? github.com/google/syzkaller/dashboard/app [no test files] ? github.com/google/syzkaller/dashboard/dashapi [no test files] ? github.com/google/syzkaller/executor [no test files] ok github.com/google/syzkaller/pkg/ast (cached) ? github.com/google/syzkaller/pkg/bisect [no test files] ok github.com/google/syzkaller/pkg/build 1.538s ok github.com/google/syzkaller/pkg/compiler 2.380s ok github.com/google/syzkaller/pkg/config (cached) ? github.com/google/syzkaller/pkg/cover [no test files] --- FAIL: TestGenerate (5.93s) --- FAIL: TestGenerate/linux/amd64 (0.07s) csource_test.go:68: seed=1556071195760780357 --- FAIL: TestGenerate/linux/amd64/34 (2.67s) csource_test.go:116: opts: {Threaded:true Collide:false Repeat:true RepeatTimes:0 Procs:0 Sandbox:none Fault:false FaultCall:0 FaultNth:0 EnableTun:false EnableNetDev:false EnableNetReset:false EnableCgroups:false EnableBinfmtMisc:false EnableCloseFds:false UseTmpDir:true HandleSegv:true Repro:false Trace:false} program: ioctl$VT_OPENQRY(0xffffffffffffffff, 0x5600, &(0x7f0000000000)) keyctl$KEYCTL_PKEY_ENCRYPT(0x19, &(0x7f0000000040)={0x0, 0x7, 0x1}, &(0x7f0000000080)={'enc=', 'raw', ' hash=', {'sm3-generic\x00'}}, &(0x7f0000000100)="b5a39140ec2479a52b3e05f96a2844bbf149d25a8d7c219aa7f1d267a0f16fd6199fc24b460bc38a7365e4a5add18ac3a3bbebc759d3052f2e174fae6836af4929f35059ba2a7ef327d89adac4bed3e177243762e36b5651e5834cebca119c69c13fe6b37e9317f96f54c305be7f91b8cecac7bda555e256df0829e077e51568d9a79329fbce6c97c3bad9d10a31a572a7272fb18249882a634f518138e95fc581832a28934dcf6605bfbba7", &(0x7f00000001c0)=""/146) ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(0xffffffffffffffff, 0x40106614, &(0x7f0000000280)) write$binfmt_elf64(0xffffffffffffffff, &(0x7f00000002c0)={{0x7f, 0x45, 0x4c, 0x46, 0x42, 0xfc, 0x8, 0xb1, 0x716b, 0x3, 0x7, 0xdc, 0x1e0, 0x40, 0x18, 0x6a4, 0xfffffffffffffffc, 0x38, 0x1, 0xc3, 0x1f, 0x5}, [{0x0, 0x3f, 0x968, 0x3, 0x9, 0x877, 0x5, 0x41}, {0x60000006, 0x4, 0x0, 0x0, 0x4, 0x8fd8, 0x5, 0x8}], "3976258ba1f37e45d4731ad67259fc44fa6dcc6c4ab9c286337698ed1892d9991445c982f15f70ffc4b8afaf19b3acbbd9aa07eb745aedb2064a229feed334410a0ef8dcb920249db0a76a409270beb9b0788563b29bae73c0662b73e59609fb754b1ef1e2c532944a4a457fd412fe9289a69d9e0f6d1214fc34948014d21ce5bb26012064f6293623a2fa998c8dc20c851ee4110966dee1fb4fa1fba616cd77afb9c1d6e06c8d0ce9995517cf9070b1f434a8646d287b438d780e0ae311ff18a09e39571b0218b5264aaffa5ad9c39c4a67a99e7201", [[], [], [], [], [], [], [], [], []]}, 0xa86) ioctl$sock_ipx_SIOCIPXNCPCONN(0xffffffffffffffff, 0x89e3, &(0x7f0000000d80)=0x6) ioctl$sock_inet6_SIOCDELRT(0xffffffffffffffff, 0x890c, &(0x7f0000000dc0)={@ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x1d}}, @loopback, @mcast2, 0x6, 0x9, 0x3ff, 0x500, 0x9, 0x2210140}) connect$rose(0xffffffffffffffff, &(0x7f0000000e40)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, 0x1, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}}, 0x1c) ioctl$BLKFLSBUF(0xffffffffffffffff, 0x1261, &(0x7f0000000e80)=0x147e) sched_getparam(0x0, &(0x7f0000000ec0)) setsockopt$EBT_SO_SET_ENTRIES(0xffffffffffffffff, 0x0, 0x80, &(0x7f0000001080)=@nat={'nat\x00', 0x19, 0x1, 0x130, [0x20000f40, 0x0, 0x0, 0x20000f70, 0x20001040], 0x0, &(0x7f0000000f00), &(0x7f0000000f40)=[{0x0, '\x00', 0x0, 0xfffffffffffffffe}, {0x0, '\x00', 0x0, 0xfffffffffffffffc, 0x1, [{{{0x0, 0x8, 0x88f8, 'rose0\x00', 'syz_tun\x00', 'eql\x00', 'lapb0\x00', @broadcast, [0x0, 0xff, 0x0, 0xff, 0x0, 0xff], @broadcast, [0xff, 0xff], 0x70, 0x70, 0xa0}}, @common=@CLASSIFY={'CLASSIFY\x00', 0x8, {{0x79}}}}]}, {0x0, '\x00', 0x1, 0xfffffffffffffffc}]}, 0x1a8) syz_emit_ethernet(0x1030, &(0x7f0000000000)={@broadcast, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}, [{[], {0x8100, 0x9, 0xffffffffffffffe0, 0x2}}], {@ipx={0x8137, {0xffff, 0x101e, 0x0, 0x15, {@current, @broadcast, 0x9}, {@random, @current, 0x4}, ""}}}}, &(0x7f0000001040)={0x1, 0x4, [0xe72, 0x537, 0x370, 0xa11]}) syz_execute_func(&(0x7f0000001080)="36640fe131c4a37d380ab7660ff577f965f30f4af28f2820b6314d67660f28cdf346a73e440f01832ed70000c4a2f990ac09b32b000042f7fb") syz_extract_tcp_res(&(0x7f00000010c0), 0x6, 0x3) syz_genetlink_get_family_id$SEG6(&(0x7f0000001100)='SEG6\x00') syz_init_net_socket$ax25(0x3, 0x7, 0xf0) syz_kvm_setup_cpu$arm64(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe6000/0x18000)=nil, &(0x7f0000001180)=[{0x0, &(0x7f0000001140)="41bd396cdb001cb140f274c3a4994a92f7ac74c4b9a93e0eaec8e5d933a359da5a6c2d881afcdd1db03fe423ae1a1647a93f", 0x32}], 0x1, 0x0, &(0x7f00000011c0)=[@featur1={0x1, 0x4705}], 0x1) syz_mount_image$bfs(&(0x7f0000001200)='bfs\x00', &(0x7f0000001240)='./file0\x00', 0x500000000, 0x3, &(0x7f00000023c0)=[{&(0x7f0000001280)="47976fbc55a6c7c07482d232666119594e3528e31b59d9eddc10d3a974723a076a8df16b54e3e79774a509356c03bab983a7d4e2c96aa935373a0263f62f2c140914e79d7e657a64e13f36076ca8ca44991766733248ba3f6b37e01e5ed8d89ebb278b46c0a0c96d529b76047e1304bf92c7385501296a12fed5eb15aa94dbe9f2b0b78384ace603a36946716e14e9581837e8bf1b714dc908", 0x99, 0x8}, {&(0x7f0000001340)="", 0x1000, 0x6}, {&(0x7f0000002340)="d783a4eb1e0dd9b2a7f8d259c74cd659c0091fe6c6dcb56b00d8b012029810e8f72bbd0422fc4f9514c66a7e9ac2c811f4e9376ca6b38d0ebe8330236166db77226ed3335e4ba5040549b13eadc710ad773842e83d986a39269319437f0894af67e7e2c031b3", 0x66, 0x40}], 0x40040, 0x0) syz_open_dev$CDROM_DEV_LINK(&(0x7f0000002440)='/dev/cdrom\x00', 0x5d, 0x400) r0 = syz_open_procfs(0x0, &(0x7f0000002480)='net/rfcomm\x00') syz_open_pts(r0, 0x200) syz_read_part_table(0x8000, 0x9, &(0x7f0000002a00)=[{&(0x7f00000024c0)="f7fae01867e6e38d355f226c20779ebaa954e2b32db13453f7edfda386219d7d8f75d7a0c9e404f12cd73e33f411d79baa8550bc6872", 0x36, 0x400}, {&(0x7f0000002500)="c0c0b36adc559a4ac3942901d5d70b7bdfde70487699a13873847f5caf6032f58d47f8aea9e836407a31221269f6feab0fb58211c99bce5ceeeaf72fd42e55567e07ce51c391dd121c2b1daffdac51042d2c6d26f89346e528de6eae5c3b8a826838691e41269fe43293aeaf84b9f28f07d16c0e56e33ab6ad8c5cd719321590f209db3401", 0x85, 0x4}, {&(0x7f00000025c0)="9792cf11aa057453ada5129b1813aaddd17eed78fa9ce92307445112616cfc3de937881a606261afa6aed6df28690842f6e702bc1aa7abcaa14e305bc4d66ab522c863c8e4af7403b950c3dfa0998a486ce729a1b3c13c2188e36f7e37958e8ba1f8c351d5b6dfca75111af078bea37258acd97277d08bb2936d95a29a292fb1f107709845af242c0f62d94309c9bc6c3a5c41f891c14133048f4d60d16f5ab99004fe2007d62fad7e77cb79", 0xac, 0x1000}, {&(0x7f0000002680)="74cec1669009a8bc904b285bb9c1ad20a21add0e91f08aed843948aef50ad8c41127e2fc4e1af94425b40750f0f82620710b4bb9a9bb9e26ec9fa5cc66e1321a2a06ad0d8d35a08e313147f6270bc838ebdc35fb4d85bf0d93bcbd7373473b1182b6865546b6fa", 0x67, 0x1000}, {&(0x7f0000002700)="c00767bdc90d63064aa468e39cc496d8e49385110d894d02963c3ca1428c07c26459ea78685eded3fc1953f3bb329dee78c9b882c2e57347887b4b7a20c4ab35efb41c8d579d95df0f178c54d630cc07d8deef18379d7dec45c5cdbbcf095489d9f8eef9b3fd647e5373a8a600b8a7903f903c93f546667969ec298cb1fafba2e5a3f561b5c3a157bf6cfd3fb2", 0x8d, 0x800}, {&(0x7f00000027c0)="bda64f190ab3cb44adc1edc58b29d835ec0189e7dd76243e826ed40df732a8dbb41f16860e20ba70eab7345a9e7b9d868e7ec482636783e6866e1920b433f0e935d049ff099bca12f0e79d3bcf48dce9238a866005754b7e89cf063ca0c6d860a1ea2b43b969c57875677ea8af1a9c2cdfd901f22eeb8a5137bcf6", 0x7b, 0x9}, {&(0x7f0000002840)="b4fa2822d62ccc6844f2e9684bc437d95e6d566eb6d27f109e985a99ddb5e97baaa9b0e5c3ccdda362cb765e945efd86f1654dca6899bf471f12bb61df69fe01db4d00c4dcf1902f6988859dee17c5e6f587bbb5be8b23fb35a39a3c2a0ec23be80995710ac89c5704434a8d57d5e6ff04b25910b653aebdde072cd9d133fb36e64a0df6020377318f4723e19152f47c4ac272b68c3ebc7e4d9f59f8be7bcf16313bd9e4e6bd833292011c5a0bece57ddc83c06a61b202abf9685e2dc9fe58fdd87d126865a3ed5c9dc69e2cff696210a808b976ade17a65b65ea2605284a6b4d6aebcbe37f89f2ceae34b31b7634e262374f1af749d", 0xf6, 0x5}, {&(0x7f0000002940)="9670048d08431ee3b171a8c84198f249fbd42c965ac68f030846f66ef200769eec52680ba5637e7a7f0b6aedd393a81e9dc27c38", 0x34, 0xfffffffffffffffb}, {&(0x7f0000002980)="e921bd148ef14158a1651b99ec26804f86d0856e427049a643319d8973c974c2ee9992273c195c233229fd42c54e87541f1b039b08e2bf553bfc51a4a8b71420bcc50d72ca1c6e7a4f2c79d561899d71fb95847666120a4e73", 0x59, 0x5}]) r1 = syz_usb_connect(0x0, 0x1114, &(0x7f0000002b00)={0x12, 0x1, 0x6b97, 0x55, 0x78, 0xcb, 0x100000001, 0x4e7, 0x6651, 0xa724, 0x1000, 0x10001, 0x6380000000, 0x1, [{0x9, 0x2, 0x1102, 0x1, 0x9, 0x2, 0x10, 0x4, [{0x9, 0x4, 0x3a, 0xfffffffffffffc00, 0x5, 0x2, 0x2, 0xff, 0x1ef, [@hid_hid={0x9, 0x21, 0x5, 0xc8, 0x1, [{0x23, 0xa25}]}], [{0x7, 0x5, 0x0, 0xc, 0x2, 0x6e15, 0xffffffffffffffff, 0x4, [@generic={0x6c, 0x5, "208ac87c7588dc7ecc1e2ba0f591a1f4f0e4323e3adc60c277d8c9101aaefd044e11a78d996c09c087edc0f2d1e29ca2655c080903bee9f367f333868cef6cd0a81d5f97142d33ae382543ce6507c955dc0e67ac57e4565e1677c97aa1e0d0c1d6ec20afb8f9b885848c"}]}, {0x7, 0x5, 0x400, 0xe08ef397667a78a5, 0xfda, 0x3f, 0x9, 0x2, [@generic={0x1002, 0x23, ""}]}, {0x7, 0x5, 0x1000, 0x2, 0x80000001, 0x100000001, 0xa9, 0x3, [@generic={0x4c, 0x4, "d48c1a5ecafa4f0537e53488572db4ea3809b64ff3fb8b278f81e92e994b4aed323a759a3424b7265831fa7c59078bc7035a6669a41c74a6f5bb7495ede867982b867002794499a86592"}]}, {0x7, 0x5, 0x7fffffff, 0x16, 0x3, 0x0, 0x40, 0x7ff}, {0x7, 0x5, 0x80, 0x0, 0x800000000000, 0xe94b, 0x6, 0x200}]}]}]}, &(0x7f0000003d00)={0xa, &(0x7f0000003c40)={0xa, 0x6, 0xfffffffffffffff9, 0x9d7, 0x5, 0x9, 0x4, 0xfffffffffffffff9}, 0x10, &(0x7f0000003c80)={0x5, 0xf, 0x10, 0x1, [@wireless={0xb, 0x10, 0x1, 0x0, 0x24, 0x5, 0x1, 0x400, 0x46}]}, 0x1, [{0x3c, &(0x7f0000003cc0)={0x3c, 0x3, 0x1c49, "442ebb26bba10fc1028d7a8dad458c4501ad21f893768a644edafb86880c13f5e9edb0aef2624236a96480a29ce0f604990310dbe37f51fc"}}]}) syz_usb_control_io(r1, &(0x7f00000041c0)={0x34, &(0x7f0000003d40)={0x20, 0x2f, 0x77, {0x77, 0x22, "1ccde98b007d7a57527bb5ca128648436b0609db263eed15ae4275a6bfc682222db6dbbbc84423b0e6aaad75270cbf10470f1e800fe0072f2293d54b1190dc8b57d57de44149bcf3999d956d9655190c0eca995211072a0e752967eede5863504d2de44941ccc8f93a51f690d576cbe381b5a31218"}}, &(0x7f0000003dc0)={0x0, 0x3, 0xc0, {0xc0, 0x3, 0xf4ff, "20cdeff1339ff899016b953237ea863e606ff57ddda8f83b38e92da80dbc48066777479ee16caa240d1520bb5cc7db6d4b8b37e7a1736a0b740863e9d3dc8efd9decbbb97a602db0438bfb35bb28c7fbd39a92a4a939667da0f2b6f5e9348beec05fbdb75a36db87b4ddf6b0a97bb782af6d2bc60d0099e06d59c3cc5131823259d0cb5389eb9e49495ca8383e03d72a648a7436da8168d6bf062b34a9c5f91702c01e907d7132edc1f0509c5065d0e2b62b76ffba9b6e9fa06a3e79"}}, &(0x7f0000003ec0)={0x0, 0x22, 0x103, {[@short=@item_4={0x3, 0x0, 0xf, "7e61a1f0"}, @short=@item_012={0x2, 0x1, 0x2, "1276"}, @short=@item_4={0x3, 0x3, 0x7, "05272f66"}, @short=@item_012={0x1, 0x2, 0xe31fc003b208401b, '\\'}, @long={0x4, 0x5, 0xf, 0xed, 0xf, "df2b0ce426a641941e338c5ecb20e8ea7381198d795011152ab64aa4a79abf689bb54fd6a4055496c336e5755fb86f711c083e1331d65b851e9acd951ccafc53dcb869d5f3331ddd4171fa46a520d582ca189f595111ec48e17b1ddc40083ad05d9476ed3df07c57391d7c62a883f64f1494546ac3e7b2598233bc3bef2f5b5046dedec8be9ed27874817e15d4adab8334c48ce33e597462e78874ca19f5b090b44b62d90e065a22a15854b23fbd2f574b79c1a8a260f1794820299e2fdbc77215cf389c1db13e21e1ce2c092e2c5915f53f332bb3771c43653c8990e793b4bca355ecb415b4e103ff5ec5b15a"}, @short=@item_012={0x2, 0x3, 0x9, "48a7"}, @short=@item_012={0x0, 0x2, 0xf}]}}, &(0x7f0000004000)={0x0, 0xf, 0x113, {0x5, 0xf, 0x113, 0x4, [@ssp_cap={0x24, 0x10, 0xa, 0x5, 0x6, 0x7, 0xf000, 0x7fff, [0x3f00, 0x3f00, 0xff00cf, 0xc000, 0xc000, 0xff00]}, @ext_cap={0x7, 0x10, 0x2, 0x18, 0x4, 0x20, 0x6}, @ext_cap={0x7, 0x10, 0x2, 0x8, 0x7, 0x101, 0x4}, @generic={0xdc, 0x10, 0x3, "b756c56eb0478ca59add64858f5ec4e3428978c83e5317f0019ff6fbcf54cdec3e304353182e2dd5dc7cb579584cd8a232c2a0cfe366abfbc05f7dd1fe1e9b4d0614bccfeb99c4403a2238cbbdb5587ce0098f356ed8d303fb7016cd27fe7ae20097f8f3a818a39702916ce904c70d7f187566d6649818cc6a97b628adf6c5cd13499612c85d819c6cee7533455e74324c87a1aa584bc7bcb49307faaf4ecdfb962ca051d09b219ab5427457e93d0ea000c3559bfcb07ae71eb14e7b75f5ce56a820a516c85d6d6df3d8664ea35c4b58ea136b96788ae70948"}]}}, &(0x7f0000004140)={0x0, 0x29, 0xf, {0xf, 0x29, 0x3, 0x13, 0x4, 0x1, "5bb7faa4", "33499b30"}}, &(0x7f0000004180)={0x0, 0x2a, 0xc, {0xc, 0x2a, 0x200, 0x8, 0x5a65, 0x5, 0x7ff, 0xe43, 0xffffffffffffff54}}}, &(0x7f0000004540)={0x54, &(0x7f0000004200)={0x0, 0x0, 0xee, "9a825bfb40a7f4e797aacfafd2579abed3e9d7e27652ad7f4a5511706a19df9ab929461df79f482d3a2d7813b522f7d3d4df898d8685826c276dbe58c827a932361df0c65344eef7825fc0303f6179488c95ec231159995da4afa9f12b8b957f39982c3f46a27da9e3757bf5d055e6b7c9e48b44d101a3c5886456f4f973f86ef79ac50767c4e56b5a37d3f4b279ca0b3ba92eefaeb0f1efad12d2286abeda3258e68fb45ad36bb25a22088c4751a2ba100945cf66f7635bc4e5cb004601eeae310590a882aed529d1648b7acc2852f7fb663911e5a163bdddadc417f031192c50e808a965918464788d4ca1043c"}, &(0x7f0000004300), &(0x7f0000004340)={0x20, 0xa, 0x1, 0x681}, &(0x7f0000004380), &(0x7f00000043c0)={0x20, 0x8, 0x1, 0x1}, &(0x7f0000004400)={0x20, 0x0, 0x4, {0x2, 0x2}}, &(0x7f0000004440)={0x20, 0x0, 0x8, {0x860, 0x8, [0xf0]}}, &(0x7f0000004480)={0x40, 0x1, 0x3, "23d5d4"}, &(0x7f00000044c0)={0x40, 0x9, 0x3, "3582bf"}, &(0x7f0000004500)={0x20, 0x80, 0x1c, {0x6, 0x1, 0x8153, 0x7, 0x60a8, 0x3, 0x3f, 0x1, 0x1, 0x10001, 0x1, 0x1}}}) syz_usb_disconnect(r0) syz_usb_ep_write(r0, 0x17, 0xd3, &(0x7f00000045c0)="74c1b2aad5a6c0f97a241bf8edda6e8e92b9af80687d6deca3bcf879864a23b10f045446c9be5a45c9fbd66184a845a17da27cb755071f48973bd2a6c6d40697abf027b2be200f58ecc5af94ceea445da5e2791dd070df13d8e3640a37f2f7bfbbd40d961b4adc8ffb3f8ce5ff70d4718e1f71c2fff15750f39a45608716fb2f3af949dd268280fa6ef7bb6c960249c1dbeecf58c7328473147cc7c288cf084d60c1279d4e00a3f752312919a7df6c9fe93637fc1045dea69bf8b3b8b54536b000758b1a3c086b08fb4b19f5a89134b7a03e8c") csource_test.go:117: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) { __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; } __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } #define USB_MAX_EP_NUM 32 struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; unsigned config_length; struct usb_interface_descriptor* iface; struct usb_endpoint_descriptor* eps[USB_MAX_EP_NUM]; unsigned eps_num; }; static bool parse_usb_descriptor(char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config) + sizeof(*index->iface)) return false; index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->config_length = length - sizeof(*index->dev); index->iface = (struct usb_interface_descriptor*)(buffer + sizeof(*index->dev) + sizeof(*index->config)); index->eps_num = 0; size_t offset = 0; while (true) { if (offset == length) break; if (offset + 1 < length) break; uint8_t length = buffer[offset]; uint8_t type = buffer[offset + 1]; if (type == USB_DT_ENDPOINT) { index->eps[index->eps_num] = (struct usb_endpoint_descriptor*)(buffer + offset); index->eps_num++; } if (index->eps_num == USB_MAX_EP_NUM) break; offset += length; } return true; } enum usb_fuzzer_event_type { USB_FUZZER_EVENT_INVALID, USB_FUZZER_EVENT_CONNECT, USB_FUZZER_EVENT_DISCONNECT, USB_FUZZER_EVENT_SUSPEND, USB_FUZZER_EVENT_RESUME, USB_FUZZER_EVENT_CONTROL, }; struct usb_fuzzer_event { uint32_t type; uint32_t length; char data[0]; }; struct usb_fuzzer_init { uint64_t speed; const char* driver_name; const char* device_name; }; struct usb_fuzzer_ep_io { uint16_t ep; uint16_t flags; uint32_t length; char data[0]; }; #define USB_FUZZER_IOCTL_INIT _IOW('U', 0, struct usb_fuzzer_init) #define USB_FUZZER_IOCTL_RUN _IO('U', 1) #define USB_FUZZER_IOCTL_EP0_READ _IOWR('U', 2, struct usb_fuzzer_event) #define USB_FUZZER_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_EP_ENABLE _IOW('U', 4, struct usb_endpoint_descriptor) #define USB_FUZZER_IOCTL_EP_WRITE _IOW('U', 6, struct usb_fuzzer_ep_io) #define USB_FUZZER_IOCTL_CONFIGURE _IO('U', 8) #define USB_FUZZER_IOCTL_VBUS_DRAW _IOW('U', 9, uint32_t) int usb_fuzzer_open() { return open("/sys/kernel/debug/usb-fuzzer", O_RDWR); } int usb_fuzzer_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_fuzzer_init arg; arg.speed = speed; arg.driver_name = driver; arg.device_name = device; return ioctl(fd, USB_FUZZER_IOCTL_INIT, &arg); } int usb_fuzzer_run(int fd) { return ioctl(fd, USB_FUZZER_IOCTL_RUN, 0); } int usb_fuzzer_ep0_read(int fd, struct usb_fuzzer_event* event) { return ioctl(fd, USB_FUZZER_IOCTL_EP0_READ, event); } int usb_fuzzer_ep0_write(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP0_WRITE, io); } int usb_fuzzer_ep_write(int fd, struct usb_fuzzer_ep_io* io) { return ioctl(fd, USB_FUZZER_IOCTL_EP_WRITE, io); } int usb_fuzzer_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_FUZZER_IOCTL_EP_ENABLE, desc); } int usb_fuzzer_configure(int fd) { return ioctl(fd, USB_FUZZER_IOCTL_CONFIGURE, 0); } int usb_fuzzer_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_FUZZER_IOCTL_VBUS_DRAW, power); } #define USB_MAX_PACKET_SIZE 1024 struct usb_fuzzer_control_event { struct usb_fuzzer_event inner; struct usb_ctrlrequest ctrl; }; struct usb_fuzzer_ep_io_data { struct usb_fuzzer_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static bool lookup_connect_response(struct vusb_connect_descriptors* descs, struct usb_device_index* index, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length, bool* done) { uint8_t str_idx; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (str_idx >= descs->strs_len) return false; *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: *response_data = descs->qual; *response_length = descs->qual_len; return true; default: exit(1); return false; } break; case USB_REQ_SET_CONFIGURATION: *response_length = 0; *response_data = NULL; *done = true; return true; default: exit(1); return false; } break; default: exit(1); return false; } return false; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int64_t speed = a0; int64_t dev_len = a1; char* dev = (char*)a2; struct vusb_connect_descriptors* descs = (struct vusb_connect_descriptors*)a3; if (!dev) return -1; struct usb_device_index index; memset(&index, 0, sizeof(index)); int rv; NONFAILING(rv = parse_usb_descriptor(dev, dev_len, &index)); if (!rv) return -1; int fd = usb_fuzzer_open(); if (fd < 0) return -1; char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); rv = usb_fuzzer_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) return -1; rv = usb_fuzzer_run(fd); if (rv < 0) return -1; bool done = false; while (!done) { struct usb_fuzzer_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_event*)&event); if (rv < 0) return -1; if (event.inner.type != USB_FUZZER_EVENT_CONTROL) continue; bool response_found; char* response_data = NULL; uint32_t response_length = 0; NONFAILING(response_found = lookup_connect_response(descs, &index, &event.ctrl, &response_data, &response_length, &done)); if (!response_found) return -1; if (done) { int rv = usb_fuzzer_vbus_draw(fd, index.config->bMaxPower); if (rv < 0) return -1; rv = usb_fuzzer_configure(fd); if (rv < 0) return -1; unsigned ep; for (ep = 0; ep < index.eps_num; ep++) { rv = usb_fuzzer_ep_enable(fd, index.eps[ep]); if (rv < 0) exit(1); } } struct usb_fuzzer_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); if (event.ctrl.wLength < response.inner.length) response.inner.length = event.ctrl.wLength; usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response); } sleep_ms(200); return fd; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_io_response(struct vusb_descriptors* descs, struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); int resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; struct vusb_descriptors* descs = (struct vusb_descriptors*)a1; struct vusb_responses* resps = (struct vusb_responses*)a2; struct usb_fuzzer_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); int rv = usb_fuzzer_ep0_read(fd, (struct usb_fuzzer_event*)&event); if (rv < 0) return -1; if (event.inner.type != USB_FUZZER_EVENT_CONTROL) return -1; bool response_found; char* response_data = NULL; uint32_t response_length = 0; NONFAILING(response_found = lookup_control_io_response(descs, resps, &event.ctrl, &response_data, &response_length)); if (!response_found) return -1; struct usb_fuzzer_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); if (event.ctrl.wLength < response.inner.length) response.inner.length = event.ctrl.wLength; usb_fuzzer_ep0_write(fd, (struct usb_fuzzer_ep_io*)&response); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint16_t ep = a1; uint32_t len = a2; char* data = (char*)a3; struct usb_fuzzer_ep_io_data response; response.inner.ep = ep; response.inner.flags = 0; if (len > sizeof(response.data)) len = 0; response.inner.length = len; if (data) memcpy(&response.data[0], data, len); return usb_fuzzer_ep_write(fd, (struct usb_fuzzer_ep_io*)&response); } static volatile long syz_usb_disconnect(volatile long a0) { int fd = a0; int rv = close(fd); sleep_ms(200); return rv; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1)); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static long syz_open_procfs(volatile long a0, volatile long a1) { char buf[128]; memset(buf, 0, sizeof(buf)); if (a0 == 0) { NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/%s", (char*)a1)); } else if (a0 == -1) { NONFAILING(snprintf(buf, sizeof(buf), "/proc/thread-self/%s", (char*)a1)); } else { NONFAILING(snprintf(buf, sizeof(buf), "/proc/self/task/%d/%s", (int)a0, (char*)a1)); } int fd = open(buf, O_RDWR); if (fd == -1) fd = open(buf, O_RDONLY); return fd; } static long syz_open_pts(volatile long a0, volatile long a1) { int ptyno = 0; if (ioctl(a0, TIOCGPTN, &ptyno)) return -1; char buf[128]; sprintf(buf, "/dev/pts/%d", ptyno); return open(buf, a1, 0); } const int kInitNetNsFd = 239; static long syz_init_net_socket(volatile long domain, volatile long type, volatile long proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) exit(1); close(netns); errno = err; return sock; } static long syz_genetlink_get_family_id(volatile long name) { char buf[512] = {0}; struct nlmsghdr* hdr = (struct nlmsghdr*)buf; struct genlmsghdr* genlhdr = (struct genlmsghdr*)NLMSG_DATA(hdr); struct nlattr* attr = (struct nlattr*)(genlhdr + 1); hdr->nlmsg_len = sizeof(*hdr) + sizeof(*genlhdr) + sizeof(*attr) + GENL_NAMSIZ; hdr->nlmsg_type = GENL_ID_CTRL; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; genlhdr->cmd = CTRL_CMD_GETFAMILY; attr->nla_type = CTRL_ATTR_FAMILY_NAME; attr->nla_len = sizeof(*attr) + GENL_NAMSIZ; NONFAILING(strncpy((char*)(attr + 1), (char*)name, GENL_NAMSIZ)); struct iovec iov = {hdr, hdr->nlmsg_len}; struct sockaddr_nl addr = {0}; addr.nl_family = AF_NETLINK; int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (fd == -1) { return -1; } struct msghdr msg = {&addr, sizeof(addr), &iov, 1, NULL, 0, 0}; if (sendmsg(fd, &msg, 0) == -1) { close(fd); return -1; } ssize_t n = recv(fd, buf, sizeof(buf), 0); close(fd); if (n <= 0) { return -1; } if (hdr->nlmsg_type != GENL_ID_CTRL) { return -1; } for (; (char*)attr < buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) return *(uint16_t*)(attr + 1); } return -1; } struct fs_image_segment { void* data; uintptr_t size; uintptr_t offset; }; #define IMAGE_MAX_SEGMENTS 4096 #define IMAGE_MAX_SIZE (129 << 20) #define SYZ_memfd_create 319 static long syz_read_part_table(volatile unsigned long size, volatile unsigned long nsegs, volatile long segments) { char loopname[64], linkname[64]; int loopfd, err = 0, res = -1; unsigned long i, j; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; int memfd = syscall(SYZ_memfd_create, "syz_read_part_table", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } struct loop_info64 info; if (ioctl(loopfd, LOOP_GET_STATUS64, &info)) { err = errno; goto error_clear_loop; } info.lo_flags |= LO_FLAGS_PARTSCAN; if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) { err = errno; goto error_clear_loop; } res = 0; for (i = 1, j = 0; i < 8; i++) { snprintf(loopname, sizeof(loopname), "/dev/loop%llup%d", procid, (int)i); struct stat statbuf; if (stat(loopname, &statbuf) == 0) { snprintf(linkname, sizeof(linkname), "./file%d", (int)j++); if (symlink(loopname, linkname)) { } } } error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile unsigned long size, volatile unsigned long nsegs, volatile long segments, volatile long flags, volatile long optsarg) { char loopname[64], fs[32], opts[256]; int loopfd, err = 0, res = -1; unsigned long i; struct fs_image_segment* segs = (struct fs_image_segment*)segments; if (nsegs > IMAGE_MAX_SEGMENTS) nsegs = IMAGE_MAX_SEGMENTS; for (i = 0; i < nsegs; i++) { if (segs[i].size > IMAGE_MAX_SIZE) segs[i].size = IMAGE_MAX_SIZE; segs[i].offset %= IMAGE_MAX_SIZE; if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size) segs[i].offset = IMAGE_MAX_SIZE - segs[i].size; if (size < segs[i].offset + segs[i].offset) size = segs[i].offset + segs[i].offset; } if (size > IMAGE_MAX_SIZE) size = IMAGE_MAX_SIZE; int memfd = syscall(SYZ_memfd_create, "syz_mount_image", 0); if (memfd == -1) { err = errno; goto error; } if (ftruncate(memfd, size)) { err = errno; goto error_close_memfd; } for (i = 0; i < nsegs; i++) { if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) { } } snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } mkdir((char*)dir, 0777); memset(fs, 0, sizeof(fs)); NONFAILING(strncpy(fs, (char*)fsarg, sizeof(fs) - 1)); memset(opts, 0, sizeof(opts)); NONFAILING(strncpy(opts, (char*)optsarg, sizeof(opts) - 32)); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } if (mount(loopname, (char*)dir, fs, flags, opts)) { err = errno; goto error_clear_loop; } res = 0; error_clear_loop: ioctl(loopfd, LOOP_CLR_FD, 0); error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return res; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; NONFAILING(dt[index] = sd); NONFAILING(lt[index] = sd); } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; NONFAILING(dt[index + 1] = 0); NONFAILING(lt[index + 1] = 0); } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 6: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = 0; const void* text = 0; uintptr_t text_size = 0; NONFAILING(text_type = text_array_ptr[0].typ); NONFAILING(text = text_array_ptr[0].text); NONFAILING(text_size = text_array_ptr[0].size); uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr); NONFAILING(pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr); NONFAILING(pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS); sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS); NONFAILING(memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1)); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE); text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); NONFAILING(memcpy(tss16_addr, &tss16, sizeof(tss16))); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); NONFAILING(memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16))); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); NONFAILING(memcpy(tss32_addr, &tss32, sizeof(tss32))); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); NONFAILING(memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32))); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); NONFAILING(memcpy(tss64_addr, &tss64, sizeof(tss64))); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); NONFAILING(memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64))); if (text_size > 1000) text_size = 1000; if (text_prefix) { NONFAILING(memcpy(host_text, text_prefix, text_prefix_size)); void* patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4)); if (patch) NONFAILING(*((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6); uint16_t magic = PREFIX_SIZE; patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic))); if (patch) NONFAILING(*((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size); } NONFAILING(memcpy((void*)(host_text + text_prefix_size), text, text_size)); NONFAILING(*(host_text + text_prefix_size + text_size) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size)); NONFAILING(*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4); NONFAILING(*(host_mem + ADDR_VAR_HLT) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3)); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0); if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = 0; uint64_t val = 0; NONFAILING(typ = opt_array_ptr[i].typ); NONFAILING(val = opt_array_ptr[i].val); switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; NONFAILING(tss16_addr->flags ^= val); NONFAILING(tss16_cpl3_addr->flags ^= val); NONFAILING(tss32_addr->flags ^= val); NONFAILING(tss32_cpl3_addr->flags ^= val); break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16)); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) exit(1); if (dup2(netns, kInitNetNsFd) < 0) exit(1); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); if (unshare(CLONE_NEWNET)) { } loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } #define SYZ_HAVE_RESET_LOOP 1 static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } #define SYZ_HAVE_SETUP_TEST 1 static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static long syz_execute_func(volatile long text) { volatile long p[8] = {0}; (void)p; asm volatile("" ::"r"(0l), "r"(1l), "r"(2l), "r"(3l), "r"(4l), "r"(5l), "r"(6l), "r"(7l), "r"(8l), "r"(9l), "r"(10l), "r"(11l), "r"(12l), "r"(13l)); NONFAILING(((void (*)(void))(text))()); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 25; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { long res; switch (call) { case 0: syscall(__NR_ioctl, -1, 0x5600, 0x20000000); break; case 1: NONFAILING(*(uint32_t*)0x20000040 = 0); NONFAILING(*(uint32_t*)0x20000044 = 7); NONFAILING(*(uint32_t*)0x20000048 = 1); NONFAILING(*(uint32_t*)0x2000004c = 0); NONFAILING(*(uint32_t*)0x20000050 = 0); NONFAILING(*(uint32_t*)0x20000054 = 0); NONFAILING(*(uint32_t*)0x20000058 = 0); NONFAILING(*(uint32_t*)0x2000005c = 0); NONFAILING(*(uint32_t*)0x20000060 = 0); NONFAILING(*(uint32_t*)0x20000064 = 0); NONFAILING(memcpy((void*)0x20000080, "enc=", 4)); NONFAILING(memcpy((void*)0x20000084, "raw", 3)); NONFAILING(memcpy((void*)0x20000087, " hash=", 6)); NONFAILING(memcpy((void*)0x2000008d, "sm3-generic\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64)); NONFAILING(memcpy((void*)0x20000100, "\xb5\xa3\x91\x40\xec\x24\x79\xa5\x2b\x3e\x05\xf9\x6a\x28\x44\xbb\xf1\x49\xd2\x5a\x8d\x7c\x21\x9a\xa7\xf1\xd2\x67\xa0\xf1\x6f\xd6\x19\x9f\xc2\x4b\x46\x0b\xc3\x8a\x73\x65\xe4\xa5\xad\xd1\x8a\xc3\xa3\xbb\xeb\xc7\x59\xd3\x05\x2f\x2e\x17\x4f\xae\x68\x36\xaf\x49\x29\xf3\x50\x59\xba\x2a\x7e\xf3\x27\xd8\x9a\xda\xc4\xbe\xd3\xe1\x77\x24\x37\x62\xe3\x6b\x56\x51\xe5\x83\x4c\xeb\xca\x11\x9c\x69\xc1\x3f\xe6\xb3\x7e\x93\x17\xf9\x6f\x54\xc3\x05\xbe\x7f\x91\xb8\xce\xca\xc7\xbd\xa5\x55\xe2\x56\xdf\x08\x29\xe0\x77\xe5\x15\x68\xd9\xa7\x93\x29\xfb\xce\x6c\x97\xc3\xba\xd9\xd1\x0a\x31\xa5\x72\xa7\x27\x2f\xb1\x82\x49\x88\x2a\x63\x4f\x51\x81\x38\xe9\x5f\xc5\x81\x83\x2a\x28\x93\x4d\xcf\x66\x05\xbf\xbb\xa7", 172)); syscall(__NR_keyctl, 0x19, 0x20000040, 0x20000080, 0x20000100, 0x200001c0); break; case 2: syscall(__NR_ioctl, -1, 0x40106614, 0x20000280); break; case 3: NONFAILING(*(uint8_t*)0x200002c0 = 0x7f); NONFAILING(*(uint8_t*)0x200002c1 = 0x45); NONFAILING(*(uint8_t*)0x200002c2 = 0x4c); NONFAILING(*(uint8_t*)0x200002c3 = 0x46); NONFAILING(*(uint8_t*)0x200002c4 = 0x42); NONFAILING(*(uint8_t*)0x200002c5 = 0xfc); NONFAILING(*(uint8_t*)0x200002c6 = 8); NONFAILING(*(uint8_t*)0x200002c7 = 0xb1); NONFAILING(*(uint64_t*)0x200002c8 = 0x716b); NONFAILING(*(uint16_t*)0x200002d0 = 3); NONFAILING(*(uint16_t*)0x200002d2 = 7); NONFAILING(*(uint32_t*)0x200002d4 = 0xdc); NONFAILING(*(uint64_t*)0x200002d8 = 0x1e0); NONFAILING(*(uint64_t*)0x200002e0 = 0x40); NONFAILING(*(uint64_t*)0x200002e8 = 0x18); NONFAILING(*(uint32_t*)0x200002f0 = 0x6a4); NONFAILING(*(uint16_t*)0x200002f4 = 0xfffc); NONFAILING(*(uint16_t*)0x200002f6 = 0x38); NONFAILING(*(uint16_t*)0x200002f8 = 1); NONFAILING(*(uint16_t*)0x200002fa = 0xc3); NONFAILING(*(uint16_t*)0x200002fc = 0x1f); NONFAILING(*(uint16_t*)0x200002fe = 5); NONFAILING(*(uint32_t*)0x20000300 = 0); NONFAILING(*(uint32_t*)0x20000304 = 0x3f); NONFAILING(*(uint64_t*)0x20000308 = 0x968); NONFAILING(*(uint64_t*)0x20000310 = 3); NONFAILING(*(uint64_t*)0x20000318 = 9); NONFAILING(*(uint64_t*)0x20000320 = 0x877); NONFAILING(*(uint64_t*)0x20000328 = 5); NONFAILING(*(uint64_t*)0x20000330 = 0x41); NONFAILING(*(uint32_t*)0x20000338 = 0x60000006); NONFAILING(*(uint32_t*)0x2000033c = 4); NONFAILING(*(uint64_t*)0x20000340 = 0); NONFAILING(*(uint64_t*)0x20000348 = 0); NONFAILING(*(uint64_t*)0x20000350 = 4); NONFAILING(*(uint64_t*)0x20000358 = 0x8fd8); NONFAILING(*(uint64_t*)0x20000360 = 5); NONFAILING(*(uint64_t*)0x20000368 = 8); NONFAILING(memcpy((void*)0x20000370, "\x39\x76\x25\x8b\xa1\xf3\x7e\x45\xd4\x73\x1a\xd6\x72\x59\xfc\x44\xfa\x6d\xcc\x6c\x4a\xb9\xc2\x86\x33\x76\x98\xed\x18\x92\xd9\x99\x14\x45\xc9\x82\xf1\x5f\x70\xff\xc4\xb8\xaf\xaf\x19\xb3\xac\xbb\xd9\xaa\x07\xeb\x74\x5a\xed\xb2\x06\x4a\x22\x9f\xee\xd3\x34\x41\x0a\x0e\xf8\xdc\xb9\x20\x24\x9d\xb0\xa7\x6a\x40\x92\x70\xbe\xb9\xb0\x78\x85\x63\xb2\x9b\xae\x73\xc0\x66\x2b\x73\xe5\x96\x09\xfb\x75\x4b\x1e\xf1\xe2\xc5\x32\x94\x4a\x4a\x45\x7f\xd4\x12\xfe\x92\x89\xa6\x9d\x9e\x0f\x6d\x12\x14\xfc\x34\x94\x80\x14\xd2\x1c\xe5\xbb\x26\x01\x20\x64\xf6\x29\x36\x23\xa2\xfa\x99\x8c\x8d\xc2\x0c\x85\x1e\xe4\x11\x09\x66\xde\xe1\xfb\x4f\xa1\xfb\xa6\x16\xcd\x77\xaf\xb9\xc1\xd6\xe0\x6c\x8d\x0c\xe9\x99\x55\x17\xcf\x90\x70\xb1\xf4\x34\xa8\x64\x6d\x28\x7b\x43\x8d\x78\x0e\x0a\xe3\x11\xff\x18\xa0\x9e\x39\x57\x1b\x02\x18\xb5\x26\x4a\xaf\xfa\x5a\xd9\xc3\x9c\x4a\x67\xa9\x9e\x72\x01", 214)); NONFAILING(*(uint64_t*)0x20000446 = 0); NONFAILING(*(uint64_t*)0x2000044e = 0); NONFAILING(*(uint64_t*)0x20000456 = 0); NONFAILING(*(uint64_t*)0x2000045e = 0); NONFAILING(*(uint64_t*)0x20000466 = 0); NONFAILING(*(uint64_t*)0x2000046e = 0); NONFAILING(*(uint64_t*)0x20000476 = 0); NONFAILING(*(uint64_t*)0x2000047e = 0); NONFAILING(*(uint64_t*)0x20000486 = 0); NONFAILING(*(uint64_t*)0x2000048e = 0); NONFAILING(*(uint64_t*)0x20000496 = 0); NONFAILING(*(uint64_t*)0x2000049e = 0); NONFAILING(*(uint64_t*)0x200004a6 = 0); NONFAILING(*(uint64_t*)0x200004ae = 0); NONFAILING(*(uint64_t*)0x200004b6 = 0); NONFAILING(*(uint64_t*)0x200004be = 0); NONFAILING(*(uint64_t*)0x200004c6 = 0); NONFAILING(*(uint64_t*)0x200004ce = 0); NONFAILING(*(uint64_t*)0x200004d6 = 0); NONFAILING(*(uint64_t*)0x200004de = 0); NONFAILING(*(uint64_t*)0x200004e6 = 0); NONFAILING(*(uint64_t*)0x200004ee = 0); NONFAILING(*(uint64_t*)0x200004f6 = 0); NONFAILING(*(uint64_t*)0x200004fe = 0); NONFAILING(*(uint64_t*)0x20000506 = 0); NONFAILING(*(uint64_t*)0x2000050e = 0); NONFAILING(*(uint64_t*)0x20000516 = 0); NONFAILING(*(uint64_t*)0x2000051e = 0); NONFAILING(*(uint64_t*)0x20000526 = 0); NONFAILING(*(uint64_t*)0x2000052e = 0); NONFAILING(*(uint64_t*)0x20000536 = 0); NONFAILING(*(uint64_t*)0x2000053e = 0); NONFAILING(*(uint64_t*)0x20000546 = 0); NONFAILING(*(uint64_t*)0x2000054e = 0); NONFAILING(*(uint64_t*)0x20000556 = 0); NONFAILING(*(uint64_t*)0x2000055e = 0); NONFAILING(*(uint64_t*)0x20000566 = 0); NONFAILING(*(uint64_t*)0x2000056e = 0); NONFAILING(*(uint64_t*)0x20000576 = 0); NONFAILING(*(uint64_t*)0x2000057e = 0); NONFAILING(*(uint64_t*)0x20000586 = 0); NONFAILING(*(uint64_t*)0x2000058e = 0); NONFAILING(*(uint64_t*)0x20000596 = 0); NONFAILING(*(uint64_t*)0x2000059e = 0); NONFAILING(*(uint64_t*)0x200005a6 = 0); NONFAILING(*(uint64_t*)0x200005ae = 0); NONFAILING(*(uint64_t*)0x200005b6 = 0); NONFAILING(*(uint64_t*)0x200005be = 0); NONFAILING(*(uint64_t*)0x200005c6 = 0); NONFAILING(*(uint64_t*)0x200005ce = 0); NONFAILING(*(uint64_t*)0x200005d6 = 0); NONFAILING(*(uint64_t*)0x200005de = 0); NONFAILING(*(uint64_t*)0x200005e6 = 0); NONFAILING(*(uint64_t*)0x200005ee = 0); NONFAILING(*(uint64_t*)0x200005f6 = 0); NONFAILING(*(uint64_t*)0x200005fe = 0); NONFAILING(*(uint64_t*)0x20000606 = 0); NONFAILING(*(uint64_t*)0x2000060e = 0); NONFAILING(*(uint64_t*)0x20000616 = 0); NONFAILING(*(uint64_t*)0x2000061e = 0); NONFAILING(*(uint64_t*)0x20000626 = 0); NONFAILING(*(uint64_t*)0x2000062e = 0); NONFAILING(*(uint64_t*)0x20000636 = 0); NONFAILING(*(uint64_t*)0x2000063e = 0); NONFAILING(*(uint64_t*)0x20000646 = 0); NONFAILING(*(uint64_t*)0x2000064e = 0); NONFAILING(*(uint64_t*)0x20000656 = 0); NONFAILING(*(uint64_t*)0x2000065e = 0); NONFAILING(*(uint64_t*)0x20000666 = 0); NONFAILING(*(uint64_t*)0x2000066e = 0); NONFAILING(*(uint64_t*)0x20000676 = 0); NONFAILING(*(uint64_t*)0x2000067e = 0); NONFAILING(*(uint64_t*)0x20000686 = 0); NONFAILING(*(uint64_t*)0x2000068e = 0); NONFAILING(*(uint64_t*)0x20000696 = 0); NONFAILING(*(uint64_t*)0x2000069e = 0); NONFAILING(*(uint64_t*)0x200006a6 = 0); NONFAILING(*(uint64_t*)0x200006ae = 0); NONFAILING(*(uint64_t*)0x200006b6 = 0); NONFAILING(*(uint64_t*)0x200006be = 0); NONFAILING(*(uint64_t*)0x200006c6 = 0); NONFAILING(*(uint64_t*)0x200006ce = 0); NONFAILING(*(uint64_t*)0x200006d6 = 0); NONFAILING(*(uint64_t*)0x200006de = 0); NONFAILING(*(uint64_t*)0x200006e6 = 0); NONFAILING(*(uint64_t*)0x200006ee = 0); NONFAILING(*(uint64_t*)0x200006f6 = 0); NONFAILING(*(uint64_t*)0x200006fe = 0); NONFAILING(*(uint64_t*)0x20000706 = 0); NONFAILING(*(uint64_t*)0x2000070e = 0); NONFAILING(*(uint64_t*)0x20000716 = 0); NONFAILING(*(uint64_t*)0x2000071e = 0); NONFAILING(*(uint64_t*)0x20000726 = 0); NONFAILING(*(uint64_t*)0x2000072e = 0); NONFAILING(*(uint64_t*)0x20000736 = 0); NONFAILING(*(uint64_t*)0x2000073e = 0); NONFAILING(*(uint64_t*)0x20000746 = 0); NONFAILING(*(uint64_t*)0x2000074e = 0); NONFAILING(*(uint64_t*)0x20000756 = 0); NONFAILING(*(uint64_t*)0x2000075e = 0); NONFAILING(*(uint64_t*)0x20000766 = 0); NONFAILING(*(uint64_t*)0x2000076e = 0); NONFAILING(*(uint64_t*)0x20000776 = 0); NONFAILING(*(uint64_t*)0x2000077e = 0); NONFAILING(*(uint64_t*)0x20000786 = 0); NONFAILING(*(uint64_t*)0x2000078e = 0); NONFAILING(*(uint64_t*)0x20000796 = 0); NONFAILING(*(uint64_t*)0x2000079e = 0); NONFAILING(*(uint64_t*)0x200007a6 = 0); NONFAILING(*(uint64_t*)0x200007ae = 0); NONFAILING(*(uint64_t*)0x200007b6 = 0); NONFAILING(*(uint64_t*)0x200007be = 0); NONFAILING(*(uint64_t*)0x200007c6 = 0); NONFAILING(*(uint64_t*)0x200007ce = 0); NONFAILING(*(uint64_t*)0x200007d6 = 0); NONFAILING(*(uint64_t*)0x200007de = 0); NONFAILING(*(uint64_t*)0x200007e6 = 0); NONFAILING(*(uint64_t*)0x200007ee = 0); NONFAILING(*(uint64_t*)0x200007f6 = 0); NONFAILING(*(uint64_t*)0x200007fe = 0); NONFAILING(*(uint64_t*)0x20000806 = 0); NONFAILING(*(uint64_t*)0x2000080e = 0); NONFAILING(*(uint64_t*)0x20000816 = 0); NONFAILING(*(uint64_t*)0x2000081e = 0); NONFAILING(*(uint64_t*)0x20000826 = 0); NONFAILING(*(uint64_t*)0x2000082e = 0); NONFAILING(*(uint64_t*)0x20000836 = 0); NONFAILING(*(uint64_t*)0x2000083e = 0); NONFAILING(*(uint64_t*)0x20000846 = 0); NONFAILING(*(uint64_t*)0x2000084e = 0); NONFAILING(*(uint64_t*)0x20000856 = 0); NONFAILING(*(uint64_t*)0x2000085e = 0); NONFAILING(*(uint64_t*)0x20000866 = 0); NONFAILING(*(uint64_t*)0x2000086e = 0); NONFAILING(*(uint64_t*)0x20000876 = 0); NONFAILING(*(uint64_t*)0x2000087e = 0); NONFAILING(*(uint64_t*)0x20000886 = 0); NONFAILING(*(uint64_t*)0x2000088e = 0); NONFAILING(*(uint64_t*)0x20000896 = 0); NONFAILING(*(uint64_t*)0x2000089e = 0); NONFAILING(*(uint64_t*)0x200008a6 = 0); NONFAILING(*(uint64_t*)0x200008ae = 0); NONFAILING(*(uint64_t*)0x200008b6 = 0); NONFAILING(*(uint64_t*)0x200008be = 0); NONFAILING(*(uint64_t*)0x200008c6 = 0); NONFAILING(*(uint64_t*)0x200008ce = 0); NONFAILING(*(uint64_t*)0x200008d6 = 0); NONFAILING(*(uint64_t*)0x200008de = 0); NONFAILING(*(uint64_t*)0x200008e6 = 0); NONFAILING(*(uint64_t*)0x200008ee = 0); NONFAILING(*(uint64_t*)0x200008f6 = 0); NONFAILING(*(uint64_t*)0x200008fe = 0); NONFAILING(*(uint64_t*)0x20000906 = 0); NONFAILING(*(uint64_t*)0x2000090e = 0); NONFAILING(*(uint64_t*)0x20000916 = 0); NONFAILING(*(uint64_t*)0x2000091e = 0); NONFAILING(*(uint64_t*)0x20000926 = 0); NONFAILING(*(uint64_t*)0x2000092e = 0); NONFAILING(*(uint64_t*)0x20000936 = 0); NONFAILING(*(uint64_t*)0x2000093e = 0); NONFAILING(*(uint64_t*)0x20000946 = 0); NONFAILING(*(uint64_t*)0x2000094e = 0); NONFAILING(*(uint64_t*)0x20000956 = 0); NONFAILING(*(uint64_t*)0x2000095e = 0); NONFAILING(*(uint64_t*)0x20000966 = 0); NONFAILING(*(uint64_t*)0x2000096e = 0); NONFAILING(*(uint64_t*)0x20000976 = 0); NONFAILING(*(uint64_t*)0x2000097e = 0); NONFAILING(*(uint64_t*)0x20000986 = 0); NONFAILING(*(uint64_t*)0x2000098e = 0); NONFAILING(*(uint64_t*)0x20000996 = 0); NONFAILING(*(uint64_t*)0x2000099e = 0); NONFAILING(*(uint64_t*)0x200009a6 = 0); NONFAILING(*(uint64_t*)0x200009ae = 0); NONFAILING(*(uint64_t*)0x200009b6 = 0); NONFAILING(*(uint64_t*)0x200009be = 0); NONFAILING(*(uint64_t*)0x200009c6 = 0); NONFAILING(*(uint64_t*)0x200009ce = 0); NONFAILING(*(uint64_t*)0x200009d6 = 0); NONFAILING(*(uint64_t*)0x200009de = 0); NONFAILING(*(uint64_t*)0x200009e6 = 0); NONFAILING(*(uint64_t*)0x200009ee = 0); NONFAILING(*(uint64_t*)0x200009f6 = 0); NONFAILING(*(uint64_t*)0x200009fe = 0); NONFAILING(*(uint64_t*)0x20000a06 = 0); NONFAILING(*(uint64_t*)0x20000a0e = 0); NONFAILING(*(uint64_t*)0x20000a16 = 0); NONFAILING(*(uint64_t*)0x20000a1e = 0); NONFAILING(*(uint64_t*)0x20000a26 = 0); NONFAILING(*(uint64_t*)0x20000a2e = 0); NONFAILING(*(uint64_t*)0x20000a36 = 0); NONFAILING(*(uint64_t*)0x20000a3e = 0); NONFAILING(*(uint64_t*)0x20000a46 = 0); NONFAILING(*(uint64_t*)0x20000a4e = 0); NONFAILING(*(uint64_t*)0x20000a56 = 0); NONFAILING(*(uint64_t*)0x20000a5e = 0); NONFAILING(*(uint64_t*)0x20000a66 = 0); NONFAILING(*(uint64_t*)0x20000a6e = 0); NONFAILING(*(uint64_t*)0x20000a76 = 0); NONFAILING(*(uint64_t*)0x20000a7e = 0); NONFAILING(*(uint64_t*)0x20000a86 = 0); NONFAILING(*(uint64_t*)0x20000a8e = 0); NONFAILING(*(uint64_t*)0x20000a96 = 0); NONFAILING(*(uint64_t*)0x20000a9e = 0); NONFAILING(*(uint64_t*)0x20000aa6 = 0); NONFAILING(*(uint64_t*)0x20000aae = 0); NONFAILING(*(uint64_t*)0x20000ab6 = 0); NONFAILING(*(uint64_t*)0x20000abe = 0); NONFAILING(*(uint64_t*)0x20000ac6 = 0); NONFAILING(*(uint64_t*)0x20000ace = 0); NONFAILING(*(uint64_t*)0x20000ad6 = 0); NONFAILING(*(uint64_t*)0x20000ade = 0); NONFAILING(*(uint64_t*)0x20000ae6 = 0); NONFAILING(*(uint64_t*)0x20000aee = 0); NONFAILING(*(uint64_t*)0x20000af6 = 0); NONFAILING(*(uint64_t*)0x20000afe = 0); NONFAILING(*(uint64_t*)0x20000b06 = 0); NONFAILING(*(uint64_t*)0x20000b0e = 0); NONFAILING(*(uint64_t*)0x20000b16 = 0); NONFAILING(*(uint64_t*)0x20000b1e = 0); NONFAILING(*(uint64_t*)0x20000b26 = 0); NONFAILING(*(uint64_t*)0x20000b2e = 0); NONFAILING(*(uint64_t*)0x20000b36 = 0); NONFAILING(*(uint64_t*)0x20000b3e = 0); NONFAILING(*(uint64_t*)0x20000b46 = 0); NONFAILING(*(uint64_t*)0x20000b4e = 0); NONFAILING(*(uint64_t*)0x20000b56 = 0); NONFAILING(*(uint64_t*)0x20000b5e = 0); NONFAILING(*(uint64_t*)0x20000b66 = 0); NONFAILING(*(uint64_t*)0x20000b6e = 0); NONFAILING(*(uint64_t*)0x20000b76 = 0); NONFAILING(*(uint64_t*)0x20000b7e = 0); NONFAILING(*(uint64_t*)0x20000b86 = 0); NONFAILING(*(uint64_t*)0x20000b8e = 0); NONFAILING(*(uint64_t*)0x20000b96 = 0); NONFAILING(*(uint64_t*)0x20000b9e = 0); NONFAILING(*(uint64_t*)0x20000ba6 = 0); NONFAILING(*(uint64_t*)0x20000bae = 0); NONFAILING(*(uint64_t*)0x20000bb6 = 0); NONFAILING(*(uint64_t*)0x20000bbe = 0); NONFAILING(*(uint64_t*)0x20000bc6 = 0); NONFAILING(*(uint64_t*)0x20000bce = 0); NONFAILING(*(uint64_t*)0x20000bd6 = 0); NONFAILING(*(uint64_t*)0x20000bde = 0); NONFAILING(*(uint64_t*)0x20000be6 = 0); NONFAILING(*(uint64_t*)0x20000bee = 0); NONFAILING(*(uint64_t*)0x20000bf6 = 0); NONFAILING(*(uint64_t*)0x20000bfe = 0); NONFAILING(*(uint64_t*)0x20000c06 = 0); NONFAILING(*(uint64_t*)0x20000c0e = 0); NONFAILING(*(uint64_t*)0x20000c16 = 0); NONFAILING(*(uint64_t*)0x20000c1e = 0); NONFAILING(*(uint64_t*)0x20000c26 = 0); NONFAILING(*(uint64_t*)0x20000c2e = 0); NONFAILING(*(uint64_t*)0x20000c36 = 0); NONFAILING(*(uint64_t*)0x20000c3e = 0); NONFAILING(*(uint64_t*)0x20000c46 = 0); NONFAILING(*(uint64_t*)0x20000c4e = 0); NONFAILING(*(uint64_t*)0x20000c56 = 0); NONFAILING(*(uint64_t*)0x20000c5e = 0); NONFAILING(*(uint64_t*)0x20000c66 = 0); NONFAILING(*(uint64_t*)0x20000c6e = 0); NONFAILING(*(uint64_t*)0x20000c76 = 0); NONFAILING(*(uint64_t*)0x20000c7e = 0); NONFAILING(*(uint64_t*)0x20000c86 = 0); NONFAILING(*(uint64_t*)0x20000c8e = 0); NONFAILING(*(uint64_t*)0x20000c96 = 0); NONFAILING(*(uint64_t*)0x20000c9e = 0); NONFAILING(*(uint64_t*)0x20000ca6 = 0); NONFAILING(*(uint64_t*)0x20000cae = 0); NONFAILING(*(uint64_t*)0x20000cb6 = 0); NONFAILING(*(uint64_t*)0x20000cbe = 0); NONFAILING(*(uint64_t*)0x20000cc6 = 0); NONFAILING(*(uint64_t*)0x20000cce = 0); NONFAILING(*(uint64_t*)0x20000cd6 = 0); NONFAILING(*(uint64_t*)0x20000cde = 0); NONFAILING(*(uint64_t*)0x20000ce6 = 0); NONFAILING(*(uint64_t*)0x20000cee = 0); NONFAILING(*(uint64_t*)0x20000cf6 = 0); NONFAILING(*(uint64_t*)0x20000cfe = 0); NONFAILING(*(uint64_t*)0x20000d06 = 0); NONFAILING(*(uint64_t*)0x20000d0e = 0); NONFAILING(*(uint64_t*)0x20000d16 = 0); NONFAILING(*(uint64_t*)0x20000d1e = 0); NONFAILING(*(uint64_t*)0x20000d26 = 0); NONFAILING(*(uint64_t*)0x20000d2e = 0); NONFAILING(*(uint64_t*)0x20000d36 = 0); NONFAILING(*(uint64_t*)0x20000d3e = 0); syscall(__NR_write, -1, 0x200002c0, 0xa86); break; case 4: NONFAILING(*(uint16_t*)0x20000d80 = 6); syscall(__NR_ioctl, -1, 0x89e3, 0x20000d80); break; case 5: NONFAILING(*(uint8_t*)0x20000dc0 = 0); NONFAILING(*(uint8_t*)0x20000dc1 = 0); NONFAILING(*(uint8_t*)0x20000dc2 = 0); NONFAILING(*(uint8_t*)0x20000dc3 = 0); NONFAILING(*(uint8_t*)0x20000dc4 = 0); NONFAILING(*(uint8_t*)0x20000dc5 = 0); NONFAILING(*(uint8_t*)0x20000dc6 = 0); NONFAILING(*(uint8_t*)0x20000dc7 = 0); NONFAILING(*(uint8_t*)0x20000dc8 = 0); NONFAILING(*(uint8_t*)0x20000dc9 = 0); NONFAILING(*(uint8_t*)0x20000dca = -1); NONFAILING(*(uint8_t*)0x20000dcb = -1); NONFAILING(*(uint8_t*)0x20000dcc = 0xac); NONFAILING(*(uint8_t*)0x20000dcd = 0x14); NONFAILING(*(uint8_t*)0x20000dce = 0x14); NONFAILING(*(uint8_t*)0x20000dcf = 0x1d); NONFAILING(*(uint64_t*)0x20000dd0 = htobe64(0)); NONFAILING(*(uint64_t*)0x20000dd8 = htobe64(1)); NONFAILING(*(uint8_t*)0x20000de0 = -1); NONFAILING(*(uint8_t*)0x20000de1 = 2); NONFAILING(*(uint8_t*)0x20000de2 = 0); NONFAILING(*(uint8_t*)0x20000de3 = 0); NONFAILING(*(uint8_t*)0x20000de4 = 0); NONFAILING(*(uint8_t*)0x20000de5 = 0); NONFAILING(*(uint8_t*)0x20000de6 = 0); NONFAILING(*(uint8_t*)0x20000de7 = 0); NONFAILING(*(uint8_t*)0x20000de8 = 0); NONFAILING(*(uint8_t*)0x20000de9 = 0); NONFAILING(*(uint8_t*)0x20000dea = 0); NONFAILING(*(uint8_t*)0x20000deb = 0); NONFAILING(*(uint8_t*)0x20000dec = 0); NONFAILING(*(uint8_t*)0x20000ded = 0); NONFAILING(*(uint8_t*)0x20000dee = 0); NONFAILING(*(uint8_t*)0x20000def = 1); NONFAILING(*(uint32_t*)0x20000df0 = 6); NONFAILING(*(uint16_t*)0x20000df4 = 9); NONFAILING(*(uint16_t*)0x20000df6 = 0x3ff); NONFAILING(*(uint32_t*)0x20000df8 = 0x500); NONFAILING(*(uint64_t*)0x20000e00 = 9); NONFAILING(*(uint32_t*)0x20000e08 = 0x2210140); NONFAILING(*(uint32_t*)0x20000e0c = 0); syscall(__NR_ioctl, -1, 0x890c, 0x20000dc0); break; case 6: NONFAILING(*(uint16_t*)0x20000e40 = 0xb); NONFAILING(*(uint8_t*)0x20000e42 = 0xbb); NONFAILING(*(uint8_t*)0x20000e43 = 0xbb); NONFAILING(*(uint8_t*)0x20000e44 = 0xbb); NONFAILING(*(uint8_t*)0x20000e45 = 1); NONFAILING(*(uint8_t*)0x20000e46 = 0); NONFAILING(*(uint8_t*)0x20000e47 = 0xa2); NONFAILING(*(uint8_t*)0x20000e48 = 0xa6); NONFAILING(*(uint8_t*)0x20000e49 = 0xa8); NONFAILING(*(uint8_t*)0x20000e4a = 0x40); NONFAILING(*(uint8_t*)0x20000e4b = 0x40); NONFAILING(*(uint8_t*)0x20000e4c = 0x40); NONFAILING(*(uint8_t*)0x20000e4d = 0); NONFAILING(*(uint32_t*)0x20000e50 = 1); NONFAILING(*(uint8_t*)0x20000e54 = 0xbb); NONFAILING(*(uint8_t*)0x20000e55 = 0xbb); NONFAILING(*(uint8_t*)0x20000e56 = 0xbb); NONFAILING(*(uint8_t*)0x20000e57 = 1); NONFAILING(*(uint8_t*)0x20000e58 = 0); syscall(__NR_connect, -1, 0x20000e40, 0x1c); break; case 7: NONFAILING(*(uint64_t*)0x20000e80 = 0x147e); syscall(__NR_ioctl, -1, 0x1261, 0x20000e80); break; case 8: syscall(__NR_sched_getparam, 0, 0x20000ec0); break; case 9: NONFAILING(memcpy((void*)0x20001080, "nat\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 32)); NONFAILING(*(uint32_t*)0x200010a0 = 0x19); NONFAILING(*(uint32_t*)0x200010a4 = 1); NONFAILING(*(uint32_t*)0x200010a8 = 0x130); NONFAILING(*(uint64_t*)0x200010b0 = 0x20000f40); NONFAILING(*(uint64_t*)0x200010b8 = 0); NONFAILING(*(uint64_t*)0x200010c0 = 0); NONFAILING(*(uint64_t*)0x200010c8 = 0x20000f70); NONFAILING(*(uint64_t*)0x200010d0 = 0x20001040); NONFAILING(*(uint64_t*)0x200010d8 = 0); NONFAILING(*(uint32_t*)0x200010e0 = 0); NONFAILING(*(uint64_t*)0x200010e8 = 0x20000f00); NONFAILING(*(uint64_t*)0x200010f0 = 0x20000f40); NONFAILING(*(uint32_t*)0x20000f40 = 0); NONFAILING(memcpy((void*)0x20000f44, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 32)); NONFAILING(*(uint32_t*)0x20000f64 = 0); NONFAILING(*(uint32_t*)0x20000f68 = 0xfffffffe); NONFAILING(*(uint32_t*)0x20000f6c = 0); NONFAILING(*(uint32_t*)0x20000f70 = 0); NONFAILING(memcpy((void*)0x20000f74, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 32)); NONFAILING(*(uint32_t*)0x20000f94 = 0); NONFAILING(*(uint32_t*)0x20000f98 = 0xfffffffc); NONFAILING(*(uint32_t*)0x20000f9c = 1); NONFAILING(*(uint32_t*)0x20000fa0 = 0); NONFAILING(*(uint32_t*)0x20000fa4 = 8); NONFAILING(*(uint16_t*)0x20000fa8 = htobe16(0x88f8)); NONFAILING(memcpy((void*)0x20000faa, "rose0\000\000\000\000\000\000\000\000\000\000\000", 16)); NONFAILING(memcpy((void*)0x20000fba, "syz_tun\000\000\000\000\000\000\000\000\000", 16)); NONFAILING(memcpy((void*)0x20000fca, "eql\000\000\000\000\000\000\000\000\000\000\000\000\000", 16)); NONFAILING(memcpy((void*)0x20000fda, "lapb0\000\000\000\000\000\000\000\000\000\000\000", 16)); NONFAILING(*(uint8_t*)0x20000fea = -1); NONFAILING(*(uint8_t*)0x20000feb = -1); NONFAILING(*(uint8_t*)0x20000fec = -1); NONFAILING(*(uint8_t*)0x20000fed = -1); NONFAILING(*(uint8_t*)0x20000fee = -1); NONFAILING(*(uint8_t*)0x20000fef = -1); NONFAILING(*(uint8_t*)0x20000ff0 = 0); NONFAILING(*(uint8_t*)0x20000ff1 = -1); NONFAILING(*(uint8_t*)0x20000ff2 = 0); NONFAILING(*(uint8_t*)0x20000ff3 = -1); NONFAILING(*(uint8_t*)0x20000ff4 = 0); NONFAILING(*(uint8_t*)0x20000ff5 = -1); NONFAILING(*(uint8_t*)0x20000ff6 = -1); NONFAILING(*(uint8_t*)0x20000ff7 = -1); NONFAILING(*(uint8_t*)0x20000ff8 = -1); NONFAILING(*(uint8_t*)0x20000ff9 = -1); NONFAILING(*(uint8_t*)0x20000ffa = -1); NONFAILING(*(uint8_t*)0x20000ffb = -1); NONFAILING(*(uint8_t*)0x20000ffc = -1); NONFAILING(*(uint8_t*)0x20000ffd = -1); NONFAILING(*(uint8_t*)0x20000ffe = 0); NONFAILING(*(uint8_t*)0x20000fff = 0); NONFAILING(*(uint8_t*)0x20001000 = 0); NONFAILING(*(uint8_t*)0x20001001 = 0); NONFAILING(*(uint32_t*)0x20001004 = 0x70); NONFAILING(*(uint32_t*)0x20001008 = 0x70); NONFAILING(*(uint32_t*)0x2000100c = 0xa0); NONFAILING(memcpy((void*)0x20001010, "CLASSIFY\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 32)); NONFAILING(*(uint32_t*)0x20001030 = 8); NONFAILING(*(uint32_t*)0x20001038 = 0x79); NONFAILING(*(uint32_t*)0x20001040 = 0); NONFAILING(memcpy((void*)0x20001044, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 32)); NONFAILING(*(uint32_t*)0x20001064 = 1); NONFAILING(*(uint32_t*)0x20001068 = 0xfffffffc); NONFAILING(*(uint32_t*)0x2000106c = 0); syscall(__NR_setsockopt, -1, 0, 0x80, 0x20001080, 0x1a8); break; case 10: NONFAILING(*(uint8_t*)0x20000000 = -1); NONFAILING(*(uint8_t*)0x20000001 = -1); NONFAILING(*(uint8_t*)0x20000002 = -1); NONFAILING(*(uint8_t*)0x20000003 = -1); NONFAILING(*(uint8_t*)0x20000004 = -1); NONFAILING(*(uint8_t*)0x20000005 = -1); NONFAILING(*(uint8_t*)0x20000006 = 1); NONFAILING(*(uint8_t*)0x20000007 = 0x80); NONFAILING(*(uint8_t*)0x20000008 = 0xc2); NONFAILING(*(uint8_t*)0x20000009 = 0); NONFAILING(*(uint8_t*)0x2000000a = 0); NONFAILING(*(uint8_t*)0x2000000b = 3); NONFAILING(*(uint16_t*)0x2000000c = htobe16(0x8100)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x2000000e, 9, 0, 3)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x2000000e, 0xffe0, 3, 1)); NONFAILING(STORE_BY_BITMASK(uint16_t, , 0x2000000e, 2, 4, 12)); NONFAILING(*(uint16_t*)0x20000010 = htobe16(0x8137)); NONFAILING(*(uint16_t*)0x20000012 = htobe16(-1)); NONFAILING(*(uint16_t*)0x20000014 = htobe16(0x101e)); NONFAILING(*(uint8_t*)0x20000016 = 0); NONFAILING(*(uint8_t*)0x20000017 = 0x15); NONFAILING(*(uint32_t*)0x20000018 = htobe32(0)); NONFAILING(*(uint8_t*)0x2000001c = -1); NONFAILING(*(uint8_t*)0x2000001d = -1); NONFAILING(*(uint8_t*)0x2000001e = -1); NONFAILING(*(uint8_t*)0x2000001f = -1); NONFAILING(*(uint8_t*)0x20000020 = -1); NONFAILING(*(uint8_t*)0x20000021 = -1); NONFAILING(*(uint16_t*)0x20000022 = htobe16(9)); NONFAILING(*(uint32_t*)0x20000024 = htobe32(0)); NONFAILING(*(uint8_t*)0x20000028 = 0); NONFAILING(*(uint8_t*)0x20000029 = 0); NONFAILING(*(uint8_t*)0x2000002a = 0); NONFAILING(*(uint8_t*)0x2000002b = 0); NONFAILING(*(uint8_t*)0x2000002c = 0); NONFAILING(*(uint8_t*)0x2000002d = 0); NONFAILING(*(uint16_t*)0x2000002e = htobe16(4)); NONFAILING(memcpy((void*)0x20000030, "\xec\xf2\xf0\xe4\x25\x11\x07\xbb\xb0\x2a\xa5\x5b\xb5\x2d\x70\x03\x0e\x6d\x90\x4a\x3a\x83\x0e\xb9\x75\xf1\x3d\x4e\x59\x4a\x03\x0e\x93\x00\x05\xd5\x75\x9e\x6e\x2b\x7a\x6f\xcd\xca\x59\x51\x0b\x8a\xc7\xde\x6a\xdd\xb6\x54\x13\xa1\x03\x39\x93\x43\x66\x6c\x3d\x2c\x74\xa2\xe8\xd4\xac\x28\x7d\x99\x16\x94\x16\x81\xe8\xa2\x36\x08\xf9\x98\x1c\x21\xb6\xeb\x25\x4f\xde\x96\x89\x72\x6b\xb6\x51\x60\x82\xa8\xe2\xed\x14\x89\xfb\xd5\x34\x4e\x29\x8d\xc3\xfe\x4b\xf7\xa0\xf0\xd8\xd4\x15\x28\xde\x17\xa4\xb0\xd7\xbb\x04\xff\x70\x2a\x40\xb3\x73\x2b\xd0\x80\x8a\x19\x01\xdd\x29\xaa\x17\xd4\x91\x0a\xed\xf6\x74\x7b\xee\x04\x5e\xc6\x76\x5f\x22\x34\xd9\x60\x16\x25\xf5\x0b\x85\xb9\xb0\x91\x26\xb4\x05\x61\xf6\xda\x40\xe7\xc2\x1f\xbc\x73\xf7\xa6\xbe\xc7\x86\xb7\x06\xd7\x16\x15\x3d\x5d\x62\xa5\x6f\x2a\x3a\x1e\x70\xca\x3a\x2b\x12\xed\x37\x25\x25\x15\x0b\x42\xdc\xa4\x6d\x26\x5b\xe3\x7f\x88\xad\x68\xba\x8b\xae\x65\x25\x0e\x7c\x54\x5c\x01\x0a\xa9\xc0\xea\x1a\x6c\x21\xf7\x18\xba\xbf\x3a\x65\x3a\x94\x48\x0e\x77\xb1\xdc\x6e\xac\xde\x7b\x6a\x5b\x04\xf8\xc5\xc8\x6e\x02\xa3\xc0\x4e\x61\x9b\x10\xfa\xb1\x44\x2d\x1e\x0e\x11\xcd\xed\x3f\x86\x20\xb7\x1e\x88\x28\xd9\x5e\x1d\x8b\x0e\xdc\x91\x1b\x57\x29\x9f\x51\x53\x9e\x2a\x26\xe6\x71\xf7\xbe\xb7\x2c\x89\xd7\x8e\x7d\xe3\x80\x81\x7f\x2b\x92\x10\x6b\x03\xb0\x6d\x0e\xa2\x7c\x04\xb4\x8c\xb0\xaf\xec\x65\xa0\x83\xfb\xed\x04\xde\x3f\xff\x69\x64\xc4\x9b\xf3\xe6\xf1\x1f\x46\xf3\xc4\xe4\x69\x88\x4f\x24\x36\xd8\x3e\x64\xa0\xff\xb8\xec\x25\x44\xc5\x8c\x30\xa0\x74\xf1\x55\x7f\x50\x6b\xe9\x61\x11\x8e\x46\xec\x95\xa1\x41\x15\xce\x50\x9a\x2c\x0e\xf7\x13\xcc\xf3\x28\x4e\xf6\xe8\x4b\xc9\x4d\x5d\x64\xca\xbd\xd2\x12\x50\x3b\xa2\x20\xcf\xac\xe8\xbc\x9f\x2b\xa2\x1d\x83\x82\xd7\x20\x9d\x41\x25\xc1\x85\xa8\x80\xa2\x96\x33\x61\x3e\x90\x88\x3d\x98\x38\xdc\x1a\x2d\x70\xef\xb1\xfd\x6c\x0a\x98\x5c\x15\x7b\x4f\xd7\x64\xb3\x60\x56\x4c\xb6\x8b\xe5\x74\x1f\xcf\x44\x27\xdf\xe4\x35\x30\xce\xd2\x5a\x4f\x39\x9f\x6d\x75\x40\x7b\x83\xe1\xfb\x83\x6c\x8f\x80\x45\x96\x9c\x78\x99\xb0\x73\xeb\x31\xcf\x7d\x55\x3e\x0e\x0b\x02\x66\x06\x4a\xa4\x1d\x46\xdd\x88\x80\x2a\xc1\xd6\xbc\xe0\xf2\x48\x47\xe7\x75\xf1\x5f\x24\xef\xa6\x90\x81\x3c\xce\xf7\xaa\x5e\x15\x82\xe8\x47\xaf\xac\x09\xeb\x5b\x4e\xbb\xd0\xfd\x5c\xd9\x77\xc4\x24\x63\xc8\xb7\x4e\xa2\x65\xd5\xcd\xef\x48\xe0\x81\x15\x77\x6d\x2d\x36\x7b\xa1\x02\x21\xc3\x10\xdd\xc4\x9d\x51\x85\x1a\xed\xd1\x48\xa2\x80\xfb\x4c\x0b\x06\x4d\xff\x59\x02\x26\x2c\x76\x61\x89\xb2\x61\xf7\x00\xa0\x10\x95\x37\xca\x31\xef\x4e\x89\xd5\xa2\xaf\x97\x1c\xc5\xa1\xa8\xf1\x55\x6c\x97\xbc\xb4\x80\x13\xc1\x72\x59\x74\xaa\x29\x73\x9e\x0f\x90\x3f\x33\x75\xf6\x2b\xf4\xee\xd9\x14\xdb\x81\x5b\x10\x45\xe7\xad\xcb\xdc\xad\xba\x77\xe2\x63\x0b\xb5\xcf\x2c\xbc\x91\x5c\x54\x89\xf5\xc1\x00\x4c\x9f\x6a\xfb\x8f\xea\x51\x37\x36\x51\x94\x8b\xf2\xa8\x25\x3b\x3a\xa4\x38\xc2\x46\xec\x1f\xbc\x4b\xf8\x13\x36\xf3\xf7\xb6\x09\x21\x7d\x9c\xc6\x94\x0e\x10\x68\x56\xfd\xb2\xb0\x48\x64\xaa\x89\x35\xea\x91\x78\xb5\x7b\x58\x11\x2e\x08\xba\x8b\x56\x9f\x60\x83\xb7\x52\xaf\x64\xc0\x49\xcf\xaf\x83\xfa\x51\x73\xfe\x80\x2e\x72\xf8\x5c\xe9\x88\xcb\x55\xf6\xa5\xb9\xd1\x52\xfa\xc6\x99\xe1\x3c\x54\x36\x06\xcf\x34\xc0\x07\xc7\xfd\x25\xe4\x04\x08\xfc\x44\xf4\x21\x68\x95\x83\x67\xaa\x4f\x1f\xfe\x8a\x2e\xbc\x86\x95\x15\xba\xbb\x5a\x3f\xc1\xe4\x89\x27\x70\x20\x6d\xd4\xc2\x14\x2e\x38\xf3\x28\xf6\x59\x40\x58\x00\x72\x8d\x1e\x53\x66\xb4\xc8\x74\x52\x21\x4b\x49\xeb\x2a\xd5\x61\x88\x9a\x58\x73\xba\xbc\xe0\xfd\x76\x18\x59\xe5\x60\xfc\xcb\xc9\x40\xf4\x81\xfc\x66\xa8\x10\xfe\x12\xc7\xc7\x05\xca\xed\xc4\xc2\x24\xc2\x5c\xa9\x45\xcd\x2e\xa3\x48\x98\x1f\x2f\xd4\xa9\x8d\xc1\x37\xbf\xf5\x24\xbe\x34\x00\x32\xfe\xb2\x14\xde\x20\x65\x15\x11\x84\x9a\x90\x9b\x6a\x5c\xc6\xbc\xc9\x0a\x03\x74\x0f\x74\x70\x58\x3f\x6e\x92\xc7\x14\xf6\x54\xbb\x6e\x59\xb1\x6f\x04\x92\x12\xf8\x1a\x6f\xb0\xb8\x7f\x61\x32\xc8\xf5\x2b\x64\x10\x3a\x5d\xe2\x81\x0a\x97\x2a\xfa\x36\xfd\x13\x41\xcc\x5b\x14\x78\x09\xd8\xc1\xff\xd9\x44\x01\x10\x84\x44\xd7\x68\xe8\x0c\x88\x72\xe8\x85\x28\xa6\x9c\x57\x55\xec\x9f\xf4\xc5\x16\xb4\x45\xb5\x44\xe2\xa4\x44\xa8\xa4\xa7\x07\x16\x53\x83\xd8\xb3\x03\x2b\x41\x8a\x65\x00\x9f\x62\x69\x9f\x5b\x6c\xb6\xf1\x9e\xa1\x9d\xb2\xf4\xd0\x7c\x87\xc9\xf0\x16\x7c\x4d\x3a\x73\xe9\x2d\x27\xd7\x71\xc5\x91\xcf\x3e\xab\x4e\xed\x78\xb7\xaf\x22\x51\x0e\xa1\x59\x5a\x70\x70\x3f\xf9\x37\xc8\x00\x9b\xd5\x89\x6f\xa3\xdc\x56\xd9\x3c\x9a\x9f\x90\x6f\x90\xb7\xe3\x77\xa9\xbf\xda\x4a\x02\x90\xb2\x19\xee\xab\x62\xe8\xc0\x9e\x96\x0f\x06\xb7\x04\xd9\x9f\xfa\x43\xcf\x77\x8a\x57\xf7\x2c\x3c\x68\xd3\x3f\x75\xb9\x98\x45\x61\x28\x37\xee\x15\xc5\x52\x45\x12\xb1\xb5\xe6\xe0\x20\x55\x4e\xa0\x80\x4f\x95\xbf\xaf\x28\x02\x46\xab\x6c\x71\x08\xb2\x31\x29\x7d\x5e\x19\x96\x7c\x08\x4c\x6e\xb1\x24\x00\x77\x44\xc6\x24\x0a\xcd\x21\x46\x93\x95\xf3\x98\xd3\x43\x48\x00\x3c\x93\xbc\x2e\x6d\xa4\x81\x66\x5c\x88\x8e\xfc\x46\xb9\xfb\xc0\x6a\xde\xd3\x1a\x43\x54\x14\x70\x7f\xdd\xe5\x65\x1b\xc4\x59\x12\x70\x50\xc8\x14\x99\xfd\xfa\xe5\x79\xee\xe6\xdc\x0d\x79\x9d\xcf\x39\xd3\xec\x8b\x6a\xaa\xfe\x80\xdc\x28\x39\x7c\x32\x36\xa9\x03\xb8\x9f\x1f\x14\x83\x0a\xdd\xde\x38\x7d\x61\xc1\x9a\x04\x28\xf8\x67\x9a\xd4\x4c\xbf\xa2\xc3\x6e\xbc\x98\xa7\xed\x5a\x14\xd5\x60\x39\x63\x6a\xdd\x79\x99\xb4\x50\xca\xab\x85\xf4\xea\xf0\x99\xa0\xf0\xf0\xf7\xa9\x99\xc4\xdd\xd7\x56\x2d\x92\xc3\x74\xe9\xad\x61\x74\x61\x71\x66\xe0\xe4\x31\xf9\xee\x62\x58\x63\x4d\xbc\xb7\x44\x75\x69\x60\x6a\xb5\xb9\x2b\x8e\x45\x01\xe9\xf4\x75\x90\xda\x2e\xa3\x8f\x14\xc5\x42\x3d\xd9\x91\x8f\x4a\x03\x50\xb9\x60\x66\x67\x71\xfa\x33\xd9\xca\x30\x02\xab\x76\xd8\x34\x2e\x3d\xb7\x43\x50\xe0\x58\xb1\xca\x72\x80\x36\x98\x05\x7d\x59\x8c\xb7\x34\x03\x66\xf8\x23\x7a\xc2\x94\x8a\x55\x49\x9f\x83\x99\x2d\xfd\x94\x31\xaf\x40\x14\x9d\xa6\xeb\x64\x5b\x3c\xaa\xd4\x81\x93\xb1\x29\xb6\xcb\xd9\x46\xca\xc7\x5f\x62\x70\x86\x0f\xef\xbc\x60\x4c\xe1\x3f\x43\x53\xdd\xf8\x8f\x99\x5c\xef\x6d\x90\x7e\xbf\xc9\xf9\x5b\xdd\xa0\x73\xf7\x4f\x9d\x2c\xe3\xbc\xda\x4b\xbc\x84\x59\xc6\x87\xae\x7c\xbc\xd0\x86\xe3\x19\x56\x1b\xdc\x76\x49\xca\xa9\x28\x40\x87\xb5\xbb\xb5\x1e\xf7\xb7\xe2\x96\x19\x14\x4e\x98\x73\x9d\x44\x38\x93\xf4\xf7\x08\xec\xbd\x68\x5d\x13\x5f\xfd\x8d\x4f\x8e\xb7\xd0\x3a\x9e\x22\xfc\xe6\xd1\x4c\x15\xe1\x52\x47\xf2\xd1\x1a\xda\x72\xba\xc0\x7c\x91\x28\x07\x2d\xfb\x75\xdd\xc1\x2a\xb9\xe5\x74\x84\x85\x18\xb8\xc5\x9d\xa5\x6f\xc5\x18\x61\x04\x09\x67\x76\xf4\x87\xc4\x9b\x26\xee\x0b\xeb\x65\x1f\xf2\x4f\x60\x06\x54\xc2\x4d\x2e\xae\x72\xf9\xa5\x48\xce\xc8\xf0\xba\x6b\xd6\xe8\x81\x0a\xea\x14\x0c\x31\x15\x5d\x25\x81\x6a\xff\xe1\xd2\x27\xa6\x2e\x9d\x19\x37\xe1\x44\xf7\x13\xec\x79\x45\x68\x1a\x1c\xf4\x4a\xa3\xb3\x23\xff\xc2\xd3\x28\xeb\xd2\x7b\x68\xe2\xf6\x7b\xf3\x5f\xfd\x1e\x54\x33\x91\x8a\x54\x41\xdf\xf2\x4a\xf1\xfc\x2a\xd4\xbc\x05\xdb\xa5\xac\xba\x15\x1b\x75\x89\x63\xed\xe5\xc6\xba\xde\x7d\xd1\xf6\xfe\x2f\x07\x38\xb0\xb7\x79\xfc\xc5\xa1\xf6\xdb\x3a\x44\x12\x4a\x94\xa0\x60\x8b\xb4\x90\xcd\x57\x12\x7c\x5f\x32\x72\xd7\x7d\xff\xe3\xf1\x45\xfa\x57\xb7\x97\x89\xdc\x2b\x66\xf7\xe7\x75\xec\x05\x62\x2f\x1c\x16\x2d\x8f\x95\xfe\x54\x1a\xab\xf0\x11\x0f\xca\x6c\x77\x3c\x94\x5d\xdd\x26\xd5\x84\x9a\xa5\xb1\x9c\x25\x72\xcd\xef\xd3\xac\xf8\xbe\x6e\xe7\x48\x75\x16\xfb\x2c\x95\x1d\x9a\x06\x25\xc2\x44\xaf\xd7\xba\x1c\x12\xba\xdf\xaf\xf0\xa8\x53\x95\x60\x92\xd6\xb7\x0c\xcd\x5b\x50\x6a\x8a\x52\xb2\x72\x6a\xe0\x44\x38\x8a\x16\x9b\xdd\x99\x93\x97\xd5\x7d\x1c\x9e\x7b\x53\xc3\x26\x46\x7d\x3f\x87\xf4\xd5\xe1\xcc\x5e\x9b\xa0\x55\x3f\x06\x47\xe1\x16\xe1\x13\xc4\xc1\x98\x87\xb1\x59\xb6\xea\xe6\xfc\x1b\x89\xdc\x38\x8b\x6b\x51\xe6\x4e\x91\x0e\x28\x52\xac\xa7\x28\x37\xcc\x98\x82\x85\x32\xe3\x7b\xa7\x05\x61\x1d\xc8\x45\xd9\xbb\x79\x79\x15\x00\x42\x72\x79\x71\x45\xaf\xd4\x8d\x86\x2d\x96\x33\xc6\xa2\xe9\x35\x93\x4c\xc3\xef\xb3\xcb\xd2\x84\x96\x59\x3f\x39\x24\x0e\xb6\xd4\xe7\xcc\xb5\xa8\xf2\xfc\xbb\x22\xc4\x23\x44\xe0\x5e\x83\x38\x0a\xc2\x92\xea\x22\x24\x75\x86\x2b\x43\x8e\x7c\x2a\xc7\xa4\xd3\xf2\x61\xd0\x2c\xd3\x97\x4d\x75\xf9\xb7\xd6\x57\x30\x40\xdf\x8b\xfd\x72\xb1\xfc\x12\x5b\xbe\x8d\x5a\xfe\x5a\xbd\xf2\x37\x66\xa0\x15\x34\x43\x34\xd2\x9d\xac\x22\x2a\x18\xbf\x75\x30\xe4\x51\x74\x2d\x20\x09\xc8\x27\x40\x90\xef\x23\x20\x54\x9e\xba\x2e\x89\x3f\x0c\x5e\x9e\x27\x7d\xa8\xfa\x84\x11\x39\xe0\xd6\x4f\x86\x1e\xb9\x23\xf6\xa6\x9f\x86\x3f\x89\x36\x47\xaa\xe6\x9c\x0a\x1c\x51\x7e\xe7\xe8\x64\x05\x98\x8d\xcf\x4a\xb5\x6e\xa9\x4c\x3f\x6f\x68\x1c\x8e\xbc\x70\x77\x2b\x04\x1d\xf8\x7c\x4d\x46\x2d\xfe\x2e\xef\x3a\x0b\xbf\x38\x93\x58\xad\x1f\x77\xb1\x2b\x98\xf9\x14\xc5\x1d\x6c\x4e\x86\x04\xf5\x43\xaa\xf4\xd9\x84\x40\x31\xba\x6a\x8d\x9e\xba\x7f\x5b\x19\xa7\xb8\xb8\xa0\x74\x6f\xc1\x13\xfd\x45\xf9\xa8\xd9\x6a\xf0\x5b\xa6\xef\x09\x4a\x77\xdf\x75\x68\x8d\xfa\x70\x29\x9d\xb3\x5d\xf8\xec\xa3\xf8\x38\x2e\x69\x4a\xc4\xbb\xb7\x7d\xa4\x32\xfb\x75\xc7\xf7\x92\x2a\x0a\x4c\x7a\xfc\x4c\x46\xf7\x37\xcf\x0a\x5f\x2a\x1b\x11\x5e\x16\xa1\xd6\xbd\xea\xb6\x4b\x8f\x9a\x2a\x63\x78\x22\x16\x7a\x27\xa1\x98\x44\x8a\xea\xb5\xdd\xaf\xb7\x46\x04\x42\xf4\xd6\x9e\x1b\x37\x82\x9b\x08\x95\x42\x70\x4e\x52\x6d\xd2\x70\x0b\x99\xb1\x71\xca\xaa\x3a\xef\x3f\x1f\xf1\x73\x25\x8b\x83\x3f\x21\x71\x74\xcf\x3b\x46\x91\x08\xc3\xe1\x51\x39\xe5\x97\x64\xbf\x69\x68\xd5\xbf\x26\xdf\x8c\x14\x75\x0a\xbc\xa0\x05\xa1\x57\x4f\xd2\xcc\xc4\xde\x43\xb6\x19\x53\x11\x05\x1a\x59\x99\xac\x5b\x35\x0a\x8e\xa5\x5f\x2d\x60\x74\x80\xd7\xda\xd6\xb2\x8a\xca\x30\x04\xb8\x97\x06\x2a\x3a\xcf\x56\x8e\x59\x26\x45\xce\x7c\xf4\xce\x7d\xcb\xd9\xa9\x00\xf0\x44\x67\xd3\x92\x9a\x10\x43\x27\xe5\x54\x22\xf1\xeb\x8d\x8e\x58\x93\xb3\xf6\xd0\x68\xf1\x1d\x10\x3d\xb9\xa6\x82\xfc\xcc\xf0\x35\xd4\xf4\xfb\x4b\xd1\x4a\x96\x3a\x37\xeb\x5c\x22\x33\xfd\xb4\xb1\x91\x3c\x4e\x9a\x3b\x5e\x4f\x87\x28\xa5\xdf\x42\xa0\xc9\x7e\x73\xd5\xb2\x2e\x4e\x71\x04\xa5\x98\x8e\x09\x6b\x41\xa7\x68\x73\x4a\x59\xb4\x02\x32\x28\xda\xf7\xdb\xb5\x62\x28\xc9\xf8\xd5\x86\x37\x8f\x0e\xab\x86\xe9\x3f\x0e\x7a\xa3\xea\xb0\x3a\xfc\xbc\xcd\x74\xf7\x68\xe7\x1a\x51\x8b\x4d\x3e\x19\xe5\xeb\x73\xee\xdc\xa9\xe6\xc8\xfa\x8c\xa7\xd1\xb3\x67\x19\x76\x63\xee\xe4\x73\xfc\xc8\xb9\xaf\xc1\x97\x36\x92\xdd\x15\x7c\x4f\xc9\x8a\x75\xd7\x52\x45\x20\x99\x9f\x64\x4e\x6e\xfe\xe9\xc8\x68\x6d\x14\xe3\x85\x0a\xf7\x20\x9e\x37\xc1\x1d\xd5\x52\xb7\x15\x0e\xc1\x16\x8b\xe4\x61\x28\x9b\x0e\xcb\x27\x61\x02\x1b\x75\x47\x9b\x6c\x4b\x8b\x1f\x10\xc7\xbb\xe1\x01\x50\x38\xb9\xea\x1a\x23\x3d\xab\x19\xe1\xbc\xef\xe8\x54\xc9\xe1\x5c\xe2\x8d\x30\xe1\xfd\x6c\x9e\xbc\x05\x37\x61\x3c\xad\xa3\x5a\x2b\x57\x2e\x0a\x17\x92\x16\xc8\xa2\xb6\xb5\xaa\x62\xe9\xc7\x2a\x54\xe8\x17\x18\x7d\x35\x1d\x09\x03\xc1\xff\xab\x46\xac\x13\x6e\x80\x93\x08\xcb\xf4\x95\x9b\x12\x74\x2c\xba\x13\xce\x1e\x48\xb6\xd3\x4b\x6f\x23\x20\xa7\x4f\x4a\x17\x44\xa9\x7a\x75\xeb\xb9\xe6\x2e\xdb\x21\x21\xd0\xb4\xf4\x5b\xe2\x02\xc1\xb9\x3c\x3d\xe7\xd8\xe6\x34\x37\x45\x7a\xa1\x05\x0f\x8e\x43\x47\x38\x56\x4e\xbd\x8b\x21\xd8\x9b\xb1\x73\x0d\xb5\x1d\xc5\xdc\xb8\xd2\x6c\x91\x43\xd6\x02\x48\x5f\x26\x09\xe6\x15\xc0\x22\x61\x5d\x50\x83\xa5\xae\x40\x3a\x44\x80\xfe\x05\x2c\xe6\xf2\x71\xb5\x30\x3f\x66\xc1\x4e\x7b\xa9\x19\xd4\xbb\x18\xec\xf8\x99\x40\x05\x1a\xa7\x95\x49\x5b\x37\xbc\xa0\xa5\x16\xac\x10\xf2\xe1\x53\x49\x8a\x63\x05\x12\x31\x8f\x36\xff\xc4\x8c\x4e\x3f\x1a\x03\x26\x83\x62\x7a\x4a\x7d\x4f\x03\xea\x28\x09\x25\x7b\x8d\xfb\x63\xe3\xdc\xdb\x18\x34\x01\x6d\x18\x34\x0d\x63\xcc\x8a\x87\x20\x6e\xeb\x32\x9d\x43\x77\xc9\x71\xcb\xb6\xde\xad\x92\xb5\x9f\xaa\x14\x8e\x61\x05\x47\xb1\x60\xff\x6c\xec\x05\x16\x69\xa1\x61\x28\x80\x9f\xf0\x7f\xd8\x27\x6b\xf0\xd2\x76\x9f\x52\xdc\x83\x4f\xcf\xdd\xaa\x56\xb7\xa8\x2c\xe6\xe7\x93\x99\x4b\x49\xa1\x30\xa3\x15\x55\xe9\x14\x2a\x84\xe6\xa8\x7a\xd0\xed\x36\x39\x50\xfe\x14\x99\xdd\x72\x6b\x96\xbe\xd2\x26\x39\x28\xe3\x8a\x4f\xa8\xd0\x95\xec\xeb\xe5\x41\xf0\x98\x56\x84\x38\x9b\xc7\xd9\x65\xc8\xbc\xcd\x02\x84\x54\xa6\xe9\x09\xa7\xd5\x60\x3a\xbd\x08\xb2\xd4\xac\x9b\xe5\xf8\x14\x7a\x09\xec\xf4\x0c\x93\x75\x32\x0d\x7a\x05\xc2\x6e\x70\x83\xda\x67\xec\x48\x29\x9a\xb6\x90\x1d\xbb\xe8\xdf\xd8\x58\x62\xd8\x0f\xb1\x69\x47\x2b\xff\x44\x39\xa7\x6b\x3a\x7d\x36\x46\x9f\xbc\x43\x1f\x2d\x4d\x86\x58\x9a\xa9\x8c\x0b\x8e\x16\x39\x3c\x17\x42\x15\xa4\xb3\xe4\xf1\xf8\xfe\x9c\x16\xe4\x77\x24\x42\x41\x91\xd8\xdb\xe0\xce\x99\x1a\x6b\xfc\x8a\x86\x2e\xa4\x4b\xaf\x3b\x19\x5e\x23\xfa\xb2\xfe\xae\x5f\xc7\x33\xc1\x5e\xda\xbb\x67\x03\xa1\x42\xcd\x1e\x59\xe8\xb1\xda\x8c\xfa\x89\xd4\x68\x17\x9f\x1e\x78\xac\x9e\xdf\x98\xa8\x8d\x2b\x6a\x55\x33\x85\x98\xb0\x0b\xa4\x6c\x0b\xe1\xd9\x0e\x46\x2a\x3f\xc4\xfd\x73\x87\x91\x15\xac\x2c\x02\x98\xf8\x02\x5e\xce\x00\x60\x21\x96\xa2\x7e\xe3\x2b\xe5\xf1\x2a\xb3\xf5\x77\x42\xc4\xf9\xc1\x0b\x54\x20\xe4\x9d\x3c\xa4\xeb\xbd\xe4\xc1\x30\x60\xae\xc9\xcb\x1e\xa8\xb0\x6f\x9e\x00\xb7\x3f\x64\x2c\xe1\xce\x75\x52\x1f\xf4\x74\xa1\x32\xf0\x51\xae\x97\x9a\x81\xe5\x68\x92\x7b\x5e\x79\xb3\x27\x89\x60\x9d\x75\x6a\xcc\x0e\x41\x06\xcc\xa2\x30\xd9\xed\x20\x65\x95\x7e\x55\x09\x47\xc5\x28\x6b\xbf\x89\x8b\x08\x26\xb6\x4a\x30\x8c\x92\xeb\x13\xc9\x66\xc2\x63\x87\xae\xc9\x24\x6b\xd5\xbc\x36\xe8\x5d\x49\x26\xf7\x3b\xe0\x77\x73\x44\xd9\x13\x33\xf5\x3c\x09\x36\x23\x25\x87\xdd\x74\x74\x6a\xd6\x05\xc9\xc4\x38\x65\x74\xb6\x18\x85\x16\x8e\x5a\x25\x85\x91\xb7\x00\xed\x99\xa3\x39\x3f\x3e\xc8\x85\xad\x2d\x5e\xca\x2d\x98\xf9\x45\xd6\x5e\xf0\x21\xd8\xd1\xe5\xd1\x4d\x2a\xf1\xc6\x48\x50\x20\x1b\x23\x19\x25\xe8\xd8\xf6\x1d\x62\x22\xdf\x17\x59\x65\x59\xdf\x3a\xdc\xcd\x1e\x90\xf1\x35\xc9\x7c\x21\x84\xe3\xa2\x7d\xc4\xc3\xa3\x2a\x6f\xdc\x8d\x60\x1b\xc6\x3e\x0a\xd2\x6d\x44\x86\x11\xe9\x62\xce\x1f\xfe\x6a\xdb\xa7\x13\x6e\x08\x41\xb1\x9d\x03\x3d\xad\x11\xfc\x81\xa4\x90\x85\x77\x81\x9d\x18\x9e\x3d\x25\x9e\x0d\x55\xe2\x83\x65\x64\xe1\x32\xef\x57\x96\x67\x0a\x32\x6b\xff\xf4\x50\x36\x57\xf2\x8d\x42\x48\xc4\xf5\x7c\x29\x0a\x18\xca\xa0\x4e\xa0\xc0\x9c\x49\x95\xb0\x37\xe4\x52\xb6\x14\x3c\x29\x88\xd7\xad\x4f\x5e\x7e\x12\xec\x1c\x91\xc0\x2b\x80\xe0\x83\x06\x4d\x42\xae\x0f\x47\x6e\xd9\x2d\xbe\x78\x1f\x13\x8f\x77\x06\x16\xcb\xf4\x8e\xe1\xf6\x4c\x7a\x58\x45\xdd\xf2\xdb\x34\xd0\x31\x8c\x96\x94\x06\x16\x15\x40\x34\x34\x0d\x9e\xdd\xc9\xd7\xdb\x8d\x43\x6c\x7c\x18\x4d\x9c\xd9\x4e\x0b\x14\x4f\x8c\x24\x1e\x97\x9a\x24\x0c\xd4\xbd\xea\xdf\xda\x98\xe5\x59\x2e\x64\xec\xc1\x73\xce\x57\x73\x61\x60\x50\x17\xf6\x62\x1b\xbc\x9e\x10\x7e\xf1\xea\xde\x4a\x27\x28\x09\xe5\x5d\xea\xf6\x40\x79\x99\x7a\xfb\xd0\x37\x82\xd9\xf9\xaf\x25\xad\x73\x4f\xc3\x52\xfc\xb5\x4e\x04\xf2\x4c\x53\xec\x60\x36\xcb\x2b\x87\x08\x6b\x42\xbf\x9e\x69\x14\xd9\x4b\x01\xb8\x70\xbb\x3e\x68\x90\xa4\x23\xf8\x1e\xd4\x2b\xdc\x34\xb6\x9e\xbb\x2a\x42\x39\x07\xe2\xd1\x77\xf5\x34\x28\x09\xa7\xd1\xcc\x20\x0b\xaa\x5b\xc8\x26\x8e\x15\xb3\x10\xf7\x68\x78\xbd\xf7\xe6\x2c\x84\xf3\x2e\xdb\x18\x8e\xdf\x95\x9c\x0f\x8c\x10\xfd\xaf\x42\x63\x4e\x79\x3e\xfd\x30\x50\x94\x82\x14\xc4\xa8\x65\xb1\xb6\x70\x22\x72\x36\x0c\x42\xc1\x6f\x8f\x3f\xa3\x67\xce\x43\x4e\xca\xe5\x41\xa9\x37\x42\x4c\xec\x80\x58\x45\xd6\xc1\x1a\x8d\x17\xd8\x4f\xc5\x47\xcd\xf4\xe3\x8f\x29\x6d\xc5\x3d\x2c\xe0\x8f\x33\xb2\x11\xf5\x2f\x32\x50\xda\xa7\x12\xa5\x3c\xda\x8e\xdf\x0f\xc2\x92\x73\xa3\xec\x08\xf5\xa8\x84\x58\x38\x11\x74\x19\x50\x32\x12\xc0\xd1\x0d\xd5\x78\x53\x79\xc7\x47\x76\xef\xfe\xff\x2b\x46\x8e\x39\x76\xdc\x44\x82\xd1\xa8\xfa\x1c\x11\x2c\x6e\xff\x89\xf1\xbf\x14\x70\x45\x32\xbf\x8d\xb9\x26\x7c\x5b\x38\x11\x99\x81\xb8\xc5\x89\x36\xdd\x9a\x66\xb4\x67\x2c\xf2\x48\xcf\x4f\x3c\x21\x33\x8e\xd3\xfb\x31\xa4\x72\x93\xe7\x93\x71\x65\x11\xad\x8b\xa9\x25\x0c\xe7\xe3\x00\xe9\x9c\x5d\x37\xd4\x76\x98\xbb\x98\x0e\x33\x9e\xac\x4e\x18\x43\x8e\xcd\xd8\xaa\x10\x05\x9b\x3b\x60\x7f\xc8\xd5\x8d\x3a\x60\x28\x76\x2d\xdb\x91\x43\x31\x55\xdc\x88\x6d\xd5\xec\xb0\xf2\xc2\x11\xc4\x41\xbb\xfa\x3a\xf4\x7b\x74\xb0\x35\x73\xf1\x8f\x54\xfe\x2b\xeb\x38\x42\x55\x0e\xfd\xed\x05\xd5\xe9\xc9\x4d\x49\x0b\x22\xd8\xf2\xcd\x43\x4e\xf7\x3b\xa7\x04\x7d\x74\x05\xa9\x73\x1f\x8e\x59\xbd\xb3\xd2\x1d\x38\x0d\x1d\xb3\x12\x05\xf9\x72\xe2\xd2\x3b\x54\xc5\xef\xfa\xd0\xe6\xeb\xde\x6c\xcd\x03\x82\x94\x82\x58\x9c\x52\x85\x2f\x48\x2c\xae\xbb\x9f\x57\xaf\xb1\x69\x2e\xfb\x1f\x1a\x01\x62\x4b\x0a\xa2\xf4\x8b\xaa\x11\x55\xc3\xa3\x62\x2d\x4c\x51\x4f\x1a\xce\x40\xa5\xbc\x2a\x78\x0a\x1e\x0d\x7d\x37\xa5\x29\x9c\xa5\x0e\xec\xfc\x45\xde\xdb\x4a\xc6\x54\xbc\xdd\x45\xaf\x3c\xca\xe9\xd7\x76\xc6\xf4\x39\x63\x90\x0c\x9f\x36\xe3\x7e\xfc\xa2\x75\x9f\x64\x1c\x2f\x20\x06\x78\x2f\xfe\x48\xff\xc0\xb4\x72\x9f\x98\x77\x93\x74\x6d\x9d\x00\x94\x56\x88\xf7\x8a\xb9\x95\x47\x3c\x90\x4d\xa8\x8f\xf5\x95\x5d\x79\x6d\xa1\x15\x2d\x2e\xfd\x67\x5f\x05\x88\xc8\x38\x79\xaa\xfd\xd4\xa6\x9a\x1e\x4b\x69\x73\xfd\xe7\x74\x27\x6d\x65\xb4\xab\xd4\xad\xc5\xa3\xd0\xe8\x9b\x57\xbd\x43\xe8\x3d\x50\x63\x8a\xc2\x89\xeb\x9d\x81\x95\x8e\xe4\xb5\x96\x00\x08\xb8\x9b\xd7\x8d\x2b\xa9\x39\x93\x70\x99\x27\x7d\x53\xde\x9b\xd1\x0d\x39", 4096)); NONFAILING(*(uint32_t*)0x20001040 = 1); NONFAILING(*(uint32_t*)0x20001044 = 4); NONFAILING(*(uint32_t*)0x20001048 = 0xe72); NONFAILING(*(uint32_t*)0x2000104c = 0x537); NONFAILING(*(uint32_t*)0x20001050 = 0x370); NONFAILING(*(uint32_t*)0x20001054 = 0xa11); break; case 11: NONFAILING(memcpy((void*)0x20001080, "\x36\x64\x0f\xe1\x31\xc4\xa3\x7d\x38\x0a\xb7\x66\x0f\xf5\x77\xf9\x65\xf3\x0f\x4a\xf2\x8f\x28\x20\xb6\x31\x4d\x67\x66\x0f\x28\xcd\xf3\x46\xa7\x3e\x44\x0f\x01\x83\x2e\xd7\x00\x00\xc4\xa2\xf9\x90\xac\x09\xb3\x2b\x00\x00\x42\xf7\xfb", 57)); syz_execute_func(0x20001080); break; case 12: break; case 13: NONFAILING(memcpy((void*)0x20001100, "SEG6\000", 5)); syz_genetlink_get_family_id(0x20001100); break; case 14: syz_init_net_socket(3, 7, 0xf0); break; case 15: NONFAILING(*(uint64_t*)0x20001180 = 0); NONFAILING(*(uint64_t*)0x20001188 = 0x20001140); NONFAILING(memcpy((void*)0x20001140, "\x41\xbd\x39\x6c\xdb\x00\x1c\xb1\x40\xf2\x74\xc3\xa4\x99\x4a\x92\xf7\xac\x74\xc4\xb9\xa9\x3e\x0e\xae\xc8\xe5\xd9\x33\xa3\x59\xda\x5a\x6c\x2d\x88\x1a\xfc\xdd\x1d\xb0\x3f\xe4\x23\xae\x1a\x16\x47\xa9\x3f", 50)); NONFAILING(*(uint64_t*)0x20001190 = 0x32); NONFAILING(*(uint64_t*)0x200011c0 = 1); NONFAILING(*(uint64_t*)0x200011c8 = 0x4705); syz_kvm_setup_cpu(-1, -1, 0x20fe6000, 0x20001180, 1, 0, 0x200011c0, 1); break; case 16: NONFAILING(memcpy((void*)0x20001200, "bfs\000", 4)); NONFAILING(memcpy((void*)0x20001240, "./file0\000", 8)); NONFAILING(*(uint64_t*)0x200023c0 = 0x20001280); NONFAILING(memcpy((void*)0x20001280, "\x47\x97\x6f\xbc\x55\xa6\xc7\xc0\x74\x82\xd2\x32\x66\x61\x19\x59\x4e\x35\x28\xe3\x1b\x59\xd9\xed\xdc\x10\xd3\xa9\x74\x72\x3a\x07\x6a\x8d\xf1\x6b\x54\xe3\xe7\x97\x74\xa5\x09\x35\x6c\x03\xba\xb9\x83\xa7\xd4\xe2\xc9\x6a\xa9\x35\x37\x3a\x02\x63\xf6\x2f\x2c\x14\x09\x14\xe7\x9d\x7e\x65\x7a\x64\xe1\x3f\x36\x07\x6c\xa8\xca\x44\x99\x17\x66\x73\x32\x48\xba\x3f\x6b\x37\xe0\x1e\x5e\xd8\xd8\x9e\xbb\x27\x8b\x46\xc0\xa0\xc9\x6d\x52\x9b\x76\x04\x7e\x13\x04\xbf\x92\xc7\x38\x55\x01\x29\x6a\x12\xfe\xd5\xeb\x15\xaa\x94\xdb\xe9\xf2\xb0\xb7\x83\x84\xac\xe6\x03\xa3\x69\x46\x71\x6e\x14\xe9\x58\x18\x37\xe8\xbf\x1b\x71\x4d\xc9\x08", 153)); NONFAILING(*(uint64_t*)0x200023c8 = 0x99); NONFAILING(*(uint64_t*)0x200023d0 = 8); NONFAILING(*(uint64_t*)0x200023d8 = 0x20001340); NONFAILING(memcpy((void*)0x20001340, "\x2f\xcd\x8b\xbc\x40\xb8\xd2\xaf\x95\xea\x89\x0b\x3f\x27\xb1\xef\x3e\x94\x0e\x3e\xa5\xc4\x60\xee\x69\x52\xe3\x16\x55\x38\x5c\xdf\x9d\x98\xab\x0e\x7d\x88\x23\x43\x51\xc6\x10\xeb\xa4\x82\x80\x62\xdb\x7d\xc9\x8f\x99\x22\x13\x28\xd6\xd9\x5f\x15\x27\xf7\xe3\x21\x33\x63\x0e\x4c\xfa\x04\xa4\x1c\x8e\x6a\x7b\x1e\x45\x96\x6d\x1b\x38\xd4\xab\x8e\xe6\xd0\x1b\x86\x32\x13\xe5\x9b\x33\x8b\x93\x1e\x10\xdb\xb8\xc2\x6a\x2c\x61\x95\xae\xf9\x78\xd1\xb3\xb9\x57\x54\xe5\xb0\x0a\x6d\xa4\xca\xcd\x35\x26\x29\x2d\xa6\xe0\x2b\x05\xe9\x41\xe9\x8d\xe6\x26\x03\x96\x2a\x50\x66\xd2\x5d\x94\x11\xf3\xd0\x95\x4e\x42\x88\x6c\x5c\x9c\x83\x6e\x01\xd0\xb3\x6f\x00\x74\x53\xe0\x00\xfb\xb2\x7d\x9a\x77\xe3\x21\x82\xdc\x5a\x88\xe2\xeb\x1a\x5e\xb9\x83\xa9\x63\x56\x3d\x9f\xff\x3f\x2f\xff\x65\x2d\xe8\xcd\xce\xd0\xe4\xa6\x09\x91\x57\xf2\x68\x04\xa6\xb7\x1e\x04\xc3\x9d\xba\x99\x41\x0f\x05\xe2\xe7\x93\xe5\x44\xd6\x25\xe1\xaf\x2a\xd6\xa6\xc3\x9e\xe0\xed\x73\x1f\xe9\x1a\x27\xd7\x9e\xcc\x0d\x68\x7c\xdf\xff\xda\x1e\xd2\xfd\x55\xe3\xe4\x9c\xd9\x01\x36\xdd\xc4\x38\x70\x42\x5e\x0f\xa1\x68\x10\x41\x5a\x30\x9a\x2c\xc9\x6b\x3b\xa6\x75\x03\x6e\x9c\x2b\xf0\x57\x9b\x08\x61\x5c\x7f\x5c\xec\xb4\x7f\xb6\xb1\xc3\xfc\x54\xf2\xd3\x3b\x08\x98\x11\x98\x85\x70\x26\x8a\x02\x9e\xc4\xbb\xa2\xfb\xfc\x44\x5d\x14\x79\x85\x7d\x4d\xe9\x4e\x1c\x9e\x79\x20\xdb\x01\xdf\x81\x81\xd6\x98\xaa\x89\x65\x64\x0e\x4b\xc2\x57\x76\xd0\x8f\xcc\x4e\x00\xdd\x7f\x2a\xc4\x16\xc7\x83\xf2\xd2\x50\xd3\x49\xc5\x4d\x70\x24\x69\x8d\xd4\x31\xbe\x6c\x4e\x83\x70\x1c\x76\xfc\xd7\x07\x61\xb2\x60\x3a\x6a\x46\x76\x5e\xf1\x9e\x77\xa8\xb6\xe1\x68\x83\x77\x74\x35\xd7\xf5\x8c\xb9\x5e\xa8\x43\x1c\x44\xf9\x13\xaf\x1e\x93\x07\x6d\x17\x12\x41\xb8\xc0\x0e\xe6\xdc\xf8\x82\x56\x4b\xff\xbb\xd3\xac\xbb\xee\xa6\x79\xe4\x21\x0e\x3b\x0c\x22\x8b\x4a\x10\xf7\xb0\xf5\x61\xef\x18\xbe\x7b\x33\xb2\xce\x75\xd9\x50\x2b\x16\xb2\x21\xd2\x72\x95\x60\x7e\x86\x36\x02\xf7\xb3\x00\xff\xe3\x7e\x33\x02\x3b\xae\x1b\x29\x59\x0b\x2d\x2a\xac\x05\x95\xf3\xec\x79\x5b\x38\xef\x7a\x43\x29\x9c\x68\xad\x7d\x7a\xa5\x67\x4a\x97\xa8\x57\x24\x1d\x8b\xce\xcd\xf9\x22\x71\x91\xc7\x9d\x59\x84\x4d\x61\x36\x22\x1a\xa3\x46\xaa\x01\x22\x5d\x4f\xd7\xb6\x90\x57\x5b\xa7\x7c\x79\x3b\x4f\xf8\x04\xa2\x09\xf7\xcd\x01\x4a\x2f\x3d\xf4\x5d\xaa\x37\x7f\x66\xdb\x93\x60\xac\x46\x47\xef\x06\xc5\x25\xbf\x05\xd1\x11\xf4\xad\xbb\x2c\x60\x59\x18\x3b\xba\x21\x49\x67\x89\xfe\xa0\xae\xa4\x86\xe8\x99\x66\xa5\x02\x85\x05\x5d\x95\x92\x29\xcb\xe8\xf8\x7d\xcb\xe3\x9f\x0f\xf9\x93\xdb\xd6\x7e\x97\x2e\xa3\x3e\x62\x39\x89\xe8\xbf\x52\x76\x06\x05\x17\x00\x10\xf6\x97\xa9\xb3\xb6\xc3\x07\x80\xe2\x0c\x8d\x9d\x0a\xe6\x2f\x7e\x9a\xfe\x1f\x1a\x58\x28\xc3\x4b\xde\xec\xc7\xd9\x39\x6f\x67\x07\x41\xd8\xf5\x90\x59\x51\xd4\x4a\xff\xed\x70\xdb\x92\x0c\x51\x69\x3e\xfe\xb8\xcb\xac\xfd\x82\x8b\x5c\xa8\xae\xd3\xf9\xe3\x92\x6b\xde\x52\x71\xd1\x31\xcf\xb9\x48\xef\x79\x39\x97\xf4\xfd\xc6\xfe\x77\x4f\xed\xe0\xbe\xf0\x28\xc7\x14\xa9\x70\x13\x60\xe3\xbc\x3c\x19\xa4\x1d\x61\x3d\xdb\x4f\x79\x52\xc0\x65\x68\xc8\x20\x90\xdd\xda\x03\x96\x0d\xce\x9a\xd5\x99\x42\x2c\x1d\x29\xa1\x7c\x6d\x35\x72\xf1\x8f\x70\xe7\x5d\x08\xa3\xe9\x43\x9e\xef\x48\xae\x78\x2c\x22\x01\xc1\x7a\xca\xda\x01\x78\x13\xb1\xb9\x14\x81\x2a\x15\x71\x01\xaf\xc2\xed\x61\x76\x51\x19\x09\x73\x92\xce\xf0\x2d\x34\x7e\xc0\x21\xaf\x4d\x0f\x81\x20\xf2\x6d\xfc\xc7\x3f\xc4\x90\x0e\x10\x4f\x11\x24\x87\x43\xef\x0d\xa5\x48\x8a\xbd\x36\x52\x09\xe5\xcf\xf3\x38\x45\xa9\x1f\xf9\xe9\x92\x7a\xc9\x94\xdd\x39\x18\x15\xd8\xf4\x46\xbc\x6c\xe2\x3d\x87\xa5\xbc\xc6\x5d\x9e\x16\x45\xe4\x14\xfe\xfd\xa3\x6a\x26\x18\x92\xa9\x94\x4e\xdb\xb5\x6f\x97\x49\x73\xaa\x87\x86\x3f\x47\xc4\x95\x09\x45\xac\x06\xf5\xbc\xb6\xdb\xfd\x65\xe9\x6a\xe5\xbc\x4e\xd5\xa0\x05\x52\x33\x18\xa0\xa8\xaa\xea\x21\x95\xfb\x63\x78\x6d\xa2\x48\xc8\x2b\xd6\x15\xf6\xd7\xe9\x88\xe3\x43\xb8\x76\x12\x30\xe9\x7f\xd4\x65\x51\x7e\x26\x54\x63\xc7\x39\xce\xca\x06\xcc\x8a\x7d\xad\x50\x73\x6f\x32\xc5\xcb\x34\x66\xb5\xa4\x9f\xe2\xf6\x9b\x5c\x8d\x79\xae\xe5\x88\x1b\x64\x1a\x3d\xfa\x4e\x57\x4e\x93\x1f\x2a\x92\x0e\x8b\x07\x62\xb2\xd8\x8c\x73\x1d\x82\x27\x95\xd6\x73\xb3\x45\x05\x0c\x1f\x0e\xab\xe4\x64\x8a\xf1\x8a\x21\x2a\x15\x3c\xb1\xe7\xda\xfa\xed\x2b\x10\x7e\x74\xf0\x8c\xbd\xf0\x4a\x43\x94\x19\xf7\x49\x62\x27\xc0\xfe\x84\xba\x9b\xb8\x6d\x12\xb8\x2b\xc0\x3c\xf0\x90\xd2\x2d\xec\xc6\x4f\xa0\xee\xc1\x2c\xc6\x74\x0f\x33\xe9\xe7\x7a\x87\xf9\xc8\xd1\xe8\xe1\x34\x7e\xa4\x9f\xe2\x50\x4b\x30\x3b\x1b\xc7\x08\xf5\x6a\x71\x96\xa3\x03\x3c\x8a\x80\xbf\x32\x69\x50\xce\xe4\xf2\x6b\xb4\xcc\xaf\x4c\x19\x8b\xe1\x9d\xce\x3d\x85\xb7\x60\x73\xeb\x06\x6f\x00\xb5\x6e\x5d\x41\xa8\xf3\x8f\xfc\xe0\xcd\x50\xbd\xe9\xba\xee\xed\xfc\x74\x6c\x59\xa4\x20\xe3\x61\x67\x8a\xae\x37\x58\xd3\x83\x70\xe1\x78\xb0\x9f\xe5\x31\x76\xc6\x2a\x70\x9c\xa5\x58\x4c\x3d\xac\xbc\xa1\x23\x25\xee\x3c\xf6\xb1\xfb\x91\xcc\x65\xac\x4c\x53\x5a\xca\xf4\x51\xab\x94\x9c\x11\x1c\xf3\x8b\xe2\x2f\xd1\xd9\x9b\xfb\x34\x7e\x1b\x0c\x0e\xa0\x6e\x90\xfb\xcd\x1e\xe3\x5e\xe5\x5a\xfd\xd3\xfb\xf6\xdc\x0d\x2c\x40\x56\x73\x3d\xff\xc6\x79\x74\x49\xc6\xdb\x2a\xfd\x5f\x58\x56\xa6\xfd\x1b\x3e\x9a\x07\x4c\xf0\x6e\x4a\xe3\xb4\x3b\x1a\x69\xb0\x76\x56\x6a\x09\x7f\xd5\x64\x40\xd1\x1a\xe0\xcd\x4c\x12\x12\x81\xe6\xaa\xbd\xb2\x32\x76\xe8\xb2\x1b\xfd\x4d\xa3\x88\xa9\x56\xce\x28\x98\xc8\x0e\x90\x89\xce\xe6\x0e\xa3\xea\x52\x42\xfd\x8f\x22\x1a\xfd\xdc\x09\x70\x83\xfa\x1c\xbd\xc5\x82\x32\xea\xa5\x4e\xd0\xa9\x53\x87\x50\x99\x00\xe6\x8d\xd0\x82\x8b\xba\x92\xdf\x8e\x04\x50\x5e\xac\x3c\xa8\xe0\xf0\xc2\xe8\x61\xc6\xbc\x38\x14\xb1\x6e\x7c\x25\xe4\x72\x68\x38\xf0\xaa\x71\xd7\xa7\x08\x95\x93\xac\x72\xdd\xc8\xd5\x53\x94\x6c\xd4\x3b\x19\x2c\xf9\xd2\x4e\xda\x05\xab\x78\xcf\xb5\x99\x69\x1a\x87\x6d\x31\x84\x71\xb6\x1e\x1f\x2e\x09\x6a\xe1\x16\xe9\x41\xe2\x8b\xda\xe8\x23\x6b\xbc\x96\x1b\xa7\xb4\xa2\x03\x53\xd5\x87\x76\x77\x1d\x64\x91\x81\x31\x8a\xd5\x26\x28\x20\x84\x6b\x72\xfb\x5a\xdc\xab\x56\x22\x7b\xb0\xd9\x69\xce\x0e\x36\xdf\x44\x76\x5a\x61\x43\xe5\x64\x68\x33\xbe\x3b\x0e\x17\x76\xd9\x99\xc2\xaf\x52\x40\xcd\xe7\x1f\x7f\x10\x33\x7b\xbe\x77\x35\xb8\x01\x3a\x90\x1c\xfa\x99\xce\x7c\xa3\x71\x7d\x83\x7d\x1b\x54\xf1\xd5\x5f\xb8\xe9\x05\xbc\x36\x2b\x25\xc3\x41\x14\x68\x45\x15\xa5\x7b\x9d\x21\x91\xcd\x1f\xec\x98\x19\x34\x05\x4a\x37\x7d\xe1\x1d\x19\x9f\x33\x35\x56\xea\x5b\x18\xbb\xa2\xc4\x11\x04\x89\x25\xb1\xd0\x29\x92\x17\x83\xf4\x0f\x06\x7f\xc5\x87\x72\x53\xb0\x22\x58\xa5\x46\x19\x81\x00\xbc\x93\xb1\x42\x09\xa0\xf7\xe2\xe0\x85\xbd\x76\x8b\x56\xb7\x56\x0b\x16\x81\xd7\x02\x7d\x80\x42\xf4\xe1\xef\xd3\xe6\x95\xdc\xa1\x63\x98\x66\x5c\xf6\xa9\x3c\xba\x74\x64\x77\x03\xa3\xb2\x48\xc8\xee\x9b\xa6\x4d\xeb\xb8\x46\x5a\x3e\xc7\xab\x2e\x0d\xbf\x6d\x55\x64\x01\x28\xe5\xc7\x33\xc6\x85\xdd\xf0\x07\xf7\xbf\x1f\xb6\xbc\x2c\xd2\xc0\xd4\xc8\xb1\x3f\x60\x93\x30\x6b\xb4\xc0\x46\x6b\x96\x06\x4e\xbc\xd1\x73\x32\xe3\xe4\x93\x3e\x3d\x53\xc8\x90\x71\x3b\xab\x5d\xc2\xc9\x58\xe9\x60\x36\xfd\xf7\x00\xd2\x3e\x6f\x9c\x8f\x6c\xe1\x8f\xfa\x35\x84\x6d\x14\x55\xe6\x5b\x8a\xd5\x3a\x57\xee\xc5\x91\x78\x05\x6f\x94\x3b\xbb\x07\x9d\x4c\xbb\x97\xa5\xe9\x46\x68\xb2\xe5\x1a\xd7\x90\xff\xe3\x02\xa7\x73\xba\x66\x12\x6d\x3b\xfa\xbb\xd5\x1b\xf4\x7c\x8c\x20\xdf\x5a\x96\x1f\x8b\xe8\xc7\x74\xcd\x1c\x3f\x5d\x1c\x21\x1c\x68\xae\x92\x1b\x1b\x46\xfc\x5e\x42\x52\xf9\xe2\xe7\xc6\xe7\x66\x02\xa5\x3b\xc6\xa0\x0c\x6a\x87\x3d\x19\x72\x46\x62\x0d\x86\xb0\xde\xd3\x8f\xfe\x10\xa4\x82\x62\x06\x30\x86\x56\x4d\x39\xbe\xd1\x20\xa4\xf8\xb5\xad\x9d\x48\x75\x76\x68\x4e\x0c\xda\x7a\xbb\x64\x7f\x80\xf0\x78\xcc\xe3\x45\xe0\xfb\x75\x06\x59\x8d\x6d\x06\xff\x4f\x39\x86\x83\xd9\xb4\x25\x5e\x03\x46\x7a\x61\x64\x8b\x3e\x97\xe9\xf2\x6b\x37\x5a\xdd\x66\x6b\x40\xe2\x35\xb2\x47\x2a\x42\xbc\x4f\x3c\x5a\x0f\x34\xb5\xd5\x28\x30\x7a\x0a\x99\xf4\xf1\x74\x61\x9c\x28\x67\x60\x73\x3c\x9e\x49\x3b\x3b\x72\xa4\x13\x38\x0a\x31\x55\xa8\xf7\xee\xe4\x00\x30\xa2\xb0\xd9\xea\x98\x42\x07\xb3\x57\x8e\x31\x3c\x84\xf3\x05\x5a\x47\x52\x24\xd7\xd1\x48\x8c\x06\x11\x72\xe8\xe3\x9d\xe9\x8f\x71\x70\x62\xfd\x94\xbe\x89\x86\x90\xfe\x12\xa4\x7a\x1d\xe5\x44\xa7\xa7\x8c\x3a\xdd\xb9\x36\x03\xca\x18\x1a\x87\x33\xaf\x31\xdd\x69\xa7\x2b\x29\xdf\xbd\x71\xd8\xbd\x6f\x40\x66\x7f\x6d\x01\x54\x01\xbf\x71\xb3\x99\x36\x56\xd1\xf5\xaf\x2e\xed\x6c\x88\x89\xa4\xa7\xf5\xf9\x15\xe3\xdf\x40\xd7\x8a\x98\x33\xd4\x81\x5d\xea\xf5\x13\x5f\x3e\x92\x31\xae\xc0\x8e\xa7\xf7\x43\x91\xcf\x16\x87\x8e\x42\x56\x3b\xed\xa8\x1c\x5e\x97\xa0\x50\x35\x11\xdb\x1b\x0a\x17\x67\xcc\xca\x22\x7e\xdb\x79\x21\x48\x95\xc8\x54\xac\x29\xc0\xc0\xf6\xc2\x2f\xed\x4f\x06\x67\x80\xb5\x7d\x48\x55\x5d\xf9\xef\x3d\xb9\x43\x0e\x44\xe4\xf2\x7e\x58\xfd\x39\x7f\xd3\x71\xc6\xd8\x84\xcd\x4b\x9c\x32\xa0\x2b\x1d\xce\x81\x6f\x44\x65\xde\x02\x21\xfa\x45\xf2\x7d\xf0\xdf\x93\x96\x6a\xd6\x75\x15\xcb\x0f\x84\xd7\x8e\x12\xbc\x55\x9b\xfa\xf0\x55\x0b\x3b\x47\x45\x74\xed\x2a\x38\xc7\xcd\x59\x1d\x3f\x81\x89\x5e\x7c\x63\xc7\x12\xbe\x81\x0c\xa6\x8d\xbd\x9e\x05\xcf\xed\xb5\xad\xb3\x2f\xed\x11\xda\x65\x6e\x79\x3a\xb7\x87\xae\xc6\x5a\xc1\x9a\xbf\x87\xf5\x4b\x6f\x21\x10\x6a\x89\xe1\xfb\xaa\xea\x8b\x34\xc7\xf2\xc8\xc0\x86\xd6\x5f\xe7\x40\x9b\xd8\x39\x5f\xfe\xa4\xe1\xa9\x41\xcc\xeb\x3d\xd9\x50\xa9\x2a\xa5\xb2\xfc\x0b\x8e\x62\xc3\x81\x6a\xc9\x50\xf5\x0b\x8e\x2a\x6e\x50\x93\x26\xd4\xfe\xea\xb4\x86\x23\x17\x1e\x03\x71\xd1\x34\x2e\x48\xc0\x97\xc6\xbf\x70\x6b\xa9\x89\xb5\xd9\x43\x6d\x2b\xbf\x50\x19\x16\xe2\xa0\x56\xd7\xad\x37\x2a\x38\xc1\x96\x2b\xd4\x53\x9c\x59\x91\xa2\xcb\x20\x21\x2c\xe3\x45\xfc\xbb\x4c\x2a\xec\x59\xeb\xc1\xe5\x30\x1c\xcc\x65\xad\x8b\xf3\xd2\x5b\x58\xd3\x5d\x97\xb3\xaf\x00\xad\x34\x7c\x07\x99\xb2\x0a\x21\x2c\x97\x6f\xc8\x66\x90\xd3\x2d\x31\xbd\xeb\xc3\x6a\xfb\xe4\x0d\xd5\x5c\xa2\xeb\x7d\x85\xd8\x05\x2e\x11\x2a\x83\x42\x0f\x9f\x74\x66\xe8\x12\xef\x8d\x0d\xd5\xe3\x0f\x9d\x96\x14\x88\xf1\x05\x35\x84\x14\x80\x2b\x7f\x0e\x8b\x81\x83\x0c\xf0\x37\x42\xa0\x1c\x1a\xb5\x49\xa4\xc9\x20\x28\x59\xf0\x18\xec\xdc\xf2\x48\x29\x13\xdd\x5c\xec\x3d\x2a\x9b\xc7\x81\x3c\x43\xc1\x6b\x4c\x5b\x03\x1a\xe0\xe2\x48\x03\x37\x4e\xf0\xeb\x6d\xb9\x13\x0c\x29\x7b\x23\xb3\xb3\x7f\x26\x98\x5e\x3f\x22\x9e\x99\xbb\xcd\x28\x28\xbf\x4d\xd9\x56\x71\xe7\xb6\xa7\x7b\xed\xd0\xf4\x22\xde\xdf\x9d\xd2\x5e\x0a\xae\x17\xfc\xe0\xe5\x94\x9d\x16\xc4\x09\xb3\x69\x97\x98\xd3\x1e\xa3\x68\x14\xa4\x39\xc4\xe5\xc8\xee\xed\x38\x7e\x32\x76\xfb\x8c\x9b\x1f\xf8\xed\xf9\x72\x2a\x9f\xf3\x44\xff\xbe\x96\x2c\xbb\x39\x7a\xa5\x4f\x40\xf6\xc5\x39\x88\x90\x12\xbb\x9d\x91\xb9\xf7\xaf\x9a\x27\xc2\x27\x0a\x14\x4f\xc2\x8a\x78\xe0\x35\x14\x61\x33\xc8\x29\x4a\x65\x10\x48\xba\x98\x43\x00\x1e\xdc\xa9\xd9\x57\x2f\xae\x5d\x17\x43\x7f\xd9\x1d\x36\x55\x68\x11\x5a\xfc\x8a\xd7\x86\x49\x63\x13\xc1\xd7\x40\x5f\xec\xb4\x6f\x72\x61\xce\xb3\x5e\x6b\xa8\xb9\x50\x1a\x04\xf7\x51\x0a\x37\xc8\x26\x46\xa0\xcb\x04\x42\x86\x7c\x41\xa9\xdd\x00\xd5\x72\x98\x38\x44\xc0\x42\xd9\x44\xd1\xb6\x96\xb8\xf7\xb7\x28\x76\x1b\x4f\x2c\x1e\xfd\x45\xb2\x73\x20\x92\x56\x6b\x95\xf0\x9c\x36\x96\x75\x58\x4c\xa5\x8a\xcc\xb1\x63\xe9\xb2\xe2\x0a\xf5\xcd\x8a\xe0\x1e\x1b\x20\x06\x3b\xe3\x5a\xc8\xde\x90\x25\xb1\x49\x37\x1a\xd8\x81\xc4\x4b\x88\xa5\x5e\xca\xb3\x01\x53\x5f\xb6\xba\xca\x0f\xd3\xbd\x36\x0a\xeb\xb3\x37\x46\x49\xa5\x22\xf8\xe4\x04\x9a\x7f\x39\x68\x91\x17\xab\xad\xbb\xbe\x29\x23\x4e\x6b\x3c\xf7\x3a\x7e\x09\x00\x8d\x4a\xbe\xd8\xcf\xf3\xde\x9a\x51\xf4\x8b\xea\x0b\x1e\x5b\x6a\x6f\xe1\x48\x35\xf2\xf6\x15\x36\xe5\xb5\x27\x96\xb1\xdf\x51\xa3\x66\xf4\xbd\x25\x34\xdf\x29\x2b\x79\xad\xfa\x5e\x5b\x72\xad\xe2\x26\xa2\x0a\x59\x7f\x30\xec\x43\x2e\xc6\x15\x70\x50\x60\x4e\x1b\x84\x3b\xfd\x47\xd1\x58\xab\xc0\x70\x20\xfe\x22\x0e\x4b\xb0\x27\xfb\xe9\x76\x84\x17\xbe\xa2\xff\xb3\x66\x24\xb6\xb9\x73\x5f\x4a\x40\x0c\xac\x3f\x6c\x5b\xc1\xf9\xff\x53\x22\xd1\xaa\x48\x6e\xca\x7b\x3d\x0f\x44\xb0\x10\xfa\x9d\x67\x66\x85\x93\x0b\x6e\xa7\xac\x4c\x35\x32\xd1\x3a\x5d\xe7\x20\x82\xfc\xbd\x45\xc3\x48\x6a\x20\x1a\x69\x7d\x1e\x4d\x02\x2e\x7a\x47\x12\x6c\x7e\x31\x9d\x2e\x03\x3a\x04\x64\xe1\x6f\xbd\x89\xcd\x72\xe3\xe3\xe3\x11\x14\x38\x01\x80\x48\xeb\x63\xf3\x3e\x66\xf2\xed\xae\x3e\xf3\x87\x4f\xe6\x97\x23\x8d\xc9\xad\x24\x7e\xbb\x85\x15\x49\x51\xd2\x5c\x5d\x5d\x0d\x50\xd9\x0c\xc9\xa6\xde\x3e\xd5\xb4\xed\xc7\x9d\xc6\xbc\xf3\xde\xaf\xd6\x76\x0b\xe8\x6e\x6a\x28\x67\x3c\x72\xa6\x47\xd8\xe4\xb6\xcc\xd3\xa0\x00\x3b\x29\x4b\x7f\x2a\x37\x79\x10\x83\xa8\x0b\xbb\xec\x9d\x07\xe2\xef\x5c\xdb\x43\xd8\x97\x10\x06\x17\x62\xd8\xfa\x18\x7a\x26\xb1\x21\xf9\x06\xbb\xf6\x3d\x32\xb6\x85\xd3\xa0\x98\xae\x30\x4d\x95\x90\xf6\x10\xf5\x19\x2e\xb9\x5e\xe4\xa1\xcb\xbf\x5d\x7a\x00\xe6\xa0\x57\x92\xdd\xaa\xa0\x45\x58\x9d\x7e\x11\x46\x9d\xf4\xca\x32\x19\xcd\x09\x43\xb4\x16\x7d\xbc\xec\x3e\x31\x42\x3d\x62\x1a\x9a\x19\x30\x63\x5a\xd7\x6d\x01\xe3\xb6\xab\x61\x74\x30\xaf\x52\x0e\x1d\xea\xdc\x45\x68\xc7\x0a\x5d\x7a\x9f\x3b\x4d\x38\x78\x8b\xde\xb5\x68\xe7\x5d\x18\xf8\x41\x1c\x44\xd4\xe7\x61\x0e\x7a\xfb\xa5\x71\x6c\x49\x75\x43\xb7\xa6\x7b\x58\x45\xf7\x38\xbf\x08\xd3\xc3\x8b\x32\x0d\x82\x48\x44\x23\xc7\x5a\x13\x0a\xf4\x99\xfb\x9e\x91\x80\x81\xcb\x58\xc4\xad\x23\xb4\x38\xca\xe1\x2f\x21\x17\xad\x3e\x39\x9f\x6b\xe7\xe5\xb5\x63\xbc\x01\x47\x69\xa1\x12\xda\x44\x75\x3a\x79\x87\xc9\x06\xaf\x86\x7e\x52\x73\x04\x55\x09\x84\x5b\x7c\x0c\x8f\x27\x74\xd5\x2f\x4e\x49\x23\x66\x95\x26\x34\x97\x79\xd7\xcd\xe8\x64\xbb\x16\x5d\xca\xc8\x72\x38\x54\x2b\x22\x70\x19\x4f\x4f\xb9\x25\x01\xe1\x5f\xf3\x9a\x1c\x63\x27\x11\xd5\xca\x19\x53\x73\x5b\xbb\xa1\xea\xbf\x27\x15\x46\x1a\x1e\x63\x07\x92\x28\xd4\x93\x53\x45\x8d\x25\xe2\x8d\xde\x90\xf7\x81\xf3\x1a\x1f\xb6\x09\x0b\xe9\xd8\x97\xe0\xa7\x86\x69\xd0\x5e\x54\x65\xe3\x36\xd6\xac\x60\x44\xf8\x64\x55\xcf\xe8\x83\x6e\xb7\x5e\x02\xca\x48\x2d\x38\x2c\xea\xfd\xb5\xd5\x8e\xa4\xe0\xd7\xd7\xe7\xa2\x5e\x49\xa1\x86\xf1\x42\xf0\x58\xaf\xf1\x0d\xb7\x3a\xf6\x3e\xbf\x8c\xfc\x3b\xea\x8d\xf8\xca\xb5\x4f\x63\x57\x0c\x02\x12\x16\xd1\x56\x79\xe4\x44\x04\x32\x20\xc2\xfb\x8f\x5d\xbc\x3d\xcc\x43\xa2\x42\xf6\x9e\xbf\xbd\xdf\x93\x60\x0a\x12\x57\x9c\x8f\xf2\xb6\x0e\x03\x19\xd4\x7b\xd6\x5d\xaf\x78\x3c\x59\x28\xf7\xdc\xa7\x60\x7b\x73\xbc\x4f\xa4\x1c\x37\xf2\x7d\xa2\x46\x66\x32\x13\x0a\x3b\x05\xde\x0f\x7f\xb5\x50\x22\x81\x7e\xbe\xe8\x63\xdd\x27\x98\x14\x21\x3c\xcd\x57\x1a\x99\xfb\x98\x6b\x3a\x08\x87\x0d\x05\x6f\x12\xe4\xde\x21\x1f\xf5\x86\x35\x17\xef\x2f\x8b\x42\x92\xed\xfa\x20\x50\x8a\x3b\x56\x96\xda\xf3\xaf\xa9\x71\x92\x74\x11\x91\x8e\x87\xb0\x90\xb1\xb5\xc7\xda\xfc\x62\xab\xcd\x83\xdc\xfc\x65\xa1\x3b\x8f\x30\x87\x51\x88\x0c\xd9\x87\x98\xe4\xc4\x42\x04\xae\x55\x64\xa8\x59\xc1\x2d\x0c\x91\xd9\x4e\xa9\x50\x29\xb3\xae\x65\x2c\xb1\x41\xf0\xd0\x3f\x4c\x52\x4e\xd8\x5b\xd7\x77\xb5\xe9\x3c\xee\x05\xd1\xcc\x27\xe8\x5c\xe8\x4a\xbf\x8c\x84\xa8\x44\x4d\x25\xc3\x3c\x04\x3b\x59\x42\xbf\x1a\xca\x6c\x60\xa0\xc7\x75\x2f\x5b\x53\x6d\x2b\xd6\x6a\x48\x69\x61\x78\x6a\x27\xec\x4e\x9e\x28\x89\xe3\x93\xd4\x3f\x66\x2b\x91\xe2\xcc\x85\xc9\xf0\xbf\xf8\x25\x1a\x12\xf1\x57\x39\xb3\xad\x5c\xe4\x94\xb4\xc1\xf2\x81\x19\xdd\xdf\xa2\xab\xc5\x02\xa3\x0f\x75\x3b\x14\x27\x39\xf0\xb4\xee\x42\x5d\x09\x8b\xa0\x1c\x43\xdc\x3f\x17\x50\xbc\x3e\x01\x50\x6a\xf5\x1b\xa0\x39\x54\x02\xce\x4c\xed\x48\xe0\xa1\x63\x8f\xb9\x15\x15\x36\x0e\xe9\x9e\xde\x8d\x57\x69\xd5\x7f\x91\xc9\xeb\xa4\x2a\x1d\xde\x75\x7f\x6b\xb5\x30\x1d\x9d\xa0\x2c\x68\xe9\x46\xc9\x46\xdd\x7c\x63\xe6\x4d\x99\xc7\xac\x0d\x82\x80\x58\xb0\x64\x7b\x24\xcc\xe2\xed\xd1\x20\x5f\xd9\xc7\x90\x61\xd0\xab\x5b\xa6\xd6\x07\x9b\xd7\xe4\x32\xdf\x58\x5d\xff\xe1\xc8\xe7\x75\xf7\xed\x94\x5a\xce\x25\x9c\x83\x20\xac\x2f\x43\x36\x48\xa5\x54\x26\x59\xf0\x37\x15\xc6\x46\xd1\x5d\xa6\xdd\xc5\x8b\x27\x78\xc0\x6c\x4e\x48\x81\x43\x4c\x18\xf6\x77\x82\x9e\x36\x67\x86\x18\xa2\x55\x58\xd6\xa7\x05\x22\x69\x81\xba\xc6\x4c\x4d\x4c\xdb\x7a\xc3\xae\x8a\x25\xc0\xd8\x50\xd2\x14\x39\x68\x46\xfe\xb6\x44\x4c\x05\xd6\xea\x4f\x70\xb7\x85\x79\xef\x5f\x74\x54\xa9\x91\x78\x40\xcb\x4d\xbf\x94\x61\x92\x92\x83\x64\x43\xf5\xef\xbe\xbc\xc5\x1d\x1a\x55\xe7\x13\x63\xe5\x42\xa7\x46\x9b\x66\x67\x3a\xbf\xe5\x28\x59\xab\xac\x7d\x9e\x88\x1d\x9c\x06\x0c\x76\xef\xbd\xb9\x46\xbd\x2c\x95\x69\x79\xeb\xea\x3b\x34\x07\x8e\xfb\xd9\x4f\x6f\xb9\x33\x78\x7c\x09\xd9\x38\x5c\xf9\xbc\x0b\x55\xe8\x4a\x7b\x09\x29\x14\x06\x92\xcd\xa6\x30\x42\xcd\x03\x42\x97\x9d\xa3\x54\x3d\x2f\x38\x38\x50\x55\x9d\x71\x50\x0b\x74\xcd\x76\x9b\x19\x78\xe5\x61\xa0\x34\xe1\x2d\x42\xb0\x2c\x30\xf4\x46\xd5\xe5\x99\x75\x22\xcf\xc0\xef\x63\x79\xa4\x85\x83\xa9\xbf\x06\x28\x43\x38\x87\x69\xed\x16\xe1\x63\xc2\xbb\x18\xb3\xbe\x99\xfb\xd5\x39\x34\x54\x9d\xee\x11\x48\xe7\xb4\xcf\xce\xe3\x42\x38\x60\xa5\x9c\xa7\x02\x1b\x18\xbb\x65\x18\x3e\x54\xc7\x6d\xd9\x60\xa2\x61\x30\x2b\xe5\x93\x58\xca\x24\x13\x0f\xbc\xcd\x5f\xad\xdb\x67\x0d\x2a\xfe\xf8\x5e\x86\xbf\xe4\xfb\x75\xd5\x55\x86\xb3\x5e\xfc\xd5\x98\xa2\x94\xbd\x9c\x9d\x08\xd2\xe1\x9a\x68\x95\xff\x42\xba\x0c\xf6\x1c\xe2\x27\x3f\x8b", 4096)); NONFAILING(*(uint64_t*)0x200023e0 = 0x1000); NONFAILING(*(uint64_t*)0x200023e8 = 6); NONFAILING(*(uint64_t*)0x200023f0 = 0x20002340); NONFAILING(memcpy((void*)0x20002340, "\xd7\x83\xa4\xeb\x1e\x0d\xd9\xb2\xa7\xf8\xd2\x59\xc7\x4c\xd6\x59\xc0\x09\x1f\xe6\xc6\xdc\xb5\x6b\x00\xd8\xb0\x12\x02\x98\x10\xe8\xf7\x2b\xbd\x04\x22\xfc\x4f\x95\x14\xc6\x6a\x7e\x9a\xc2\xc8\x11\xf4\xe9\x37\x6c\xa6\xb3\x8d\x0e\xbe\x83\x30\x23\x61\x66\xdb\x77\x22\x6e\xd3\x33\x5e\x4b\xa5\x04\x05\x49\xb1\x3e\xad\xc7\x10\xad\x77\x38\x42\xe8\x3d\x98\x6a\x39\x26\x93\x19\x43\x7f\x08\x94\xaf\x67\xe7\xe2\xc0\x31\xb3", 102)); NONFAILING(*(uint64_t*)0x200023f8 = 0x66); NONFAILING(*(uint64_t*)0x20002400 = 0x40); syz_mount_image(0x20001200, 0x20001240, 0x500000000, 3, 0x200023c0, 0x40040, 0); break; case 17: NONFAILING(memcpy((void*)0x20002440, "/dev/cdrom\000", 11)); syz_open_dev(0x20002440, 0x5d, 0x400); break; case 18: NONFAILING(memcpy((void*)0x20002480, "net/rfcomm\000", 11)); res = syz_open_procfs(0, 0x20002480); if (res != -1) r[0] = res; break; case 19: syz_open_pts(r[0], 0x200); break; case 20: NONFAILING(*(uint64_t*)0x20002a00 = 0x200024c0); NONFAILING(memcpy((void*)0x200024c0, "\xf7\xfa\xe0\x18\x67\xe6\xe3\x8d\x35\x5f\x22\x6c\x20\x77\x9e\xba\xa9\x54\xe2\xb3\x2d\xb1\x34\x53\xf7\xed\xfd\xa3\x86\x21\x9d\x7d\x8f\x75\xd7\xa0\xc9\xe4\x04\xf1\x2c\xd7\x3e\x33\xf4\x11\xd7\x9b\xaa\x85\x50\xbc\x68\x72", 54)); NONFAILING(*(uint64_t*)0x20002a08 = 0x36); NONFAILING(*(uint64_t*)0x20002a10 = 0x400); NONFAILING(*(uint64_t*)0x20002a18 = 0x20002500); NONFAILING(memcpy((void*)0x20002500, "\xc0\xc0\xb3\x6a\xdc\x55\x9a\x4a\xc3\x94\x29\x01\xd5\xd7\x0b\x7b\xdf\xde\x70\x48\x76\x99\xa1\x38\x73\x84\x7f\x5c\xaf\x60\x32\xf5\x8d\x47\xf8\xae\xa9\xe8\x36\x40\x7a\x31\x22\x12\x69\xf6\xfe\xab\x0f\xb5\x82\x11\xc9\x9b\xce\x5c\xee\xea\xf7\x2f\xd4\x2e\x55\x56\x7e\x07\xce\x51\xc3\x91\xdd\x12\x1c\x2b\x1d\xaf\xfd\xac\x51\x04\x2d\x2c\x6d\x26\xf8\x93\x46\xe5\x28\xde\x6e\xae\x5c\x3b\x8a\x82\x68\x38\x69\x1e\x41\x26\x9f\xe4\x32\x93\xae\xaf\x84\xb9\xf2\x8f\x07\xd1\x6c\x0e\x56\xe3\x3a\xb6\xad\x8c\x5c\xd7\x19\x32\x15\x90\xf2\x09\xdb\x34\x01", 133)); NONFAILING(*(uint64_t*)0x20002a20 = 0x85); NONFAILING(*(uint64_t*)0x20002a28 = 4); NONFAILING(*(uint64_t*)0x20002a30 = 0x200025c0); NONFAILING(memcpy((void*)0x200025c0, "\x97\x92\xcf\x11\xaa\x05\x74\x53\xad\xa5\x12\x9b\x18\x13\xaa\xdd\xd1\x7e\xed\x78\xfa\x9c\xe9\x23\x07\x44\x51\x12\x61\x6c\xfc\x3d\xe9\x37\x88\x1a\x60\x62\x61\xaf\xa6\xae\xd6\xdf\x28\x69\x08\x42\xf6\xe7\x02\xbc\x1a\xa7\xab\xca\xa1\x4e\x30\x5b\xc4\xd6\x6a\xb5\x22\xc8\x63\xc8\xe4\xaf\x74\x03\xb9\x50\xc3\xdf\xa0\x99\x8a\x48\x6c\xe7\x29\xa1\xb3\xc1\x3c\x21\x88\xe3\x6f\x7e\x37\x95\x8e\x8b\xa1\xf8\xc3\x51\xd5\xb6\xdf\xca\x75\x11\x1a\xf0\x78\xbe\xa3\x72\x58\xac\xd9\x72\x77\xd0\x8b\xb2\x93\x6d\x95\xa2\x9a\x29\x2f\xb1\xf1\x07\x70\x98\x45\xaf\x24\x2c\x0f\x62\xd9\x43\x09\xc9\xbc\x6c\x3a\x5c\x41\xf8\x91\xc1\x41\x33\x04\x8f\x4d\x60\xd1\x6f\x5a\xb9\x90\x04\xfe\x20\x07\xd6\x2f\xad\x7e\x77\xcb\x79", 172)); NONFAILING(*(uint64_t*)0x20002a38 = 0xac); NONFAILING(*(uint64_t*)0x20002a40 = 0x1000); NONFAILING(*(uint64_t*)0x20002a48 = 0x20002680); NONFAILING(memcpy((void*)0x20002680, "\x74\xce\xc1\x66\x90\x09\xa8\xbc\x90\x4b\x28\x5b\xb9\xc1\xad\x20\xa2\x1a\xdd\x0e\x91\xf0\x8a\xed\x84\x39\x48\xae\xf5\x0a\xd8\xc4\x11\x27\xe2\xfc\x4e\x1a\xf9\x44\x25\xb4\x07\x50\xf0\xf8\x26\x20\x71\x0b\x4b\xb9\xa9\xbb\x9e\x26\xec\x9f\xa5\xcc\x66\xe1\x32\x1a\x2a\x06\xad\x0d\x8d\x35\xa0\x8e\x31\x31\x47\xf6\x27\x0b\xc8\x38\xeb\xdc\x35\xfb\x4d\x85\xbf\x0d\x93\xbc\xbd\x73\x73\x47\x3b\x11\x82\xb6\x86\x55\x46\xb6\xfa", 103)); NONFAILING(*(uint64_t*)0x20002a50 = 0x67); NONFAILING(*(uint64_t*)0x20002a58 = 0x1000); NONFAILING(*(uint64_t*)0x20002a60 = 0x20002700); NONFAILING(memcpy((void*)0x20002700, "\xc0\x07\x67\xbd\xc9\x0d\x63\x06\x4a\xa4\x68\xe3\x9c\xc4\x96\xd8\xe4\x93\x85\x11\x0d\x89\x4d\x02\x96\x3c\x3c\xa1\x42\x8c\x07\xc2\x64\x59\xea\x78\x68\x5e\xde\xd3\xfc\x19\x53\xf3\xbb\x32\x9d\xee\x78\xc9\xb8\x82\xc2\xe5\x73\x47\x88\x7b\x4b\x7a\x20\xc4\xab\x35\xef\xb4\x1c\x8d\x57\x9d\x95\xdf\x0f\x17\x8c\x54\xd6\x30\xcc\x07\xd8\xde\xef\x18\x37\x9d\x7d\xec\x45\xc5\xcd\xbb\xcf\x09\x54\x89\xd9\xf8\xee\xf9\xb3\xfd\x64\x7e\x53\x73\xa8\xa6\x00\xb8\xa7\x90\x3f\x90\x3c\x93\xf5\x46\x66\x79\x69\xec\x29\x8c\xb1\xfa\xfb\xa2\xe5\xa3\xf5\x61\xb5\xc3\xa1\x57\xbf\x6c\xfd\x3f\xb2", 141)); NONFAILING(*(uint64_t*)0x20002a68 = 0x8d); NONFAILING(*(uint64_t*)0x20002a70 = 0x800); NONFAILING(*(uint64_t*)0x20002a78 = 0x200027c0); NONFAILING(memcpy((void*)0x200027c0, "\xbd\xa6\x4f\x19\x0a\xb3\xcb\x44\xad\xc1\xed\xc5\x8b\x29\xd8\x35\xec\x01\x89\xe7\xdd\x76\x24\x3e\x82\x6e\xd4\x0d\xf7\x32\xa8\xdb\xb4\x1f\x16\x86\x0e\x20\xba\x70\xea\xb7\x34\x5a\x9e\x7b\x9d\x86\x8e\x7e\xc4\x82\x63\x67\x83\xe6\x86\x6e\x19\x20\xb4\x33\xf0\xe9\x35\xd0\x49\xff\x09\x9b\xca\x12\xf0\xe7\x9d\x3b\xcf\x48\xdc\xe9\x23\x8a\x86\x60\x05\x75\x4b\x7e\x89\xcf\x06\x3c\xa0\xc6\xd8\x60\xa1\xea\x2b\x43\xb9\x69\xc5\x78\x75\x67\x7e\xa8\xaf\x1a\x9c\x2c\xdf\xd9\x01\xf2\x2e\xeb\x8a\x51\x37\xbc\xf6", 123)); NONFAILING(*(uint64_t*)0x20002a80 = 0x7b); NONFAILING(*(uint64_t*)0x20002a88 = 9); NONFAILING(*(uint64_t*)0x20002a90 = 0x20002840); NONFAILING(memcpy((void*)0x20002840, "\xb4\xfa\x28\x22\xd6\x2c\xcc\x68\x44\xf2\xe9\x68\x4b\xc4\x37\xd9\x5e\x6d\x56\x6e\xb6\xd2\x7f\x10\x9e\x98\x5a\x99\xdd\xb5\xe9\x7b\xaa\xa9\xb0\xe5\xc3\xcc\xdd\xa3\x62\xcb\x76\x5e\x94\x5e\xfd\x86\xf1\x65\x4d\xca\x68\x99\xbf\x47\x1f\x12\xbb\x61\xdf\x69\xfe\x01\xdb\x4d\x00\xc4\xdc\xf1\x90\x2f\x69\x88\x85\x9d\xee\x17\xc5\xe6\xf5\x87\xbb\xb5\xbe\x8b\x23\xfb\x35\xa3\x9a\x3c\x2a\x0e\xc2\x3b\xe8\x09\x95\x71\x0a\xc8\x9c\x57\x04\x43\x4a\x8d\x57\xd5\xe6\xff\x04\xb2\x59\x10\xb6\x53\xae\xbd\xde\x07\x2c\xd9\xd1\x33\xfb\x36\xe6\x4a\x0d\xf6\x02\x03\x77\x31\x8f\x47\x23\xe1\x91\x52\xf4\x7c\x4a\xc2\x72\xb6\x8c\x3e\xbc\x7e\x4d\x9f\x59\xf8\xbe\x7b\xcf\x16\x31\x3b\xd9\xe4\xe6\xbd\x83\x32\x92\x01\x1c\x5a\x0b\xec\xe5\x7d\xdc\x83\xc0\x6a\x61\xb2\x02\xab\xf9\x68\x5e\x2d\xc9\xfe\x58\xfd\xd8\x7d\x12\x68\x65\xa3\xed\x5c\x9d\xc6\x9e\x2c\xff\x69\x62\x10\xa8\x08\xb9\x76\xad\xe1\x7a\x65\xb6\x5e\xa2\x60\x52\x84\xa6\xb4\xd6\xae\xbc\xbe\x37\xf8\x9f\x2c\xea\xe3\x4b\x31\xb7\x63\x4e\x26\x23\x74\xf1\xaf\x74\x9d", 246)); NONFAILING(*(uint64_t*)0x20002a98 = 0xf6); NONFAILING(*(uint64_t*)0x20002aa0 = 5); NONFAILING(*(uint64_t*)0x20002aa8 = 0x20002940); NONFAILING(memcpy((void*)0x20002940, "\x96\x70\x04\x8d\x08\x43\x1e\xe3\xb1\x71\xa8\xc8\x41\x98\xf2\x49\xfb\xd4\x2c\x96\x5a\xc6\x8f\x03\x08\x46\xf6\x6e\xf2\x00\x76\x9e\xec\x52\x68\x0b\xa5\x63\x7e\x7a\x7f\x0b\x6a\xed\xd3\x93\xa8\x1e\x9d\xc2\x7c\x38", 52)); NONFAILING(*(uint64_t*)0x20002ab0 = 0x34); NONFAILING(*(uint64_t*)0x20002ab8 = 0xfffffffffffffffb); NONFAILING(*(uint64_t*)0x20002ac0 = 0x20002980); NONFAILING(memcpy((void*)0x20002980, "\xe9\x21\xbd\x14\x8e\xf1\x41\x58\xa1\x65\x1b\x99\xec\x26\x80\x4f\x86\xd0\x85\x6e\x42\x70\x49\xa6\x43\x31\x9d\x89\x73\xc9\x74\xc2\xee\x99\x92\x27\x3c\x19\x5c\x23\x32\x29\xfd\x42\xc5\x4e\x87\x54\x1f\x1b\x03\x9b\x08\xe2\xbf\x55\x3b\xfc\x51\xa4\xa8\xb7\x14\x20\xbc\xc5\x0d\x72\xca\x1c\x6e\x7a\x4f\x2c\x79\xd5\x61\x89\x9d\x71\xfb\x95\x84\x76\x66\x12\x0a\x4e\x73", 89)); NONFAILING(*(uint64_t*)0x20002ac8 = 0x59); NONFAILING(*(uint64_t*)0x20002ad0 = 5); syz_read_part_table(0x8000, 9, 0x20002a00); break; case 21: NONFAILING(*(uint8_t*)0x20002b00 = 0x12); NONFAILING(*(uint8_t*)0x20002b01 = 1); NONFAILING(*(uint16_t*)0x20002b02 = 0x6b97); NONFAILING(*(uint8_t*)0x20002b04 = 0x55); NONFAILING(*(uint8_t*)0x20002b05 = 0x78); NONFAILING(*(uint8_t*)0x20002b06 = 0xcb); NONFAILING(*(uint8_t*)0x20002b07 = 1); NONFAILING(*(uint16_t*)0x20002b08 = 0x4e7); NONFAILING(*(uint16_t*)0x20002b0a = 0x6651); NONFAILING(*(uint16_t*)0x20002b0c = 0xa724); NONFAILING(*(uint8_t*)0x20002b0e = 0); NONFAILING(*(uint8_t*)0x20002b0f = 1); NONFAILING(*(uint8_t*)0x20002b10 = 0); NONFAILING(*(uint8_t*)0x20002b11 = 1); NONFAILING(*(uint8_t*)0x20002b12 = 9); NONFAILING(*(uint8_t*)0x20002b13 = 2); NONFAILING(*(uint16_t*)0x20002b14 = 0x1102); NONFAILING(*(uint8_t*)0x20002b16 = 1); NONFAILING(*(uint8_t*)0x20002b17 = 9); NONFAILING(*(uint8_t*)0x20002b18 = 2); NONFAILING(*(uint8_t*)0x20002b19 = 0x10); NONFAILING(*(uint8_t*)0x20002b1a = 4); NONFAILING(*(uint8_t*)0x20002b1b = 9); NONFAILING(*(uint8_t*)0x20002b1c = 4); NONFAILING(*(uint8_t*)0x20002b1d = 0x3a); NONFAILING(*(uint8_t*)0x20002b1e = 0); NONFAILING(*(uint8_t*)0x20002b1f = 5); NONFAILING(*(uint8_t*)0x20002b20 = 2); NONFAILING(*(uint8_t*)0x20002b21 = 2); NONFAILING(*(uint8_t*)0x20002b22 = -1); NONFAILING(*(uint8_t*)0x20002b23 = 0xef); NONFAILING(*(uint8_t*)0x20002b24 = 9); NONFAILING(*(uint8_t*)0x20002b25 = 0x21); NONFAILING(*(uint16_t*)0x20002b26 = 5); NONFAILING(*(uint8_t*)0x20002b28 = 0xc8); NONFAILING(*(uint8_t*)0x20002b29 = 1); NONFAILING(*(uint8_t*)0x20002b2a = 0x23); NONFAILING(*(uint16_t*)0x20002b2b = 0xa25); NONFAILING(*(uint8_t*)0x20002b2d = 7); NONFAILING(*(uint8_t*)0x20002b2e = 5); NONFAILING(*(uint8_t*)0x20002b2f = 0); NONFAILING(*(uint8_t*)0x20002b30 = 0xc); NONFAILING(*(uint16_t*)0x20002b31 = 2); NONFAILING(*(uint8_t*)0x20002b33 = 0x15); NONFAILING(*(uint8_t*)0x20002b34 = -1); NONFAILING(*(uint8_t*)0x20002b35 = 4); NONFAILING(*(uint8_t*)0x20002b36 = 0x6c); NONFAILING(*(uint8_t*)0x20002b37 = 5); NONFAILING(memcpy((void*)0x20002b38, "\x20\x8a\xc8\x7c\x75\x88\xdc\x7e\xcc\x1e\x2b\xa0\xf5\x91\xa1\xf4\xf0\xe4\x32\x3e\x3a\xdc\x60\xc2\x77\xd8\xc9\x10\x1a\xae\xfd\x04\x4e\x11\xa7\x8d\x99\x6c\x09\xc0\x87\xed\xc0\xf2\xd1\xe2\x9c\xa2\x65\x5c\x08\x09\x03\xbe\xe9\xf3\x67\xf3\x33\x86\x8c\xef\x6c\xd0\xa8\x1d\x5f\x97\x14\x2d\x33\xae\x38\x25\x43\xce\x65\x07\xc9\x55\xdc\x0e\x67\xac\x57\xe4\x56\x5e\x16\x77\xc9\x7a\xa1\xe0\xd0\xc1\xd6\xec\x20\xaf\xb8\xf9\xb8\x85\x84\x8c", 106)); NONFAILING(*(uint8_t*)0x20002ba2 = 7); NONFAILING(*(uint8_t*)0x20002ba3 = 5); NONFAILING(*(uint8_t*)0x20002ba4 = 0); NONFAILING(*(uint8_t*)0x20002ba5 = 0xa5); NONFAILING(*(uint16_t*)0x20002ba6 = 0xfda); NONFAILING(*(uint8_t*)0x20002ba8 = 0x3f); NONFAILING(*(uint8_t*)0x20002ba9 = 9); NONFAILING(*(uint8_t*)0x20002baa = 2); NONFAILING(*(uint8_t*)0x20002bab = 2); NONFAILING(*(uint8_t*)0x20002bac = 0x23); NONFAILING(memcpy((void*)0x20002bad, "\x74\xd7\x96\x1c\x4e\x72\x44\xf4\x35\xc1\xfd\xcd\x3b\xcc\xe4\xdc\xfd\x38\x10\x78\xc3\x1b\xb9\x5f\xe1\x2c\x1f\x4c\xec\xa2\x39\xe5\x52\x06\x0d\x5c\xeb\xe6\x87\x72\x69\x01\xc3\x15\xc6\xc4\x13\x1a\x34\xef\x7b\xc7\x9a\x47\xec\xa1\x3c\x61\x77\xcc\xbf\xc8\x80\x13\xe2\xb1\x2e\x4e\xcf\x52\x9b\x39\x5a\x74\x9b\x69\x48\xc3\x76\xd9\xef\x07\x84\x3a\x47\xf5\x65\x54\xb7\x6b\x75\x98\x0a\x9e\x80\xeb\xf9\x75\x55\x3c\x22\xdf\xf1\xe9\x5e\xe9\x6c\x9c\xf5\x5e\x22\x0a\x4e\xd9\x3f\x5a\xa5\x41\xdd\xc1\xed\xb2\x99\x59\xd6\x6a\xf3\xc6\xbd\x51\x67\xa8\x75\xf2\x3e\x8f\x74\x26\xe4\x16\xa3\x72\x1c\x5a\xa6\x42\xd4\x9e\x8d\x60\x07\x76\x4d\x87\x85\xce\x52\xa7\x9c\x30\x39\xf5\xf2\xbf\x51\xd0\x57\xe6\xab\x61\xb2\xa1\x46\x80\xd8\x29\xf4\xbd\xad\x07\x38\x54\x5a\xf8\xf5\xfb\x77\xa5\x70\xa1\xde\x79\x70\x5f\xf8\x8a\x5d\x29\x08\xda\xcf\x7f\x0a\x5d\x69\x0f\x10\x4c\x4b\x00\x67\x23\xf5\xd0\xa9\xc7\x21\x1c\x2d\xf8\x1b\x5f\xdb\x2b\xc3\xbf\xb4\x58\xd7\x96\x7a\x02\xbc\xf4\x86\x2a\x4d\xbe\xfc\xe1\xa5\x03\x02\x54\x2f\xe8\x5d\xb1\xa9\xaf\x39\xe3\xb2\x81\x3a\x14\xf7\x2f\x80\xb2\xcc\xb6\x5e\xbd\x0e\x31\x88\xec\xc0\xef\x9f\x2c\xc1\x62\x71\x28\x43\x8b\x8b\xa0\x18\x67\xea\xfa\x0f\x00\x1a\x6b\x31\x1c\x54\x13\x14\xcc\xfd\x78\xb4\x1d\x29\x70\xf0\x95\x59\x4e\x05\x0e\xcc\x1a\xcf\xb6\x03\xf5\xed\xb9\x2e\x3c\xeb\x27\x4d\xb1\x8b\x30\x84\x00\x3d\x00\x59\xf7\xef\xaf\x00\x5c\xf3\x8e\xd3\xd0\x24\x61\x10\x89\xcd\xde\x92\xd5\x7b\x72\xf2\xdc\x2a\x29\x8b\x0c\x50\x2b\xa0\x91\x31\x6a\xef\x88\xde\x91\x4d\x4e\x35\x98\xeb\x44\xae\xc9\x09\x67\xdd\x94\x45\x40\x53\x63\xf9\xde\x02\x53\xb4\x09\x59\x3c\xa2\x53\x4b\x0f\x96\xf4\x2b\xc3\x6f\x5e\x63\xb7\xbe\x5d\xd1\x2b\x8f\x67\x50\x32\x02\xf1\xb8\x27\xe1\x69\xd1\xfe\x14\x83\x86\xe8\xca\x4f\x34\xcb\xe6\x37\x12\x01\xab\x66\xcb\x0b\x0e\x10\x6a\x1b\x0b\xe5\xcb\xbc\x52\xbc\x92\xdd\xf5\x5e\xc1\xa5\xd5\x49\x0b\x20\x9a\xf0\x8b\xfc\x68\x8f\x7f\xe6\x6c\x3e\xab\xda\xc1\x69\x42\xed\xd4\x81\x66\xdc\xf5\x26\x05\x6f\x75\x9b\xff\x5e\x00\xf4\x7e\x8a\x3b\x43\x84\xb7\x48\x81\x90\x31\x37\xdc\xf5\x20\xae\xec\xd2\x51\x59\x20\x61\x97\x1e\x68\xc2\xae\xc6\x69\xc7\xf0\x24\x58\xea\xae\x07\xc0\x3e\x23\x50\x50\xe5\x30\x3b\x29\x50\x83\x29\x57\x74\x8f\x43\xad\xe5\x7a\xef\x83\x01\xdc\x96\x90\xb5\x16\xcb\xae\x93\x6d\xb9\x55\x7f\xa2\xa1\x02\x6a\x92\x09\xca\xcb\xd0\xd6\x06\x8b\xe1\xd5\x4e\xcc\x99\x51\x8a\xe1\xba\x3e\xe9\x8e\x72\xe0\x73\x2f\x9d\x29\x26\x85\x3f\x07\x11\xca\xb5\xd3\xc3\x50\x80\xd0\xf6\x62\xb8\x8d\xf8\xee\xb2\x69\x47\x4f\x3e\xe7\x7b\x31\xaa\x8d\x48\xa8\xba\x7d\x5f\xfb\x11\xd3\xc7\x96\x78\x3f\x2d\xa9\x0e\x06\x88\x45\x61\xa4\x64\xad\xea\xc9\xd1\xb5\xfd\xdd\x39\xf0\x6e\x7d\x3d\x4b\xbb\x26\xf5\x4e\x64\x06\xae\x42\x16\x79\xc0\xa2\x16\x6d\xe9\xf9\xd5\x04\x3c\x9a\x38\xb1\xd3\x56\xa3\x90\x2f\x27\xe4\xca\xa1\x0e\xff\x79\x5f\xba\xec\x6b\x5d\x65\x54\x91\x29\x2d\x48\xd8\x04\x8b\x0b\x22\x11\x45\x99\x20\x9d\xa2\x88\x99\xb6\x04\x4c\xf6\x08\x86\xbf\x58\x2d\xc5\xbd\xa5\xb1\xa5\xff\x79\xeb\xbd\xe3\xb0\x23\x23\x4a\x7a\x3f\x31\x69\xbd\x56\x42\x19\x40\x42\xa9\x9e\xa1\x7e\xba\xa9\x96\x4a\x74\xa5\x6b\x6a\x4c\xea\x85\x18\x0e\x1b\xb9\xa6\x37\x53\x28\xc8\xa4\x8b\x2e\x96\x09\x15\x00\x89\x84\x92\x50\xe7\xe2\xc5\x10\xaa\xf0\xb8\x7e\xc9\xca\x74\x50\x0d\xe9\x9f\x19\x18\x16\x97\xb5\x40\x14\x98\x1c\x46\x4c\x5c\xd6\xac\xca\x2e\xfd\x9a\xb6\x6c\x19\xa1\xd7\xed\x55\xbe\x02\x0c\x39\x00\xa0\xc6\x62\x16\xaf\xfb\x91\xaf\x26\x28\x69\xc3\x1f\x98\x8a\x24\x2a\xa6\xfc\x9a\xc6\x40\x39\xac\xe5\x46\x9b\x0e\x7e\x68\xe5\x8c\xa8\x8a\x54\x86\x77\x31\xf1\x59\x0f\xe3\xf0\xb1\xc0\x03\x98\x86\x44\x8a\x95\xc8\x25\xe2\x6a\x5a\xaf\x4d\x70\x77\x78\xd8\x2a\xa8\x6a\xd0\xd7\x4e\xaa\x19\xe2\xc0\xea\x86\xb2\xeb\x2f\x81\x73\x4f\x2e\xc4\x79\x37\xa5\x9a\x75\xb8\x31\xab\x62\x7e\xee\xdf\x6d\xce\xce\x4a\xbc\x83\x4c\x17\xd5\xf5\xab\x51\x5a\xf3\x68\x70\x53\x65\xe8\xf0\xc7\xf9\x19\x7d\xd6\x41\x3d\xf4\x30\xa0\x83\x57\xff\x84\xbd\xfa\xb5\xee\x02\x1f\x89\x47\x3d\x4d\xc1\xe6\xcf\x58\x31\xbb\x52\xb9\x54\x28\x2f\x2b\x9c\x53\x7c\x34\x22\xff\x2f\xef\xd6\xcf\x4f\xf0\x90\xa4\xd2\x90\x26\x35\xc2\x0a\xfd\xf9\x15\x9f\xdd\x7c\x3e\x71\xed\x0a\x5f\xc5\x9e\xc6\x4f\xc8\x5e\xe8\x1a\xb1\x78\xa3\xfa\x68\xfb\x73\xaa\x4a\x11\xe6\x7c\x77\x96\x24\x92\x2e\x54\x57\x17\x22\x9e\x3f\x8f\x01\xa3\x5d\x94\x8b\xc3\x41\x97\xb4\x7c\xcb\x95\x93\xa3\xbb\x03\xed\xaa\xdc\x66\x43\x75\x11\xa6\xc0\xd3\x11\xb3\xbe\xe9\x24\x39\xb0\x88\x41\x3c\x7d\x28\x9c\x2d\xb8\x9b\x81\x86\x8b\x97\x40\x87\x8b\xee\x80\x7d\xcd\x13\x5b\x2e\x78\xa7\x38\x5e\xa0\xba\xe1\xa0\xea\x3f\x15\x67\x6f\xa9\xf9\xf5\x57\x75\x80\x45\xd8\x93\xcf\xec\x1f\x60\x9a\x44\x04\xaf\x5e\xbd\x45\xd1\xac\x7d\xcc\xe3\x3e\x35\x7f\xf2\x30\x7c\x60\x33\xd5\xe1\xfc\x2d\xe8\x09\x6e\xe1\x09\x57\x68\x90\x4f\xd5\x9e\xd0\x72\x54\x0f\x68\xe0\xbe\x36\x7f\x6a\xbc\x64\x6f\x61\x62\x8c\x89\x1d\x7d\x38\x4c\x3e\x1f\x05\xcb\x05\x19\x7b\xe8\x41\x52\x82\x35\x44\x39\x2d\xc9\xfc\x41\xaf\xbe\xeb\x20\x76\x3e\x5b\x35\xb3\x62\x24\xa8\x3b\x34\xa3\xe5\xb9\xe7\x29\xb2\xa7\x76\xc4\xf4\xa7\x3b\x7f\xde\x6a\xd3\x31\x2f\x4b\x43\x5d\xa9\x7f\x7f\x84\x59\x10\x14\x58\x5f\x0f\x85\xda\xc9\x58\x42\x99\x89\xd3\x90\x4a\x3d\x46\x05\xd8\xfc\x0c\x29\xc7\x3d\xcd\x2e\xdb\x5f\xf8\x85\x75\x99\xc8\xb9\x40\x0f\x8f\x60\x80\x92\xac\x5a\xe6\xe0\x63\x02\x38\xfe\x00\x9c\xb4\x8c\xaa\xe1\x9f\x88\xc4\x09\x0a\x73\x24\xa9\xcc\xd2\xe7\xd4\xfc\x78\x23\x57\x81\x9f\xef\x26\x29\x4a\xb1\x13\xe8\xf6\xb5\x29\x66\xc9\x31\x6b\x80\x17\x8b\x9b\x29\x7a\x5b\x1b\x70\x99\x0c\xf5\x1b\x10\x20\xab\x90\xf5\x63\xe1\x0c\x6f\xb4\xf0\xba\xaa\xf9\xd3\x6a\xb5\x6d\xfa\x44\x1f\x28\x0a\x52\xea\x1e\xd5\x62\x25\xe9\x37\x5f\x45\xb4\x90\xb5\x54\x17\x47\xf1\x34\xc9\xb3\xe3\xa1\x96\x05\xb3\x0f\xf6\xe1\xf9\x13\x96\xc0\x76\x94\xfd\xca\x51\x53\xc2\xce\x79\xd3\x0d\x52\xba\x4c\x96\xe4\xfa\xd6\xeb\xbf\x07\xc8\x98\xa6\x7f\x32\xb7\xa9\xf8\x16\x07\x08\x98\x76\x71\x09\x67\x3d\x2a\x5d\xd3\x7e\x8e\x10\x09\xa6\x20\x4d\x2e\x66\x4d\x14\x96\x8a\xcb\x4f\xa9\xb5\x08\x5d\x76\xe5\x1c\xa0\x91\x45\x52\x28\xce\x88\xee\x90\xb4\xac\x1e\xba\x71\x86\x95\x36\x35\x1d\x12\xcf\x4d\x3e\x25\x64\x23\x28\x41\xc1\x79\x2d\x7a\x81\x0c\x0c\x1d\x01\x25\x12\x64\x1e\xb4\x58\x09\x12\x3e\x02\x06\x99\xee\x77\x8b\x3f\x69\x0a\x0b\xfc\x44\xd9\xd2\x5e\xb4\x9f\x43\x90\xe7\x34\xfe\x8c\xc2\xf5\xa0\xc4\xf4\xb8\x69\xdb\xf8\x11\xf9\x50\x7b\xf2\x35\xed\x31\xc6\xf3\xbc\x21\xb1\x62\xf4\x48\x71\x5a\xa5\x74\x64\xb6\xa5\x40\x2c\x2e\xa1\x1f\x0c\x8c\x2f\x9f\x9a\x3d\xb3\x0b\x2a\xfc\x6b\xe7\x19\x94\xce\xa4\x54\xaa\xde\xaa\x3b\xf3\x18\x56\x55\xe7\x04\x8f\x1c\x19\xb4\x58\x56\xa0\x00\xba\x71\xa8\x30\x6e\xb9\xa1\x90\xdd\x7a\x97\x05\x0b\xbb\xed\x9c\xea\x01\xe2\x6e\x41\xd2\x0d\x7a\x40\x83\x08\xe2\xed\x1c\x2e\x11\xf4\xac\x1b\x9b\xb5\x9c\xfb\x04\x52\xd9\xbb\x0d\xca\x8d\x9a\x0b\xa8\xd8\xf2\x57\xd6\xf3\xd8\x26\x48\x6e\x64\xd7\x9c\x67\x8b\xc2\x76\x8c\xb6\x51\xc3\x63\x3f\xd9\x30\x95\xc9\xd3\x75\x39\xa6\x1f\x06\x79\x36\xbb\x1d\xaa\x5e\x2d\xfb\x85\xf1\x34\xd4\x38\xcd\x38\x30\x84\xae\x47\x90\x24\x64\xf2\x87\x34\x50\x86\x8b\x4c\x25\xc7\x6e\xa9\x61\x02\xee\x19\xa5\x62\x7b\x05\x34\xc5\x45\x01\x2a\x89\xa2\x4f\x79\xec\x8c\xb1\xa6\xed\x6c\xd2\x37\x4c\x4d\xfa\x7d\xcb\x37\x3d\x6a\xd3\x6b\xb5\x0f\x42\x4c\xae\x72\xfb\x46\x20\x55\x29\xcb\xe7\x0f\x83\xd9\x75\x9d\x6d\xd6\xc3\xe3\xd6\x73\xc4\xc1\xe9\xd0\x74\x81\x71\x55\x52\xe7\xed\xa2\xf6\x94\x28\x7a\x7c\x26\x11\x7e\xb9\x6a\x49\xaa\x63\x1d\x3f\xde\x44\x2b\xe4\xfd\x22\x81\x65\x1c\xa8\xd0\xe4\x71\xf1\x30\x90\x23\xe5\x29\x18\x65\x5c\xe5\x06\xd9\x01\x58\x84\x58\x1b\xda\x7b\x9a\xe7\x68\xae\x80\x89\xdf\xbd\x5e\xea\xdd\x9b\x5c\x8b\xaa\x80\xc4\xf8\x2d\xec\x2d\xb3\xda\x84\xa8\x03\x7d\x8d\xa2\x29\xe6\x31\x42\xd5\x22\xf1\xb1\x65\x7f\x67\x3d\x88\x9f\x83\x90\x66\x3f\x16\x29\xa5\x34\xd8\x15\x9a\x1b\x6d\x2f\x96\x5c\xc9\x4e\xa5\xd4\x46\x79\x41\x1f\xbd\x6f\x98\xfd\xce\x9a\xb9\xb6\x26\x0f\xd9\x46\xc7\xd7\x39\xad\xb8\x86\xed\xe5\x1c\xaa\x97\xff\x1c\xa1\x87\x07\xc0\x1d\xfe\x98\xca\xa1\xce\xd3\x0c\xda\x02\x28\xe0\xcc\x1e\x7e\xaf\x73\x3d\x8b\xe5\xe3\x95\xe5\x36\x14\x69\x5b\x43\x2a\xd2\x9b\x18\xd7\xf5\x59\x5b\xea\x42\x32\x12\x58\x58\x8e\x00\x31\xae\xfa\xc7\x17\x70\x6c\xb0\xcc\x3f\xdc\xdb\x1b\x86\xf0\x52\x36\xb7\xcc\x88\x04\x12\x0a\xe7\xd4\x3b\xe2\x23\x9c\x38\x0f\xef\x80\x89\x7b\xf8\x41\x2f\xa1\xb1\x1f\x5b\x4d\x38\x17\xce\x22\x64\xa9\x57\x74\x17\x0b\xe4\x55\xf1\x2d\xfd\xc9\x4d\x40\xd2\xf0\xa8\xfa\x4b\x7f\x04\xaa\x01\x20\xb7\x54\x01\xd4\xca\x8f\xf1\xc1\xaf\xd7\xa3\x67\x7e\x77\x6e\x45\x3d\xde\x83\xda\x9d\xf7\x9b\x59\xfc\x8e\xfd\x8b\xeb\xc8\xcc\xd5\xdf\x91\x1b\xdd\xf3\xec\xb1\xde\x06\x02\x83\xc1\x7e\xce\x48\x49\x4c\x40\xa6\x1e\x5e\x34\x54\x83\x64\x90\x75\x1d\x00\x8d\xff\x06\x1c\x06\x89\x9c\x1d\xbf\x64\x84\xcb\x12\xe8\xcb\x13\x8b\xd0\xf4\x72\xc6\x00\x12\x8e\x24\xeb\x93\x65\xc1\xa0\xb6\xa8\x27\xe3\x9a\x16\xaa\x1b\x40\x77\x79\x37\xd8\x1a\x76\xc6\x54\x71\xdd\x1d\x62\x55\x89\x77\x8f\x64\xde\x89\x3c\xd0\x2d\x04\x4b\x15\x72\xa8\xe2\x3e\xca\xfb\xc7\x9c\x69\xd7\x6d\xc1\x51\x0b\x44\x2e\xe1\x6b\x08\x52\x0c\x30\xcc\x8f\x57\x9e\xb0\x55\x72\x88\x8c\x97\xdd\x36\xb3\xf0\x20\x41\xcf\x8d\x7d\x82\x33\x96\x9a\x6d\xae\x5c\x2a\x0b\x43\x96\xa0\xd0\x32\xd0\x38\xf7\xd7\x9c\x15\x38\x4c\xdb\x9b\xe0\xd8\x47\x78\x19\x54\x27\xbf\x73\xf4\x43\x9c\x2d\xb3\x4c\xa0\xd3\x7d\x36\x3e\x66\x4a\x84\xb4\x0e\xdd\xc7\x46\x0f\xde\x15\xf7\x68\xe9\xa7\x4e\x60\xfd\x58\xb0\x53\x89\xd2\x53\xc0\x63\xac\x8e\x0b\x03\x16\xeb\xc5\x7a\x53\xb1\x4d\x89\x40\x0e\x08\x84\x70\x9c\xfc\x19\x29\x2a\xfb\x36\xf9\xd2\xee\x1a\x81\xcc\x5f\x3d\x06\x39\xfa\x87\xac\x03\x7a\xc8\x42\x73\xf0\xf3\xaf\xc8\x7c\x06\xe3\x83\xab\x33\x8b\x3e\x08\x0c\x7c\xec\x70\x87\xe6\xae\x35\xeb\xf8\xbe\xff\x18\x23\xd9\x0f\xe6\x15\x30\x56\x85\x4a\xbb\x11\xc6\x0d\x2c\x41\x44\x90\x6d\x95\xcf\xe9\x46\x44\xd8\x5c\xd9\x2d\xe2\xf4\xc4\x70\xd6\x79\xe0\xc8\x72\x6d\x92\x41\xd5\xda\x1e\xfa\xd6\x6d\x09\x1f\xf8\x6e\xee\xec\x11\x91\x48\x8f\x34\x3e\xc8\xdf\xe0\x94\xed\x52\xc8\x97\x39\x2b\x81\x5c\x1f\x49\x1c\x4a\x0c\xa7\x56\x77\x56\x06\x35\xc7\xb2\x6e\x7e\x69\x66\x36\x0e\x94\xec\x08\x7f\xe5\xfc\xda\x57\x62\xc8\xa9\xb8\x26\x86\x47\x72\xca\x4c\xfb\x8c\x09\x26\x0e\x57\x36\x05\xe6\xb4\x74\x92\xd4\x2c\x52\x7f\x58\xba\xcf\x6d\xff\x28\x64\x55\xa0\xa9\x0d\x15\x1d\x06\xc3\xfc\xd9\x84\xd8\x02\x5e\xe3\x58\x31\xbc\x3e\x62\x67\x94\xc0\x25\x42\xea\x7e\xc6\x1d\xbb\x9e\x47\xdf\x75\xe7\xee\xe1\x75\x9a\x04\x1d\xe3\xf5\x8a\x86\x4e\x8b\x03\x24\x23\x82\xf5\x1c\xb3\x2a\x7e\x4f\x4d\xcf\xfc\x13\x8f\x33\x8b\x75\x21\x6c\xd7\x5b\xd8\x33\x56\xf1\xd2\x6f\xd6\xea\x19\xf0\xe6\xac\xd1\xfc\x8f\xbc\x0c\x90\xb4\x12\xaa\x20\x5c\x66\xf5\x58\x04\x6b\x5d\x0d\x8f\x52\x60\xee\x4c\x30\xc6\x26\x54\x77\xa6\xab\x53\xeb\xdf\x56\xe4\xc9\x64\x43\x2a\x67\x95\x05\x0a\xf5\x8e\x92\x08\xc6\x21\x2c\xa9\xb5\xfc\x60\x08\x6f\x2a\x2e\x2c\x27\x5f\xb1\x38\x7e\x26\x47\xfe\xe3\x53\xbb\x2e\xa1\x2f\x29\xd1\xf2\x82\x33\x72\x8d\x36\xe3\x10\xbb\x37\xec\xd2\xa7\x59\x32\x8c\xf5\xe5\x27\x2b\x7b\xb4\x92\x02\x5e\x53\xf0\xac\x7d\x86\x78\x4e\xdc\x4f\x5d\xd7\xf1\xc8\x8a\x08\x2c\xa2\x8c\xc3\x3b\x54\xca\xa8\x61\xc2\x32\x59\xb3\x16\x1e\x6d\x0e\xfe\x4f\x1e\xcd\xcd\x26\x25\xbf\xa0\x53\x76\x6d\xd0\xcd\xb2\xbd\xea\x9b\x9e\x09\x09\x09\x0d\xe4\x02\xf7\x5e\xec\x65\xc7\x78\x8a\x0a\x13\x85\xb3\x18\x0f\x17\xd9\x1b\x80\x1e\x36\x18\x75\xd9\x60\x26\x3a\xee\xf3\x35\x01\xe2\xb2\x07\x16\xd2\x7f\x95\x18\x23\x44\xee\x37\x7c\x89\x50\x4b\x61\xf6\x64\xb4\x6c\xcf\xc1\x21\x1c\xec\xa4\x65\xee\x2a\x8e\xff\xf1\x6e\x00\xfa\x69\x43\xa7\x12\x50\xc5\x4f\x37\xeb\x0f\x62\x11\xd6\xf6\x8e\xa0\x98\x33\xf0\xb3\xd9\x93\xcc\x08\x9d\x07\xdb\xe4\xac\x32\xc7\x80\x54\xcc\x44\xaf\xea\x5a\x8e\x6f\xce\xc4\xa0\x2e\x9a\xe2\x2d\xb0\x91\xb7\xde\xa1\x34\x86\x94\xa9\xa6\xed\x5f\x85\xbc\x3d\x3e\x3c\xd0\x1d\xc0\x84\xcc\x03\x46\xa4\x8b\x7a\xe3\x13\xc7\x28\xf5\xdc\xe9\xb9\x36\x64\x0a\xf2\xa6\x2c\x89\x39\x46\xab\xfc\x72\xdf\x35\xe1\x68\xc4\x79\xdc\xfc\x3f\xce\xb3\xc8\xd2\xd7\xbc\x38\x2a\x75\x9c\xfd\xf9\x7a\xf8\x4c\x6d\x94\xca\x37\x26\xa0\xc5\xcd\x0b\xab\x5d\x6d\xc4\x30\xb5\xfe\xd6\xb8\xb9\x32\xe5\x5f\x6c\x87\x7d\x91\x2a\xa5\x44\xf7\x06\xf3\x52\x03\xb9\x29\x83\x69\xfc\xfa\x0f\xdb\x9b\xdf\xfe\x45\x76\x79\xb3\x88\x3a\xf9\x26\x4c\x89\xa8\x7a\xe5\x0c\x68\x9a\x2b\x4f\xc4\x93\x48\x0b\x30\x93\xda\x53\x66\x04\x30\xc0\x0c\x3d\xb9\x13\xf6\x96\x47\x75\xcc\xec\xfd\xcd\x7e\xba\x7c\xd8\x26\x5e\xd2\x59\xb9\x60\xe4\x31\x7f\x8a\x85\x19\x37\xd2\x8a\x6f\x0b\x48\xa9\xbd\x68\x94\x64\x02\xcd\xd3\xc9\xee\x34\x7a\x9f\x4f\xfe\x01\xf2\x38\x6c\x61\x39\x44\x24\xe0\xc7\xa2\x68\x2c\x2b\x66\xdb\x4e\x2a\x88\x53\xfa\x38\x51\xf7\xaa\x73\xfc\xcc\xc5\x63\xc3\x13\xfc\xce\x98\x97\x37\x1a\x84\xe6\x9c\x6b\x37\xe5\x4e\xc4\xa6\x7e\xe8\x65\x46\xae\xbf\x1e\x87\xf6\xc2\xab\x51\xab\x5b\x2c\xd5\xf5\x76\x51\xc5\x07\x60\x52\x6c\xa7\x48\x78\x30\xf8\xc5\x85\xe2\x4e\xf6\x41\x09\xc8\x47\xba\xec\x90\x6c\x25\xa3\x78\xdc\x86\x1c\x45\x04\xae\x66\x41\x9d\x4a\xc2\x6e\x6f\x6e\x99\x16\xb4\xf8\x01\x0d\x3c\x2c\x81\xbd\x1d\x25\x7b\xd7\x08\x42\xbf\x8c\xa6\x6a\xab\x03\xd5\x9c\xd5\xb5\x30\x95\xbf\x85\x38\xa9\xc1\xd6\x28\x11\x21\x6d\xfa\x89\x36\x05\xdd\x22\xa7\x74\x58\x82\x06\xba\x26\x0f\x17\xba\x7b\x54\x82\x16\xed\x23\xe8\x80\x58\x39\xd6\x12\x32\xd0\x7d\x0a\xfc\x28\xc1\x6a\x36\x7c\x6b\x4f\x2e\x8d\x5e\x8a\x8d\x18\xa1\xbc\x0c\xa7\xfa\x72\xda\xbb\xf8\x65\x27\x53\x73\xe9\x59\xb2\x64\x33\xb0\x99\x0e\xa3\x7f\xc2\xea\x3b\x59\x65\xcc\xd5\x99\x76\xbe\xf7\xf0\x4e\x75\x4b\xe3\x69\xee\xce\xff\x78\xf2\xb2\xa5\xe5\xf7\x8d\xb8\x60\x31\xad\xaa\x0d\x62\xb8\xf8\xd8\x61\x68\x94\xa9\x7c\x38\x95\x50\xd6\x60\xf4\x58\xa0\x56\x97\x7c\x2b\xb0\x67\xd4\x52\x65\x1c\x6e\x00\x36\xbc\x7f\x07\x11\x4a\x05\x87\x42\xbb\xa2\x99\x36\xa9\x00\xe8\x72\xee\x98\x42\x5a\x00\xb7\x58\xff\xc4\x23\x4f\x28\xda\x74\x58\xa3\xaa\xbd\xcd\x9c\xf6\xb3\x45\x53\x66\x6c\xfb\xbf\xf3\xc2\xc6\x6c\xe8\xad\x12\xbd\xf7\xa4\x5d\x59\xc2\x2e\xab\x6b\x0d\x99\x96\xb4\x3f\xdc\xdb\xbd\xf3\xaa\x6f\x94\xac\x32\x55\xa3\x6f\x12\x2d\xad\x2d\x35\xe5\x7a\x90\x5d\x94\xa3\x72\x45\xc9\xc4\x58\x55\x73\xb6\x79\x88\x5a\x24\x7f\x45\x65\x28\xb6\x4c\x2c\xf2\xc0\x16\xbf\x4e\xc6\xba\x2d\x57\xbb\xb5\x75\x86\x0d\xfb\x37\xf0\xb3\xbf\xf6\x63\x25\xfe\x59\x60\xb3\xd2\x8b\xee\x87\xba\xc9\x00\x0f\x2e\x0f\xcb\xae\x83\x0f\x06\xfa\x15\xc0\x45\xf7\xf6\x2c\xd7\x3f\x47\x57\xc9\xbb\x78\x9d\xcc\x93\x20\x62\xcb\xee\x1b\x8a\xb3\x6f\x06\x1a\x68\x96\xc0\xb6\xb2\xfa\x2b\x00\x3e\xc0\x6e\x80\x66\x36\xe9\xa3\x39\x41\x8d\x84\xca\x3c\xe4\x8b\x9d\x5f\xf5\xb0\x5e\xad\xa8\xe5\x7c\x37\x49\xf9\x11\xdb\x1e\x33\xd8\x81\xf6\xe3\x83\x27\xa6\x4c\x4c\x03\x9c\x9b\xd4\x2d\x6b\x00\x70\x44\xd0\x8b\x3b\x85\xbe\x54\x83\xb0\x64\x36\xe5\x21\xf4\xd3\x71\x44\x30\x89\x7a\x7d\x0c\xca\x8a\xe8\x2f\x51\xc6\xa2\x21\x25\xa5\x96\x73\x3d\xed\x91\x6c\x33\x94\x7f\xc8\xb0\x9b\xec\x9d\x6c\x8c\x73\x7c\xae\xd7\xf0\xbd\xf6\x7e\xb9\x63\x65\x2f\x58\xcd\x35\x13\x7b\x9c\x49\xad\xfb\x34\x2e\xb9\x88\xdc\x3d\x58\x21\x0f\xeb\x17\xdd\xd5\x78\x43\x69\xb1\x2a\x5b\xd1\xeb\x7b\xe5\x86\xe5\xd9\xd8\xf8\x11\x2c\xac\x5e\x45\x06\xf7\xed\x83\x01\xbc\x84\x95\x13\x9b\xc0\x13\x0e\xa3\xcd\xf8\x65\x27\xe6\x7e\x2c\x8f\xed\x8c\x2a\x5a\x06\x36\x58\xc5\x92\xf0\xed\xab\xd0\xfd\x6f\xf7\x8f\xb7\x2b\xb3\xec\x5d\xcb\x15\x57\x06\xc4\x7f\x6d\x4e\xb0\xf0\x02\x0d\x61\xd0\xb2\xe2\xf0\xad\x42\x78\xc7\x56\xb5\x91\xa6\xa2\xd9\xe3\xcb\x51\x74\x69\x08\xbf\x42\x18\xf6\x56\x86\x9a\x13\x7c\x2c\x9d\x8d\x9c\xcb\x13\x3c\x31\x85\xa5\x89\xf4\x14\x7e\xe7\x0c\x3b\x2c\x36\x16\xc4\xf0\x28\xc6\xe0\xf1\xc4\x37\x8d\x12\x98\xbf\xf4\xb9\xb8\xa6\xa9\x6b\x72\x56\x02\x0b\x9e\xd4\xcf\x01\x13\xbc\x74\xfd\xbb\xb4\xaf\x81\x63\xaa\xe7\xe4\xae\xc2\x9e\xde\xbe\x51\x93\xe2\xd9\x59\xe8\x98\xb0\x5f\xd7\xaa\xbc\x3a\x6f\xec\x1c\xf4\x0e\x04\x7d\x32\x40\xc1\xdb\x87\x64\x46\x29\x8a\x00\x1c\xb3\x64\x72\x80\x7f\x60\x8a\xe6\xed\x95\x22\x78\x7f\xa4\x46\xe1\x94\x79\x19\x16\x0a\x7e\x57\xfb\xa6\xed\x86\xa0\x0f\xb3\x56\x6a\x03\x09\x00\xb9\x73\x05\x02\x31\x73\x9e\x26\x66\x08\xda\xe7\xa8\x31\x65\xa8\x4b\x80\xdb\xf9\x73\x29\x02\x0e\x2c\xe1\xd9\xc6\xea\x94\x35\x30\x83\x78\x7f\xc1\x59\x0e\x0d\x94\x3f\x11\x1f\xb3\x71\x42\x12\x62\xb2\x96\x41\xad\x4b\x77\x49\x1b\x5f\x7b\xc2\x77\xf4\x94\x4b\xc2\x0c\xd8\xce\x3e\x5a\x4a\xb7\xa4\xb5\x6b\x54\xc0\x29\xd9\x2c\x46\x46\x8b\xee\x7e\x55\x5f\x32\x3a\xeb\x94\x97\x68\x9d\x99\x65\xaa\xd5\x0b\x91\x20\xe8\x1d\xbf\xd7\x1e\x73\xad\x2d\x7f\x0b\xa7\x95\x60\x66\x23\xff\x5e\x4e\xfd\x46\xd8\x2d\x06\x33\x91\x4e\x99\x4d\x48\x78\x77\x84\xca\x0c\x78\xd1\x6f\xc5\x24\x8b\x6b\x15\xa4\xda\xc0\x41\x00\xe1\x95\xd7\x94\x86\xf9\x5c\x02\x7d\x6f\xa2\x67\x52\xa0\x54\xec\x63\xf1\xe2\xe9\xdd\x9f\x40\x8a\xf1\xbb\x69\x54\x74\x6a\x40\xc5\xa2\xe0\x5b\x25\x15\xf8\x6f\xc4\xd2\x28\x61\xc7\x8e\xff\xec\x42\x6e\x78\x81\x72\xd8\xf6\xaf\x5d\x45\xae\xe5\xb8\x66\x54\x27\xd1\x4f\x14\x70\xf0\xa6\x2e\x73\x78\xb2\x0c\xb8\xb0\x14\x70\xd0\x6c\x4d\xcb\x75\x4b\x8e\x7e\xae\xbf\x4b\xb6\xce\xae\x90\x73\xbe\x3f\xcf\x0b\x4c\x23\x7e\xc6\xb2\xc1\x32\xca\xac\xd1\x5e\xa5\xb4\x69\x74\x08\x59\x53\x96\x6b\x1c\x47\xfd\x4f\x7b\xdf", 4096)); NONFAILING(*(uint8_t*)0x20003bad = 7); NONFAILING(*(uint8_t*)0x20003bae = 5); NONFAILING(*(uint8_t*)0x20003baf = 0); NONFAILING(*(uint8_t*)0x20003bb0 = 2); NONFAILING(*(uint16_t*)0x20003bb1 = 1); NONFAILING(*(uint8_t*)0x20003bb3 = 1); NONFAILING(*(uint8_t*)0x20003bb4 = 0xa9); NONFAILING(*(uint8_t*)0x20003bb5 = 3); NONFAILING(*(uint8_t*)0x20003bb6 = 0x4c); NONFAILING(*(uint8_t*)0x20003bb7 = 4); NONFAILING(memcpy((void*)0x20003bb8, "\xd4\x8c\x1a\x5e\xca\xfa\x4f\x05\x37\xe5\x34\x88\x57\x2d\xb4\xea\x38\x09\xb6\x4f\xf3\xfb\x8b\x27\x8f\x81\xe9\x2e\x99\x4b\x4a\xed\x32\x3a\x75\x9a\x34\x24\xb7\x26\x58\x31\xfa\x7c\x59\x07\x8b\xc7\x03\x5a\x66\x69\xa4\x1c\x74\xa6\xf5\xbb\x74\x95\xed\xe8\x67\x98\x2b\x86\x70\x02\x79\x44\x99\xa8\x65\x92", 74)); NONFAILING(*(uint8_t*)0x20003c02 = 7); NONFAILING(*(uint8_t*)0x20003c03 = 5); NONFAILING(*(uint8_t*)0x20003c04 = -1); NONFAILING(*(uint8_t*)0x20003c05 = 0x16); NONFAILING(*(uint16_t*)0x20003c06 = 3); NONFAILING(*(uint8_t*)0x20003c08 = 0); NONFAILING(*(uint8_t*)0x20003c09 = 0x40); NONFAILING(*(uint8_t*)0x20003c0a = -1); NONFAILING(*(uint8_t*)0x20003c0b = 7); NONFAILING(*(uint8_t*)0x20003c0c = 5); NONFAILING(*(uint8_t*)0x20003c0d = 0x80); NONFAILING(*(uint8_t*)0x20003c0e = 0); NONFAILING(*(uint16_t*)0x20003c0f = 0); NONFAILING(*(uint8_t*)0x20003c11 = 0x4b); NONFAILING(*(uint8_t*)0x20003c12 = 6); NONFAILING(*(uint8_t*)0x20003c13 = 0); NONFAILING(*(uint32_t*)0x20003d00 = 0xa); NONFAILING(*(uint64_t*)0x20003d04 = 0x20003c40); NONFAILING(*(uint8_t*)0x20003c40 = 0xa); NONFAILING(*(uint8_t*)0x20003c41 = 6); NONFAILING(*(uint16_t*)0x20003c42 = 0xfff9); NONFAILING(*(uint8_t*)0x20003c44 = 0xd7); NONFAILING(*(uint8_t*)0x20003c45 = 5); NONFAILING(*(uint8_t*)0x20003c46 = 9); NONFAILING(*(uint8_t*)0x20003c47 = 4); NONFAILING(*(uint8_t*)0x20003c48 = 0xf9); NONFAILING(*(uint8_t*)0x20003c49 = 0); NONFAILING(*(uint32_t*)0x20003d0c = 0x10); NONFAILING(*(uint64_t*)0x20003d10 = 0x20003c80); NONFAILING(*(uint8_t*)0x20003c80 = 5); NONFAILING(*(uint8_t*)0x20003c81 = 0xf); NONFAILING(*(uint16_t*)0x20003c82 = 0x10); NONFAILING(*(uint8_t*)0x20003c84 = 1); NONFAILING(*(uint8_t*)0x20003c85 = 0xb); NONFAILING(*(uint8_t*)0x20003c86 = 0x10); NONFAILING(*(uint8_t*)0x20003c87 = 1); NONFAILING(*(uint8_t*)0x20003c88 = 0); NONFAILING(*(uint16_t*)0x20003c89 = 0x24); NONFAILING(*(uint8_t*)0x20003c8b = 5); NONFAILING(*(uint8_t*)0x20003c8c = 1); NONFAILING(*(uint16_t*)0x20003c8d = 0x400); NONFAILING(*(uint8_t*)0x20003c8f = 0x46); NONFAILING(*(uint32_t*)0x20003d18 = 1); NONFAILING(*(uint32_t*)0x20003d1c = 0x3c); NONFAILING(*(uint64_t*)0x20003d20 = 0x20003cc0); NONFAILING(*(uint8_t*)0x20003cc0 = 0x3c); NONFAILING(*(uint8_t*)0x20003cc1 = 3); NONFAILING(*(uint16_t*)0x20003cc2 = 0x1c49); NONFAILING(memcpy((void*)0x20003cc4, "\x44\x2e\xbb\x26\xbb\xa1\x0f\xc1\x02\x8d\x7a\x8d\xad\x45\x8c\x45\x01\xad\x21\xf8\x93\x76\x8a\x64\x4e\xda\xfb\x86\x88\x0c\x13\xf5\xe9\xed\xb0\xae\xf2\x62\x42\x36\xa9\x64\x80\xa2\x9c\xe0\xf6\x04\x99\x03\x10\xdb\xe3\x7f\x51\xfc", 56)); res = syz_usb_connect(0, 0x1114, 0x20002b00, 0x20003d00); if (res != -1) r[1] = res; break; case 22: NONFAILING(*(uint32_t*)0x200041c0 = 0x34); NONFAILING(*(uint64_t*)0x200041c4 = 0x20003d40); NONFAILING(*(uint8_t*)0x20003d40 = 0x20); NONFAILING(*(uint8_t*)0x20003d41 = 0x2f); NONFAILING(*(uint32_t*)0x20003d42 = 0x77); NONFAILING(*(uint8_t*)0x20003d46 = 0x77); NONFAILING(*(uint8_t*)0x20003d47 = 0x22); NONFAILING(memcpy((void*)0x20003d48, "\x1c\xcd\xe9\x8b\x00\x7d\x7a\x57\x52\x7b\xb5\xca\x12\x86\x48\x43\x6b\x06\x09\xdb\x26\x3e\xed\x15\xae\x42\x75\xa6\xbf\xc6\x82\x22\x2d\xb6\xdb\xbb\xc8\x44\x23\xb0\xe6\xaa\xad\x75\x27\x0c\xbf\x10\x47\x0f\x1e\x80\x0f\xe0\x07\x2f\x22\x93\xd5\x4b\x11\x90\xdc\x8b\x57\xd5\x7d\xe4\x41\x49\xbc\xf3\x99\x9d\x95\x6d\x96\x55\x19\x0c\x0e\xca\x99\x52\x11\x07\x2a\x0e\x75\x29\x67\xee\xde\x58\x63\x50\x4d\x2d\xe4\x49\x41\xcc\xc8\xf9\x3a\x51\xf6\x90\xd5\x76\xcb\xe3\x81\xb5\xa3\x12\x18", 117)); NONFAILING(*(uint64_t*)0x200041cc = 0x20003dc0); NONFAILING(*(uint8_t*)0x20003dc0 = 0); NONFAILING(*(uint8_t*)0x20003dc1 = 3); NONFAILING(*(uint32_t*)0x20003dc2 = 0xc0); NONFAILING(*(uint8_t*)0x20003dc6 = 0xc0); NONFAILING(*(uint8_t*)0x20003dc7 = 3); NONFAILING(*(uint16_t*)0x20003dc8 = 0xf4ff); NONFAILING(memcpy((void*)0x20003dca, "\x20\xcd\xef\xf1\x33\x9f\xf8\x99\x01\x6b\x95\x32\x37\xea\x86\x3e\x60\x6f\xf5\x7d\xdd\xa8\xf8\x3b\x38\xe9\x2d\xa8\x0d\xbc\x48\x06\x67\x77\x47\x9e\xe1\x6c\xaa\x24\x0d\x15\x20\xbb\x5c\xc7\xdb\x6d\x4b\x8b\x37\xe7\xa1\x73\x6a\x0b\x74\x08\x63\xe9\xd3\xdc\x8e\xfd\x9d\xec\xbb\xb9\x7a\x60\x2d\xb0\x43\x8b\xfb\x35\xbb\x28\xc7\xfb\xd3\x9a\x92\xa4\xa9\x39\x66\x7d\xa0\xf2\xb6\xf5\xe9\x34\x8b\xee\xc0\x5f\xbd\xb7\x5a\x36\xdb\x87\xb4\xdd\xf6\xb0\xa9\x7b\xb7\x82\xaf\x6d\x2b\xc6\x0d\x00\x99\xe0\x6d\x59\xc3\xcc\x51\x31\x82\x32\x59\xd0\xcb\x53\x89\xeb\x9e\x49\x49\x5c\xa8\x38\x3e\x03\xd7\x2a\x64\x8a\x74\x36\xda\x81\x68\xd6\xbf\x06\x2b\x34\xa9\xc5\xf9\x17\x02\xc0\x1e\x90\x7d\x71\x32\xed\xc1\xf0\x50\x9c\x50\x65\xd0\xe2\xb6\x2b\x76\xff\xba\x9b\x6e\x9f\xa0\x6a\x3e\x79", 188)); NONFAILING(*(uint64_t*)0x200041d4 = 0x20003ec0); NONFAILING(*(uint8_t*)0x20003ec0 = 0); NONFAILING(*(uint8_t*)0x20003ec1 = 0x22); NONFAILING(*(uint32_t*)0x20003ec2 = 0x103); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ec6, 3, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ec6, 0, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ec6, 0xf, 4, 4)); NONFAILING(memcpy((void*)0x20003ec7, "\x7e\x61\xa1\xf0", 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ecb, 2, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ecb, 1, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ecb, 2, 4, 4)); NONFAILING(memcpy((void*)0x20003ecc, "\x12\x76", 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ece, 3, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ece, 3, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ece, 7, 4, 4)); NONFAILING(memcpy((void*)0x20003ecf, "\x05\x27\x2f\x66", 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ed3, 1, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ed3, 2, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ed3, 0x1b, 4, 4)); NONFAILING(memcpy((void*)0x20003ed4, "\\", 1)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ed5, 4, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ed5, 5, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003ed5, 0xf, 4, 4)); NONFAILING(*(uint8_t*)0x20003ed6 = 0xed); NONFAILING(*(uint8_t*)0x20003ed7 = 0xf); NONFAILING(memcpy((void*)0x20003ed8, "\xdf\x2b\x0c\xe4\x26\xa6\x41\x94\x1e\x33\x8c\x5e\xcb\x20\xe8\xea\x73\x81\x19\x8d\x79\x50\x11\x15\x2a\xb6\x4a\xa4\xa7\x9a\xbf\x68\x9b\xb5\x4f\xd6\xa4\x05\x54\x96\xc3\x36\xe5\x75\x5f\xb8\x6f\x71\x1c\x08\x3e\x13\x31\xd6\x5b\x85\x1e\x9a\xcd\x95\x1c\xca\xfc\x53\xdc\xb8\x69\xd5\xf3\x33\x1d\xdd\x41\x71\xfa\x46\xa5\x20\xd5\x82\xca\x18\x9f\x59\x51\x11\xec\x48\xe1\x7b\x1d\xdc\x40\x08\x3a\xd0\x5d\x94\x76\xed\x3d\xf0\x7c\x57\x39\x1d\x7c\x62\xa8\x83\xf6\x4f\x14\x94\x54\x6a\xc3\xe7\xb2\x59\x82\x33\xbc\x3b\xef\x2f\x5b\x50\x46\xde\xde\xc8\xbe\x9e\xd2\x78\x74\x81\x7e\x15\xd4\xad\xab\x83\x34\xc4\x8c\xe3\x3e\x59\x74\x62\xe7\x88\x74\xca\x19\xf5\xb0\x90\xb4\x4b\x62\xd9\x0e\x06\x5a\x22\xa1\x58\x54\xb2\x3f\xbd\x2f\x57\x4b\x79\xc1\xa8\xa2\x60\xf1\x79\x48\x20\x29\x9e\x2f\xdb\xc7\x72\x15\xcf\x38\x9c\x1d\xb1\x3e\x21\xe1\xce\x2c\x09\x2e\x2c\x59\x15\xf5\x3f\x33\x2b\xb3\x77\x1c\x43\x65\x3c\x89\x90\xe7\x93\xb4\xbc\xa3\x55\xec\xb4\x15\xb4\xe1\x03\xff\x5e\xc5\xb1\x5a", 237)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003fc5, 2, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003fc5, 3, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003fc5, 9, 4, 4)); NONFAILING(memcpy((void*)0x20003fc6, "\x48\xa7", 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003fc8, 0, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003fc8, 2, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x20003fc8, 0xf, 4, 4)); NONFAILING(*(uint64_t*)0x200041dc = 0x20004000); NONFAILING(*(uint8_t*)0x20004000 = 0); NONFAILING(*(uint8_t*)0x20004001 = 0xf); NONFAILING(*(uint32_t*)0x20004002 = 0x113); NONFAILING(*(uint8_t*)0x20004006 = 5); NONFAILING(*(uint8_t*)0x20004007 = 0xf); NONFAILING(*(uint16_t*)0x20004008 = 0x113); NONFAILING(*(uint8_t*)0x2000400a = 4); NONFAILING(*(uint8_t*)0x2000400b = 0x24); NONFAILING(*(uint8_t*)0x2000400c = 0x10); NONFAILING(*(uint8_t*)0x2000400d = 0xa); NONFAILING(*(uint8_t*)0x2000400e = 5); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x2000400f, 6, 0, 5)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x2000400f, 7, 5, 27)); NONFAILING(*(uint16_t*)0x20004013 = 0xf000); NONFAILING(*(uint16_t*)0x20004015 = 0x7fff); NONFAILING(*(uint32_t*)0x20004017 = 0x3f00); NONFAILING(*(uint32_t*)0x2000401b = 0x3f00); NONFAILING(*(uint32_t*)0x2000401f = 0xff00cf); NONFAILING(*(uint32_t*)0x20004023 = 0xc000); NONFAILING(*(uint32_t*)0x20004027 = 0xc000); NONFAILING(*(uint32_t*)0x2000402b = 0xff00); NONFAILING(*(uint8_t*)0x2000402f = 7); NONFAILING(*(uint8_t*)0x20004030 = 0x10); NONFAILING(*(uint8_t*)0x20004031 = 2); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004032, 0x18, 0, 8)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004032, 4, 8, 4)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004032, 0x20, 12, 4)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004032, 6, 16, 16)); NONFAILING(*(uint8_t*)0x20004036 = 7); NONFAILING(*(uint8_t*)0x20004037 = 0x10); NONFAILING(*(uint8_t*)0x20004038 = 2); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004039, 8, 0, 8)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004039, 7, 8, 4)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004039, 0x101, 12, 4)); NONFAILING(STORE_BY_BITMASK(uint32_t, , 0x20004039, 4, 16, 16)); NONFAILING(*(uint8_t*)0x2000403d = 0xdc); NONFAILING(*(uint8_t*)0x2000403e = 0x10); NONFAILING(*(uint8_t*)0x2000403f = 3); NONFAILING(memcpy((void*)0x20004040, "\xb7\x56\xc5\x6e\xb0\x47\x8c\xa5\x9a\xdd\x64\x85\x8f\x5e\xc4\xe3\x42\x89\x78\xc8\x3e\x53\x17\xf0\x01\x9f\xf6\xfb\xcf\x54\xcd\xec\x3e\x30\x43\x53\x18\x2e\x2d\xd5\xdc\x7c\xb5\x79\x58\x4c\xd8\xa2\x32\xc2\xa0\xcf\xe3\x66\xab\xfb\xc0\x5f\x7d\xd1\xfe\x1e\x9b\x4d\x06\x14\xbc\xcf\xeb\x99\xc4\x40\x3a\x22\x38\xcb\xbd\xb5\x58\x7c\xe0\x09\x8f\x35\x6e\xd8\xd3\x03\xfb\x70\x16\xcd\x27\xfe\x7a\xe2\x00\x97\xf8\xf3\xa8\x18\xa3\x97\x02\x91\x6c\xe9\x04\xc7\x0d\x7f\x18\x75\x66\xd6\x64\x98\x18\xcc\x6a\x97\xb6\x28\xad\xf6\xc5\xcd\x13\x49\x96\x12\xc8\x5d\x81\x9c\x6c\xee\x75\x33\x45\x5e\x74\x32\x4c\x87\xa1\xaa\x58\x4b\xc7\xbc\xb4\x93\x07\xfa\xaf\x4e\xcd\xfb\x96\x2c\xa0\x51\xd0\x9b\x21\x9a\xb5\x42\x74\x57\xe9\x3d\x0e\xa0\x00\xc3\x55\x9b\xfc\xb0\x7a\xe7\x1e\xb1\x4e\x7b\x75\xf5\xce\x56\xa8\x20\xa5\x16\xc8\x5d\x6d\x6d\xf3\xd8\x66\x4e\xa3\x5c\x4b\x58\xea\x13\x6b\x96\x78\x8a\xe7\x09\x48", 217)); NONFAILING(*(uint64_t*)0x200041e4 = 0x20004140); NONFAILING(*(uint8_t*)0x20004140 = 0); NONFAILING(*(uint8_t*)0x20004141 = 0x29); NONFAILING(*(uint32_t*)0x20004142 = 0xf); NONFAILING(*(uint8_t*)0x20004146 = 0xf); NONFAILING(*(uint8_t*)0x20004147 = 0x29); NONFAILING(*(uint8_t*)0x20004148 = 3); NONFAILING(*(uint16_t*)0x20004149 = 0x13); NONFAILING(*(uint8_t*)0x2000414b = 4); NONFAILING(*(uint8_t*)0x2000414c = 1); NONFAILING(memcpy((void*)0x2000414d, "\x5b\xb7\xfa\xa4", 4)); NONFAILING(memcpy((void*)0x20004151, "\x33\x49\x9b\x30", 4)); NONFAILING(*(uint64_t*)0x200041ec = 0x20004180); NONFAILING(*(uint8_t*)0x20004180 = 0); NONFAILING(*(uint8_t*)0x20004181 = 0x2a); NONFAILING(*(uint32_t*)0x20004182 = 0xc); NONFAILING(*(uint8_t*)0x20004186 = 0xc); NONFAILING(*(uint8_t*)0x20004187 = 0x2a); NONFAILING(*(uint8_t*)0x20004188 = 0); NONFAILING(*(uint16_t*)0x20004189 = 8); NONFAILING(*(uint8_t*)0x2000418b = 0x65); NONFAILING(*(uint8_t*)0x2000418c = 5); NONFAILING(*(uint8_t*)0x2000418d = -1); NONFAILING(*(uint16_t*)0x2000418e = 0xe43); NONFAILING(*(uint16_t*)0x20004190 = 0xff54); NONFAILING(*(uint32_t*)0x20004540 = 0x54); NONFAILING(*(uint64_t*)0x20004544 = 0x20004200); NONFAILING(*(uint8_t*)0x20004200 = 0); NONFAILING(*(uint8_t*)0x20004201 = 0); NONFAILING(*(uint32_t*)0x20004202 = 0xee); NONFAILING(memcpy((void*)0x20004206, "\x9a\x82\x5b\xfb\x40\xa7\xf4\xe7\x97\xaa\xcf\xaf\xd2\x57\x9a\xbe\xd3\xe9\xd7\xe2\x76\x52\xad\x7f\x4a\x55\x11\x70\x6a\x19\xdf\x9a\xb9\x29\x46\x1d\xf7\x9f\x48\x2d\x3a\x2d\x78\x13\xb5\x22\xf7\xd3\xd4\xdf\x89\x8d\x86\x85\x82\x6c\x27\x6d\xbe\x58\xc8\x27\xa9\x32\x36\x1d\xf0\xc6\x53\x44\xee\xf7\x82\x5f\xc0\x30\x3f\x61\x79\x48\x8c\x95\xec\x23\x11\x59\x99\x5d\xa4\xaf\xa9\xf1\x2b\x8b\x95\x7f\x39\x98\x2c\x3f\x46\xa2\x7d\xa9\xe3\x75\x7b\xf5\xd0\x55\xe6\xb7\xc9\xe4\x8b\x44\xd1\x01\xa3\xc5\x88\x64\x56\xf4\xf9\x73\xf8\x6e\xf7\x9a\xc5\x07\x67\xc4\xe5\x6b\x5a\x37\xd3\xf4\xb2\x79\xca\x0b\x3b\xa9\x2e\xef\xae\xb0\xf1\xef\xad\x12\xd2\x28\x6a\xbe\xda\x32\x58\xe6\x8f\xb4\x5a\xd3\x6b\xb2\x5a\x22\x08\x8c\x47\x51\xa2\xba\x10\x09\x45\xcf\x66\xf7\x63\x5b\xc4\xe5\xcb\x00\x46\x01\xee\xae\x31\x05\x90\xa8\x82\xae\xd5\x29\xd1\x64\x8b\x7a\xcc\x28\x52\xf7\xfb\x66\x39\x11\xe5\xa1\x63\xbd\xdd\xad\xc4\x17\xf0\x31\x19\x2c\x50\xe8\x08\xa9\x65\x91\x84\x64\x78\x8d\x4c\xa1\x04\x3c", 238)); NONFAILING(*(uint64_t*)0x2000454c = 0x20004300); NONFAILING(*(uint8_t*)0x20004300 = 0); NONFAILING(*(uint8_t*)0x20004301 = 0xb); NONFAILING(*(uint32_t*)0x20004302 = 0); NONFAILING(*(uint64_t*)0x20004554 = 0x20004340); NONFAILING(*(uint8_t*)0x20004340 = 0x20); NONFAILING(*(uint8_t*)0x20004341 = 0xa); NONFAILING(*(uint32_t*)0x20004342 = 1); NONFAILING(*(uint8_t*)0x20004346 = 0x81); NONFAILING(*(uint64_t*)0x2000455c = 0x20004380); NONFAILING(*(uint8_t*)0x20004380 = 0); NONFAILING(*(uint8_t*)0x20004381 = 9); NONFAILING(*(uint32_t*)0x20004382 = 0); NONFAILING(*(uint64_t*)0x20004564 = 0x200043c0); NONFAILING(*(uint8_t*)0x200043c0 = 0x20); NONFAILING(*(uint8_t*)0x200043c1 = 8); NONFAILING(*(uint32_t*)0x200043c2 = 1); NONFAILING(*(uint8_t*)0x200043c6 = 1); NONFAILING(*(uint64_t*)0x2000456c = 0x20004400); NONFAILING(*(uint8_t*)0x20004400 = 0x20); NONFAILING(*(uint8_t*)0x20004401 = 0); NONFAILING(*(uint32_t*)0x20004402 = 4); NONFAILING(*(uint16_t*)0x20004406 = 2); NONFAILING(*(uint16_t*)0x20004408 = 2); NONFAILING(*(uint64_t*)0x20004574 = 0x20004440); NONFAILING(*(uint8_t*)0x20004440 = 0x20); NONFAILING(*(uint8_t*)0x20004441 = 0); NONFAILING(*(uint32_t*)0x20004442 = 8); NONFAILING(*(uint16_t*)0x20004446 = 0x860); NONFAILING(*(uint16_t*)0x20004448 = 8); NONFAILING(*(uint32_t*)0x2000444a = 0xf0); NONFAILING(*(uint64_t*)0x2000457c = 0x20004480); NONFAILING(*(uint8_t*)0x20004480 = 0x40); NONFAILING(*(uint8_t*)0x20004481 = 1); NONFAILING(*(uint32_t*)0x20004482 = 3); NONFAILING(memcpy((void*)0x20004486, "\x23\xd5\xd4", 3)); NONFAILING(*(uint64_t*)0x20004584 = 0x200044c0); NONFAILING(*(uint8_t*)0x200044c0 = 0x40); NONFAILING(*(uint8_t*)0x200044c1 = 9); NONFAILING(*(uint32_t*)0x200044c2 = 3); NONFAILING(memcpy((void*)0x200044c6, "\x35\x82\xbf", 3)); NONFAILING(*(uint64_t*)0x2000458c = 0x20004500); NONFAILING(*(uint8_t*)0x20004500 = 0x20); NONFAILING(*(uint8_t*)0x20004501 = 0x80); NONFAILING(*(uint32_t*)0x20004502 = 0x1c); NONFAILING(*(uint16_t*)0x20004506 = 6); NONFAILING(*(uint16_t*)0x20004508 = 1); NONFAILING(*(uint32_t*)0x2000450a = 0x8153); NONFAILING(*(uint16_t*)0x2000450e = 7); NONFAILING(*(uint16_t*)0x20004510 = 0x60a8); NONFAILING(*(uint16_t*)0x20004512 = 3); NONFAILING(*(uint16_t*)0x20004514 = 0x3f); NONFAILING(*(uint32_t*)0x20004516 = 1); NONFAILING(*(uint16_t*)0x2000451a = 1); NONFAILING(*(uint16_t*)0x2000451c = 1); NONFAILING(*(uint16_t*)0x2000451e = 1); NONFAILING(*(uint16_t*)0x20004520 = 1); syz_usb_control_io(r[1], 0x200041c0, 0x20004540); break; case 23: syz_usb_disconnect(r[0]); break; case 24: NONFAILING(memcpy((void*)0x200045c0, "\x74\xc1\xb2\xaa\xd5\xa6\xc0\xf9\x7a\x24\x1b\xf8\xed\xda\x6e\x8e\x92\xb9\xaf\x80\x68\x7d\x6d\xec\xa3\xbc\xf8\x79\x86\x4a\x23\xb1\x0f\x04\x54\x46\xc9\xbe\x5a\x45\xc9\xfb\xd6\x61\x84\xa8\x45\xa1\x7d\xa2\x7c\xb7\x55\x07\x1f\x48\x97\x3b\xd2\xa6\xc6\xd4\x06\x97\xab\xf0\x27\xb2\xbe\x20\x0f\x58\xec\xc5\xaf\x94\xce\xea\x44\x5d\xa5\xe2\x79\x1d\xd0\x70\xdf\x13\xd8\xe3\x64\x0a\x37\xf2\xf7\xbf\xbb\xd4\x0d\x96\x1b\x4a\xdc\x8f\xfb\x3f\x8c\xe5\xff\x70\xd4\x71\x8e\x1f\x71\xc2\xff\xf1\x57\x50\xf3\x9a\x45\x60\x87\x16\xfb\x2f\x3a\xf9\x49\xdd\x26\x82\x80\xfa\x6e\xf7\xbb\x6c\x96\x02\x49\xc1\xdb\xee\xcf\x58\xc7\x32\x84\x73\x14\x7c\xc7\xc2\x88\xcf\x08\x4d\x60\xc1\x27\x9d\x4e\x00\xa3\xf7\x52\x31\x29\x19\xa7\xdf\x6c\x9f\xe9\x36\x37\xfc\x10\x45\xde\xa6\x9b\xf8\xb3\xb8\xb5\x45\x36\xb0\x00\x75\x8b\x1a\x3c\x08\x6b\x08\xfb\x4b\x19\xf5\xa8\x91\x34\xb7\xa0\x3e\x8c", 211)); syz_usb_ep_write(r[0], 0x17, 0xd3, 0x200045c0); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); install_segv_handler(); use_temporary_dir(); do_sandbox_none(); return 0; } : In function ‘syz_usb_control_io.constprop’: :565:6: error: ‘response_found’ may be used uninitialized in this function [-Werror=maybe-uninitialized] cc1: all warnings being treated as errors compiler invocation: gcc [-o /tmp/syz-executor378966483 -DGOOS_linux=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -O2 -pthread -Wall -Werror -Wparentheses -Wframe-larger-than=8192 -m64 -static] FAIL FAIL github.com/google/syzkaller/pkg/csource 11.414s ok github.com/google/syzkaller/pkg/db (cached) ok github.com/google/syzkaller/pkg/email 0.411s ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ok github.com/google/syzkaller/pkg/host 6.530s ? github.com/google/syzkaller/pkg/html [no test files] ok github.com/google/syzkaller/pkg/ifuzz (cached) ? github.com/google/syzkaller/pkg/ifuzz/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/generated [no test files] ok github.com/google/syzkaller/pkg/instance 1.366s ok github.com/google/syzkaller/pkg/ipc 6.767s ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ok github.com/google/syzkaller/pkg/kd (cached) ok github.com/google/syzkaller/pkg/log (cached) ok github.com/google/syzkaller/pkg/mgrconfig 1.029s ok github.com/google/syzkaller/pkg/osutil (cached) ok github.com/google/syzkaller/pkg/report 3.182s ok github.com/google/syzkaller/pkg/repro 1.854s ? github.com/google/syzkaller/pkg/rpctype [no test files] ok github.com/google/syzkaller/pkg/runtest 19.611s ok github.com/google/syzkaller/pkg/serializer (cached) ? github.com/google/syzkaller/pkg/signal [no test files] ok github.com/google/syzkaller/pkg/symbolizer 0.278s ok github.com/google/syzkaller/pkg/vcs 4.405s ok github.com/google/syzkaller/prog 5.730s ok github.com/google/syzkaller/prog/test 4.062s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ok github.com/google/syzkaller/sys/linux 1.037s ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ok github.com/google/syzkaller/sys/openbsd 0.166s ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ok github.com/google/syzkaller/syz-ci 1.949s ? github.com/google/syzkaller/syz-fuzzer [no test files] ok github.com/google/syzkaller/syz-hub 0.223s ok github.com/google/syzkaller/syz-hub/state 0.210s ? github.com/google/syzkaller/syz-manager [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-env [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.680s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 2.069s ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ok github.com/google/syzkaller/vm 9.867s ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ? github.com/google/syzkaller/vm/isolated [no test files] ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ok github.com/google/syzkaller/vm/vmimpl (cached) ? github.com/google/syzkaller/vm/vmm [no test files]