55, 0x23, "d522b56c6dde6a698a23e10e4fc0798f87c946fa2848c717a9a33138fdb3475793c1b4d1722b3bcc36384d2589a27e5f22b289727e23f039ffdf2ab25da62c092ed01cb151b0ad8ba7758c32abd07f79514eba"}, @generic={0x96, 0x8, "70f4e5b83374f7b0de44ec45105ac31402140e176214641e3797ba0aea4013e3e7c2871f78528a256a2249dcad684fd577a428a14f446ce9d7de49364aa163c68dd1e4e20c0aa98a263547f07dae9c3e45ffec5bdccfb90b1ad9054da62866626bfbc394a1e9aec6b300420a6167e6e6ef4396dffb6bfc18d3b2537789270423867535f75b1454cc3b8a6aef5b65b9774139adcf"}]}}, {{0x9, 0x5, 0xc, 0x10, 0x20, 0x8, 0x1, 0x8}}, {{0x9, 0x5, 0xd, 0x10, 0x400, 0x3, 0x6d, 0x7, [@generic={0x85, 0xe, "1a54b4a07976e16cec507f7cfe00c93599f9fdefaf8bf86cb9ae60f5e7426c78b3e01cc8cab0aaf09debbacd785c9de3bb89551d0a241f2d65830f5364754991feead87fe8c8b928ac16853ae959eac27b59ccc86d22442ca629d120b1a09cf14184a9c4873f74ae748201f5f4e649e3724c7ddb89f458472b285f9c10ea40393f3060"}]}}, {{0x9, 0x5, 0x9, 0x0, 0x8, 0xa, 0x7, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x4, 0x4fb3}]}}, {{0x9, 0x5, 0x7, 0x10, 0x3ff, 0x1, 0x88, 0x6}}]}}, {{0x9, 0x4, 0x10, 0x8, 0x10, 0xff, 0x5d, 0x81, 0x3, [@generic={0xb7, 0x0, 
"bea8fdb50e624b763ddddaf5ed85d8170ca858cf74ac678eb54d2045e5fbb2772140e2cf1895cb693a914ffb891cd2c90d4827bcd34359d70107462ead889a6e4ed6968935a81a147ac0ccc81c38d62d6a84cf504552ec37d609b5475018bda124c09ea9f21303865fe464abc38cd84ae42de33e4691127e2b8553837d58cda51f11a05a1538ecff55e90f34a1c566c234c006d00b50b4b29e49b8d090f5a274ae37e03e49682c44c2b1d9db62f63233f9670cb2ac"}], [{{0x9, 0x5, 0xc, 0x10, 0x40, 0x9, 0x8, 0x2}}, {{0x9, 0x5, 0x6, 0x2, 0x8, 0x3, 0x18, 0x1c, [@generic={0xf6, 0xc, "d7729711236eb7896991e6ffe3dd7622e96e2e7d1760ab6452472bbac1d06861d9d49e4100606a227d342c6175945ade9cc3f46ec4627f92caa5d73227fae7a360d25fac9e5744073f0c054c9a5b8258dd279b736876584b904d943b23c26d9e6bc2dd3b98f36244158c760f0bf975029142b3f58bb63ec376d7f5d9611820d380efd7de6163ac8dc27144e21d92c93ffecc2d8c7b3bc5ead181863cd96a0abf2889eb10b687913fa8214b89de11f52b7d1936ad9c1c45da86a15e86b6c9060291d85b48ebc2344db8ad8cc52f79d4f0377a893b3da61cfc1513d2ba9536d6190de886a2d18ff8ab1f463f15471d7f96dc92d0ac"}]}}, {{0x9, 0x5, 0x7, 0x4, 0x20, 0x9, 0x2, 0x37}}, {{0x9, 0x5, 0xf, 0x12, 0x8, 0xd, 0x6, 0xf, [@generic={0x40, 0x5, "71afb2617a61e75529dde0f32fa6ca4b857a84b3120b936168642c34048f292fc27a3a8f1f74580cdc36e9a40b4ff692f13224b914a89fb73085793a5c22"}]}}, {{0x9, 0x5, 0xd, 0xc, 0x36fb25d4600df5f1, 0x4, 0x1, 0x0, [@generic={0x50, 0x3, "17ffd473ba28c360591f571dc60f1324d4a34ab8d9d3c0686c13a61bda2464e1635423ebf4ed34037bab62fd30a8dd0a89f1bcbff3af4f0c989ddb6f03760ae76f63ffdcbfbbfee9a135257314aa"}]}}, {{0x9, 0x5, 0x6, 0x0, 0x8, 0x2d, 0x10, 0xba}}, {{0x9, 0x5, 0xe, 0x0, 0x10, 0x8, 0x7, 0xac}}, {{0x9, 0x5, 0xa, 0x8, 0x20, 0x9, 0x7c, 0x1, [@uac_iso={0x7, 0x25, 0x1, 0x8, 0x9, 0x4}]}}, {{0x9, 0x5, 0xb, 0x10, 0x3ff, 0x1, 0x4, 0xbd}}, {{0x9, 0x5, 0x7, 0x3, 0x20, 0x6, 0xf, 0xe}}, {{0x9, 0x5, 0xd, 0x10, 0x7f7, 0x4, 0x1c, 0x1}}, {{0x9, 0x5, 0x0, 0x0, 0xaead6ee2ff2b5f33, 0x40, 0x6, 0x81, [@generic={0x54, 0x9, 
"22a03d117edd7ff802cdb509b49cf07b1884a5d06a2872ffdd1f6a974c0574871d68b2fd80b9dde557da7eec4d7f2778a5c3a4bbef519d158a59f152fe19f598e43360f8a24aa973c56f46c4a68a273a1fc4"}]}}, {{0x9, 0x5, 0xf, 0x10, 0x8, 0x5, 0x38, 0x1}}, {{0x9, 0x5, 0x4, 0x10, 0x10, 0x4, 0x2, 0x7, [@generic={0xda, 0x26, "32162d9cffd7548ddc1524c6651fa112cb8399eb7daa746af4a3f458159bd8a487dade3217ae3224615d50ba5643301952fdd082ab52f64eb38bddcf02b06728a3bf4f73d3b780a3a5804bad04ecc22787690f67257674f728b10231ba2db83cb4eb841e5523eb43f3482d3ec33cb8187b87aa08a21e94e0394a1ee8d8f0cc088910aba4dbe5feefc245380ff1443e3a97bd4d5addd01f1126d4b70abcbbe140716a1c66dac61f66514fcebe67647b43bbd8e848333ff9957ebaace9d057b627a667e6f51daeac302b2129c26d415bc9a2ee7495b331b7da"}, @uac_iso={0x7, 0x25, 0x1, 0x0, 0x7, 0x1}]}}, {{0x9, 0x5, 0x3, 0x1, 0x40, 0x8, 0x7, 0x5}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0xfe, 0x0, 0xd, [@generic={0xe1, 0x24, "66c968f67f56d0ab89d6819c67d1d6c215d2f3cf615b37028db269d93608cdf0704118e0ddbf97166c27afb51a132cd70f0fa3b7ad5ee3a441027a74122781ab0f1ce5fe7bd1153c8ffccd3ef109213f20d2bafd0e331abc5cd1fb54809a06c8fa60a9f0fc8e113f318c3a7f7bc6fabe193094ec493d246cbd702bf019796a8872b3c40234d8e90731b2dff88a1f0c4f1786a190eb16651e3ac45edb14d9fb898644bed61576bd7a9fd90c5217217f6b9aed19d4a22bff482d058e603d2a0cdc48b1b271b79b1e25d7fe6bb820506e48579a78af99e7e9429bcd4b07bc0134"}, @generic={0x40, 0x5, "8f82cc05df67734141e356e936a6e0a7247ac23b30900c5fc4148a14990b5004686de6cace04ade350f04a3d078c3910f7dba492af85da649432e26a7854"}]}}]}}, {{0x9, 0x4, 0x88, 0x1, 0x8, 0xeb, 0x43, 0x23, 0x4, [], [{{0x9, 0x5, 0xc, 0x0, 0x40, 0x8, 0x8, 0x5}}, {{0x9, 0x5, 0x0, 0x10, 0x20, 0x9a, 0x5f, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x81, 0x4}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xf9, 0x2}]}}, {{0x9, 0x5, 0xb, 0x10, 0x40, 0x7, 0x1, 0x2, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x6, 0x1}, @uac_iso={0x7, 0x25, 0x1, 0xc, 0xd, 0x103}]}}, {{0x9, 0x5, 0xb, 0xc, 0x3ff, 0xa9, 0x1, 0x6, [@generic={0xfb, 0x2c, 
"df60d233063867e638f4ac474e685fef8f861557d0a31566d58bde1f04a113f6cb64c96056a81685a6dfa2978a60c2d94e450f6675e38b44c96bfbff6c5f3746609346497483dfc8ac2127362cdbdaa0253951a182272183f456aae2bd12b292c609e8e14b4f8c1853e0d87e0c3179c8be7b0730721bb30159040826f093510ce022587691627b236a66215620418df334d28d1d14f0ca3b9f4fcff06ba249dd19508198503a2c2cd4f3abdadbd4f1ace4e627bec97299a00228e09c064e5f342e00d8c8f2d5b1fb56485e736a87dcfe510c218632729122a4eb5d5b5d81df8be58527183e48f760b85c599f8813f89d706af7b22f77d68dc1"}, @generic={0x6b, 0x4, "07ece06586e01505f126e0db2ed1ac18b57549f080d741f38b0ccec6ba034d096429405619d01af435c8092be0e9c4a93c1b647e7c7f14f05efff305d2b85d51fedff750b87e5990d028fd338645029bd9ed95e00305acce8b899a786dbf30895be03148a7a1e3bf25"}]}}, {{0x9, 0x5, 0x6, 0x8, 0x400, 0x3, 0x5, 0xff}}, {{0x9, 0x5, 0xa, 0x10, 0x200, 0x6, 0x14, 0x6, [@uac_iso={0x7, 0x25, 0x1, 0xc, 0x9, 0x4}]}}, {{0x9, 0x5, 0x5, 0x8, 0x210, 0xe8, 0x5, 0x3}}, {{0x9, 0x5, 0xa, 0x8, 0x10, 0x64, 0x8, 0xe, [@uac_iso={0x7, 0x25, 0x1, 0x4, 0x5, 0x2}]}}]}}]}}]}}, &(0x7f0000016780)={0xa, &(0x7f00000162c0)={0xa, 0x6, 0x201, 0x3, 0x8, 0xff, 0x20, 0x10}, 0x28, &(0x7f0000016300)={0x5, 0xf, 0x28, 0x4, [@wireless={0xb, 0x10, 0x1, 0xc, 0x1, 0x7, 0x7, 0x6, 0xff}, @ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x2, 0x61, 0xff, 0xf, 0x6, 0x5}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x1, 0x3, 0xb, 0x100}]}, 0x7, [{0x4, &(0x7f0000016340)=@lang_id={0x4, 0x3, 0x457}}, {0xff, &(0x7f0000016380)=@string={0xff, 0x3, "85a764d829532917b6647a68a249b252f01a99f88767a2e9f13aeefab39cf6a405497e3244294b1bd485c0ec99338640a508fabbf11e0fd6a03bcc9cebaf83037aa77397cbdf0911c8dfb842f62f94766aa445925773c4f7c6701be8a05673afe95cf19c279ac62fd2720ed2dae689371c5151bf6b9e7727f8f497091c3aaa902f81e44c5173acf22152fcbc4d72a75e9ab4badc6788b2fdbb7e34b202e0e71feb1cc9b1ca791e92374cfc63cc7db5648591778bfc1948f9dad9b7fe74a588ddc9ad499993062666b3e0df0acaa67802ad37a86fcb411a2230bdd43fe8610f29c15179bf429f81876ee90b7d35a2263f91eb8d3c7c87c46600b45282ee"}}, {0x4, 
&(0x7f0000016480)=@lang_id={0x4, 0x3, 0x8406}}, {0x49, &(0x7f00000164c0)=@string={0x49, 0x3, "cb9d5f1c5fbc9474d59ffa54a92ba7aff97b2f65abf48aad8e2b09b60a5dc2744b250fe7529097bfbb2bcf99d0548a034fb7aecaf8dd808495be132e1b8c84abe53375dcf540d5"}}, {0x4, &(0x7f0000016540)=@lang_id={0x4, 0x3, 0x407}}, {0x102, &(0x7f0000016580)=@string={0x102, 0x3, "04ddeb57b5072b0dc9dc624cf2792daac535b02570dbb701e1db0e6c25d680f07b517f6582125baa7a7849eb0b11130e0024efe8a1c951363bf47a68fb5bd9acf185aea1627381f50343cb4bb8d7175131f2ae52a842db753904d3051a0ab082608560e8ac66b87dddbb9fa3514a31e5595170e3d21c018b37855992a2a4b348de99469b63f5438e240e23cfe0a26d30a91d953691d741b9d5d85dab27d40da71fc9d8677b0dc3e1d6060d0d98a71300d374e7bd550f6a57b6fcd444313f37367f5b55c20f1a2d44861e8a1a36bcdc769ffc146bb71ab5846dcb8231247f1636483dabb710d074fd2b8018d4c356d1825bb17bf96327e96ee867583243e8254e"}}, {0x9e, &(0x7f00000166c0)=@string={0x9e, 0x3, "ef2a4e829a0f6cdb32a449bba1d48f5dfe865e51f2287e2177391a43f9bbf1ca78d573f200eae40c60a21ddc2ad482df2a85f27559815bb4ebca560530b86553450ee38eaeb8712f6b77c14d47f85d8bbf641e1d9e09fa1e2be5e92c187ce56ef9949ae1d87cfbfe0ea1ba9f9b2ff0182d4b05ce506891c5a347ee33ccf9ce7d86d7ddf2bf38574d21d9654bbe80658680bef5589e2db6072d9fd0fd"}}]}) r28 = syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000016800)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) syz_usb_control_io(r28, &(0x7f0000016b40)={0x2c, &(0x7f0000016880)={0x20, 0xb, 0xc8, {0xc8, 0x21, "01f48fe831d8d1992472173ea819a3a2ade96121341354e85ca198ec1fcf8590c939f727aa0e85856b357c23bc068f24a22cc6b71bd4add3ae66955e3ceb2a8f155c4feaf36d9c4802968a53b086a4a50dc35475e75c1851e7d408540774e8982191e50606991f3f33fa708ef6a94041511098b0267e737b9f399fad65b7cc2efa80eafc734bd5ab1fdc3decc026fa7675ef45a1d17ffe1c0b1e00b10273d7c57d183c74a3d9b1471322b59a98cebd12d16c2834b226cecaeaf960e3d90776c23923eae68d1e"}}, &(0x7f0000016980)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x280a}}, &(0x7f00000169c0)={0x0, 0xf, 0xc8, 
{0x5, 0xf, 0xc8, 0x5, [@ssp_cap={0x14, 0x10, 0xa, 0x3, 0x2, 0x9, 0xf, 0x0, [0xc0cf, 0xf]}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0x30ec, 0xf0f, 0x82, [0xc00f]}, @ext_cap={0x7, 0x10, 0x2, 0x0, 0xb, 0x8, 0xf}, @generic={0x8d, 0x10, 0xa, "422d46fc73f84b4dd0c3d24d79f270975a978d736a0aa3e586ae4e9a232483cf25269718cbb9df730362ce6b7cf0e3d10079c328ee2be8f5ffc242a07e20f7c3db607c73e2cac82f1c73c8fcaceb151e2022fe0c73ad6619a4dace08659699ed7660d45202749cda47dfa1e0db87664d1eff73f0606d30b778cb8808dfa6b24cc18add579f29e81b12e3"}, @wireless={0xb, 0x10, 0x1, 0x2, 0x48, 0x6, 0xf2, 0x0, 0x2}]}}, &(0x7f0000016ac0)={0x20, 0x29, 0xf, {0xf, 0x29, 0x1, 0x3, 0xf6, 0x5, "d7db758c", "cb024e33"}}, &(0x7f0000016b00)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x2, 0x2, 0x80, 0x5, 0x7, 0x7, 0xff24}}}, &(0x7f0000016f40)={0x84, &(0x7f0000016b80)={0x20, 0x13, 0x2a, "b3644b33a496f2187a5863e64c407cecd2d6d13ae23ecf1c3c53f78ff217cff021e4718cea7fbe4c3ba3"}, 0xfffffffffffffffd, &(0x7f0000016bc0)={0x0, 0x8, 0x1, 0x6}, &(0x7f0000016c00)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000016c40)={0x20, 0x0, 0x4, {0x40, 0x20}}, &(0x7f0000016c80)={0x40, 0x7, 0x2, 0x2}, &(0x7f0000016cc0)={0x40, 0x9, 0x1, 0x3}, &(0x7f0000016d00)={0x40, 0xb, 0x2, '{*'}, &(0x7f0000016d40)={0x40, 0xf, 0x2, 0x9}, &(0x7f0000016d80)={0x40, 0x13, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, &(0x7f0000016dc0)={0x40, 0x17, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}}, &(0x7f0000016e00)={0x40, 0x19, 0x2, "1ac5"}, &(0x7f0000016e40)={0x40, 0x1a, 0x2, 0x100}, &(0x7f0000016e80)={0x40, 0x1c, 0x1, 0x7}, &(0x7f0000016ec0)={0x40, 0x1e, 0x1, 0xc8}, &(0x7f0000016f00)={0x40, 0x21, 0x1, 0x4f}}) syz_usb_disconnect(r27) syz_usb_ep_read(r27, 0x0, 0x4, &(0x7f0000017000)=""/4) syz_usb_ep_write(r28, 0x4, 0x9a, 
&(0x7f0000017040)="dd9c6225175b3c37dc1963b4d0f463d6e382d956edabd131d419ff0b343494a2c3c8bd5e321a506b68c9621ab544dc8bd17c2f62f3c56caecb3908a6430e4d9eafd02ca13dfdcc2d07c531313862ad4271ecb07f10143f48ff7e738a4a77623d0d4b8921084f7c7a9114220624e8f12287c7369f8b9193de6e3a67ff4bf7596fd6c107e477fc1df67c16fec951a212d960cd48e3a1758e8ec8e7") syz_usbip_server_init(0x3) csource_test.go:158: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_clone3 #define __NR_clone3 435 #endif #ifndef __NR_io_uring_setup #define __NR_io_uring_setup 425 #endif #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif #ifndef __NR_pidfd_getfd #define __NR_pidfd_getfd 438 #endif #ifndef __NR_pidfd_open #define __NR_pidfd_open 434 #endif #ifndef __NR_pkey_alloc #define __NR_pkey_alloc 330 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if 
(pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) 
{ char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct 
nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } const int kInitNetNsFd = 201; #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE { 0x08, 0x02, 0x11, 0x00, 0x00, 0x00} #define WIFI_IBSS_BSSID { 0x50, 0x50, 0x50, 0x50, 0x50, 0x50} #define WIFI_IBSS_SSID { 0x10, 0x10, 0x10, 0x10, 0x10, 0x10} #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, 
&ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send_ext(nlmsg, sock, 0, NULL, dofail); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex, bool dofail) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, dofail); close(sock); if (err) { return -1; } struct rtattr* attr 
= IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate, bool dofail) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex, dofail); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props, bool dofail) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC, dofail); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props, dofail); if (ret < 0) { return -1; } return 0; } static int runcmdline(char* cmdline) { int ret = system(cmdline); if (ret) { } return ret; } #define SIZEOF_IO_URING_SQE 64 #define SIZEOF_IO_URING_CQE 16 #define SQ_HEAD_OFFSET 0 #define SQ_TAIL_OFFSET 64 #define SQ_RING_MASK_OFFSET 256 #define SQ_RING_ENTRIES_OFFSET 264 #define SQ_FLAGS_OFFSET 276 #define SQ_DROPPED_OFFSET 272 #define CQ_HEAD_OFFSET 128 #define CQ_TAIL_OFFSET 192 #define CQ_RING_MASK_OFFSET 260 #define CQ_RING_ENTRIES_OFFSET 268 #define CQ_RING_OVERFLOW_OFFSET 284 #define CQ_FLAGS_OFFSET 280 #define CQ_CQES_OFFSET 320 struct io_uring_cqe { uint64_t user_data; uint32_t res; uint32_t flags; }; static long syz_io_uring_complete(volatile long a0) { char* ring_ptr = (char*)a0; uint32_t cq_ring_mask = *(uint32_t*)(ring_ptr + CQ_RING_MASK_OFFSET); uint32_t* cq_head_ptr = (uint32_t*)(ring_ptr + CQ_HEAD_OFFSET); uint32_t cq_head = *cq_head_ptr & cq_ring_mask; uint32_t cq_head_next = *cq_head_ptr + 1; char* cqe_src = ring_ptr + 
CQ_CQES_OFFSET + cq_head * SIZEOF_IO_URING_CQE; struct io_uring_cqe cqe; memcpy(&cqe, cqe_src, sizeof(cqe)); __atomic_store_n(cq_head_ptr, cq_head_next, __ATOMIC_RELEASE); return (cqe.user_data == 0x12345 || cqe.user_data == 0x23456) ? (long)cqe.res : (long)-1; } struct io_sqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t flags; uint32_t dropped; uint32_t array; uint32_t resv1; uint64_t resv2; }; struct io_cqring_offsets { uint32_t head; uint32_t tail; uint32_t ring_mask; uint32_t ring_entries; uint32_t overflow; uint32_t cqes; uint64_t resv[2]; }; struct io_uring_params { uint32_t sq_entries; uint32_t cq_entries; uint32_t flags; uint32_t sq_thread_cpu; uint32_t sq_thread_idle; uint32_t features; uint32_t resv[4]; struct io_sqring_offsets sq_off; struct io_cqring_offsets cq_off; }; #define IORING_OFF_SQ_RING 0 #define IORING_OFF_SQES 0x10000000ULL #define IORING_SETUP_SQE128 (1U << 10) #define IORING_SETUP_CQE32 (1U << 11) static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint32_t entries = (uint32_t)a0; struct io_uring_params* setup_params = (struct io_uring_params*)a1; void** ring_ptr_out = (void**)a2; void** sqes_ptr_out = (void**)a3; setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128); uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params); uint32_t sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32_t); uint32_t cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE; uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? 
sq_ring_sz : cq_ring_sz; *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING); uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE; *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES); uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out + setup_params->sq_off.array); for (uint32_t index = 0; index < entries; index++) array[index] = index; return fd_io_uring; } static long syz_io_uring_submit(volatile long a0, volatile long a1, volatile long a2) { char* ring_ptr = (char*)a0; char* sqes_ptr = (char*)a1; char* sqe = (char*)a2; uint32_t sq_ring_mask = *(uint32_t*)(ring_ptr + SQ_RING_MASK_OFFSET); uint32_t* sq_tail_ptr = (uint32_t*)(ring_ptr + SQ_TAIL_OFFSET); uint32_t sq_tail = *sq_tail_ptr & sq_ring_mask; char* sqe_dest = sqes_ptr + sq_tail * SIZEOF_IO_URING_SQE; memcpy(sqe_dest, sqe, SIZEOF_IO_URING_SQE); uint32_t sq_tail_next = *sq_tail_ptr + 1; __atomic_store_n(sq_tail_ptr, sq_tail_next, __ATOMIC_RELEASE); return 0; } #define VHCI_HC_PORTS 8 #define VHCI_PORTS (VHCI_HC_PORTS * 2) static long syz_usbip_server_init(volatile long a0) { static int port_alloc[2]; int speed = (int)a0; bool usb3 = (speed == USB_SPEED_SUPER); int socket_pair[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, socket_pair)) { return -1; } int client_fd = socket_pair[0]; int server_fd = socket_pair[1]; int available_port_num = __atomic_fetch_add(&port_alloc[usb3], 1, __ATOMIC_RELAXED); if (available_port_num > VHCI_HC_PORTS) { return -1; } int port_num = procid * VHCI_PORTS + usb3 * VHCI_HC_PORTS + available_port_num; char buffer[100]; sprintf(buffer, "%d %d %s %d", port_num, client_fd, "0", speed); write_file("/sys/devices/platform/vhci_hcd.0/attach", buffer); return server_fd; } #define BTF_MAGIC 0xeB9F struct btf_header { __u16 magic; __u8 version; __u8 flags; __u32 hdr_len; __u32 type_off; __u32 type_len; __u32 str_off; __u32 str_len; }; #define 
BTF_INFO_KIND(info) (((info) >> 24) & 0x0f) #define BTF_INFO_VLEN(info) ((info) & 0xffff) #define BTF_KIND_INT 1 #define BTF_KIND_ARRAY 3 #define BTF_KIND_STRUCT 4 #define BTF_KIND_UNION 5 #define BTF_KIND_ENUM 6 #define BTF_KIND_FUNC_PROTO 13 #define BTF_KIND_VAR 14 #define BTF_KIND_DATASEC 15 struct btf_type { __u32 name_off; __u32 info; union { __u32 size; __u32 type; }; }; struct btf_enum { __u32 name_off; __s32 val; }; struct btf_array { __u32 type; __u32 index_type; __u32 nelems; }; struct btf_member { __u32 name_off; __u32 type; __u32 offset; }; struct btf_param { __u32 name_off; __u32 type; }; struct btf_var { __u32 linkage; }; struct btf_var_secinfo { __u32 type; __u32 offset; __u32 size; }; #define VMLINUX_MAX_SUPPORT_SIZE (10 * 1024 * 1024) static char* read_btf_vmlinux() { static bool is_read = false; static char buf[VMLINUX_MAX_SUPPORT_SIZE]; if (is_read) return buf; int fd = open("/sys/kernel/btf/vmlinux", O_RDONLY); if (fd < 0) return NULL; unsigned long bytes_read = 0; for (;;) { ssize_t ret = read(fd, buf + bytes_read, VMLINUX_MAX_SUPPORT_SIZE - bytes_read); if (ret < 0 || bytes_read + ret == VMLINUX_MAX_SUPPORT_SIZE) return NULL; if (ret == 0) break; bytes_read += ret; } is_read = true; return buf; } static long syz_btf_id_by_name(volatile long a0) { char* target = (char*)a0; char* vmlinux = read_btf_vmlinux(); if (vmlinux == NULL) return -1; struct btf_header* btf_header = (struct btf_header*)vmlinux; if (btf_header->magic != BTF_MAGIC) return -1; char* btf_type_sec = vmlinux + btf_header->hdr_len + btf_header->type_off; char* btf_str_sec = vmlinux + btf_header->hdr_len + btf_header->str_off; unsigned int bytes_parsed = 0; long idx = 1; while (bytes_parsed < btf_header->type_len) { struct btf_type* btf_type = (struct btf_type*)(btf_type_sec + bytes_parsed); uint32_t kind = BTF_INFO_KIND(btf_type->info); uint32_t vlen = BTF_INFO_VLEN(btf_type->info); char* name = btf_str_sec + btf_type->name_off; if (strcmp(name, target) == 0) return idx; size_t 
skip; switch (kind) { case BTF_KIND_INT: skip = sizeof(uint32_t); break; case BTF_KIND_ENUM: skip = sizeof(struct btf_enum) * vlen; break; case BTF_KIND_ARRAY: skip = sizeof(struct btf_array); break; case BTF_KIND_STRUCT: case BTF_KIND_UNION: skip = sizeof(struct btf_member) * vlen; break; case BTF_KIND_FUNC_PROTO: skip = sizeof(struct btf_param) * vlen; break; case BTF_KIND_VAR: skip = sizeof(struct btf_var); break; case BTF_KIND_DATASEC: skip = sizeof(struct btf_var_secinfo) * vlen; break; default: skip = 0; } bytes_parsed += sizeof(struct btf_type) + skip; idx++; } return -1; } static long syz_memcpy_off(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4) { char* dest = (char*)a0; uint32_t dest_off = (uint32_t)a1; char* src = (char*)a2; uint32_t src_off = (uint32_t)a3; size_t n = (size_t)a4; return (long)memcpy(dest + dest_off, src + src_off, n); } static long syz_create_resource(volatile long val) { return val; } #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, 
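size_t length, struct usb_device_index* index)
{
	/*
	 * Index a raw descriptor blob. The blob is read as a device descriptor
	 * followed directly by a configuration descriptor; the walk below then
	 * records up to USB_MAX_IFACE_NUM interfaces and, for each interface, up
	 * to USB_MAX_EP_NUM endpoint descriptors.
	 *
	 * Returns false only when the blob is too short to hold the two leading
	 * descriptors; index is not modified in that case.
	 *
	 * Descriptor lengths and types are taken from the blob itself, so every
	 * read below is bounded by length rather than by what a descriptor claims.
	 */
	if (length < sizeof(*index->dev) + sizeof(*index->config))
		return false;
	memset(index, 0, sizeof(*index));
	index->dev = (struct usb_device_descriptor*)buffer;
	index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
	index->bDeviceClass = index->dev->bDeviceClass;
	index->bMaxPower = index->config->bMaxPower;
	index->config_length = length - sizeof(*index->dev);
	index->iface_cur = -1;
	size_t offset = 0;
	while (true) {
		/* Need at least the bLength and bDescriptorType bytes. */
		if (offset + 1 >= length)
			break;
		uint8_t desc_length = buffer[offset];
		uint8_t desc_type = buffer[offset + 1];
		/* A length of 2 or less would never advance past the header. */
		if (desc_length <= 2)
			break;
		if (offset + desc_length > length)
			break;
		size_t remaining = length - offset;
		/*
		 * The interface is viewed through a full-size struct and the pointer
		 * is kept in the index, so only accept it when the whole struct lies
		 * inside the blob. A descriptor whose bLength is shorter than the
		 * struct would otherwise let the field reads run past the buffer.
		 */
		if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM &&
		    remaining >= sizeof(struct usb_interface_descriptor)) {
			struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset);
			struct usb_iface_index* slot = &index->ifaces[index->ifaces_num];
			slot->iface = iface;
			slot->bInterfaceNumber = iface->bInterfaceNumber;
			slot->bAlternateSetting = iface->bAlternateSetting;
			slot->bInterfaceClass = iface->bInterfaceClass;
			index->ifaces_num++;
		}
		/* Endpoints are attached to the most recently indexed interface. */
		if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
			struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
			if (iface->eps_num < USB_MAX_EP_NUM) {
				/*
				 * Copy at most what is left in the blob; the tail of the
				 * destination stays zero from the memset above.
				 */
				size_t copy_len = sizeof(iface->eps[iface->eps_num].desc);
				if (copy_len > remaining)
					copy_len = remaining;
				memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, copy_len);
				iface->eps_num++;
			}
		}
		offset += desc_length;
	}
	return true;
}

/*
 * Claim the next slot of usb_devices for fd and fill it from the descriptor
 * blob. The fd is published with a release store only after parsing, which
 * pairs with the acquire load in lookup_usb_index(). Returns NULL when all
 * USB_MAX_FDS slots have been handed out or the blob is too short; a slot
 * number taken from the counter is not given back on failure.
 */
static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len)
{
	int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
	if (i >= USB_MAX_FDS)
		return NULL;
	if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
		return NULL;
	__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
	return &usb_devices[i].index;
}

/* One caller-supplied string descriptor: len bytes at str. */
struct vusb_connect_string_descriptor {
	uint32_t len;
	char* str;
} __attribute__((packed));

/*
 * Optional caller-supplied descriptors used while connecting: device
 * qualifier, BOS, and strs_len string descriptors.
 */
struct vusb_connect_descriptors {
	uint32_t qual_len;
	char* qual;
	uint32_t bos_len;
	char* bos;
	uint32_t strs_len;
	struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));

/* Fallback string descriptor; byte 0 is its own length. */
static const char default_string[] = {
    8, USB_DT_STRING,
    's', 0, 'y', 0, 'z', 0};

/* Fallback reply for string index 0; byte 0 is its own length. */
static const char default_lang_id[] = {
    4, USB_DT_STRING,
    0x09, 0x04};

/*
 * Choose the reply for an IN control request received while connecting.
 * Only standard GET_DESCRIPTOR requests are answered. On success the reply
 * is returned through response_data/response_length and the result is true;
 * false means there is nothing to send.
 *
 * descs may be NULL (the string case already allows for that), so the BOS
 * and device-qualifier cases check it before dereferencing. qual is scratch
 * storage used when a qualifier has to be synthesised from the device
 * descriptor.
 */
static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs,
				       const struct usb_ctrlrequest* ctrl,
				       struct usb_qualifier_descriptor* qual,
				       char** response_data, uint32_t* response_length)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	uint8_t str_idx;
	if (!index)
		return false;
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_GET_DESCRIPTOR:
			/* High byte of wValue is the descriptor type, low byte the index. */
			switch (ctrl->wValue >> 8) {
			case USB_DT_DEVICE:
				*response_data = (char*)index->dev;
				*response_length = sizeof(*index->dev);
				return true;
			case USB_DT_CONFIG:
				*response_data = (char*)index->config;
				*response_length = index->config_length;
				return true;
			case USB_DT_STRING:
				str_idx = (uint8_t)ctrl->wValue;
				if (descs && str_idx < descs->strs_len) {
					*response_data = descs->strs[str_idx].str;
					*response_length = descs->strs[str_idx].len;
					return true;
				}
				if (str_idx == 0) {
					*response_data = (char*)&default_lang_id[0];
					*response_length = default_lang_id[0];
					return true;
				}
				*response_data = (char*)&default_string[0];
				*response_length = default_string[0];
				return true;
			case USB_DT_BOS:
				/* No descriptor table means there is no BOS to report. */
				if (!descs)
					return false;
				*response_data = descs->bos;
				*response_length = descs->bos_len;
				return true;
			case USB_DT_DEVICE_QUALIFIER:
				if (!descs || !descs->qual) {
					/* Build a qualifier that mirrors the device descriptor. */
					qual->bLength = sizeof(*qual);
					qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
					qual->bcdUSB = index->dev->bcdUSB;
					qual->bDeviceClass = index->dev->bDeviceClass;
					qual->bDeviceSubClass = index->dev->bDeviceSubClass;
					qual->bDeviceProtocol = index->dev->bDeviceProtocol;
					qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
					qual->bNumConfigurations = index->dev->bNumConfigurations;
					qual->bRESERVED = 0;
					*response_data = (char*)qual;
					*response_length = sizeof(*qual);
					return true;
				}
				*response_data = descs->qual;
				*response_length = descs->qual_len;
				return true;
			default:
				break;
			}
			break;
		default:
			break;
		}
		break;
	default:
		break;
	}
	return false;
}

/*
 * Handler for OUT control requests during connect. Returns true when the
 * request should be acknowledged and sets *done once enumeration is finished.
 */
typedef bool (*lookup_connect_out_response_t)(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done);

/* Generic handler: connect is complete as soon as SET_CONFIGURATION arrives. */
static bool lookup_connect_response_out_generic(int fd, const struct vusb_connect_descriptors* descs,
						const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

#define ATH9K_FIRMWARE_DOWNLOAD 0x30
#define ATH9K_FIRMWARE_DOWNLOAD_COMP 0x31

/*
 * ath9k handler: SET_CONFIGURATION and the vendor firmware-download request
 * are acknowledged, and connect is complete only after the vendor
 * download-complete request.
 */
static bool lookup_connect_response_out_ath9k(int fd, const struct vusb_connect_descriptors* descs,
					      const struct usb_ctrlrequest* ctrl, bool* done)
{
	switch (ctrl->bRequestType & USB_TYPE_MASK) {
	case USB_TYPE_STANDARD:
		switch (ctrl->bRequest) {
		case USB_REQ_SET_CONFIGURATION:
			return true;
		default:
			break;
		}
		break;
	case USB_TYPE_VENDOR:
		switch (ctrl->bRequest) {
		case ATH9K_FIRMWARE_DOWNLOAD:
			return true;
		case ATH9K_FIRMWARE_DOWNLOAD_COMP:
			*done = true;
			return true;
		default:
			break;
		}
		break;
	}
	return false;
}

/* One canned descriptor reply, matched on request type and descriptor type. */
struct vusb_descriptor {
	uint8_t req_type;
	uint8_t desc_type;
	uint32_t len;
	char data[0];
} __attribute__((packed));

/* Table of descriptor replies; len is the byte size of the whole table. */
struct vusb_descriptors {
	uint32_t len;
	struct vusb_descriptor* generic;
	struct vusb_descriptor* descs[0];
} __attribute__((packed));

/* One canned reply for a non-descriptor request, matched on type and request. */
struct vusb_response {
	uint8_t type;
	uint8_t req;
	uint32_t len;
	char data[0];
} __attribute__((packed));

/* Table of request replies; len is the byte size of the whole table. */
struct vusb_responses {
	uint32_t len;
	struct vusb_response* generic;
	struct vusb_response* resps[0];
} __attribute__((packed));

/*
 * Find the canned reply for a control request. GET_DESCRIPTOR is looked up
 * in descs, everything else in resps; when nothing matches, the table's
 * generic entry is used if there is one. Returns false when no reply exists.
 * Either table pointer may be NULL.
 */
static bool lookup_control_response(const struct vusb_descriptors* descs,
				    const struct vusb_responses* resps,
				    struct usb_ctrlrequest* ctrl,
				    char** response_data, uint32_t* response_length)
{
	int descs_num = 0;
	int resps_num = 0;
	/*
	 * The entry count is derived from the table's own len field. If len is
	 * smaller than the fixed header, the unsigned subtraction would wrap and
	 * the count would depend on how the huge value narrows to int, so such a
	 * table is treated as having no entries.
	 */
	if (descs && descs->len >= offsetof(struct vusb_descriptors, descs))
		descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]);
	if (resps && resps->len >= offsetof(struct vusb_responses, resps))
		resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]);
	uint8_t req = ctrl->bRequest;
	uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK;
	uint8_t desc_type = ctrl->wValue >> 8;
	if (req == USB_REQ_GET_DESCRIPTOR) {
		int i;
		for (i = 0; i < descs_num; i++) {
			struct vusb_descriptor* desc = descs->descs[i];
			if (!desc)
				continue;
			if (desc->req_type == req_type && desc->desc_type == desc_type) {
				*response_length = desc->len;
				if (*response_length != 0)
					*response_data = &desc->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (descs && descs->generic) {
			*response_data = &descs->generic->data[0];
			*response_length = descs->generic->len;
			return true;
		}
	} else {
		int i;
		for (i = 0; i < resps_num; i++) {
			struct vusb_response* resp = resps->resps[i];
			if (!resp)
				continue;
			if (resp->type == req_type && resp->req == req) {
				*response_length = resp->len;
				if (*response_length != 0)
					*response_data = &resp->data[0];
				else
					*response_data = NULL;
				return true;
			}
		}
		if (resps && resps->generic) {
			*response_data = &resps->generic->data[0];
			*response_length = resps->generic->len;
			return true;
		}
	}
	return false;
}

#define UDC_NAME_LENGTH_MAX 128

struct usb_raw_init {
	__u8 driver_name[UDC_NAME_LENGTH_MAX];
	__u8 device_name[UDC_NAME_LENGTH_MAX];
	__u8 speed;
};

enum usb_raw_event_type {
	USB_RAW_EVENT_INVALID = 0,
	USB_RAW_EVENT_CONNECT = 1,
	USB_RAW_EVENT_CONTROL = 2,
};

struct usb_raw_event {
	__u32 type;
	__u32 length;
	__u8 data[0];
};

struct usb_raw_ep_io {
	__u16 ep;
	__u16 flags;
	__u32 length;
	__u8 data[0];
};

#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff

struct usb_raw_ep_caps {
	__u32 type_control : 1;
	__u32 type_iso : 1;
	__u32 type_bulk : 1;
	__u32 type_int : 1;
	__u32 dir_in : 1;
	__u32 dir_out : 1;
};

struct usb_raw_ep_limits {
	__u16 maxpacket_limit;
	__u16 max_streams;
	__u32 reserved;
};

struct usb_raw_ep_info {
	__u8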
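name[USB_RAW_EP_NAME_MAX];
	__u32 addr;
	struct usb_raw_ep_caps caps;
	struct usb_raw_ep_limits limits;
};

struct usb_raw_eps_info {
	struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};

#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)

/* Open the raw-gadget device node; returns the fd or -1. */
static int usb_raw_open()
{
	return open("/dev/raw-gadget", O_RDWR);
}

/*
 * Issue USB_RAW_IOCTL_INIT with the given UDC driver and device names.
 * The argument is zeroed first and each name is copied into all but the
 * last byte of its field, so both names are always NUL-terminated when they
 * are handed to the kernel; an over-long name is truncated.
 */
static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device)
{
	struct usb_raw_init arg;
	memset(&arg, 0, sizeof(arg));
	strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name) - 1);
	strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name) - 1);
	arg.speed = speed;
	return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}

/* The wrappers below each forward one raw-gadget ioctl and return its result. */

static int usb_raw_run(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}

static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io);
}

static int usb_raw_ep_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_READ, io);
}

static int usb_raw_configure(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}

static int usb_raw_vbus_draw(int fd, uint32_t power)
{
	return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}

static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}

static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}

static int usb_raw_event_fetch(int fd, struct usb_raw_event* event)
{
	return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}

static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}

static int usb_raw_ep_disable(int fd, int ep)
{
	return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}

static int usb_raw_ep0_stall(int fd)
{
	return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}

/*
 * Return the position in the device's interface table of the entry with the
 * given interface number and alternate setting, or -1 if the fd is unknown
 * or no entry matches.
 */
static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	for (int i = 0; i < index->ifaces_num; i++) {
		if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber &&
		    index->ifaces[i].bAlternateSetting == bAlternateSetting)
			return i;
	}
	return -1;
}

/*
 * Return the stored handle of the endpoint with the given address on the
 * currently selected interface, or -1 if the fd is unknown, no interface is
 * selected, or the address is not found.
 */
static int lookup_endpoint(int fd, uint8_t bEndpointAddress)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	if (index->iface_cur < 0)
		return -1;
	for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
		if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress)
			return index->ifaces[index->iface_cur].eps[ep].handle;
	}
	return -1;
}

#define USB_MAX_PACKET_SIZE 4096

/* Event header followed by the control request and room for its payload. */
struct usb_raw_control_event {
	struct usb_raw_event inner;
	struct usb_ctrlrequest ctrl;
	char data[USB_MAX_PACKET_SIZE];
};

/* Endpoint I/O header followed by a fixed-size payload buffer. */
struct usb_raw_ep_io_data {
	struct usb_raw_ep_io inner;
	char data[USB_MAX_PACKET_SIZE];
};

static void set_interface(int fd, int n)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return;
	if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
			int rv = usb_raw_ep_disable(fd,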
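index->ifaces[index->iface_cur].eps[ep].handle);
			if (rv < 0) {
			} else {
			}
		}
	}
	if (n >= 0 && n < index->ifaces_num) {
		for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
			int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
			if (rv < 0) {
			} else {
				index->ifaces[n].eps[ep].handle = rv;
			}
		}
		index->iface_cur = n;
	}
}

/*
 * Apply the indexed bMaxPower, mark the gadget configured and select
 * interface 0. Returns 0 on success, -1 for an unknown fd, or the failing
 * ioctl's result.
 */
static int configure_device(int fd)
{
	struct usb_device_index* index = lookup_usb_index(fd);
	if (!index)
		return -1;
	int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_configure(fd);
	if (rv < 0) {
		return rv;
	}
	set_interface(fd, 0);
	return 0;
}

/*
 * Open a raw-gadget instance, register the descriptor blob for it and answer
 * control requests until lookup_connect_response_out reports that the
 * connect sequence is done. Returns the gadget fd on success and a negative
 * value on failure.
 *
 * When the descriptor blob cannot be registered the fd has not been recorded
 * anywhere, so it is closed before returning. Later failure paths leave the
 * fd open: it is already recorded in usb_devices and the slot is not cleared.
 */
static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev,
					  const struct vusb_connect_descriptors* descs,
					  lookup_connect_out_response_t lookup_connect_response_out)
{
	if (!dev) {
		return -1;
	}
	int fd = usb_raw_open();
	if (fd < 0) {
		return fd;
	}
	if (fd >= MAX_FDS) {
		close(fd);
		return -1;
	}
	struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
	if (!index) {
		close(fd);
		return -1;
	}
	char device[32];
	sprintf(&device[0], "dummy_udc.%llu", procid);
	int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
	if (rv < 0) {
		return rv;
	}
	rv = usb_raw_run(fd);
	if (rv < 0) {
		return rv;
	}
	bool done = false;
	while (!done) {
		struct usb_raw_control_event event;
		event.inner.type = 0;
		event.inner.length = sizeof(event.ctrl);
		rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
		if (rv < 0) {
			return rv;
		}
		if (event.inner.type != USB_RAW_EVENT_CONTROL)
			continue;
		char* response_data = NULL;
		uint32_t response_length = 0;
		struct usb_qualifier_descriptor qual;
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
		} else {
			if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
				usb_raw_ep0_stall(fd);
				continue;
			}
			response_data = NULL;
			response_length = event.ctrl.wLength;
		}
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
		    event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
			rv = configure_device(fd);
			if (rv < 0) {
				return rv;
			}
		}
		struct usb_raw_ep_io_data response;
		response.inner.ep = 0;
		response.inner.flags = 0;
		/* A reply that does not fit the local buffer is sent as empty. */
		if (response_length > sizeof(response.data))
			response_length = 0;
		/* Never send more than the host asked for. */
		if (event.ctrl.wLength < response_length)
			response_length = event.ctrl.wLength;
		response.inner.length = response_length;
		if (response_data)
			memcpy(&response.data[0], response_data, response_length);
		else
			memset(&response.data[0], 0, response_length);
		if (event.ctrl.bRequestType & USB_DIR_IN) {
			rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
		} else {
			rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
		}
		if (rv < 0) {
			return rv;
		}
	}
	sleep_ms(200);
	return fd;
}

/* Connect using the generic OUT-request handler. */
static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic);
}

/* Connect using the ath9k OUT-request handler. */
static volatile long syz_usb_connect_ath9k(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	uint64_t speed = a0;
	uint64_t dev_len = a1;
	const char* dev = (const char*)a2;
	const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3;
	return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_ath9k);
}

static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2)
{
	int fd = a0;
	const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1;
	const struct vusb_responses* resps = (const struct vusb_responses*)a2;
	struct usb_raw_control_event event;
	event.inner.type = 0;
	event.inner.length = USB_MAX_PACKET_SIZE;
	int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
	if (rv < 0) {
		return rv;
	}
	if (event.inner.type !=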
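USB_RAW_EVENT_CONTROL) {
		return -1;
	}
	char* response_data = NULL;
	uint32_t response_length = 0;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) {
			usb_raw_ep0_stall(fd);
			return -1;
		}
	} else {
		/*
		 * NOTE(review): with "||" this branch is taken for every standard
		 * request, not only SET_INTERFACE; confirm whether "&&" was
		 * intended. Left as is.
		 */
		if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD ||
		    event.ctrl.bRequest == USB_REQ_SET_INTERFACE) {
			int iface_num = event.ctrl.wIndex;
			int alt_set = event.ctrl.wValue;
			int iface_index = lookup_interface(fd, iface_num, alt_set);
			if (iface_index < 0) {
			} else {
				set_interface(fd, iface_index);
			}
		}
		response_length = event.ctrl.wLength;
	}
	struct usb_raw_ep_io_data response;
	response.inner.ep = 0;
	response.inner.flags = 0;
	/* A reply that does not fit the local buffer is sent as empty. */
	if (response_length > sizeof(response.data))
		response_length = 0;
	if (event.ctrl.wLength < response_length)
		response_length = event.ctrl.wLength;
	if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) {
		response_length = USB_MAX_PACKET_SIZE;
	}
	response.inner.length = response_length;
	if (response_data)
		memcpy(&response.data[0], response_data, response_length);
	else
		memset(&response.data[0], 0, response_length);
	if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) {
		rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
	} else {
		rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
	}
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Write up to USB_MAX_PACKET_SIZE bytes from a3 to the endpoint whose address
 * is a1 on the currently selected interface of gadget a0. A longer length is
 * clamped to the local buffer. Returns 0 on success, -1 for an unknown
 * endpoint, or the ioctl's negative result.
 */
static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	memcpy(&io_data.data[0], data, len);
	int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	sleep_ms(200);
	return 0;
}

/*
 * Read from the endpoint whose address is a1 on the currently selected
 * interface of gadget a0 into the buffer at a3, requesting at most a2 bytes
 * (clamped to USB_MAX_PACKET_SIZE). Returns 0 on success, -1 for an unknown
 * endpoint, or the ioctl's negative result.
 */
static volatile long syz_usb_ep_read(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	int fd = a0;
	uint8_t ep = a1;
	uint32_t len = a2;
	char* data = (char*)a3;
	int ep_handle = lookup_endpoint(fd, ep);
	if (ep_handle < 0) {
		return -1;
	}
	struct usb_raw_ep_io_data io_data;
	io_data.inner.ep = ep_handle;
	io_data.inner.flags = 0;
	if (len > sizeof(io_data.data))
		len = sizeof(io_data.data);
	io_data.inner.length = len;
	int rv = usb_raw_ep_read(fd, (struct usb_raw_ep_io*)&io_data);
	if (rv < 0) {
		return rv;
	}
	/*
	 * USB_RAW_IOCTL_EP_READ returns the number of bytes read on success.
	 * Copy only that many: the rest of io_data.data was never written and
	 * would hand uninitialised stack bytes to the caller's buffer.
	 */
	uint32_t received = (uint32_t)rv;
	if (received > len)
		received = len;
	memcpy(&data[0], &io_data.data[0], received);
	sleep_ms(200);
	return 0;
}

/*
 * Close the gadget fd. The matching usb_devices slot is not cleared here, so
 * a later descriptor with the same number still resolves to this index.
 */
static volatile long syz_usb_disconnect(volatile long a0)
{
	int fd = a0;
	int rv = close(fd);
	sleep_ms(200);
	return rv;
}

/*
 * Open a device node. When a0 is 0xc or 0xb the path is
 * /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>. Otherwise a0 is a path
 * template in which each '#' is replaced, left to right, by successive
 * decimal digits of a1 taken from the least significant end, and a2 holds
 * the open flags with O_CREAT removed.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		unsigned long nb = a1;
		char buf[1024];
		char* hash;
		/* Bounded copy with explicit termination; longer templates are truncated. */
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(nb % 10);
			nb /= 10;
		}
		return open(buf, a2 & ~O_CREAT, 0);
	}
}

/*
 * Open the procfs file named by a1 under /proc/self (a0 == 0),
 * /proc/thread-self (a0 == -1) or /proc/self/task/<a0>. Read-write is tried
 * first, then read-only.
 */
static long syz_open_procfs(volatile long a0, volatile long a1)
{
	char buf[128];
	memset(buf, 0, sizeof(buf));
	if (a0 == 0) {
		snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1);
	} else if (a0 == -1) {
		snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1);
	} else {
		snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1);
	}
	int fd = open(buf, O_RDWR);
	if (fd == -1)
		fd = open(buf, O_RDONLY);
	return fd;
}

/* Open /dev/pts/<n> for the pty number that TIOCGPTN reports for fd a0, with flags a1. */
static long syz_open_pts(volatile long a0, volatile long a1)
{
	int ptyno = 0;
	if (ioctl(a0, TIOCGPTN, &ptyno))
		return -1;
	char buf[128];
	sprintf(buf, "/dev/pts/%d", ptyno);
	return open(buf, a1, 0);
}

static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto)
{
	int netns =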
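open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		/* Do not leak the saved-namespace fd when the switch fails. */
		int saved_errno = errno;
		close(netns);
		errno = saved_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, domain, type, proto);
	int err = errno;
	/* Switching back must succeed; the process cannot continue in the other namespace. */
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	/* Report the errno of the socket call, not of the cleanup. */
	errno = err;
	return sock;
}

/*
 * Create a TCP socket while switched to the namespace behind kInitNetNsFd,
 * switch back, and connect it to 127.0.0.1 port 4420. Returns the connected
 * socket or -1.
 */
static long syz_socket_connect_nvme_tcp()
{
	struct sockaddr_in nvme_local_address;
	/* Zero the whole address so no uninitialised padding reaches connect(). */
	memset(&nvme_local_address, 0, sizeof(nvme_local_address));
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		return netns;
	if (setns(kInitNetNsFd, 0)) {
		/* Do not leak the saved-namespace fd when the switch fails. */
		int saved_errno = errno;
		close(netns);
		errno = saved_errno;
		return -1;
	}
	int sock = syscall(__NR_socket, AF_INET, SOCK_STREAM, 0x0);
	int err = errno;
	if (setns(netns, 0)) {
		exit(1);
	}
	close(netns);
	errno = err;
	nvme_local_address.sin_family = AF_INET;
	nvme_local_address.sin_port = htobe16(4420);
	nvme_local_address.sin_addr.s_addr = htobe32(0x7f000001);
	err = syscall(__NR_connect, sock, &nvme_local_address, sizeof(nvme_local_address));
	if (err != 0) {
		close(sock);
		return -1;
	}
	return sock;
}

/*
 * Resolve a generic netlink family name to its id. When sock_arg is negative
 * a temporary NETLINK_GENERIC socket is opened for the query and closed
 * afterwards; otherwise sock_arg is used as the socket. Returns the id or -1.
 */
static long syz_genetlink_get_family_id(volatile long name, volatile long sock_arg)
{
	int fd = sock_arg;
	if (fd < 0) {
		fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
		if (fd == -1) {
			return -1;
		}
	}
	struct nlmsg nlmsg_tmp;
	int ret = netlink_query_family_id(&nlmsg_tmp, fd, (char*)name, false);
	if ((int)sock_arg < 0)
		close(fd);
	if (ret < 0) {
		return -1;
	}
	return ret;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software.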
If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code 
- first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = { 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = { 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if 
(dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } 
else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff( unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? 
puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_read_part_table(volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int err = 0, res = -1, loopfd = -1; char 
loopname[64]; snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (unsigned long i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { char linkname[64]; snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: if (res) ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); errno = err; return res; }

// Mounts a filesystem, optionally backed by an in-memory image attached to a
// loop device, and opens the mount point.
//
//   fsarg      - pointer to the filesystem type string
//   dir        - pointer to the mount point path (created with mkdir first)
//   flags      - mount(2) flags; MS_RDONLY is OR-ed in for "iso9660"
//   optsarg    - pointer to the mount option string (copied, may be extended)
//   change_dir - non-zero: chdir() into the mount point after mounting
//   size       - passed with `image` to setup_loop_device(); zero means no
//                loop device is used and mount() gets a NULL source
//   image      - pointer to the image bytes
//
// Returns -1 on failure with errno set to the failing call's error. On
// success it returns the directory fd from open(), or, when change_dir is
// set, the result of chdir() (the fd from open() is then overwritten and
// never closed).
static long syz_mount_image(
	volatile long fsarg,
	volatile long dir,
	volatile long flags,
	volatile long optsarg,
	volatile long change_dir,
	volatile unsigned long size,
	volatile long image)
{
	unsigned char* data = (unsigned char*)image;
	int res = -1, err = 0, need_loop_device = !!size;
	char* mount_opts = (char*)optsarg;
	char* target = (char*)dir;
	char* fs = (char*)fsarg;
	char* source = NULL;
	char loopname[64];
	if (need_loop_device) {
		int loopfd;
		memset(loopname, 0, sizeof(loopname));
		snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
		if (setup_loop_device(data, size, loopname, &loopfd) == -1)
			return -1;
		// Only the device path is needed from here on; mount() reopens it by name.
		close(loopfd);
		source = loopname;
	}
	// Return value deliberately ignored: the directory may already exist.
	mkdir(target, 0777);
	// Buffer discipline for opts: the array is zero-filled and strncpy() copies
	// at most sizeof(opts) - 32 bytes, so the last 32 bytes stay zero. That
	// keeps the copy NUL-terminated even when mount_opts is longer (it is then
	// silently truncated) and leaves room for the suffix appended below; each
	// branch appends at most one literal, the longest being 16 characters.
	// Any new suffix must keep fitting in those 32 reserved bytes.
	// NOTE(review): mount_opts, fs and target are dereferenced without a NULL
	// check - presumably the caller always passes valid pointers; confirm.
	char opts[256];
	memset(opts, 0, sizeof(opts));
	// Empty body: the over-length case is detected but nothing is reported.
	if (strlen(mount_opts) > (sizeof(opts) - 32)) {
	}
	strncpy(opts, mount_opts, sizeof(opts) - 32);
	if (strcmp(fs, "iso9660") == 0) {
		flags |= MS_RDONLY;
	} else if (strncmp(fs, "ext", 3) == 0) {
		// Look for "errors=remount-ro" as a whole option: it must be delimited by
		// ',' or the string boundary on both sides. Only the first occurrence
		// found by strstr() is examined.
		bool has_remount_ro = false;
		char* remount_ro_start = strstr(opts, "errors=remount-ro");
		if (remount_ro_start != NULL) {
			char after = *(remount_ro_start + strlen("errors=remount-ro"));
			char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
			has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
		}
		// Appended last so that it follows any "errors=panic" already present.
		if (strstr(opts, "errors=panic") || !has_remount_ro)
			strcat(opts, ",errors=continue");
	} else if (strcmp(fs, "xfs") == 0) {
		strcat(opts, ",nouuid");
	} else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
		strcat(opts, ",errors=withdraw");
	}
	res = mount(source, target, fs, flags, opts);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	res = open(target, O_RDONLY | O_DIRECTORY);
	if (res == -1) {
		err = errno;
		goto error_clear_loop;
	}
	if (change_dir) {
		res = chdir(target);
		if (res == -1) {
			err = errno;
		}
	}

	// Reached on the success path as well (fall-through), so the loop device is
	// reset whenever one was set up.
error_clear_loop:
	if (need_loop_device)
		reset_loop_device(loopname);
	errno = err;
	return res;
}

// Function attributes. The three empty macros expand to nothing in this build.
#define noinline __attribute__((noinline))
#define always_inline __attribute__((always_inline)) inline
#define __no_stack_protector
#define __addrspace_guest
#define __optnone
// GUEST_CODE places a function in the "guest" section, which is delimited by
// the __start_guest / __stop_guest symbols declared below.
#define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector __addrspace_guest
extern char *__start_guest, *__stop_guest;

// Common header of every guest API command: `call` is the command id and
// `size` the byte length of the whole command including this header.
struct api_call_header {
	uint64_t call;
	uint64_t size;
};

// Generic command layouts carrying 1, 2, 3 or 5 64-bit arguments.
struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};
struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};
struct api_call_3 {
	struct api_call_header header;
	uint64_t args[3];
};
struct api_call_5 {
	struct api_call_header header;
	uint64_t args[5];
};

// X86_ADDR_*: address constants (their users are outside this section).
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define X86_ADDR_VAR_VMEXIT_CODE 0x9000
#define X86_ADDR_VAR_USER_CODE 0x9100
#define X86_ADDR_VAR_USER_CODE2 0x9120

// X86_SYZOS_*: addresses and sizes used by the GUEST_CODE functions.
#define X86_SYZOS_ADDR_ZERO 0x0
#define X86_SYZOS_ADDR_GDT 0x1000
#define X86_SYZOS_ADDR_PML4 0x2000
#define X86_SYZOS_ADDR_PDP 0x3000
#define X86_SYZOS_ADDR_VAR_IDT 0x25000
#define X86_SYZOS_ADDR_VAR_TSS 0x26000
#define X86_SYZOS_ADDR_BOOT_ARGS 0x2F000
#define X86_SYZOS_ADDR_SMRAM 0x30000
#define X86_SYZOS_ADDR_EXIT 0x40000
#define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256)
#define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000
#define X86_SYZOS_ADDR_USER_CODE 0x50000
#define SYZOS_ADDR_EXECUTOR_CODE 0x54000
#define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000
#define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000
#define X86_SYZOS_ADDR_STACK0 0x60f80
#define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x400000
#define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000
#define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000
#define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000
#define X86_SYZOS_ADDR_GLOBALS 0x17F000
#define X86_SYZOS_ADDR_PT_POOL 0x180000
#define X86_SYZOS_PT_POOL_SIZE 64
#define X86_SYZOS_L2_VM_REGION_SIZE 0x8000
#define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000
#define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000
#define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000
#define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000
#define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000
#define X86_SYZOS_ADDR_UNUSED 0x1000000
#define X86_SYZOS_ADDR_IOAPIC 0xfec00000

// Per-(cpu, vm) address helpers. Each evaluates to
//   per-vCPU base + cpu * L1 region size + L2 area offset
//     + vm * L2 region size + offset of the item inside the L2 region.
// The macros do not range-check `cpu` or `vm`; an out-of-range index simply
// produces an address inside another region or past the per-vCPU area.
#define X86_SYZOS_ADDR_VMCS_VMCB(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB)
#define X86_SYZOS_ADDR_VM_CODE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_CODE)
#define X86_SYZOS_ADDR_VM_STACK(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_STACK)
#define X86_SYZOS_ADDR_VM_PGTABLE(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE)
#define X86_SYZOS_ADDR_MSR_BITMAP(cpu,vm) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP)
#define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC)

// Segment selectors used by the SYZOS guest.
#define X86_SYZOS_SEL_CODE 0x8
#define X86_SYZOS_SEL_DATA 0x10
#define X86_SYZOS_SEL_TSS64 0x18

// CR0 bit masks.
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)

// CR4 bit masks.
#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5)
#define X86_CR4_MCE (1ULL << 6)
#define X86_CR4_PGE (1ULL << 7)
#define X86_CR4_PCE (1ULL << 8)
#define X86_CR4_OSFXSR (1ULL << 9)
#define X86_CR4_OSXMMEXCPT (1ULL << 10)
#define X86_CR4_UMIP (1ULL << 11)
#define X86_CR4_VMXE (1ULL << 13)
#define X86_CR4_SMXE (1ULL << 14)
#define X86_CR4_FSGSBASE (1ULL << 16)
#define X86_CR4_PCIDE (1ULL << 17)
#define X86_CR4_OSXSAVE (1ULL << 18)
#define X86_CR4_SMEP (1ULL << 20)
#define X86_CR4_SMAP (1ULL << 21)
#define X86_CR4_PKE (1ULL << 22)

// EFER MSR bit masks.
#define X86_EFER_SCE 1ULL
#define X86_EFER_LME (1ULL << 8)
#define X86_EFER_LMA (1ULL << 10)
#define X86_EFER_NXE (1ULL << 11)
#define X86_EFER_SVME (1ULL << 12)
#define X86_EFER_LMSLE (1ULL << 13)
#define X86_EFER_FFXSR (1ULL << 14)
#define X86_EFER_TCE (1ULL << 15)

// Page-directory entry flag bits (32-bit and 64-bit formats) and EPT bits.
// Note that X86_PDE64_PRESENT is a plain int, unlike its ULL neighbours.
#define X86_PDE32_PRESENT 1UL
#define X86_PDE32_RW (1UL << 1)
#define X86_PDE32_USER (1UL << 2)
#define X86_PDE32_PS (1UL << 7)
#define X86_PDE64_PRESENT 1
#define X86_PDE64_RW (1ULL << 1)
#define X86_PDE64_USER (1ULL << 2)
#define X86_PDE64_ACCESSED (1ULL << 5)
#define X86_PDE64_DIRTY (1ULL << 6)
#define X86_PDE64_PS (1ULL << 7)
#define X86_PDE64_G (1ULL << 8)
#define EPT_MEMTYPE_WB (6ULL << 3)
#define EPT_ACCESSED (1ULL << 8)
#define EPT_DIRTY (1ULL << 9)

// Segment selectors: descriptor index << 3; the *_CPL3 variants add 3 in the
// low two bits.
#define X86_SEL_LDT (1 << 3)
#define X86_SEL_CS16 (2 << 3)
#define X86_SEL_DS16 (3 << 3)
#define X86_SEL_CS16_CPL3 ((4 << 3) + 3)
#define X86_SEL_DS16_CPL3 ((5 << 3) + 3)
#define X86_SEL_CS32 (6 << 3)
#define X86_SEL_DS32 (7 << 3)
#define X86_SEL_CS32_CPL3 ((8 << 3) + 3)
#define X86_SEL_DS32_CPL3 ((9 << 3) + 3)
#define X86_SEL_CS64 (10 << 3)
#define X86_SEL_DS64 (11 << 3)
#define X86_SEL_CS64_CPL3 ((12 << 3) + 3)
#define X86_SEL_DS64_CPL3 ((13 << 3) + 3)
#define X86_SEL_CGATE16 (14 << 3)
#define X86_SEL_TGATE16 (15 << 3)
#define X86_SEL_CGATE32 (16 << 3)
#define X86_SEL_TGATE32 (17 << 3)
#define X86_SEL_CGATE64 (18 << 3)
#define X86_SEL_CGATE64_HI (19 << 3)
#define X86_SEL_TSS16 (20 << 3)
#define X86_SEL_TSS16_2 (21 << 3)
#define X86_SEL_TSS16_CPL3 ((22 << 3) + 3)
#define X86_SEL_TSS32 (23 << 3)
#define X86_SEL_TSS32_2 (24 << 3)
#define X86_SEL_TSS32_CPL3 ((25 << 3) + 3)
#define X86_SEL_TSS32_VM86 (26 << 3)
#define X86_SEL_TSS64 (27 << 3)
#define X86_SEL_TSS64_HI (28 << 3)
#define X86_SEL_TSS64_CPL3 ((29 << 3) + 3)
#define X86_SEL_TSS64_CPL3_HI (30 << 3)

// Model-specific register numbers.
#define X86_MSR_IA32_FEATURE_CONTROL 0x3a
#define X86_MSR_IA32_VMX_BASIC 0x480
#define X86_MSR_IA32_SMBASE 0x9e
#define X86_MSR_IA32_SYSENTER_CS 0x174
#define X86_MSR_IA32_SYSENTER_ESP 0x175
#define X86_MSR_IA32_SYSENTER_EIP 0x176
#define X86_MSR_IA32_CR_PAT 0x277
#define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f
#define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d
#define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e
#define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f
#define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define X86_MSR_IA32_EFER 0xc0000080
#define X86_MSR_IA32_STAR 0xC0000081
#define X86_MSR_IA32_LSTAR 0xC0000082
#define X86_MSR_FS_BASE 0xc0000100
#define X86_MSR_GS_BASE 0xc0000101
#define X86_MSR_VM_HSAVE_PA 0xc0010117
#define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B

// Control bits and segment access-rights values for nested virtualization.
#define RFLAGS_1_BIT (1ULL << 1)
#define CPU_BASED_HLT_EXITING (1U << 7)
#define CPU_BASED_RDTSC_EXITING (1U << 12)
#define AR_TSS_AVAILABLE 0x0089
#define SVM_ATTR_LDTR_UNUSABLE 0x0000
#define VMX_AR_TSS_BUSY 0x008b
#define VMX_AR_TSS_AVAILABLE 0x0089
#define VMX_AR_LDTR_UNUSABLE 0x10000
#define VM_ENTRY_IA32E_MODE (1U << 9)
#define SECONDARY_EXEC_ENABLE_EPT (1U << 1)
#define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3)
#define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9)
#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31)
#define VMX_ACCESS_RIGHTS_P (1 << 7)
#define VMX_ACCESS_RIGHTS_S (1 << 4)
#define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0)
#define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1)
#define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3)
#define VMX_ACCESS_RIGHTS_G (1 << 15)
#define VMX_ACCESS_RIGHTS_DB (1 << 14)
#define VMX_ACCESS_RIGHTS_L (1 << 13)
// Composite access rights: the data/stack value sets DB, the code value sets
// L and TYPE_E instead.
#define VMX_AR_64BIT_DATA_STACK (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB)
#define VMX_AR_64BIT_CODE (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L)

// VMCS field encodings: control and read-only fields.
#define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000
#define VMCS_POSTED_INTR_NV 0x00000002
#define VMCS_MSR_BITMAP 0x00002004
#define VMCS_VMREAD_BITMAP 0x00002006
#define VMCS_VMWRITE_BITMAP 0x00002008
#define VMCS_EPT_POINTER 0x0000201a
#define VMCS_LINK_POINTER 0x00002800
#define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000
#define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002
#define VMCS_EXCEPTION_BITMAP 0x00004004
#define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006
#define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008
#define VMCS_CR3_TARGET_COUNT 0x0000400a
#define VMCS_VM_EXIT_CONTROLS 0x0000400c
#define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e
#define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010
#define VMCS_VM_ENTRY_CONTROLS 0x00004012
#define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014
#define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016
#define VMCS_TPR_THRESHOLD 0x0000401c
#define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e
#define VMCS_VM_INSTRUCTION_ERROR 0x00004400
#define VMCS_VM_EXIT_REASON 0x00004402
#define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e
#define VMCS_CR0_GUEST_HOST_MASK 0x00006000
#define VMCS_CR4_GUEST_HOST_MASK 0x00006002
#define VMCS_CR0_READ_SHADOW 0x00006004
#define VMCS_CR4_READ_SHADOW 0x00006006

// VMCS field encodings: host-state area.
#define VMCS_HOST_ES_SELECTOR 0x00000c00
#define VMCS_HOST_CS_SELECTOR 0x00000c02
#define VMCS_HOST_SS_SELECTOR 0x00000c04
#define VMCS_HOST_DS_SELECTOR 0x00000c06
#define VMCS_HOST_FS_SELECTOR 0x00000c08
#define VMCS_HOST_GS_SELECTOR 0x00000c0a
#define VMCS_HOST_TR_SELECTOR 0x00000c0c
#define VMCS_HOST_IA32_PAT 0x00002c00
#define VMCS_HOST_IA32_EFER 0x00002c02
#define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04
#define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00
#define VMCS_HOST_CR0 0x00006c00
#define VMCS_HOST_CR3 0x00006c02
#define VMCS_HOST_CR4 0x00006c04
#define VMCS_HOST_FS_BASE 0x00006c06
#define VMCS_HOST_GS_BASE 0x00006c08
#define VMCS_HOST_TR_BASE 0x00006c0a
#define VMCS_HOST_GDTR_BASE 0x00006c0c
#define VMCS_HOST_IDTR_BASE 0x00006c0e
#define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10
#define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12
#define VMCS_HOST_RSP 0x00006c14
#define VMCS_HOST_RIP 0x00006c16

// VMCS field encodings: guest-state area.
#define VMCS_GUEST_INTR_STATUS 0x00000810
#define VMCS_GUEST_PML_INDEX 0x00000812
#define VMCS_GUEST_PHYSICAL_ADDRESS 0x00002400
#define VMCS_GUEST_IA32_DEBUGCTL 0x00002802
#define VMCS_GUEST_IA32_PAT 0x00002804
#define VMCS_GUEST_IA32_EFER 0x00002806
#define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808
#define VMCS_GUEST_ES_SELECTOR 0x00000800
#define VMCS_GUEST_CS_SELECTOR 0x00000802
#define VMCS_GUEST_SS_SELECTOR 0x00000804
#define VMCS_GUEST_DS_SELECTOR 0x00000806
#define VMCS_GUEST_FS_SELECTOR 0x00000808
#define VMCS_GUEST_GS_SELECTOR 0x0000080a
#define VMCS_GUEST_LDTR_SELECTOR 0x0000080c
#define VMCS_GUEST_TR_SELECTOR 0x0000080e
#define VMCS_GUEST_ES_LIMIT 0x00004800
#define VMCS_GUEST_CS_LIMIT 0x00004802
#define VMCS_GUEST_SS_LIMIT 0x00004804
#define VMCS_GUEST_DS_LIMIT 0x00004806
#define VMCS_GUEST_FS_LIMIT 0x00004808
#define VMCS_GUEST_GS_LIMIT 0x0000480a
#define VMCS_GUEST_LDTR_LIMIT 0x0000480c
#define VMCS_GUEST_TR_LIMIT 0x0000480e
#define VMCS_GUEST_GDTR_LIMIT 0x00004810
#define VMCS_GUEST_IDTR_LIMIT 0x00004812
#define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814
#define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816
#define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818
#define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a
#define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c
#define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e
#define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820
#define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822
#define VMCS_GUEST_ACTIVITY_STATE 0x00004824
#define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826
#define VMCS_GUEST_SYSENTER_CS 0x0000482a
#define VMCS_GUEST_CR0 0x00006800
#define VMCS_GUEST_CR3 0x00006802
#define VMCS_GUEST_CR4 0x00006804
#define VMCS_GUEST_ES_BASE 0x00006806
#define VMCS_GUEST_CS_BASE 0x00006808
#define VMCS_GUEST_SS_BASE 0x0000680a
#define VMCS_GUEST_DS_BASE 0x0000680c
#define VMCS_GUEST_FS_BASE 0x0000680e
// VMCS field encodings: guest-state area (continued).
#define VMCS_GUEST_GS_BASE 0x00006810
#define VMCS_GUEST_LDTR_BASE 0x00006812
#define VMCS_GUEST_TR_BASE 0x00006814
#define VMCS_GUEST_GDTR_BASE 0x00006816
#define VMCS_GUEST_IDTR_BASE 0x00006818
#define VMCS_GUEST_DR7 0x0000681a
#define VMCS_GUEST_RSP 0x0000681c
#define VMCS_GUEST_RIP 0x0000681e
#define VMCS_GUEST_RFLAGS 0x00006820
#define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822
#define VMCS_GUEST_SYSENTER_ESP 0x00006824
#define VMCS_GUEST_SYSENTER_EIP 0x00006826

// VMCB byte offsets (AMD SVM): control area.
#define VMCB_CTRL_INTERCEPT_VEC3 0x0c
#define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff)
#define VMCB_CTRL_INTERCEPT_VEC4 0x10
#define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff)
#define VMCB_CTRL_ASID 0x058
#define VMCB_EXIT_CODE 0x070
#define VMCB_EXITINFO2 0x080
#define VMCB_CTRL_NP_ENABLE 0x090
#define VMCB_CTRL_NPT_ENABLE_BIT 0
#define VMCB_CTRL_N_CR3 0x0b0

// VMCB byte offsets: guest save area. Each segment register has four fields
// (selector, attributes, limit, base).
#define VMCB_GUEST_ES_SEL 0x400
#define VMCB_GUEST_ES_ATTR 0x402
#define VMCB_GUEST_ES_LIM 0x404
#define VMCB_GUEST_ES_BASE 0x408
#define VMCB_GUEST_CS_SEL 0x410
#define VMCB_GUEST_CS_ATTR 0x412
#define VMCB_GUEST_CS_LIM 0x414
#define VMCB_GUEST_CS_BASE 0x418
#define VMCB_GUEST_SS_SEL 0x420
#define VMCB_GUEST_SS_ATTR 0x422
#define VMCB_GUEST_SS_LIM 0x424
#define VMCB_GUEST_SS_BASE 0x428
#define VMCB_GUEST_DS_SEL 0x430
#define VMCB_GUEST_DS_ATTR 0x432
#define VMCB_GUEST_DS_LIM 0x434
#define VMCB_GUEST_DS_BASE 0x438
#define VMCB_GUEST_FS_SEL 0x440
#define VMCB_GUEST_FS_ATTR 0x442
#define VMCB_GUEST_FS_LIM 0x444
#define VMCB_GUEST_FS_BASE 0x448
#define VMCB_GUEST_GS_SEL 0x450
#define VMCB_GUEST_GS_ATTR 0x452
#define VMCB_GUEST_GS_LIM 0x454
#define VMCB_GUEST_GS_BASE 0x458
#define VMCB_GUEST_IDTR_SEL 0x480
#define VMCB_GUEST_IDTR_ATTR 0x482
#define VMCB_GUEST_IDTR_LIM 0x484
#define VMCB_GUEST_IDTR_BASE 0x488
#define VMCB_GUEST_GDTR_SEL 0x460
#define VMCB_GUEST_GDTR_ATTR 0x462
#define VMCB_GUEST_GDTR_LIM 0x464
#define VMCB_GUEST_GDTR_BASE 0x468
#define VMCB_GUEST_LDTR_SEL 0x470
#define VMCB_GUEST_LDTR_ATTR 0x472
#define VMCB_GUEST_LDTR_LIM 0x474
#define VMCB_GUEST_LDTR_BASE 0x478
#define VMCB_GUEST_TR_SEL 0x490
#define VMCB_GUEST_TR_ATTR 0x492
#define VMCB_GUEST_TR_LIM 0x494
#define VMCB_GUEST_TR_BASE 0x498
#define VMCB_GUEST_EFER 0x4d0
#define VMCB_GUEST_CR4 0x548
#define VMCB_GUEST_CR3 0x550
#define VMCB_GUEST_CR0 0x558
#define VMCB_GUEST_DR7 0x560
#define VMCB_GUEST_DR6 0x568
#define VMCB_GUEST_RFLAGS 0x570
#define VMCB_GUEST_RIP 0x578
#define VMCB_GUEST_RSP 0x5d8
#define VMCB_GUEST_PAT 0x668
#define VMCB_GUEST_DEBUGCTL 0x670
#define VMCB_RAX 0x5f8

// SVM segment attribute bits and composite values.
#define SVM_ATTR_G (1 << 15)
#define SVM_ATTR_DB (1 << 14)
#define SVM_ATTR_L (1 << 13)
#define SVM_ATTR_P (1 << 7)
#define SVM_ATTR_S (1 << 4)
#define SVM_ATTR_TYPE_A (1 << 0)
#define SVM_ATTR_TYPE_RW (1 << 1)
#define SVM_ATTR_TYPE_E (1 << 3)
#define SVM_ATTR_TSS_BUSY 0x008b
#define SVM_ATTR_64BIT_CODE (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G)
#define SVM_ATTR_64BIT_DATA (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | SVM_ATTR_DB | SVM_ATTR_G)

// Marker values; their users are outside this section.
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d

// Sizing limits. KVM_MAX_VCPU and KVM_MAX_L2_VMS dimension the arrays in
// struct syzos_globals below.
#define KVM_MAX_VCPU 4
#define KVM_MAX_L2_VMS 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_PAGES 1024
#define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
// 64-bit mask with bits l..h (inclusive) set.
#define GENMASK_ULL(h,l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))
extern char* __start_guest;

// Translates the host address of a function to the address it has inside the
// guest: offset of `fn` from __start_guest plus SYZOS_ADDR_EXECUTOR_CODE.
// No check is made that `fn` actually lies inside the guest section.
static always_inline uintptr_t executor_fn_guest_addr(void* fn)
{
	// volatile locals: presumably to stop the compiler from folding the
	// computation into a link-time constant - TODO confirm.
	volatile uintptr_t start = (uintptr_t)&__start_guest;
	volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE;
	return (uintptr_t)fn - start + offset;
}

// Checks that a vCPU stopped for the expected reason.
//
//   a0 - pointer to the vCPU's struct kvm_run
//   a1 - expected value of run->exit_reason
//
// Returns 0 when the exit reason matches. Returns -1 with errno = EINVAL when
// a0 is NULL, or -1 with errno = EDOM on a mismatch, after printing
// diagnostics to stderr.
static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
{
	struct kvm_run* run = (struct kvm_run*)a0;
	uint64_t expect = a1;
	if (!run) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered: run is NULL\n");
		errno = EINVAL;
		return -1;
	}
	if (run->exit_reason != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] KVM Exit Reason Mismatch\n");
		// NOTE(review): mmio.is_write is printed whatever the exit reason is, so
		// the value is only meaningful when the exit really was an MMIO exit.
		fprintf(stderr, " is_write: %d\n", run->mmio.is_write);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)run->exit_reason);
		errno = EDOM;
		return -1;
	}
	return 0;
}

// Command ids understood by guest_main(). The numbering has gaps, and
// SYZOS_API_STOP has no explicit value, so it is one more than
// SYZOS_API_NESTED_AMD_VMSAVE (388); guest_main() uses it as an exclusive
// upper bound for valid ids.
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 100,
	SYZOS_API_WRMSR = 101,
	SYZOS_API_RDMSR = 102,
	SYZOS_API_WR_CRN = 103,
	SYZOS_API_WR_DRN = 104,
	SYZOS_API_IN_DX = 105,
	SYZOS_API_OUT_DX = 106,
	SYZOS_API_SET_IRQ_HANDLER = 200,
	SYZOS_API_ENABLE_NESTED = 300,
	SYZOS_API_NESTED_CREATE_VM = 301,
	SYZOS_API_NESTED_LOAD_CODE = 302,
	SYZOS_API_NESTED_VMLAUNCH = 303,
	SYZOS_API_NESTED_VMRESUME = 304,
	SYZOS_API_NESTED_LOAD_SYZOS = 310,
	SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340,
	SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380,
	SYZOS_API_NESTED_AMD_INVLPGA = 381,
	SYZOS_API_NESTED_AMD_STGI = 382,
	SYZOS_API_NESTED_AMD_CLGI = 383,
	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
	SYZOS_API_NESTED_AMD_SET_INTERCEPT = 385,
	SYZOS_API_NESTED_AMD_VMLOAD = 386,
	SYZOS_API_NESTED_AMD_VMSAVE = 387,
	SYZOS_API_STOP,
} syzos_api_id;

// Command-specific layouts. The ones ending in a flexible array member carry
// a variable-length payload whose length is implied by header.size.
struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};
struct api_call_nested_load_code {
	struct api_call_header header;
	uint64_t vm_id;
	uint8_t insns[];
};
struct api_call_nested_load_syzos {
	struct api_call_header header;
	uint64_t vm_id;
	uint64_t unused_pages;
	uint8_t program[];
};
struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

// General-purpose registers of an L2 guest (rsp is not part of this set).
struct l2_guest_regs {
	uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp;
	uint64_t r8, r9, r10, r11, r12, r13, r14, r15;
};

// Flags for struct mem_region. Bit 4 is not assigned here.
#define MEM_REGION_FLAG_USER_CODE (1 << 0)
#define MEM_REGION_FLAG_DIRTY_LOG (1 << 1)
#define MEM_REGION_FLAG_READONLY (1 << 2)
#define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3)
#define MEM_REGION_FLAG_GPA0 (1 << 5)
#define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6)
#define MEM_REGION_FLAG_REMAINING (1 << 7)

// One guest memory region: guest-physical address, length in pages and
// MEM_REGION_FLAG_* bits. `pages` is a signed int.
struct mem_region {
	uint64_t gpa;
	int pages;
	uint32_t flags;
};

// Boot arguments: region_count entries follow in `regions`.
struct syzos_boot_args {
	uint32_t region_count;
	uint32_t reserved;
	struct mem_region regions[];
};

// State read by the guest at X86_SYZOS_ADDR_GLOBALS. The per-vCPU arrays have
// KVM_MAX_VCPU entries and l2_ctx has KVM_MAX_L2_VMS entries per vCPU, so
// every cpu / vm id used as an index must stay below those limits.
struct syzos_globals {
	uint64_t alloc_offset;
	uint64_t total_size;
	uint64_t text_sizes[KVM_MAX_VCPU];
	struct l2_guest_regs l2_ctx[KVM_MAX_VCPU][KVM_MAX_L2_VMS];
	uint64_t active_vm_id[KVM_MAX_VCPU];
};

// Forward declarations of the guest-side handlers.
GUEST_CODE static void guest_uexit(uint64_t exit_code);
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs);
GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size);
GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
GUEST_CODE static void guest_handle_rdmsr(uint64_t reg);
GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd);
GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd);
GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id);
GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_stgi(); GUEST_CODE static void guest_handle_nested_amd_clgi(); GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmsave(struct api_call_1* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, UEXIT_INVALID_MAIN = (uint64_t)-4, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t cpu) { volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS; uint64_t size = globals->text_sizes[cpu]; uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; volatile uint64_t call = cmd->call; if ((call >= SYZOS_API_STOP) || (cmd->size > size)) { guest_uexit(UEXIT_INVALID_MAIN); return; } if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == 
SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_SYZOS) { guest_handle_nested_load_syzos((struct api_call_nested_load_syzos*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_INVLPGA) { guest_handle_nested_amd_invlpga((struct api_call_2*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_STGI) { guest_handle_nested_amd_stgi(); } else if (call == SYZOS_API_NESTED_AMD_CLGI) { guest_handle_nested_amd_clgi(); } else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) { guest_handle_nested_amd_inject_event((struct 
api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_SET_INTERCEPT) { guest_handle_nested_amd_set_intercept((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMLOAD) { guest_handle_nested_amd_vmload((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMSAVE) { guest_handle_nested_amd_vmsave((struct api_call_1*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit(UEXIT_END); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; asm volatile("movq %0, (%1)" ::"a"(exit_code), "r"(ptr) : "memory"); } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile( "cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile( "wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm 
volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile 
struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
    volatile struct idt_entry_64* idt_entry = &idt[vector];
    // The 64-bit handler address is split across the three offset fields.
    idt_entry->offset_low = (uint16_t)handler;
    idt_entry->offset_mid = (uint16_t)(handler >> 16);
    idt_entry->offset_high = (uint32_t)(handler >> 32);
    idt_entry->selector = X86_SYZOS_SEL_CODE;
    // 0x8E: present, DPL 0, 64-bit interrupt gate.
    idt_entry->type_attr = 0x8E;
    idt_entry->ist = 0;
    idt_entry->reserved = 0;
}

// Install one of the built-in interrupt handlers for a vector.
//   cmd->args[0]: vector, truncated to 8 bits.
//   cmd->args[1]: 1 selects dummy_null_handler, 2 selects uexit_irq_handler.
// Any other type leaves handler_addr at 0, and the gate is still written with that address.
GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
{
    uint8_t vector = (uint8_t)cmd->args[0];
    uint64_t type = cmd->args[1];
    volatile uint64_t handler_addr = 0;
    if (type == 1)
        handler_addr = executor_fn_guest_addr(dummy_null_handler);
    else if (type == 2)
        handler_addr = executor_fn_guest_addr(uexit_irq_handler);
    set_idt_gate(vector, handler_addr);
}

// Identify the CPU vendor from CPUID leaf 0.
// Only EBX (the first four bytes of the vendor string) is compared: "Genu" for Intel,
// "Auth" for AMD. Anything else raises UEXIT_ASSERT and is then reported as Intel.
GUEST_CODE static cpu_vendor_id get_cpu_vendor(void)
{
    uint32_t ebx, eax = 0;
    asm volatile(
        "cpuid"
        : "+a"(eax), "=b"(ebx)
        :
        : "ecx", "edx");
    if (ebx == 0x756e6547) {
        return CPU_VENDOR_INTEL;
    } else if (ebx == 0x68747541) {
        return CPU_VENDOR_AMD;
    } else {
        guest_uexit(UEXIT_ASSERT);
        return CPU_VENDOR_INTEL;
    }
}

// Return the current value of CR0.
GUEST_CODE static inline uint64_t read_cr0(void)
{
    uint64_t val;
    asm volatile("mov %%cr0, %0" : "=r"(val));
    return val;
}

// Return the current value of CR3.
GUEST_CODE static inline uint64_t read_cr3(void)
{
    uint64_t val;
    asm volatile("mov %%cr3, %0" : "=r"(val));
    return val;
}

// Return the current value of CR4.
GUEST_CODE static inline uint64_t read_cr4(void)
{
    uint64_t val;
    asm volatile("mov %%cr4, %0" : "=r"(val));
    return val;
}

// Load CR4 with val.
GUEST_CODE static inline void write_cr4(uint64_t val)
{
    asm volatile("mov %0, %%cr4" : : "r"(val));
}

// Write `value` to the field `field` of the current VMCS.
// SETNA captures CF or ZF, i.e. either VMX failure form; a failure raises UEXIT_ASSERT.
GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value)
{
    uint8_t error = 0;
    asm volatile("vmwrite %%rax, %%rbx; setna %0"
                 : "=q"(error)
                 : "a"(value), "b"(field)
                 : "cc", "memory");
    if (error)
        guest_uexit(UEXIT_ASSERT);
}

// Read the field `field` of the current VMCS.
// NOTE(review): unlike vmwrite() the flags are not checked, so a failed VMREAD returns
// whatever the output register holds - callers cannot tell the difference.
GUEST_CODE static noinline uint64_t vmread(uint64_t field)
{
    uint64_t value;
    asm volatile("vmread %%rbx, %%rax"
                 : "=a"(value)
                 : "b"(field)
                 : "cc");
    return value;
}

// Make the VMCS of (cpu_id, vm_id) current with VMPTRLD; a failure is reported as uexit 0xE2BAD2.
GUEST_CODE static inline void 
nested_vmptrld(uint64_t cpu_id, uint64_t vm_id)
{
    // VMPTRLD takes a memory operand holding the VMCS address, hence the local copy.
    uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    asm volatile("vmptrld %1; setna %0"
                 : "=q"(error)
                 : "m"(vmcs_addr)
                 : "memory", "cc");
    if (error)
        guest_uexit(0xE2BAD2);
}

// VMCB accessors: read or write a 16/32/64-bit value at byte `offset` from the VMCB base
// through a volatile pointer. No alignment or range check is made; `offset` is 16 bits wide,
// so an access can reach up to 64 KiB past the base.
GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val)
{
    *((volatile uint16_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val)
{
    *((volatile uint32_t*)(vmcb + offset)) = val;
}

GUEST_CODE static noinline uint32_t vmcb_read32(uint64_t vmcb, uint16_t offset)
{
    return *((volatile uint32_t*)(vmcb + offset));
}

GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val)
{
    *((volatile uint64_t*)(vmcb + offset)) = val;
}

// NOTE(review): this is the only accessor that takes the base as a pointer instead of a
// uint64_t, which is why its callers carry a cast.
GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset)
{
    return *((volatile uint64_t*)(vmcb + offset));
}

// Byte-wise fill of `size` bytes at `s` with `c`. A size <= 0 writes nothing.
GUEST_CODE static void guest_memset(void* s, uint8_t c, int size)
{
    volatile uint8_t* p = (volatile uint8_t*)s;
    for (int i = 0; i < size; i++)
        p[i] = c;
}

// Byte-wise forward copy of `size` bytes from `src` to `dst`. A size <= 0 copies nothing.
// `size` is an int, so a wider length passed by a caller is converted on the way in.
GUEST_CODE static void guest_memcpy(void* dst, void* src, int size)
{
    volatile uint8_t* d = (volatile uint8_t*)dst;
    volatile uint8_t* s = (volatile uint8_t*)src;
    for (int i = 0; i < size; i++)
        d[i] = s[i];
}

// Enter VMX root operation on an Intel CPU.
// Sets CR4.VMXE, makes sure IA32_FEATURE_CONTROL allows VMX, stores the revision read from
// IA32_VMX_BASIC at the start of the per-CPU VMXON region and executes VMXON.
// A VMXON failure is reported as uexit 0xE2BAD0.
GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id)
{
    uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
    uint64_t cr4 = read_cr4();
    cr4 |= X86_CR4_VMXE;
    write_cr4(cr4);
    uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL);
    // Bit 0 is the lock bit: the MSR is only written while it is still unlocked.
    if ((feature_control & 1) == 0) {
        // 0b101: lock (bit 0) plus "enable VMX outside SMX" (bit 2).
        feature_control |= 0b101;
        asm volatile("wrmsr"
                     :
                     : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control));
    }
    *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    uint8_t error;
    asm volatile("vmxon %1; setna %0"
                 : "=q"(error)
                 : "m"(vmxon_addr)
                 : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD0);
        return;
    }
}

// Enable SVM on an AMD CPU: set EFER.SVME and point VM_HSAVE_PA at the per-CPU
// architecture-specific page.
GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t 
cpu_id)
{
    uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id);
    uint64_t efer = rdmsr(X86_MSR_IA32_EFER);
    efer |= X86_EFER_SVME;
    wrmsr(X86_MSR_IA32_EFER, efer);
    wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr);
}

// Enable nested virtualization for this CPU, dispatching on the detected vendor.
// `cmd` is not read.
GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_enable_vmx_intel(cpu_id);
    } else {
        nested_enable_svm_amd(cpu_id);
    }
}

// Return the size in bytes of the boot-args region whose gpa is X86_SYZOS_ADDR_UNUSED,
// or 0 if no such region is listed.
GUEST_CODE static uint64_t get_unused_memory_size()
{
    volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS;
    for (uint32_t i = 0; i < args->region_count; i++) {
        if (args->regions[i].gpa == X86_SYZOS_ADDR_UNUSED)
            return args->regions[i].pages * KVM_PAGE_SIZE;
    }
    return 0;
}

// Bump-allocate one zeroed page from the unused region and return its address.
// The region size is published into globals->total_size on first use with a compare-and-swap;
// the allocation cursor is advanced with an atomic fetch-and-add. Pages are never freed.
GUEST_CODE static uint64_t guest_alloc_page()
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    if (globals->total_size == 0) {
        uint64_t size = get_unused_memory_size();
        __sync_val_compare_and_swap(&globals->total_size, 0, size);
    }
    uint64_t offset = __sync_fetch_and_add(&globals->alloc_offset, KVM_PAGE_SIZE);
    // NOTE(review): if guest_uexit() returns, execution continues and a page past the end of
    // the region is zeroed and handed out - confirm that UEXIT_ASSERT never resumes the guest.
    if (offset >= globals->total_size)
        guest_uexit(UEXIT_ASSERT);
    uint64_t ptr = X86_SYZOS_ADDR_UNUSED + offset;
    guest_memset((void*)ptr, 0, KVM_PAGE_SIZE);
    return ptr;
}

// Map one 4 KiB page at guest-physical address `gpa` of the L2 guest (cpu_id, vm_id) to
// `host_pa` in that guest's four-level table, allocating intermediate tables on demand.
// `flags` is OR-ed into the leaf entry as is. An already-present leaf is left untouched.
GUEST_CODE static void l2_map_page(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa, uint64_t host_pa, uint64_t flags)
{
    uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
    // Each level is indexed by 9 bits of the address: 47:39, 38:30, 29:21, 20:12.
    uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
    if (!(pml4[pml4_idx] & X86_PDE64_PRESENT)) {
        uint64_t page = guest_alloc_page();
        pml4[pml4_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    }
    // Table addresses are used directly as pointers, so this relies on the tables being
    // reachable at the address stored in the entry.
    volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
    uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
    if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT)) {
        uint64_t page = guest_alloc_page();
        pdpt[pdpt_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    }
    volatile 
uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
    uint64_t pd_idx = (gpa >> 21) & 0x1FF;
    if (!(pd[pd_idx] & X86_PDE64_PRESENT)) {
        uint64_t page = guest_alloc_page();
        pd[pd_idx] = page | X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    }
    volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
    uint64_t pt_idx = (gpa >> 12) & 0x1FF;
    // The leaf is only written when no mapping exists yet; an existing one is never replaced.
    if (!(pt[pt_idx] & X86_PDE64_PRESENT))
        pt[pt_idx] = (host_pa & ~0xFFF) | flags;
}

// Build the second-level (EPT on Intel, NPT on AMD) mappings of the L2 guest (cpu_id, vm_id)
// from the region list in the boot args.
//   vendor:       selects the vendor-specific leaf flags.
//   unused_pages: page count used for the region flagged MEM_REGION_FLAG_REMAINING,
//                 with a floor of 16 pages.
// Regions flagged MEM_REGION_FLAG_NO_HOST_MEM are skipped.
GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id, uint64_t unused_pages)
{
    uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER;
    if (vendor == CPU_VENDOR_INTEL) {
        flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY;
    } else {
        flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY;
    }
    volatile struct syzos_boot_args* args = (volatile struct syzos_boot_args*)X86_SYZOS_ADDR_BOOT_ARGS;
    for (uint32_t i = 0; i < args->region_count; i++) {
        // Work on a local copy of the (volatile) region descriptor.
        struct mem_region r;
        r.gpa = args->regions[i].gpa;
        r.pages = args->regions[i].pages;
        r.flags = args->regions[i].flags;
        if (r.flags & MEM_REGION_FLAG_NO_HOST_MEM)
            continue;
        if (r.flags & MEM_REGION_FLAG_REMAINING) {
            r.pages = (unused_pages < 16) ? 
16 : unused_pages;
        }
        // NOTE(review): p is a signed int compared against r.pages and multiplied by
        // KVM_PAGE_SIZE; the types of both are not visible here - confirm there is no
        // signed/unsigned or width surprise for large regions.
        for (int p = 0; p < r.pages; p++) {
            uint64_t gpa = r.gpa + (p * KVM_PAGE_SIZE);
            uint64_t backing;
            // The first user-code page and the stack get per-VM backing pages; every page of
            // the stack region maps to the same backing page. Everything else is identity-mapped.
            if (r.gpa == X86_SYZOS_ADDR_USER_CODE && p == 0) {
                backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
            } else if (r.gpa == X86_SYZOS_ADDR_STACK_BOTTOM) {
                backing = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
            } else {
                backing = gpa;
            }
            l2_map_page(cpu_id, vm_id, gpa, backing, flags);
        }
    }
}

// Program the execution, exit and entry control fields of the current VMCS for the L2 guest
// (cpu_id, vm_id). The caller must have made that VMCS current.
// Each control word starts from the low 32 bits of the matching capability MSR (the bits
// that must be 1) and then gets the features this code needs OR-ed in.
GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS);
    vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2);
    vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP;
    vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS);
    vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
    vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING;
    vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS);
    vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE);
    vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS);
    vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE);
    // EPTP: table base, memory type 6 (write-back) in bits 2:0, page-walk length minus one (3) in bits 5:3.
    uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3);
    vmwrite(VMCS_EPT_POINTER, eptp);
    // Zero guest/host masks: the L2 guest owns every CR0/CR4 bit.
    vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0);
    vmwrite(VMCS_CR0_READ_SHADOW, read_cr0());
    vmwrite(VMCS_CR4_READ_SHADOW, read_cr4());
    vmwrite(VMCS_MSR_BITMAP, 0);
    vmwrite(VMCS_VMREAD_BITMAP, 0);
    vmwrite(VMCS_VMWRITE_BITMAP, 0);
    // Bit 6: intercept #UD (vector 6) only.
    vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6));
    vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0);
    vmwrite(VMCS_POSTED_INTR_NV, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0);
    vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1);
    vmwrite(VMCS_CR3_TARGET_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0);
    vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0);
vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0);
    vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0);
    vmwrite(VMCS_TPR_THRESHOLD, 0);
}

// Vendor-neutral L2 exit reasons that the Intel and AMD exit codes are mapped onto.
typedef enum {
    SYZOS_NESTED_EXIT_REASON_HLT = 1,
    SYZOS_NESTED_EXIT_REASON_INVD = 2,
    SYZOS_NESTED_EXIT_REASON_CPUID = 3,
    SYZOS_NESTED_EXIT_REASON_RDTSC = 4,
    SYZOS_NESTED_EXIT_REASON_RDTSCP = 5,
    SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION = 6,
    SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF,
} syz_nested_exit_reason;

// Forward a uexit requested by a nested guest: the top byte of the code is treated as a
// nesting level, incremented by one, and the result is passed on with guest_uexit().
GUEST_CODE static void handle_nested_uexit(uint64_t exit_code)
{
    uint64_t level = (exit_code >> 56) + 1;
    exit_code = (exit_code & 0x00FFFFFFFFFFFFFFULL) | (level << 56);
    guest_uexit(exit_code);
}

// Report an L2 VM exit to the host.
// A mapped reason is reported as 0xe2e20000 | mapped_reason. An unmapped one carries the raw
// exit_reason under a vendor prefix: 0xe2110000 for Intel, 0xe2aa0000 for AMD.
// exit_reason is OR-ed in unmasked, so bits above 15 would overlap the prefix.
GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor)
{
    if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) {
        guest_uexit(0xe2e20000 | mapped_reason);
    } else if (vendor == CPU_VENDOR_INTEL) {
        guest_uexit(0xe2110000 | exit_reason);
    } else {
        guest_uexit(0xe2aa0000 | exit_reason);
    }
}

// Intel VMX basic exit reasons handled by this code.
#define EXIT_REASON_CPUID 0xa
#define EXIT_REASON_HLT 0xc
#define EXIT_REASON_INVD 0xd
#define EXIT_REASON_EPT_VIOLATION 0x30
#define EXIT_REASON_RDTSC 0x10
#define EXIT_REASON_RDTSCP 0x33

// Map an Intel basic exit reason to the vendor-neutral enum; unhandled reasons map to UNKNOWN.
GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason)
{
    // NOTE(review): volatile copy plus if-chain, presumably to avoid a compiler-generated
    // jump table in guest code - confirm before converting to a switch.
    volatile uint64_t reason = basic_reason;
    if (reason == EXIT_REASON_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == EXIT_REASON_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == EXIT_REASON_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == EXIT_REASON_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == EXIT_REASON_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    if (reason == EXIT_REASON_EPT_VIOLATION)
        return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Step the L2 guest RIP in the current VMCS past the instruction that caused the exit.
// The lengths are hard-coded: 2 bytes for INVD, CPUID and RDTSC, 3 bytes for RDTSCP.
// For every other reason RIP is written back unchanged.
GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason)
{
    volatile uint64_t reason = basic_reason;
    uint64_t rip = vmread(VMCS_GUEST_RIP);
    if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || 
(reason == EXIT_REASON_RDTSC)) {
        rip += 2;
    } else if (reason == EXIT_REASON_RDTSCP) {
        rip += 3;
    }
    vmwrite(VMCS_GUEST_RIP, rip);
}

// C part of the Intel VM-exit path, called from nested_vm_exit_handler_intel_asm.
//   exit_reason: raw value of the VM-exit reason field.
//   regs:        the L2 register block the assembly stub pushed on the stack.
// Saves the L2 registers into globals->l2_ctx, forwards a uexit when the L2 guest touched the
// X86_SYZOS_ADDR_EXIT page, and otherwise reports the exit and steps RIP.
__attribute__((used))
GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs)
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    // cpu_id is fetched from the host stack frame above the register block: 7 slots up, which
    // matches the six callee-saved registers plus the launch flag pushed before VM entry.
    // This offset must stay in sync with the push sequence in guest_handle_nested_vmentry_intel.
    uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 7 * 8);
    // NOTE(review): cpu_id and vm_id index l2_ctx without a range check; both are trusted
    // to be within the array bounds.
    uint64_t vm_id = globals->active_vm_id[cpu_id];
    guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
    uint64_t basic_reason = exit_reason & 0xFFFF;
    if (basic_reason == EXIT_REASON_EPT_VIOLATION) {
        uint64_t gpa = vmread(VMCS_GUEST_PHYSICAL_ADDRESS);
        if ((gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
            // The L2 guest passes its exit code in RAX.
            handle_nested_uexit(regs->rax);
            // Presumably the faulting store is a 3-byte instruction - TODO confirm against
            // the L2 side of guest_uexit().
            vmwrite(VMCS_GUEST_RIP, vmread(VMCS_GUEST_RIP) + 3);
            return;
        }
    }
    syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL);
    advance_l2_rip_intel(basic_reason);
}

// Defined inside the asm block of the VM-entry routine; execution resumes there after a VM exit.
extern char after_vmentry_label;

// VM-exit entry point (installed as the VMCS host RIP). Pushes the fifteen L2 general-purpose
// registers, calls nested_vm_exit_handler_intel(exit reason, pointer to that block), then
// unwinds the frame built before VM entry and jumps to after_vmentry_label.
// NOTE(review): in this copy the template is a single line with only spaces between
// instructions; the assembler needs a newline or ';' between statements, so the line breaks
// were probably lost in extraction - confirm against the original source.
__attribute__((naked))
GUEST_CODE static void nested_vm_exit_handler_intel_asm(void)
{
    asm volatile(R"( push %%r15 push %%r14 push %%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx push %%rax mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[l2_regs_size], %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp jmp after_vmentry_label )"
                 :
                 : [l2_regs_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON)
                 : "memory", "cc", "rbx", "rdi", "rsi");
}

// AMD SVM exit codes handled by this code.
#define VMEXIT_RDTSC 0x6e
#define VMEXIT_CPUID 0x72
#define VMEXIT_INVD 0x76
#define VMEXIT_HLT 0x78
#define VMEXIT_NPF 0x400
#define VMEXIT_RDTSCP 0x87

// Map an AMD exit code to the vendor-neutral enum; a nested page fault is reported as
// EPT_VIOLATION and unhandled codes as UNKNOWN.
GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason)
{
    volatile uint64_t reason = 
basic_reason;
    if (reason == VMEXIT_HLT)
        return SYZOS_NESTED_EXIT_REASON_HLT;
    if (reason == VMEXIT_INVD)
        return SYZOS_NESTED_EXIT_REASON_INVD;
    if (reason == VMEXIT_CPUID)
        return SYZOS_NESTED_EXIT_REASON_CPUID;
    if (reason == VMEXIT_RDTSC)
        return SYZOS_NESTED_EXIT_REASON_RDTSC;
    if (reason == VMEXIT_RDTSCP)
        return SYZOS_NESTED_EXIT_REASON_RDTSCP;
    if (reason == VMEXIT_NPF)
        return SYZOS_NESTED_EXIT_REASON_EPT_VIOLATION;
    return SYZOS_NESTED_EXIT_REASON_UNKNOWN;
}

// Step the L2 guest RIP stored in the VMCB of (cpu_id, vm_id) past the exiting instruction.
// The lengths are hard-coded: 2 bytes for INVD, CPUID and RDTSC, 3 bytes for RDTSCP.
// For every other code RIP is written back unchanged.
GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id)
{
    volatile uint64_t reason = basic_reason;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
    if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) {
        rip += 2;
    } else if (reason == VMEXIT_RDTSCP) {
        rip += 3;
    }
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip);
}

// C part of the AMD VM-exit path, called from the asm block in guest_run_amd_vm.
//   exit_reason: exit code taken from the VMCB by the caller.
//   regs:        the L2 register block the caller pushed on the stack.
// Saves the L2 registers into globals->l2_ctx, forwards a uexit when the nested page fault
// hit the X86_SYZOS_ADDR_EXIT page, and otherwise reports the exit and steps RIP.
__attribute__((used))
GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, struct l2_guest_regs* regs)
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    // cpu_id sits 8 slots above the register block: the pushed exit code, six callee-saved
    // registers and the VMCB address. This offset must stay in sync with the push sequence
    // in guest_run_amd_vm.
    uint64_t cpu_id = *(uint64_t*)((char*)regs + sizeof(struct l2_guest_regs) + 8 * 8);
    // NOTE(review): cpu_id and vm_id index l2_ctx without a range check; both are trusted
    // to be within the array bounds.
    uint64_t vm_id = globals->active_vm_id[cpu_id];
    guest_memcpy((void*)&globals->l2_ctx[cpu_id][vm_id], regs, sizeof(struct l2_guest_regs));
    // Only the low 16 bits are compared, although the full value is what gets reported.
    volatile uint64_t basic_reason = exit_reason & 0xFFFF;
    if (basic_reason == VMEXIT_NPF) {
        uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
        // EXITINFO2 holds the faulting guest-physical address for a nested page fault.
        uint64_t fault_gpa = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_EXITINFO2);
        if ((fault_gpa & ~0xFFF) == X86_SYZOS_ADDR_EXIT) {
            handle_nested_uexit(regs->rax);
            uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP);
            // Presumably the faulting store is a 3-byte instruction - TODO confirm.
            vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip + 3);
            return;
        }
    }
    syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason);
    guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD);
    advance_l2_rip_amd(basic_reason, 
cpu_id, vm_id);
}

// Fill the host-state area of the current VMCS from the state L1 is running with, so that a
// VM exit returns to this environment. The host RIP is the assembly exit stub; the host RSP
// is written separately, right before VM entry.
GUEST_CODE static noinline void init_vmcs_host_state(void)
{
    vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE);
    vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA);
    vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64);
    vmwrite(VMCS_HOST_TR_BASE, X86_SYZOS_ADDR_VAR_TSS);
    vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT);
    vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT);
    vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE));
    vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE));
    vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm);
    vmwrite(VMCS_HOST_CR0, read_cr0());
    vmwrite(VMCS_HOST_CR3, read_cr3());
    vmwrite(VMCS_HOST_CR4, read_cr4());
    vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT));
    vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER));
    vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL));
    vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS));
    vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP));
    vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP));
}

// Copy one VMCS field into another.
#define COPY_VMCS_FIELD(GUEST_FIELD,HOST_FIELD) vmwrite(GUEST_FIELD, vmread(HOST_FIELD))
// Write selector, base, limit and access rights of one guest segment register.
// Expands to four statements and is not wrapped in do { } while (0), so it must not be used
// as the body of an unbraced if/else.
#define SETUP_L2_SEGMENT(SEG,SELECTOR,BASE,LIMIT,AR) vmwrite(VMCS_GUEST_ ##SEG ##_SELECTOR, SELECTOR); vmwrite(VMCS_GUEST_ ##SEG ##_BASE, BASE); vmwrite(VMCS_GUEST_ ##SEG ##_LIMIT, LIMIT); vmwrite(VMCS_GUEST_ ##SEG ##_ACCESS_RIGHTS, AR);

// Fill the guest-state area of the current VMCS for the L2 guest (cpu_id, vm_id).
// Most values are copied from the host-state fields, so init_vmcs_host_state() has to run
// first; RIP and RSP point at the per-VM code page and the top of the per-VM stack page.
GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE);
    SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, 
VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK);
    // 0x67 is the limit of a 104-byte 64-bit TSS.
    SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY);
    SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE);
    // The L2 guest starts with L1's control registers, including the same CR3.
    vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0));
    vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3));
    vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4));
    vmwrite(VMCS_GUEST_RIP, l2_code_addr);
    // Stack pointer: last 8-byte slot of the stack page.
    vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT);
    // 0x400 is the architectural reset value of DR7.
    vmwrite(VMCS_GUEST_DR7, 0x400);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT);
    COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP);
    COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP);
    vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0);
    vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE));
    vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff);
    vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE));
    vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff);
    // All-ones link pointer: no shadow VMCS.
    vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff);
    vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0);
    vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0);
    vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0);
    vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0);
    vmwrite(VMCS_GUEST_INTR_STATUS, 0);
    vmwrite(VMCS_GUEST_PML_INDEX, 0);
}

// Create the L2 VM cmd->arg on an Intel CPU: initialise and clear its VMCS, make it current,
// build its second-level page tables and fill the control, host and guest state.
// A VMCLEAR failure is reported as uexit 0xE2BAD1.
// NOTE(review): vm_id comes straight from the command and is used to derive addresses
// without a range check here.
GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint8_t error = 0;
    uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
    // The first dword of a VMCS region takes the revision read from IA32_VMX_BASIC.
    *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC);
    asm volatile("vmclear %1; setna %0"
                 : "=q"(error)
                 : "m"(vmcs_addr)
                 : "memory", "cc");
    if (error) {
        guest_uexit(0xE2BAD1);
        return;
    }
    nested_vmptrld(cpu_id, vm_id);
    guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id, 0);
    // Order matters: the guest state is copied from the host-state fields.
    init_vmcs_control_fields(cpu_id, vm_id);
    init_vmcs_host_state();
    init_vmcs_guest_state(cpu_id, vm_id);
}

// Write selector, attributes, limit and base of one guest segment register into a VMCB.
// Expands to four statements and is not wrapped in do { } while (0), so it must not be used
// as the body of an unbraced if/else.
#define SETUP_L2_SEGMENT_SVM(VMBC_PTR,SEG_NAME,SELECTOR,BASE,LIMIT,ATTR) vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_SEL, SELECTOR); vmcb_write16(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_ATTR, ATTR); vmcb_write32(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_LIM, LIMIT); vmcb_write64(VMBC_PTR, VMCB_GUEST_ ##SEG_NAME ##_BASE, BASE);

// Fill the VMCB of the L2 guest (cpu_id, vm_id): segment state, control registers, entry
// point and stack, descriptor tables, intercepts, nested paging and ASID.
GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id);
    uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, 
X86_SYZOS_ADDR_VAR_TSS, 0x67, SVM_ATTR_TSS_BUSY);
    SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE);
    // The L2 guest starts with L1's control registers (CR0 with WP forced on) and the same CR3.
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP);
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3());
    vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4());
    vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr);
    // Stack pointer: last 8-byte slot of the stack page.
    vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8);
    vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT);
    vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, X86_EFER_LME | X86_EFER_LMA | X86_EFER_SVME);
    vmcb_write64(vmcb_addr, VMCB_RAX, 0);
    // 10-byte descriptor-table register image as stored by SGDT/SIDT in 64-bit mode.
    struct {
        uint16_t limit;
        uint64_t base;
    } __attribute__((packed)) gdtr, idtr;
    asm volatile("sgdt %0" : "=m"(gdtr));
    asm volatile("sidt %0" : "=m"(idtr));
    vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit);
    vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base);
    vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL);
    vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL);
    // Turn on nested paging and point it at the per-VM table built by setup_l2_page_tables().
    vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT));
    uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF);
    vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer);
    // Every L2 guest is given ASID 1.
    vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1);
}

// Create the L2 VM cmd->arg on an AMD CPU: zero its VMCB, the per-CPU architecture-specific
// page, its page-table root and its MSR bitmap, then build the nested page tables and fill
// the VMCB.
// NOTE(review): vm_id comes straight from the command and is used to derive addresses
// without a range check here.
GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    uint64_t l2_msr_bitmap = X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id);
    guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE);
    guest_memset((void*)l2_msr_bitmap, 0, KVM_PAGE_SIZE);
    setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id, 0);
init_vmcb_guest_state(cpu_id, vm_id);
}

// Create an L2 VM, dispatching on the detected CPU vendor.
GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_create_vm_intel(cmd, cpu_id);
    } else {
        nested_create_vm_amd(cmd, cpu_id);
    }
}

// Walk the second-level page table of the L2 guest (cpu_id, vm_id) and translate the
// guest-physical address `gpa`. Returns the backing address, or 0 if any level is not
// present - so a page backed at address 0 cannot be told apart from "not mapped".
// Large-page entries are not recognised; every level is treated as a pointer to the next table.
GUEST_CODE static uint64_t l2_gpa_to_pa(uint64_t cpu_id, uint64_t vm_id, uint64_t gpa)
{
    uint64_t pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id);
    volatile uint64_t* pml4 = (volatile uint64_t*)pml4_addr;
    uint64_t pml4_idx = (gpa >> 39) & 0x1FF;
    if (!(pml4[pml4_idx] & X86_PDE64_PRESENT))
        return 0;
    volatile uint64_t* pdpt = (volatile uint64_t*)(pml4[pml4_idx] & ~0xFFF);
    uint64_t pdpt_idx = (gpa >> 30) & 0x1FF;
    if (!(pdpt[pdpt_idx] & X86_PDE64_PRESENT))
        return 0;
    volatile uint64_t* pd = (volatile uint64_t*)(pdpt[pdpt_idx] & ~0xFFF);
    uint64_t pd_idx = (gpa >> 21) & 0x1FF;
    if (!(pd[pd_idx] & X86_PDE64_PRESENT))
        return 0;
    volatile uint64_t* pt = (volatile uint64_t*)(pd[pd_idx] & ~0xFFF);
    uint64_t pt_idx = (gpa >> 12) & 0x1FF;
    if (!(pt[pt_idx] & X86_PDE64_PRESENT))
        return 0;
    // NOTE(review): ~0xFFF keeps the upper attribute bits of the entry (for example bit 63)
    // in the returned address; harmless for the flags set in this file, but worth a mask if
    // entries can carry high bits.
    return (pt[pt_idx] & ~0xFFF) + (gpa & 0xFFF);
}

// Copy the instruction bytes carried by the command into the L2 guest's user-code page and
// point the guest RIP/RSP at X86_SYZOS_ADDR_USER_CODE and the top of the stack page.
// Reports uexit 0xE2BAD4 when the user-code page is not mapped for this VM.
GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->vm_id;
    uint64_t l2_code_backing = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_USER_CODE);
    if (!l2_code_backing) {
        guest_uexit(0xE2BAD4);
        return;
    }
    // NOTE(review): if header.size is smaller than the fixed part of the command, this
    // unsigned subtraction wraps to a huge value; the clamp below then turns it into a full
    // page, and the copy reads a page starting at cmd->insns regardless of how much payload
    // the command really carries. Confirm that the dispatcher validates header.size first.
    uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t);
    if (l2_code_size > KVM_PAGE_SIZE)
        l2_code_size = KVM_PAGE_SIZE;
    guest_memcpy((void*)l2_code_backing, (void*)cmd->insns, l2_code_size);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
        vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    } else {
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, X86_SYZOS_ADDR_USER_CODE);
        vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, 
X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    }
}

// Load a program for a nested guest that runs guest_main itself: copy the program bytes into
// the per-VM code page, record the program size in the L2 guest's copy of the globals, seed
// the saved L2 registers (rdi = vCPU index, rax = 0) and point the guest RIP at guest_main.
// Reports uexit 0xE2BAD3 when the globals page is not mapped for this VM; by then the program
// has already been copied.
GUEST_CODE static noinline void guest_handle_nested_load_syzos(struct api_call_nested_load_syzos* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->vm_id;
    // NOTE(review): wraps if header.size is smaller than the offset of `program`; after the
    // clamp below the copy then reads a full page from cmd->program. Confirm header.size is
    // validated by the dispatcher.
    uint64_t prog_size = cmd->header.size - __builtin_offsetof(struct api_call_nested_load_syzos, program);
    uint64_t l2_code_backing = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id);
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    if (prog_size > KVM_PAGE_SIZE)
        prog_size = KVM_PAGE_SIZE;
    guest_memcpy((void*)l2_code_backing, (void*)cmd->program, prog_size);
    uint64_t globals_pa = l2_gpa_to_pa(cpu_id, vm_id, X86_SYZOS_ADDR_GLOBALS);
    if (!globals_pa) {
        guest_uexit(0xE2BAD3);
        return;
    }
    volatile struct syzos_globals* l2_globals = (volatile struct syzos_globals*)globals_pa;
    // NOTE(review): vm_id indexes l2_ctx for every vCPU without a range check.
    for (int i = 0; i < KVM_MAX_VCPU; i++) {
        l2_globals->text_sizes[i] = prog_size;
        globals->l2_ctx[i][vm_id].rdi = i;
        globals->l2_ctx[i][vm_id].rax = 0;
    }
    uint64_t entry_rip = executor_fn_guest_addr(guest_main);
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        nested_vmptrld(cpu_id, vm_id);
        vmwrite(VMCS_GUEST_RIP, entry_rip);
        vmwrite(VMCS_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    } else {
        uint64_t vmcb = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
        vmcb_write64(vmcb, VMCB_GUEST_RIP, entry_rip);
        vmcb_write64(vmcb, VMCB_GUEST_RSP, X86_SYZOS_ADDR_STACK_BOTTOM + KVM_PAGE_SIZE - 8);
    }
}

// Enter the L2 guest vm_id on an Intel CPU with VMLAUNCH (is_launch) or VMRESUME.
// The asm block reserves 128 bytes of stack, pushes cpu_id, the launch flag and the
// callee-saved registers, stores the resulting RSP as the VMCS host RSP, loads the saved L2
// registers and enters the guest. If the entry instruction itself falls through, the frame is
// unwound and the VM-instruction error is reported as 0xE2E10000 | error. After a VM exit the
// exit stub jumps back to after_vmentry_label with the flag cleared.
// The frame layout here is what nested_vm_exit_handler_intel relies on to find cpu_id.
GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch)
{
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
    uint64_t vmx_error_code = 0;
    uint64_t fail_flag = 0;
    nested_vmptrld(cpu_id, vm_id);
    // Recorded so the exit handler can find the context of the VM that was running.
    globals->active_vm_id[cpu_id] = vm_id;
    asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[launch] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[host_rsp_field], %%r10 mov 
%%rsp, %%r11 vmwrite %%r11, %%r10 mov %[l2_regs], %%rax mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 mov 0(%%rax), %%rax cmpq $0, 48(%%rsp) je 1f vmlaunch jmp 2f 1: vmresume 2: pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp mov $1, %[ret] jmp 3f .globl after_vmentry_label after_vmentry_label: xor %[ret], %[ret] 3: )"
                 : [ret] "=&r"(fail_flag)
                 : [launch] "r"((uint64_t)is_launch), [host_rsp_field] "i"(VMCS_HOST_RSP), [cpu_id] "r"(cpu_id), [l2_regs] "r"(l2_regs)
                 : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
    // fail_flag is 1 only when VMLAUNCH/VMRESUME fell through, i.e. the entry was rejected.
    if (fail_flag) {
        vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR);
        guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code);
        return;
    }
}

// Run the L2 guest vm_id on an AMD CPU with VMRUN and handle the resulting exit.
// The asm block reserves 128 bytes of stack, pushes cpu_id, the VMCB address and the
// callee-saved registers, stores the saved L2 RAX into the VMCB at offset 0x5f8, loads the
// other saved L2 registers and executes VMRUN with global interrupts disabled (CLGI ... STGI).
// After the exit it pushes the exit code (VMCB offset 0x70) and the L2 registers, calls
// nested_vm_exit_handler_amd and unwinds the frame. A set carry flag after VMRUN is reported
// as uexit 0xE2E10000 | 0xFFFF.
// The frame layout here is what nested_vm_exit_handler_amd relies on to find cpu_id.
GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id)
{
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    volatile struct syzos_globals* globals = (volatile struct syzos_globals*)X86_SYZOS_ADDR_GLOBALS;
    // Recorded so the exit handler can find the context of the VM that was running.
    globals->active_vm_id[cpu_id] = vm_id;
    struct l2_guest_regs* l2_regs = (struct l2_guest_regs*)&globals->l2_ctx[cpu_id][vm_id];
    uint8_t fail_flag = 0;
    asm volatile(R"( sub $128, %%rsp push %[cpu_id] push %[vmcb_addr] push %%rbx push %%rbp push %%r12 push %%r13 push %%r14 push %%r15 mov %[l2_regs], %%rax mov 0(%%rax), %%rbx mov %[vmcb_addr], %%rcx mov %%rbx, 0x5f8(%%rcx) mov 8(%%rax), %%rbx mov 16(%%rax), %%rcx mov 24(%%rax), %%rdx mov 32(%%rax), %%rsi mov 40(%%rax), %%rdi mov 48(%%rax), %%rbp mov 56(%%rax), %%r8 mov 64(%%rax), %%r9 mov 72(%%rax), %%r10 mov 80(%%rax), %%r11 mov 88(%%rax), %%r12 mov 96(%%rax), %%r13 mov 104(%%rax), %%r14 mov 112(%%rax), %%r15 clgi mov 48(%%rsp), %%rax vmrun 1: mov 48(%%rsp), %%rax setc %[fail_flag] pushq 0x70(%%rax) push %%r15 push %%r14 push 
%%r13 push %%r12 push %%r11 push %%r10 push %%r9 push %%r8 push %%rbp push %%rdi push %%rsi push %%rdx push %%rcx push %%rbx mov 176(%%rsp), %%rax pushq 0x5f8(%%rax) mov 120(%%rsp), %%rdi mov %%rsp, %%rsi call nested_vm_exit_handler_amd add $128, %%rsp pop %%r15 pop %%r14 pop %%r13 pop %%r12 pop %%rbp pop %%rbx add $16, %%rsp add $128, %%rsp stgi after_vmentry_label_amd: )"
                 : [fail_flag] "=m"(fail_flag)
                 // NOTE(review): [l2_regs_size] is declared but the template never references it;
                 // the unwind uses the literal 128 instead.
                 : [cpu_id] "r"(cpu_id), [vmcb_addr] "r"(vmcb_addr), [l2_regs] "r"(l2_regs), [l2_regs_size] "i"(sizeof(struct l2_guest_regs))
                 : "cc", "memory", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
    if (fail_flag) {
        guest_uexit(0xE2E10000 | 0xFFFF);
        return;
    }
}

// Launch the L2 VM cmd->arg. On Intel this is a VMLAUNCH; the AMD path has no separate
// launch step and simply runs the VM.
GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, true);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

// Resume the L2 VM cmd->arg. On Intel this is a VMRESUME; on AMD it is the same VMRUN path
// as the launch handler.
GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id)
{
    uint64_t vm_id = cmd->arg;
    if (get_cpu_vendor() == CPU_VENDOR_INTEL) {
        guest_handle_nested_vmentry_intel(vm_id, cpu_id, false);
    } else {
        guest_run_amd_vm(cpu_id, vm_id);
    }
}

// Read-modify-write an arbitrary VMCS field of the L2 VM cmd->args[0] (Intel only).
//   args[1]: field encoding     args[2]: bits to set
//   args[3]: bits to clear      args[4]: bits to flip afterwards
// Bits present in both the set and the clear mask end up set, because the set mask is applied
// last; the flip mask is applied on top of that. The field encoding is not validated here;
// vmwrite() raises UEXIT_ASSERT if the write fails.
GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_INTEL)
        return;
    uint64_t vm_id = cmd->args[0];
    nested_vmptrld(cpu_id, vm_id);
    uint64_t field = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmread(field);
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmwrite(field, new_value);
}

// Read-modify-write a 64-bit value at an arbitrary offset in the VMCB of the L2 VM
// cmd->args[0] (AMD only), with the same set/clear/flip mask semantics as the Intel handler.
// NOTE(review): the offset is only narrowed to 16 bits by the accessor signatures and is not
// bounded otherwise, so the access can land outside the page that nested_create_vm_amd()
// clears for the VMCB.
GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, 
vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t set_mask = cmd->args[2];
    uint64_t unset_mask = cmd->args[3];
    uint64_t flip_mask = cmd->args[4];
    uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset);
    // Clear first, then set, then flip - bits in both masks end up set before the flip.
    uint64_t new_value = (current_value & ~unset_mask) | set_mask;
    new_value ^= flip_mask;
    vmcb_write64(vmcb_addr, offset, new_value);
}

// Execute INVLPGA (AMD only): invalidate the TLB entry for the linear address in
// cmd->args[0] within the ASID given by the low 32 bits of cmd->args[1].
GUEST_CODE static noinline void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t linear_addr = cmd->args[0];
    uint32_t asid = (uint32_t)cmd->args[1];
    asm volatile("invlpga" : : "a"(linear_addr), "c"(asid) : "memory");
}

// Execute STGI (AMD only): set the global interrupt flag.
GUEST_CODE static noinline void guest_handle_nested_amd_stgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("stgi" ::: "memory");
}

// Execute CLGI (AMD only): clear the global interrupt flag.
GUEST_CODE static noinline void guest_handle_nested_amd_clgi()
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    asm volatile("clgi" ::: "memory");
}

// Queue an event for injection into the L2 VM cmd->args[0] (AMD only).
//   args[1]: vector (low 8 bits)        args[2]: event type (low 3 bits)
//   args[3]: error code (low 32 bits)   args[4]: flags - bit 0 marks the event valid,
//                                                bit 1 marks the error code valid
// The value is assembled as vector[7:0], type[10:8], bit 11, bit 31, error code[63:32].
GUEST_CODE static noinline void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t vector = cmd->args[1] & 0xFF;
    uint64_t type = cmd->args[2] & 0x7;
    uint64_t error_code = cmd->args[3] & 0xFFFFFFFF;
    uint64_t flags = cmd->args[4];
    uint64_t event_inj = vector;
    event_inj |= (type << 8);
    if (flags & 2)
        event_inj |= (1ULL << 11);
    if (flags & 1)
        event_inj |= (1ULL << 31);
    event_inj |= (error_code << 32);
    // NOTE(review): the bit layout built above is that of the EVENTINJ field, which the AMD
    // VMCB layout places at offset 0A8h; offset 060h holds the virtual-interrupt control
    // word. The literal 0x60 looks like the wrong offset - confirm against the APM and the
    // VMCB_* offset macros used elsewhere in this file before relying on this handler.
    vmcb_write64(vmcb_addr, 0x60, event_inj);
}

// Set or clear bits in a 32-bit intercept word of the VMCB of the L2 VM cmd->args[0] (AMD only).
//   args[1]: VMCB offset of the word (narrowed to 16 bits, not otherwise bounded)
//   args[2]: bit mask (low 32 bits)
//   args[3]: 1 sets the bits, any other value clears them
GUEST_CODE static noinline void guest_handle_nested_amd_set_intercept(struct api_call_5* cmd, uint64_t cpu_id)
{
    if (get_cpu_vendor() != CPU_VENDOR_AMD)
        return;
    uint64_t vm_id = cmd->args[0];
    uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
    uint64_t offset = cmd->args[1];
    uint64_t bit_mask = cmd->args[2];
    uint64_t action = cmd->args[3];
    uint32_t current = vmcb_read32(vmcb_addr, (uint16_t)offset);
    if 
// Executes VMLOAD with RAX holding the VMCB address computed from
// (cpu_id, cmd->arg) by X86_SYZOS_ADDR_VMCS_VMCB.
// Does nothing unless get_cpu_vendor() reports CPU_VENDOR_AMD.
// The address is derived from the command argument without a range check;
// whether the macro bounds vm_id cannot be seen from here.
GUEST_CODE static noinline void guest_handle_nested_amd_vmload(struct api_call_1* cmd, uint64_t cpu_id)
{
	if (get_cpu_vendor() == CPU_VENDOR_AMD) {
		uint64_t nested_id = cmd->arg;
		uint64_t vmcb_phys = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, nested_id);
		// "memory" clobber keeps the compiler from caching values across the instruction.
		asm volatile("vmload %%rax" ::"a"(vmcb_phys) : "memory");
	}
}
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc
0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0
8\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x0
// Image of a 16-bit task-state segment: 22 packed uint16_t fields (44 bytes).
// syz_kvm_setup_cpu() fills a local copy and memcpy()s it into guest memory.
struct tss16 {
	uint16_t prev;
	// Stack pointer / stack segment pairs; the setup code writes the same
	// values into all three pairs.
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	// Register slots, named after the registers they presumably hold.
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	// Segment selector slots.
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed)); // packed: the layout must not gain padding
// Encodes *seg as one 64-bit descriptor and stores it at index
// (selector >> 3) in both tables, dt and lt. Neither table's size is known
// here, so the caller must guarantee the index is in range.
// When seg->g is set the limit is first scaled down by 4 KiB (>> 12).
//
// NOTE(review): the last two terms, (limit & 0xf0000) << 48 and
// (base & 0xff000000) << 56, move their bits beyond bit 63 of a 64-bit
// value, so they never contribute to the result. If the architectural
// descriptor layout is intended (limit[19:16] at bits 48-51, base[31:24] at
// bits 56-63), both shifts would have to be 32. Left unchanged so the
// descriptors stay bit-identical to what this program has always produced.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	const uint16_t slot = seg->selector >> 3;

	uint64_t lim = seg->limit;
	if (seg->g)
		lim >>= 12;

	uint64_t desc = lim & 0xffff;
	desc |= (seg->base & 0xffffff) << 16;
	desc |= (uint64_t)seg->type << 40;
	desc |= (uint64_t)seg->s << 44;
	desc |= (uint64_t)seg->dpl << 45;
	desc |= (uint64_t)seg->present << 47;
	desc |= (lim & 0xf0000ULL) << 48;
	desc |= (uint64_t)seg->avl << 52;
	desc |= (uint64_t)seg->l << 53;
	desc |= (uint64_t)seg->db << 54;
	desc |= (uint64_t)seg->g << 55;
	desc |= (seg->base & 0xff000000ULL) << 56;

	dt[slot] = desc;
	lt[slot] = desc;
}
(uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = X86_SEL_CS16; break; case 1: gate.type = 7; gate.base = X86_SEL_CS16; break; case 2: gate.type = 3; gate.base = X86_SEL_TGATE16; break; case 3: gate.type = 14; gate.base = X86_SEL_CS32; break; case 4: gate.type = 15; gate.base = X86_SEL_CS32; break; case 5: gate.type = 11; gate.base = X86_SEL_TGATE32; break; } gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 
// Translates a guest-physical address into a host pointer by scanning
// syzos_mem_regions in table order and offsetting into vm->region_base[i]
// of the first region that contains gpa.
// Regions flagged MEM_REGION_FLAG_NO_HOST_MEM are skipped, and the scan
// stops at the entry whose gpa is X86_SYZOS_ADDR_UNUSED.
// Returns NULL when no region matches. The callers visible in this file
// (syzos_setup_idt, setup_gdt_ldt_pg) use the result without a NULL check,
// so an address outside the table would be dereferenced as NULL there.
static inline void* gpa_to_hva(struct kvm_syz_vm* vm, uint64_t gpa)
{
	size_t idx = 0;
	while (idx < SYZOS_REGION_COUNT) {
		const struct mem_region* region = &syzos_mem_regions[idx];
		if (!(region->flags & MEM_REGION_FLAG_NO_HOST_MEM)) {
			if (region->gpa == X86_SYZOS_ADDR_UNUSED)
				break;
			size_t span = region->pages * KVM_PAGE_SIZE;
			if (gpa >= region->gpa && gpa < region->gpa + span) {
				char* base = (char*)vm->region_base[idx];
				return (void*)(base + (gpa - region->gpa));
			}
		}
		idx++;
	}
	return NULL;
}
// Returns the host pointer for a page-table page located at guest-physical
// address gpa.
// Addresses inside the PT pool window
// [X86_SYZOS_ADDR_PT_POOL, +X86_SYZOS_PT_POOL_SIZE pages) resolve into
// vm->pt_pool_mem; every other address is treated as an offset into
// vm->gpa0_mem.
// NOTE(review): the fallback path applies no upper bound to gpa.
// setup_pg_table() clears only 5 pages of gpa0_mem, so that mapping is
// presumably 5 pages long - confirm that callers only pass pool addresses or
// addresses inside that low window.
static uint64_t* get_host_pte_ptr(struct kvm_syz_vm* vm, uint64_t gpa)
{
	if (gpa < X86_SYZOS_ADDR_PT_POOL || gpa >= X86_SYZOS_ADDR_PT_POOL + (X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE))
		return (uint64_t*)((char*)vm->gpa0_mem + gpa);

	uint64_t pool_off = gpa - X86_SYZOS_ADDR_PT_POOL;
	char* pool = (char*)vm->pt_pool_mem;
	return (uint64_t*)(pool + pool_off);
}
// Builds the guest page tables: clears the PT pool and the first 5 pages
// behind vm->gpa0_mem, then maps every entry of syzos_mem_regions with 4 KiB
// pages via map_4k_region().
// A running page budget starts at vm->total_pages and is reduced by each
// region that is not flagged MEM_REGION_FLAG_NO_HOST_MEM. The region flagged
// MEM_REGION_FLAG_REMAINING is given whatever budget is left and ends the
// walk; the process exits with status 1 if the budget is already negative.
// NOTE(review): total_pages is a size_t stored into an int here, so a value
// above INT_MAX would be truncated - presumably never reached in practice.
static void setup_pg_table(struct kvm_syz_vm* vm)
{
	// Page-table pages are handed out linearly from the PT pool window.
	page_alloc_t pool = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE};
	int budget = vm->total_pages;

	memset(vm->pt_pool_mem, 0, X86_SYZOS_PT_POOL_SIZE * KVM_PAGE_SIZE);
	memset(vm->gpa0_mem, 0, 5 * KVM_PAGE_SIZE);

	for (size_t idx = 0; idx < SYZOS_REGION_COUNT; idx++) {
		const struct mem_region* region = &syzos_mem_regions[idx];
		const int takes_rest = (region->flags & MEM_REGION_FLAG_REMAINING) != 0;

		int count = region->pages;
		if (takes_rest) {
			if (budget < 0)
				exit(1);
			count = budget;
		}

		map_4k_region(vm, &pool, region->gpa, count);

		if ((region->flags & MEM_REGION_FLAG_NO_HOST_MEM) == 0)
			budget -= count;
		if (takes_rest)
			break;
	}
}
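// Executes CPUID for leaf `eax`, sub-leaf `ecx`, and stores the four result
// registers through a, b, c and d (EAX, EBX, ECX, EDX in that order).
// All four pointers must be valid; none may be NULL.
//
// Uses the __asm__ spelling instead of the GNU-only `asm` keyword so the
// function also builds when the compiler runs in a strict ISO mode
// (-std=c11 and friends), where `asm` is an ordinary identifier.
static void get_cpuid(uint32_t eax, uint32_t ecx, uint32_t* a, uint32_t* b, uint32_t* c, uint32_t* d)
{
	// Results land in locals first so the asm statement never has to deal
	// with output operands that might alias each other.
	uint32_t out_a = 0;
	uint32_t out_b = 0;
	uint32_t out_c = 0;
	uint32_t out_d = 0;

	__asm__ volatile("cpuid"
			 : "=a"(out_a), "=b"(out_b), "=c"(out_c), "=d"(out_d)
			 : "a"(eax), "c"(ecx));

	*a = out_a;
	*b = out_b;
	*c = out_c;
	*d = out_d;
}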
// Copies the host's KVM-supported CPUID table onto the vCPU behind cpufd:
// KVM_GET_SUPPORTED_CPUID on a freshly opened /dev/kvm fills a buffer with
// room for 128 entries, and KVM_SET_CPUID2 applies that buffer to the vCPU.
// No return value is checked, matching the best-effort style used elsewhere
// in this file. One consequence: if open() or KVM_GET_SUPPORTED_CPUID fails,
// KVM_SET_CPUID2 is still issued with nent = 128 and all-zero entries.
static void setup_cpuid(int cpufd)
{
	char storage[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	struct kvm_cpuid2* table = (struct kvm_cpuid2*)storage;

	memset(storage, 0, sizeof(storage));
	table->nent = 128; // capacity of the entry array that follows the header

	int kvmfd = open("/dev/kvm", O_RDWR);
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, table);
	ioctl(cpufd, KVM_SET_CPUID2, table);
	close(kvmfd);
}
memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + X86_ADDR_TEXT; regs.rsp = X86_ADDR_STACK0; sregs.gdt.base = guest_mem + X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; memset(&seg_cs16, 0, sizeof(seg_cs16)); seg_cs16.selector = X86_SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = X86_SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = X86_SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = X86_SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = 
X86_SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = X86_SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = X86_SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; memset(&seg_tss32, 0, sizeof(seg_tss32)); seg_tss32.selector = X86_SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = X86_ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = X86_SEL_TSS32_2; seg_tss32_2.base = X86_ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3; seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = X86_SEL_TSS32_VM86; seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = X86_SEL_TSS16; seg_tss16.base = X86_ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = X86_SEL_TSS16_2; seg_tss16_2.base = X86_ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3; seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3; seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3; 
seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; memset(&seg_cgate16, 0, sizeof(seg_cgate16)); seg_cgate16.selector = X86_SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = X86_SEL_CS16 | (2 << 16); seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = X86_SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = X86_SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = X86_SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = X86_SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = X86_SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = X86_SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = X86_SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = X86_SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + X86_ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= X86_CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, 
X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= X86_CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= X86_CR0_PE; sregs.efer |= X86_EFER_SCE; setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + X86_ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= X86_CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= X86_EFER_LME | 
X86_EFER_SCE; sregs.cr0 |= X86_CR0_PE; setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + X86_ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4); uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP); uint64_t pd_addr = guest_mem + X86_ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr; pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr; pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= X86_CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= X86_CR0_NE; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON; *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS; memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16; tss16.sp0 = 
tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0; tss16.ip = X86_ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = X86_SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3; tss16.ldt = X86_SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0; tss32.ip = X86_ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32; tss32.cs = X86_SEL_CS32; tss32.ldt = X86_SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if 
(text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = X86_PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size); *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4; *(host_mem + X86_ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD); break; case 1: sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE); break; case 2: sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; 
seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return 
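-1;
	return 0;
}

// RFLAGS bit 1 is the architecturally reserved, always-set bit; bit 9 is the interrupt-enable flag.
#define RFLAGS_1_BIT (1ULL << 1)
#define RFLAGS_IF_BIT (1ULL << 9)

// Load a fresh general-purpose register file into the vCPU behind cpufd.
// Everything is zero except RFLAGS (reserved bit + IF), RIP (entry point),
// RSP (X86_SYZOS_ADDR_STACK0) and RDI (the vCPU index passed as cpu_id).
// The KVM_SET_REGS result is not checked; a failure is silent.
static void reset_cpu_regs(int cpufd, uint64_t rip, uint64_t cpu_id)
{
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT;
	regs.rip = rip;
	regs.rsp = X86_SYZOS_ADDR_STACK0;
	regs.rdi = cpu_id;
	ioctl(cpufd, KVM_SET_REGS, &regs);
}

// Copy caller-supplied guest code into the page reserved for vCPU cpu_id and
// point the vCPU at guest_main.
//   vm        - VM bookkeeping structure; user_text must already be set.
//   cpufd     - vCPU file descriptor.
//   cpu_id    - vCPU index; values outside [0, KVM_MAX_VCPU) are ignored.
//   text      - code bytes to install.
//   text_size - byte count; silently clamped to one page (KVM_PAGE_SIZE).
static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size)
{
	// Bounds check first: cpu_id indexes both the code pages and text_sizes[].
	if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU))
		return;
	// Each vCPU owns exactly one page, so the copy below can never spill into a neighbour's page.
	if (text_size > KVM_PAGE_SIZE)
		text_size = KVM_PAGE_SIZE;
	void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id));
	memcpy(target, text, text_size);
	setup_gdt_ldt_pg(vm, cpufd, cpu_id);
	setup_cpuid(cpufd);
	uint64_t entry_rip = executor_fn_guest_addr(guest_main);
	reset_cpu_regs(cpufd, entry_rip, cpu_id);
	// Record the (clamped) size in the globals page when the VM has one.
	if (vm->globals_mem) {
		struct syzos_globals* globals = (struct syzos_globals*)vm->globals_mem;
		globals->text_sizes[cpu_id] = text_size;
	}
}

// A contiguous range of host memory: start address and length in bytes.
struct addr_size {
	void* addr;
	size_t size;
};

// Bump allocator: carve `size` bytes off the front of `free`.
// Returns {NULL, 0} and leaves `free` untouched when fewer than `size` bytes remain.
static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size)
{
	struct addr_size ret = {.addr = NULL, .size = 0};
	if (free->size < size)
		return ret;
	ret.addr = free->addr;
	ret.size = size;
	free->addr = (void*)((char*)free->addr + size);
	free->size -= size;
	return ret;
}

// Thin wrapper around KVM_SET_USER_MEMORY_REGION. Every field of the request
// is assigned explicitly; the ioctl result is not checked.
static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr)
{
	struct kvm_userspace_memory_region memreg;
	memreg.slot = slot;
	memreg.flags = flags;
	memreg.guest_phys_addr = guest_phys_addr;
	memreg.memory_size = memory_size;
	memreg.userspace_addr = userspace_addr;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}

// Copy the linker-delimited guest image [__start_guest, __stop_guest) into
// host_mem. Exits the process if the image does not fit in mem_size bytes.
static void install_syzos_code(void* host_mem, size_t mem_size)
{
	size_t size = (char*)&__stop_guest - (char*)&__start_guest;
	if (size > mem_size)
		exit(1);
	memcpy(host_mem, &__start_guest, size);
}

static void setup_vm(int vmfd, struct kvm_syz_vm* vm)
{
	struct addr_size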
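allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE};
	int slot = 0;
	struct syzos_boot_args* boot_args = NULL;
	// Walk the static region table, hand each region a slice of host memory and
	// register it with KVM as one memory slot.
	for (size_t i = 0; i < SYZOS_REGION_COUNT; i++) {
		const struct mem_region* r = &syzos_mem_regions[i];
		if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) {
			vm->region_base[i] = NULL;
			continue;
		}
		size_t pages = r->pages;
		// A "remaining" region takes whatever the allocator still holds.
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			pages = allocator.size / KVM_PAGE_SIZE;
		// NOTE(review): alloc_guest_mem() returns {NULL, 0} when the pool is
		// exhausted; next.addr is used below without a check.
		struct addr_size next = alloc_guest_mem(&allocator, pages * KVM_PAGE_SIZE);
		vm->region_base[i] = next.addr;
		uint32_t flags = 0;
		if (r->flags & MEM_REGION_FLAG_DIRTY_LOG)
			flags |= KVM_MEM_LOG_DIRTY_PAGES;
		if (r->flags & MEM_REGION_FLAG_READONLY)
			flags |= KVM_MEM_READONLY;
		if (r->flags & MEM_REGION_FLAG_USER_CODE)
			vm->user_text = next.addr;
		if (r->flags & MEM_REGION_FLAG_GPA0)
			vm->gpa0_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_PT_POOL)
			vm->pt_pool_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_GLOBALS)
			vm->globals_mem = next.addr;
		if (r->gpa == X86_SYZOS_ADDR_BOOT_ARGS) {
			// The guest receives a copy of the whole region table.
			boot_args = (struct syzos_boot_args*)next.addr;
			boot_args->region_count = SYZOS_REGION_COUNT;
			for (size_t k = 0; k < boot_args->region_count; k++)
				boot_args->regions[k] = syzos_mem_regions[k];
		}
		// Patch the guest's copy with the page count actually given to the remaining region.
		if ((r->flags & MEM_REGION_FLAG_REMAINING) && boot_args)
			boot_args->regions[i].pages = pages;
		if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE)
			install_syzos_code(next.addr, next.size);
		vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr);
		// Nothing is left to allocate after the remaining region.
		if (r->flags & MEM_REGION_FLAG_REMAINING)
			break;
	}
}

// Pseudo-syscall: build the SYZOS VM layout inside a caller-provided buffer.
//   a0 - VM file descriptor.
//   a1 - host buffer; its first page holds the struct kvm_syz_vm bookkeeping,
//        the remaining KVM_GUEST_PAGES - 1 pages back guest memory.
// Returns the bookkeeping pointer cast to long. a1 is not validated here.
static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1)
{
	const int vmfd = a0;
	void* host_mem = (void*)a1;
	struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem;
	ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE);
	ret->total_pages = KVM_GUEST_PAGES - 1;
	setup_vm(vmfd, ret);
	ret->vmfd = vmfd;
	ret->next_cpu_id = 0;
	return (long)ret;
}

// Pseudo-syscall: create the next vCPU of a SYZOS VM and install its code.
//   a0 - struct kvm_syz_vm* returned by syz_kvm_setup_syzos_vm().
//   a1 - struct kvm_text* describing the code to install.
// Returns the vCPU fd, or -1 with errno set (EINVAL for a NULL argument,
// ENOMEM when KVM_MAX_VCPU vCPUs already exist, or the ioctl's errno).
static long syz_kvm_add_vcpu(volatile long a0, volatile long a1)
{
	struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0;
	struct kvm_text* utext = (struct kvm_text*)a1;
	// Validate both caller-supplied pointers before the first dereference.
	if (!vm || !utext) {
		errno = EINVAL;
		return -1;
	}
	const void* text = utext->text;
	size_t text_size = utext->size;
	if (vm->next_cpu_id == KVM_MAX_VCPU) {
		errno = ENOMEM;
		return -1;
	}
	int cpu_id = vm->next_cpu_id;
	int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id);
	if (cpufd == -1)
		return -1;
	// Only consume the id once the vCPU really exists.
	vm->next_cpu_id++;
	install_user_code(vm, cpufd, cpu_id, text, text_size);
	return cpufd;
}

// Debug helper: print the kvm_run exit information and the vCPU's general and
// special registers to stderr. `run` may be NULL.
static void dump_vcpu_state(int cpufd, struct kvm_run* run)
{
	// Zero both structures so a failed KVM_GET_* ioctl prints zeros, not stack contents.
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	ioctl(cpufd, KVM_GET_REGS, &regs);
	struct kvm_sregs sregs;
	memset(&sregs, 0, sizeof(sregs));
	ioctl(cpufd, KVM_GET_SREGS, &sregs);
	fprintf(stderr, "KVM_RUN structure:\n");
	// syz_kvm_assert_syzos_uexit() reaches this function with run == NULL when
	// its own NULL check fires, so the kvm_run fields are printed only if present.
	if (run) {
		fprintf(stderr, " exit_reason: %d\n", run->exit_reason);
		fprintf(stderr, " hardware_entry_failure_reason: 0x%llx\n", run->fail_entry.hardware_entry_failure_reason);
	}
	fprintf(stderr, "VCPU registers:\n");
	fprintf(stderr, " rip: 0x%llx, rsp: 0x%llx, rflags: 0x%llx\n", regs.rip, regs.rsp, regs.rflags);
	fprintf(stderr, " rax: 0x%llx, rbx: 0x%llx, rcx: 0x%llx, rdx: 0x%llx\n", regs.rax, regs.rbx, regs.rcx, regs.rdx);
	fprintf(stderr, " rsi: 0x%llx, rdi: 0x%llx\n", regs.rsi, regs.rdi);
	fprintf(stderr, "VCPU sregs:\n");
	fprintf(stderr, " cr0: 0x%llx, cr2: 0x%llx, cr3: 0x%llx, cr4: 0x%llx\n", sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4);
	fprintf(stderr, " efer: 0x%llx (LME=%d)\n", sregs.efer, (sregs.efer & X86_EFER_LME) ? 1 : 0);
	fprintf(stderr, " cs: s=0x%x, b=0x%llx, limit=0x%x, type=%d, l=%d, db=%d\n", sregs.cs.selector, sregs.cs.base, sregs.cs.limit, sregs.cs.type, sregs.cs.l, sregs.cs.db);
	fprintf(stderr, " ds: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.ds.selector, sregs.ds.base, sregs.ds.limit, sregs.ds.type, sregs.ds.db);
	fprintf(stderr, " tr: s=0x%x, b=0x%llx, limit=0x%x, type=%d, db=%d\n", sregs.tr.selector, sregs.tr.base, sregs.tr.limit, sregs.tr.type, sregs.tr.db);
	fprintf(stderr, " idt: b=0x%llx, limit=0x%x\n", sregs.idt.base, sregs.idt.limit);
}

// Pseudo-syscall: check that the last exit of a vCPU was a SYZOS "uexit"
// (an MMIO exit at X86_SYZOS_ADDR_UEXIT) carrying the expected code.
//   a0 - vCPU fd, a1 - struct kvm_run*, a2 - expected exit code.
// Returns 0 on a match. Otherwise dumps the vCPU state and returns -1 with
// errno = EINVAL (not a uexit at all) or EDOM (uexit with a different code).
static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1, volatile long a2)
{
	int cpufd = (int)a0;
	struct kvm_run* run = (struct kvm_run*)a1;
	uint64_t expect = a2;
	if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != X86_SYZOS_ADDR_UEXIT)) {
		fprintf(stderr, "[SYZOS-DEBUG] Assertion Triggered on VCPU %d\n", cpufd);
		dump_vcpu_state(cpufd, run);
		errno = EINVAL;
		return -1;
	}
	// Read the code with memcpy: mmio.data is a byte array, so a uint64_t*
	// cast would be an aliasing (and potentially alignment) violation.
	uint64_t actual_code;
	memcpy(&actual_code, run->mmio.data, sizeof(actual_code));
	if (actual_code != expect) {
		fprintf(stderr, "[SYZOS-DEBUG] Exit Code Mismatch on VCPU %d\n", cpufd);
		fprintf(stderr, " Expected: 0x%lx\n", (unsigned long)expect);
		fprintf(stderr, " Actual: 0x%lx\n", (unsigned long)actual_code);
		dump_vcpu_state(cpufd, run);
		errno = EDOM;
		return -1;
	}
	return 0;
}

static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();

static void sandbox_common_mount_tmpfs(void)
{
	write_file("/proc/sys/fs/mount-max", "100000");
	if (mkdir("./syz-tmp", 0777))
		exit(1);
	if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot", 0777))
		exit(1);
	if (mkdir("./syz-tmp/newroot/dev", 0700))
		exit(1);
	unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
	if (mount("/dev", "./syz-tmp/newroot/dev", NULL, bind_mount_flags, NULL))
		exit(1);
	if (mkdir("./syz-tmp/newroot/proc", 0700))
		exit(1);
	if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
		exit(1);
	if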
(mkdir("./syz-tmp/newroot/selinux", 0700))
		exit(1);
	const char* selinux_path = "./syz-tmp/newroot/selinux";
	// SELinux may live at /selinux or /sys/fs/selinux; a missing path (ENOENT) is tolerated.
	if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
		if (errno != ENOENT)
			exit(1);
		if (mount("/sys/fs/selinux", selinux_path, NULL, bind_mount_flags, NULL) && errno != ENOENT)
			exit(1);
	}
	if (mkdir("./syz-tmp/newroot/sys", 0700))
		exit(1);
	if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
		exit(1);
	// The following bind mounts are optional: only errors other than ENOENT are fatal.
	if (mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/newroot/syz-inputs", 0700))
		exit(1);
	// Inputs are exposed read-only inside the new root.
	if (mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, bind_mount_flags | MS_RDONLY, NULL) && errno != ENOENT)
		exit(1);
	if (mkdir("./syz-tmp/pivot", 0777))
		exit(1);
	// Prefer pivot_root and detach the old root; if pivot_root fails, fall back
	// to chdir into ./syz-tmp. Either way the chroot below confines the process.
	if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
		if (chdir("./syz-tmp"))
			exit(1);
	} else {
		if (chdir("/"))
			exit(1);
		if (umount2("./pivot", MNT_DETACH))
			exit(1);
	}
	if (chroot("./newroot"))
		exit(1);
	if (chdir("/"))
		exit(1);
	// These run inside the new root, so their absolute paths refer to the bind-mounted trees.
	setup_gadgetfs();
	setup_binderfs();
	setup_fusectl();
}

// Best effort: create and mount gadgetfs at /dev/gadgetfs; both results are ignored.
static void setup_gadgetfs()
{
	if (mkdir("/dev/gadgetfs", 0777)) {
	}
	if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
	}
}

// Best effort: mount fusectl at /sys/fs/fuse/connections; the result is ignored.
static void setup_fusectl()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

// Best effort: create and mount binderfs at /dev/binderfs; both results are ignored.
static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
}

static void loop();

// Common confinement applied to the test process: parent-death signal,
// a saved handle on the initial network namespace, resource limits, fresh
// namespaces and a set of SysV IPC sysctls.
static void sandbox_common()
{
	// Die with the parent; refuse to continue if already re-parented to pid 1.
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	if (getppid() == 1)
		exit(1);
	// Keep the initial net namespace reachable at the fixed descriptor kInitNetNsFd.
	int netns = open("/proc/self/ns/net", O_RDONLY);
	if (netns == -1)
		exit(1);
	if (dup2(netns, kInitNetNsFd) < 0)
		exit(1);
	close(netns);
	// Resource limits (soft == hard); setrlimit results are not checked.
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 128 << 20;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	// Namespace isolation is best effort: every failure below is ignored, so the
	// process may keep sharing a namespace with the host if unshare() is refused.
	if (unshare(CLONE_NEWNS)) {
	}
	// Make all mounts private so later mounts do not propagate to the parent namespace.
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	// 0x02000000 is CLONE_NEWCGROUP, spelled numerically.
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
	    {"/proc/sys/kernel/shmmax", "16777216"},
	    {"/proc/sys/kernel/shmall", "536870912"},
	    {"/proc/sys/kernel/shmmni", "1024"},
	    {"/proc/sys/kernel/msgmax", "8192"},
	    {"/proc/sys/kernel/msgmni", "1024"},
	    {"/proc/sys/kernel/msgmnb", "1024"},
	    {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

// Block until child `pid` has been reaped and return its exit status.
// Exits if pid is negative (fork failed in the caller).
// NOTE(review): WEXITSTATUS is applied without WIFEXITED, so a child killed by
// a signal is not distinguished from a normal exit.
static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

// Remove CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the current process. Only cap_data[0] is modified.
// Any capget/capset failure is fatal.
static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

// Entry point of the "none" sandbox: fork into a (best-effort) new pid
// namespace; the parent waits, the child applies the common confinement.
static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
	sandbox_common_mount_tmpfs();
	loop();
	// loop() is not expected to return.
	exit(1);
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively delete `dir`, unmounting anything mounted on or below it.
// Any unexpected error terminates the process; busy/immutable/non-empty
// conditions are retried a bounded number of times (100).
static void remove_dir(const char* dir)
{
	int iter = 0;
	DIR* dp = 0;
	// UMOUNT_NOFOLLOW: never follow a symlink when unmounting, so a link planted
	// by the test program cannot redirect the unmount to another path.
	const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;

retry:
	// Peel off stacked mounts on the directory itself.
	while (umount2(dir, umount_flags) == 0) {
	}
	dp = opendir(dir);
	if (dp == NULL) {
		// Both branches exit; the EMFILE test changes nothing as written.
		if (errno == EMFILE) {
			exit(1);
		}
		exit(1);
	}
	struct dirent* ep = 0;
	while ((ep = readdir(dp))) {
		if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
			continue;
		char filename[FILENAME_MAX];
		snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
		while (umount2(filename, umount_flags) == 0) {
		}
		// lstat, not stat: symlinks are unlinked, never followed.
		struct stat st;
		if (lstat(filename, &st))
			exit(1);
		if (S_ISDIR(st.st_mode)) {
			remove_dir(filename);
			continue;
		}
		int i;
		for (i = 0;; i++) {
			if (unlink(filename) == 0)
				break;
			if (errno == EPERM) {
				// Clear inode flags (writes 0 via FS_IOC_SETFLAGS) and retry the unlink.
				int fd = open(filename, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			// A read-only filesystem cannot be cleaned; leave the entry behind.
			if (errno == EROFS) {
				break;
			}
			if (errno != EBUSY || i > 100)
				exit(1);
			if (umount2(filename, umount_flags))
				exit(1);
		}
	}
	closedir(dp);
	for (int i = 0;; i++) {
		if (rmdir(dir) == 0)
			break;
		if (i < 100) {
			if (errno == EPERM) {
				int fd = open(dir, O_RDONLY);
				if (fd != -1) {
					long flags = 0;
					if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
					}
					close(fd);
					continue;
				}
			}
			if (errno == EROFS) {
				break;
			}
			if (errno == EBUSY) {
				if (umount2(dir, umount_flags))
					exit(1);
				continue;
			}
			// New entries appeared after the scan: rescan, at most 100 times.
			if (errno == ENOTEMPTY) {
				if (iter < 100) {
					iter++;
					goto retry;
				}
			}
		}
		exit(1);
	}
}

// Arm kernel fault injection for the calling thread by writing `nth` to
// /proc/thread-self/fail-nth. Returns the still-open descriptor; the caller
// owns it. Exits on any failure.
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	// 16 bytes hold any decimal int including sign and terminator.
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

// Kill the test process (and its process group) and reap it.
// If it does not exit within about 100 ms, abort every FUSE connection listed
// under /sys/fs/fuse/connections, then wait without a timeout.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			// Local buffer named `abort`; it shadows the libc function inside this loop.
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			// Writing a single byte to the abort file is enough; the result is ignored.
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Detach whatever backs /dev/loop<procid> so the next iteration starts clean.
static void reset_loop()
{
	char buf[64];
	snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
	int loopfd = open(buf, O_RDWR);
	if (loopfd != -1) {
		ioctl(loopfd, LOOP_CLR_FD, 0);
		close(loopfd);
	}
}

// Per-iteration child setup: die with the parent, become a process-group
// leader, volunteer as the first OOM victim, and link ./binderfs to /dev/binderfs.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

// Probe for and configure kernel fault injection.
// Returns NULL on success or a static message describing what is missing.
static const char* setup_fault()
{
	int fd = open("/proc/self/make-it-fail", O_WRONLY);
	if (fd == -1)
		return "CONFIG_FAULT_INJECTION is not enabled";
	close(fd);
	fd = open("/proc/thread-self/fail-nth", O_WRONLY);
	if (fd == -1)
		return "kernel does not have systematic fault injection support";
	close(fd);
	// Only entries marked fatal abort the setup when the write fails.
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
	    {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
	    {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
	    {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				return "failed to write fault injection file";
		}
	}
	return NULL;
}

// Smallest read buffer syz_fuse_handle_req() accepts.
#define FUSE_MIN_READ_BUFFER 8192

// FUSE request opcodes as they appear in fuse_in_header.opcode.
enum fuse_opcode {
	FUSE_LOOKUP = 1,
	FUSE_FORGET = 2,
	FUSE_GETATTR = 3,
	FUSE_SETATTR = 4,
	FUSE_READLINK = 5,
	FUSE_SYMLINK = 6,
	FUSE_MKNOD = 8,
	FUSE_MKDIR = 9,
	FUSE_UNLINK = 10,
	FUSE_RMDIR = 11,
	FUSE_RENAME =
12,
	FUSE_LINK = 13,
	FUSE_OPEN = 14,
	FUSE_READ = 15,
	FUSE_WRITE = 16,
	FUSE_STATFS = 17,
	FUSE_RELEASE = 18,
	FUSE_FSYNC = 20,
	FUSE_SETXATTR = 21,
	FUSE_GETXATTR = 22,
	FUSE_LISTXATTR = 23,
	FUSE_REMOVEXATTR = 24,
	FUSE_FLUSH = 25,
	FUSE_INIT = 26,
	FUSE_OPENDIR = 27,
	FUSE_READDIR = 28,
	FUSE_RELEASEDIR = 29,
	FUSE_FSYNCDIR = 30,
	FUSE_GETLK = 31,
	FUSE_SETLK = 32,
	FUSE_SETLKW = 33,
	FUSE_ACCESS = 34,
	FUSE_CREATE = 35,
	FUSE_INTERRUPT = 36,
	FUSE_BMAP = 37,
	FUSE_DESTROY = 38,
	FUSE_IOCTL = 39,
	FUSE_POLL = 40,
	FUSE_NOTIFY_REPLY = 41,
	FUSE_BATCH_FORGET = 42,
	FUSE_FALLOCATE = 43,
	FUSE_READDIRPLUS = 44,
	FUSE_RENAME2 = 45,
	FUSE_LSEEK = 46,
	FUSE_COPY_FILE_RANGE = 47,
	FUSE_SETUPMAPPING = 48,
	FUSE_REMOVEMAPPING = 49,
	FUSE_SYNCFS = 50,
	FUSE_TMPFILE = 51,
	FUSE_STATX = 52,
	CUSE_INIT = 4096,
	CUSE_INIT_BSWAP_RESERVED = 1048576,
	FUSE_INIT_BSWAP_RESERVED = 436207616,
};

// Header that precedes every request read from the FUSE device.
struct fuse_in_header {
	uint32_t len; // total request length, header included
	uint32_t opcode; // one of enum fuse_opcode
	uint64_t unique; // request id, echoed back in the reply
	uint64_t nodeid;
	uint32_t uid;
	uint32_t gid;
	uint32_t pid;
	uint32_t padding;
};

// Header that starts every reply written to the FUSE device.
struct fuse_out_header {
	uint32_t len; // number of bytes fuse_send_response() writes
	uint32_t error;
	uint64_t unique; // overwritten with the request's id before sending
};

// Caller-prepared replies, one slot per family of opcodes. A NULL slot means
// "no reply available" and makes the handler return -1 for that opcode.
struct syz_fuse_req_out {
	struct fuse_out_header* init;
	struct fuse_out_header* lseek;
	struct fuse_out_header* bmap;
	struct fuse_out_header* poll;
	struct fuse_out_header* getxattr;
	struct fuse_out_header* lk;
	struct fuse_out_header* statfs;
	struct fuse_out_header* write;
	struct fuse_out_header* read;
	struct fuse_out_header* open;
	struct fuse_out_header* attr;
	struct fuse_out_header* entry;
	struct fuse_out_header* dirent;
	struct fuse_out_header* direntplus;
	struct fuse_out_header* create_open;
	struct fuse_out_header* ioctl;
	struct fuse_out_header* statx;
};

// Stamp the reply with the request id and write it to the FUSE device.
// Returns 0 on success, -1 if out_hdr is NULL or write() fails.
// NOTE(review): out_hdr->len comes from the caller's reply buffer and is used
// as the write length without a bound; a short write is also reported as success.
static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr)
{
	if (!out_hdr) {
		return -1;
	}
	out_hdr->unique = in_hdr->unique;
	if (write(fd, out_hdr, out_hdr->len) == -1) {
		return -1;
	}
	return 0;
}

// Pseudo-syscall: read one request from a FUSE device and answer it with the
// caller-prepared reply that matches its opcode.
//   a0 - FUSE device fd.
//   a1 - read buffer, a2 - its length (must be >= FUSE_MIN_READ_BUFFER).
//   a3 - struct syz_fuse_req_out* with the candidate replies.
// Returns 0 when a reply was sent (or none is needed), -1 otherwise.
static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3;
	struct fuse_out_header* out_hdr = NULL;
	char* buf = (char*)a1;
	int buf_len = (int)a2;
	int fd = (int)a0;
	if (!req_out) {
		return -1;
	}
	if (buf_len < FUSE_MIN_READ_BUFFER) {
		return -1;
	}
	int ret = read(fd, buf, buf_len);
	if (ret == -1) {
		return -1;
	}
	// The header fields are only trusted once a full header has been read ...
	if ((size_t)ret < sizeof(struct fuse_in_header)) {
		return -1;
	}
	const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf;
	// ... and the declared length may not exceed what was actually received.
	if (in_hdr->len > (uint32_t)ret) {
		return -1;
	}
	switch (in_hdr->opcode) {
	case FUSE_GETATTR:
	case FUSE_SETATTR:
		out_hdr = req_out->attr;
		break;
	case FUSE_LOOKUP:
	case FUSE_SYMLINK:
	case FUSE_LINK:
	case FUSE_MKNOD:
	case FUSE_MKDIR:
		out_hdr = req_out->entry;
		break;
	case FUSE_OPEN:
	case FUSE_OPENDIR:
		out_hdr = req_out->open;
		break;
	case FUSE_STATFS:
		out_hdr = req_out->statfs;
		break;
	case FUSE_RMDIR:
	case FUSE_RENAME:
	case FUSE_RENAME2:
	case FUSE_FALLOCATE:
	case FUSE_SETXATTR:
	case FUSE_REMOVEXATTR:
	case FUSE_FSYNCDIR:
	case FUSE_FSYNC:
	case FUSE_SETLKW:
	case FUSE_SETLK:
	case FUSE_ACCESS:
	case FUSE_FLUSH:
	case FUSE_RELEASE:
	case FUSE_RELEASEDIR:
	case FUSE_UNLINK:
	case FUSE_DESTROY:
		// These opcodes are answered with a bare header, borrowing the init slot.
		// NOTE(review): this shrinks the shared init reply's len in place, so a
		// later FUSE_INIT answered from the same slot is also sent header-only.
		out_hdr = req_out->init;
		if (!out_hdr) {
			return -1;
		}
		out_hdr->len = sizeof(struct fuse_out_header);
		break;
	case FUSE_READ:
		out_hdr = req_out->read;
		break;
	case FUSE_READDIR:
		out_hdr = req_out->dirent;
		break;
	case FUSE_READDIRPLUS:
		out_hdr = req_out->direntplus;
		break;
	case FUSE_INIT:
		out_hdr = req_out->init;
		break;
	case FUSE_LSEEK:
		out_hdr = req_out->lseek;
		break;
	case FUSE_GETLK:
		out_hdr = req_out->lk;
		break;
	case FUSE_BMAP:
		out_hdr = req_out->bmap;
		break;
	case FUSE_POLL:
		out_hdr = req_out->poll;
		break;
	case FUSE_GETXATTR:
	case FUSE_LISTXATTR:
		out_hdr = req_out->getxattr;
		break;
	case FUSE_WRITE:
	case FUSE_COPY_FILE_RANGE:
		out_hdr = req_out->write;
		break;
	case FUSE_FORGET:
	case FUSE_BATCH_FORGET:
		// No reply is sent for forget requests.
		return 0;
	case FUSE_CREATE:
		out_hdr = req_out->create_open;
		break;
	case FUSE_IOCTL:
		out_hdr = req_out->ioctl;
		break;
	case FUSE_STATX:
		out_hdr = req_out->statx;
		break;
	default:
		return -1;
	}
	return fuse_send_response(fd, in_hdr, out_hdr);
}

// Netlink attribute ids used in the mac80211_hwsim messages built below.
#define HWSIM_ATTR_RX_RATE 5
#define HWSIM_ATTR_SIGNAL 6
#define HWSIM_ATTR_ADDR_RECEIVER 1
#define HWSIM_ATTR_FRAME 3

// Upper bound on the frame length syz_80211_inject_frame() accepts.
#define WIFI_MAX_INJECT_LEN 2048

// Send HWSIM_CMD_REGISTER on `sock`. Returns the netlink_send_ext() result.
static int hwsim_register_socket(struct nlmsg* nlmsg, int sock, int hwsim_family)
{
	struct genlmsghdr genlhdr;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_REGISTER;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

// Send one HWSIM_CMD_FRAME message carrying `len` bytes of `data` addressed to
// `mac_addr`, with the default rx rate and signal. `len` is not validated
// here; the visible caller bounds it with WIFI_MAX_INJECT_LEN.
// Returns the netlink_send_ext() result.
static int hwsim_inject_frame(struct nlmsg* nlmsg, int sock, int hwsim_family, uint8_t* mac_addr, uint8_t* data, int len)
{
	struct genlmsghdr genlhdr;
	uint32_t rx_rate = WIFI_DEFAULT_RX_RATE;
	uint32_t signal = WIFI_DEFAULT_SIGNAL;
	memset(&genlhdr, 0, sizeof(genlhdr));
	genlhdr.cmd = HWSIM_CMD_FRAME;
	netlink_init(nlmsg, hwsim_family, 0, &genlhdr, sizeof(genlhdr));
	netlink_attr(nlmsg, HWSIM_ATTR_RX_RATE, &rx_rate, sizeof(rx_rate));
	netlink_attr(nlmsg, HWSIM_ATTR_SIGNAL, &signal, sizeof(signal));
	netlink_attr(nlmsg, HWSIM_ATTR_ADDR_RECEIVER, mac_addr, ETH_ALEN);
	netlink_attr(nlmsg, HWSIM_ATTR_FRAME, data, len);
	int err = netlink_send_ext(nlmsg, sock, 0, NULL, false);
	if (err < 0) {
	}
	return err;
}

// Pseudo-syscall: hand a raw 802.11 frame to the simulated radio.
//   a0 - receiver MAC address (ETH_ALEN bytes), a1 - frame, a2 - frame length.
// Returns 0 on success, -1 on a bad length or any netlink failure. The socket
// is closed on every path after it has been opened.
static long syz_80211_inject_frame(volatile long a0, volatile long a1, volatile long a2)
{
	uint8_t* mac_addr = (uint8_t*)a0;
	uint8_t* buf = (uint8_t*)a1;
	int buf_len = (int)a2;
	struct nlmsg tmp_msg;
	// Reject lengths outside [0, WIFI_MAX_INJECT_LEN] before building the message.
	if (buf_len < 0 || buf_len > WIFI_MAX_INJECT_LEN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int hwsim_family_id = netlink_query_family_id(&tmp_msg, sock, "MAC80211_HWSIM", false);
	if (hwsim_family_id < 0) {
		close(sock);
		return -1;
	}
	int ret = hwsim_register_socket(&tmp_msg, sock, hwsim_family_id);
	if (ret < 0) {
		close(sock);
		return -1;
	}
	ret = hwsim_inject_frame(&tmp_msg, sock, hwsim_family_id, mac_addr, buf, buf_len);
	close(sock);
	if (ret < 0) {
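return -1;
	}
	return 0;
}

#define WIFI_MAX_SSID_LEN 32

// Join modes accepted by syz_80211_join_ibss().
#define WIFI_JOIN_IBSS_NO_SCAN 0
#define WIFI_JOIN_IBSS_BG_SCAN 1
#define WIFI_JOIN_IBSS_BG_NO_SCAN 2

// Pseudo-syscall: put `interface` into an IBSS (ad-hoc) network.
//   a0 - interface name, a1 - SSID bytes, a2 - SSID length, a3 - join mode.
// Returns 0 on success, -1 on invalid arguments or any netlink failure.
// In WIFI_JOIN_IBSS_NO_SCAN mode it also waits for the link to come up.
static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
	char* interface = (char*)a0;
	uint8_t* ssid = (uint8_t*)a1;
	int ssid_len = (int)a2;
	int mode = (int)a3;
	struct nlmsg tmp_msg;
	uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID;
	// Validate the caller-controlled length and mode before touching the network.
	if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) {
		return -1;
	}
	if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) {
		return -1;
	}
	int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
	if (sock < 0) {
		return -1;
	}
	int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", false);
	if (nl80211_family_id < 0) {
		close(sock);
		return -1;
	}
	struct join_ibss_props ibss_props = {
	    .wiphy_freq = WIFI_DEFAULT_FREQUENCY,
	    .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN),
	    .mac = bssid,
	    .ssid = ssid,
	    .ssid_len = ssid_len};
	int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props, false);
	close(sock);
	if (ret < 0) {
		return -1;
	}
	if (mode == WIFI_JOIN_IBSS_NO_SCAN) {
		ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP, false);
		if (ret < 0) {
			return -1;
		}
	}
	return 0;
}

// How long a cloned child lingers before exiting, in microseconds.
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

// Post-process a clone()/clone3() result. The parent (and the error case) gets
// `ret` back unchanged; the child sleeps briefly and exits, so it never
// returns into the test program.
static long handle_clone_ret(long ret)
{
	if (ret != 0) {
		return ret;
	}
	usleep(USLEEP_FORKED_CHILD);
	syscall(__NR_exit, 0);
	// Not reached unless the exit syscall itself fails.
	while (1) {
	}
}

// Pseudo-syscall: clone() with CLONE_VM stripped, so the child never shares
// the executor's address space. The stack top is aligned down to 16 bytes.
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len, volatile long ptid, volatile long ctid, volatile long tls)
{
	long sp = (stack + stack_len) & ~15;
	long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
	return handle_clone_ret(ret);
}

#define MAX_CLONE_ARGS_BYTES 256

// Pseudo-syscall: clone3() with CLONE_VM stripped from the flags word.
//   a0 - caller's clone_args structure, a1 - its size in bytes.
// The size must cover at least the 64-bit flags field and at most
// MAX_CLONE_ARGS_BYTES; anything else returns -1 before any copy happens.
static long syz_clone3(volatile long a0, volatile long a1)
{
	unsigned long copy_size = a1;
	if (copy_size < sizeof(uint64_t) || copy_size > MAX_CLONE_ARGS_BYTES)
		return -1;
	// Work on a private copy so the flags can be edited without touching caller memory.
	char clone_args[MAX_CLONE_ARGS_BYTES];
	memcpy(clone_args, (void*)a0, copy_size);
	// Edit the leading flags word through memcpy: the char buffer carries no
	// uint64_t alignment or aliasing guarantee.
	uint64_t flags;
	memcpy(&flags, clone_args, sizeof(flags));
	flags &= ~(uint64_t)CLONE_VM;
	memcpy(clone_args, &flags, sizeof(flags));
	return handle_clone_ret((long)syscall(__NR_clone3, clone_args, copy_size));
}

// Protection key that callers are not allowed to modify.
#define RESERVED_PKEY 15

// Pseudo-syscall: set the two PKRU permission bits of protection key `pkey`
// to `val & 3`. Returns 0, or -1 with errno = EINVAL for the reserved key.
static long syz_pkey_set(volatile long pkey, volatile long val)
{
	// PKRU has 16 two-bit fields. Reduce the key to its field index before the
	// reserved-key test, so that values aliasing key 15 (31, 47, -1, ...) are
	// rejected too, and so that the shift count can never be negative.
	const unsigned slot = (unsigned)((unsigned long)pkey % 16);
	if (slot == RESERVED_PKEY) {
		errno = EINVAL;
		return -1;
	}
	const unsigned shift = slot * 2;
	uint32_t eax = 0;
	uint32_t ecx = 0;
	asm volatile("rdpkru"
		     : "=a"(eax)
		     : "c"(ecx)
		     : "edx");
	// Unsigned constants: the mask for the upper fields does not fit in a signed int.
	eax &= ~(3u << shift);
	eax |= ((uint32_t)val & 3u) << shift;
	uint32_t edx = 0;
	asm volatile("wrpkru" ::"a"(eax), "c"(ecx), "d"(edx));
	return 0;
}

#define SWAP_FILE "./swap-file"
#define SWAP_FILE_SIZE (128 * 1000 * 1000)

// Create and enable a swap file in the current directory.
// Returns NULL on success or a static message naming the step that failed.
// Any previous swap file of the same name is disabled and removed first.
static const char* setup_swap()
{
	swapoff(SWAP_FILE);
	unlink(SWAP_FILE);
	// 0600: swap contents are memory pages and must not be readable by other users.
	int fd = open(SWAP_FILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
	if (fd == -1)
		return "swap file open failed";
	// The result is not checked here; a failed allocation surfaces in mkswap/swapon below.
	fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE);
	close(fd);
	char cmdline[64];
	snprintf(cmdline, sizeof(cmdline), "mkswap %s", SWAP_FILE);
	if (runcmdline(cmdline))
		return "mkswap failed";
	// swapon() returns 0 on success and -1 on error; the former comparison
	// with 1 could never be true, so failures went unreported.
	if (swapon(SWAP_FILE, SWAP_FLAG_PREFER) != 0)
		return "swapon failed";
	return NULL;
}

// Pseudo-syscall: pidfd_open() where pid 1 is replaced by 0 before the call.
static long syz_pidfd_open(volatile long pid, volatile long flags)
{
	if (pid == 1) {
		pid = 0;
	}
	return syscall(__NR_pidfd_open, pid, flags);
}

// Pseudo-syscall: write `input_data_size` bytes from `buffer` to
// /sys/kernel/debug/kfuzztest/<test_name>/input.
// Returns 0 on a complete write and clean close, -1 otherwise.
// `input_data` is accepted but not used by this function.
// NOTE(review): test_name is interpolated into the path unchecked; a name
// containing '/' or ".." would resolve outside the kfuzztest directory.
// Confirm that callers only pass plain test names.
static long syz_kfuzztest_run(volatile long test_name_ptr, volatile long input_data, volatile long input_data_size, volatile long buffer)
{
	const char* test_name = (const char*)test_name_ptr;
	if (!test_name) {
		return -1;
	}
	if (!buffer) {
		return -1;
	}
	char buf[256];
	int ret = snprintf(buf, sizeof(buf), "/sys/kernel/debug/kfuzztest/%s/input", test_name);
	// Treat truncation as failure rather than opening a shortened path.
	if (ret < 0 || (unsigned long)ret >= sizeof(buf)) {
		return -1;
	}
	int fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
	if (fd < 0) {
		return -1;
	}
	ssize_t bytes_written = write(fd, (void*)buffer, (size_t)input_data_size);
	if (bytes_written != input_data_size) {
		close(fd);
		return -1;
	}
	if (close(fd) != 0) {
		return -1;
	}
	return 0;
}

struct thread_t {
	int created, call;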
event_t ready, done;
};

// Pool of worker threads; each executes one call of the program at a time.
static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls currently in flight; updated with relaxed atomics.
static int running;

// Worker thread body: wait for `ready`, run the assigned call, signal `done`.
// The loop never exits, so the trailing return is not reached.
static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

// Run calls 0..56 of the program once, each on the first idle worker thread.
// Workers are created lazily. After dispatching a call the function waits a
// bounded time for it (50 ms plus a per-call allowance) and then moves on, so
// a call that blocks does not stall the calls after it.
static void execute_one(void)
{
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	int i, call, thread;
	for (call = 0; call < 57; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				// A new worker starts out idle.
				event_set(&th->done);
				thread_start(thr, th);
			}
			// Skip workers still busy with an earlier call.
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			// Call 1 is not waited for: the next call is dispatched immediately.
			if (call == 1)
				break;
			event_timedwait(&th->done, 50 + (call == 12 ? 500 : 0) + (call == 41 ? 4000 : 0) + (call == 48 ? 200 : 0) + (call == 50 ? 3000 : 0) + (call == 51 ? 3000 : 0) + (call == 52 ? 300 : 0) + (call == 53 ? 300 : 0) + (call == 54 ? 300 : 0) + (call == 55 ? 300 : 0));
			break;
		}
	}
	// Give in-flight calls up to about 100 ms to finish before returning.
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Outer driver: forever, create a fresh working directory ./<iter>, fork a
// child that runs the program once inside it, and reap the child. A child
// still alive after 5000 ms is killed. The directory is removed afterwards.
static void loop(void)
{
	int iter = 0;
	for (;; iter++) {
		// 32 bytes hold "./" plus any decimal int.
		char cwdbuf[32];
		sprintf(cwdbuf, "./%d", iter);
		if (mkdir(cwdbuf, 0777))
			exit(1);
		reset_loop();
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			if (chdir(cwdbuf))
				exit(1);
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
		remove_dir(cwdbuf);
	}
}

// Results saved by earlier calls (descriptors, ids) for use by later calls.
uint64_t r[29] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
	intptr_t res = 0;
	switch (call) {
	case 0:
		memcpy((void*)0x200000000000, "/dev/admmidi#\000", 14);
		inject_fault(1);
		res = -1;
		res = syz_open_dev(/*dev=*/0x200000000000, /*id=*/0x302d694, /*flags=O_NOFOLLOW|O_DIRECTORY|FASYNC|O_APPEND*/0x32400);
		if (res != -1)
			r[0] = res;
		break;
	case 1:
		syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x80045700, /*arg=*/0x200000000040ul);
		break;
	case 2:
		memcpy((void*)0x200000000080, "/dev/hpet\000", 10);
		res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0);
		for (int i = 0; i < 4; i++) {
			syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000080ul, /*flags=*/0, /*mode=*/0);
		}
		if (res != -1)
			r[1] = res;
		break;
	case 3:
		syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40045436, /*arg=*/0x17ul);
		break;
	case 4:
		*(uint32_t*)0x200000000100 = 0x14;
		syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/6, /*optname=*/0x1d, /*optval=*/0x2000000000c0ul,
/*optlen=*/0x200000000100ul); break; case 5: *(uint64_t*)0x200000000340 = 0x8800000; *(uint64_t*)0x200000000348 = 0x200000000140; *(uint64_t*)0x200000000350 = 0x200000000180; *(uint64_t*)0x200000000358 = 0x2000000001c0; *(uint32_t*)0x200000000360 = 0; *(uint64_t*)0x200000000368 = 0x200000000200; *(uint64_t*)0x200000000370 = 0x72; *(uint64_t*)0x200000000378 = 0x200000000280; *(uint64_t*)0x200000000380 = 0x200000000300; *(uint32_t*)0x200000000300 = 0; *(uint32_t*)0x200000000304 = -1; *(uint32_t*)0x200000000308 = 0; *(uint32_t*)0x20000000030c = -1; *(uint32_t*)0x200000000310 = 0; *(uint32_t*)0x200000000314 = 0; *(uint32_t*)0x200000000318 = -1; *(uint32_t*)0x20000000031c = 0; *(uint64_t*)0x200000000388 = 8; *(uint32_t*)0x200000000390 = r[1]; res = -1; res = syz_clone3(/*args=*/0x200000000340, /*size=*/0x58); if (res != -1) r[2] = *(uint32_t*)0x200000000180; break; case 6: syscall(__NR_kcmp, /*pid1=*/r[2], /*pid2=*/0, /*type=KCMP_FILES*/2ul, /*fd1=*/r[0], /*fd2=*/(intptr_t)-1); break; case 7: *(uint32_t*)0x2000000003c0 = 0; *(uint32_t*)0x2000000003c4 = 4; *(uint32_t*)0x2000000003c8 = 0; *(uint32_t*)0x2000000003cc = 8; *(uint32_t*)0x200000000400 = 0x10; res = syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0, /*val=*/0x2000000003c0ul, /*len=*/0x200000000400ul); if (res != -1) r[3] = *(uint32_t*)0x2000000003c0; break; case 8: *(uint16_t*)0x200000000440 = 6; *(uint16_t*)0x200000000442 = 0x8207; *(uint32_t*)0x200000000444 = 0x96d; *(uint32_t*)0x200000000448 = 0x10; *(uint32_t*)0x20000000044c = r[3]; *(uint32_t*)0x200000000480 = 0x10; syscall(__NR_getsockopt, /*fd=*/r[1], /*level=*/0x84, /*opt=*/0x22, /*val=*/0x200000000440ul, /*len=*/0x200000000480ul); break; case 9: syscall(__NR_ioctl, /*fd=*/(intptr_t)-1, /*cmd=*/0xc04c6100, /*arg=*/0x200000000500ul); break; case 10: memset((void*)0x200000000000, 255, 6); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 0, 0, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 1, 2, 2); STORE_BY_BITMASK(uint8_t, , 0x200000000040, 
0xa, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x200000000041, 0, 0, 6); *(uint16_t*)0x200000000042 = 0x8000; memcpy((void*)0x200000000044, "\x63\x44\x8e\xdb\x2f\xb0", 6); *(uint8_t*)0x20000000004a = 8; *(uint8_t*)0x20000000004b = 2; *(uint8_t*)0x20000000004c = 0x11; *(uint8_t*)0x20000000004d = 0; *(uint8_t*)0x20000000004e = 0; *(uint8_t*)0x20000000004f = 0; syz_80211_inject_frame(/*mac_addr=*/0x200000000000, /*buf=*/0x200000000040, /*buf_len=*/0x10); break; case 11: memcpy((void*)0x200000000080, "wlan0\000", 6); memset((void*)0x2000000000c0, 2, 6); syz_80211_join_ibss(/*interface=*/0x200000000080, /*ssid=*/0x2000000000c0, /*ssid_len=*/6, /*join_mode=JOIN_IBSS_BG_NO_SCAN*/2); break; case 12: memcpy((void*)0x200000000100, "bpf_lsm_kernel_create_files_as\000", 31); syz_btf_id_by_name(/*name=*/0x200000000100); break; case 13: memcpy((void*)0x200000000140, "\x28\x03\x83\x7c\xbc\xf3\x7b\xce\x72\xc1\xa7\x3b\x90\x9c\x68\xfe\x5b\xf7\xa6\x36\x3c\xdc\x90\xc0\x0d\xc6\x01\x3b\x35\xda\x02\xa6\x6a\x05\x91\x66\x71\x54\xa5\x56\x7c\x0e\x5e\xe6\x93\x3d\x6d\xa8\xbf\xed\xac\x5d\x27\x8a\x29\x1e\xfa\x30\x20\xba\x15\xe3\x90\xeb\x38\xda\x76\x26\x1c\x3a\xef\xf9\xee\xa8\xab\xea\xce", 77); memcpy((void*)0x200000000240, "\x6a\x0b\x56\xff\x4b\x8f\xac\x28\x77\x3c\xa1\x37\x65\x2b\x5b\x0f\xd8\x03\xa0\x41\x3c\x28\x20\x37\xf7\x21\xcb\x96\xec\xf2\xbb\x1a\x61\x6d\xc3\xd5\x6e\xee\xa2\x6f\x6b\x16\xf4\x56\x2d\x17\xc6\xd8\xb8\x83\x8f\x18\x44\xb5\x85\xeb\xcc\x0b\x56\x2f\x05\x57\xb2\xc7\xe9\xf0\xdd\xa1\xce\x4c\xc6\x1d", 72); res = -1; res = syz_clone(/*flags=CLONE_NEWCGROUP|CLONE_SETTLS*/0x2080000, /*stack=*/0x200000000140, /*stack_len=*/0x4d, /*parentid=*/0x2000000001c0, /*childtid=*/0x200000000200, /*tls=*/0x200000000240); if (res != -1) r[4] = res; break; case 14: *(uint64_t*)0x200000000480 = 0xc2e0; res = syscall(__NR_socketcall, /*call=*/8ul, /*args=*/0x200000000480ul); if (res != -1) r[5] = res; break; case 15: *(uint64_t*)0x2000000004c0 = 0x18000000; *(uint64_t*)0x2000000004c8 = 0x2000000002c0; 
*(uint64_t*)0x2000000004d0 = 0x200000000300; *(uint64_t*)0x2000000004d8 = 0x200000000340; *(uint32_t*)0x2000000004e0 = 9; *(uint64_t*)0x2000000004e8 = 0x200000000380; *(uint64_t*)0x2000000004f0 = 0x29; *(uint64_t*)0x2000000004f8 = 0x2000000003c0; *(uint64_t*)0x200000000500 = 0x200000000440; *(uint32_t*)0x200000000440 = r[4]; *(uint32_t*)0x200000000444 = r[4]; *(uint32_t*)0x200000000448 = r[4]; *(uint64_t*)0x200000000508 = 3; *(uint32_t*)0x200000000510 = r[5]; res = -1; res = syz_clone3(/*args=*/0x2000000004c0, /*size=*/0x58); if (res != -1) { r[6] = *(uint32_t*)0x2000000002c0; r[7] = *(uint32_t*)0x200000000300; r[8] = *(uint32_t*)0x200000000340; } break; case 16: memcpy((void*)0x200000000540, "./file0\000", 8); syz_create_resource(/*file=*/0x200000000540); break; case 17: memcpy((void*)0x2000000006c0, "/dev/fuse\000", 10); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x2000000006c0ul, /*flags=*/2, /*mode=*/0); if (res != -1) r[9] = res; break; case 18: *(uint32_t*)0x200000002b00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0, /*optname=*/0x11, /*optval=*/0x200000002a00ul, /*optlen=*/0x200000002b00ul); if (res != -1) r[10] = *(uint32_t*)0x200000002a34; break; case 19: *(uint32_t*)0x200000002b40 = 5; *(uint32_t*)0x200000002b44 = 0xee00; *(uint64_t*)0x200000002b48 = 1; *(uint64_t*)0x200000002b50 = 5; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x4018aee3, /*arg=*/0x200000002b40ul); if (res != -1) r[11] = *(uint32_t*)0x200000002b44; break; case 20: *(uint32_t*)0x200000002c00 = 0xee00; *(uint64_t*)0x200000002c08 = 0; *(uint64_t*)0x200000002c10 = 8; *(uint64_t*)0x200000002c18 = 1; *(uint32_t*)0x200000002c20 = 6; *(uint16_t*)0x200000002c24 = 5; *(uint16_t*)0x200000002c26 = 0; res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0x40286608, /*arg=*/0x200000002c00ul); if (res != -1) r[12] = *(uint32_t*)0x200000002c00; break; case 21: *(uint32_t*)0x200000002f00 = 0xe8; res = syscall(__NR_getsockopt, /*fd=*/r[5], /*level=*/0x29, 
/*optname=*/0x23, /*optval=*/0x200000002e00ul, /*optlen=*/0x200000002f00ul); if (res != -1) r[13] = *(uint32_t*)0x200000002e34; break; case 22: *(uint32_t*)0x200000004040 = 8; *(uint32_t*)0x200000004044 = 0; *(uint32_t*)0x200000004048 = -1; *(uint32_t*)0x20000000404c = 2; *(uint32_t*)0x200000004050 = 0x10; *(uint32_t*)0x200000004054 = 4; *(uint16_t*)0x200000004058 = 7; *(uint32_t*)0x20000000405c = 0x7f; *(uint64_t*)0x200000004060 = 0xbb; *(uint64_t*)0x200000004068 = 0xf; *(uint64_t*)0x200000004070 = 4; *(uint32_t*)0x200000004078 = 0x800; *(uint32_t*)0x20000000407c = 2; *(uint16_t*)0x200000004080 = 5; *(uint16_t*)0x200000004082 = 0; *(uint64_t*)0x200000004088 = 0x200000002f40; memcpy((void*)0x200000002f40, "\xa0\xfc\x03\x37\xfa\xea\x63\x1f\x70\x4d\x04\xb5\xa5\x94\xdd\x3a\x87\xe2\x74\x7c\x38\x74\x0f\x43\x57\xe5\xcb\x22\x1b\xf4\x40\x57\x95\xc2\x99\x06\x22\x7d\x36\x4e\x04\x46\xeb\xf7\x7d\x11\x1a\xb6\x66\x81\x06\xa0\x02\x14\x0a\x81\x07\x1b\x6d\x28\xcf\xab\xb3\x7a\xea\x4e\x26\xc4\x65\x7d\xb3\x19\x16\xf1\x71\x81\xef\x2f\xbb\xa8\xcf\x19\x4a\x98\xc4\x35\xa1\x00\x7c\x27\x0c\xd6\xef\xf5\xc6\x42\x45\x37\x19\x7a\x13\x02\x02\xf2\x8c\xe2\x58\x6b\xe0\xce\xff\x0d\xb4\x7a\x35\x35\x12\x18\xf4\x9a\x45\x99\xa9\x8e\x93\xfd\x6f\xa6\xbe\x92\x17\x67\x82\xd2\x9c\xcf\xc9\x00\xc7\x67\xf4\xde\x10\x2c\x3a\x77\x79\x57\x7f\xf3\x6f\x42\x7d\xca\xed\x1e\x8d\xd3\x89\x65\x0f\xbe\x9c\xc0\xca\xb5\xb4\x39\x0e\x80\x5e\xc3\x0a\xd6\x41\x1c\xff\x60\x65\xa8\xa5\x76\x10\xab\x7c\x61\x01\x32\xa2\xa1\xbf\x37\xc8\x71\xd0\x6a\x9d\x78\xcc\x27\x68\x8f\x4b\xef\xa7\xbd\x11\x2a\x69\xdf\x64\xb5\x51\xe3", 214); *(uint64_t*)0x200000004090 = 0x200000003040; memcpy((void*)0x200000003040, 
"\x64\xb9\x52\x0e\xb1\x74\x93\x9e\xc8\x76\x43\xa2\xfd\xaf\xfe\xa4\x52\x7b\xbf\xd5\x1b\x07\xac\x94\x67\x16\x9d\x3c\x7b\xaa\x5d\xc6\x5b\x8a\x38\xd9\x50\xc8\x58\xff\x99\x23\x7e\x6e\xc0\x6b\x46\x56\xa5\x2a\xcb\x76\xc7\x55\xc1\xcf\xf1\xc0\xa6\x5e\x3d\x16\x32\xfa\xbd\x9e\x1b\x38\x18\x52\xb6\xfc\xfc\x05\x87\x44\x85\x6a\x80\xa2\x9f\xb4\xdb\xdd\x71\x5b\x3c\xd0\x8e\x15\xa5\x34\x05\xd0\xfd\x2f\xf7\xea\xc8\x36\x33\x8c\x4e\xca\x04\x56\xff\x78\xcc\x57\x12\x33\x21\x46\xb6\x71\xbc\x42\x86\x1c\xd8\xbb\x43\x20\x09\x85\xa3\x62\xf3\x9f\x15\xbd\x43\x7f\x06\x45\x8b\x86\x7d\x4b\xea\x22\x27\x49\x32\x50\xd8\x3f\xb4\x6f\x72\x97\xb8\xf8\xc2\x73\x51\xcc\xbe\xc4\xff\xd0\x71\x75\xa7\xc5\xe2\x31\x9e\x94\x21\x0d\x4a\xf5\x06\x1e\x74\x3f\x05\x0f\x2e\xa5\x38\xa3\xed\x9d\x03\x59\xf5\xa7\x54\x6c\x3d\x01\x13\xe2\x55\x26\x8c\xd0\x48\x3a\xb1\x86\xf9\xc5\x55\x02\x02\xa9\xfa\x3f\xa0\xc4\xa2\xa5\x80\x52\x41\x81\x9c\xf9\xc3\x45\xce\xcc\x6b\x77\xdd\x7c\x29\x97\x50\xb6\x7f\xf8\xcb\x5d\x9a\x6b\x0d\x3d\x98\x16\xdb\xeb\x6f\xdb\xc5\xea\x9f\xae\x4a\x25\xe1\x9b\x48\xe5\x10\xdd\xb5\xd4\xd1\x27\x1b\xa0\xc4\xa0\x83\xd0\x4c\xc5\x09\xb4\x0f\x1a\x84\x91\x95\xf3\xbc\x3e\x9f\x63\xb7\xcc\x74\x73\xff\xc7\x40\xcf\x1a\x97\x9b\xd1\xd7\xe9\x31\x7f\x6f\xc7\x7a\x62\xe5\xac\xab\x36\xc4\xa0\x63\x06\x9c\xfb\x20\x7d\xcc\x7a\xf7\x0b\x77\xa7\x43\xb3\x62\xd9\xd9\xfa\xe0\xdb\xc6\x80\x92\x3a\x0e\x34\x54\x02\x6b\x6d\xa9\x57\x9f\x35\x2a\xfe\xf7\xab\xbc\xa7\xbf\xc1\x4a\xef\x0f\xb3\xd1\x30\x55\x06\xb9\x79\x40\xea\x12\x7f\xfe\xd1\x3e\xee\xa6\xca\xe0\xbe\x96\xf5\xbe\x73\x85\xe8\xe9\xba\x4f\x00\xfd\xc5\x18\x59\xd8\x25\x19\x27\x18\xdc\xf2\x3e\x0b\x6d\xa4\x13\xaf\xf8\x54\xba\x52\x21\xba\x8d\x27\xff\x02\xb6\xc0\xf9\x66\x7f\x2f\xfe\x72\xf4\x34\xf4\xc7\x08\x5a\x52\xfe\xe5\xf0\x87\x1b\xc2\x0a\xeb\xc8\xef\x87\xc1\x7c\x49\xb2\xa4\x34\x24\x21\x54\x77\x0e\x3a\xe2\x68\xd5\xba\xe1\x1f\x22\xf2\x14\x61\x69\xd7\xa9\xc1\x6b\x5d\xaf\x83\x03\x11\x11\xce\x5c\xe9\x92\xd2\x75\xbb\x9b\xc5\xd1\x29\x0f\x7f\xea\x35\x66\x07\xe8\xdd\x9a\xcc\x55\x84\x9e\xeb\x50\x28\x27\x37\x4
c\x45\xdc\x89\xdd\x11\x86\xec\x92\x10\xbf\xf8\xe0\x05\xb7\xcb\x2c\x13\x4a\x92\x2d\x6d\xdc\x51\x22\x81\xe6\xf5\xaa\x9b\x10\x4d\x04\xbc\xc6\x00\x0b\x9f\x95\xf7\x43\x93\xf3\x12\xc9\x90\xf7\xd2\x9d\xee\x0e\xf7\xa4\xb1\x58\xfe\x69\x19\x6b\x06\x83\xf3\x5e\x8b\x4b\xa6\x5b\xb4\x9b\x31\x3d\x92\xd6\xf6\x7f\x72\xf7\xc3\xe7\xde\x4d\xd8\x84\xd7\x2c\x78\x6d\x66\xbd\xf5\x98\xa1\x5f\x9a\xc2\x96\xea\x70\x74\x03\x43\xd9\x45\x91\x18\x64\x48\xae\x73\xee\xa6\x10\x1d\xe1\x3d\xf6\x67\xab\x6e\xa1\xf5\x5a\xba\x4c\x11\x3d\x0a\xc4\x2b\xba\x7e\xc5\xbd\x1d\x56\xb6\xbc\x94\x70\x45\x59\x5c\x76\xc8\xf6\x93\x39\xbd\x2f\x19\x3d\xe2\x46\x53\x30\x10\xf4\x2a\xc9\x3c\xe0\xaf\x99\xf4\x0a\xe8\xbf\x3a\x30\x54\x3d\x68\x61\xb2\xca\x30\x6c\x0c\x08\x1d\xb7\x92\xaf\x44\x88\x20\x40\x9c\x05\x33\x0b\xdb\xe4\x4f\x70\xc5\x56\x1d\xff\x87\x04\xb5\xee\xb7\x12\xac\xd3\x21\xfb\x7b\xd5\x8c\x80\x9f\xb1\x1d\x01\x7c\x34\x87\x98\x54\xf1\x53\x24\x17\x41\xfd\xf8\xde\x35\x35\x6b\xee\x7a\x0c\xb4\x0a\x72\x6c\xc7\x83\x17\x57\x59\xe2\x66\xdd\xbc\x98\xe3\xe5\xf8\x22\x02\x4e\x33\x59\xa7\xfe\xc0\xe0\x9f\x0d\x1e\x21\x42\x62\xea\x20\x9a\x9d\xdf\x12\x28\x0e\x28\x72\x33\x93\x36\x88\x17\xde\x6d\x20\x0a\xc6\xf9\xd1\x4c\xee\x80\xcb\x71\x35\x47\xca\xd5\x53\x33\xac\xaf\xf3\xa3\x2b\x48\x96\x48\x45\x50\x1b\xf1\x08\xe8\xf5\x15\x72\x8b\x36\x72\x62\x90\xb4\x78\xf7\xf3\xda\x9a\x62\xdd\xb1\xd4\x4f\x5e\xd5\x69\xc7\xcf\xf3\x04\x51\xb1\x35\x5d\x34\x91\xeb\x80\x34\x5c\xfd\xb9\x38\x47\x5f\x9d\x16\x18\x1c\xb1\xe3\xd7\x33\xea\x45\xab\xa0\x4c\xbe\x41\x9b\x1f\xe3\x9d\xe5\x14\xe8\xb0\x0d\xb8\x27\xfe\xc1\x95\xae\x77\x31\xb2\xa6\x4a\xd2\x58\xc1\xcf\x2d\x4c\xd9\x7d\xd9\xde\xc3\x56\x4f\x9c\xa7\x4e\xd6\x25\x83\x0e\xd3\x2b\x05\x07\xad\x8c\x97\xf6\x3f\x5a\x2b\x39\xbb\xae\xc0\x4b\x3b\x88\x9b\x6d\x7c\x9f\xb9\x89\x93\xd5\xe5\xae\x40\xcd\x6b\x63\x72\xbc\x63\x1d\x37\xda\xc4\xab\x3d\x48\xb5\x89\x5b\x00\x30\xe0\x02\xe7\xf4\x43\xbe\xad\x14\xa5\x77\x7e\xcf\x5e\xe9\x99\x83\xb3\xc0\xf5\x00\x53\x9d\x02\xba\x11\xcb\x4b\xf3\x25\x99\x06\xbb\xcc\x34\x85\x5e\x6d\x4b\x2c\x49\x31\x68\x1
6\xd4\xd1\x73\x40\xd8\x93\x8d\xbb\xad\x5f\x2c\xbf\xe8\x3d\xa5\x7f\x59\xe5\x1c\x9e\xb6\xff\x62\x15\xf7\x94\xf6\x82\x28\x20\xb0\x59\x12\xdf\x85\xfe\xa5\x3c\x04\x6d\xd6\xe8\x89\x24\xa1\x8e\x71\xc0\xcd\xa6\x58\xb5\x8a\xff\x26\x19\x4f\x88\xdf\x81\xda\xf0\x6e\xe0\x94\x2c\xda\x0d\xf1\x8b\x41\xb0\xe2\x30\xb3\x05\xb4\xf9\xa4\x7f\xdb\x18\xc6\xd6\x8c\xce\xba\x1f\x24\xf2\x75\x6b\xd9\x6a\x79\x91\x12\xc3\x48\x5e\x39\x4d\x2d\xd9\xfc\x87\xab\x1b\x46\x51\xad\x05\x8a\x3e\x44\x46\x1d\x2c\x72\xf0\x38\xff\x88\x11\x04\xcb\x75\xcc\x79\x68\x3a\x9d\x97\xd8\x81\xcf\xfb\x92\xb0\x5c\x12\xbf\x4d\x3a\xb4\xdb\xe1\x79\x08\xfb\x79\x9e\xaf\xfa\x9c\xaf\xa4\xa6\x1c\xe2\x0a\xa4\xb3\xeb\xc3\xc7\x52\x20\xaa\x65\xc9\x80\x3a\x77\xf1\x81\xda\x39\x24\xcc\xa5\xf6\x05\x96\x12\xe4\x54\x86\x10\x6f\x22\xb8\xc8\x91\xf7\xb1\x46\x62\xab\xd6\x4b\x32\x58\xed\x13\xbd\xcd\x6d\x1a\x77\xc6\xa4\x15\x19\xd6\x60\x63\x74\x3a\x19\x18\xbb\x13\xe9\xb7\x57\x7f\xb6\xbb\x7d\xf2\x3f\xf1\xb9\x6e\x78\x2b\xda\x63\x94\xd4\x86\x1a\x7e\x0a\xc8\x0d\x1c\x6c\xc8\x4a\x30\x3b\x78\x41\xe5\x89\xd6\x6b\xed\x37\xcc\xc0\x5f\x4e\x9b\x4d\xfb\xc5\x3d\x3b\x50\xd5\x0e\x02\xc8\x7d\x41\xf5\x3f\x86\xde\xcb\x39\xc7\x06\xf5\x37\x2e\x9d\x6e\x3d\xde\x53\x05\x96\x20\xd2\x78\x45\xf3\xed\x77\xcd\x58\x99\xe3\x3a\xed\x5c\x4f\xb1\x40\xf8\xe4\x05\xfa\x2e\x0e\x11\x72\xea\xa7\xd4\xe9\x12\x98\x7a\x0a\xa3\xac\xf7\xc2\xd8\xe9\x4d\x16\xc9\x98\xc9\x87\xfd\x40\x4b\x23\x4e\xf7\x36\x1d\x0c\x53\x87\xe6\xb9\xd5\x5f\xb9\x72\xc7\xdc\x21\x72\x26\xce\x13\xd8\x2a\x59\x31\x1f\xe2\x69\xa0\x9c\x38\x4e\x73\x9a\x66\xbe\x43\x54\x79\x1f\x38\x1e\x74\xcc\x5d\xfb\x9a\x92\xfb\xff\xf8\x59\x5d\xf2\x4b\x40\x3e\xaf\xb0\x04\x73\xeb\x0b\x2e\x7f\xee\x36\xdb\xa4\xa9\x08\x93\x8b\xcf\xcc\xe9\x61\xfd\x10\xec\x29\xe5\x6d\xfe\x40\x59\x1e\x13\xd5\xe5\x3f\x16\xc8\x75\x9c\xa2\x7f\x80\xce\x90\x4f\x2d\x7c\x43\x32\x10\x97\x59\x5e\x90\x76\x39\xf2\x0f\x9e\x8d\xce\x70\x0c\x39\xd0\xe4\x42\xda\x88\x7a\x4d\xf0\x82\xeb\x7e\x17\x2f\xaf\xdc\xb0\x0b\x00\x8c\xaf\x55\x23\xd1\xfe\x5f\x24\x0a\xe9\x91\x49\x6d\xb9\x33\x89\xaf\x4
1\x85\xe9\xc9\xcc\xbd\xcb\x97\x31\xce\x7a\x77\x0a\xe2\xab\xac\x9d\x8c\xdd\xf3\x13\x23\x1a\x55\xe1\x27\x7b\xd3\x6c\x1e\x44\x84\x2b\x38\x72\x55\x5c\xcd\xcb\x3a\x06\x84\x59\x13\x21\xff\x15\xdc\x6d\x2c\xef\xfd\x58\x5d\xbe\xb9\x90\xe4\x05\x4f\xab\xc1\x8a\x9e\x9f\x1d\xe1\x3b\xfa\xd9\xde\x7f\x8d\xeb\x6b\x6c\x47\x2c\x42\x33\x67\xee\xad\x52\x50\x04\xde\xfa\x9e\x17\xc6\x79\x02\x36\x0b\xf1\x63\xa0\x1e\x98\xf6\xe7\x55\xcf\xf6\x28\x2a\xee\xbd\x1e\x8a\x09\x71\x5c\x15\xb9\xed\xaa\x50\x0d\xe0\x74\xc2\x8b\xad\x6d\x03\x57\x8c\x5e\x1c\x87\xbe\x71\x17\xf5\x4e\xef\xc3\x31\x3c\x38\xb6\x1d\x88\xa6\xa5\x0a\x0f\x36\xfd\xbf\x08\x4c\xb4\x14\x47\xc6\x90\xd3\xff\xcc\x83\x14\xe9\x1a\xda\x81\xd3\x4a\xcc\xd3\xe0\x6d\x19\xbc\xa2\x8f\xb4\x9b\xed\x5e\x32\xf4\xeb\xd5\x49\x29\xe4\xab\x51\xa6\x59\xb8\x1c\x1c\x35\xdf\x9e\x51\x47\x69\xb9\xeb\x31\xd7\x1d\x43\x78\x64\xf5\x4e\x99\x2a\x2b\x9b\x15\xe2\xfd\x32\x07\x81\x77\x56\xb4\x86\xd0\x81\xaf\x39\x7b\x21\xa2\x58\x44\x3d\x86\xa2\x0a\x82\xda\xb3\x09\x4a\x48\x83\x32\x47\x91\xd6\x7c\xea\x91\x8b\xec\x79\x94\xab\xce\xc1\x80\xf8\xfb\xd4\xae\x90\xad\x2c\x78\x5d\xe7\x74\x73\x08\xd8\x0a\x73\x31\x86\x4b\xd1\xa9\xbf\xfb\x51\x44\x07\x78\x51\x93\x92\x74\x05\xf7\x78\xa1\x66\x51\x4a\x33\x9b\xfe\x16\xf5\xcb\x8e\xe3\x49\xa0\x8e\x25\xb9\x4d\xc3\x51\xc7\x2e\x98\xc6\xba\xf1\x86\x02\x50\x60\xcd\x98\xd7\xd1\x4b\xf8\xee\x06\x02\x40\x40\x5a\x1c\x10\x20\x2c\xb3\x48\x57\xab\x67\x4e\xff\x41\xcd\x46\xc0\x3d\x2f\xfc\xca\xbf\x19\x4e\x0f\x35\x16\x58\xab\x02\xd9\xa1\xf9\x28\x30\x61\x7d\xe6\x91\x35\x50\x95\x34\x64\x7b\xc4\xcc\x20\x52\x87\xb2\x51\x55\x3f\xcc\x76\x89\xd5\xe6\x69\xf9\xba\x4b\xdb\x40\x36\xe0\x64\xb2\xa7\x91\xea\x5d\xe9\x3c\x66\x91\x8a\xd6\x1c\xf1\x0b\xe4\xf5\x56\x4a\x07\x1b\x02\xb9\x36\x5b\xc5\x87\x31\x6e\x65\xbd\x12\x64\xfe\x1f\x8d\xc7\xd2\x44\xab\x33\x19\xe9\xa9\x05\xe2\x44\xa0\xd0\x00\xbf\x3c\x56\x68\x11\xf7\x29\xd1\x0f\x9d\x81\xb0\x60\xcb\x7f\xf9\x3d\xa8\x05\x6d\x64\x1f\x93\x12\x1c\x50\xb9\x87\xe4\x14\x9d\x44\xc2\x34\x91\xe9\xde\x6a\x5c\x1d\x6b\x26\xf6\x44\xb3\xb0\x20\x62\x7
c\xaf\x32\xd4\x7f\x95\xa4\x85\x7b\x36\x53\x0f\xf5\xc5\xbe\x38\xca\x37\xb9\x0d\xec\x3b\xde\x10\x75\x61\x58\xd6\xdb\x91\xbc\xbb\xea\x66\x65\xfa\x14\x08\xae\xc0\x02\x5d\x9d\xfe\x3d\xe8\xa5\x7b\x8a\xf3\x00\x17\x9b\xff\x26\x03\x2e\x61\xdb\x60\xd6\xe2\x0a\xcb\x67\x15\x95\x05\x6f\xd6\x5e\x84\x03\x80\x40\xf0\x7d\x46\xdb\xd4\xcb\x8c\x0d\x3c\xe9\xfd\xa0\x02\xd2\x2e\x24\x75\x0f\x14\x58\x01\xaf\x85\xd7\x82\x68\x1b\xb9\xb1\x22\x8f\xb2\x81\xc5\x43\xe5\xdc\xde\xf8\x4b\x7a\x26\x26\xde\x59\xe1\xec\x79\xe4\x4d\x1a\x23\x0f\xed\xda\x6e\x30\x37\xb0\xe9\xc4\xca\x47\x5d\xcd\x31\x9b\x86\xbd\x4a\xb2\xcc\x3c\xd5\xee\x47\x85\x7a\xda\xa8\x8e\x7e\x77\xaf\xaa\xb3\xfd\x85\x07\x6e\xdb\x36\x15\xba\x44\xe9\x7b\x5e\x18\x1b\x5e\x8c\x86\x11\x78\x48\x54\xa8\xae\xbd\xcc\x09\x83\xe0\xb8\x37\x45\x5a\x29\x01\xb9\x19\x80\xb0\x5e\xfc\x92\x23\xd2\x06\xdc\xaa\x5b\xe6\x74\x5c\xbd\xfb\x6f\x9a\xf1\x38\x73\xb3\x77\x3f\x5a\x59\xbe\xaa\x0f\x4a\x36\xdd\xd3\x83\xd6\x3e\x12\xf5\x0e\x0f\x7c\x53\x3e\x6a\x55\x9e\x54\x5d\x28\x51\xd0\x4b\xd3\x6e\x41\x2d\x89\x1e\xac\x7b\xbf\xf3\x99\x36\x93\x7f\xa3\xe4\xfb\xfa\xf5\x10\x37\xc5\x0a\x7d\x57\x30\x05\x1e\x4c\x69\x84\xf3\x94\xf3\xf5\x9f\xaa\x61\xac\x96\xfc\x2b\xa4\xe3\x35\x64\xc2\xbb\xc6\x07\xb1\x8e\xf8\xae\xf1\x9b\x88\xb7\xac\x63\xce\xf3\xe0\x97\x1f\xa1\x15\x62\x33\x37\x3f\xa5\xb5\x8f\x16\xfa\x99\x31\x2d\x84\xa6\xb7\x90\xe7\xa6\x63\xba\x05\xe2\x37\x38\x5e\xb4\x13\xe4\x26\x0e\x02\x1b\xa3\x87\x91\x23\x57\xfe\xd3\x9f\x13\x66\xe7\x31\x8e\xbe\xa7\xb9\x21\xde\xd5\xd9\xf9\xab\x5a\x86\x12\x16\x48\x31\x0f\x09\x04\x25\x8a\x9e\x4d\x59\x0d\x65\x43\x1d\x23\xe6\x22\x30\x9d\xe9\x64\xcb\x77\xdf\x8f\x28\x07\x66\x7b\xd5\x81\x81\xe4\x85\xc2\xe0\x3c\x29\x5c\x15\xe5\x27\x4c\x70\x6c\x1a\x00\x27\xb6\x75\x1e\x40\x95\x9a\x15\x81\xc7\x10\x77\x4b\xd5\x57\x53\x67\xc9\x3c\x17\xfb\x84\x44\x97\x6e\x38\x47\x11\xd4\xde\xbc\xe0\x97\x54\xe9\x7b\x04\x8d\x47\xb3\xdd\x82\xf7\x5f\xa9\x39\x37\xd0\x72\x2c\xb2\x37\x9e\x8b\x4b\x02\x67\x59\x91\xed\x1b\xc5\xf1\xf1\x5f\xea\x5f\xbe\x59\xc6\x3a\x29\x91\xaf\x99\x8a\x21\x99\x1f\x1
d\x46\xcd\x3d\x21\x1a\x53\x2c\xee\x73\x2f\xfb\xcf\x55\xb2\x87\x90\xc4\xba\xdb\xa7\x68\xc5\x7a\x26\x23\xdf\x69\xb3\x96\xc2\xac\xcf\x92\x58\x06\xd5\x52\x61\xb7\x08\x74\x35\xe4\x97\x45\x29\x75\xb1\x52\x66\x52\x2e\xf9\x76\x37\x95\x6f\xaa\x20\xe8\xec\x65\x3c\x9c\x0c\x07\x73\x60\x3d\x77\x67\x7d\x0e\xf1\xec\x99\xa0\xf6\x1c\xcc\xf7\xe1\x10\x30\x51\xa7\x85\x2a\x00\x77\xf9\x73\x36\x9f\x6d\x80\x56\xb7\x9c\x53\x7a\xea\x6b\x41\x07\x09\xdf\x69\x37\xb6\xb7\xce\x03\x39\x8e\x1a\x7a\x1e\xf8\xe0\x62\xbf\x5b\x5a\x11\x0b\xc0\xda\xf2\x76\x5c\x92\xe6\x95\x83\x4a\xdd\x9a\xc0\x3f\x5e\xa5\x6f\x8e\xc1\xd6\x4a\x8f\xad\x07\x41\x0e\x30\x19\xd8\x4c\x0e\x7c\xdf\x1c\x49\xe9\x50\x91\x79\x4a\x3a\xad\x82\xab\xf6\x3e\x9c\x6c\xeb\xab\xdf\x05\xe8\x05\x03\xd1\xba\x70\x37\xe9\xb0\xb3\x5a\xad\x55\x17\xa0\x29\x88\xa3\x43\xb6\xa4\xaf\x6d\x82\x77\x96\x4f\xcd\x3e\x72\x0c\x19\xeb\xcb\xca\x7c\x4a\x87\x7c\x4b\x17\x40\x5d\x4e\x04\xe2\xbf\xf0\x36\xd6\xf5\xe8\xda\x62\xd6\xec\x70\xd1\xcd\xd9\x70\xe8\xba\x36\xf7\xfa\x95\x6c\xbd\xe7\x89\x25\xa4\x43\xb9\x57\x9b\xe0\x39\xe5\x65\x39\x66\xe7\x45\xb1\xd9\x3c\x62\x97\x0f\x29\x07\xfb\x53\x5c\x88\x82\x0b\x95\xb2\x44\x09\xd1\xbb\x81\xe0\xcd\xfb\xdc\x39\x72\x78\xa8\xb1\xeb\xa6\x32\x5e\x69\x3a\x93\xb5\x50\xdc\x2d\x7f\xf0\x55\x98\xf8\x24\x67\x94\xb2\xd0\x1b\x58\xf3\x03\x24\xe4\x4c\x43\x9e\xc6\xe1\x70\xb6\x92\xef\x2d\x55\x2f\x33\x22\x42\x10\x1f\xe2\x45\x86\x56\x4b\x87\xe4\xd0\x4c\x5c\x41\x37\xf4\x53\x45\x1d\xc8\x2c\xe4\x9f\x93\xd5\x0e\x49\xac\xf2\xb9\x66\xd0\xd5\x00\xff\xf9\x9b\x98\x4d\x70\xfa\xa2\x06\x11\x87\x36\x9a\x3d\xd5\x03\x37\x87\x2c\x23\x0e\x6f\xbd\xa2\x42\x0e\x56\x58\x86\xb6\xee\xf5\x3e\xb5\x32\x23\x9a\x98\x23\x7b\xf8\xcf\x35\x49\xf6\x0b\x08\x3d\x81\xa1\x6e\x6a\x30\xc2\x6a\x74\x45\x6f\xbf\x8d\xdc\x24\x76\x78\x4e\x77\x6d\xf7\x49\x0a\x31\xe1\x11\x3c\xb0\xd8\x76\xd5\xca\x9f\xbf\xc3\x2c\xf6\x08\x1f\x75\x42\x01\x5b\x41\xae\x86\xf9\xc0\xbb\xfe\xd2\xb8\x47\x4b\xfc\xd7\x82\x84\x46\x7c\x22\xf1\xd6\xdf\x54\xbb\x3e\x28\xf5\xcf\xf0\x07\xe9\xd5\xd5\x59\x7c\x83\x7a\x72\xeb\x04\xef\x8d\x1
f\x3a\xc0\x60\xb9\xf1\xff\xf3\xd7\x4d\xa3\x5b\xf1\xcc\x3f\xf9\xd8\x36\xbf\xc8\xd2\xcc\xb0\x72\x14\xaf\xd3\x57\xc2\x96\xae\x04\xa5\xce\x01\xfd\xc7\x79\xe9\xb4\xae\x6d\x67\x7c\x6f\xc4\x8f\x73\x83\x06\x4f\x2d\x21\x7d\x51\xe3\x90\x60\x9d\xad\x93\x30\x22\xed\x7c\x35\xf8\x9e\x83\xb5\x55\xc8\xe3\xcc\xec\x20\x4e\x59\x32\x28\xf3\x24\x44\x27\xcf\xed\x43\xbd\x37\x1e\xe5\xf5\x84\xce\xab\x01\xf8\x8d\x1c\x99\x47\x41\x89\xb8\x76\xc9\x53\x40\x89\xdd\x5d\x04\x60\xda\x83\x3a\xfb\x14\xcb\x1c\xb1\xf4\xbf\x85\x17\xff\xf8\x6f\x94\xa9\x19\xb9\xf8\xee\xb3\x60\x88\x7b\x13\x9f\x67\x59\x05\xce\xee\xfa\x05\x78\x6f\xd7\xea\xa8\xcc\x60\x10\xee\x28\x69\x89\xb6\x26\x9a\x45\x05\x2d\x4c\x62\xf7\x42\xbd\xc2\x52\xfb\xfd\xb2\x16\x6f\x9b\x02\x15\x31\x6c\xe5\x69\xd5\x3f\x12\xd7\xff\x1e\x92\xd2\xbf\x11\xb6\xed\x6a\xec\x3f\xe3\xf6\x2c\x49\xa4\xcd\x2f\xeb\xca\xe8\xe1\xb4\x4b\x38\xea\xf1\xa6\xe7\x8f\x2d\xa3\xcd\xd9\x4e\xde\xa7\x15\x00\x00\xd7\x01\x5c\xb6\x52\xba\x46\xd3\xb2\x31\x5b\x64\x9e\xdc\xcf\x47\xb5\x1d\x45\x85\xdb\xc7\x60\x64\xa1\x2b\x05\xce\xd6\xfd\x11\xfe\x37\x03\xad\x22\x67\xf9\x62\x97\xbc\xd4\x55\x81\x07\x69\x74\x6e\xe2\x64\xe7\x3d\x90\x43\x38\x4e\x3a\xf7\xb4\x45\xfd\xa9\xf1\x2f\xff\xbc\x7d\x63\xcd\xc1\x05\xeb\xf8\xec\x1f\x52\x47\x5c\x73\xb0\x6b\x4a\xf0\x80\x03\x7b\xab\xda\x88\x88\xb0\x5b\x3d\x00\x51\xd7\xaa\x6c\x94\x91\x40\xdf\x65\x80\x6c\x83\x66\xf8\xe3\x64\x0f\x5a\x74\x70\x26\x26\x96\xbd\x3c\xd4\xdb\x85\x50\x2c\xbd\x5f\xe2\x2b\xb0\xf5\x92\x87\x76\x8f\xb9\xc5\x2e\x69\x33\xe5\x68\xe0\xd3\xce\x72\x83\xa4\x20\xc8\x9f\xd0\x4e\x93\xe5\x65\xdf\x0f\xf6\x8c\xc7\x43\xcd\xcf\x4d\xfc\x7f\xf0\x9c\xbe\x8a\x77\xa0\x20\x80\x4f\x4c\x17\x61\x28\x46\x16\xd9\x58\x40\x1f\x57\xaf\x9d\xc7\x13\x62\x99\x2b\x3f\xf3\x43\x9c\xcf\x85\xf4\x3b\x6c\x08\x50\x98\x96\x50\xd8\xf5\x5b\xa1\x92\x2a\x65\x00\xd2\x72\xdd\x42\x38\x6c\xbb\x23\xe6\xe6\x7e\xc9\x26\xa1\xca\x93\x57\xf4\xc8\x4b\x76\x71\x52\xe6\xc4\x36\x17\xde\xf9\x4a\xc6\x01\x4a\xa3\xc6\xca\x84\x18\x59\xdc\x57\x52\x4a\x72\x27\x41\x24\x65\x30\xda\x55\x06\x71\xec\x17\xd2\xa3\x4
2\xe5\x57\xb4\x3c\x08\xa9\x3c\x12\x67\x63\x7f\xff\x37\xff\x4a\x40\x85\x52\x8e\x7c\xe6\xd0\x9d\xe6\x42\x99\x6f\xff\x98\x68\x85\x44\xa7\xc2\x3b\xff\x8b\x6f\xdb\xe5\x33\x42\x4c\xcb\x11\x9a\x56\x7f\x1f\x15\xc0\xb4\x65\x0e\xd8\x0e\xfe\x24\xab\x4d\x1c\x1e\x33\x30\x5a\xfd\x2c\xea\xc6\x82\xc0\xea\xca\xa5\x66\x9e\x44\x34\xf6\x34\xb1\xc6\x12\x71\xd9\x5b\x00\x95\xc7\xb1\xa6\x2a\x2d\x07\x3a\xad\x80\xc5\x10\x15\xbb\x51\x50\x84\x5c\x11\x86\x33\xa3\xc4\xc9\x4b\x74\x63\xfe\x73\x39\x18\x2e\xa0\x1a\x7e\x28\x63\x7c\x27\xb5\xf8\x60\x68\xa7\x37\x4a\xe7\x7c\x5c\xdd\x6d\xd9\xb4\x69\xdd\x9a\x47\x5c\x37\x52\x8e\x2f\x1c\x40\x13\x23\x59\xe9\xe6\x5e\x23\xad\x45\x95\xb1\x60\xad\x9a\x2d\x83\xcc\xe0\x78\xf4\xd6\x18\x1f\xd3\x02\x6c\x2a\x0b\x13\x02\xfa\xa6\x9a\x51\x80\xa2\xc2\x0b\x3a\x32\x87\x6e\xfc\x2a\x62\x81\xc4\x09\xc2\xe6\x6e\x00\xde\xb5\x30\x98\x19\x7f\x13\x18\x5b\x7d\xa5\x89\xb0\xcf\xe2\xa3\x12\xf0\xf6\x1e\xfa\xb2\x9a\x7b\x1b\x61\x4f\xaa\x57\xed\x37\xe0\x1f\x8b\x0c\xdf\xb2\xea\x78\x67\x74\x5d\x66\x69\xa4\xa8\x95\xb9\x7e\x1e\xd2\x4c\x2f\x3c\xf2\x3e\x88\x51\x13\x8d\x9a\x64\x0c\x2c\x0b\x32\x1d\x00\xf0\xa4\xdd\x9a\x72\xfe\x5b\xa4\x3a\xc4\x7d\xd3\x1a\x01\x4d\x31\xb7\x25\xee\x28\xcd\x8f\xbe\xd0\xbc\x78\x14\x59\x80\xb5\x86\xd3\x71\x84\x8b\xb9\x67\x48\x30\x3d\x0a\xd1\xfe\x2a\x2e\x7f\x5d\xd3\x40\x70\xc6\xfc\x50\xe1\x09\xdb\xb1\x5c\xdd\xcb\xc0\x4e\x1c\xf6\x35\x8d\x10\x50\xe6\x31\x9a\x34\xf1\x45\x2f\x44\x43\x6d\x8c\xea\x13\x7a\x37\xa1\xda\xd1\x3e\xfc\x2b\x9a\x95\x87\xa4\x3c\x2c\x3f\x3d\x5a\xa3\x2c\x09\x78\x52\x0d\x24\xda\xdd\x18\xef\xa8\x12\xa7\x2d\x33\xb2\xf4\x41\xac\x88\x52\x26\x55\x5f\x7c\xd2\x54\xab\x27\x71\x75\xc4\x35\x68\x3c\x36\xdf\x69\x7c\x2f\xb5\x36\x27\x19\x48\xe5\x38\xdd\x3b\xce\x39\x09\xa5\xc8\xc3\x7e\x97\xea\x37\x36\xcd\x1a\xda\x26\xf1\x3f\x12\x1a\x99\x06\x33\xd9\x5b\x59\xe6\x73\x93\x43\x29\x93\xc0\xc8\x4f\xd6\xd5\x2b\xeb\x7e\x3d\x02\xa4\x37\xeb\x28\x1a\xf5\x73\xba\x1c\x47\xf3\x73\xf6\xcc\xd6\xe0\xb1\x83\xa2\x1c\xbe\x9f\xdb\xb8\x2c\xcc\x39\x6f\x16\xaf\xf1\x99\x9f\xb8\x39\xeb\xca\xff\x97\xf
a\x0b\xfd\x0d\x34\xcf\x8e\x57\x60\x6f\xd8\x23\x41\xdb\x31\x8e\x40\xcd\x9e\x85\xc1\x54\x46\x5d\xcc\xe1\xb7\xfd\x8b\x22\x80\x8f\x0e\x0d\x45\x4e\xf9\xa2\xb5\xa4\xc3\x5c\x0a\x12\x5b\x92\x37\x07\x00\x72\xd1\xcd\x82\x7c\xfd\xea\x8e\x3d\xe8\x33\xb0\x81\x4c\x8f\xf2\x60\xe6\xb3\x98\x07\xef\x86\xac\x67\x7a\xbd\xeb\x50\x7d\xd5\x7f\x69\x93\xd3\x03\xd5\x55\x17\x84\x0b\xd7\xaf\x1d\xb3\x98\x08\x21", 4096); res = syscall(__NR_shmctl, /*shmid=*/2, /*cmd=*/6, /*buf=*/0x200000004040ul); if (res != -1) r[14] = *(uint32_t*)0x200000004048; break; case 23: *(uint32_t*)0x2000000042c0 = 2; *(uint32_t*)0x2000000042c4 = 0; *(uint32_t*)0x2000000042c8 = 0; *(uint32_t*)0x2000000042cc = 3; *(uint32_t*)0x2000000042d0 = 0x44; *(uint32_t*)0x2000000042d4 = 7; *(uint16_t*)0x2000000042d8 = 0xff00; *(uint32_t*)0x2000000042dc = 0x80; *(uint64_t*)0x2000000042e0 = 0xe5; *(uint64_t*)0x2000000042e8 = 0; *(uint64_t*)0x2000000042f0 = 8; *(uint32_t*)0x2000000042f8 = r[7]; *(uint32_t*)0x2000000042fc = r[4]; *(uint16_t*)0x200000004300 = 0x800; *(uint16_t*)0x200000004302 = 0; *(uint64_t*)0x200000004308 = 0x200000004180; memcpy((void*)0x200000004180, "\xb8\x47\x2d\xa7\x63\xb7\xf2\x33\xe5\xd2\x38\x7c\x99\x8e\xd4\x35\x56\x57", 18); *(uint64_t*)0x200000004310 = 0x2000000041c0; memcpy((void*)0x2000000041c0, 
"\x10\xf1\x21\x59\x35\x43\xac\x48\x3e\xe5\xd9\xfc\x00\x93\xe2\x03\xb9\x27\xb4\x4b\xb5\x34\xa8\x71\x1a\x28\xdf\x30\xc8\x75\x70\xf2\x5d\x8d\xd6\x43\x46\x7a\x2c\x9e\x53\x1e\x8a\x4a\xa6\xe0\x33\xf5\x71\xb9\xfe\xea\xe8\xb6\x5d\x09\x3f\x91\x56\x28\x88\x5d\x3f\x02\x8c\x3f\x44\x47\x63\x2b\x36\xf2\x2e\x16\xc1\xfc\xb5\xe7\xbd\x69\x92\xc0\x89\xdf\x96\x1f\xee\x65\xda\x52\x26\x3c\x86\x54\x31\xc8\x32\x4d\x25\x20\x54\x27\x65\x39\x02\x00\x0e\xe5\xf2\x31\xb0\x3d\xf0\x0c\xf5\xb4\xff\x9f\x87\x79\xd3\x31\xa8\xb5\x11\xc4\xdd\xf3\xba\x9b\x68\xb4\x81\x33\xa4\xcd\x4f\x26\xe7\x37\x66\x50\xcb\xa6\x10\xc6\x2a\x68\xf4\x81\x02\x20\x00\x97\x06\xa8\x5a\x06\x31\x03\xdc\x90\xdf\x67\x13\x7a\x34\xa2\xdc\x60\xea\xcd\x86\x8a\x66\xd7\xf6\x8e\x69\xc0\x4c\xc1\x95\xfd\xc8\x08\x1c\x4b\xe4\x14\x86\x03\x24\x2c\xaf\x94\x67\x0f\x9e\x25\x55\x7e\xf9\xad\xa0\xf2\x3c\x59\x61\xfc\x07\xfe\x58\xc7\x8b\xff\x01\x3f\x83\x44\xdd\x96\x11\xe2\x31\x49\x63\xbf\x51\xdf\x6c\x98\x4c\x56\xb9\xaf", 236); res = syscall(__NR_shmctl, /*shmid=*/0x10000, /*cmd=*/2ul, /*buf=*/0x2000000042c0ul); if (res != -1) { r[15] = *(uint32_t*)0x2000000042c4; r[16] = *(uint32_t*)0x2000000042c8; } break; case 24: *(uint32_t*)0x200000004540 = 0x9732; *(uint32_t*)0x200000004544 = 0xee01; *(uint32_t*)0x200000004548 = 0xee01; *(uint32_t*)0x20000000454c = 5; *(uint32_t*)0x200000004550 = 4; *(uint32_t*)0x200000004554 = -1; *(uint16_t*)0x200000004558 = 5; *(uint32_t*)0x20000000455c = 0x80000000; *(uint64_t*)0x200000004560 = 9; *(uint64_t*)0x200000004568 = 5; *(uint64_t*)0x200000004570 = 0x8001; *(uint32_t*)0x200000004578 = r[7]; *(uint32_t*)0x20000000457c = 2; *(uint16_t*)0x200000004580 = 0xffc; *(uint16_t*)0x200000004582 = 0; *(uint64_t*)0x200000004588 = 0x200000004440; memcpy((void*)0x200000004440, 
"\xae\xb6\xd5\x07\x3a\xfa\xa3\x1c\x2e\x2b\x2c\x26\x91\x12\xdf\xff\x49\x39\x37\x39\x22\x07\xd1\x3f\xcd\x1a\x8e\xba\xa9\x97\xfd\x97\x6c\xcf\x81\x7f\x42\x90\xa8\x95\x65\xf4\x5f\x54\x38\x2b\x31\x3d\x34\x98\xe2\xa6\x76\xfb\x90\x8e\xe4\xd8\x92\x13\x1f\x01\xb8\x3d\xed\xd0\x94\x98\xc8\xc2\xc5\x6d\xf4\xef\x1c\x82\x32\x32\x0b\x42\xd5\x83\xcc\x60\x61\xc9\x2c\xc0\x6c\x76\x4f\xb0\xd4\x46\xa8\xb9\xa5\xf1\x90\x3c\x9b\x2b\x2b\xa4\x5c\x1e\xce\x47\xcd\x24\x9f\x20\x1b\x45\x7e\xe0\x3c\x79\xfb\xe2\x6f\xee\xa6\xde\xc1\x42\x68\x9a\xe2\x1b\x9c\xed\x84\x39\xf1\x0a\x2e\x3b\x65\x7a\x1e\x3a\xb7\x38\x54\xc1\x33\x8b\x6d\xb9\x05\x24\x8a\xe4\xbc\xee\x97\x3d\x06\x8e\x9b\xd4\x9b\xf4\xf9\xe8\xd0\x17\x7c\x72\x61\x2b\xce\x4e\xf6\xb4\xd7\x6c\x09\x39\x96\xde\x65", 183); *(uint64_t*)0x200000004590 = 0x200000004500; memcpy((void*)0x200000004500, "\x24\xa7\x29\x1c\x4a\xbc\x17\xba\x4a\xcd\xe1\xc6\xfb\xdb\x58\x89\x6a\xd2\x7d\xad\x25\x64\x40\x20\x7f\xf6\xa5\xe4\x8f\xf2\xa6\x18\x5f\x2c", 34); res = syscall(__NR_shmctl, /*shmid=*/0xfa95, /*cmd=*/0xbul, /*buf=*/0x200000004540ul); if (res != -1) { r[17] = *(uint32_t*)0x200000004544; r[18] = *(uint32_t*)0x200000004578; } break; case 25: memcpy((void*)0x200000000700, 
"\x2b\xce\x17\x78\xfe\xc9\xa1\x28\x6b\xf6\xab\xa5\x3c\x3a\xc4\x02\x86\xad\x6a\xa7\x11\x2d\x6f\x2f\xca\xbf\xd2\xba\x71\x3e\xaa\xdc\x81\x39\xe1\x4f\x61\x80\x70\x12\x6a\xc3\xa3\x8a\xd9\xcd\x7b\x5c\x94\xb1\x78\x3b\x26\x11\x52\x07\x29\x35\x3d\x56\xfc\x5b\xd5\xcb\xd4\xf1\x1d\x01\x35\x9c\xa9\xeb\x2e\x0c\x4c\xc6\x60\x95\x84\x6c\x2b\x10\xd4\x1e\xb8\x46\x77\xf1\xc3\x52\xbd\x90\xeb\xfa\x66\x12\x3a\x7a\x19\xf4\x5c\xae\xa8\x4f\x12\xe7\x76\x57\x93\x32\x46\xc4\x4a\x20\x9a\x4b\x9f\x15\x56\x87\xe2\xa4\xfd\x90\x2f\x57\xea\x49\x08\x5f\xaa\x76\x01\x19\x40\x68\x27\xdb\x2e\x6a\xde\x20\x29\xf8\x20\x1d\xe4\x7e\x97\xb1\x33\x85\x3a\xe7\x32\x14\xa7\x96\xe4\x81\x8d\x39\xcf\x10\xa8\xe6\xa6\xf1\x1a\x88\xe0\x82\xc9\xaa\x25\x85\x7a\x67\xa3\x2f\x35\xbc\x8f\x86\x7f\x04\x4d\x0f\x32\x99\x53\xdc\x06\x02\x24\x9d\x83\x19\x7e\x0e\xf5\xc9\x83\xb9\xd5\x56\xbd\x52\x7a\x6a\x59\x9f\x52\xa2\x11\xf9\xc7\x11\x3e\xdc\xc0\xe9\x3f\xc1\x8e\x79\xed\x69\xfb\x2a\x7f\xde\x97\xc9\xc3\x5e\x31\xe3\x5f\x07\x71\x37\xc8\xfd\x8b\xec\x40\x18\x14\xfb\x99\x81\x6d\x1e\xe5\xa5\xe7\xed\xc2\x10\xc6\x10\x97\x0d\xaf\x8a\xea\x89\xac\xbb\x75\x40\x82\xd8\xf6\x8e\xb4\xa0\x01\x06\x53\xc7\x06\x84\xa8\xdd\x7c\x00\x2b\xa7\xe4\x61\xc8\xdc\xc4\x5c\x22\x86\xda\x34\x27\x35\x14\x18\xcb\x24\xa9\x4d\x65\x56\xd6\x9e\x2a\x31\x9b\x5c\x0e\x69\xe6\xbf\x11\x1a\x9c\x45\x46\x7c\x41\x57\x5f\xdb\xfc\x26\x46\xda\xfd\xa3\x17\x9b\x0f\xca\xcc\x14\x9b\x45\xef\x10\xdc\x13\xf5\xfc\xe2\xe4\xa2\xc2\x2c\x2a\xe9\x92\xbc\x6b\xd5\x13\x23\xe7\x24\xe4\x66\xc7\x36\xdb\x1d\x34\x57\xee\x0f\x7d\xe1\x47\x66\x1d\xba\xdc\x94\x2b\xf0\xdf\x2f\x08\x9e\x98\x03\x81\xae\x88\x8a\xb0\x22\xfb\x54\x5c\x03\x43\xc4\x08\x7f\x2c\x1b\x6a\xe0\xcd\x21\xd0\xfd\x65\x65\x79\x09\x58\xc9\x3a\x67\x59\xa5\x75\x4b\x70\x0a\x6f\x53\xab\xbc\xa7\xd2\x2c\xdd\xcd\xd7\x09\xb2\x79\xd1\x11\xd6\xce\x1f\xd7\x91\xeb\xca\xf2\x60\x48\x09\x86\xb3\x21\xce\xcc\xf9\x55\x61\x8b\xbe\xa2\x78\x1d\x33\x14\x90\xcd\xe5\x73\x47\x93\xab\x07\x5f\x5a\x72\x93\x21\xae\xe1\x77\xfc\x3c\x20\xef\xd0\x79\x74\x46\xe5\x12\xc6\x25\xa3\xbc\x1a\x5
6\xf4\xc0\x18\x89\xf5\x74\x93\x3b\x72\x6f\x74\x37\xee\x04\x94\x91\xbc\xb9\x1f\x1c\x63\xa0\xb1\x75\xe2\xce\x56\x75\x07\xdd\x35\x4b\xf2\x6b\x08\x05\x9a\xc2\x29\x04\x6a\x6e\x75\xd3\xd3\x21\xee\x63\xc5\xab\xc1\xa7\x40\x9e\x20\x7e\x6f\xc5\x16\x79\xdf\x37\xbc\x7b\xa3\x39\xcb\xce\x32\xd4\x5a\x96\x09\x06\x88\x51\xb0\xa7\xf5\x81\xaa\xed\x7e\x99\x5c\x36\x77\x9d\x07\xc3\x57\xe5\xd9\x76\xf6\xde\xee\x4f\x36\x84\xf9\x7e\x7c\x61\x9d\x3c\xcc\x28\x72\x2f\x13\x0d\x93\x6d\x3c\x07\x3b\x9b\xb5\x19\x4e\xb9\xff\x69\x91\x0c\x6a\x3d\x58\x58\xc2\x86\x2b\xa8\xce\x94\x25\xce\xc1\xe8\x01\x18\x2a\x7f\xb5\xc7\x01\x7a\x41\x85\xd1\x3f\xeb\x35\x38\x29\xdc\x68\x1a\x56\x19\xf0\xa0\x2d\xb6\xeb\xde\x86\x0c\xf7\xc6\x29\x4d\x21\x45\xf9\xa5\x29\x18\x49\x76\x2d\x93\x81\x66\x82\xd1\x91\x89\xdd\x76\x82\x80\xdf\x4a\x68\xc8\x08\x01\xf6\x6a\xba\xbd\xf7\x22\xec\x21\x3a\x7b\x7f\x58\xc4\x61\x48\x68\x69\x00\x66\x9b\xdb\x0c\x64\x3d\x00\x5d\x60\x0d\x95\xc5\xcb\x5d\x28\xac\x4c\xd4\xc7\x02\x22\x94\x35\x2e\xd1\x35\x0c\x4e\x75\xfe\x89\x27\x89\x53\x92\xb0\x06\x2c\x78\x29\x2f\xc1\x5a\xd7\x03\x8d\x1b\xdd\xc9\x94\x53\x5e\x73\xcc\xc3\x3c\x9a\xb2\x33\x11\xd6\xf6\x5d\xe5\x98\xf5\xee\x9f\x91\x34\xca\x4e\x4b\x40\x9f\x21\xb0\xb0\xe4\x0f\x36\xaa\x5c\x78\x2b\x7b\xb8\x64\x70\x7a\xfd\xce\x1e\x7c\xfe\x5a\x27\xc1\xef\x3d\x2d\xc1\x41\x05\xd6\xa4\x89\xb8\x7e\x7a\xe1\x67\xae\x87\xa5\xf3\xcd\xa0\xb8\xa6\x22\x17\x62\x97\xf5\x32\x8b\x79\x69\x0d\xf9\x89\x79\xa4\x80\x6d\xea\x06\x93\x95\xf5\xb8\xe5\xbc\xec\x68\x3f\xd3\x9b\x86\xbc\xef\x86\x5d\xe6\x0f\xe4\x07\x29\x1d\x12\x7c\x4f\x00\x68\xbe\xc8\xae\x95\x73\x8f\xce\x42\x20\x5e\xf7\xcb\xba\x2a\x10\x76\x6e\x32\x19\x1c\xb4\xe5\x0c\x06\xdc\xf6\xca\x3a\xe7\x8c\x0c\xaa\x65\x8f\xd5\x8b\x65\x2c\xab\xdd\xe1\xdf\xa9\xd1\xf5\x4a\x44\x79\xad\x61\xd2\x5a\x47\xff\x08\xb3\x12\x25\x60\x09\x9b\xde\xc5\x5d\xeb\x11\x0e\x40\x6e\x08\x59\x53\x40\x88\x7e\x49\x67\x74\x54\xb6\x08\x60\x15\x3c\x4b\x1f\x7c\xeb\xef\x25\xda\xd0\x82\xf4\xd3\x40\x20\x78\x29\x8b\xfd\x39\x0b\xc7\x66\x23\x45\x95\x91\x8c\xbb\x3b\x6c\xdb\x99\x61\xe1\xb
b\x1d\x4f\x7c\x7f\x24\x01\xa8\xd8\x0a\xc6\x2b\x14\x62\x4a\x3b\x16\xd9\x70\x46\xfc\xef\x8d\x02\x5d\xeb\x79\x40\x94\xd2\xce\xa5\x0c\xcb\xe2\x72\xe1\xc7\x9a\x71\x67\x80\x3c\x40\xa4\xcc\xee\x13\x84\x44\xe7\xa4\x15\x34\x77\x83\xbf\xe0\xff\xda\x3d\x50\x01\x6d\x0f\x6b\x1b\x06\x12\x6f\xcd\xd9\x23\x7a\xac\x40\x0b\x85\x49\xe4\xc1\x91\x7a\x25\xdb\x59\xcd\xba\xe2\x9d\x1e\xa5\xbd\x7d\x25\xc5\x75\x02\x2d\xc5\x5f\xf3\x2e\xd4\x2a\x61\x0e\x23\x94\x79\xbe\xab\x0d\xd6\x2a\x30\xa4\xfb\xed\xa0\xfc\xfe\x1d\x0b\x61\x3a\x8d\x06\x69\x33\x46\x6a\x9a\xb3\x12\x62\x70\x1d\x08\xe7\x79\x28\xf8\x8c\xf8\xa8\x38\xe9\x72\x98\x93\xe5\x50\x70\xef\xcc\x83\x73\x6f\x3c\xb3\x2e\xef\xc0\x8f\x24\x0d\x44\x9a\x61\xcd\xf2\x11\x6c\xe4\xea\xe7\xb9\x66\x9c\xe6\xfc\x52\x8b\x98\x34\x01\x2b\x0f\x7c\x54\x25\xc2\x62\x23\x7a\xe8\xa3\x01\xb6\xcf\xc0\x3a\x57\x9c\xb1\x09\xdf\x41\x7d\x85\x14\xaf\x61\x2d\x32\x0d\x0e\xd9\x6b\x7f\x7e\x4a\x48\xaa\xa3\x0f\x6c\x8f\x42\x7d\xb2\xf9\x81\xbe\xf3\x60\xb9\xd8\xc2\x77\xc8\x4a\x80\x15\xf4\x9b\xb8\x84\x0d\xfd\xbf\xd5\x40\x2a\x05\x3f\xbe\xdc\x07\x51\x58\x7e\xbf\x6d\xf4\xd6\x92\x85\xcc\x39\x8e\x98\xa7\xfc\xd6\x88\x76\xeb\x2b\xf6\xf9\x4f\xc0\xd0\x3d\x7a\x93\xb1\x44\x6c\xf2\xac\x7e\xc1\x1f\x8c\x3b\x62\xfc\xc0\x74\x1c\x37\x6d\x15\xcc\xd8\xdc\x9c\x85\x92\x94\x53\xa1\x77\xbc\x24\x24\xb3\x74\xcc\xad\x51\xa5\x7b\xd0\x52\x90\x24\x1e\x00\x38\x9e\x5d\x97\x33\xda\xc8\x43\xb2\x5f\x43\x94\xdb\x45\x0f\xe1\x6f\xdc\xbb\x56\x33\x37\x90\x04\x4d\x65\xad\x60\x6a\xe8\xca\x97\xce\xec\x3f\x80\x9d\x78\x90\x49\xa3\x29\x88\x81\x33\x9d\x2e\xd1\x60\x2f\x2b\xf2\xbd\xe3\xcc\x87\x16\x3c\xf1\xdc\x3f\x8e\x32\xe8\x59\xac\x7b\x2d\x27\x1a\xe4\x2a\x7a\xd0\x5e\x6f\xda\x9b\x98\xc1\x4b\xe9\xa3\xf6\x5b\x16\x25\x37\x43\x99\x59\x82\x23\x7d\x31\x30\xd1\x5a\x18\xf8\xf5\x32\xa8\xd0\x27\x3e\xab\xb3\x38\x67\x02\x85\x98\x33\x84\x47\x81\xdc\xeb\xf2\x16\x4f\x0a\x4b\x14\x11\xd8\x82\x99\xfa\x82\xe7\xba\xb7\x1a\x08\x36\xd5\x0b\x41\x8a\x6a\x47\xf7\x47\x22\x0f\xef\xee\x26\x85\xaf\x32\xc2\xde\x7c\x33\x75\xcc\xa1\x19\x14\xf2\xda\x17\xec\xc4\x6e\x6
3\x5a\xfd\xa8\xc3\x6f\xef\xf1\x0c\x7d\x6e\xbd\xcf\x7d\xa4\x41\x4b\x4f\xdb\x28\xc4\x2f\x73\x8c\x95\x61\xa6\x56\xb0\x1c\xa0\xbc\xb0\x22\x4e\xc8\x03\xe6\xa2\x38\x64\xe0\x14\x38\x97\x4b\xba\x22\x36\x92\x12\xca\xf0\x53\xe5\x60\xcf\x11\xac\x83\xec\x04\x85\xf5\x70\xf6\xe5\x36\x74\x42\x43\xc2\x11\xfd\xc0\x3c\xb3\x59\x04\xf1\xb3\xad\x1e\x79\x65\xd4\x73\x1a\xa0\x48\x21\x5d\xbe\x3b\x33\xd0\x96\x3b\x0d\x5c\x0e\xcc\x90\xfa\x99\x99\x7f\x19\xb5\x83\x57\x48\x68\xb4\x08\x1c\x9e\xa2\x71\x23\x43\xb9\x18\xd2\x2f\xa3\x7e\x8d\xf4\xdb\x67\x0a\x4b\xe4\x29\x5f\x69\x9c\x92\x4c\x4b\x7f\xeb\x71\x10\x3d\x9a\xef\x02\x70\xde\xd2\x9d\x4f\x42\xaf\x37\xa4\x87\xe2\xbc\x8d\xc0\xb0\xbd\x3f\x68\x70\x38\x5a\x1a\x8a\x98\x42\x20\xf7\x9a\x47\xa9\x81\xe9\x87\xdc\xa4\x46\x95\xce\x64\x87\xd5\x3c\x01\x90\x10\x54\x3b\x20\x42\x22\xef\xae\xf7\x20\x8d\xfa\x23\xf8\x08\xc4\x56\x13\xd5\x14\x46\x8b\x97\xfe\x57\xdf\x91\x1e\xac\x0c\x90\xed\x04\xf0\x06\x49\x32\x1c\x3a\xbd\x27\x01\xec\x1a\x01\x22\xb4\xbb\x48\x37\x7b\x5e\x92\x51\xc0\x20\x3f\xaf\x08\x98\x26\x0f\xf7\x47\xc5\xa8\x2e\xed\x23\x42\x50\x15\x88\x51\xa5\x09\x06\xac\x54\x92\x71\x9f\x97\x0a\x90\x62\x00\x5e\xf1\x67\x55\x76\x35\x1a\x8b\x3d\x9d\xda\x73\x5c\xc6\x5b\x82\x09\xe9\x86\x68\xb8\xd4\x97\x88\x5f\xb1\xd9\x1d\x89\x3e\x3e\x3f\xe9\x6d\xbf\x56\xb6\x1c\x60\x6a\x84\x63\xc4\x1f\xd8\xc9\xbe\x64\xdf\x1a\x59\x56\x27\xfc\x71\x14\x38\xee\xa8\xdf\xb7\x32\x35\xa4\x7b\xe9\xc0\x37\x04\xfe\xda\x19\xe5\x4f\x65\xa2\x87\x62\x94\x49\x5a\xca\x4d\x61\x1c\x9b\x43\x84\x29\x15\xfa\x7a\x51\xe4\x5e\x16\xc7\xd2\x28\x17\xc1\xb1\x59\xe0\xbf\x53\xdf\xfe\x16\xed\x63\x41\x61\xbe\x4c\xc9\x16\x9c\x95\x2b\x0b\xb5\xfb\xf4\x45\xae\xe0\xe9\xd3\x86\xd3\x00\x61\x18\x57\xc7\x0e\x95\xcf\x2e\x42\xa3\xe7\x9b\xf7\xc2\x02\xb7\x7c\xe4\xf5\x2d\x5e\x8d\xdf\x50\xd5\xdb\x3f\xa1\x0e\x95\xf2\x4d\x65\x61\x86\xd3\x56\xde\xdc\x85\xc6\xf8\x68\x4b\x81\x02\xeb\x01\x9c\x18\xda\x8a\x66\x3d\x70\xbe\x24\xea\xd9\xf1\xdc\xed\x78\xbd\x06\x8a\x6c\x9b\x32\x4d\xd7\x47\x73\x43\x18\xeb\xc6\x2a\x4a\x9c\x74\xeb\x34\x22\xcc\xde\xe0\x2f\x9
4\x7c\x1a\x76\xe7\x38\x54\x28\x06\xff\x2c\x9c\x85\x1a\xb7\x12\x17\xf7\x53\x9d\xa9\xc3\x35\x0a\x1f\xbd\x5e\x53\x90\xa0\x48\xcc\xac\x1f\x54\x13\xab\x2d\x81\x47\xd7\xb2\xd7\xd4\x93\x3e\x24\xd7\xff\x0d\x16\xfa\x34\xe2\x38\xe9\x31\x62\x27\x30\xda\x47\xe8\xee\x85\x35\x49\xf5\x7d\x8c\xd0\x41\x1f\xd3\xdd\xcd\x5d\x6b\xf3\x63\x88\xd0\x36\x86\x62\xf9\x5d\xae\x7d\x3b\xcb\x93\x2d\x62\xe0\xf8\x95\xa5\x6b\xd8\x79\xd1\xf5\x70\x43\xeb\x6a\xd4\x6e\x35\x97\x6c\x4f\xa6\x24\x42\x21\xe9\xa6\x8f\xb5\xa9\x3f\x25\x68\xc1\x77\x2a\xd1\xfa\xef\x2a\xab\x00\x21\xfe\x7d\xbc\x57\xf3\xa7\x77\xdd\xfe\x61\xf4\x1c\xc3\xf7\xdb\x0b\xbf\x63\x7b\xd4\x8f\x72\xd1\x1d\xd0\x52\xfb\x4e\x32\x52\x0d\x41\x39\xce\x9b\x92\x06\x21\xf1\xeb\x6f\x37\x88\x71\xf1\xe7\x94\xc3\x87\x59\x65\x0a\x0a\x74\x2c\x0e\x34\x03\xb6\xbe\x88\xe3\x19\x20\xc0\xf3\xaf\xb5\x8c\x68\x6b\xea\xee\x1d\x65\xd6\xd8\x3b\x8e\xaf\xa7\xd0\xbc\xaa\xef\x87\x5e\xfa\x7a\x27\x37\x1c\xac\x05\x99\xd4\x1b\xa5\x1a\xa5\xce\x65\xce\x48\xbc\xa2\x4d\x4a\x43\x8e\x6e\x3a\xc3\x3c\xf1\xfc\x7c\xd8\xcc\x3c\xd9\xb7\x51\x16\xb5\x3a\x09\xd9\x81\x41\xfc\xcd\xf0\xb0\x8d\x8f\x9d\x6e\xfd\xed\x52\xd1\x01\xc3\xed\x6b\x27\xf6\xc6\xe4\x2f\x9b\xa1\x99\xf3\x9c\x9a\x33\x77\x28\xbd\xe0\x5b\xbe\xee\x63\xe4\xdc\x68\x0e\xcf\x0f\x02\x0b\xcb\xbb\x7b\x6a\xd0\xba\x9b\x2a\xa6\x14\x39\x1e\x8a\xa4\x15\x52\x13\x73\x56\x95\x3e\xf2\x15\x35\xca\x4e\x32\x20\xa2\x6f\x06\x1c\x7e\x78\xeb\x42\x42\x88\x98\x16\x95\xe6\x51\xf6\xda\x90\x57\xc6\x11\x02\xf5\xd5\x8d\x33\x13\x58\xd6\x91\xce\x1b\xd7\xf6\x81\x60\xcb\x76\xfe\x77\xf0\x3f\xfd\x46\x0e\xcd\xa1\xfd\xb1\xa7\x83\x33\x89\x3f\x1d\xc5\xd0\x35\x7d\xc2\x43\x35\xd3\xf1\x2d\x7d\xf9\x13\x31\x69\xd9\xd2\x14\x45\xb6\xa5\x81\x95\x66\x3d\xa0\x33\x06\x31\xb7\x32\xc1\xdc\xc3\xe6\x58\xf2\x37\xf0\xf6\x9a\x11\x60\x2d\x4c\xac\x64\x68\x35\x3f\xaf\xcb\xf4\xca\xd1\xa3\xa2\x6d\x2d\xed\xdb\xa7\xcc\xc8\x86\x34\x7f\xf0\x59\xda\xcf\x96\x96\x98\x00\x18\x53\x30\x7a\x3c\x5b\x36\x34\xde\xa1\x62\xe6\x3b\xd2\x7b\x7c\x9d\xab\x63\xa6\x70\x59\x29\x9d\x69\x42\x67\x5d\x10\x68\x8a\x79\x7d\x6
b\x51\x63\xea\xb8\x3b\x45\xb1\x84\x60\xc2\x8d\x6a\x83\x37\x1e\xca\x62\x6e\x9b\xdb\x94\xb9\x0a\x11\xa7\xfb\x7f\x7d\x9f\xec\x0d\x77\x3c\xc0\x56\x66\x36\x29\x2c\x7d\x90\xde\x64\x79\xae\x9f\xfc\xe8\xc3\x4e\x28\x4f\xf2\xfb\x4d\xa4\xc0\xb4\x62\x9a\x02\x3f\x1e\x9c\x1e\x79\xc5\xd6\xba\xe6\x25\x2c\xd4\xa3\x01\x53\xe8\xc1\xeb\xf0\x83\x89\xc2\x06\xd6\x6b\xec\xe9\x02\xed\x87\x7c\x36\x75\x6b\x3f\x9c\xaf\xe8\x41\xca\x61\xbf\xf3\x15\xfa\xe3\xaf\x3a\x18\x56\x3f\x71\xa7\x7e\xeb\x6f\xde\x0d\xb2\xce\xa7\xfe\x49\x4a\x78\x39\x1a\xfc\x1b\x21\xb2\x33\xe0\xc4\xb4\xa1\xa2\x3e\xee\x6f\xeb\xa1\xae\xe1\x12\x4e\xb0\x4e\xc4\xd2\x3b\x6a\xe5\xcc\xaf\x13\xac\xdb\x65\x6c\x72\x70\x7f\xed\x01\x0f\xc4\xab\x31\xba\x09\x3a\x22\xfa\x85\xe4\x73\x89\xac\xaf\xe2\xa2\x22\x98\xe5\x1d\x36\x73\x26\x95\x00\x8e\x65\xaf\xfd\xa7\x56\x13\xbb\xd2\x2f\x86\x9b\x05\xe9\xda\xfe\x41\x1d\xa8\x54\x9f\x14\x1e\x01\x8b\x36\x20\x49\xc6\xaf\x4e\xd7\x82\x37\x81\x72\xc5\x5a\xe7\xb1\xd0\x05\xa1\x90\x86\xc2\xab\x19\x74\x2f\xf7\xf9\xb3\x29\xdc\x56\x7f\x61\x47\x30\xef\x3e\x74\x78\xb6\x22\x09\xec\x2d\xb9\x0f\x3a\x60\x37\xaf\x0c\xb7\xbd\xcc\x8b\xad\x8b\x32\x86\x4a\x41\x67\xa3\x70\xd0\xf9\x16\xdc\x75\x1f\xb2\x8e\xe9\xc8\x00\xe5\x9e\x2e\x37\x20\xdb\xff\x36\x3b\x28\xcf\x26\x98\xfd\xb3\x06\x1b\xc3\x91\x97\x67\x7e\xfb\xca\x4f\x86\xda\x8a\x97\x6a\x1f\xe5\xf9\xe1\x83\xab\x9f\x3b\xdc\x9a\xb6\xae\x44\xb8\x71\x3a\x1e\xe0\x7b\x89\x4b\xf3\x74\x90\x46\x4f\x9d\x2c\x4f\x5a\x2a\x46\xc6\xb3\x03\x53\x43\xb9\x26\xdc\xa5\xd9\x93\xec\xb0\x74\x19\x1d\xf0\xe5\x0f\xbb\x11\x4c\x82\xb3\x69\xe1\x9d\x8c\xe9\x58\x02\x5e\x12\xa6\xe1\x35\xc3\x3c\x4e\x70\x40\xf2\xe5\xe4\xab\xb1\x43\xba\xfb\x7c\x71\x21\x44\xa9\x91\x09\xb0\x0d\xfd\x72\xf6\x6d\x6a\x5d\x7d\x1e\x6a\xea\xef\x79\x4f\xa4\x04\x57\x53\x28\xfe\xef\xd9\xc2\x08\xae\x71\x02\x36\xda\x12\xde\x52\x5c\x78\x40\x3e\x78\xfd\xcf\xb5\xcb\x34\x48\xf9\x38\x09\xea\xdb\xf8\xc6\xca\xec\xa7\x02\x83\x3a\x3d\x30\xbb\xaf\xe9\x4c\xa1\x4b\x5e\x91\x86\x4a\xa5\x75\x40\x94\x98\x93\x9c\x5b\x2c\xce\x2d\x33\xd1\xf1\x4a\xe3\xd7\x16\x9f\xfd\x5
1\xa7\x42\x1d\x2b\xe6\xa4\xf6\xce\x0d\x7f\xd5\xdd\x83\x4e\x02\x0c\x3e\x69\xcf\x5d\xeb\xe6\x9e\xe8\x63\xf5\x70\x2b\xab\x78\xfe\xcc\xd2\x85\xab\x47\x2b\x56\xd1\xc0\x6c\xe4\x0a\x79\xef\x15\xc0\x72\x36\x16\x36\x31\x74\x13\x72\x66\x43\xc9\x50\xc6\x7e\x57\x6f\xfd\x80\xd5\xf8\x08\x07\xb6\x72\x97\x36\x54\x7b\x00\xa0\xd4\x58\xe9\x3b\xf9\x64\xf4\x7d\xa3\x50\x77\x47\xec\x32\x3d\x31\x08\xc4\x49\x82\x62\x24\xea\x09\xaf\xa3\x66\x13\x33\x1a\x96\x1c\x5c\xf2\x59\x25\x2d\x0d\xac\xb5\x02\xfb\xc9\x87\xbb\xf6\xb1\xc8\xc6\x22\x5a\x6c\x0e\x65\xeb\xb5\xa5\x59\x45\xc5\xa0\x64\xec\x34\x6f\x84\x27\x0e\x3b\x38\xa1\x2a\xe7\x2c\x17\x80\x99\x75\xad\xa7\x2b\xad\x05\xa1\x2f\xda\x83\xf1\xb0\x0a\x42\x31\x04\x81\xca\x2a\x09\x90\xb6\x63\x96\x4e\x19\x4c\x92\x5c\x99\xce\xe8\x62\x79\xf6\x2c\x64\x54\x8a\x57\xd3\xf1\x67\xd6\x21\x3a\xcc\xbe\x67\x9a\x9f\xc2\x04\xd2\x10\x31\xf6\x4b\xd5\xf6\x8e\x8c\x75\xcf\x80\xaf\x20\x7c\xba\x25\xaa\x42\xfb\xc7\xdf\x07\x34\x25\x70\x00\xe5\xe9\xc2\x23\x36\x6d\x1d\xf4\x6f\x50\x8b\x8a\x8f\xba\x49\x33\x35\x2c\xb7\xc3\xf0\xe2\x5d\x66\xd8\xc5\x12\x9b\xdc\x46\x7d\xcd\xaf\x4f\x4a\x87\x1f\xea\x52\xb7\x07\xc8\x5c\xa1\xad\x30\xf0\x08\x04\xba\x50\x0c\xfb\xb2\xee\xe1\x8c\x68\x42\x09\x1c\x12\x0f\xf9\xf5\xfe\x91\x5a\x75\xa6\x23\xe5\x40\x7e\x77\xb2\xf2\xd7\xaa\x46\xe2\x4c\x96\x98\x6a\x60\x86\x55\x17\xc2\x67\x94\x5d\x39\x16\x92\xa1\xd3\xfe\xff\xc9\x35\x57\x67\x87\xc9\x0d\xa8\x46\xf9\x59\xe2\x6e\xef\x2f\x98\xce\x0b\x13\x17\x4f\xe4\x56\xc5\xd3\x3f\xb6\xbb\x65\xe8\x60\x3a\xf4\xf1\x02\x92\x9d\x84\x22\xb8\xbb\x5a\x24\xe0\xbe\xc7\x21\x4e\xe2\x3d\x9b\x8d\xd0\x7e\x7d\xaf\x18\xd8\x3f\xa6\x6d\x84\x9b\x91\xc7\x08\xf9\x9b\x46\x85\xc7\xb5\xdc\x95\x6d\x95\xc7\xfc\xea\xe7\x75\x9f\xea\xa0\xd2\xa0\x1f\x26\xb1\x7b\x9e\x5a\x23\x0c\x18\xc6\x10\xa7\xe7\x24\xdb\x79\xbe\xcd\x4a\xc0\xf1\x76\xbc\xf2\x04\x49\xe9\x0c\x3f\xae\x89\xc3\xa9\x93\xe2\xf9\xc5\x1e\x42\x8d\xc0\xbd\xdf\x67\xa7\xcd\x11\xf9\xce\x0d\xaf\xb4\x27\x7c\x32\x81\xb8\x8f\xa7\x13\x8d\x21\x7d\x79\xfe\x3e\xd7\x2b\x19\x5f\x27\x82\x0e\x33\x22\x9c\x5a\x6d\x7f\x4
9\x37\x20\xf9\x19\x0a\x1c\xb2\x29\xa3\xbe\xa0\xa7\x8f\x62\x9d\x00\x59\x3c\x98\x8c\x2d\x3f\xa0\x9f\x89\x35\xe2\x5b\xcd\x4c\xe0\x27\x6a\x16\xf2\x30\x6f\x7c\xbc\x89\x12\x52\x35\x91\xed\x88\x92\x1a\xa7\xae\xfe\x26\x71\x2f\x81\x02\x89\x06\xd7\x30\xfb\xe8\x19\x95\x52\x1e\x02\xe3\xdd\xfc\xa0\xf8\x81\xcb\x98\xa6\x61\xd2\xcf\x8d\x1f\xc3\x10\x84\x5d\xf4\xec\x58\x8c\x2b\x30\xfd\xfc\xe1\x81\xe6\xef\x9a\x65\x4e\x83\xfa\x69\xb7\x73\xfb\x51\x71\x77\x74\x93\x6e\x6d\x03\x77\x54\x78\x2f\xbf\xf1\x3d\x32\xa5\x0c\x75\xe2\x75\x3b\xca\xf4\xae\x37\x35\x26\xe6\x10\x60\x5f\x07\xc6\x77\xae\xda\xc8\xda\xf3\x79\x28\x3f\x2e\x59\xae\xdd\xe2\xc0\x19\x53\xd1\xbe\x45\x91\xef\x16\x5c\xa1\x90\x6d\xeb\xdc\x0b\x8e\x47\xde\xf1\xa3\x4d\x3c\x3a\x4c\x12\xea\xe8\x96\x68\xd1\x43\xd1\xb0\x98\x4f\x94\x50\x44\x70\x9d\xf8\x68\xd0\x97\x55\x14\xdc\x10\x93\x09\x0b\x0f\xe4\x29\x62\x34\x5e\xf4\x0b\x0d\xd8\x4f\xf7\xa2\x0f\x39\x4d\x5b\x3f\xc5\xa5\x5d\x69\xb4\xbb\xd0\x0b\x53\xe3\x17\x4c\x76\x0c\xb9\xc7\x9f\x27\x52\x75\x55\x8c\x69\x67\xf0\x3c\xb7\xb5\x4e\xc6\xc2\xa8\x60\x2a\x55\x57\xc4\x8e\x0c\xce\xae\xbc\x38\xc4\xcb\x35\xf1\x71\xfa\x42\x62\x2b\x1e\x8b\xe6\xdd\x32\x33\x75\x03\x3e\xde\x7b\xea\x93\xb6\xd6\x67\x75\x8f\xb9\x97\xcc\xee\x89\x6c\xb3\xa0\x3e\x47\xfe\x8b\x51\xbf\xef\xd7\x16\x5b\x4b\x16\x25\x46\xc2\xe4\xd4\x67\x10\x35\x3b\x73\xf6\xf1\xde\xa1\x7e\x44\x2b\x82\x72\xf6\xaf\xf9\x9c\x86\x43\x72\xe4\xc3\xe5\x63\x1b\xb7\x39\xb5\x9a\xd1\x23\x5a\x18\xaf\x7d\x59\xb7\x93\x20\xa4\x1b\x7c\x0e\x8d\x64\xd5\xa7\x94\x81\xcc\xe1\xe3\x1b\x33\x4a\xb3\x3e\x92\xe6\xa4\x29\x7f\x3d\xef\x0f\x1b\x34\x67\x5c\x7d\xe9\x10\xfe\x38\xe4\x94\xee\x01\x4b\xb8\x44\xe7\x07\xbd\x30\x2b\x24\x78\x6b\xd6\x06\x2b\xac\xb8\x2d\x52\x7a\xcd\xca\x23\x6f\x21\x7b\xf0\x47\x47\x42\x47\x6e\x6a\x93\x25\xd9\xee\x28\x2d\xee\x43\x63\x6b\xeb\xa5\x41\xe6\xaf\x65\xba\xb1\xf5\x82\x33\xa6\xf5\x58\xd8\xc6\x01\x9f\x4e\xe4\xc8\xe8\x33\xea\x16\x18\xb0\x53\xb3\xcd\xb8\xf8\x8f\x09\xce\x12\x25\xa6\x8f\x31\x9d\xe5\xbc\x58\x3e\xb3\xd2\x2f\x27\x32\x34\x3e\x9c\x0a\xcb\xd8\xef\xde\x7d\x9
c\x0f\x22\x40\x6b\x9d\x1b\xeb\x10\xe7\xbc\x92\x80\x7c\x7b\xbd\xc0\x0b\x1d\x88\x53\x4e\x65\xdb\xa2\x56\x21\x67\xe2\xcf\x12\xa6\xf4\xb1\xe8\x9b\x24\x95\xbe\x63\x1f\xe9\xa7\xaf\xaf\x3e\x44\x02\x54\xa2\xda\x7e\xeb\x26\x1b\x40\xb4\xb2\xc8\xa2\x25\x7d\x75\xb0\x9b\x85\xb8\x1d\x79\x54\xac\x55\x31\x3a\xc4\x99\x0c\x54\xae\x40\x79\x3c\x21\x58\xcf\xeb\xf3\x29\xb2\x67\x40\x5d\xd2\xa5\xe7\x61\x54\xd2\x1d\x74\xed\xd4\xa1\xe0\x86\xf0\xf2\x40\xe7\x19\x96\xa0\x4e\x8f\x96\xec\x88\x22\xbc\x5f\xc9\x18\x38\xd1\x7d\x97\xb0\x3c\xab\x99\x58\x33\xaa\xd9\xfe\xd8\xdb\xd9\x44\xfc\x11\xab\x74\xfc\x51\x5f\xd8\xbc\x5c\x06\x74\x24\xd3\x2d\xbb\x99\xe4\x9e\x0d\x42\xa5\x97\xdd\x80\x73\x17\xd6\x69\xdf\x7c\x08\x97\x9d\xd6\x47\xca\xe4\xb9\xd1\x23\xa6\x44\x03\x7c\x68\xfd\x7b\x45\x4d\x15\x8b\x51\x28\x18\x5b\x7a\x07\x1b\x77\x45\x3e\x29\xef\x51\x83\xc0\x3f\x3d\xac\x27\x58\xfa\xd6\x67\x3d\x17\xb9\x5a\x42\xd4\x28\xb5\x6d\xd7\xac\xd6\xb4\x4a\x15\xf8\xa6\xac\xc4\xc7\x3d\x23\xfd\xdf\xc4\x4f\xe5\x7a\x9a\xdd\x19\x57\x96\xcf\x45\xc0\x00\x6f\x6a\x24\x16\x0d\xfb\x87\x98\x62\xb0\x11\xe7\x4b\x88\x0f\x5a\x4f\x5d\xc8\x05\x3a\x1f\x2c\x7d\x0e\x1d\x77\x2c\x62\xca\x02\x8b\x09\xce\xba\xc8\x8e\xa7\xa8\xa1\x85\x59\x96\x20\x16\x74\xf2\xeb\x71\xac\x52\x6c\x0a\x0e\xc4\x49\x3d\xaf\x01\xa5\x51\x6d\x2b\xf8\x8b\xd8\x11\x72\xa2\xf7\x5f\xaf\xb3\xcd\xe2\xc9\x2b\x7a\x02\x0e\x07\x67\xcb\xda\xdf\x65\x57\x55\xc3\x71\x5c\x6b\xf9\xcc\x3d\xf3\x8c\x38\x34\xa7\x24\x95\x05\xa6\x89\x48\x0c\xa3\xa9\x78\x79\x2a\xe9\xbe\xfd\xfb\x3f\x25\xe3\xdf\xec\x22\xa9\x0d\x66\xac\xbc\xe1\x63\x3a\x29\x7c\xc2\xbe\xd9\x75\x73\x1f\xbc\x97\xc0\x9d\xa8\x94\x22\x65\x33\x6d\x17\xb1\x3a\x52\xef\xff\x98\x62\x6a\x8b\x7b\x18\x8c\xfb\x9d\xfd\x33\xeb\x28\x76\x34\x08\x73\x2b\xba\xe7\xb8\x01\x22\xa9\x1a\xd9\x81\x38\x97\x75\x7e\xff\xb8\x43\x58\xdb\xd6\x2b\x01\x33\x24\x1a\xb9\xaf\xa7\x9e\x35\x3f\x5e\x7d\xb9\x16\x39\x21\xd6\x5e\xfc\x93\xe4\x08\xbc\x38\xff\x95\x84\x29\x05\xa9\x13\xd0\x84\xd2\x4f\xa2\x23\x59\xdf\x71\x0b\x39\x69\x4d\xe2\x40\x38\x98\x31\xe3\x44\xe9\xd5\x33\x2a\xc0\xc5\x4
8\x4e\xdc\x3a\x9a\xc6\x12\xf6\x68\xe4\xe7\x81\x80\x10\x9e\x12\x49\xef\x5d\xc2\x7c\xfd\xed\x52\xea\x37\xef\x3a\x7d\x1d\x02\x88\xa9\xf7\x53\x2f\xb9\xf3\xa3\x80\x29\x4c\xf0\x33\x29\x62\x8f\xe8\xfa\xc3\xb8\x12\x11\x30\xbc\x3d\xff\x51\xed\x6f\x83\x00\x80\x67\x86\xf9\xe5\x05\xde\x5d\x25\xd6\x87\xc4\x02\xc0\xbe\xdb\x7d\x41\xcd\xb9\xcf\xb8\x77\x14\xba\x29\x28\xbe\xce\xcb\xe1\xaa\x32\xdf\xda\x00\x17\x07\xc7\x84\xce\xe7\xf6\x46\x48\x77\xef\x87\x98\xc1\x60\x8c\x48\x7c\xe0\x88\xd0\x73\x08\xb4\xf1\x67\x2f\xb2\x8e\xfa\xd8\xae\xe8\x45\xff\x99\xe0\x0d\xb8\xd0\xa4\xef\xf1\x0e\x7e\x04\x82\xe1\x0d\x2d\x4f\x53\x6b\x90\xa1\x7f\x2c\xd0\x64\x99\x58\x61\x9a\x3b\xfc\x4c\x72\x65\x4a\xb9\xa0\xda\xe3\x09\x9d\x69\x58\xcc\x43\xac\xee\x94\xa4\x50\x15\x24\xe0\xa9\xdd\x76\x70\x0d\x81\x46\x1f\xfc\x9c\xde\x22\x27\x15\xd4\xc8\x91\x7c\x2e\x53\x56\x0b\x63\x53\xa0\x98\xc9\x48\xce\x16\x13\x1b\xca\xc5\x69\x48\x46\x94\x26\x57\xfb\xbd\x47\xd1\x4f\x0b\x9e\x6e\x0e\x38\x3e\x7d\x60\xef\xe2\xd9\x93\x5c\x04\xdf\xee\x10\xe2\x2f\x47\x4c\xf3\x82\x32\x9c\xce\x12\xae\x8d\x21\x0f\xfb\xd1\x7d\xd0\xf1\x86\x8f\x6c\x10\xaa\x34\xdc\x1f\xb7\xbb\xb7\xa2\x5d\xb0\xcd\xb0\xaf\xcb\x3a\x52\x34\x45\x56\x4c\x6b\xc6\xc0\xf8\x43\x3a\x67\x75\x88\x18\x52\xd9\x97\x0a\xa4\x20\x3c\x92\x58\xa9\x44\x27\x41\x68\x89\x9d\x5a\x81\x5d\x66\x50\x37\xda\x71\x6d\x53\x04\xe4\xf2\x6c\x28\x9a\x46\x38\x4b\x96\x5f\x2c\xa5\xaa\xcc\x1c\x81\x23\xb5\x4c\x14\xe8\x3a\x59\xb9\x97\x99\x64\x88\x14\x79\x77\x84\x25\x4e\x3f\xcc\xca\x53\x79\x0c\xe3\xf0\xc2\x4b\xa0\x17\x22\xd4\x2b\xaf\xfc\x81\x68\xa3\x6c\x95\xb5\x38\x8d\xef\x13\x7e\x6c\x92\x9e\x2e\xd1\x42\x99\x10\xd1\x38\xe7\x91\xf8\xc4\x5c\x37\xea\x0b\x8d\x5f\x25\xdb\xb2\xb4\x3a\x4c\x2e\x05\x27\x32\x7a\x58\x47\xdf\x44\xa2\x14\x22\x23\x30\x14\x4d\x26\x44\x63\x66\x76\x4f\x81\x6d\xb2\x84\x7b\xba\x48\x60\xf2\x2d\xca\x28\xae\xa5\xba\xd2\x98\xdc\x4e\x58\x88\xce\x73\x7b\x16\x96\xc9\x52\xc2\xa5\x15\x57\x4d\x10\xd4\xd2\xc3\xd0\xa2\x12\x32\x42\x2d\x0d\x60\x07\x45\x86\x2a\x31\x51\x3c\x97\x8c\x84\x42\xbe\xba\xb3\xe3\xef\xbc\x5b\xf
0\x65\x72\x70\xd1\xdb\x26\xe9\x79\xcf\x50\xef\x7a\x3c\xfe\xe8\x80\xf7\x7a\x0b\x80\x2c\x7b\x37\x1b\xf9\x66\xa5\x41\x3d\x68\x74\xd9\x11\x1e\x7b\x98\xa9\x72\xbe\x26\xe2\x8f\xa9\xec\x1f\x77\x93\x91\xe3\xa4\x91\xd5\xe8\x69\x5f\x73\xd8\x87\x73\xa3\xd4\x06\x82\xff\xe1\xce\xa2\x37\xfa\x5a\x91\xd4\x8b\xd8\x2d\x8e\xcd\x25\xe6\xa6\x29\x2d\x17\x77\xe3\x8b\xe3\x7c\xcc\x8d\x96\xcf\x9d\x19\x1b\xa9\x05\x85\xe7\x28\xdc\x41\x5b\xc4\x06\xfd\x94\xe5\x3c\x67\x40\x71\xdf\x12\xea\x08\x9d\xcd\x94\xf9\xd9\x6b\x03\x86\xf7\x26\x05\x12\x67\xc9\x6e\x5c\x3d\x79\x49\xe8\x55\x02\xb5\xda\x43\xf1\x04\x93\xba\xa2\xfd\x77\xa0\x2f\xaa\xca\x33\x55\x8f\x78\xf0\x9f\x00\x43\x3b\xa9\x91\xef\x1b\x40\xc5\x99\x90\x39\xbe\xe1\x77\xfd\xa3\xba\x5d\xc0\x92\x51\x62\xe5\x9a\x8e\x32\x7c\x19\xe7\xd4\xe0\xaa\x8f\x13\x71\x07\x02\x71\xe0\x03\xce\x63\xf4\x27\x26\x5b\x6a\x2d\xfb\x1d\x68\x64\xf8\xcd\xf2\xa9\xd0\xf8\xb3\x8e\x57\x71\x2b\x85\x43\xa2\x0b\xe5\x02\x4a\xef\xfd\x25\x0a\x10\x6e\x78\x3a\x08\xa5\xae\x38\x5a\xc9\xa5\x76\xb3\xc1\xb0\x90\x36\xc5\x0f\x1a\x8d\x56\x99\xf1\xba\xd3\xd1\x69\x68\xf1\x1e\x9b\x1f\x54\xef\xdf\x3c\x2e\xc0\x3a\x1f\x12\x4a\xb5\xe5\xc4\x53\xd1\x9b\x93\x9b\x68\xd0\xa3\x39\x95\x1b\x5b\xb5\x5d\xa3\xeb\x45\x9c\x3f\x86\xa1\xde\x1b\x8b\x9c\xef\xe6\xe6\x0d\x14\xd8\xc6\x14\x31\x45\xe2\x4a\x85\xe9\xc0\x62\xa8\xf6\xbf\x5c\x9a\x51\xb2\xa5\x07\xff\xdf\x6f\x60\x1c\xd7\xd1\x0a\x7f\x3c\xb1\x6f\x38\xd7\xf2\xc4\x6e\xb2\xc1\xeb\xd2\x05\xd5\xb6\x0c\x5d\x5e\xc3\xd6\x0e\x15\x18\x9b\x9f\x44\x5c\xbf\x29\x17\x7b\x83\x55\xd8\xaf\x6b\xad\x6c\x6e\x3a\xda\xb3\x9d\xf7\x1e\xe2\xcf\x90\xdf\x9a\xb8\x68\x08\xe6\x2d\x1e\xc2\x4f\xf2\xbd\xe6\xfd\x56\xa2\x31\xe4\xe5\x56\xcc\x22\x7f\x5f\xa6\xd6\x17\xd5\x49\xae\xd8\xe2\xe3\x66\x01\x3d\x8a\x2c\x28\x99\xa5\xc7\x52\x62\x0d\x54\x47\x1f\x9c\xfe\x17\xb6\x87\xfe\xe4\x27\x99\xeb\x86\x21\xca\xbf\x3b\x81\x76\xdf\x65\x4b\x20\xf3\x48\xc9\x16\x7d\x70\xe9\x59\x22\x13\x38\xbf\x47\xcf\x3b\x34\x7d\xdb\x46\xe4\xea\x71\xfc\x82\x50\xcf\x48\x18\x60\x7a\x35\x95\x16\x65\xae\xec\x1b\x46\x84\xa9\xf2\xd5\x40\x39\xb
6\x44\xe3\xff\xcf\x5e\xf2\xa2\x67\x3d\x97\x40\x8f\xb9\xc5\xb9\xee\x80\x28\x67\xfc\xfc\xbf\x3c\xed\x42\x95\xe5\x9e\x78\x36\x5d\xe8\xf3\x8d\x98\x06\x6b\xc1\x63\xb7\x55\x56\x8b\xb0\x2e\xec\xa3\x8e\x04\xfe\x45\xb7\x80\x9c\xc4\x42\x40\x23\xa2\x3b\x15\xe3\x74\xe3\x83\xd0\x1e\x02\xdc\x66\x92\x48\x47\xf3\x72\xd8\xad\xc3\xb8\xaa\xdd\xb6\xea\xf9\x57\x5f\x52\x42\x51\xca\x6f\xea\x93\xfa\x33\x57\xe8\x1e\x94\x71\x5f\xbb\xe3\xce\x2b\xbc\x0c\x3d\x44\x7a\x51\x18\xd8\x59\xb1\xa7\x43\xb3\xe8\xee\xbf\xd3\x52\xfc\x50\xc2\x8c\x89\xd9\xfb\xf2\x08\x7c\xbe\xdc\xdd\xad\xd1\x99\x3a\x35\xf7\x1b\xff\x4b\x6e\x91\x90\xfb\x18\x26\xfa\x2b\x30\x89\x01\x87\x61\x65\xc7\x04\x17\xdc\xe1\x6e\xa0\xc1\x97\x55\x74\xbd\xc7\xcc\xf8\xd9\x2b\x3e\x77\x2b\x57\xfb\xad\xee\x74\xfc\xfe\x7b\x73\xdb\xef\x59\xc7\xf2\xe5\xba\x57\xb9\xbe\x68\x43\xe0\x6d\x0c\x13\xda\x2f\x48\x78\x40\x73\x7a\x8d\xfc\x79\x0c\xd5\x53\xc6\x93\xa9\xd1\x26\x8a\x13\xac\xfa\x44\xfa\x5e\x4b\x4f\x0d\xa3\x76\xfc\xc0\xec\x82\x94\xfd\xc0\x18\x23\x89\x7f\x91\x21\x27\xdb\x76\x90\x3d\xf2\xcd\xbf\xb9\x90\x24\x00\xc8\x6b\xf5\x26\xdd\xbb\x47\xc8\xe4\x9b\x67\x30\x55\xf7\x0a\x7d\x90\x08\x1c\xd3\x19\x64\xe0\x51\x9d\x50\x4c\x17\x1c\xd4\x1a\xb7\x99\x79\x16\xa7\x11\xcd\xec\x24\xf8\x0f\x80\x39\xce\xc9\xf6\x5b\xfb\xfa\x93\xe7\xbf\x22\x83\x51\xa8\x18\x92\xe5\x71\x80\xae\xce\x3e\x6b\x0f\xf3\x36\x6d\xc6\x66\x44\x47\xfa\xe5\xbe\xd3\x81\xf6\x29\x13\x4a\xdf\xcc\x51\xec\xa2\xab\x32\x76\x68\x2e\x5d\x9f\x67\x7b\x30\x1d\x6e\x6d\xcf\xa8\x64\x61\xa5\x67\xcb\x9c\xbf\xda\x3d\x2f\x91\xb3\xab\xc2\x0a\x5a\x7d\x46\x5d\x57\xc5\x07\xfe\x9c\xad\x83\x43\xd6\x4f\x51\xbe\x63\x0c\xe8\x18\xab\x78\xe9\x2c\xc5\x40\x8f\x48\x02\x5f\xbb\xf8\x39\x6d\x88\x20\x1c\x04\x2f\xd7\x11\x82\xc3\xd5\xdd\x62\xac\xe3\xec\x92\x31\xf8\x47\xbd\xff\x19\xb7\xbc\xe4\xe0\x4d\x10\x22\xb3\x2d\x46\xc7\x47\x09\xaa\x49\x63\x16\x6a\xef\xc5\xad\x6e\xd9\x47\x01\xd4\x32\x7f\x39\x4e\x1c\x9d\x01\xfb\xd3\xf2\x59\x03\xc5\x02\x0a\x84\x87\x96\x30\x08\xf8\xe4\xee\xdf\xe9\xc8\xd6\x2c\xa9\xcd\x72\xa9\x62\x39\xb1\xc0\x42\x7c\xb4\xe1\x7
1\x18\x21\x9b\x42\xcb\x89\x73\x53\x62\x1d\x66\x7a\x53\x8d\x3b\xa3\xe9\x26\x67\x38\xfd\x25\x24\x68\x1f\xd6\x33\xc1\xf7\x1a\x51\x28\x62\x10\xbc\x79\x3f\xc8\x9c\x0f\x04\x38\x66\x48\x0b\x7e\x08\x62\xb7\xa1\x08\x59\x3b\x2e\x9f\x8d\x1f\xc6\x2b\x7c\x67\xf5\x0d\xff\x63\x8f\x93\x18\xfa\x26\x0f\x37\x30\xce\xc7\x08\x0a\xfd\x74\x36\x41\xde\x7d\x59\xbc\xa4\xd3\x21\xf0\x31\xf3\x5f\xa6\x16\xc4\x33\xed\x57\x2a\x39\xbb\x17\xb9\x3c\x85\x81\xb1\x2a\xa1\xd2\x51\x54\x1b\xb5\xb2\x1c\x63\x91\x7c\x5b\x70\xec\x65\xe9\x57\xc5\x9c\x64\x3a\x6c\x0a\xb0\x02\xb5\x46\xdd\x97\x03\x50\xbe\x2a\x57\xe1\xa8\xf0\xf4\x6b\x01\x19\x95\x0a\xab\x33\x01\xe5\xca\x05\x43\x53\x2e\x1f\x08\x19\x90\x75\x60\x9f\x22\xcb\x8c\x8f\xfc\xba\x4b\xc8\x1d\xf5\xda\x4b\xa7\xae\x6b\x11\x1b\x4c\xd9\xc6\xe2\xe6\xc2\x0a\xda\x23\x28\x20\xb4\x77\x53\xd6\x26\x2c\x2b\x9e\xa6\x1e\xad\x28\x1b\xa0\xc3\x1c\x3b\xdf\xc0\x6b\x8a\x42\x98\x22\x82\xa2\x15\xbe\xad\xa3\xae\x9b\x2e\xad\x9a\xfd\x24\xf5\x0b\xc2\x28\x18\x90\x09\x77\x91\xcf\x37\xb1\x96\x9b\x45\xba\x7e\xb1\x30\x53\x66\x76\x7e\xda\x01\xef\xd0\x57\xda\x56\x74\x31\xc4\x9e\x79\xc5\x5a\x58\x95\x4f\x12\xda\xb8\xf1\xb6\x88\x51\x3f\x4c\x3c\x49\xa5\xf2\x7e\xe5\x37\x50\xd8\x9b\x63\x37\x79\x98\x00\x58\x78\x9d\x26\xa6\xb1\x72\x0b\xe7\xca\x54\x9d\xe7\x4b\xdb\x76\x3f\x4d\xb1\xa6\xbb\x86\x0b\x05\xdb\xc4\x77\x5b\x20\xce\xd8\x71\xb4\xa9\xd9\xd8\x77\xab\xef\x6c\x4b\xb3\x9d\x36\x8e\xf7\xe7\xfb\xba\xc5\xcb\x88\x21\x2d\x87\xf3\xc7\x62\x06\x59\xcf\x4c\xe1\xc6\xee\xb0\xea\x83\x84\xa6\xdf\x2f\x29\x13\x34\xe5\x80\x84\xfc\x55\xa3\xb6\xd7\xa8\x35\x1f\x62\x5a\x71\xee\xce\x16\xfc\xb5\x2f\xcc\xa8\x88\x09\x3a\x04\x0f\x5f\x15\x7a\xe2\x7d\xd7\x9d\x26\xae\x55\x5d\xd0\xd2\x19\xb5\x85\x53\xdb\x3b\xd8\xb4\x8d\x85\x6b\x3e\x23\x3d\x19\x72\x65\x78\xd3\x82\xbe\x3d\x12\x3f\x86\x56\xdb\xa5\xe6\x1d\xb1\x4b\x62\x7e\xb0\x74\xdb\x68\xd5\xa6\x9c\x93\x51\x17\x44\x92\xb5\x08\x24\x82\x4d\x3d\x3a\xf7\x92\x95\xf0\x5c\xdb\xb4\x7c\x8e\xf7\xc8\x5d\x81\x5b\xdc\xba\xcf\x4b\x86\x27\x96\x5c\x07\xc8\xe1\x07\x9f\x20\x1e\x50\x98\x02\x84\xf2\x00\x5
a\x92\xba\x82\x15\xd0\x6e\xf5\xef\xed\x59\x1f\x52\x79\xf1\x8a\x2f\xea\x04\x24\x66\xd7\x83\xe1\x08\x64\xe9\x3a\x54\xb8\x64\x9b\xb4\x43\x6d\x88\x6c\x78\x81\x9e\x92\x7c\x16\x3c\x76\x9c\x22\xfd\x6c\x1f\xfc\x50\x98\x49\xf6\x85\xac\xbc\x5c\x6e\xab\xe4\xbf\xb2\xe2\x65\x0b\xab\x17\x39\xa6\x95\x3b\x27\xa1\x84\x64\x64\xea\x8f\x56\xa7\x6c\xd3\x71\xa7\x47\x45\x95\x94\x9b\x6f\xd4\xdb\x07\x6d\x44\xce\xca\x31\x12\x22\x74\xec\x56\x8c\x58\x1d\x08\x8e\xe7\xf5\x68\xc0\x02\x4a\x49\x19\x20\x40\x1f\x16\x5d\xd1\x71\x1a\x2f\x9b\x03\x7e\xf4\xb4\x01\x9d\x22\x72\xe1\x9e\xd5\xcf\x41\x40\xe5\x8d\x74\xae\x1d\x93\x01\x8d\x09\xfe\xe3\x26\x3e\x81\x19\xfc\x7a\x48\x09\x45\x9c\x43\x4e\x93\xd3\x04\x70\x2f\x11\x0f\xc3\xa4\x0d\xfa\x78\xfd\xac\x5e\xdf\x24\x25\xd8\xdc\x16\x29\xbc\x95\xba\xb9\x32\x70\x32\x59\x8c\x2f\x55\x30\x78\x18\x7c\x3d\x07\x6f\x15\x67\x4c\xfb\x9e\x0f\x18\x2b\x68\xce\xdc\xec\x34\xcf\x04\x90\x90\x1a\xf1\x0a\x2d\x10\xac\x87\x31\xf7\x9e\x60\xea\x1e\xb1\x78\xa6\x01\x42\x97\xa5\xa3\xb8\x4b\x80\xde\xb5\xf3\xb5\x62\x04\xcd\xaf\x3a\x4c\xa0\xbc\xa0\x08\x3a\xca\xc6\xd2\xa5\x63\x71\x7e\xb7\x0b\x9d\x82\x75\xbb\x31\xdd\x4d\xa2\x5f\x6a\xaf\x3b\xb5\x76\x15\x2c\xc5\x98\x39\x9b\xfc\x1f\x70\x3f\x9d\x65\xc7\xca\x6f\xc4\x5d\x7c\xd8\x19\x12\x07\x1a\x94\xb4\x98\x17\x28\xbd\x3f\xa5\x32\xdd\x3a\xb9\x5e\xdc\x2c\x8a\x87\x92\x31\x6b\x78\x28\xc1\x7a\x0a\x11\x5a\x80\xee\x5f\x7c\x63\x2f\xa1\x23\xfc\xce\xae\xcb\x31\x19\x15\x34\x9c\x9b\x26\xf2\xed\x27\x52\x23\xd7\x9b\xac\x0c\x13\x76\x71\xc3\xac\x5f\x48\x9b\x42\xfb\xf5\xb1\x9b\x3a\x46\xae\x22\xa7\x2f\xe3\x47\xd8\xab\xf1\x11\x42\x96\x85\x62\xc6\x32\x9d\xfb\x94\x22\x49\xb5\x93\xd3\x7d\x17\xf4\x0d\x79\x3a\x48\x18\x92\x10\xe0\xb6\x0b\x95\x83\x75\xc0\x89\x93\xd3\x4e\x3e\xb0\xba\x69\x32\x43\x5c\xde\x73\xd5\x68\xd8\x1e\x0d\xf7\xf7\x6d\xab\x7c\x1c\x1f\x7e\x5b\x76\x41\x44\x89\x6f\xe5\xa8\x19\xa4\xf0\xae\xfa\x09\x9e\x1d\x84\xf8\xc1\x12\x02\xbc\x14\x1f\x7a\xe0\x3f\xb4\xfd\xbf\x5b\x6c\x30\x83\x4a\x4d\xcc\x7f\x9a\x64\xbb\xe1\x40\x76\x11\x0b\x97\x29\x76\x7e\x5f\x31\xed\xbf\x5d\xdc\x5
4\x0f\x3a\x31\xa3\x6f\x4a\x33\x2b\x5a\x24\xd9\xe0\xbe\x54\xf8\x16\x1b\x52\xf7\x6b\x78\x08\x3e\x40\xa6\x63\xc8\xd2\x0b\xfb\xc4\x46\x53\x3c\x2c\x4b\x78\xe6\x30\xbb\xc9\x4a\x24\xd9\x51\x60\x18\xfa\xff\xed\xc2\xe8\x5f\xb0\x91\xde\xea\xd3\x61\x2c\x8a\xb2\x41\xb1\x26\x47\xc2\xe7\x14\x07\xa9\xbb\xef\x11\xc9\x75\xed\xbb\x97\x22\xab\x61\x74\xa9\x19\x1c\x5f\x01\x28\xc1\xe0\xf4\x39\x33\x53\x68\x9a\xd1\x8b\x96\x78\x5a\x7d\x8e\x04\x5a\xdb\x80\x1a\xfe\x79\x00\x0f\x18\xec\xbc\x07\xea\x83\x93\x06\xbe\xcb\x86\x2b\x17\x53\xfe\xd5\x04\xdf\x00\x95\x46\x67\x2f\xd6\x5e\x60\xa2\xb5\x23\xae\x74\x77\x50\x2d\xb7\x5d\xeb\x99\x44\x52\xe0\xb3\xf7\xa8\x41\xa9\x8b\x8c\x0b\x0e\x82\x8f\x0c\xa6\x79\xe1\xfb\x97\xf8\xdf\x29\x2e\x2d\xb3\x0f\x75\x6f\xba\x17\x75\x45\xa0\x9b\xeb\x2b\xe1\x93\xfb\x3a\x1a\x94\xd3\x44\x56\xd9\x07\x1e\x63\x4b\xb8\xa4\x33\x09\x30\x2f\x6c\xe4\xc3\x38\xd4\x39\x27\x0c\x42\x6b\xaa\x04\x8b\xb9\x2e\xc1\x39\xe5\x0f\xc4\x57\xdb\x0f\x37\xb4\x94\xc5\x91\xf6\x71\x15\xbc\x9c\x52\x21\x52\xd2\x8f\x9c\xad\x16\x10\xbf\xfc\xea\x13\x9b\xf2\xc5\xe0\x23\x9d\x4f\x8d\xb1\x25\xf0\xc6\x68\x76\x8a\x02\xab\x70\x28\x14\xab\x61\xb5\x7e\x0d\xd8\x39\x54\x9c\xd7\x8c\x1d\x33\x1d\x3c\xf4\x2e\x0e\x94\x35\x9d\xf9\xf9\xd8\xd4\xfa\x2b\x98\x2a\x19\x77\xcc\x55\xa8\x88\x80\x56\x46\x23\x15\x45\xc2\xe9\x6a\x8b\x80\xc9\xdb\xda\xf7\xb7\x64\x40\x21\xf8\xdb\xdd\x8f\x3c\x37\x3a\x72\xa9\xc5\xa8\xad\x05\xc6\x7f\x50\xbd\x32\xa9\x6e\x19\xa6\x06\x17\x00\x61\x54\x2a\x0b\x1e\xe9\x0e\x3c\x75\x61\x9d\x95\x41\x6e\x1d\x2f\x6c\x76\xef\x08\xf6\x11\x88\x2c\x87\xd0\x96\xb2\xf8\x4c\x1b\x5f\x79\xc7\x28\x72\x7e\x00\xb0\x58\x9f\xf8\x67\x82\x4b\x88\x93\x9c\x3a\xcb\xa9\x6f\x59\xa3\xe3\x08\xef\x70\x68\xbd\x4a\xd8\x47\x8b\x9f\x0d\x6d\x5c\x90\xc8\xd3\xfd\xb1\xbc\xe0\x82\x2f\xd4\xdb\xf6\x04\x33\xd0\xfd\x9a\x1d\x00\xfa\xd0\x5b\x13\x5b\x0f\xca\x52\x29\x82\xbd\x41\xa1\xd3\x2c\xa9\xe1\x3c\xc2\xde\x18\x09\xe5\x1e\x12\xb5\x40\xdf\x58\xcc\x4b\xca\xcb\xc3\x94\x53\xe6\x2e\xff\xe1\xcb\xa6\x2a\x72\x5b\x7b\x69\x0a\x53\x1a\x16\x9b\x16\xcd\x4f\xb4\x23\x00\x18\xa
d\xbf\xeb\xfd\x58\xec\x47\x67\x42\xa8\xea\x7e\x8f\xf7\xe5\x6a\xb4\x63\xb3\x45\xa8\x42\x99\x86\x7f\x85\x7d\xe6\xea\x30\x75\x9a\x8d\xd0\x93\xe9\x8f\x99\xc6\x2f\x40\x95\x97\xf9\xa3\xdd\xd4\x90\xc8\x81\x33\xd9\x83\x1a\x7d\xdd\x0b\xbc\x35\x36\xd8\x0d\xea\xee\x38\xac\xb1\xba\x95\xba\x0c\xda\x91\x0f\x4b\x12\x0a\x59\x2b\xc9\x15\x04\xf4\xb0\xd9\x91\x71\xe2\xc4\x5d\x4e\x25\x6d\xc0\x3f\xed\xe6\x8e\xe1\xda\xbf\x80\x29\xc9\x9d\xec\x19\x8c\x4a\xad\xdb\x68\x17\xf8\x39\xf1\xda\x74\x97\x12\x67\xc2\x12\xbd\x22\x69\xf8\xcc\xcd\x32\x49\x5e\x8f\x72\x04\x48\x6d\x98\x59\x87\xc2\x5a\x5c\xb7\xef\xd6\x39\xb1\xdb\xd2\x50\x60\x22\xf6\xca\xf2\x4b\x09\x22\x62\x27\xd8\x03\x5c\xea\x83\xb9\xcb\x82\x1a\xc3\xfd\xae\xda\x5f\x22\xdf\xb1\x19\x15\x93\xf4\xd1\x65\x5e\x23\x54\x6c\x84\xa8\xff\x48\x27\x89\xbc\x92\xf1\x94\xdd\xa5\xf6\x14\xd6\x98\x6e\xac\x82\x9b\xab\x2b\x7a\x29\x22\x5b\xd5\x51\x76\x12\xd4\x0f\xda\x6a\x15\x3f\xc5\x2b\x24\x66\x33\x68\xad\xc2\xed\xf5\x6b\x07\xbb\x22\xf1\xb5\xd5\x26\xbf\xfb\x21\x28\x2c\x65\x4a\x77\x95\xa2\x76\x31\xf9\x5d\x88\x5d\xf4\xc0\xbc\xeb\x07\x12\xbf\xdd\xc0\x58\xdc\xbf\x32\x83\xa8\xb9\x66\x64\xdf\x54\x83\x40\x46\x6b\xd7\x17\x32\x9e\x6d\x54\x25\xcb\xd8\xf9\xe6\x44\x2e\xc4\x67\x13\x81\xb8\x01\x7e\x04\xba\xf1\x66\xd7\xb1\x4d\xdb\x51\x6a\x62\x4a\xc5\xc7\x65\x87\xa0\x0c\x65\x02\xa9\x40\x1c\xee\xc4\x82\x69\xc4\xeb\xf6\x70\xbd\x1c\xaf\x46\x13\xbc\xe8\x6e\x29\x7f\x9d\xd0\x02\x24\x08\xaf\x5c\x7a\x7e\x9c\xa4\xa1\xa2\xc7\xea\x50\x6d\xcc\xd7\xf8\x40\xeb\x4d\xe4\xdd\x3c\x73\x40\x06\xcb\x85\xe9\xa0\x53\x9f\x98\x8a\xb4\x5f\x59\x3d\x1d\x96\x06\x12\x2a\x2f\x10\x6e\x9f\x84\xf5\x2f\xf9\x17\x97\x07\x61\x03\xd0\x42\x58\x68\x46\xff\x73\x05\xc2\x73\xfe\x8e\xaf\x05\x3f\x6f\x2c\x7f\xd4\xf1\x18\x13\x4a\x8c\x82\x4b\xbb\x27\xe3\x19\x1a\x8b\x19\x25\x55\xc6\x61\x49\x08\xba\x54\x36\xa6\x73\x83\x0c\x27\xa6\x31\x69\xd3\xc6\x9d\x3f\x7e\x05\x2a\x6b\x6d\xe6\xfd\x2a\x54\x45\x72\xcb\xce\x67\xf6\x7a\x3b\x37\x83\xf4\xc8\xdb\x22\x71\xa4\xa1\x3c\x03\x55\xa9\x2c\x6b\x03\x6e\x5e\xf0\x6f\x53\x32\x3d\xb1\x43\x2b\xd5\xb
e\xd2\x60\x15\x44\x38\x7d\xfe\xa3\xf5\xed\x9b\x25\x2f\xc9\xa2\x04\x11\x99\x94\x23\x94\x4f\xdc\x2d\x16\x3f\x66\xba\x18\x26\xc7\xbd\x6d\xa8\xe8\x95\xef\xb1\x9b\x4f\xe0\xf2\x03\x81\x42\xd7\x66\x5f\xaf\xaf\x97\x9c\x56\x35\x29\x40\xb5\x5c\xae\xf5\xf8\xf8\x81\xdb\x23\x06\x0d\xdd\x71\xf9\x9f\xca\xb6\xbf\xe4\x12\xbe\xb2\xa1\x7d\x10\x6f\xa4\x50\x91\x4a\xa7\x92\x0c\xb2\x12\x67\xe1\x6c\xb4\x94\x36\x05\x60\x98\x36\x14\x9f\x19\x70\xd5\xca\x6f\x31\x10\x14\xd5\xb6\x91\xc1\x45\xba\x81\xb4\xff\x94\xc7\x2f\xe1\x50\xea\x49\xe5\x60\x70\xcf\xf3\x4a\xbe\xe3\x70\x61\xe8\x71\xae\xcf\x5d\xcf\x9f\x91\xb5\x2a\x36\xeb\x99\x3c\x67\x89\xf0\x21\xbe\x51\x70\x89\x2c\xa8\x0d\x1c\x2a\xd5\xbb\xce\x3c\xe4\x06\xcf\xb4\x12\xbd\x66\xfd\x64\x42\xd7\x0e\xbe\x18\xcd\xcc\x29\x58\xc5\x09\x34\x1f\x05\x10", 8192); *(uint64_t*)0x200000004700 = 0x200000002700; *(uint32_t*)0x200000002700 = 0x50; *(uint32_t*)0x200000002704 = 0xfffffff5; *(uint64_t*)0x200000002708 = 6; *(uint32_t*)0x200000002710 = 7; *(uint32_t*)0x200000002714 = 0x2d; *(uint32_t*)0x200000002718 = 2; *(uint32_t*)0x20000000271c = 0x400000c; *(uint16_t*)0x200000002720 = 7; *(uint16_t*)0x200000002722 = 0x6b; *(uint32_t*)0x200000002724 = 0x80; *(uint32_t*)0x200000002728 = 3; *(uint16_t*)0x20000000272c = 0; *(uint16_t*)0x20000000272e = 0; *(uint32_t*)0x200000002730 = 1; *(uint32_t*)0x200000002734 = 4; memset((void*)0x200000002738, 0, 24); *(uint64_t*)0x200000004708 = 0x200000002780; *(uint32_t*)0x200000002780 = 0x18; *(uint32_t*)0x200000002784 = 0xfffffffe; *(uint64_t*)0x200000002788 = 4; *(uint64_t*)0x200000002790 = 5; *(uint64_t*)0x200000004710 = 0x2000000027c0; *(uint32_t*)0x2000000027c0 = 0x18; *(uint32_t*)0x2000000027c4 = 0; *(uint64_t*)0x2000000027c8 = 8; *(uint64_t*)0x2000000027d0 = 0x101; *(uint64_t*)0x200000004718 = 0x200000002800; *(uint32_t*)0x200000002800 = 0x18; *(uint32_t*)0x200000002804 = 0xfffffffe; *(uint64_t*)0x200000002808 = 4; *(uint32_t*)0x200000002810 = 0x50bf; *(uint32_t*)0x200000002814 = 0; *(uint64_t*)0x200000004720 = 
0x200000002840; *(uint32_t*)0x200000002840 = 0x18; *(uint32_t*)0x200000002844 = 0; *(uint64_t*)0x200000002848 = 3; *(uint32_t*)0x200000002850 = 0xffff; *(uint32_t*)0x200000002854 = 0; *(uint64_t*)0x200000004728 = 0x200000002880; *(uint32_t*)0x200000002880 = 0x28; *(uint32_t*)0x200000002884 = 0; *(uint64_t*)0x200000002888 = 6; *(uint64_t*)0x200000002890 = 0xfffffffffffffff7; *(uint64_t*)0x200000002898 = 0; *(uint32_t*)0x2000000028a0 = 0; *(uint32_t*)0x2000000028a4 = r[4]; *(uint64_t*)0x200000004730 = 0x2000000028c0; *(uint32_t*)0x2000000028c0 = 0x60; *(uint32_t*)0x2000000028c4 = 0; *(uint64_t*)0x2000000028c8 = 0xa2; *(uint64_t*)0x2000000028d0 = 0xfffffffffffffffb; *(uint64_t*)0x2000000028d8 = 0; *(uint64_t*)0x2000000028e0 = 0x2867; *(uint64_t*)0x2000000028e8 = 0xd7f; *(uint64_t*)0x2000000028f0 = 2; *(uint32_t*)0x2000000028f8 = 0x28; *(uint32_t*)0x2000000028fc = 0xafb; *(uint32_t*)0x200000002900 = 7; *(uint32_t*)0x200000002904 = 0; memset((void*)0x200000002908, 0, 24); *(uint64_t*)0x200000004738 = 0x200000002940; *(uint32_t*)0x200000002940 = 0x18; *(uint32_t*)0x200000002944 = 0; *(uint64_t*)0x200000002948 = 0; *(uint32_t*)0x200000002950 = 0xb; *(uint32_t*)0x200000002954 = 0; *(uint64_t*)0x200000004740 = 0x200000002980; *(uint32_t*)0x200000002980 = 0x13; *(uint32_t*)0x200000002984 = 0; *(uint64_t*)0x200000002988 = 0x80000000; memcpy((void*)0x200000002990, "&,\000", 3); *(uint64_t*)0x200000004748 = 0x2000000029c0; *(uint32_t*)0x2000000029c0 = 0x20; *(uint32_t*)0x2000000029c4 = 0; *(uint64_t*)0x2000000029c8 = 0x41f; *(uint64_t*)0x2000000029d0 = 0; *(uint32_t*)0x2000000029d8 = 0; *(uint32_t*)0x2000000029dc = 0; *(uint64_t*)0x200000004750 = 0x200000002b80; *(uint32_t*)0x200000002b80 = 0x78; *(uint32_t*)0x200000002b84 = 0xfffffff5; *(uint64_t*)0x200000002b88 = 5; *(uint64_t*)0x200000002b90 = 0; *(uint32_t*)0x200000002b98 = 0x30; *(uint32_t*)0x200000002b9c = 0; *(uint64_t*)0x200000002ba0 = 0; *(uint64_t*)0x200000002ba8 = 0; *(uint64_t*)0x200000002bb0 = 0x9cb; 
*(uint64_t*)0x200000002bb8 = 6; *(uint64_t*)0x200000002bc0 = 0x45ff; *(uint64_t*)0x200000002bc8 = 8; *(uint32_t*)0x200000002bd0 = 0x7fffffff; *(uint32_t*)0x200000002bd4 = -1; *(uint32_t*)0x200000002bd8 = 2; *(uint32_t*)0x200000002bdc = 0x8000; *(uint32_t*)0x200000002be0 = 0xffff0001; *(uint32_t*)0x200000002be4 = r[10]; *(uint32_t*)0x200000002be8 = r[11]; *(uint32_t*)0x200000002bec = 0xb; *(uint32_t*)0x200000002bf0 = 7; *(uint32_t*)0x200000002bf4 = 0; *(uint64_t*)0x200000004758 = 0x200000002c40; *(uint32_t*)0x200000002c40 = 0x90; *(uint32_t*)0x200000002c44 = 0xffffffda; *(uint64_t*)0x200000002c48 = 0xfffffffffffffc00; *(uint64_t*)0x200000002c50 = 3; *(uint64_t*)0x200000002c58 = 0; *(uint64_t*)0x200000002c60 = 6; *(uint64_t*)0x200000002c68 = 4; *(uint32_t*)0x200000002c70 = 7; *(uint32_t*)0x200000002c74 = 6; *(uint64_t*)0x200000002c78 = 6; *(uint64_t*)0x200000002c80 = 0x5d; *(uint64_t*)0x200000002c88 = 8; *(uint64_t*)0x200000002c90 = 0; *(uint64_t*)0x200000002c98 = 0xfffffffffffffffc; *(uint64_t*)0x200000002ca0 = 1; *(uint32_t*)0x200000002ca8 = 3; *(uint32_t*)0x200000002cac = 8; *(uint32_t*)0x200000002cb0 = 8; *(uint32_t*)0x200000002cb4 = 0xa000; *(uint32_t*)0x200000002cb8 = 2; *(uint32_t*)0x200000002cbc = 0xee01; *(uint32_t*)0x200000002cc0 = r[12]; *(uint32_t*)0x200000002cc4 = 6; *(uint32_t*)0x200000002cc8 = 7; *(uint32_t*)0x200000002ccc = 0; *(uint64_t*)0x200000004760 = 0x200000002d00; *(uint32_t*)0x200000002d00 = 0xc8; *(uint32_t*)0x200000002d04 = 0xfffffffe; *(uint64_t*)0x200000002d08 = 1; *(uint64_t*)0x200000002d10 = 6; *(uint64_t*)0x200000002d18 = 5; *(uint32_t*)0x200000002d20 = 5; *(uint32_t*)0x200000002d24 = -1; memset((void*)0x200000002d28, 170, 5); *(uint64_t*)0x200000002d30 = 2; *(uint64_t*)0x200000002d38 = -1; *(uint32_t*)0x200000002d40 = 6; *(uint32_t*)0x200000002d44 = 7; memset((void*)0x200000002d48, 255, 6); *(uint64_t*)0x200000002d50 = 5; *(uint64_t*)0x200000002d58 = 5; *(uint32_t*)0x200000002d60 = 6; *(uint32_t*)0x200000002d64 = 0xc828; 
memset((void*)0x200000002d68, 2, 6); *(uint64_t*)0x200000002d70 = 3; *(uint64_t*)0x200000002d78 = 0xa; *(uint32_t*)0x200000002d80 = 0x1f; *(uint32_t*)0x200000002d84 = 2; memcpy((void*)0x200000002d88, "bpf_lsm_kernel_create_files_as\000", 31); *(uint64_t*)0x200000002da8 = 5; *(uint64_t*)0x200000002db0 = 0x100; *(uint32_t*)0x200000002db8 = 5; *(uint32_t*)0x200000002dbc = 9; memset((void*)0x200000002dc0, 170, 5); *(uint64_t*)0x200000004768 = 0x2000000040c0; *(uint32_t*)0x2000000040c0 = 0xb0; *(uint32_t*)0x2000000040c4 = 0; *(uint64_t*)0x2000000040c8 = 0xffffffffffff51c6; *(uint64_t*)0x2000000040d0 = 0; *(uint64_t*)0x2000000040d8 = 1; *(uint64_t*)0x2000000040e0 = 0x7fffffff; *(uint64_t*)0x2000000040e8 = 4; *(uint32_t*)0x2000000040f0 = 0x80; *(uint32_t*)0x2000000040f4 = 0xe; *(uint64_t*)0x2000000040f8 = 5; *(uint64_t*)0x200000004100 = 6; *(uint64_t*)0x200000004108 = 9; *(uint64_t*)0x200000004110 = 0; *(uint64_t*)0x200000004118 = 0x80; *(uint64_t*)0x200000004120 = 3; *(uint32_t*)0x200000004128 = 7; *(uint32_t*)0x20000000412c = 0xffffff01; *(uint32_t*)0x200000004130 = 5; *(uint32_t*)0x200000004134 = 0x6000; *(uint32_t*)0x200000004138 = 5; *(uint32_t*)0x20000000413c = r[13]; *(uint32_t*)0x200000004140 = r[14]; *(uint32_t*)0x200000004144 = 9; *(uint32_t*)0x200000004148 = 4; *(uint32_t*)0x20000000414c = 0; *(uint64_t*)0x200000004150 = 1; *(uint64_t*)0x200000004158 = 0x7fffffff; *(uint32_t*)0x200000004160 = 6; *(uint32_t*)0x200000004164 = 7; memset((void*)0x200000004168, 2, 6); *(uint64_t*)0x200000004770 = 0x200000004340; *(uint32_t*)0x200000004340 = 0xa0; *(uint32_t*)0x200000004344 = 0xfffffffe; *(uint64_t*)0x200000004348 = 0x4f4; *(uint64_t*)0x200000004350 = 0; *(uint64_t*)0x200000004358 = 3; *(uint64_t*)0x200000004360 = 0x58be8e49; *(uint64_t*)0x200000004368 = 0x88; *(uint32_t*)0x200000004370 = 0x80; *(uint32_t*)0x200000004374 = 2; *(uint64_t*)0x200000004378 = 0; *(uint64_t*)0x200000004380 = 7; *(uint64_t*)0x200000004388 = 0x8000000000000000; *(uint64_t*)0x200000004390 = 
6; *(uint64_t*)0x200000004398 = 2; *(uint64_t*)0x2000000043a0 = 0; *(uint32_t*)0x2000000043a8 = 0x81; *(uint32_t*)0x2000000043ac = 0xb; *(uint32_t*)0x2000000043b0 = 0xfff; *(uint32_t*)0x2000000043b4 = 0x8000; *(uint32_t*)0x2000000043b8 = 0xc093; *(uint32_t*)0x2000000043bc = r[15]; *(uint32_t*)0x2000000043c0 = 0; *(uint32_t*)0x2000000043c4 = -1; *(uint32_t*)0x2000000043c8 = 0x9e9; *(uint32_t*)0x2000000043cc = 0; *(uint64_t*)0x2000000043d0 = 0; *(uint32_t*)0x2000000043d8 = 4; *(uint32_t*)0x2000000043dc = 0; *(uint64_t*)0x200000004778 = 0x200000004400; *(uint32_t*)0x200000004400 = 0x20; *(uint32_t*)0x200000004404 = 0xfffffffe; *(uint64_t*)0x200000004408 = 4; *(uint32_t*)0x200000004410 = 0x1000; *(uint32_t*)0x200000004414 = 4; *(uint32_t*)0x200000004418 = 7; *(uint32_t*)0x20000000441c = 3; *(uint64_t*)0x200000004780 = 0x2000000045c0; *(uint32_t*)0x2000000045c0 = 0x130; *(uint32_t*)0x2000000045c4 = 0; *(uint64_t*)0x2000000045c8 = 6; *(uint64_t*)0x2000000045d0 = 7; *(uint32_t*)0x2000000045d8 = 0xf; *(uint32_t*)0x2000000045dc = 0; memset((void*)0x2000000045e0, 0, 16); *(uint32_t*)0x2000000045f0 = 4; *(uint32_t*)0x2000000045f4 = 0xfffffffb; *(uint64_t*)0x2000000045f8 = 0xc3f; *(uint32_t*)0x200000004600 = 0xc6; *(uint32_t*)0x200000004604 = r[17]; *(uint32_t*)0x200000004608 = 0xee01; *(uint16_t*)0x20000000460c = 0x1000; memset((void*)0x20000000460e, 0, 2); *(uint64_t*)0x200000004610 = 0xc42b; *(uint64_t*)0x200000004618 = 0xfffffffffffffffb; *(uint64_t*)0x200000004620 = 8; *(uint64_t*)0x200000004628 = 0xfffffffffffff3f4; *(uint64_t*)0x200000004630 = 7; *(uint32_t*)0x200000004638 = 9; *(uint32_t*)0x20000000463c = 0; *(uint64_t*)0x200000004640 = 0x893b; *(uint32_t*)0x200000004648 = 0xc160; *(uint32_t*)0x20000000464c = 0; *(uint64_t*)0x200000004650 = 3; *(uint32_t*)0x200000004658 = 0x6a48; *(uint32_t*)0x20000000465c = 0; *(uint64_t*)0x200000004660 = 0x40; *(uint32_t*)0x200000004668 = 6; *(uint32_t*)0x20000000466c = 0; *(uint32_t*)0x200000004670 = 5; *(uint32_t*)0x200000004674 = 
0; *(uint32_t*)0x200000004678 = 9; *(uint32_t*)0x20000000467c = 3; memset((void*)0x200000004680, 0, 112); syz_fuse_handle_req(/*fd=*/r[9], /*buf=*/0x200000000700, /*len=*/0x2000, /*res=*/0x200000004700); break; case 26: res = syscall(__NR_pidfd_getfd, /*pidfd=*/r[6], /*fd=*/r[9], /*flags=*/0ul); if (res != -1) r[19] = res; break; case 27: memcpy((void*)0x2000000047c0, "SEG6\000", 5); syz_genetlink_get_family_id(/*name=*/0x2000000047c0, /*fd=*/r[19]); break; case 28: syz_init_net_socket(/*domain=*/0x24, /*type=*/2, /*proto=*/0); break; case 29: res = -1; res = syz_io_uring_complete(/*ring_ptr=*/0); if (res != -1) r[20] = res; break; case 30: *(uint32_t*)0x200000004804 = 0x87d1; *(uint32_t*)0x200000004808 = 0x200; *(uint32_t*)0x20000000480c = 3; *(uint32_t*)0x200000004810 = 0x92; *(uint32_t*)0x200000004818 = r[19]; memset((void*)0x20000000481c, 0, 12); res = -1; res = syz_io_uring_setup(/*entries=*/0x70d3, /*params=*/0x200000004800, /*ring_ptr=*/0x200000004880, /*sqes_ptr=*/0x2000000048c0); if (res != -1) { r[21] = *(uint64_t*)0x200000004880; r[22] = *(uint64_t*)0x2000000048c0; } break; case 31: *(uint8_t*)0x200000004980 = 0x1c; *(uint8_t*)0x200000004981 = 0x40; *(uint16_t*)0x200000004982 = 0; *(uint32_t*)0x200000004984 = r[20]; *(uint64_t*)0x200000004988 = 0x200000004900; *(uint64_t*)0x200000004900 = 0x8000; *(uint64_t*)0x200000004908 = 0x190; *(uint64_t*)0x200000004910 = 0x10; *(uint64_t*)0x200000004990 = 0x200000004940; memcpy((void*)0x200000004940, "./file0\000", 8); *(uint32_t*)0x200000004998 = 0x18; *(uint32_t*)0x20000000499c = 0; *(uint64_t*)0x2000000049a0 = 0x23456; *(uint16_t*)0x2000000049a8 = 0; *(uint16_t*)0x2000000049aa = 0; memset((void*)0x2000000049ac, 0, 20); syz_io_uring_submit(/*ring_ptr=*/r[21], /*sqes_ptr=*/r[22], /*sqe=*/0x200000004980); break; case 32: memcpy((void*)0x2000000049c0, "*(z,\000", 5); memcpy((void*)0x200000004ac0, 
"\xce\xfa\x0b\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x8a\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf7\x7e\xf6\xbf\x4c\x19\xc0\x4a\xa5\x7c\x4c\x2f\xf9\x2e\xe1\x46\x0e\xbf\x0e\x57\x59\x5c\xc3\x55\xaa\x22\x67\x95\x47\xef\x84\x49\x9e\xf9\x9d\x9b\xdd\x69\x1a\x9a\x0e\xe1\x9f\xba\x5f\xee\x97\xd9\xa9\x2b\xb7\xae\x3d\x75\x4a\x98\x45\x6c\xdb\xfd\x27\xda\x20\xf9\x77\xf4\xbf\x46\x30\xc3\xca\x42\x1a\x6a\xcf\x8d\x9f\x81\xd2\x93\xd3\xa0\xb0\x23\x27\xe4\x06\x32\x3e\x77\x3c\x64\xb8\x65\xc2\xc7\xa1\x02\x36\xfb\xbb\xb9\xc9\xea\xc5\xd1\x4f\x18\x75\x2a\x03\x89\xa5\x81\x59\x64\x04\x1b\x84\x4f\x71\x45\x5e\xa1\x2d\xdc\x9d\xcf\xb6\xe9\x00\xa3\x66\x57\x58\xcb\xa3\xc7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 192); syz_kfuzztest_run(/*name=*/0x2000000049c0, /*data=*/0x200000004a00, /*len=*/0xc0, /*buf=*/0x200000004ac0); break; case 33: *(uint64_t*)0x200000014f40 = 0; *(uint64_t*)0x200000014f48 = 0x200000014ac0; *(uint64_t*)0x200000014ac0 = 0x17d; *(uint64_t*)0x200000014ac8 = 0x20; *(uint64_t*)0x200000014ad0 = 0x25000; *(uint64_t*)0x200000014ad8 = 0x5591; *(uint64_t*)0x200000014ae0 = 0x64; *(uint64_t*)0x200000014ae8 = 0x18; *(uint32_t*)0x200000014af0 = 8; *(uint32_t*)0x200000014af4 = 0x57; *(uint64_t*)0x200000014af8 = 0x12d; *(uint64_t*)0x200000014b00 = 0x18; *(uint64_t*)0x200000014b08 = 3; *(uint64_t*)0x200000014b10 = 0x64; *(uint64_t*)0x200000014b18 = 0x18; *(uint32_t*)0x200000014b20 = 0; *(uint32_t*)0x200000014b24 = 2; *(uint64_t*)0x200000014b28 = 0x69; *(uint64_t*)0x200000014b30 = 0x20; *(uint64_t*)0x200000014b38 = 0xc003; *(uint64_t*)0x200000014b40 = 1; *(uint64_t*)0x200000014b48 = 0x64; *(uint64_t*)0x200000014b50 = 0x18; *(uint32_t*)0x200000014b58 = 0x10; *(uint32_t*)0x200000014b5c = 0xc; *(uint64_t*)0x200000014b60 = 0x12d; *(uint64_t*)0x200000014b68 = 0x18; *(uint64_t*)0x200000014b70 = 0; *(uint64_t*)0x200000014b78 = 0x12e; *(uint64_t*)0x200000014b80 = 0x7e; *(uint64_t*)0x200000014b88 = 1; 
memcpy((void*)0x200000014b90, "\x36\x2e\x36\x3e\x66\x43\x0f\x57\xa9\x00\x98\x00\x00\x66\xba\xf8\x0c\xb8\x28\x8f\xc6\x86\xef\x66\xba\xfc\x0c\xed\xb9\x71\x03\x00\x00\xb8\xc7\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30\x42\x0f\x01\xc8\x66\xb8\x78\x00\x0f\x00\xd0\x40\x0f\x01\xc5\x66\xba\x43\x00\x66\xed\x40\x1d\x03\x00\x00\x00\xc7\x44\x24\x00\x00\x00\x00\x00\xc7\x44\x24\x02\x49\x3a\x56\x64\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x32", 102); *(uint64_t*)0x200000014bf6 = 0x64; *(uint64_t*)0x200000014bfe = 0x18; *(uint32_t*)0x200000014c06 = 0xf; *(uint32_t*)0x200000014c0a = 4; *(uint64_t*)0x200000014c0e = 0x12e; *(uint64_t*)0x200000014c16 = 0x60; *(uint64_t*)0x200000014c1e = 0; memcpy((void*)0x200000014c26, "\xc4\x21\xf8\x10\x7a\xf0\x0f\xe7\x64\x9a\x4f\x47\xfb\x0f\x01\xca\x46\x0f\x08\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x80\x00\x00\x0f\x30\x0f\x01\xcb\x40\x0f\x01\xcb\xc7\x44\x24\x00\x8d\x00\x00\x00\xc7\x44\x24\x02\x07\x00\x00\x00\xc7\x44\x24\x06\x00\x00\x00\x00\x0f\x01\x1c\x24\x0f\x52\x4b\x00", 72); *(uint64_t*)0x200000014c6e = 0; *(uint64_t*)0x200000014c76 = 0x18; *(uint64_t*)0x200000014c7e = 2; *(uint64_t*)0x200000014c86 = 0x12d; *(uint64_t*)0x200000014c8e = 0x18; *(uint64_t*)0x200000014c96 = 3; *(uint64_t*)0x200000014c9e = 0x17f; *(uint64_t*)0x200000014ca6 = 0x10; *(uint64_t*)0x200000014cae = 0; *(uint64_t*)0x200000014cb6 = 0x18; *(uint64_t*)0x200000014cbe = 4; *(uint64_t*)0x200000014cc6 = 0x12f; *(uint64_t*)0x200000014cce = 0x18; *(uint64_t*)0x200000014cd6 = 2; *(uint64_t*)0x200000014cde = 0x12e; *(uint64_t*)0x200000014ce6 = 0x56; *(uint64_t*)0x200000014cee = 3; memcpy((void*)0x200000014cf6, "\x0f\x01\xdf\x0f\xa8\x66\xba\xf8\x0c\xb8\x82\xca\xa9\x8f\xef\x66\xba\xfc\x0c\x66\xed\x67\x0f\x01\xca\x0f\xfd\xca\x46\x0f\x01\xb3\x90\x4e\x00\x00\x66\xba\x20\x00\x66\xb8\xb7\xea\x66\xef\x0f\x01\x32\xc4\xe1\x61\xeb\x58\x00\xb9\x81\x05\x00\x00\x0f\x32", 62); *(uint64_t*)0x200000014d34 = 0x180; *(uint64_t*)0x200000014d3c = 0x38; *(uint64_t*)0x200000014d44 = 1; 
*(uint64_t*)0x200000014d4c = 0x17; *(uint64_t*)0x200000014d54 = 4; *(uint64_t*)0x200000014d5c = 4; *(uint64_t*)0x200000014d64 = 0; *(uint64_t*)0x200000014d6c = 0x183; *(uint64_t*)0x200000014d74 = 0x18; *(uint64_t*)0x200000014d7c = 3; *(uint64_t*)0x200000014d84 = 0x65; *(uint64_t*)0x200000014d8c = 0x20; *(uint64_t*)0x200000014d94 = 0x32c; *(uint64_t*)0x200000014d9c = 0x10; *(uint64_t*)0x200000014da4 = 0x68; *(uint64_t*)0x200000014dac = 0x20; *(uint64_t*)0x200000014db4 = 7; *(uint64_t*)0x200000014dbc = 2; *(uint64_t*)0x200000014dc4 = 0xa; *(uint64_t*)0x200000014dcc = 0x56; memcpy((void*)0x200000014dd4, "\xf3\x41\xaf\x66\xb8\x3e\x00\x8e\xd0\xc4\xe1\x35\x73\xfa\xe7\x66\x0f\x74\xa6\x00\x00\x00\x00\x47\xdb\xc1\x45\x0f\x08\x66\x41\x0f\x38\x82\x94\x1f\x0e\x58\x39\xba\x47\x0f\x79\x55\x00\xc4\x01\x56\x51\xaf\x41\x04\x00\x00\x66\xba\xf8\x0c\xb8\xe2\x7f\xf4\x8d\xef\x66\xba\xfc\x0c\xec", 69); *(uint8_t*)0x200000014e19 = 0xc3; *(uint64_t*)0x200000014e1a = 0x12d; *(uint64_t*)0x200000014e22 = 0x18; *(uint64_t*)0x200000014e2a = 3; *(uint64_t*)0x200000014e32 = 0x12c; *(uint64_t*)0x200000014e3a = 0x18; *(uint64_t*)0x200000014e42 = 0; *(uint64_t*)0x200000014e4a = 0x12e; *(uint64_t*)0x200000014e52 = 0x6f; *(uint64_t*)0x200000014e5a = 3; memcpy((void*)0x200000014e62, "\xf3\x41\x0f\x22\x17\x66\xba\xf8\x0c\xb8\x61\x8e\xa1\x84\xef\x66\xba\xfc\x0c\xb0\x00\xee\x36\x64\x0f\x21\x39\xc4\x62\x41\x40\x32\x66\xba\x43\x00\x66\xb8\x0b\x00\x66\xef\x66\xba\x43\x00\xec\x40\x0f\x23\x38\x3e\x0f\xc7\x32\xc7\x44\x24\x00\xac\x00\x00\x00\xc7\x44\x24\x02\x90\x7c\x03\xe6\xff\x2c\x24\xb8\x05\x00\x00\x00\xb9\x97\x00\x00\x00\x0f\x01\xd9", 87); *(uint64_t*)0x200000014eb9 = 0x69; *(uint64_t*)0x200000014ec1 = 0x20; *(uint64_t*)0x200000014ec9 = 0xc3e5; *(uint64_t*)0x200000014ed1 = 2; *(uint64_t*)0x200000014ed9 = 0xc8; *(uint64_t*)0x200000014ee1 = 0x20; *(uint64_t*)0x200000014ee9 = 0xa1; *(uint64_t*)0x200000014ef1 = 2; *(uint64_t*)0x200000014ef9 = 0x65; *(uint64_t*)0x200000014f01 = 0x20; *(uint64_t*)0x200000014f09 = 
0x12f; *(uint64_t*)0x200000014f11 = 2; *(uint64_t*)0x200000014f19 = 0x12c; *(uint64_t*)0x200000014f21 = 0x18; *(uint64_t*)0x200000014f29 = 0; *(uint64_t*)0x200000014f50 = 0x471; res = -1; res = syz_kvm_add_vcpu(/*vm=*/0, /*text=*/0x200000014f40); if (res != -1) r[23] = res; break; case 34: res = syscall(__NR_mmap, /*addr=*/0x200000fff000ul, /*len=*/0ul, /*prot=PROT_GROWSDOWN|PROT_SEM*/0x1000008ul, /*flags=MAP_PRIVATE*/2ul, /*cpufd=*/r[23], /*offset=*/0ul); if (res != -1) r[24] = res; break; case 35: syz_kvm_assert_syzos_kvm_exit(/*run=*/r[24], /*exitcode=*/2); break; case 36: syz_kvm_assert_syzos_uexit(/*cpufd=*/r[20], /*run=*/r[24], /*exitcode=*/0x10); break; case 37: *(uint64_t*)0x200000015140 = 0; *(uint64_t*)0x200000015148 = 0x200000014f80; memcpy((void*)0x200000014f80, "\x04\xea\xa0\xef\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\x04\x01\x63\x60\x14\xc2\x80\x3c\xd1\xc0\x84\x60\x04\x00\x84\x78\x83\x0a\x84\x64\xbe\x01\x84\x60\x27\x3b\xa0\x3c\x00\x3c\xa5\x60\x04\x00\xa5\x78\x27\x72\xa5\x64\x9d\x4f\xa5\x60\x7c\x62\xc0\x3c\xdf\xa5\xc6\x60\x04\x00\xc6\x78\x78\x11\xc6\x64\x30\xb5\xc6\x60\xf2\xd6\xe0\x3c\xac\xca\xe7\x60\x04\x00\xe7\x78\x51\x98\xe7\x64\xfb\x3b\xe7\x60\x02\x00\x00\x44\x00\x00\xe0\x3f\x00\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x48\xff\x63\x60\x7b\xff\x1b\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x64\xfc\xf4\x63\x60\x76\x09\x80\x3c\x6c\xdf\x84\x60\x04\x00\x84\x78\x7c\xb5\x84\x64\x5d\x85\x84\x60\xf3\xc8\xa0\x3c\x84\x98\xa5\x60\x04\x00\xa5\x78\xa1\x6b\xa5\x64\x7c\x44\xa5\x60\x02\x00\x00\x44\x00\x00\x20\x3e\x00\x00\x31\x62\x04\x00\x31\x7a\x00\x00\x31\x66\x98\x00\x31\x62\x00\x00\x40\x3f\x00\x00\x5a\x63\x04\x00\x5a\x7b\x00\x00\x5a\x67\xe5\x13\x5a\x63\xaa\xfe\xf9\x7d\x00\x00\x80\x3c\x00\x00\x84\x60\x04\x00\x84\x78\x00\x00\x84\x64\x00\x80\x84\x60\xdc\x39\x00\x7c\x00\x00\x40\x3d\x00\x00\x4a\x61\x04\x00\x4a\x79\x00\x00\x4a\x65\x71\x99\x4a\x61\xa7\x5f\xc0\x7f\x00\x00\x60\x3c\x00\x00\x63\x60\x04\x00\x63\x78\x00\x00\x63\x
64\x08\xef\x63\x60\x09\xc6\x80\x3c\x1c\x64\x84\x60\x04\x00\x84\x78\xb4\xf7\x84\x64\x66\xcc\x84\x60\x03\x80\xa0\x3c\x45\x8f\xa5\x60\x04\x00\xa5\x78\xcf\x35\xa5\x64\x75\x97\xa5\x60\xae\x5a\xc0\x3c\x19\x31\xc6\x60\x04\x00\xc6\x78\xa9\x6d\xc6\x64\x6f\x30\xc6\x60\x22\x00\x00\x44\x00\x00\x00\x3c\x00\x00\x00\x60\x04\x00\x00\x78\x00\x00\x00\x64\x12\x00\x00\x60\x24\x01\x00\x7c\x00\x00\xe0\x3f\x01\x00\xff\x63\x04\x00\xff\x7b\x00\x00\xff\x67\x00\x00\xff\x63\xa7\xff\xa0\x7e", 420); *(uint64_t*)0x200000015150 = 0x1a4; *(uint64_t*)0x200000015180 = 1; *(uint64_t*)0x200000015188 = 1; syz_kvm_setup_cpu(/*fd=*/r[20], /*cpufd=*/r[5], /*usermem=*/0x200000fe8000, /*text=*/0x200000015140, /*ntext=*/1, /*flags=*/0, /*opts=*/0x200000015180, /*nopt=*/1); break; case 38: syz_kvm_setup_syzos_vm(/*fd=*/r[5], /*usermem=*/0x200000c00000); break; case 39: *(uint32_t*)0x2000000151c0 = 1; syz_memcpy_off(/*ring_ptr=*/r[21], /*flag_off=SQ_FLAGS_OFFSET*/0x114, /*src=*/0x2000000151c0, /*src_off=*/0, /*nbytes=*/4); break; case 40: res = syscall(__NR_ioctl, /*fd=*/r[5], /*cmd=*/0xb704, /*arg=*/0x200000015280ul); if (res != -1) r[25] = *(uint32_t*)0x200000015280; break; case 41: memcpy((void*)0x200000015200, "adfs\000", 5); memcpy((void*)0x200000015240, "./file0\000", 8); memcpy((void*)0x2000000152c0, "gid", 3); *(uint8_t*)0x2000000152c3 = 0x3d; sprintf((char*)0x2000000152c4, "0x%016llx", (long long)r[16]); *(uint8_t*)0x2000000152d6 = 0x2c; memcpy((void*)0x2000000152d7, "uid", 3); *(uint8_t*)0x2000000152da = 0x3d; sprintf((char*)0x2000000152db, "0x%016llx", (long long)r[17]); *(uint8_t*)0x2000000152ed = 0x2c; memcpy((void*)0x2000000152ee, "uid", 3); *(uint8_t*)0x2000000152f1 = 0x3d; sprintf((char*)0x2000000152f2, "0x%016llx", (long long)r[13]); *(uint8_t*)0x200000015304 = 0x2c; memcpy((void*)0x200000015305, "othmask", 7); *(uint8_t*)0x20000001530c = 0x3d; sprintf((char*)0x20000001530d, "%023llo", (long long)7); *(uint8_t*)0x200000015324 = 0x2c; memcpy((void*)0x200000015325, "ftsuffix", 8); 
*(uint8_t*)0x20000001532d = 0x3d; sprintf((char*)0x20000001532e, "%020llu", (long long)0x100); *(uint8_t*)0x200000015342 = 0x2c; memcpy((void*)0x200000015343, "othmask", 7); *(uint8_t*)0x20000001534a = 0x3d; sprintf((char*)0x20000001534b, "%023llo", (long long)8); *(uint8_t*)0x200000015362 = 0x2c; memcpy((void*)0x200000015363, "fowner<", 7); sprintf((char*)0x20000001536a, "%020llu", (long long)r[25]); *(uint8_t*)0x20000001537e = 0x2c; memcpy((void*)0x20000001537f, "func", 4); *(uint8_t*)0x200000015383 = 0x3d; memcpy((void*)0x200000015384, "FIRMWARE_CHECK", 14); *(uint8_t*)0x200000015392 = 0x2c; memcpy((void*)0x200000015393, "smackfsdef", 10); *(uint8_t*)0x20000001539d = 0x3d; memset((void*)0x20000001539e, 0, 1); *(uint8_t*)0x20000001539f = 0x2c; memcpy((void*)0x2000000153a0, "hash", 4); *(uint8_t*)0x2000000153a4 = 0x2c; *(uint8_t*)0x2000000153a5 = 0; memcpy((void*)0x2000000153c0, "\x78\x9c\x6a\x9b\xe0\xf0\xd7\x80\xc9\x48\xed\x7f\x7b\xc9\xbd\xed\xdf\xf6\x00\x02\x00\x00\xff\xff\x38\xa7\x08\x1f", 28); syz_mount_image(/*fs=*/0x200000015200, /*dir=*/0x200000015240, /*flags=MS_PRIVATE|MS_NODIRATIME|MS_NODEV|MS_DIRSYNC*/0x40884, /*opts=*/0x2000000152c0, /*chdir=*/0, /*size=*/0x1c, /*img=*/0x2000000153c0); break; case 42: memcpy((void*)0x200000015400, "/dev/i2c-#\000", 11); syz_open_dev(/*dev=*/0x200000015400, /*id=*/0xe, /*flags=__O_TMPFILE|O_TRUNC|O_NOFOLLOW*/0x420200); break; case 43: memcpy((void*)0x200000015440, "net/mcfilter6\000", 14); syz_open_procfs(/*pid=*/r[18], /*file=*/0x200000015440); break; case 44: syz_open_pts(/*fd=*/-1, /*flags=*/0); break; case 45: syz_pidfd_open(/*pid=*/r[8], /*flags=*/0); break; case 46: res = syscall(__NR_pkey_alloc, /*flags=*/0ul, /*val=PKEY_DISABLE_ACCESS*/1ul); if (res != -1) r[26] = res; break; case 47: syz_pkey_set(/*key=*/r[26], /*val=PKEY_DISABLE_WRITE*/2); break; case 48: memcpy((void*)0x200000015480, 
"\x78\x9c\x00\x43\x00\xbc\xff\x1a\xa5\x3b\x2d\x97\x22\x56\x58\x64\x62\x48\x11\x35\x5b\x94\xa0\xd2\xd7\x8d\x09\xd2\x09\x51\xdf\x3c\x2c\x1a\x49\x88\xca\x48\xd4\x52\x61\xcc\x47\x3e\x4f\x65\xf6\x76\xe4\xe9\xb3\x8c\xde\x4a\xab\xa0\x5c\x20\xea\x6f\x37\xa5\x29\x42\x97\xe2\xc2\xa7\x6d\x7e\x55\x2d\xca\xd8\x01\x00\x00\xff\xff\xd6\x63\x1f\xa5", 83); syz_read_part_table(/*size=*/0x53, /*img=*/0x200000015480); break; case 49: syz_socket_connect_nvme_tcp(); break; case 50: *(uint8_t*)0x200000015500 = 0x12; *(uint8_t*)0x200000015501 = 1; *(uint16_t*)0x200000015502 = 0x310; *(uint8_t*)0x200000015504 = 0x99; *(uint8_t*)0x200000015505 = 0x45; *(uint8_t*)0x200000015506 = 0xdf; *(uint8_t*)0x200000015507 = -1; *(uint16_t*)0x200000015508 = 0x19d2; *(uint16_t*)0x20000001550a = 0xfff8; *(uint16_t*)0x20000001550c = 0xcd35; *(uint8_t*)0x20000001550e = 1; *(uint8_t*)0x20000001550f = 2; *(uint8_t*)0x200000015510 = 3; *(uint8_t*)0x200000015511 = 1; *(uint8_t*)0x200000015512 = 9; *(uint8_t*)0x200000015513 = 2; *(uint16_t*)0x200000015514 = 0xd8d; *(uint8_t*)0x200000015516 = 4; *(uint8_t*)0x200000015517 = 0xc; *(uint8_t*)0x200000015518 = 0xd4; *(uint8_t*)0x200000015519 = 0xb0; *(uint8_t*)0x20000001551a = 8; *(uint8_t*)0x20000001551b = 9; *(uint8_t*)0x20000001551c = 4; *(uint8_t*)0x20000001551d = 5; *(uint8_t*)0x20000001551e = 0xe; *(uint8_t*)0x20000001551f = 6; *(uint8_t*)0x200000015520 = -1; *(uint8_t*)0x200000015521 = -1; *(uint8_t*)0x200000015522 = -1; *(uint8_t*)0x200000015523 = 5; *(uint8_t*)0x200000015524 = 0xa; *(uint8_t*)0x200000015525 = 0x24; *(uint8_t*)0x200000015526 = 2; *(uint8_t*)0x200000015527 = 2; *(uint16_t*)0x200000015528 = 0x82; *(uint16_t*)0x20000001552a = 0x97; *(uint8_t*)0x20000001552c = 9; *(uint8_t*)0x20000001552d = 9; *(uint8_t*)0x20000001552e = 7; *(uint8_t*)0x20000001552f = 0x24; *(uint8_t*)0x200000015530 = 1; *(uint8_t*)0x200000015531 = 0x91; *(uint8_t*)0x200000015532 = 0x10; *(uint16_t*)0x200000015533 = 1; *(uint8_t*)0x200000015535 = 0xa; *(uint8_t*)0x200000015536 = 
0x24; *(uint8_t*)0x200000015537 = 2; *(uint8_t*)0x200000015538 = 2; *(uint16_t*)0x200000015539 = 0x64; *(uint16_t*)0x20000001553b = 5; *(uint8_t*)0x20000001553d = 5; *(uint8_t*)0x20000001553e = 9; *(uint8_t*)0x20000001553f = 0xa; *(uint8_t*)0x200000015540 = 0x24; *(uint8_t*)0x200000015541 = 2; *(uint8_t*)0x200000015542 = 2; *(uint16_t*)0x200000015543 = 9; *(uint16_t*)0x200000015545 = 1; *(uint8_t*)0x200000015547 = 1; *(uint8_t*)0x200000015548 = 0x18; *(uint8_t*)0x200000015549 = 0xa; *(uint8_t*)0x20000001554a = 0x24; *(uint8_t*)0x20000001554b = 2; *(uint8_t*)0x20000001554c = 2; *(uint16_t*)0x20000001554d = 5; *(uint16_t*)0x20000001554f = 0x100; *(uint8_t*)0x200000015551 = 0; *(uint8_t*)0x200000015552 = 0x1f; *(uint8_t*)0x200000015553 = 0xa; *(uint8_t*)0x200000015554 = 0x24; *(uint8_t*)0x200000015555 = 2; *(uint8_t*)0x200000015556 = 2; *(uint16_t*)0x200000015557 = 0x200; *(uint16_t*)0x200000015559 = 2; *(uint8_t*)0x20000001555b = 6; *(uint8_t*)0x20000001555c = 6; *(uint8_t*)0x20000001555d = 9; *(uint8_t*)0x20000001555e = 0x24; *(uint8_t*)0x20000001555f = 2; *(uint8_t*)0x200000015560 = 1; *(uint8_t*)0x200000015561 = 0; *(uint8_t*)0x200000015562 = 9; *(uint8_t*)0x200000015563 = 4; *(uint8_t*)0x200000015564 = 1; *(uint8_t*)0x200000015565 = 0xdc; *(uint8_t*)0x200000015566 = 0xb; *(uint8_t*)0x200000015567 = 0x24; *(uint8_t*)0x200000015568 = 2; *(uint8_t*)0x200000015569 = 2; *(uint16_t*)0x20000001556a = 5; *(uint16_t*)0x20000001556c = 9; *(uint8_t*)0x20000001556e = 6; memcpy((void*)0x20000001556f, "\x42\xe9", 2); *(uint8_t*)0x200000015571 = 0x12; *(uint8_t*)0x200000015572 = 0x24; *(uint8_t*)0x200000015573 = 2; *(uint8_t*)0x200000015574 = 2; *(uint16_t*)0x200000015575 = 2; *(uint16_t*)0x200000015577 = 0xaecb; *(uint8_t*)0x200000015579 = 0; memcpy((void*)0x20000001557a, "\xe0\xff\x89\xcc\x39\xb2\x42\xb2\xb0", 9); *(uint8_t*)0x200000015583 = 7; *(uint8_t*)0x200000015584 = 0x24; *(uint8_t*)0x200000015585 = 1; *(uint8_t*)0x200000015586 = 0xc; *(uint8_t*)0x200000015587 = 2; 
*(uint16_t*)0x200000015588 = 2; *(uint8_t*)0x20000001558a = 9; *(uint8_t*)0x20000001558b = 5; *(uint8_t*)0x20000001558c = 1; *(uint8_t*)0x20000001558d = 0x1d; *(uint16_t*)0x20000001558e = 0x20; *(uint8_t*)0x200000015590 = 5; *(uint8_t*)0x200000015591 = 9; *(uint8_t*)0x200000015592 = 0xf; *(uint8_t*)0x200000015593 = 9; *(uint8_t*)0x200000015594 = 5; *(uint8_t*)0x200000015595 = 4; *(uint8_t*)0x200000015596 = 0x10; *(uint16_t*)0x200000015597 = 0x10; *(uint8_t*)0x200000015599 = 5; *(uint8_t*)0x20000001559a = 7; *(uint8_t*)0x20000001559b = 1; *(uint8_t*)0x20000001559c = 0x49; *(uint8_t*)0x20000001559d = 1; memcpy((void*)0x20000001559e, "\xbe\xdb\xdc\x40\xb6\x57\x91\x5a\xee\xa3\x6b\xef\xa7\x43\xbb\xf4\x76\xbb\xcc\x3a\x55\x77\x74\x37\xfd\x0c\x08\x62\xa5\x59\x1f\x0b\x80\x91\x62\x6c\x65\x64\xa6\x2b\x69\x95\xd0\xb1\xac\x34\x99\x5d\x44\x2d\xe5\x0d\x21\xf3\x0d\xa0\x8f\x64\xd3\xbb\x0e\x86\x08\x6e\x62\x96\x82\x16\xd8\xcb\xfe", 71); *(uint8_t*)0x2000000155e5 = 0xc; *(uint8_t*)0x2000000155e6 = 0xe; memcpy((void*)0x2000000155e7, "\x1c\xca\x42\xd0\xd4\xc1\x24\x78\xdb\xc7", 10); *(uint8_t*)0x2000000155f1 = 9; *(uint8_t*)0x2000000155f2 = 5; *(uint8_t*)0x2000000155f3 = 0xc; *(uint8_t*)0x2000000155f4 = 0xd; *(uint16_t*)0x2000000155f5 = 0x10; *(uint8_t*)0x2000000155f7 = 4; *(uint8_t*)0x2000000155f8 = 0xef; *(uint8_t*)0x2000000155f9 = 0xd; *(uint8_t*)0x2000000155fa = 9; *(uint8_t*)0x2000000155fb = 5; *(uint8_t*)0x2000000155fc = 0; *(uint8_t*)0x2000000155fd = 2; *(uint16_t*)0x2000000155fe = 0x40; *(uint8_t*)0x200000015600 = 1; *(uint8_t*)0x200000015601 = 0x92; *(uint8_t*)0x200000015602 = 1; *(uint8_t*)0x200000015603 = 7; *(uint8_t*)0x200000015604 = 0x25; *(uint8_t*)0x200000015605 = 1; *(uint8_t*)0x200000015606 = 8; *(uint8_t*)0x200000015607 = 0xf; *(uint16_t*)0x200000015608 = 9; *(uint8_t*)0x20000001560a = 0x9c; *(uint8_t*)0x20000001560b = 0x24; memcpy((void*)0x20000001560c, 
"\x94\x62\xe7\x8d\x67\xa7\x93\x83\x09\xf8\x93\x38\x8b\x58\x5f\x99\xed\x3c\xae\x5a\xeb\x24\x1e\x37\xea\xcc\x73\xfb\x04\x0b\x91\x7d\x69\x75\x87\xfd\x88\x85\xdc\xc8\x92\xbf\xee\x22\x87\x19\x88\xc7\x01\x88\xe9\xe8\x45\x46\xa7\x96\xe5\x6e\xa4\x83\x70\xdf\xca\x68\x9a\xaa\x0f\xfd\x08\x41\xc7\xe2\x8c\xbc\xec\xbc\x3b\xee\xb2\x54\xd9\x02\x49\x8d\xde\x37\x3f\x5e\x92\x09\x32\xac\xdf\x32\x22\xa5\x61\x17\x4a\x85\xce\x36\xd5\xf5\xc7\x09\x82\x9a\x04\x29\xf4\x8d\xe3\x26\x62\x11\xe3\x53\x22\x35\xca\xcb\x3a\x64\xff\xf3\xe3\x01\x82\xcd\x02\x7e\xa6\x60\xbc\xe2\x4c\xc1\x97\xbf\x35\x8f\x77\x95\x3c\x96\x4d\xe4\x53\x04\x16\x90\x7f\xa1", 154); *(uint8_t*)0x2000000156a6 = 9; *(uint8_t*)0x2000000156a7 = 5; *(uint8_t*)0x2000000156a8 = 6; *(uint8_t*)0x2000000156a9 = 0; *(uint16_t*)0x2000000156aa = 0x400; *(uint8_t*)0x2000000156ac = 4; *(uint8_t*)0x2000000156ad = 0; *(uint8_t*)0x2000000156ae = 6; *(uint8_t*)0x2000000156af = 9; *(uint8_t*)0x2000000156b0 = 5; *(uint8_t*)0x2000000156b1 = 0x1f; *(uint8_t*)0x2000000156b2 = 0xc; *(uint16_t*)0x2000000156b3 = 0x20; *(uint8_t*)0x2000000156b5 = 8; *(uint8_t*)0x2000000156b6 = 0x80; *(uint8_t*)0x2000000156b7 = 4; *(uint8_t*)0x2000000156b8 = 7; *(uint8_t*)0x2000000156b9 = 0x25; *(uint8_t*)0x2000000156ba = 1; *(uint8_t*)0x2000000156bb = 4; *(uint8_t*)0x2000000156bc = 0x40; *(uint16_t*)0x2000000156bd = 0xfff; *(uint8_t*)0x2000000156bf = 0x4a; *(uint8_t*)0x2000000156c0 = 9; memcpy((void*)0x2000000156c1, "\x13\xdf\x6f\x0c\x72\x3d\x23\x38\x80\xc0\x86\x9f\x46\xc9\x39\x9e\x14\x8e\xf0\xd9\x87\x29\x76\x35\xb6\xbf\x6f\x36\x9c\xbf\x8f\x07\xb3\x4b\x93\x76\xff\x57\xdc\xbd\xf2\x74\x65\xeb\x51\x53\xfb\x8d\xd7\xca\x2f\xab\x27\x37\xdd\x51\x5e\xde\xf1\xc9\x66\x91\x5e\x06\x76\xdb\x83\x1f\x2b\x91\x8d\x82", 72); *(uint8_t*)0x200000015709 = 9; *(uint8_t*)0x20000001570a = 4; *(uint8_t*)0x20000001570b = 0xe4; *(uint8_t*)0x20000001570c = 0xb; *(uint8_t*)0x20000001570d = 0xd; *(uint8_t*)0x20000001570e = -1; *(uint8_t*)0x20000001570f = 0xde; *(uint8_t*)0x200000015710 = 0x55; 
*(uint8_t*)0x200000015711 = 3; *(uint8_t*)0x200000015712 = 0xa; *(uint8_t*)0x200000015713 = 0x24; *(uint8_t*)0x200000015714 = 1; *(uint16_t*)0x200000015715 = 3; *(uint16_t*)0x200000015717 = 0xa; *(uint8_t*)0x200000015719 = 2; *(uint8_t*)0x20000001571a = 1; *(uint8_t*)0x20000001571b = 2; *(uint8_t*)0x20000001571c = 9; *(uint8_t*)0x20000001571d = 5; *(uint8_t*)0x20000001571e = 1; *(uint8_t*)0x20000001571f = 3; *(uint16_t*)0x200000015720 = 0x20; *(uint8_t*)0x200000015722 = 1; *(uint8_t*)0x200000015723 = 0x66; *(uint8_t*)0x200000015724 = 7; *(uint8_t*)0x200000015725 = 0x8c; *(uint8_t*)0x200000015726 = 0x23; memcpy((void*)0x200000015727, "\xc3\x44\xbd\x7f\x69\x0e\x11\x22\xd6\x52\x4c\xcd\x02\x57\xc1\x18\x5e\x61\xc3\xab\x3c\xcb\x36\x6e\xf9\x03\x7a\x58\x03\x54\x18\x72\x8d\x9a\xab\x96\x71\x7e\x22\x0d\x72\x20\xfb\x96\x4b\x7e\x92\x8d\x75\xef\x45\x85\x91\x31\x15\x90\x97\xfa\x85\xb2\xd2\x4e\xeb\x7f\xc5\x90\xe0\x48\xeb\x1b\xa8\x30\xac\x34\x3b\xfd\x9a\x3c\x32\xdf\xc9\x3f\xad\xcb\x90\xf9\x3a\x63\xc7\x37\x83\x4f\x5e\x2d\x4e\x73\x68\xe0\x2e\xc5\xf2\x10\x6b\xef\x93\x5e\x5e\x74\xc3\xe7\xd2\xd3\xd1\x6e\xbf\xfa\x13\xa8\x29\x49\x9d\xa4\x42\xf0\x17\x26\xd0\x7a\x33\x8f\xeb\x61\x2c\x3b\x6e\x51\x93\xb8", 138); *(uint8_t*)0x2000000157b1 = 9; *(uint8_t*)0x2000000157b2 = 5; *(uint8_t*)0x2000000157b3 = 1; *(uint8_t*)0x2000000157b4 = 0xc; *(uint16_t*)0x2000000157b5 = 0x10; *(uint8_t*)0x2000000157b7 = 6; *(uint8_t*)0x2000000157b8 = 0x73; *(uint8_t*)0x2000000157b9 = 2; *(uint8_t*)0x2000000157ba = 9; *(uint8_t*)0x2000000157bb = 5; *(uint8_t*)0x2000000157bc = 0xe; *(uint8_t*)0x2000000157bd = 1; *(uint16_t*)0x2000000157be = 0x40; *(uint8_t*)0x2000000157c0 = 0; *(uint8_t*)0x2000000157c1 = 0; *(uint8_t*)0x2000000157c2 = 0xe; *(uint8_t*)0x2000000157c3 = 7; *(uint8_t*)0x2000000157c4 = 0x25; *(uint8_t*)0x2000000157c5 = 1; *(uint8_t*)0x2000000157c6 = 8; *(uint8_t*)0x2000000157c7 = 8; *(uint16_t*)0x2000000157c8 = 0x9df1; *(uint8_t*)0x2000000157ca = 7; *(uint8_t*)0x2000000157cb = 0x25; 
*(uint8_t*)0x2000000157cc = 1; *(uint8_t*)0x2000000157cd = 4; *(uint8_t*)0x2000000157ce = 3; *(uint16_t*)0x2000000157cf = 0x84; *(uint8_t*)0x2000000157d1 = 9; *(uint8_t*)0x2000000157d2 = 5; *(uint8_t*)0x2000000157d3 = 7; *(uint8_t*)0x2000000157d4 = 0x10; *(uint16_t*)0x2000000157d5 = 8; *(uint8_t*)0x2000000157d7 = 0xd; *(uint8_t*)0x2000000157d8 = 6; *(uint8_t*)0x2000000157d9 = 6; *(uint8_t*)0x2000000157da = 0x9c; *(uint8_t*)0x2000000157db = 0x11; memcpy((void*)0x2000000157dc, "\x61\xc2\xc5\x81\xbc\xf0\xdc\x3a\x09\xec\x54\x65\xd8\xb3\x95\x93\xb5\x1c\xb5\x68\xad\x67\xbf\x21\x9f\x28\xa6\x37\xf8\xb8\xf3\xaa\xe7\xb6\xcf\x31\x06\x9d\xa5\x51\xc5\xd9\x0a\x29\x7a\xb0\xcf\xed\xa5\x43\xa0\xf7\x62\xc8\x18\x5b\xab\xc4\x3a\x4c\x9b\xb3\xb0\x95\xc0\xee\x13\x96\xf8\xb1\xfd\x62\x19\xb3\x16\x13\xb7\x56\x0d\x30\x9f\x17\x3c\x80\x67\x3f\xb0\x85\x29\xfc\x8f\x17\x52\x91\xf9\x98\x56\xaf\x19\x8c\xf4\x7a\x32\xc7\x6d\xf6\xbe\x44\x94\x93\xe5\xa6\x6e\xb4\x66\x4b\x84\x22\x6c\xa1\xe2\xc8\xf2\x02\x9a\xde\x7d\x75\x31\x6b\x10\x4a\x34\x80\xfb\xf7\xd4\x50\x9d\x74\x8c\x36\xf6\x59\xf8\xf5\x27\x43\xfd\x07\x7f\xc7\xdf\x42", 154); *(uint8_t*)0x200000015876 = 0x4e; *(uint8_t*)0x200000015877 = 4; memcpy((void*)0x200000015878, "\x57\xfa\xd1\x47\xfa\x12\xcd\x27\x89\x6e\x4e\x92\xba\x1a\xd4\x05\x8c\x8d\x43\xec\x21\x50\xd8\x73\x2f\xc5\xae\x10\x5a\x17\x4e\xd8\x39\x42\xdc\xb7\x9a\x05\xb1\x0f\xd4\x95\x7d\xbc\x1a\xc0\x27\xa2\xdf\x57\x28\xb2\xb2\xbb\x9b\x5b\xc5\x1f\x9a\x8c\x88\xe9\xfa\x85\x11\x38\xc7\xcd\xd7\x62\x66\x41\x91\x1c\xbe\x0c", 76); *(uint8_t*)0x2000000158c4 = 9; *(uint8_t*)0x2000000158c5 = 5; *(uint8_t*)0x2000000158c6 = 0; *(uint8_t*)0x2000000158c7 = 0xc; *(uint16_t*)0x2000000158c8 = 8; *(uint8_t*)0x2000000158ca = 8; *(uint8_t*)0x2000000158cb = 0x20; *(uint8_t*)0x2000000158cc = 0xc; *(uint8_t*)0x2000000158cd = 7; *(uint8_t*)0x2000000158ce = 0x25; *(uint8_t*)0x2000000158cf = 1; *(uint8_t*)0x2000000158d0 = 4; *(uint8_t*)0x2000000158d1 = 6; *(uint16_t*)0x2000000158d2 = 0x101; *(uint8_t*)0x2000000158d4 = 7; 
*(uint8_t*)0x2000000158d5 = 0x25; *(uint8_t*)0x2000000158d6 = 1; *(uint8_t*)0x2000000158d7 = 8; *(uint8_t*)0x2000000158d8 = 0xfd; *(uint16_t*)0x2000000158d9 = 2; *(uint8_t*)0x2000000158db = 9; *(uint8_t*)0x2000000158dc = 5; *(uint8_t*)0x2000000158dd = 0xb; *(uint8_t*)0x2000000158de = 0xc; *(uint16_t*)0x2000000158df = 0x10; *(uint8_t*)0x2000000158e1 = 0xf0; *(uint8_t*)0x2000000158e2 = 3; *(uint8_t*)0x2000000158e3 = 9; *(uint8_t*)0x2000000158e4 = 9; *(uint8_t*)0x2000000158e5 = 5; *(uint8_t*)0x2000000158e6 = 2; *(uint8_t*)0x2000000158e7 = 2; *(uint16_t*)0x2000000158e8 = 0x7b7; *(uint8_t*)0x2000000158ea = 9; *(uint8_t*)0x2000000158eb = 2; *(uint8_t*)0x2000000158ec = 0x78; *(uint8_t*)0x2000000158ed = 7; *(uint8_t*)0x2000000158ee = 0x25; *(uint8_t*)0x2000000158ef = 1; *(uint8_t*)0x2000000158f0 = 4; *(uint8_t*)0x2000000158f1 = 2; *(uint16_t*)0x2000000158f2 = 0x6e8; *(uint8_t*)0x2000000158f4 = 9; *(uint8_t*)0x2000000158f5 = 5; *(uint8_t*)0x2000000158f6 = 0xe; *(uint8_t*)0x2000000158f7 = 0; *(uint16_t*)0x2000000158f8 = 8; *(uint8_t*)0x2000000158fa = 0xb6; *(uint8_t*)0x2000000158fb = 0x47; *(uint8_t*)0x2000000158fc = 1; *(uint8_t*)0x2000000158fd = 0xea; *(uint8_t*)0x2000000158fe = 0xd; memcpy((void*)0x2000000158ff, 
"\xd7\xee\xf8\xad\xff\x59\x3f\xef\x60\x12\x57\xeb\x29\xf1\x12\x3c\x0f\x04\xcf\x50\xd2\xf0\x65\xa5\x2a\xb8\x35\xd4\x04\x54\xac\x46\xb6\x63\x87\x38\xe9\x75\x3c\x66\x06\x2b\x76\xd4\x57\xd6\xb3\x63\xf7\xb7\x63\x4f\xea\xac\x71\x9c\x3e\x90\x0c\xce\xb8\xd9\x69\x21\x0b\x57\x3a\x62\xd4\x51\x64\x98\xd5\x98\xa6\x1e\x6f\xa5\xbb\xd0\xfd\x38\x6f\x9f\x1d\x7a\xfe\xf4\xdd\xbe\x39\x49\x5d\x6e\x55\x5d\x24\x55\x5b\xf1\xbf\xfe\x21\xfc\x47\x2a\xb2\xa8\xd5\xd0\xf8\xa6\x11\xab\x5a\x46\xae\x9b\x23\xbb\x6a\x6b\x36\x39\x46\xda\xfb\xb2\xe7\x41\xd3\x4f\xe4\x56\xf5\x81\x63\x32\xd7\x2d\x43\x5f\xbd\x1f\xae\x47\x63\x32\x5d\xac\x58\xc2\xde\x0a\x67\x27\x7e\x2d\x74\xfe\xf5\xd8\xba\x6d\xe1\x7c\x31\xd5\xc7\xfb\x01\xa1\x3d\x3b\xf0\x0c\x31\x13\x41\x6b\x72\xb3\xe2\xe0\xb8\x0b\x4a\xb9\xcd\xa7\x7d\x2d\xe3\xed\x36\x8f\xab\x48\x41\xfd\x62\xac\xf6\x6e\x43\x21\x21\xb5\xf5\xd7\xc8\xc0\x36\x66\x0d\x7a\x35\x10\x33\x15\x5e\x3e\xef\x2f\xf2\x0f\x2a\xed\x82\x41\xd1\x76", 232); *(uint8_t*)0x2000000159e7 = 9; *(uint8_t*)0x2000000159e8 = 5; *(uint8_t*)0x2000000159e9 = 0xe; *(uint8_t*)0x2000000159ea = 3; *(uint16_t*)0x2000000159eb = 0x200; *(uint8_t*)0x2000000159ed = -1; *(uint8_t*)0x2000000159ee = 0x62; *(uint8_t*)0x2000000159ef = 5; *(uint8_t*)0x2000000159f0 = 0x55; *(uint8_t*)0x2000000159f1 = 0x23; memcpy((void*)0x2000000159f2, "\xd5\x22\xb5\x6c\x6d\xde\x6a\x69\x8a\x23\xe1\x0e\x4f\xc0\x79\x8f\x87\xc9\x46\xfa\x28\x48\xc7\x17\xa9\xa3\x31\x38\xfd\xb3\x47\x57\x93\xc1\xb4\xd1\x72\x2b\x3b\xcc\x36\x38\x4d\x25\x89\xa2\x7e\x5f\x22\xb2\x89\x72\x7e\x23\xf0\x39\xff\xdf\x2a\xb2\x5d\xa6\x2c\x09\x2e\xd0\x1c\xb1\x51\xb0\xad\x8b\xa7\x75\x8c\x32\xab\xd0\x7f\x79\x51\x4e\xba", 83); *(uint8_t*)0x200000015a45 = 0x96; *(uint8_t*)0x200000015a46 = 8; memcpy((void*)0x200000015a47, 
"\x70\xf4\xe5\xb8\x33\x74\xf7\xb0\xde\x44\xec\x45\x10\x5a\xc3\x14\x02\x14\x0e\x17\x62\x14\x64\x1e\x37\x97\xba\x0a\xea\x40\x13\xe3\xe7\xc2\x87\x1f\x78\x52\x8a\x25\x6a\x22\x49\xdc\xad\x68\x4f\xd5\x77\xa4\x28\xa1\x4f\x44\x6c\xe9\xd7\xde\x49\x36\x4a\xa1\x63\xc6\x8d\xd1\xe4\xe2\x0c\x0a\xa9\x8a\x26\x35\x47\xf0\x7d\xae\x9c\x3e\x45\xff\xec\x5b\xdc\xcf\xb9\x0b\x1a\xd9\x05\x4d\xa6\x28\x66\x62\x6b\xfb\xc3\x94\xa1\xe9\xae\xc6\xb3\x00\x42\x0a\x61\x67\xe6\xe6\xef\x43\x96\xdf\xfb\x6b\xfc\x18\xd3\xb2\x53\x77\x89\x27\x04\x23\x86\x75\x35\xf7\x5b\x14\x54\xcc\x3b\x8a\x6a\xef\x5b\x65\xb9\x77\x41\x39\xad\xcf", 148); *(uint8_t*)0x200000015adb = 9; *(uint8_t*)0x200000015adc = 5; *(uint8_t*)0x200000015add = 0xc; *(uint8_t*)0x200000015ade = 0x10; *(uint16_t*)0x200000015adf = 0x20; *(uint8_t*)0x200000015ae1 = 8; *(uint8_t*)0x200000015ae2 = 1; *(uint8_t*)0x200000015ae3 = 8; *(uint8_t*)0x200000015ae4 = 9; *(uint8_t*)0x200000015ae5 = 5; *(uint8_t*)0x200000015ae6 = 0xd; *(uint8_t*)0x200000015ae7 = 0x10; *(uint16_t*)0x200000015ae8 = 0x400; *(uint8_t*)0x200000015aea = 3; *(uint8_t*)0x200000015aeb = 0x6d; *(uint8_t*)0x200000015aec = 7; *(uint8_t*)0x200000015aed = 0x85; *(uint8_t*)0x200000015aee = 0xe; memcpy((void*)0x200000015aef, "\x1a\x54\xb4\xa0\x79\x76\xe1\x6c\xec\x50\x7f\x7c\xfe\x00\xc9\x35\x99\xf9\xfd\xef\xaf\x8b\xf8\x6c\xb9\xae\x60\xf5\xe7\x42\x6c\x78\xb3\xe0\x1c\xc8\xca\xb0\xaa\xf0\x9d\xeb\xba\xcd\x78\x5c\x9d\xe3\xbb\x89\x55\x1d\x0a\x24\x1f\x2d\x65\x83\x0f\x53\x64\x75\x49\x91\xfe\xea\xd8\x7f\xe8\xc8\xb9\x28\xac\x16\x85\x3a\xe9\x59\xea\xc2\x7b\x59\xcc\xc8\x6d\x22\x44\x2c\xa6\x29\xd1\x20\xb1\xa0\x9c\xf1\x41\x84\xa9\xc4\x87\x3f\x74\xae\x74\x82\x01\xf5\xf4\xe6\x49\xe3\x72\x4c\x7d\xdb\x89\xf4\x58\x47\x2b\x28\x5f\x9c\x10\xea\x40\x39\x3f\x30\x60", 131); *(uint8_t*)0x200000015b72 = 9; *(uint8_t*)0x200000015b73 = 5; *(uint8_t*)0x200000015b74 = 9; *(uint8_t*)0x200000015b75 = 0; *(uint16_t*)0x200000015b76 = 8; *(uint8_t*)0x200000015b78 = 0xa; *(uint8_t*)0x200000015b79 = 7; *(uint8_t*)0x200000015b7a = 
2; *(uint8_t*)0x200000015b7b = 7; *(uint8_t*)0x200000015b7c = 0x25; *(uint8_t*)0x200000015b7d = 1; *(uint8_t*)0x200000015b7e = 0; *(uint8_t*)0x200000015b7f = 4; *(uint16_t*)0x200000015b80 = 0x4fb3; *(uint8_t*)0x200000015b82 = 9; *(uint8_t*)0x200000015b83 = 5; *(uint8_t*)0x200000015b84 = 7; *(uint8_t*)0x200000015b85 = 0x10; *(uint16_t*)0x200000015b86 = 0x3ff; *(uint8_t*)0x200000015b88 = 1; *(uint8_t*)0x200000015b89 = 0x88; *(uint8_t*)0x200000015b8a = 6; *(uint8_t*)0x200000015b8b = 9; *(uint8_t*)0x200000015b8c = 4; *(uint8_t*)0x200000015b8d = 0x10; *(uint8_t*)0x200000015b8e = 8; *(uint8_t*)0x200000015b8f = 0x10; *(uint8_t*)0x200000015b90 = -1; *(uint8_t*)0x200000015b91 = 0x5d; *(uint8_t*)0x200000015b92 = 0x81; *(uint8_t*)0x200000015b93 = 3; *(uint8_t*)0x200000015b94 = 0xb7; *(uint8_t*)0x200000015b95 = 0; memcpy((void*)0x200000015b96, "\xbe\xa8\xfd\xb5\x0e\x62\x4b\x76\x3d\xdd\xda\xf5\xed\x85\xd8\x17\x0c\xa8\x58\xcf\x74\xac\x67\x8e\xb5\x4d\x20\x45\xe5\xfb\xb2\x77\x21\x40\xe2\xcf\x18\x95\xcb\x69\x3a\x91\x4f\xfb\x89\x1c\xd2\xc9\x0d\x48\x27\xbc\xd3\x43\x59\xd7\x01\x07\x46\x2e\xad\x88\x9a\x6e\x4e\xd6\x96\x89\x35\xa8\x1a\x14\x7a\xc0\xcc\xc8\x1c\x38\xd6\x2d\x6a\x84\xcf\x50\x45\x52\xec\x37\xd6\x09\xb5\x47\x50\x18\xbd\xa1\x24\xc0\x9e\xa9\xf2\x13\x03\x86\x5f\xe4\x64\xab\xc3\x8c\xd8\x4a\xe4\x2d\xe3\x3e\x46\x91\x12\x7e\x2b\x85\x53\x83\x7d\x58\xcd\xa5\x1f\x11\xa0\x5a\x15\x38\xec\xff\x55\xe9\x0f\x34\xa1\xc5\x66\xc2\x34\xc0\x06\xd0\x0b\x50\xb4\xb2\x9e\x49\xb8\xd0\x90\xf5\xa2\x74\xae\x37\xe0\x3e\x49\x68\x2c\x44\xc2\xb1\xd9\xdb\x62\xf6\x32\x33\xf9\x67\x0c\xb2\xac", 181); *(uint8_t*)0x200000015c4b = 9; *(uint8_t*)0x200000015c4c = 5; *(uint8_t*)0x200000015c4d = 0xc; *(uint8_t*)0x200000015c4e = 0x10; *(uint16_t*)0x200000015c4f = 0x40; *(uint8_t*)0x200000015c51 = 9; *(uint8_t*)0x200000015c52 = 8; *(uint8_t*)0x200000015c53 = 2; *(uint8_t*)0x200000015c54 = 9; *(uint8_t*)0x200000015c55 = 5; *(uint8_t*)0x200000015c56 = 6; *(uint8_t*)0x200000015c57 = 2; *(uint16_t*)0x200000015c58 = 8; 
*(uint8_t*)0x200000015c5a = 3; *(uint8_t*)0x200000015c5b = 0x18; *(uint8_t*)0x200000015c5c = 0x1c; *(uint8_t*)0x200000015c5d = 0xf6; *(uint8_t*)0x200000015c5e = 0xc; memcpy((void*)0x200000015c5f, "\xd7\x72\x97\x11\x23\x6e\xb7\x89\x69\x91\xe6\xff\xe3\xdd\x76\x22\xe9\x6e\x2e\x7d\x17\x60\xab\x64\x52\x47\x2b\xba\xc1\xd0\x68\x61\xd9\xd4\x9e\x41\x00\x60\x6a\x22\x7d\x34\x2c\x61\x75\x94\x5a\xde\x9c\xc3\xf4\x6e\xc4\x62\x7f\x92\xca\xa5\xd7\x32\x27\xfa\xe7\xa3\x60\xd2\x5f\xac\x9e\x57\x44\x07\x3f\x0c\x05\x4c\x9a\x5b\x82\x58\xdd\x27\x9b\x73\x68\x76\x58\x4b\x90\x4d\x94\x3b\x23\xc2\x6d\x9e\x6b\xc2\xdd\x3b\x98\xf3\x62\x44\x15\x8c\x76\x0f\x0b\xf9\x75\x02\x91\x42\xb3\xf5\x8b\xb6\x3e\xc3\x76\xd7\xf5\xd9\x61\x18\x20\xd3\x80\xef\xd7\xde\x61\x63\xac\x8d\xc2\x71\x44\xe2\x1d\x92\xc9\x3f\xfe\xcc\x2d\x8c\x7b\x3b\xc5\xea\xd1\x81\x86\x3c\xd9\x6a\x0a\xbf\x28\x89\xeb\x10\xb6\x87\x91\x3f\xa8\x21\x4b\x89\xde\x11\xf5\x2b\x7d\x19\x36\xad\x9c\x1c\x45\xda\x86\xa1\x5e\x86\xb6\xc9\x06\x02\x91\xd8\x5b\x48\xeb\xc2\x34\x4d\xb8\xad\x8c\xc5\x2f\x79\xd4\xf0\x37\x7a\x89\x3b\x3d\xa6\x1c\xfc\x15\x13\xd2\xba\x95\x36\xd6\x19\x0d\xe8\x86\xa2\xd1\x8f\xf8\xab\x1f\x46\x3f\x15\x47\x1d\x7f\x96\xdc\x92\xd0\xac", 244); *(uint8_t*)0x200000015d53 = 9; *(uint8_t*)0x200000015d54 = 5; *(uint8_t*)0x200000015d55 = 7; *(uint8_t*)0x200000015d56 = 4; *(uint16_t*)0x200000015d57 = 0x20; *(uint8_t*)0x200000015d59 = 9; *(uint8_t*)0x200000015d5a = 2; *(uint8_t*)0x200000015d5b = 0x37; *(uint8_t*)0x200000015d5c = 9; *(uint8_t*)0x200000015d5d = 5; *(uint8_t*)0x200000015d5e = 0xf; *(uint8_t*)0x200000015d5f = 0x12; *(uint16_t*)0x200000015d60 = 8; *(uint8_t*)0x200000015d62 = 0xd; *(uint8_t*)0x200000015d63 = 6; *(uint8_t*)0x200000015d64 = 0xf; *(uint8_t*)0x200000015d65 = 0x40; *(uint8_t*)0x200000015d66 = 5; memcpy((void*)0x200000015d67, 
"\x71\xaf\xb2\x61\x7a\x61\xe7\x55\x29\xdd\xe0\xf3\x2f\xa6\xca\x4b\x85\x7a\x84\xb3\x12\x0b\x93\x61\x68\x64\x2c\x34\x04\x8f\x29\x2f\xc2\x7a\x3a\x8f\x1f\x74\x58\x0c\xdc\x36\xe9\xa4\x0b\x4f\xf6\x92\xf1\x32\x24\xb9\x14\xa8\x9f\xb7\x30\x85\x79\x3a\x5c\x22", 62); *(uint8_t*)0x200000015da5 = 9; *(uint8_t*)0x200000015da6 = 5; *(uint8_t*)0x200000015da7 = 0xd; *(uint8_t*)0x200000015da8 = 0xc; *(uint16_t*)0x200000015da9 = 0xf5f1; *(uint8_t*)0x200000015dab = 4; *(uint8_t*)0x200000015dac = 1; *(uint8_t*)0x200000015dad = 0; *(uint8_t*)0x200000015dae = 0x50; *(uint8_t*)0x200000015daf = 3; memcpy((void*)0x200000015db0, "\x17\xff\xd4\x73\xba\x28\xc3\x60\x59\x1f\x57\x1d\xc6\x0f\x13\x24\xd4\xa3\x4a\xb8\xd9\xd3\xc0\x68\x6c\x13\xa6\x1b\xda\x24\x64\xe1\x63\x54\x23\xeb\xf4\xed\x34\x03\x7b\xab\x62\xfd\x30\xa8\xdd\x0a\x89\xf1\xbc\xbf\xf3\xaf\x4f\x0c\x98\x9d\xdb\x6f\x03\x76\x0a\xe7\x6f\x63\xff\xdc\xbf\xbb\xfe\xe9\xa1\x35\x25\x73\x14\xaa", 78); *(uint8_t*)0x200000015dfe = 9; *(uint8_t*)0x200000015dff = 5; *(uint8_t*)0x200000015e00 = 6; *(uint8_t*)0x200000015e01 = 0; *(uint16_t*)0x200000015e02 = 8; *(uint8_t*)0x200000015e04 = 0x2d; *(uint8_t*)0x200000015e05 = 0x10; *(uint8_t*)0x200000015e06 = 0xba; *(uint8_t*)0x200000015e07 = 9; *(uint8_t*)0x200000015e08 = 5; *(uint8_t*)0x200000015e09 = 0xe; *(uint8_t*)0x200000015e0a = 0; *(uint16_t*)0x200000015e0b = 0x10; *(uint8_t*)0x200000015e0d = 8; *(uint8_t*)0x200000015e0e = 7; *(uint8_t*)0x200000015e0f = 0xac; *(uint8_t*)0x200000015e10 = 9; *(uint8_t*)0x200000015e11 = 5; *(uint8_t*)0x200000015e12 = 0xa; *(uint8_t*)0x200000015e13 = 8; *(uint16_t*)0x200000015e14 = 0x20; *(uint8_t*)0x200000015e16 = 9; *(uint8_t*)0x200000015e17 = 0x7c; *(uint8_t*)0x200000015e18 = 1; *(uint8_t*)0x200000015e19 = 7; *(uint8_t*)0x200000015e1a = 0x25; *(uint8_t*)0x200000015e1b = 1; *(uint8_t*)0x200000015e1c = 8; *(uint8_t*)0x200000015e1d = 9; *(uint16_t*)0x200000015e1e = 4; *(uint8_t*)0x200000015e20 = 9; *(uint8_t*)0x200000015e21 = 5; *(uint8_t*)0x200000015e22 = 0xb; 
*(uint8_t*)0x200000015e23 = 0x10; *(uint16_t*)0x200000015e24 = 0x3ff; *(uint8_t*)0x200000015e26 = 1; *(uint8_t*)0x200000015e27 = 4; *(uint8_t*)0x200000015e28 = 0xbd; *(uint8_t*)0x200000015e29 = 9; *(uint8_t*)0x200000015e2a = 5; *(uint8_t*)0x200000015e2b = 7; *(uint8_t*)0x200000015e2c = 3; *(uint16_t*)0x200000015e2d = 0x20; *(uint8_t*)0x200000015e2f = 6; *(uint8_t*)0x200000015e30 = 0xf; *(uint8_t*)0x200000015e31 = 0xe; *(uint8_t*)0x200000015e32 = 9; *(uint8_t*)0x200000015e33 = 5; *(uint8_t*)0x200000015e34 = 0xd; *(uint8_t*)0x200000015e35 = 0x10; *(uint16_t*)0x200000015e36 = 0x7f7; *(uint8_t*)0x200000015e38 = 4; *(uint8_t*)0x200000015e39 = 0x1c; *(uint8_t*)0x200000015e3a = 1; *(uint8_t*)0x200000015e3b = 9; *(uint8_t*)0x200000015e3c = 5; *(uint8_t*)0x200000015e3d = 0; *(uint8_t*)0x200000015e3e = 0; *(uint16_t*)0x200000015e3f = 0x5f33; *(uint8_t*)0x200000015e41 = 0x40; *(uint8_t*)0x200000015e42 = 6; *(uint8_t*)0x200000015e43 = 0x81; *(uint8_t*)0x200000015e44 = 0x54; *(uint8_t*)0x200000015e45 = 9; memcpy((void*)0x200000015e46, "\x22\xa0\x3d\x11\x7e\xdd\x7f\xf8\x02\xcd\xb5\x09\xb4\x9c\xf0\x7b\x18\x84\xa5\xd0\x6a\x28\x72\xff\xdd\x1f\x6a\x97\x4c\x05\x74\x87\x1d\x68\xb2\xfd\x80\xb9\xdd\xe5\x57\xda\x7e\xec\x4d\x7f\x27\x78\xa5\xc3\xa4\xbb\xef\x51\x9d\x15\x8a\x59\xf1\x52\xfe\x19\xf5\x98\xe4\x33\x60\xf8\xa2\x4a\xa9\x73\xc5\x6f\x46\xc4\xa6\x8a\x27\x3a\x1f\xc4", 82); *(uint8_t*)0x200000015e98 = 9; *(uint8_t*)0x200000015e99 = 5; *(uint8_t*)0x200000015e9a = 0xf; *(uint8_t*)0x200000015e9b = 0x10; *(uint16_t*)0x200000015e9c = 8; *(uint8_t*)0x200000015e9e = 5; *(uint8_t*)0x200000015e9f = 0x38; *(uint8_t*)0x200000015ea0 = 1; *(uint8_t*)0x200000015ea1 = 9; *(uint8_t*)0x200000015ea2 = 5; *(uint8_t*)0x200000015ea3 = 4; *(uint8_t*)0x200000015ea4 = 0x10; *(uint16_t*)0x200000015ea5 = 0x10; *(uint8_t*)0x200000015ea7 = 4; *(uint8_t*)0x200000015ea8 = 2; *(uint8_t*)0x200000015ea9 = 7; *(uint8_t*)0x200000015eaa = 0xda; *(uint8_t*)0x200000015eab = 0x26; memcpy((void*)0x200000015eac, 
"\x32\x16\x2d\x9c\xff\xd7\x54\x8d\xdc\x15\x24\xc6\x65\x1f\xa1\x12\xcb\x83\x99\xeb\x7d\xaa\x74\x6a\xf4\xa3\xf4\x58\x15\x9b\xd8\xa4\x87\xda\xde\x32\x17\xae\x32\x24\x61\x5d\x50\xba\x56\x43\x30\x19\x52\xfd\xd0\x82\xab\x52\xf6\x4e\xb3\x8b\xdd\xcf\x02\xb0\x67\x28\xa3\xbf\x4f\x73\xd3\xb7\x80\xa3\xa5\x80\x4b\xad\x04\xec\xc2\x27\x87\x69\x0f\x67\x25\x76\x74\xf7\x28\xb1\x02\x31\xba\x2d\xb8\x3c\xb4\xeb\x84\x1e\x55\x23\xeb\x43\xf3\x48\x2d\x3e\xc3\x3c\xb8\x18\x7b\x87\xaa\x08\xa2\x1e\x94\xe0\x39\x4a\x1e\xe8\xd8\xf0\xcc\x08\x89\x10\xab\xa4\xdb\xe5\xfe\xef\xc2\x45\x38\x0f\xf1\x44\x3e\x3a\x97\xbd\x4d\x5a\xdd\xd0\x1f\x11\x26\xd4\xb7\x0a\xbc\xbb\xe1\x40\x71\x6a\x1c\x66\xda\xc6\x1f\x66\x51\x4f\xce\xbe\x67\x64\x7b\x43\xbb\xd8\xe8\x48\x33\x3f\xf9\x95\x7e\xba\xac\xe9\xd0\x57\xb6\x27\xa6\x67\xe6\xf5\x1d\xae\xac\x30\x2b\x21\x29\xc2\x6d\x41\x5b\xc9\xa2\xee\x74\x95\xb3\x31\xb7\xda", 216); *(uint8_t*)0x200000015f84 = 7; *(uint8_t*)0x200000015f85 = 0x25; *(uint8_t*)0x200000015f86 = 1; *(uint8_t*)0x200000015f87 = 0; *(uint8_t*)0x200000015f88 = 7; *(uint16_t*)0x200000015f89 = 1; *(uint8_t*)0x200000015f8b = 9; *(uint8_t*)0x200000015f8c = 5; *(uint8_t*)0x200000015f8d = 3; *(uint8_t*)0x200000015f8e = 1; *(uint16_t*)0x200000015f8f = 0x40; *(uint8_t*)0x200000015f91 = 8; *(uint8_t*)0x200000015f92 = 7; *(uint8_t*)0x200000015f93 = 5; *(uint8_t*)0x200000015f94 = 9; *(uint8_t*)0x200000015f95 = 5; *(uint8_t*)0x200000015f96 = 0xb; *(uint8_t*)0x200000015f97 = 0x10; *(uint16_t*)0x200000015f98 = 0x40; *(uint8_t*)0x200000015f9a = 0xfe; *(uint8_t*)0x200000015f9b = 0; *(uint8_t*)0x200000015f9c = 0xd; *(uint8_t*)0x200000015f9d = 0xe1; *(uint8_t*)0x200000015f9e = 0x24; memcpy((void*)0x200000015f9f, 
"\x66\xc9\x68\xf6\x7f\x56\xd0\xab\x89\xd6\x81\x9c\x67\xd1\xd6\xc2\x15\xd2\xf3\xcf\x61\x5b\x37\x02\x8d\xb2\x69\xd9\x36\x08\xcd\xf0\x70\x41\x18\xe0\xdd\xbf\x97\x16\x6c\x27\xaf\xb5\x1a\x13\x2c\xd7\x0f\x0f\xa3\xb7\xad\x5e\xe3\xa4\x41\x02\x7a\x74\x12\x27\x81\xab\x0f\x1c\xe5\xfe\x7b\xd1\x15\x3c\x8f\xfc\xcd\x3e\xf1\x09\x21\x3f\x20\xd2\xba\xfd\x0e\x33\x1a\xbc\x5c\xd1\xfb\x54\x80\x9a\x06\xc8\xfa\x60\xa9\xf0\xfc\x8e\x11\x3f\x31\x8c\x3a\x7f\x7b\xc6\xfa\xbe\x19\x30\x94\xec\x49\x3d\x24\x6c\xbd\x70\x2b\xf0\x19\x79\x6a\x88\x72\xb3\xc4\x02\x34\xd8\xe9\x07\x31\xb2\xdf\xf8\x8a\x1f\x0c\x4f\x17\x86\xa1\x90\xeb\x16\x65\x1e\x3a\xc4\x5e\xdb\x14\xd9\xfb\x89\x86\x44\xbe\xd6\x15\x76\xbd\x7a\x9f\xd9\x0c\x52\x17\x21\x7f\x6b\x9a\xed\x19\xd4\xa2\x2b\xff\x48\x2d\x05\x8e\x60\x3d\x2a\x0c\xdc\x48\xb1\xb2\x71\xb7\x9b\x1e\x25\xd7\xfe\x6b\xb8\x20\x50\x6e\x48\x57\x9a\x78\xaf\x99\xe7\xe9\x42\x9b\xcd\x4b\x07\xbc\x01\x34", 223); *(uint8_t*)0x20000001607e = 0x40; *(uint8_t*)0x20000001607f = 5; memcpy((void*)0x200000016080, "\x8f\x82\xcc\x05\xdf\x67\x73\x41\x41\xe3\x56\xe9\x36\xa6\xe0\xa7\x24\x7a\xc2\x3b\x30\x90\x0c\x5f\xc4\x14\x8a\x14\x99\x0b\x50\x04\x68\x6d\xe6\xca\xce\x04\xad\xe3\x50\xf0\x4a\x3d\x07\x8c\x39\x10\xf7\xdb\xa4\x92\xaf\x85\xda\x64\x94\x32\xe2\x6a\x78\x54", 62); *(uint8_t*)0x2000000160be = 9; *(uint8_t*)0x2000000160bf = 4; *(uint8_t*)0x2000000160c0 = 0x88; *(uint8_t*)0x2000000160c1 = 1; *(uint8_t*)0x2000000160c2 = 8; *(uint8_t*)0x2000000160c3 = 0xeb; *(uint8_t*)0x2000000160c4 = 0x43; *(uint8_t*)0x2000000160c5 = 0x23; *(uint8_t*)0x2000000160c6 = 4; *(uint8_t*)0x2000000160c7 = 9; *(uint8_t*)0x2000000160c8 = 5; *(uint8_t*)0x2000000160c9 = 0xc; *(uint8_t*)0x2000000160ca = 0; *(uint16_t*)0x2000000160cb = 0x40; *(uint8_t*)0x2000000160cd = 8; *(uint8_t*)0x2000000160ce = 8; *(uint8_t*)0x2000000160cf = 5; *(uint8_t*)0x2000000160d0 = 9; *(uint8_t*)0x2000000160d1 = 5; *(uint8_t*)0x2000000160d2 = 0; *(uint8_t*)0x2000000160d3 = 0x10; *(uint16_t*)0x2000000160d4 = 0x20; *(uint8_t*)0x2000000160d6 = 0x9a; 
*(uint8_t*)0x2000000160d7 = 0x5f; *(uint8_t*)0x2000000160d8 = 7; *(uint8_t*)0x2000000160d9 = 7; *(uint8_t*)0x2000000160da = 0x25; *(uint8_t*)0x2000000160db = 1; *(uint8_t*)0x2000000160dc = 0; *(uint8_t*)0x2000000160dd = 0x81; *(uint16_t*)0x2000000160de = 4; *(uint8_t*)0x2000000160e0 = 7; *(uint8_t*)0x2000000160e1 = 0x25; *(uint8_t*)0x2000000160e2 = 1; *(uint8_t*)0x2000000160e3 = 0xc; *(uint8_t*)0x2000000160e4 = 0xf9; *(uint16_t*)0x2000000160e5 = 2; *(uint8_t*)0x2000000160e7 = 9; *(uint8_t*)0x2000000160e8 = 5; *(uint8_t*)0x2000000160e9 = 0xb; *(uint8_t*)0x2000000160ea = 0x10; *(uint16_t*)0x2000000160eb = 0x40; *(uint8_t*)0x2000000160ed = 7; *(uint8_t*)0x2000000160ee = 1; *(uint8_t*)0x2000000160ef = 2; *(uint8_t*)0x2000000160f0 = 7; *(uint8_t*)0x2000000160f1 = 0x25; *(uint8_t*)0x2000000160f2 = 1; *(uint8_t*)0x2000000160f3 = 4; *(uint8_t*)0x2000000160f4 = 6; *(uint16_t*)0x2000000160f5 = 1; *(uint8_t*)0x2000000160f7 = 7; *(uint8_t*)0x2000000160f8 = 0x25; *(uint8_t*)0x2000000160f9 = 1; *(uint8_t*)0x2000000160fa = 0xc; *(uint8_t*)0x2000000160fb = 0xd; *(uint16_t*)0x2000000160fc = 0x103; *(uint8_t*)0x2000000160fe = 9; *(uint8_t*)0x2000000160ff = 5; *(uint8_t*)0x200000016100 = 0xb; *(uint8_t*)0x200000016101 = 0xc; *(uint16_t*)0x200000016102 = 0x3ff; *(uint8_t*)0x200000016104 = 0xa9; *(uint8_t*)0x200000016105 = 1; *(uint8_t*)0x200000016106 = 6; *(uint8_t*)0x200000016107 = 0xfb; *(uint8_t*)0x200000016108 = 0x2c; memcpy((void*)0x200000016109, 
"\xdf\x60\xd2\x33\x06\x38\x67\xe6\x38\xf4\xac\x47\x4e\x68\x5f\xef\x8f\x86\x15\x57\xd0\xa3\x15\x66\xd5\x8b\xde\x1f\x04\xa1\x13\xf6\xcb\x64\xc9\x60\x56\xa8\x16\x85\xa6\xdf\xa2\x97\x8a\x60\xc2\xd9\x4e\x45\x0f\x66\x75\xe3\x8b\x44\xc9\x6b\xfb\xff\x6c\x5f\x37\x46\x60\x93\x46\x49\x74\x83\xdf\xc8\xac\x21\x27\x36\x2c\xdb\xda\xa0\x25\x39\x51\xa1\x82\x27\x21\x83\xf4\x56\xaa\xe2\xbd\x12\xb2\x92\xc6\x09\xe8\xe1\x4b\x4f\x8c\x18\x53\xe0\xd8\x7e\x0c\x31\x79\xc8\xbe\x7b\x07\x30\x72\x1b\xb3\x01\x59\x04\x08\x26\xf0\x93\x51\x0c\xe0\x22\x58\x76\x91\x62\x7b\x23\x6a\x66\x21\x56\x20\x41\x8d\xf3\x34\xd2\x8d\x1d\x14\xf0\xca\x3b\x9f\x4f\xcf\xf0\x6b\xa2\x49\xdd\x19\x50\x81\x98\x50\x3a\x2c\x2c\xd4\xf3\xab\xda\xdb\xd4\xf1\xac\xe4\xe6\x27\xbe\xc9\x72\x99\xa0\x02\x28\xe0\x9c\x06\x4e\x5f\x34\x2e\x00\xd8\xc8\xf2\xd5\xb1\xfb\x56\x48\x5e\x73\x6a\x87\xdc\xfe\x51\x0c\x21\x86\x32\x72\x91\x22\xa4\xeb\x5d\x5b\x5d\x81\xdf\x8b\xe5\x85\x27\x18\x3e\x48\xf7\x60\xb8\x5c\x59\x9f\x88\x13\xf8\x9d\x70\x6a\xf7\xb2\x2f\x77\xd6\x8d\xc1", 249); *(uint8_t*)0x200000016202 = 0x6b; *(uint8_t*)0x200000016203 = 4; memcpy((void*)0x200000016204, "\x07\xec\xe0\x65\x86\xe0\x15\x05\xf1\x26\xe0\xdb\x2e\xd1\xac\x18\xb5\x75\x49\xf0\x80\xd7\x41\xf3\x8b\x0c\xce\xc6\xba\x03\x4d\x09\x64\x29\x40\x56\x19\xd0\x1a\xf4\x35\xc8\x09\x2b\xe0\xe9\xc4\xa9\x3c\x1b\x64\x7e\x7c\x7f\x14\xf0\x5e\xff\xf3\x05\xd2\xb8\x5d\x51\xfe\xdf\xf7\x50\xb8\x7e\x59\x90\xd0\x28\xfd\x33\x86\x45\x02\x9b\xd9\xed\x95\xe0\x03\x05\xac\xce\x8b\x89\x9a\x78\x6d\xbf\x30\x89\x5b\xe0\x31\x48\xa7\xa1\xe3\xbf\x25", 105); *(uint8_t*)0x20000001626d = 9; *(uint8_t*)0x20000001626e = 5; *(uint8_t*)0x20000001626f = 6; *(uint8_t*)0x200000016270 = 8; *(uint16_t*)0x200000016271 = 0x400; *(uint8_t*)0x200000016273 = 3; *(uint8_t*)0x200000016274 = 5; *(uint8_t*)0x200000016275 = -1; *(uint8_t*)0x200000016276 = 9; *(uint8_t*)0x200000016277 = 5; *(uint8_t*)0x200000016278 = 0xa; *(uint8_t*)0x200000016279 = 0x10; *(uint16_t*)0x20000001627a = 0x200; *(uint8_t*)0x20000001627c = 6; 
*(uint8_t*)0x20000001627d = 0x14; *(uint8_t*)0x20000001627e = 6; *(uint8_t*)0x20000001627f = 7; *(uint8_t*)0x200000016280 = 0x25; *(uint8_t*)0x200000016281 = 1; *(uint8_t*)0x200000016282 = 0xc; *(uint8_t*)0x200000016283 = 9; *(uint16_t*)0x200000016284 = 4; *(uint8_t*)0x200000016286 = 9; *(uint8_t*)0x200000016287 = 5; *(uint8_t*)0x200000016288 = 5; *(uint8_t*)0x200000016289 = 8; *(uint16_t*)0x20000001628a = 0x210; *(uint8_t*)0x20000001628c = 0xe8; *(uint8_t*)0x20000001628d = 5; *(uint8_t*)0x20000001628e = 3; *(uint8_t*)0x20000001628f = 9; *(uint8_t*)0x200000016290 = 5; *(uint8_t*)0x200000016291 = 0xa; *(uint8_t*)0x200000016292 = 8; *(uint16_t*)0x200000016293 = 0x10; *(uint8_t*)0x200000016295 = 0x64; *(uint8_t*)0x200000016296 = 8; *(uint8_t*)0x200000016297 = 0xe; *(uint8_t*)0x200000016298 = 7; *(uint8_t*)0x200000016299 = 0x25; *(uint8_t*)0x20000001629a = 1; *(uint8_t*)0x20000001629b = 4; *(uint8_t*)0x20000001629c = 5; *(uint16_t*)0x20000001629d = 2; *(uint32_t*)0x200000016780 = 0xa; *(uint64_t*)0x200000016784 = 0x2000000162c0; *(uint8_t*)0x2000000162c0 = 0xa; *(uint8_t*)0x2000000162c1 = 6; *(uint16_t*)0x2000000162c2 = 0x201; *(uint8_t*)0x2000000162c4 = 3; *(uint8_t*)0x2000000162c5 = 8; *(uint8_t*)0x2000000162c6 = -1; *(uint8_t*)0x2000000162c7 = 0x20; *(uint8_t*)0x2000000162c8 = 0x10; *(uint8_t*)0x2000000162c9 = 0; *(uint32_t*)0x20000001678c = 0x28; *(uint64_t*)0x200000016790 = 0x200000016300; *(uint8_t*)0x200000016300 = 5; *(uint8_t*)0x200000016301 = 0xf; *(uint16_t*)0x200000016302 = 0x28; *(uint8_t*)0x200000016304 = 4; *(uint8_t*)0x200000016305 = 0xb; *(uint8_t*)0x200000016306 = 0x10; *(uint8_t*)0x200000016307 = 1; *(uint8_t*)0x200000016308 = 0xc; *(uint16_t*)0x200000016309 = 1; *(uint8_t*)0x20000001630b = 7; *(uint8_t*)0x20000001630c = 7; *(uint16_t*)0x20000001630d = 6; *(uint8_t*)0x20000001630f = -1; *(uint8_t*)0x200000016310 = 3; *(uint8_t*)0x200000016311 = 0x10; *(uint8_t*)0x200000016312 = 0xb; *(uint8_t*)0x200000016313 = 0xb; *(uint8_t*)0x200000016314 = 0x10; 
*(uint8_t*)0x200000016315 = 1; *(uint8_t*)0x200000016316 = 2; *(uint16_t*)0x200000016317 = 0x61; *(uint8_t*)0x200000016319 = -1; *(uint8_t*)0x20000001631a = 0xf; *(uint16_t*)0x20000001631b = 6; *(uint8_t*)0x20000001631d = 5; *(uint8_t*)0x20000001631e = 0xa; *(uint8_t*)0x20000001631f = 0x10; *(uint8_t*)0x200000016320 = 3; *(uint8_t*)0x200000016321 = 2; *(uint16_t*)0x200000016322 = 1; *(uint8_t*)0x200000016324 = 3; *(uint8_t*)0x200000016325 = 0xb; *(uint16_t*)0x200000016326 = 0x100; *(uint32_t*)0x200000016798 = 7; *(uint32_t*)0x20000001679c = 4; *(uint64_t*)0x2000000167a0 = 0x200000016340; *(uint8_t*)0x200000016340 = 4; *(uint8_t*)0x200000016341 = 3; *(uint16_t*)0x200000016342 = 0x457; *(uint32_t*)0x2000000167a8 = 0xff; *(uint64_t*)0x2000000167ac = 0x200000016380; *(uint8_t*)0x200000016380 = -1; *(uint8_t*)0x200000016381 = 3; memcpy((void*)0x200000016382, "\x85\xa7\x64\xd8\x29\x53\x29\x17\xb6\x64\x7a\x68\xa2\x49\xb2\x52\xf0\x1a\x99\xf8\x87\x67\xa2\xe9\xf1\x3a\xee\xfa\xb3\x9c\xf6\xa4\x05\x49\x7e\x32\x44\x29\x4b\x1b\xd4\x85\xc0\xec\x99\x33\x86\x40\xa5\x08\xfa\xbb\xf1\x1e\x0f\xd6\xa0\x3b\xcc\x9c\xeb\xaf\x83\x03\x7a\xa7\x73\x97\xcb\xdf\x09\x11\xc8\xdf\xb8\x42\xf6\x2f\x94\x76\x6a\xa4\x45\x92\x57\x73\xc4\xf7\xc6\x70\x1b\xe8\xa0\x56\x73\xaf\xe9\x5c\xf1\x9c\x27\x9a\xc6\x2f\xd2\x72\x0e\xd2\xda\xe6\x89\x37\x1c\x51\x51\xbf\x6b\x9e\x77\x27\xf8\xf4\x97\x09\x1c\x3a\xaa\x90\x2f\x81\xe4\x4c\x51\x73\xac\xf2\x21\x52\xfc\xbc\x4d\x72\xa7\x5e\x9a\xb4\xba\xdc\x67\x88\xb2\xfd\xbb\x7e\x34\xb2\x02\xe0\xe7\x1f\xeb\x1c\xc9\xb1\xca\x79\x1e\x92\x37\x4c\xfc\x63\xcc\x7d\xb5\x64\x85\x91\x77\x8b\xfc\x19\x48\xf9\xda\xd9\xb7\xfe\x74\xa5\x88\xdd\xc9\xad\x49\x99\x93\x06\x26\x66\xb3\xe0\xdf\x0a\xca\xa6\x78\x02\xad\x37\xa8\x6f\xcb\x41\x1a\x22\x30\xbd\xd4\x3f\xe8\x61\x0f\x29\xc1\x51\x79\xbf\x42\x9f\x81\x87\x6e\xe9\x0b\x7d\x35\xa2\x26\x3f\x91\xeb\x8d\x3c\x7c\x87\xc4\x66\x00\xb4\x52\x82\xee", 253); *(uint32_t*)0x2000000167b4 = 4; *(uint64_t*)0x2000000167b8 = 0x200000016480; *(uint8_t*)0x200000016480 = 4; 
*(uint8_t*)0x200000016481 = 3; *(uint16_t*)0x200000016482 = 0x8406; *(uint32_t*)0x2000000167c0 = 0x49; *(uint64_t*)0x2000000167c4 = 0x2000000164c0; *(uint8_t*)0x2000000164c0 = 0x49; *(uint8_t*)0x2000000164c1 = 3; memcpy((void*)0x2000000164c2, "\xcb\x9d\x5f\x1c\x5f\xbc\x94\x74\xd5\x9f\xfa\x54\xa9\x2b\xa7\xaf\xf9\x7b\x2f\x65\xab\xf4\x8a\xad\x8e\x2b\x09\xb6\x0a\x5d\xc2\x74\x4b\x25\x0f\xe7\x52\x90\x97\xbf\xbb\x2b\xcf\x99\xd0\x54\x8a\x03\x4f\xb7\xae\xca\xf8\xdd\x80\x84\x95\xbe\x13\x2e\x1b\x8c\x84\xab\xe5\x33\x75\xdc\xf5\x40\xd5", 71); *(uint32_t*)0x2000000167cc = 4; *(uint64_t*)0x2000000167d0 = 0x200000016540; *(uint8_t*)0x200000016540 = 4; *(uint8_t*)0x200000016541 = 3; *(uint16_t*)0x200000016542 = 0x407; *(uint32_t*)0x2000000167d8 = 0x102; *(uint64_t*)0x2000000167dc = 0x200000016580; *(uint8_t*)0x200000016580 = 2; *(uint8_t*)0x200000016581 = 3; memcpy((void*)0x200000016582, "\x04\xdd\xeb\x57\xb5\x07\x2b\x0d\xc9\xdc\x62\x4c\xf2\x79\x2d\xaa\xc5\x35\xb0\x25\x70\xdb\xb7\x01\xe1\xdb\x0e\x6c\x25\xd6\x80\xf0\x7b\x51\x7f\x65\x82\x12\x5b\xaa\x7a\x78\x49\xeb\x0b\x11\x13\x0e\x00\x24\xef\xe8\xa1\xc9\x51\x36\x3b\xf4\x7a\x68\xfb\x5b\xd9\xac\xf1\x85\xae\xa1\x62\x73\x81\xf5\x03\x43\xcb\x4b\xb8\xd7\x17\x51\x31\xf2\xae\x52\xa8\x42\xdb\x75\x39\x04\xd3\x05\x1a\x0a\xb0\x82\x60\x85\x60\xe8\xac\x66\xb8\x7d\xdd\xbb\x9f\xa3\x51\x4a\x31\xe5\x59\x51\x70\xe3\xd2\x1c\x01\x8b\x37\x85\x59\x92\xa2\xa4\xb3\x48\xde\x99\x46\x9b\x63\xf5\x43\x8e\x24\x0e\x23\xcf\xe0\xa2\x6d\x30\xa9\x1d\x95\x36\x91\xd7\x41\xb9\xd5\xd8\x5d\xab\x27\xd4\x0d\xa7\x1f\xc9\xd8\x67\x7b\x0d\xc3\xe1\xd6\x06\x0d\x0d\x98\xa7\x13\x00\xd3\x74\xe7\xbd\x55\x0f\x6a\x57\xb6\xfc\xd4\x44\x31\x3f\x37\x36\x7f\x5b\x55\xc2\x0f\x1a\x2d\x44\x86\x1e\x8a\x1a\x36\xbc\xdc\x76\x9f\xfc\x14\x6b\xb7\x1a\xb5\x84\x6d\xcb\x82\x31\x24\x7f\x16\x36\x48\x3d\xab\xb7\x10\xd0\x74\xfd\x2b\x80\x18\xd4\xc3\x56\xd1\x82\x5b\xb1\x7b\xf9\x63\x27\xe9\x6e\xe8\x67\x58\x32\x43\xe8\x25\x4e", 256); *(uint32_t*)0x2000000167e4 = 0x9e; *(uint64_t*)0x2000000167e8 = 0x2000000166c0; 
*(uint8_t*)0x2000000166c0 = 0x9e; *(uint8_t*)0x2000000166c1 = 3; memcpy((void*)0x2000000166c2, "\xef\x2a\x4e\x82\x9a\x0f\x6c\xdb\x32\xa4\x49\xbb\xa1\xd4\x8f\x5d\xfe\x86\x5e\x51\xf2\x28\x7e\x21\x77\x39\x1a\x43\xf9\xbb\xf1\xca\x78\xd5\x73\xf2\x00\xea\xe4\x0c\x60\xa2\x1d\xdc\x2a\xd4\x82\xdf\x2a\x85\xf2\x75\x59\x81\x5b\xb4\xeb\xca\x56\x05\x30\xb8\x65\x53\x45\x0e\xe3\x8e\xae\xb8\x71\x2f\x6b\x77\xc1\x4d\x47\xf8\x5d\x8b\xbf\x64\x1e\x1d\x9e\x09\xfa\x1e\x2b\xe5\xe9\x2c\x18\x7c\xe5\x6e\xf9\x94\x9a\xe1\xd8\x7c\xfb\xfe\x0e\xa1\xba\x9f\x9b\x2f\xf0\x18\x2d\x4b\x05\xce\x50\x68\x91\xc5\xa3\x47\xee\x33\xcc\xf9\xce\x7d\x86\xd7\xdd\xf2\xbf\x38\x57\x4d\x21\xd9\x65\x4b\xbe\x80\x65\x86\x80\xbe\xf5\x58\x9e\x2d\xb6\x07\x2d\x9f\xd0\xfd", 156); res = -1; res = syz_usb_connect(/*speed=USB_SPEED_LOW*/1, /*dev_len=*/0xd9f, /*dev=*/0x200000015500, /*conn_descs=*/0x200000016780); if (res != -1) r[27] = res; break; case 51: *(uint8_t*)0x200000016800 = 0x12; *(uint8_t*)0x200000016801 = 1; *(uint16_t*)0x200000016802 = 0x200; *(uint8_t*)0x200000016804 = -1; *(uint8_t*)0x200000016805 = -1; *(uint8_t*)0x200000016806 = -1; *(uint8_t*)0x200000016807 = 0x40; *(uint16_t*)0x200000016808 = 0xcf3; *(uint16_t*)0x20000001680a = 0x9271; *(uint16_t*)0x20000001680c = 0x108; *(uint8_t*)0x20000001680e = 1; *(uint8_t*)0x20000001680f = 2; *(uint8_t*)0x200000016810 = 3; *(uint8_t*)0x200000016811 = 1; *(uint8_t*)0x200000016812 = 9; *(uint8_t*)0x200000016813 = 2; *(uint16_t*)0x200000016814 = 0x48; *(uint8_t*)0x200000016816 = 1; *(uint8_t*)0x200000016817 = 1; *(uint8_t*)0x200000016818 = 0; *(uint8_t*)0x200000016819 = 0x80; *(uint8_t*)0x20000001681a = 0xfa; *(uint8_t*)0x20000001681b = 9; *(uint8_t*)0x20000001681c = 4; *(uint8_t*)0x20000001681d = 0; *(uint8_t*)0x20000001681e = 0; *(uint8_t*)0x20000001681f = 6; *(uint8_t*)0x200000016820 = -1; *(uint8_t*)0x200000016821 = 0; *(uint8_t*)0x200000016822 = 0; *(uint8_t*)0x200000016823 = 0; *(uint8_t*)0x200000016824 = 9; *(uint8_t*)0x200000016825 = 5; *(uint8_t*)0x200000016826 = 
1; *(uint8_t*)0x200000016827 = 2; *(uint16_t*)0x200000016828 = 0x200; *(uint8_t*)0x20000001682a = 0; *(uint8_t*)0x20000001682b = 0; *(uint8_t*)0x20000001682c = 0; *(uint8_t*)0x20000001682d = 9; *(uint8_t*)0x20000001682e = 5; *(uint8_t*)0x20000001682f = 0x82; *(uint8_t*)0x200000016830 = 2; *(uint16_t*)0x200000016831 = 0x200; *(uint8_t*)0x200000016833 = 0; *(uint8_t*)0x200000016834 = 0; *(uint8_t*)0x200000016835 = 0; *(uint8_t*)0x200000016836 = 9; *(uint8_t*)0x200000016837 = 5; *(uint8_t*)0x200000016838 = 0x83; *(uint8_t*)0x200000016839 = 3; *(uint16_t*)0x20000001683a = 0x40; *(uint8_t*)0x20000001683c = 1; *(uint8_t*)0x20000001683d = 0; *(uint8_t*)0x20000001683e = 0; *(uint8_t*)0x20000001683f = 9; *(uint8_t*)0x200000016840 = 5; *(uint8_t*)0x200000016841 = 4; *(uint8_t*)0x200000016842 = 3; *(uint16_t*)0x200000016843 = 0x40; *(uint8_t*)0x200000016845 = 1; *(uint8_t*)0x200000016846 = 0; *(uint8_t*)0x200000016847 = 0; *(uint8_t*)0x200000016848 = 9; *(uint8_t*)0x200000016849 = 5; *(uint8_t*)0x20000001684a = 5; *(uint8_t*)0x20000001684b = 2; *(uint16_t*)0x20000001684c = 0x200; *(uint8_t*)0x20000001684e = 0; *(uint8_t*)0x20000001684f = 0; *(uint8_t*)0x200000016850 = 0; *(uint8_t*)0x200000016851 = 9; *(uint8_t*)0x200000016852 = 5; *(uint8_t*)0x200000016853 = 6; *(uint8_t*)0x200000016854 = 2; *(uint16_t*)0x200000016855 = 0x200; *(uint8_t*)0x200000016857 = 0; *(uint8_t*)0x200000016858 = 0; *(uint8_t*)0x200000016859 = 0; res = -1; res = syz_usb_connect_ath9k(/*speed=*/3, /*dev_len=*/0x5a, /*dev=*/0x200000016800, /*conn_descs=*/0); if (res != -1) r[28] = res; break; case 52: *(uint32_t*)0x200000016b40 = 0x2c; *(uint64_t*)0x200000016b44 = 0x200000016880; *(uint8_t*)0x200000016880 = 0x20; *(uint8_t*)0x200000016881 = 0xb; *(uint32_t*)0x200000016882 = 0xc8; *(uint8_t*)0x200000016886 = 0xc8; *(uint8_t*)0x200000016887 = 0x21; memcpy((void*)0x200000016888, 
"\x01\xf4\x8f\xe8\x31\xd8\xd1\x99\x24\x72\x17\x3e\xa8\x19\xa3\xa2\xad\xe9\x61\x21\x34\x13\x54\xe8\x5c\xa1\x98\xec\x1f\xcf\x85\x90\xc9\x39\xf7\x27\xaa\x0e\x85\x85\x6b\x35\x7c\x23\xbc\x06\x8f\x24\xa2\x2c\xc6\xb7\x1b\xd4\xad\xd3\xae\x66\x95\x5e\x3c\xeb\x2a\x8f\x15\x5c\x4f\xea\xf3\x6d\x9c\x48\x02\x96\x8a\x53\xb0\x86\xa4\xa5\x0d\xc3\x54\x75\xe7\x5c\x18\x51\xe7\xd4\x08\x54\x07\x74\xe8\x98\x21\x91\xe5\x06\x06\x99\x1f\x3f\x33\xfa\x70\x8e\xf6\xa9\x40\x41\x51\x10\x98\xb0\x26\x7e\x73\x7b\x9f\x39\x9f\xad\x65\xb7\xcc\x2e\xfa\x80\xea\xfc\x73\x4b\xd5\xab\x1f\xdc\x3d\xec\xc0\x26\xfa\x76\x75\xef\x45\xa1\xd1\x7f\xfe\x1c\x0b\x1e\x00\xb1\x02\x73\xd7\xc5\x7d\x18\x3c\x74\xa3\xd9\xb1\x47\x13\x22\xb5\x9a\x98\xce\xbd\x12\xd1\x6c\x28\x34\xb2\x26\xce\xca\xea\xf9\x60\xe3\xd9\x07\x76\xc2\x39\x23\xea\xe6\x8d\x1e", 198); *(uint64_t*)0x200000016b4c = 0x200000016980; *(uint8_t*)0x200000016980 = 0; *(uint8_t*)0x200000016981 = 3; *(uint32_t*)0x200000016982 = 4; *(uint8_t*)0x200000016986 = 4; *(uint8_t*)0x200000016987 = 3; *(uint16_t*)0x200000016988 = 0x280a; *(uint64_t*)0x200000016b54 = 0x2000000169c0; *(uint8_t*)0x2000000169c0 = 0; *(uint8_t*)0x2000000169c1 = 0xf; *(uint32_t*)0x2000000169c2 = 0xc8; *(uint8_t*)0x2000000169c6 = 5; *(uint8_t*)0x2000000169c7 = 0xf; *(uint16_t*)0x2000000169c8 = 0xc8; *(uint8_t*)0x2000000169ca = 5; *(uint8_t*)0x2000000169cb = 0x14; *(uint8_t*)0x2000000169cc = 0x10; *(uint8_t*)0x2000000169cd = 0xa; *(uint8_t*)0x2000000169ce = 3; STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 2, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169cf, 9, 5, 27); *(uint16_t*)0x2000000169d3 = 0xf; *(uint16_t*)0x2000000169d5 = 0; *(uint32_t*)0x2000000169d7 = 0xc0cf; *(uint32_t*)0x2000000169db = 0xf; *(uint8_t*)0x2000000169df = 0x10; *(uint8_t*)0x2000000169e0 = 0x10; *(uint8_t*)0x2000000169e1 = 0xa; *(uint8_t*)0x2000000169e2 = 4; STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 1, 0, 5); STORE_BY_BITMASK(uint32_t, , 0x2000000169e3, 0x30ec, 5, 27); *(uint16_t*)0x2000000169e7 = 0xf0f; 
*(uint16_t*)0x2000000169e9 = 0x82; *(uint32_t*)0x2000000169eb = 0xc00f; *(uint8_t*)0x2000000169ef = 7; *(uint8_t*)0x2000000169f0 = 0x10; *(uint8_t*)0x2000000169f1 = 2; STORE_BY_BITMASK(uint32_t, , 0x2000000169f2, 0, 0, 8); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 0xb, 0, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f3, 8, 4, 4); STORE_BY_BITMASK(uint32_t, , 0x2000000169f4, 0xf, 0, 16); *(uint8_t*)0x2000000169f6 = 0x8d; *(uint8_t*)0x2000000169f7 = 0x10; *(uint8_t*)0x2000000169f8 = 0xa; memcpy((void*)0x2000000169f9, "\x42\x2d\x46\xfc\x73\xf8\x4b\x4d\xd0\xc3\xd2\x4d\x79\xf2\x70\x97\x5a\x97\x8d\x73\x6a\x0a\xa3\xe5\x86\xae\x4e\x9a\x23\x24\x83\xcf\x25\x26\x97\x18\xcb\xb9\xdf\x73\x03\x62\xce\x6b\x7c\xf0\xe3\xd1\x00\x79\xc3\x28\xee\x2b\xe8\xf5\xff\xc2\x42\xa0\x7e\x20\xf7\xc3\xdb\x60\x7c\x73\xe2\xca\xc8\x2f\x1c\x73\xc8\xfc\xac\xeb\x15\x1e\x20\x22\xfe\x0c\x73\xad\x66\x19\xa4\xda\xce\x08\x65\x96\x99\xed\x76\x60\xd4\x52\x02\x74\x9c\xda\x47\xdf\xa1\xe0\xdb\x87\x66\x4d\x1e\xff\x73\xf0\x60\x6d\x30\xb7\x78\xcb\x88\x08\xdf\xa6\xb2\x4c\xc1\x8a\xdd\x57\x9f\x29\xe8\x1b\x12\xe3", 138); *(uint8_t*)0x200000016a83 = 0xb; *(uint8_t*)0x200000016a84 = 0x10; *(uint8_t*)0x200000016a85 = 1; *(uint8_t*)0x200000016a86 = 2; *(uint16_t*)0x200000016a87 = 0x48; *(uint8_t*)0x200000016a89 = 6; *(uint8_t*)0x200000016a8a = 0xf2; *(uint16_t*)0x200000016a8b = 0; *(uint8_t*)0x200000016a8d = 2; *(uint64_t*)0x200000016b5c = 0x200000016ac0; *(uint8_t*)0x200000016ac0 = 0x20; *(uint8_t*)0x200000016ac1 = 0x29; *(uint32_t*)0x200000016ac2 = 0xf; *(uint8_t*)0x200000016ac6 = 0xf; *(uint8_t*)0x200000016ac7 = 0x29; *(uint8_t*)0x200000016ac8 = 1; *(uint16_t*)0x200000016ac9 = 3; *(uint8_t*)0x200000016acb = 0xf6; *(uint8_t*)0x200000016acc = 5; memcpy((void*)0x200000016acd, "\xd7\xdb\x75\x8c", 4); memcpy((void*)0x200000016ad1, "\xcb\x02\x4e\x33", 4); *(uint64_t*)0x200000016b64 = 0x200000016b00; *(uint8_t*)0x200000016b00 = 0x20; *(uint8_t*)0x200000016b01 = 0x2a; *(uint32_t*)0x200000016b02 = 0xc; 
*(uint8_t*)0x200000016b06 = 0xc; *(uint8_t*)0x200000016b07 = 0x2a; *(uint8_t*)0x200000016b08 = 2; *(uint16_t*)0x200000016b09 = 2; *(uint8_t*)0x200000016b0b = 0x80; *(uint8_t*)0x200000016b0c = 5; *(uint8_t*)0x200000016b0d = 7; *(uint16_t*)0x200000016b0e = 7; *(uint16_t*)0x200000016b10 = 0xff24; *(uint32_t*)0x200000016f40 = 0x84; *(uint64_t*)0x200000016f44 = 0x200000016b80; *(uint8_t*)0x200000016b80 = 0x20; *(uint8_t*)0x200000016b81 = 0x13; *(uint32_t*)0x200000016b82 = 0x2a; memcpy((void*)0x200000016b86, "\xb3\x64\x4b\x33\xa4\x96\xf2\x18\x7a\x58\x63\xe6\x4c\x40\x7c\xec\xd2\xd6\xd1\x3a\xe2\x3e\xcf\x1c\x3c\x53\xf7\x8f\xf2\x17\xcf\xf0\x21\xe4\x71\x8c\xea\x7f\xbe\x4c\x3b\xa3", 42); *(uint64_t*)0x200000016f4c = 0xffffffff81000000; *(uint64_t*)0x200000016f54 = 0x200000016bc0; *(uint8_t*)0x200000016bc0 = 0; *(uint8_t*)0x200000016bc1 = 8; *(uint32_t*)0x200000016bc2 = 1; *(uint8_t*)0x200000016bc6 = 6; *(uint64_t*)0x200000016f5c = 0x200000016c00; *(uint8_t*)0x200000016c00 = 0x20; *(uint8_t*)0x200000016c01 = 0; *(uint32_t*)0x200000016c02 = 4; *(uint16_t*)0x200000016c06 = 2; *(uint16_t*)0x200000016c08 = 1; *(uint64_t*)0x200000016f64 = 0x200000016c40; *(uint8_t*)0x200000016c40 = 0x20; *(uint8_t*)0x200000016c41 = 0; *(uint32_t*)0x200000016c42 = 4; *(uint16_t*)0x200000016c46 = 0x40; *(uint16_t*)0x200000016c48 = 0x20; *(uint64_t*)0x200000016f6c = 0x200000016c80; *(uint8_t*)0x200000016c80 = 0x40; *(uint8_t*)0x200000016c81 = 7; *(uint32_t*)0x200000016c82 = 2; *(uint16_t*)0x200000016c86 = 2; *(uint64_t*)0x200000016f74 = 0x200000016cc0; *(uint8_t*)0x200000016cc0 = 0x40; *(uint8_t*)0x200000016cc1 = 9; *(uint32_t*)0x200000016cc2 = 1; *(uint8_t*)0x200000016cc6 = 3; *(uint64_t*)0x200000016f7c = 0x200000016d00; *(uint8_t*)0x200000016d00 = 0x40; *(uint8_t*)0x200000016d01 = 0xb; *(uint32_t*)0x200000016d02 = 2; memcpy((void*)0x200000016d06, "{*", 2); *(uint64_t*)0x200000016f84 = 0x200000016d40; *(uint8_t*)0x200000016d40 = 0x40; *(uint8_t*)0x200000016d41 = 0xf; *(uint32_t*)0x200000016d42 = 2; 
*(uint16_t*)0x200000016d46 = 9; *(uint64_t*)0x200000016f8c = 0x200000016d80; *(uint8_t*)0x200000016d80 = 0x40; *(uint8_t*)0x200000016d81 = 0x13; *(uint32_t*)0x200000016d82 = 6; *(uint8_t*)0x200000016d86 = 1; *(uint8_t*)0x200000016d87 = 0x80; *(uint8_t*)0x200000016d88 = 0xc2; *(uint8_t*)0x200000016d89 = 0; *(uint8_t*)0x200000016d8a = 0; *(uint8_t*)0x200000016d8b = 2; *(uint64_t*)0x200000016f94 = 0x200000016dc0; *(uint8_t*)0x200000016dc0 = 0x40; *(uint8_t*)0x200000016dc1 = 0x17; *(uint32_t*)0x200000016dc2 = 6; *(uint8_t*)0x200000016dc6 = 1; *(uint8_t*)0x200000016dc7 = 0x80; *(uint8_t*)0x200000016dc8 = 0xc2; *(uint8_t*)0x200000016dc9 = 0; *(uint8_t*)0x200000016dca = 0; *(uint8_t*)0x200000016dcb = 0xe; *(uint64_t*)0x200000016f9c = 0x200000016e00; *(uint8_t*)0x200000016e00 = 0x40; *(uint8_t*)0x200000016e01 = 0x19; *(uint32_t*)0x200000016e02 = 2; memcpy((void*)0x200000016e06, "\x1a\xc5", 2); *(uint64_t*)0x200000016fa4 = 0x200000016e40; *(uint8_t*)0x200000016e40 = 0x40; *(uint8_t*)0x200000016e41 = 0x1a; *(uint32_t*)0x200000016e42 = 2; *(uint16_t*)0x200000016e46 = 0x100; *(uint64_t*)0x200000016fac = 0x200000016e80; *(uint8_t*)0x200000016e80 = 0x40; *(uint8_t*)0x200000016e81 = 0x1c; *(uint32_t*)0x200000016e82 = 1; *(uint8_t*)0x200000016e86 = 7; *(uint64_t*)0x200000016fb4 = 0x200000016ec0; *(uint8_t*)0x200000016ec0 = 0x40; *(uint8_t*)0x200000016ec1 = 0x1e; *(uint32_t*)0x200000016ec2 = 1; *(uint8_t*)0x200000016ec6 = 0xc8; *(uint64_t*)0x200000016fbc = 0x200000016f00; *(uint8_t*)0x200000016f00 = 0x40; *(uint8_t*)0x200000016f01 = 0x21; *(uint32_t*)0x200000016f02 = 1; *(uint8_t*)0x200000016f06 = 0x4f; syz_usb_control_io(/*fd=*/r[28], /*descs=*/0x200000016b40, /*resps=*/0x200000016f40); break; case 53: syz_usb_disconnect(/*fd=*/r[27]); break; case 54: syz_usb_ep_read(/*fd=*/r[27], /*ep=*/0, /*len=*/4, /*data=*/0x200000017000); break; case 55: memcpy((void*)0x200000017040, 
"\xdd\x9c\x62\x25\x17\x5b\x3c\x37\xdc\x19\x63\xb4\xd0\xf4\x63\xd6\xe3\x82\xd9\x56\xed\xab\xd1\x31\xd4\x19\xff\x0b\x34\x34\x94\xa2\xc3\xc8\xbd\x5e\x32\x1a\x50\x6b\x68\xc9\x62\x1a\xb5\x44\xdc\x8b\xd1\x7c\x2f\x62\xf3\xc5\x6c\xae\xcb\x39\x08\xa6\x43\x0e\x4d\x9e\xaf\xd0\x2c\xa1\x3d\xfd\xcc\x2d\x07\xc5\x31\x31\x38\x62\xad\x42\x71\xec\xb0\x7f\x10\x14\x3f\x48\xff\x7e\x73\x8a\x4a\x77\x62\x3d\x0d\x4b\x89\x21\x08\x4f\x7c\x7a\x91\x14\x22\x06\x24\xe8\xf1\x22\x87\xc7\x36\x9f\x8b\x91\x93\xde\x6e\x3a\x67\xff\x4b\xf7\x59\x6f\xd6\xc1\x07\xe4\x77\xfc\x1d\xf6\x7c\x16\xfe\xc9\x51\xa2\x12\xd9\x60\xcd\x48\xe3\xa1\x75\x8e\x8e\xc8\xe7", 154); syz_usb_ep_write(/*fd=*/r[28], /*ep=*/4, /*len=*/0x9a, /*data=*/0x200000017040); break; case 56: syz_usbip_server_init(/*speed=USB_SPEED_HIGH*/3); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_fault())) printf("the reproducer may not work as expected: fault injection setup failed: %s\n", reason); if ((reason = setup_swap())) printf("the reproducer may not work as expected: swap setup failed: %s\n", reason); use_temporary_dir(); do_sandbox_none(); return 0; } : In function 'execute_call': :6178:17: error: '__NR_socketcall' undeclared (first use in this function) :6178:17: note: each undeclared identifier is reported only once for each function it appears in At top level: cc1: note: unrecognized command-line option '-Wno-unused-command-line-argument' may have been intended to silence 
earlier diagnostics compiler invocation: x86_64-linux-gnu-gcc [-o /tmp/syz-executor323323090 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie] --- FAIL: TestGenerate/linux/amd64/0 (1.55s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/11 (1.32s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/18 (1.62s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/5 (1.61s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/17 (1.64s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/3 (1.65s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/23 (1.24s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/2 (0.97s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/26 (1.70s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/4 (1.40s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/7 (1.56s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/19 (1.74s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/9 (0.89s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/22 (1.78s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/32 (1.79s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/16 (1.14s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/8 (1.83s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/1 (1.83s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/20 (1.40s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/24 (1.50s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/10 (1.04s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/15 (1.31s) csource_test.go:155: --- FAIL: TestGenerate/linux/amd64/14 (0.99s) csource_test.go:155: FAIL FAIL github.com/google/syzkaller/pkg/csource 53.896s ok 
github.com/google/syzkaller/pkg/db (cached) ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/declextract [no test files] ok github.com/google/syzkaller/pkg/email (cached) ok github.com/google/syzkaller/pkg/email/lore (cached) ok github.com/google/syzkaller/pkg/flatrpc (cached) ok github.com/google/syzkaller/pkg/fuzzer 26.416s ok github.com/google/syzkaller/pkg/fuzzer/queue (cached) ok github.com/google/syzkaller/pkg/gce (cached) ? github.com/google/syzkaller/pkg/gcpsecret [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/gcs/mocks [no test files] ok github.com/google/syzkaller/pkg/gerrit (cached) ok github.com/google/syzkaller/pkg/hash (cached) ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/html/pages (cached) ok github.com/google/syzkaller/pkg/html/urlutil (cached) ? github.com/google/syzkaller/pkg/ifaceprobe [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ok github.com/google/syzkaller/pkg/ifuzz/arm64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/arm64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/arm64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ok github.com/google/syzkaller/pkg/ifuzz/riscv64 (cached) ? github.com/google/syzkaller/pkg/ifuzz/riscv64/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/riscv64/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ok github.com/google/syzkaller/pkg/image 8.759s ok github.com/google/syzkaller/pkg/instance 4.228s ? 
github.com/google/syzkaller/pkg/kcidb [no test files] ok github.com/google/syzkaller/pkg/kconfig (cached) ? github.com/google/syzkaller/pkg/kcov [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/kfuzztest (cached) ? github.com/google/syzkaller/pkg/kfuzztest-executor [no test files] ? github.com/google/syzkaller/pkg/kfuzztest-manager [no test files] ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/manager 4.984s ok github.com/google/syzkaller/pkg/manager/diff 5.013s ok github.com/google/syzkaller/pkg/mgrconfig 6.555s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 13.624s ok github.com/google/syzkaller/pkg/report/crash (cached) ok github.com/google/syzkaller/pkg/repro 9.388s ok github.com/google/syzkaller/pkg/rpcserver 19.268s ? github.com/google/syzkaller/pkg/rpcserver/mocks [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 44.525s ok github.com/google/syzkaller/pkg/serializer (cached) ok github.com/google/syzkaller/pkg/signal (cached) ok github.com/google/syzkaller/pkg/stat (cached) ok github.com/google/syzkaller/pkg/stat/sample (cached) ? github.com/google/syzkaller/pkg/stat/syzbotstats [no test files] ok github.com/google/syzkaller/pkg/subsystem (cached) ok github.com/google/syzkaller/pkg/subsystem/linux (cached) ok github.com/google/syzkaller/pkg/subsystem/lists (cached) ok github.com/google/syzkaller/pkg/symbolizer (cached) ? github.com/google/syzkaller/pkg/testutil [no test files] ok github.com/google/syzkaller/pkg/tool (cached) ? 
github.com/google/syzkaller/pkg/updater [no test files] ok github.com/google/syzkaller/pkg/validator (cached) ok github.com/google/syzkaller/pkg/vcs (cached) ok github.com/google/syzkaller/pkg/vminfo 11.558s --- FAIL: TestSerializeForExecRandom (22.85s) testutil.go:35: seed=1773146920664022293 encodingexec_test.go:27: failed to serialize: encodingexec: too large program (4392871/4194304) FAIL FAIL github.com/google/syzkaller/prog 42.616s ok github.com/google/syzkaller/prog/test 1.016s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/generated [no test files] ok github.com/google/syzkaller/sys/linux 2.578s ok github.com/google/syzkaller/sys/netbsd 0.328s ok github.com/google/syzkaller/sys/openbsd 0.329s ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/syz-agent [no test files] ok github.com/google/syzkaller/syz-ci 11.632s ok github.com/google/syzkaller/syz-cluster/controller (cached) ok github.com/google/syzkaller/syz-cluster/dashboard (cached) ok github.com/google/syzkaller/syz-cluster/email-reporter (cached) ? github.com/google/syzkaller/syz-cluster/pkg/api [no test files] ? 
github.com/google/syzkaller/syz-cluster/pkg/app [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/blob (cached) ok github.com/google/syzkaller/syz-cluster/pkg/controller (cached) ok github.com/google/syzkaller/syz-cluster/pkg/db (cached) ok github.com/google/syzkaller/syz-cluster/pkg/emailclient (cached) ok github.com/google/syzkaller/syz-cluster/pkg/fuzzconfig 6.005s ok github.com/google/syzkaller/syz-cluster/pkg/report (cached) ok github.com/google/syzkaller/syz-cluster/pkg/reporter (cached) ok github.com/google/syzkaller/syz-cluster/pkg/retest 2.881s ? github.com/google/syzkaller/syz-cluster/pkg/service [no test files] ok github.com/google/syzkaller/syz-cluster/pkg/triage (cached) ? github.com/google/syzkaller/syz-cluster/pkg/workflow [no test files] ? github.com/google/syzkaller/syz-cluster/reporter-server [no test files] ok github.com/google/syzkaller/syz-cluster/series-tracker (cached) ? github.com/google/syzkaller/syz-cluster/tools/db-mgmt [no test files] ? github.com/google/syzkaller/syz-cluster/tools/send-test-email [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/boot [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/build [no test files] ok github.com/google/syzkaller/syz-cluster/workflow/fuzz 3.935s ? github.com/google/syzkaller/syz-cluster/workflow/retest [no test files] ? github.com/google/syzkaller/syz-cluster/workflow/triage [no test files] ok github.com/google/syzkaller/syz-hub (cached) ok github.com/google/syzkaller/syz-hub/state (cached) ? github.com/google/syzkaller/syz-kfuzztest [no test files] ok github.com/google/syzkaller/syz-manager 6.679s ? github.com/google/syzkaller/tools/arm64 [no test files] ? github.com/google/syzkaller/tools/clang [no test files] ? github.com/google/syzkaller/tools/clang/codesearch [no test files] ? github.com/google/syzkaller/tools/clang/declextract [no test files] ? github.com/google/syzkaller/tools/kfuzztest-gen [no test files] ? 
github.com/google/syzkaller/tools/syz-aflow [no test files] ? github.com/google/syzkaller/tools/syz-base-commit [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-codesearch [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-covermerger [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ok github.com/google/syzkaller/tools/syz-db 4.135s ? github.com/google/syzkaller/tools/syz-db-export [no test files] ok github.com/google/syzkaller/tools/syz-declextract 7.746s ? github.com/google/syzkaller/tools/syz-diff [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fix-analyzer [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-gemini-seed [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ok github.com/google/syzkaller/tools/syz-imagegen 0.313s ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ok github.com/google/syzkaller/tools/syz-kconf 2.333s ok github.com/google/syzkaller/tools/syz-linter (cached) ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? 
github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ok github.com/google/syzkaller/tools/syz-testbed 4.752s ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.645s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 2.729s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 26.227s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ok github.com/google/syzkaller/vm/dispatcher (cached) ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ok github.com/google/syzkaller/vm/isolated 3.262s ok github.com/google/syzkaller/vm/proxyapp 7.206s ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/virtualbox [no test files] ok github.com/google/syzkaller/vm/vmimpl 2.306s ? github.com/google/syzkaller/vm/vmm [no test files] ? github.com/google/syzkaller/vm/vmware [no test files] FAIL