// https://syzkaller.appspot.com/bug?id=0b210638616bb68109e9642158d4c0072770ae1c // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static __thread int clone_ongoing; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { exit(sig); } uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static void netlink_nest(struct nlmsg* nlmsg, int typ) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_type = typ; nlmsg->pos += sizeof(*attr); nlmsg->nested[nlmsg->nesting++] = attr; } static void netlink_done(struct nlmsg* nlmsg) { struct nlattr* attr = nlmsg->nested[--nlmsg->nesting]; attr->nla_len = nlmsg->pos - (char*)attr; } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static unsigned int queue_count = 2; static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name, bool up) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(nlmsg, IFLA_IFNAME, name, strlen(name)); netlink_attr(nlmsg, IFLA_NUM_TX_QUEUES, &queue_count, sizeof(queue_count)); netlink_attr(nlmsg, IFLA_NUM_RX_QUEUES, &queue_count, sizeof(queue_count)); netlink_nest(nlmsg, IFLA_LINKINFO); netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type)); } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static struct nlmsg nlmsg; #define MAX_FDS 30 #define USB_MAX_IFACE_NUM 4 #define USB_MAX_EP_NUM 32 #define USB_MAX_FDS 6 struct usb_endpoint_index { struct usb_endpoint_descriptor desc; int handle; }; struct usb_iface_index { struct usb_interface_descriptor* iface; uint8_t bInterfaceNumber; uint8_t bAlternateSetting; uint8_t bInterfaceClass; struct usb_endpoint_index eps[USB_MAX_EP_NUM]; int eps_num; }; struct usb_device_index { struct usb_device_descriptor* dev; struct usb_config_descriptor* config; uint8_t bDeviceClass; uint8_t bMaxPower; int config_length; struct usb_iface_index ifaces[USB_MAX_IFACE_NUM]; int ifaces_num; int iface_cur; }; struct usb_info { int fd; struct usb_device_index index; }; static struct usb_info usb_devices[USB_MAX_FDS]; static struct usb_device_index* lookup_usb_index(int fd) { for (int i = 0; i < USB_MAX_FDS; i++) { if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd) return &usb_devices[i].index; } return NULL; } static int usb_devices_num; static bool parse_usb_descriptor(const char* buffer, size_t length, struct usb_device_index* index) { if (length < sizeof(*index->dev) + sizeof(*index->config)) return false; memset(index, 0, sizeof(*index)); index->dev = (struct usb_device_descriptor*)buffer; index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev)); index->bDeviceClass = index->dev->bDeviceClass; index->bMaxPower = index->config->bMaxPower; index->config_length = length - sizeof(*index->dev); index->iface_cur = -1; size_t offset = 0; while (true) { if (offset + 1 >= length) break; uint8_t desc_length = buffer[offset]; uint8_t desc_type = buffer[offset + 1]; if (desc_length <= 2) break; if (offset + desc_length > length) break; if (desc_type == USB_DT_INTERFACE && index->ifaces_num < USB_MAX_IFACE_NUM) { struct usb_interface_descriptor* iface = (struct usb_interface_descriptor*)(buffer + offset); index->ifaces[index->ifaces_num].iface = iface; index->ifaces[index->ifaces_num].bInterfaceNumber = iface->bInterfaceNumber; index->ifaces[index->ifaces_num].bAlternateSetting = iface->bAlternateSetting; index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass; index->ifaces_num++; } if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) { struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1]; if (iface->eps_num < USB_MAX_EP_NUM) { memcpy(&iface->eps[iface->eps_num].desc, buffer + offset, sizeof(iface->eps[iface->eps_num].desc)); iface->eps_num++; } } offset += desc_length; } return true; } static struct usb_device_index* add_usb_index(int fd, const char* dev, size_t dev_len) { int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED); if (i >= USB_MAX_FDS) return NULL; if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index)) return NULL; __atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE); return &usb_devices[i].index; } struct vusb_connect_string_descriptor { uint32_t len; char* str; } __attribute__((packed)); struct vusb_connect_descriptors { uint32_t qual_len; char* qual; uint32_t bos_len; char* bos; uint32_t strs_len; struct vusb_connect_string_descriptor strs[0]; } __attribute__((packed)); static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0}; static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04}; static bool lookup_connect_response_in(int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, struct usb_qualifier_descriptor* qual, char** response_data, uint32_t* response_length) { struct usb_device_index* index = lookup_usb_index(fd); uint8_t str_idx; if (!index) return false; switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_GET_DESCRIPTOR: switch (ctrl->wValue >> 8) { case USB_DT_DEVICE: *response_data = (char*)index->dev; *response_length = sizeof(*index->dev); return true; case USB_DT_CONFIG: *response_data = (char*)index->config; *response_length = index->config_length; return true; case USB_DT_STRING: str_idx = (uint8_t)ctrl->wValue; if (descs && str_idx < descs->strs_len) { *response_data = descs->strs[str_idx].str; *response_length = descs->strs[str_idx].len; return true; } if (str_idx == 0) { *response_data = (char*)&default_lang_id[0]; *response_length = default_lang_id[0]; return true; } *response_data = (char*)&default_string[0]; *response_length = default_string[0]; return true; case USB_DT_BOS: *response_data = descs->bos; *response_length = descs->bos_len; return true; case USB_DT_DEVICE_QUALIFIER: if (!descs->qual) { qual->bLength = sizeof(*qual); qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER; qual->bcdUSB = index->dev->bcdUSB; qual->bDeviceClass = index->dev->bDeviceClass; qual->bDeviceSubClass = index->dev->bDeviceSubClass; qual->bDeviceProtocol = index->dev->bDeviceProtocol; qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0; qual->bNumConfigurations = index->dev->bNumConfigurations; qual->bRESERVED = 0; *response_data = (char*)qual; *response_length = sizeof(*qual); return true; } *response_data = descs->qual; *response_length = descs->qual_len; return true; default: break; } break; default: break; } break; default: break; } return false; } typedef bool (*lookup_connect_out_response_t)( int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done); static bool lookup_connect_response_out_generic( int fd, const struct vusb_connect_descriptors* descs, const struct usb_ctrlrequest* ctrl, bool* done) { switch (ctrl->bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch (ctrl->bRequest) { case USB_REQ_SET_CONFIGURATION: *done = true; return true; default: break; } break; } return false; } struct vusb_descriptor { uint8_t req_type; uint8_t desc_type; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_descriptors { uint32_t len; struct vusb_descriptor* generic; struct vusb_descriptor* descs[0]; } __attribute__((packed)); struct vusb_response { uint8_t type; uint8_t req; uint32_t len; char data[0]; } __attribute__((packed)); struct vusb_responses { uint32_t len; struct vusb_response* generic; struct vusb_response* resps[0]; } __attribute__((packed)); static bool lookup_control_response(const struct vusb_descriptors* descs, const struct vusb_responses* resps, struct usb_ctrlrequest* ctrl, char** response_data, uint32_t* response_length) { int descs_num = 0; int resps_num = 0; if (descs) descs_num = (descs->len - offsetof(struct vusb_descriptors, descs)) / sizeof(descs->descs[0]); if (resps) resps_num = (resps->len - offsetof(struct vusb_responses, resps)) / sizeof(resps->resps[0]); uint8_t req = ctrl->bRequest; uint8_t req_type = ctrl->bRequestType & USB_TYPE_MASK; uint8_t desc_type = ctrl->wValue >> 8; if (req == USB_REQ_GET_DESCRIPTOR) { int i; for (i = 0; i < descs_num; i++) { struct vusb_descriptor* desc = descs->descs[i]; if (!desc) continue; if (desc->req_type == req_type && desc->desc_type == desc_type) { *response_length = desc->len; if (*response_length != 0) *response_data = &desc->data[0]; else *response_data = NULL; return true; } } if (descs && descs->generic) { *response_data = &descs->generic->data[0]; *response_length = descs->generic->len; return true; } } else { int i; for (i = 0; i < resps_num; i++) { struct vusb_response* resp = resps->resps[i]; if (!resp) continue; if (resp->type == req_type && resp->req == req) { *response_length = resp->len; if (*response_length != 0) *response_data = &resp->data[0]; else *response_data = NULL; return true; } } if (resps && resps->generic) { *response_data = &resps->generic->data[0]; *response_length = resps->generic->len; return true; } } return false; } #define UDC_NAME_LENGTH_MAX 128 struct usb_raw_init { __u8 driver_name[UDC_NAME_LENGTH_MAX]; __u8 device_name[UDC_NAME_LENGTH_MAX]; __u8 speed; }; enum usb_raw_event_type { USB_RAW_EVENT_INVALID = 0, USB_RAW_EVENT_CONNECT = 1, USB_RAW_EVENT_CONTROL = 2, }; struct usb_raw_event { __u32 type; __u32 length; __u8 data[0]; }; struct usb_raw_ep_io { __u16 ep; __u16 flags; __u32 length; __u8 data[0]; }; #define USB_RAW_EPS_NUM_MAX 30 #define USB_RAW_EP_NAME_MAX 16 #define USB_RAW_EP_ADDR_ANY 0xff struct usb_raw_ep_caps { __u32 type_control : 1; __u32 type_iso : 1; __u32 type_bulk : 1; __u32 type_int : 1; __u32 dir_in : 1; __u32 dir_out : 1; }; struct usb_raw_ep_limits { __u16 maxpacket_limit; __u16 max_streams; __u32 reserved; }; struct usb_raw_ep_info { __u8 name[USB_RAW_EP_NAME_MAX]; __u32 addr; struct usb_raw_ep_caps caps; struct usb_raw_ep_limits limits; }; struct usb_raw_eps_info { struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX]; }; #define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init) #define USB_RAW_IOCTL_RUN _IO('U', 1) #define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event) #define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor) #define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32) #define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io) #define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io) #define USB_RAW_IOCTL_CONFIGURE _IO('U', 9) #define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32) #define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info) #define USB_RAW_IOCTL_EP0_STALL _IO('U', 12) #define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32) #define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32) #define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32) static int usb_raw_open() { return open("/dev/raw-gadget", O_RDWR); } static int usb_raw_init(int fd, uint32_t speed, const char* driver, const char* device) { struct usb_raw_init arg; strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name)); strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name)); arg.speed = speed; return ioctl(fd, USB_RAW_IOCTL_INIT, &arg); } static int usb_raw_run(int fd) { return ioctl(fd, USB_RAW_IOCTL_RUN, 0); } static int usb_raw_ep_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP_WRITE, io); } static int usb_raw_configure(int fd) { return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0); } static int usb_raw_vbus_draw(int fd, uint32_t power) { return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power); } static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io); } static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) { return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io); } static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) { return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event); } static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) { return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc); } static int usb_raw_ep_disable(int fd, int ep) { return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep); } static int usb_raw_ep0_stall(int fd) { return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0); } static int lookup_interface(int fd, uint8_t bInterfaceNumber, uint8_t bAlternateSetting) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; for (int i = 0; i < index->ifaces_num; i++) { if (index->ifaces[i].bInterfaceNumber == bInterfaceNumber && index->ifaces[i].bAlternateSetting == bAlternateSetting) return i; } return -1; } static int lookup_endpoint(int fd, uint8_t bEndpointAddress) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; if (index->iface_cur < 0) return -1; for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) if (index->ifaces[index->iface_cur].eps[ep].desc.bEndpointAddress == bEndpointAddress) return index->ifaces[index->iface_cur].eps[ep].handle; return -1; } #define USB_MAX_PACKET_SIZE 4096 struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; char data[USB_MAX_PACKET_SIZE]; }; struct usb_raw_ep_io_data { struct usb_raw_ep_io inner; char data[USB_MAX_PACKET_SIZE]; }; static void set_interface(int fd, int n) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return; if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) { int rv = usb_raw_ep_disable( fd, index->ifaces[index->iface_cur].eps[ep].handle); if (rv < 0) { } else { } } } if (n >= 0 && n < index->ifaces_num) { for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) { int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc); if (rv < 0) { } else { index->ifaces[n].eps[ep].handle = rv; } } index->iface_cur = n; } } static int configure_device(int fd) { struct usb_device_index* index = lookup_usb_index(fd); if (!index) return -1; int rv = usb_raw_vbus_draw(fd, index->bMaxPower); if (rv < 0) { return rv; } rv = usb_raw_configure(fd); if (rv < 0) { return rv; } set_interface(fd, 0); return 0; } static volatile long syz_usb_connect_impl(uint64_t speed, uint64_t dev_len, const char* dev, const struct vusb_connect_descriptors* descs, lookup_connect_out_response_t lookup_connect_response_out) { if (!dev) { return -1; } int fd = usb_raw_open(); if (fd < 0) { return fd; } if (fd >= MAX_FDS) { close(fd); return -1; } struct usb_device_index* index = add_usb_index(fd, dev, dev_len); if (!index) { return -1; } char device[32]; sprintf(&device[0], "dummy_udc.%llu", procid); int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]); if (rv < 0) { return rv; } rv = usb_raw_run(fd); if (rv < 0) { return rv; } bool done = false; while (!done) { struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = sizeof(event.ctrl); rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) continue; char* response_data = NULL; uint32_t response_length = 0; struct usb_qualifier_descriptor qual; if (event.ctrl.bRequestType & USB_DIR_IN) { if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual, &response_data, &response_length)) { usb_raw_ep0_stall(fd); continue; } } else { if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) { usb_raw_ep0_stall(fd); continue; } response_data = NULL; response_length = event.ctrl.wLength; } if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD && event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) { rv = configure_device(fd); if (rv < 0) { return rv; } } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if (event.ctrl.bRequestType & USB_DIR_IN) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } } sleep_ms(200); return fd; } static volatile long syz_usb_connect(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { uint64_t speed = a0; uint64_t dev_len = a1; const char* dev = (const char*)a2; const struct vusb_connect_descriptors* descs = (const struct vusb_connect_descriptors*)a3; return syz_usb_connect_impl(speed, dev_len, dev, descs, &lookup_connect_response_out_generic); } static volatile long syz_usb_control_io(volatile long a0, volatile long a1, volatile long a2) { int fd = a0; const struct vusb_descriptors* descs = (const struct vusb_descriptors*)a1; const struct vusb_responses* resps = (const struct vusb_responses*)a2; struct usb_raw_control_event event; event.inner.type = 0; event.inner.length = USB_MAX_PACKET_SIZE; int rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event); if (rv < 0) { return rv; } if (event.inner.type != USB_RAW_EVENT_CONTROL) { return -1; } char* response_data = NULL; uint32_t response_length = 0; if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { if (!lookup_control_response(descs, resps, &event.ctrl, &response_data, &response_length)) { usb_raw_ep0_stall(fd); return -1; } } else { if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD || event.ctrl.bRequest == USB_REQ_SET_INTERFACE) { int iface_num = event.ctrl.wIndex; int alt_set = event.ctrl.wValue; int iface_index = lookup_interface(fd, iface_num, alt_set); if (iface_index < 0) { } else { set_interface(fd, iface_index); } } response_length = event.ctrl.wLength; } struct usb_raw_ep_io_data response; response.inner.ep = 0; response.inner.flags = 0; if (response_length > sizeof(response.data)) response_length = 0; if (event.ctrl.wLength < response_length) response_length = event.ctrl.wLength; if ((event.ctrl.bRequestType & USB_DIR_IN) && !event.ctrl.wLength) { response_length = USB_MAX_PACKET_SIZE; } response.inner.length = response_length; if (response_data) memcpy(&response.data[0], response_data, response_length); else memset(&response.data[0], 0, response_length); if ((event.ctrl.bRequestType & USB_DIR_IN) && event.ctrl.wLength) { rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response); } else { rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response); } if (rv < 0) { return rv; } sleep_ms(200); return 0; } static volatile long syz_usb_ep_write(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { int fd = a0; uint8_t ep = a1; uint32_t len = a2; char* data = (char*)a3; int ep_handle = lookup_endpoint(fd, ep); if (ep_handle < 0) { return -1; } struct usb_raw_ep_io_data io_data; io_data.inner.ep = ep_handle; io_data.inner.flags = 0; if (len > sizeof(io_data.data)) len = sizeof(io_data.data); io_data.inner.length = len; memcpy(&io_data.data[0], data, len); int rv = usb_raw_ep_write(fd, (struct usb_raw_ep_io*)&io_data); if (rv < 0) { return rv; } sleep_ms(200); return 0; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } #define NL802154_CMD_SET_SHORT_ADDR 11 #define NL802154_ATTR_IFINDEX 3 #define NL802154_ATTR_SHORT_ADDR 10 static const char* setup_802154() { const char* error = NULL; int sock_generic = -1; int sock_route = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock_route == -1) { error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) failed"; goto fail; } sock_generic = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock_generic == -1) { error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed"; goto fail; } { int nl802154_family_id = netlink_query_family_id(&nlmsg, sock_generic, "nl802154", true); if (nl802154_family_id < 0) { error = "netlink_query_family_id failed"; goto fail; } for (int i = 0; i < 2; i++) { char devname[] = "wpan0"; devname[strlen(devname) - 1] += i; uint64_t hwaddr = 0xaaaaaaaaaaaa0002 + (i << 8); uint16_t shortaddr = 0xaaa0 + i; int ifindex = if_nametoindex(devname); struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL802154_CMD_SET_SHORT_ADDR; netlink_init(&nlmsg, nl802154_family_id, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(&nlmsg, NL802154_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(&nlmsg, NL802154_ATTR_SHORT_ADDR, &shortaddr, sizeof(shortaddr)); if (netlink_send(&nlmsg, sock_generic) < 0) { error = "NL802154_CMD_SET_SHORT_ADDR failed"; goto fail; } netlink_device_change(&nlmsg, sock_route, devname, true, 0, &hwaddr, sizeof(hwaddr), 0); if (i == 0) { netlink_add_device_impl(&nlmsg, "lowpan", "lowpan0", false); netlink_done(&nlmsg); netlink_attr(&nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex)); if (netlink_send(&nlmsg, sock_route) < 0) { error = "netlink: adding device lowpan0 type lowpan link wpan0"; goto fail; } } } } fail: close(sock_route); close(sock_generic); return error; } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // socket$inet6_sctp arguments: [ // domain: const = 0xa (8 bytes) // type: sctp_socket_type = 0x1 (8 bytes) // proto: const = 0x84 (4 bytes) // ] // returns sock_sctp6 syscall(__NR_socket, /*domain=*/0xaul, /*type=SOCK_STREAM*/ 1ul, /*proto=*/0x84); // syz_usb_connect$hid arguments: [ // speed: usb_device_speed = 0x0 (8 bytes) // dev_len: len = 0x36 (8 bytes) // dev: ptr[inout, array[ANYUNION]] { // array[ANYUNION] { // union ANYUNION { // ANYBLOB: buffer: {12 01 00 00 00 00 00 40 26 09 33 33 40 00 00 00 // 00 01 09 02 24 00 01 00 00 00 00 09 04 00 00 01 03 01 00 00 09 21 // 00 00 00 01 22 01 00 09 05 81 03 08} (length 0x32) // } // } // } // conn_descs: nil // ] // returns fd_usb_hid NONFAILING(memcpy( (void*)0x200000000000, "\x12\x01\x00\x00\x00\x00\x00\x40\x26\x09\x33\x33\x40\x00\x00\x00\x00\x01" "\x09\x02\x24\x00\x01\x00\x00\x00\x00\x09\x04\x00\x00\x01\x03\x01\x00\x00" "\x09\x21\x00\x00\x00\x01\x22\x01\x00\x09\x05\x81\x03\x08", 50)); res = -1; NONFAILING(res = syz_usb_connect(/*speed=*/0, /*dev_len=*/0x36, /*dev=*/0x200000000000, /*conn_descs=*/0)); if (res != -1) r[0] = res; // sendmsg$inet6 arguments: [ // fd: sock_in6 (resource) // msg: ptr[in, msghdr_inet6] { // msghdr_inet6 { // msg_name: nil // msg_namelen: len = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // msg_iov: ptr[in, array[iovec[in, array[int8]]]] { // array[iovec[in, array[int8]]] { // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {} (length 0x0) // } // len: len = 0x0 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {de 40 10 be 75 5d 29 0b bc cb 16 28 85 00 95 6f c9 // 94 8d 6e b5 1c 70 74 49 b1 42 0d 0f f9 ed 16 49 a6 4e 49 71 // df a4 11 e1 97 32 00 81 12 14 df e8 e9 be e4 3f 06 bd 36 92 // 35 12 50 d3 a1 38 f0 39 0f 4b ce fe 40 39 f9 d6 e8 86 12 98 // a8 b2 9d d3 f6 02 31 35 0f b1 81 97 b5 80 e3 e7 e5 a6 d4 59 // d8 56 43 bb c2 0f 15 74 fe 87 2f a9 c2 88 7a 63 08 17 ad 5d // a8 3f 5e 1c ae 77 45 59 13 d2 60 9c 9c ce 98 76 59 95 d3 4a // 3e b0 83 96 ff 0e ab ea 02 ae 52 d2 eb 3c cb e9 6b 1b be 3c // d9 49 6b e2 87 51 93 e8 45 16 3c 6a dd 97 b8 6c db 17 7c 60 // 74 db 48 42 20 6e cc 2b 5b a2 63 96 46 85 9d c3 30 c5 3f b7 // 65 01 64 c1 3c cd 6c b9 db ae 2d 7b ac 65 db c5 a6 c9 50 01 // 9c f1 59 54 ff 39 29 38 6b e4 93 96 12 79 b8 1b d7 c8 ba 7b // 90 de 00 22 d7 5f da a7 70 cb 77 3b 82 d3 9c e2 84 f6 69 bd // d7 09 2d b5 35 0a 3e 09 62 a4 57 94 97 7e 45 3a 45 dc 98 cf // 65 35 8d 67 ac e4 c4 d1 6e 74 00 0f d9 1f dc 06 30 7c 7b 2d // 53 22 04 67 62 cb ac ac d3 5a 80 ee 22 dd d1 eb c7 3f c6 4d // bd 1d ff 3b 90 98 8c 67 2e fd e6 ed 15 90 19 fc 26 8c 65 72 // 80 5a f1 6c 0e 76 31 66 e2 6e 6f cb 24 99 bc eb 98 ef 33 e1 // 60 5a 0d 13 8d b4 eb 98 b6 50 8e 94 f1 b5 2b 4d 66 9b 43 98 // 5f a0 0f 7e a6 c1 37 c2 d1 9d 17 39 2a 59 86 62 49 5b ff d6 // 04 69 65 3b e0 7e 54 ee 44 f7 89 d9 b5 4b 62 d1 81 d3 f4 73 // 60 89 a5 38 bb 86 2a c1 47 eb 0c 8a d2 09 e3 12 0f 03 9b 96 // 14 8f e9 8c 9d 1e 99 4e 7c e8 81 b2 78 c5 da 15 a3 be 7c d1 // 29 f1 3d fb 8f 6d 0b 4a ac b3 58 58 47 39 4d 3b 56 5c 27 26 // 65 20 53 55 6f a8 5c de 4c 7f 7b 8a 8c 12 9b fd 29 64 8e 46 // 1c 65 ec fe 19 28 12 0e 1b 41 ea 06 06 00 bb 12 2e dc 7a fa // 9e c6 06 46 10 c2 46 47 a5 c3 8b c4 78 6e fb db 66 b5 c5 51 // b2 c7 f0 71 88 a5 8e 98 b2 34 b8 7b 57 89 98 e5 82 f1 57 56 // 05 41 03 4a 30 a4 51 92 a4 27 a0 cc 2a a0 bc 3f a8 0b 6b 90 // 5f 69 68 1e 2e 6c 15 98 19 2a e7 37 e1 89 6e 65 2c 70 a3 4a // b6 3f 20 34 52 4b f2 02 41 57 6b a5 82 3f cf 4f 96 1a 32 fd // 7c 0b f4 6f 61 93 62 50 79 07 a4 4f 52 d5 a4 bf 55 9a c4 e5 // 85 cc 99 35 e3 3a 26 0b f1 78 7c db cb 5f 21 21 93 86 aa 21 // 81 b6 dd 1e f7 60 eb bc 74 9a 2e a1 0f f4 a3 74 86 af 7c 95 // 27 3e cd 72 60 c8 e3 0b 84 1f a7 eb 75 92 be b5 e9 3d 1e e0 // 42 2b d3 f2 31 a7 63 bc 68 53 bf 5e a5 2a 03 e7 14 cc c7 5c // d6 f7 4c 8a ca 26 22 82 55 01 db 2b 49 6e 4a 51 ce ef 09 a8 // 18 45 29 b1 ed 1b 83 8b eb d9 f3 26 34 11 0a 56 04 c2 7a 47 // 1b 18 69 e7 a6 4b 4f 74 47 94 47 15 97 af 4e 31 14 55 93 f0 // a6 d4 ad c6 1e 82 60 2f ee 76 1e 9a 68 6b f1 62 e9 74 58 8c // cd 43 87 bb 8a b7 26 61 dd cb 76 02 1f 1f 80 cc 20 b5 20 3a // fd 8d fa 5e 44 a8 8b 35 d7 dc 45 56 8f 2e 79 6f 2e c3 3b 63 // 0c 5d 43 77 94 e5 1b 4c 1d a9 2d 43 ef 3a 11 d8 e9 a5 a7 98 // 6c b6 0d 6b 2d 4b 47 46 6e 59 26 d8 54 f5 49 82 d8 a9 df 89 // 81 86 91 b1 81 1b 0e 35 84 23 82 df e1 40 dc 63 e4 62 a3 3c // 70 55 0d d4 cc ce 02 f8 e1 5a 01 26 b0 31 79 6d 90 64 29 49 // e8 c2 64 44 1a 91 ad df 3e 92 c2 3a b9 0e 1d 0b 1c dd 4d 01 // 4c 8d 96 55 2d 74 67 24 cf 78 1b 8b 0b 59 a4 b0 e0 cf 94 07 // a4 40 0a 3f da a9 73 1f 10 f7 50 ac 95 2d c3 8a 42 bf 3b 54 // 71 94 a1 25 fa e9 c3 63 87 23 4b 6e 1d 0d ba 1e 27 e1 60 4d // db db 63 24 86 48 45 4e ba 33 2b ea 26 6d 34 6e a8 77 f4 39 // d7 4e ab 75 f9 29 85 6b df aa fb 36 ce 45 d9 b1 d3 b3 d6 22 // 7e 2a a6 57 18 33 45 63 c0 fe e2 30 0e 40 22 29 af 9f 35 d8 // f5 c8 8b c1 59 e5 3c 1b 53 27 70 e7 fa d9 8d 34 6e e2 10 6e // 9a 2a 06 cc 5e 46 45 e6 ec 74 0b 90 e3 59 6c 47 de c0 32 18 // 48 72 d9 6e bb 1d 75 95 d5 1b c2 54 8c 1e 6c 5f b8 7f ec 21 // 4c d8 bc 5b 1f 69 34 b0 9e f0 ec b8 5a b2 fd b2 2f b9 0f bf // b5 6a 35 8c 8d 1a 47 fb 4a c9 1b 68 2f 10 1f 44 e6 39 96 66 // be 1d 09 05 d0 39 96 e1 a5 e7 ac d4 e0 c1 e7 b2 fc 6c 9a 2d // 98 9d 99 aa 31 1b c2 d9 d7 f8 82 57 b5 fe 5b 7d 6e 02 c8 8e // 68 ad f8 ee ab 5d 58 d4 4b 3c 12 9f 4d 3f 90 d7 ac 99 19 ea // 63 9f c7 b1 a6 3e 57 20 bb d5 3e f5 9b 06 91 83 46 7e f9 c6 // f4 b5 b6 a5 46 59 12 49 57 db f5 1e 8f 98 9f 92 9e 76 c4 8e // c3 a9 45 de f5 c8 2f 3c d4 05 00 57 ae c7 98 d8 be b5 e9 54 // 43 5e a7 b2 99 a2 02 5c ac 76 e9 55 02 bb 5a 2f 94 a0 14 fa // fd 9e 5f e5 73 ed 25 1c dc a6 a5 08 c9 e2 e6 0f aa d7 91 eb // 8e c4 e5 f6 fd d6 9c f8 20 fb 2a ff ff 17 4b e1 c3 34 10 86 // 8a 9d 78 3e d7 04 81 a5 79 98 94 fe 89 1e b6 f2 a6 52 6d 7a // f7 f7 ca 0f 53 5e a1 87 5f 47 a8 d9 64 98 e6 21 02 02 32 0c // 45 24 4c d7 aa 1f 0e 13 33 65 46 0a a4 ad 08 aa d1 3e 04 9c // 1b 90 52 d5 2c b3 3e cb f5 b6 74 99 77 db cc 12 57 04 1c 66 // 1b ca 95 3b 1d 4f 4b 1c d2 e0 98 db 0e 4a 53 e0 e1 16 8f 26 // 10 1f 57 db 98 1c 24 f3 0f 40 e4 2f 13 b4 ea b7 54 5e 5f b1 // 13 e8 d1 6c fd 5d 97 c7 33 7b 6d f6 d9 af f3 66 48 d1 35 ad // c9 94 bf ea 49 2c c8 11 5e 3e 4a 9a 05 72 d4 4c d5 28 1e 39 // 61 97 39 23 57 3f 43 01 d9 54 53 c6 94 f7 ae 98 00 48 7f c3 // 7a d1 49 85 83 b8 e1 88 55 02 bb df 1f 70 88 84 71 b7 03 e9 // 4a f2 10 1d 35 fc c8 e4 66 54 0a 17 c9 aa 82 76 2b b5 2d 0e // b5 50 26 ca 24 96 c3 fe 70 9e e0 ee a4 71 be 70 dc c3 99 bb // 49 9f 30 e7 c7 05 37 58 a3 4b fd 8b d4 51 28 6d 1a 48 44 ba // 06 da 19 51 e1 5f 65 26 bd 27 59 96 ce d0 ec 33 71 02 ee a8 // 13 ad 07 3c 75 7e 58 8d 41 52 c7 66 a3 7c 63 aa ba 4e 94 6f // cd 39 f8 7b 8c 3a ba 65 4b a9 59 4b 3f 8b 87 0d d5 8c 4f 1d // 53 56 8f f5 aa d9 85 fd 73 5d 00 5d 82 58 ac a5 fc 9c 9a 39 // a4 82 ea e3 7c 87 49 66 3c 5d d1 7b ad 60 b1 82 b0 29 e0 2e // 76 3e 28 76 9c 41 62 9b 52 bb 84 4a 43 85 b5 2c f6 5b 70 b0 // 12 7b 9f 9d ae ff d6 37 90 10 b9 7f 1b 47 98 6f 5c e9 15 f2 // 79 31 2d 9c b0 e9 6f a8 d1 7d 5e c3 c8 10 90 09 b3 65 95 f8 // 22 7d 83 31 d4 9c d8 93 6a de 2e ee 72 f7 79 de 0b 04 13 23 // c2 c1 07 50 33 2e 24 47 36 9a f3 b0 de 3d aa 20 7d 05 0f 96 // 86 b1 7f 29 e1 e8 ff f1 31 69 a6 af 46 a3 c6 5c 59 47 9b 15 // 23 f6 2c b7 b1 e2 94 e5 15 f3 66 d3 4d 0c 71 e1 a0 63 8c 5e // 05 01 22 27 6d 9d 37 b2 25 93 69 e0 14 5c e8 88 c3 bc 24 c6 // f0 43 de 9b 02 99 df eb 16 5f 27 39 82 36 16 ee 56 e1 b7 13 // ed 55 00 18 4c b8 25 30 91 19 b5 88 4b 16 09 b3 b2 5f d3 5a // 49 9b 81 5b 07 b8 77 60 49 1a 34 08 5c f2 55 d4 21 31 42 84 // 47 32 b9 04 23 d1 77 15 d2 bb 83 4d f3 ef 4f b0 f0 d4 d8 85 // 15 be 3e c4 92 92 de 36 43 75 db 71 3e 25 28 64 7c 10 85 d3 // 85 f3 4f 77 cd 1a da a9 7a 7a 38 33 8c 17 c6 88 be 44 1a c6 // 34 39 dc 87 4d 76 92 fa 50 43 32 1b cf 21 8e d3 03 f4 0a 7a // e4 98 bb 8b bd 1f e4 b4 00 af bf 41 a5 b8 fc 23 53 24 83 e6 // 83 9d 90 b5 c7 e4 77 ab d4 49 a1 b2 48 6d 9a 55 11 6c 78 e6 // dd bd be 10 04 01 1e 8a fd 62 df ac 3f e7 b4 16 90 17 5e 37 // fb 21 51 47 0e 3e ee bd 08 4e 71 0d f4 1d 78 b3 a5 4f df d9 // a1 24 d0 ee 81 7b 51 90 f0 19 32 e5 42 ec 08 8a f5 fc 7d 9a // 57 ea 40 3b fc 6b 45 d2 79 d9 86 e4 9e 48 02 fb 7c c1 63 cb // aa d3 2c 6a 29 93 1f 63 59 0c 42 a7 7e d2 cb 34 9e bd 78 ff // 5c 9f e3 98 f1 86 1f 61 e0 67 fe ec 0f b6 3a 66 6d 57 cf ee // da 13 8f e0 3d 78 24 bf 04 d8 2a f8 f0 0c 99 f2 fa e8 a6 1c // d1 07 8a 10 cc f6 ae 9f 74 52 18 0a 89 7e 8b 5d 4f 20 5d 4b // 66 fa 29 9e 95 37 a9 56 8a 0a 26 b9 e4 7a e5 fb eb eb 29 ad // 06 30 a8 4c 74 2c ce 3b 11 83 4d fb 52 de 81 91 ca 94 81 7e // 26 dd 25 f3 82 21 87 93 c1 b7 bf a6 01 ee 9f 28 31 a7 c1 d2 // 86 d8 50 08 a8 1f 3e e2 29 92 e9 b5 53 6a 96 2e e8 be 7d 66 // 0c ac 55 bc de 40 f2 a0 a5 3e 08 00 6e cd 04 cd 13 98 60 25 // 0c 85 cc 51 db 28 9b 10 94 3a e3 14 28 40 59 11 cc 89 4c 61 // 10 b2 8f d5 07 b0 98 c7 92 2f b4 0d 37 d2 58 e2 58 c8 bd 0a // 04 a1 be ce f7 09 0f f2 e4 d3 ec 8f c3 10 cd a1 6c df 3f 19 // a1 81 22 e6 4a d7 e5 2a 08 78 2d 51 37 30 7e aa 1a 2b 5a b8 // ca f3 b8 92 e8 b2 6c c5 bc 83 11 96 fa ce 1a 62 04 1c 44 fe // a0 03 2c bf ac 8e 69 52 e5 1e e7 5a e8 5b 90 15 01 97 35 65 // 04 a7 c3 58 34 ab cb 5e 5d 99 0e 80 d0 6f f9 a5 d3 a4 4c 72 // cc 76 ba ca 5b 7d 6b 9f f4 1c 0f 14 b9 09 ba b0 a4 36 d6 c2 // fc 5d db db c7 ad 45 7b a1 2e bc 60 e5 45 e6 40 fe bc 71 2c // 8c a1 f8 7d 9b 9b 8d d3 50 ec 03 75 65 2b 60 3a 66 29 b5 19 // 51 1b 37 ff 5b 26 39 ca 2c 4c ef 89 36 9d 3e 6e 0d b6 2a e4 // 86 17 8c e1 d8 43 73 e6 5b eb ab e4 a3 fd ee 22 c3 2b 6c 31 // d1 78 42 da 89 2c ef ab ed 27 82 0f f8 eb e2 98 31 b9 b1 30 // c6 cd a2 85 10 f4 a1 8a c0 63 10 2d 3f e7 2e 46 cb 14 5c 28 // 28 5a c2 a1 58 42 06 8d 4b a8 10 9a d8 a2 ad e0 18 39 cb 68 // e8 21 02 b7 01 42 4c 3c 7a 13 54 7b 2a e8 55 be 7d b6 4b b5 // aa e1 f6 3f b4 46 f6 51 3f fc 94 07 fe 18 2d f7 2f eb 8a 2d // 98 a2 ce 3f be af 17 5c 68 d9 3b 5e ba e8 7d b5 f4 c7 5e ac // ac 71 9a a1 ae 59 06 16 84 55 64 52 3d 8f c0 35 0e 1e 9c 5d // 6f 5d d1 8c a9 c7 35 31 3a d2 86 b6 e1 56 37 b4 71 66 91 0e // 4b 65 24 04 7d 4e 0a 50 90 13 e0 49 dd 12 49 33 a4 e2 61 09 // e7 f6 18 8c d5 1d d4 64 84 d1 a0 ff 55 1c c1 34 e8 09 54 c3 // 4e 6d 62 5a 1d 5e 45 42 df e2 55 63 b2 ab 03 d8 e4 9a 88 9d // 89 8a 52 70 cc 35 1a 3b 4d f6 0a f3 92 76 da 3b d8 85 1e 2a // d6 c5 3e e9 71 dd ba 10 76 97 c7 f6 da 34 b7 00 34 f0 4e fc // 65 e6 48 fa 05 00 49 54 1d ed ca 02 69 7b ce cd e4 b0 e6 d3 // 25 d3 22 6e fa 21 98 e9 c9 da 06 26 5d 95 09 b4 08 5d ef f3 // 68 42 f4 da c1 c1 66 54 24 f1 07 de 4a af ee 84 58 18 e9 07 // 7c ea d1 42 41 9a 74 33 b8 69 41 73 87 26 03 2c 4a eb f7 a0 // a7 11 42 3d 39 a7 4e 61 6b d2 73 29 f5 9c 81 9b 7d bd 46 65 // 1e 43 c9 a8 a0 5e 3d 3a 7c fc 3d 65 55 33 b2 62 79 a1 c3 3f // 9c c1 ea 07 e7 06 4a 8d 68 84 9d 66 5c 44 38 2c d1 63 66 3e // e8 dc 37 bc 1b fa 99 c4 d6 cd ec 93 66 7f 50 b6 5f 95 57 f8 // 41 07 74 f3 96 20 6f d8 35 94 4c dc e5 30 90 2c 7d aa 9f 41 // 81 0e be fa 74 37 ca 14 27 5c 75 49 bb 53 bc d4 0f e7 b4 cf // 33 9f 34 a4 1b 99 1b 61 37 14 c9 01 52 b7 bf 47 79 05 b8 2d // 9e 6f f7 57 fb e8 11 07 7f a8 f3 bc 48 55 e9 af 09 db b6 ea // aa 46 9b dd 97 df e8 a7 b2 93 50 7a a7 41 65 32 06 81 f1 73 // 19 31 48 6c 2c b0 f6 b3 5e 0f cc 16 aa aa 62 e9 29 c1 61 2e // 9a 03 2d c8 bf db a7 5b 6f dd 2d 81 6f b3 a6 73 5a fe 97 fd // 15 29 14 6d 50 12 ae 5b cf 3f 5d 4b 19 a2 0c 20 27 b1 4a 9c // f2 63 60 15 95 74 94 74 9c e4 f9 c1 4b ef d1 2c 2d ec 7e 18 // 31 a6 8b 05 9f f4 58 d4 a5 8d c6 81 cd 96 bc 2f 64 bb b7 46 // 4d 4e 6b a4 e3 a7 cd 48 69 1f 42 57 59 c0 ce 8a 0b b1 8b 7d // 21 ab 43 09 7a b1 5c da bd 3c 43 1b 81 a2 4f 35 b0 f8 a0 22 // 30 16 64 b6 a0 28 ac 21 4d d3 1b 68 80 35 19 b2 cf 70 76 c3 // ac 2c 8c 6a 4a b1 34 fa 97 56 d5 0c 3f 38 58 b3 ef 2b 27 6e // f1 63 8b 7c c7 6f 5d 28 ce 4b e9 5e f0 98 6a 26 d3 b0 96 84 // fd a4 12 69 11 1a ff 68 46 a9 88 63 28 39 b6 b8 fa 80 ec 58 // f1 f8 4a d8 1f ee 14 2f a5 4b 91 62 f4 d3 a1 31 29 82 9f f2 // 5e b7 5c 64 23 da 63 34 15 2d df 33 39 b5 97 2b f1 78 29 c6 // b9 fb c7 f5 5d 08 4a 4c 29 1e 0d c7 91 ed 96 cc 3d cd b0 4c // d0 1f 44 b4 20 ff 6e b0 56 8b 1c 7e 8c df 45 0c aa 14 3f 5a // 07 72 b5 12 1c f7 51 30 fe ac 6e 64 32 2f 65 61 63 5a 05 40 // d1 aa 7b 36 d1 38 cc e3 e6 65 9b bb 79 ac 73 d7 ac 5c 6b 6e // a9 53 e5 2e b2 99 ec 36 13 76 e7 84 19 7a fb a8 f2 69 f6 c2 // 4f 73 5a ab 31 b3 6a e2 03 86 29 b2 68 e5 37 35 7e ea cd 2a // dd 73 d4 4b b5 49 b4 37 cc ff 8b 4d 3e 87 00 68 fa 82 90 a6 // 8a ab c1 9c 33 6b aa cb 20 82 3a e1 bc a4 4a 1c 1f e1 9c 34 // 48 51 00 65 53 77 d6 c0 c3 11 ad b0 6b fb 8e f7 3d bd db 29 // 97 19 f2 53 c9 86 9d 77 f7 b9 d3 c8 cc 2f 9d 08 79 05 d5 b2 // 5c 80 ae 63 00 b3 d7 06 e8 be b8 7e 8b 47 32 7b ee ae 80 5c // ad 7f d6 59 c6 8e 77 9e 94 32 3c 08 53 8b bc 21 a5 0c 81 7b // ae f5 01 f1 f8 4c cc e2 38 9d 75 35 13 ce 90 92 f9 70 b6 48 // 64 a5 5a 5c dd d8 f6 19 3a af 73 9d fe 83 0f ee 51 d2 51 06 // a0 e5 f3 1d ae 46 bd c9 6c 71 71 cc e6 eb 81 7b c9 e9 00 c1 // 67 16 d3 96 84 45 0c e4 7c a1 6b 3a 42 18 7a 35 ba 0f b4 9a // 85 e7 5c 78 3f e8 1a 10 a8 ff 37 9d 20 ba 51 2d c9 21 b2 73 // 24 4b 98 a1 3c 6b 20 8c 08 f5 c9 98 1f a0 07 43 3d 7f af 97 // e1 75 60 10 45 7a a9 95 ac 1f 32 b5 9e f7 cf c9 88 5f 35 d9 // 96 aa f9 83 b0 00 e3 4d 5e 93 57 1d 3c 8c ce a3 8a 13 94 cd // d9 d9 20 b2 ff 88 24 f2 cb 5a 97 26 1b 1e 20 5d 81 2d 2c f5 // bb f1 ae 68 ce 3b bd 7b c3 ab e7 3c 29 a0 26 a5 f2 1a f8 a3 // 57 80 41 11 6b 22 42 db 45 a8 61 bf d0 65 62 5b 73 0c dd f6 // 37 c6 44 df 79 58 ac bf b3 bc 0e 4f 64 b8 5b 6b a0 44 ce 59 // a9 37 f4 69 76 2b 6a 62 91 52 64 20 85 5a a0 24 2d e2 f6 f7 // d4 ae e4 0c 78 c9 4e 69 4d 31 76 cb 2d e3 f0 99 47 cd 58 0b // 1b 91 51 65 60 3b 3c 81 f5 84 ec 7e b8 c1 ce 28 a7 c7 37 e6 // b1 a4 d5 47 4e 94 08 0c 92 64 3c 62 20 a0 4e 39 c6 37 a9 e6 // 02 22 29 6c 4c d3 43 72 74 14 c2 20 af 7c 45 79 e1 16 a7 01 // b7 1d d3 94 bc e1 0a d8 ed 17 74 d7 74 e9 1b 71 a6 1e 1c 53 // c5 40 2b 29 16 49 81 0a 29 90 16 10 7b 6f 98 c1 c0 4a 33 b1 // 7a 9e c2 06 65 cf ec d7 63 81 34 d0 96 50 25 b7 9c 62 f9 36 // 75 f1 2c dc ca dd 51 d6 3c 3e 71 52 d1 e7 da f8 30 1f 64 16 // 7c c4 f5 bb 78 42 cc 9f 4d 06 49 65 06 a5 bc 06 18 9b 44 9e // 9f 3e 31 44 83 86 8d c9 b0 67 5b df 8f a8 28 c1 de b5 bf d6 // f6 be 54 da a6 20 63 75 19 4d c5 2a 56 c1 62 44 97 95 d4 aa // c1 7d de e0 aa 9e 8f 3f ce 47 57 93 40 eb fd 10 de 05 a6 eb // 47 b4 24 08 d2 f5 5f e6 17 61 e0 02 c4 53 03 14 eb b1 0d 26 // 07 db 6f 83 02 21 8f e8 75 2d 47 4a 6f aa 6e a8 1e 25 79} // (length 0x1000) // } // len: len = 0x1000 (8 bytes) // } // iovec[in, array[int8]] { // addr: ptr[in, buffer] { // buffer: {} (length 0x0) // } // len: len = 0x0 (8 bytes) // } // } // } // msg_iovlen: len = 0x3 (8 bytes) // msg_control: nil // msg_controllen: bytesize = 0x0 (8 bytes) // msg_flags: const = 0x0 (4 bytes) // pad = 0x0 (4 bytes) // } // } // f: send_flags = 0x41 (8 bytes) // ] NONFAILING(*(uint64_t*)0x200000002dc0 = 0); NONFAILING(*(uint32_t*)0x200000002dc8 = 0); NONFAILING(*(uint64_t*)0x200000002dd0 = 0x200000002d80); NONFAILING(*(uint64_t*)0x200000002d80 = 0x200000000480); NONFAILING(*(uint64_t*)0x200000002d88 = 0); NONFAILING(*(uint64_t*)0x200000002d90 = 0x200000000d80); NONFAILING(memcpy( (void*)0x200000000d80, "\xde\x40\x10\xbe\x75\x5d\x29\x0b\xbc\xcb\x16\x28\x85\x00\x95\x6f\xc9\x94" "\x8d\x6e\xb5\x1c\x70\x74\x49\xb1\x42\x0d\x0f\xf9\xed\x16\x49\xa6\x4e\x49" "\x71\xdf\xa4\x11\xe1\x97\x32\x00\x81\x12\x14\xdf\xe8\xe9\xbe\xe4\x3f\x06" "\xbd\x36\x92\x35\x12\x50\xd3\xa1\x38\xf0\x39\x0f\x4b\xce\xfe\x40\x39\xf9" "\xd6\xe8\x86\x12\x98\xa8\xb2\x9d\xd3\xf6\x02\x31\x35\x0f\xb1\x81\x97\xb5" "\x80\xe3\xe7\xe5\xa6\xd4\x59\xd8\x56\x43\xbb\xc2\x0f\x15\x74\xfe\x87\x2f" "\xa9\xc2\x88\x7a\x63\x08\x17\xad\x5d\xa8\x3f\x5e\x1c\xae\x77\x45\x59\x13" "\xd2\x60\x9c\x9c\xce\x98\x76\x59\x95\xd3\x4a\x3e\xb0\x83\x96\xff\x0e\xab" "\xea\x02\xae\x52\xd2\xeb\x3c\xcb\xe9\x6b\x1b\xbe\x3c\xd9\x49\x6b\xe2\x87" "\x51\x93\xe8\x45\x16\x3c\x6a\xdd\x97\xb8\x6c\xdb\x17\x7c\x60\x74\xdb\x48" "\x42\x20\x6e\xcc\x2b\x5b\xa2\x63\x96\x46\x85\x9d\xc3\x30\xc5\x3f\xb7\x65" "\x01\x64\xc1\x3c\xcd\x6c\xb9\xdb\xae\x2d\x7b\xac\x65\xdb\xc5\xa6\xc9\x50" "\x01\x9c\xf1\x59\x54\xff\x39\x29\x38\x6b\xe4\x93\x96\x12\x79\xb8\x1b\xd7" "\xc8\xba\x7b\x90\xde\x00\x22\xd7\x5f\xda\xa7\x70\xcb\x77\x3b\x82\xd3\x9c" "\xe2\x84\xf6\x69\xbd\xd7\x09\x2d\xb5\x35\x0a\x3e\x09\x62\xa4\x57\x94\x97" "\x7e\x45\x3a\x45\xdc\x98\xcf\x65\x35\x8d\x67\xac\xe4\xc4\xd1\x6e\x74\x00" "\x0f\xd9\x1f\xdc\x06\x30\x7c\x7b\x2d\x53\x22\x04\x67\x62\xcb\xac\xac\xd3" "\x5a\x80\xee\x22\xdd\xd1\xeb\xc7\x3f\xc6\x4d\xbd\x1d\xff\x3b\x90\x98\x8c" "\x67\x2e\xfd\xe6\xed\x15\x90\x19\xfc\x26\x8c\x65\x72\x80\x5a\xf1\x6c\x0e" "\x76\x31\x66\xe2\x6e\x6f\xcb\x24\x99\xbc\xeb\x98\xef\x33\xe1\x60\x5a\x0d" "\x13\x8d\xb4\xeb\x98\xb6\x50\x8e\x94\xf1\xb5\x2b\x4d\x66\x9b\x43\x98\x5f" "\xa0\x0f\x7e\xa6\xc1\x37\xc2\xd1\x9d\x17\x39\x2a\x59\x86\x62\x49\x5b\xff" "\xd6\x04\x69\x65\x3b\xe0\x7e\x54\xee\x44\xf7\x89\xd9\xb5\x4b\x62\xd1\x81" "\xd3\xf4\x73\x60\x89\xa5\x38\xbb\x86\x2a\xc1\x47\xeb\x0c\x8a\xd2\x09\xe3" "\x12\x0f\x03\x9b\x96\x14\x8f\xe9\x8c\x9d\x1e\x99\x4e\x7c\xe8\x81\xb2\x78" "\xc5\xda\x15\xa3\xbe\x7c\xd1\x29\xf1\x3d\xfb\x8f\x6d\x0b\x4a\xac\xb3\x58" "\x58\x47\x39\x4d\x3b\x56\x5c\x27\x26\x65\x20\x53\x55\x6f\xa8\x5c\xde\x4c" "\x7f\x7b\x8a\x8c\x12\x9b\xfd\x29\x64\x8e\x46\x1c\x65\xec\xfe\x19\x28\x12" "\x0e\x1b\x41\xea\x06\x06\x00\xbb\x12\x2e\xdc\x7a\xfa\x9e\xc6\x06\x46\x10" "\xc2\x46\x47\xa5\xc3\x8b\xc4\x78\x6e\xfb\xdb\x66\xb5\xc5\x51\xb2\xc7\xf0" "\x71\x88\xa5\x8e\x98\xb2\x34\xb8\x7b\x57\x89\x98\xe5\x82\xf1\x57\x56\x05" "\x41\x03\x4a\x30\xa4\x51\x92\xa4\x27\xa0\xcc\x2a\xa0\xbc\x3f\xa8\x0b\x6b" "\x90\x5f\x69\x68\x1e\x2e\x6c\x15\x98\x19\x2a\xe7\x37\xe1\x89\x6e\x65\x2c" "\x70\xa3\x4a\xb6\x3f\x20\x34\x52\x4b\xf2\x02\x41\x57\x6b\xa5\x82\x3f\xcf" "\x4f\x96\x1a\x32\xfd\x7c\x0b\xf4\x6f\x61\x93\x62\x50\x79\x07\xa4\x4f\x52" "\xd5\xa4\xbf\x55\x9a\xc4\xe5\x85\xcc\x99\x35\xe3\x3a\x26\x0b\xf1\x78\x7c" "\xdb\xcb\x5f\x21\x21\x93\x86\xaa\x21\x81\xb6\xdd\x1e\xf7\x60\xeb\xbc\x74" "\x9a\x2e\xa1\x0f\xf4\xa3\x74\x86\xaf\x7c\x95\x27\x3e\xcd\x72\x60\xc8\xe3" "\x0b\x84\x1f\xa7\xeb\x75\x92\xbe\xb5\xe9\x3d\x1e\xe0\x42\x2b\xd3\xf2\x31" "\xa7\x63\xbc\x68\x53\xbf\x5e\xa5\x2a\x03\xe7\x14\xcc\xc7\x5c\xd6\xf7\x4c" "\x8a\xca\x26\x22\x82\x55\x01\xdb\x2b\x49\x6e\x4a\x51\xce\xef\x09\xa8\x18" "\x45\x29\xb1\xed\x1b\x83\x8b\xeb\xd9\xf3\x26\x34\x11\x0a\x56\x04\xc2\x7a" "\x47\x1b\x18\x69\xe7\xa6\x4b\x4f\x74\x47\x94\x47\x15\x97\xaf\x4e\x31\x14" "\x55\x93\xf0\xa6\xd4\xad\xc6\x1e\x82\x60\x2f\xee\x76\x1e\x9a\x68\x6b\xf1" "\x62\xe9\x74\x58\x8c\xcd\x43\x87\xbb\x8a\xb7\x26\x61\xdd\xcb\x76\x02\x1f" "\x1f\x80\xcc\x20\xb5\x20\x3a\xfd\x8d\xfa\x5e\x44\xa8\x8b\x35\xd7\xdc\x45" "\x56\x8f\x2e\x79\x6f\x2e\xc3\x3b\x63\x0c\x5d\x43\x77\x94\xe5\x1b\x4c\x1d" "\xa9\x2d\x43\xef\x3a\x11\xd8\xe9\xa5\xa7\x98\x6c\xb6\x0d\x6b\x2d\x4b\x47" "\x46\x6e\x59\x26\xd8\x54\xf5\x49\x82\xd8\xa9\xdf\x89\x81\x86\x91\xb1\x81" "\x1b\x0e\x35\x84\x23\x82\xdf\xe1\x40\xdc\x63\xe4\x62\xa3\x3c\x70\x55\x0d" "\xd4\xcc\xce\x02\xf8\xe1\x5a\x01\x26\xb0\x31\x79\x6d\x90\x64\x29\x49\xe8" "\xc2\x64\x44\x1a\x91\xad\xdf\x3e\x92\xc2\x3a\xb9\x0e\x1d\x0b\x1c\xdd\x4d" "\x01\x4c\x8d\x96\x55\x2d\x74\x67\x24\xcf\x78\x1b\x8b\x0b\x59\xa4\xb0\xe0" "\xcf\x94\x07\xa4\x40\x0a\x3f\xda\xa9\x73\x1f\x10\xf7\x50\xac\x95\x2d\xc3" "\x8a\x42\xbf\x3b\x54\x71\x94\xa1\x25\xfa\xe9\xc3\x63\x87\x23\x4b\x6e\x1d" "\x0d\xba\x1e\x27\xe1\x60\x4d\xdb\xdb\x63\x24\x86\x48\x45\x4e\xba\x33\x2b" "\xea\x26\x6d\x34\x6e\xa8\x77\xf4\x39\xd7\x4e\xab\x75\xf9\x29\x85\x6b\xdf" "\xaa\xfb\x36\xce\x45\xd9\xb1\xd3\xb3\xd6\x22\x7e\x2a\xa6\x57\x18\x33\x45" "\x63\xc0\xfe\xe2\x30\x0e\x40\x22\x29\xaf\x9f\x35\xd8\xf5\xc8\x8b\xc1\x59" "\xe5\x3c\x1b\x53\x27\x70\xe7\xfa\xd9\x8d\x34\x6e\xe2\x10\x6e\x9a\x2a\x06" "\xcc\x5e\x46\x45\xe6\xec\x74\x0b\x90\xe3\x59\x6c\x47\xde\xc0\x32\x18\x48" "\x72\xd9\x6e\xbb\x1d\x75\x95\xd5\x1b\xc2\x54\x8c\x1e\x6c\x5f\xb8\x7f\xec" "\x21\x4c\xd8\xbc\x5b\x1f\x69\x34\xb0\x9e\xf0\xec\xb8\x5a\xb2\xfd\xb2\x2f" "\xb9\x0f\xbf\xb5\x6a\x35\x8c\x8d\x1a\x47\xfb\x4a\xc9\x1b\x68\x2f\x10\x1f" "\x44\xe6\x39\x96\x66\xbe\x1d\x09\x05\xd0\x39\x96\xe1\xa5\xe7\xac\xd4\xe0" "\xc1\xe7\xb2\xfc\x6c\x9a\x2d\x98\x9d\x99\xaa\x31\x1b\xc2\xd9\xd7\xf8\x82" "\x57\xb5\xfe\x5b\x7d\x6e\x02\xc8\x8e\x68\xad\xf8\xee\xab\x5d\x58\xd4\x4b" "\x3c\x12\x9f\x4d\x3f\x90\xd7\xac\x99\x19\xea\x63\x9f\xc7\xb1\xa6\x3e\x57" "\x20\xbb\xd5\x3e\xf5\x9b\x06\x91\x83\x46\x7e\xf9\xc6\xf4\xb5\xb6\xa5\x46" "\x59\x12\x49\x57\xdb\xf5\x1e\x8f\x98\x9f\x92\x9e\x76\xc4\x8e\xc3\xa9\x45" "\xde\xf5\xc8\x2f\x3c\xd4\x05\x00\x57\xae\xc7\x98\xd8\xbe\xb5\xe9\x54\x43" "\x5e\xa7\xb2\x99\xa2\x02\x5c\xac\x76\xe9\x55\x02\xbb\x5a\x2f\x94\xa0\x14" "\xfa\xfd\x9e\x5f\xe5\x73\xed\x25\x1c\xdc\xa6\xa5\x08\xc9\xe2\xe6\x0f\xaa" "\xd7\x91\xeb\x8e\xc4\xe5\xf6\xfd\xd6\x9c\xf8\x20\xfb\x2a\xff\xff\x17\x4b" "\xe1\xc3\x34\x10\x86\x8a\x9d\x78\x3e\xd7\x04\x81\xa5\x79\x98\x94\xfe\x89" "\x1e\xb6\xf2\xa6\x52\x6d\x7a\xf7\xf7\xca\x0f\x53\x5e\xa1\x87\x5f\x47\xa8" "\xd9\x64\x98\xe6\x21\x02\x02\x32\x0c\x45\x24\x4c\xd7\xaa\x1f\x0e\x13\x33" "\x65\x46\x0a\xa4\xad\x08\xaa\xd1\x3e\x04\x9c\x1b\x90\x52\xd5\x2c\xb3\x3e" "\xcb\xf5\xb6\x74\x99\x77\xdb\xcc\x12\x57\x04\x1c\x66\x1b\xca\x95\x3b\x1d" "\x4f\x4b\x1c\xd2\xe0\x98\xdb\x0e\x4a\x53\xe0\xe1\x16\x8f\x26\x10\x1f\x57" "\xdb\x98\x1c\x24\xf3\x0f\x40\xe4\x2f\x13\xb4\xea\xb7\x54\x5e\x5f\xb1\x13" "\xe8\xd1\x6c\xfd\x5d\x97\xc7\x33\x7b\x6d\xf6\xd9\xaf\xf3\x66\x48\xd1\x35" "\xad\xc9\x94\xbf\xea\x49\x2c\xc8\x11\x5e\x3e\x4a\x9a\x05\x72\xd4\x4c\xd5" "\x28\x1e\x39\x61\x97\x39\x23\x57\x3f\x43\x01\xd9\x54\x53\xc6\x94\xf7\xae" "\x98\x00\x48\x7f\xc3\x7a\xd1\x49\x85\x83\xb8\xe1\x88\x55\x02\xbb\xdf\x1f" "\x70\x88\x84\x71\xb7\x03\xe9\x4a\xf2\x10\x1d\x35\xfc\xc8\xe4\x66\x54\x0a" "\x17\xc9\xaa\x82\x76\x2b\xb5\x2d\x0e\xb5\x50\x26\xca\x24\x96\xc3\xfe\x70" "\x9e\xe0\xee\xa4\x71\xbe\x70\xdc\xc3\x99\xbb\x49\x9f\x30\xe7\xc7\x05\x37" "\x58\xa3\x4b\xfd\x8b\xd4\x51\x28\x6d\x1a\x48\x44\xba\x06\xda\x19\x51\xe1" "\x5f\x65\x26\xbd\x27\x59\x96\xce\xd0\xec\x33\x71\x02\xee\xa8\x13\xad\x07" "\x3c\x75\x7e\x58\x8d\x41\x52\xc7\x66\xa3\x7c\x63\xaa\xba\x4e\x94\x6f\xcd" "\x39\xf8\x7b\x8c\x3a\xba\x65\x4b\xa9\x59\x4b\x3f\x8b\x87\x0d\xd5\x8c\x4f" "\x1d\x53\x56\x8f\xf5\xaa\xd9\x85\xfd\x73\x5d\x00\x5d\x82\x58\xac\xa5\xfc" "\x9c\x9a\x39\xa4\x82\xea\xe3\x7c\x87\x49\x66\x3c\x5d\xd1\x7b\xad\x60\xb1" "\x82\xb0\x29\xe0\x2e\x76\x3e\x28\x76\x9c\x41\x62\x9b\x52\xbb\x84\x4a\x43" "\x85\xb5\x2c\xf6\x5b\x70\xb0\x12\x7b\x9f\x9d\xae\xff\xd6\x37\x90\x10\xb9" "\x7f\x1b\x47\x98\x6f\x5c\xe9\x15\xf2\x79\x31\x2d\x9c\xb0\xe9\x6f\xa8\xd1" "\x7d\x5e\xc3\xc8\x10\x90\x09\xb3\x65\x95\xf8\x22\x7d\x83\x31\xd4\x9c\xd8" "\x93\x6a\xde\x2e\xee\x72\xf7\x79\xde\x0b\x04\x13\x23\xc2\xc1\x07\x50\x33" "\x2e\x24\x47\x36\x9a\xf3\xb0\xde\x3d\xaa\x20\x7d\x05\x0f\x96\x86\xb1\x7f" "\x29\xe1\xe8\xff\xf1\x31\x69\xa6\xaf\x46\xa3\xc6\x5c\x59\x47\x9b\x15\x23" "\xf6\x2c\xb7\xb1\xe2\x94\xe5\x15\xf3\x66\xd3\x4d\x0c\x71\xe1\xa0\x63\x8c" "\x5e\x05\x01\x22\x27\x6d\x9d\x37\xb2\x25\x93\x69\xe0\x14\x5c\xe8\x88\xc3" "\xbc\x24\xc6\xf0\x43\xde\x9b\x02\x99\xdf\xeb\x16\x5f\x27\x39\x82\x36\x16" "\xee\x56\xe1\xb7\x13\xed\x55\x00\x18\x4c\xb8\x25\x30\x91\x19\xb5\x88\x4b" "\x16\x09\xb3\xb2\x5f\xd3\x5a\x49\x9b\x81\x5b\x07\xb8\x77\x60\x49\x1a\x34" "\x08\x5c\xf2\x55\xd4\x21\x31\x42\x84\x47\x32\xb9\x04\x23\xd1\x77\x15\xd2" "\xbb\x83\x4d\xf3\xef\x4f\xb0\xf0\xd4\xd8\x85\x15\xbe\x3e\xc4\x92\x92\xde" "\x36\x43\x75\xdb\x71\x3e\x25\x28\x64\x7c\x10\x85\xd3\x85\xf3\x4f\x77\xcd" "\x1a\xda\xa9\x7a\x7a\x38\x33\x8c\x17\xc6\x88\xbe\x44\x1a\xc6\x34\x39\xdc" "\x87\x4d\x76\x92\xfa\x50\x43\x32\x1b\xcf\x21\x8e\xd3\x03\xf4\x0a\x7a\xe4" "\x98\xbb\x8b\xbd\x1f\xe4\xb4\x00\xaf\xbf\x41\xa5\xb8\xfc\x23\x53\x24\x83" "\xe6\x83\x9d\x90\xb5\xc7\xe4\x77\xab\xd4\x49\xa1\xb2\x48\x6d\x9a\x55\x11" "\x6c\x78\xe6\xdd\xbd\xbe\x10\x04\x01\x1e\x8a\xfd\x62\xdf\xac\x3f\xe7\xb4" "\x16\x90\x17\x5e\x37\xfb\x21\x51\x47\x0e\x3e\xee\xbd\x08\x4e\x71\x0d\xf4" "\x1d\x78\xb3\xa5\x4f\xdf\xd9\xa1\x24\xd0\xee\x81\x7b\x51\x90\xf0\x19\x32" "\xe5\x42\xec\x08\x8a\xf5\xfc\x7d\x9a\x57\xea\x40\x3b\xfc\x6b\x45\xd2\x79" "\xd9\x86\xe4\x9e\x48\x02\xfb\x7c\xc1\x63\xcb\xaa\xd3\x2c\x6a\x29\x93\x1f" "\x63\x59\x0c\x42\xa7\x7e\xd2\xcb\x34\x9e\xbd\x78\xff\x5c\x9f\xe3\x98\xf1" "\x86\x1f\x61\xe0\x67\xfe\xec\x0f\xb6\x3a\x66\x6d\x57\xcf\xee\xda\x13\x8f" "\xe0\x3d\x78\x24\xbf\x04\xd8\x2a\xf8\xf0\x0c\x99\xf2\xfa\xe8\xa6\x1c\xd1" "\x07\x8a\x10\xcc\xf6\xae\x9f\x74\x52\x18\x0a\x89\x7e\x8b\x5d\x4f\x20\x5d" "\x4b\x66\xfa\x29\x9e\x95\x37\xa9\x56\x8a\x0a\x26\xb9\xe4\x7a\xe5\xfb\xeb" "\xeb\x29\xad\x06\x30\xa8\x4c\x74\x2c\xce\x3b\x11\x83\x4d\xfb\x52\xde\x81" "\x91\xca\x94\x81\x7e\x26\xdd\x25\xf3\x82\x21\x87\x93\xc1\xb7\xbf\xa6\x01" "\xee\x9f\x28\x31\xa7\xc1\xd2\x86\xd8\x50\x08\xa8\x1f\x3e\xe2\x29\x92\xe9" "\xb5\x53\x6a\x96\x2e\xe8\xbe\x7d\x66\x0c\xac\x55\xbc\xde\x40\xf2\xa0\xa5" "\x3e\x08\x00\x6e\xcd\x04\xcd\x13\x98\x60\x25\x0c\x85\xcc\x51\xdb\x28\x9b" "\x10\x94\x3a\xe3\x14\x28\x40\x59\x11\xcc\x89\x4c\x61\x10\xb2\x8f\xd5\x07" "\xb0\x98\xc7\x92\x2f\xb4\x0d\x37\xd2\x58\xe2\x58\xc8\xbd\x0a\x04\xa1\xbe" "\xce\xf7\x09\x0f\xf2\xe4\xd3\xec\x8f\xc3\x10\xcd\xa1\x6c\xdf\x3f\x19\xa1" "\x81\x22\xe6\x4a\xd7\xe5\x2a\x08\x78\x2d\x51\x37\x30\x7e\xaa\x1a\x2b\x5a" "\xb8\xca\xf3\xb8\x92\xe8\xb2\x6c\xc5\xbc\x83\x11\x96\xfa\xce\x1a\x62\x04" "\x1c\x44\xfe\xa0\x03\x2c\xbf\xac\x8e\x69\x52\xe5\x1e\xe7\x5a\xe8\x5b\x90" "\x15\x01\x97\x35\x65\x04\xa7\xc3\x58\x34\xab\xcb\x5e\x5d\x99\x0e\x80\xd0" "\x6f\xf9\xa5\xd3\xa4\x4c\x72\xcc\x76\xba\xca\x5b\x7d\x6b\x9f\xf4\x1c\x0f" "\x14\xb9\x09\xba\xb0\xa4\x36\xd6\xc2\xfc\x5d\xdb\xdb\xc7\xad\x45\x7b\xa1" "\x2e\xbc\x60\xe5\x45\xe6\x40\xfe\xbc\x71\x2c\x8c\xa1\xf8\x7d\x9b\x9b\x8d" "\xd3\x50\xec\x03\x75\x65\x2b\x60\x3a\x66\x29\xb5\x19\x51\x1b\x37\xff\x5b" "\x26\x39\xca\x2c\x4c\xef\x89\x36\x9d\x3e\x6e\x0d\xb6\x2a\xe4\x86\x17\x8c" "\xe1\xd8\x43\x73\xe6\x5b\xeb\xab\xe4\xa3\xfd\xee\x22\xc3\x2b\x6c\x31\xd1" "\x78\x42\xda\x89\x2c\xef\xab\xed\x27\x82\x0f\xf8\xeb\xe2\x98\x31\xb9\xb1" "\x30\xc6\xcd\xa2\x85\x10\xf4\xa1\x8a\xc0\x63\x10\x2d\x3f\xe7\x2e\x46\xcb" "\x14\x5c\x28\x28\x5a\xc2\xa1\x58\x42\x06\x8d\x4b\xa8\x10\x9a\xd8\xa2\xad" "\xe0\x18\x39\xcb\x68\xe8\x21\x02\xb7\x01\x42\x4c\x3c\x7a\x13\x54\x7b\x2a" "\xe8\x55\xbe\x7d\xb6\x4b\xb5\xaa\xe1\xf6\x3f\xb4\x46\xf6\x51\x3f\xfc\x94" "\x07\xfe\x18\x2d\xf7\x2f\xeb\x8a\x2d\x98\xa2\xce\x3f\xbe\xaf\x17\x5c\x68" "\xd9\x3b\x5e\xba\xe8\x7d\xb5\xf4\xc7\x5e\xac\xac\x71\x9a\xa1\xae\x59\x06" "\x16\x84\x55\x64\x52\x3d\x8f\xc0\x35\x0e\x1e\x9c\x5d\x6f\x5d\xd1\x8c\xa9" "\xc7\x35\x31\x3a\xd2\x86\xb6\xe1\x56\x37\xb4\x71\x66\x91\x0e\x4b\x65\x24" "\x04\x7d\x4e\x0a\x50\x90\x13\xe0\x49\xdd\x12\x49\x33\xa4\xe2\x61\x09\xe7" "\xf6\x18\x8c\xd5\x1d\xd4\x64\x84\xd1\xa0\xff\x55\x1c\xc1\x34\xe8\x09\x54" "\xc3\x4e\x6d\x62\x5a\x1d\x5e\x45\x42\xdf\xe2\x55\x63\xb2\xab\x03\xd8\xe4" "\x9a\x88\x9d\x89\x8a\x52\x70\xcc\x35\x1a\x3b\x4d\xf6\x0a\xf3\x92\x76\xda" "\x3b\xd8\x85\x1e\x2a\xd6\xc5\x3e\xe9\x71\xdd\xba\x10\x76\x97\xc7\xf6\xda" "\x34\xb7\x00\x34\xf0\x4e\xfc\x65\xe6\x48\xfa\x05\x00\x49\x54\x1d\xed\xca" "\x02\x69\x7b\xce\xcd\xe4\xb0\xe6\xd3\x25\xd3\x22\x6e\xfa\x21\x98\xe9\xc9" "\xda\x06\x26\x5d\x95\x09\xb4\x08\x5d\xef\xf3\x68\x42\xf4\xda\xc1\xc1\x66" "\x54\x24\xf1\x07\xde\x4a\xaf\xee\x84\x58\x18\xe9\x07\x7c\xea\xd1\x42\x41" "\x9a\x74\x33\xb8\x69\x41\x73\x87\x26\x03\x2c\x4a\xeb\xf7\xa0\xa7\x11\x42" "\x3d\x39\xa7\x4e\x61\x6b\xd2\x73\x29\xf5\x9c\x81\x9b\x7d\xbd\x46\x65\x1e" "\x43\xc9\xa8\xa0\x5e\x3d\x3a\x7c\xfc\x3d\x65\x55\x33\xb2\x62\x79\xa1\xc3" "\x3f\x9c\xc1\xea\x07\xe7\x06\x4a\x8d\x68\x84\x9d\x66\x5c\x44\x38\x2c\xd1" "\x63\x66\x3e\xe8\xdc\x37\xbc\x1b\xfa\x99\xc4\xd6\xcd\xec\x93\x66\x7f\x50" "\xb6\x5f\x95\x57\xf8\x41\x07\x74\xf3\x96\x20\x6f\xd8\x35\x94\x4c\xdc\xe5" "\x30\x90\x2c\x7d\xaa\x9f\x41\x81\x0e\xbe\xfa\x74\x37\xca\x14\x27\x5c\x75" "\x49\xbb\x53\xbc\xd4\x0f\xe7\xb4\xcf\x33\x9f\x34\xa4\x1b\x99\x1b\x61\x37" "\x14\xc9\x01\x52\xb7\xbf\x47\x79\x05\xb8\x2d\x9e\x6f\xf7\x57\xfb\xe8\x11" "\x07\x7f\xa8\xf3\xbc\x48\x55\xe9\xaf\x09\xdb\xb6\xea\xaa\x46\x9b\xdd\x97" "\xdf\xe8\xa7\xb2\x93\x50\x7a\xa7\x41\x65\x32\x06\x81\xf1\x73\x19\x31\x48" "\x6c\x2c\xb0\xf6\xb3\x5e\x0f\xcc\x16\xaa\xaa\x62\xe9\x29\xc1\x61\x2e\x9a" "\x03\x2d\xc8\xbf\xdb\xa7\x5b\x6f\xdd\x2d\x81\x6f\xb3\xa6\x73\x5a\xfe\x97" "\xfd\x15\x29\x14\x6d\x50\x12\xae\x5b\xcf\x3f\x5d\x4b\x19\xa2\x0c\x20\x27" "\xb1\x4a\x9c\xf2\x63\x60\x15\x95\x74\x94\x74\x9c\xe4\xf9\xc1\x4b\xef\xd1" "\x2c\x2d\xec\x7e\x18\x31\xa6\x8b\x05\x9f\xf4\x58\xd4\xa5\x8d\xc6\x81\xcd" "\x96\xbc\x2f\x64\xbb\xb7\x46\x4d\x4e\x6b\xa4\xe3\xa7\xcd\x48\x69\x1f\x42" "\x57\x59\xc0\xce\x8a\x0b\xb1\x8b\x7d\x21\xab\x43\x09\x7a\xb1\x5c\xda\xbd" "\x3c\x43\x1b\x81\xa2\x4f\x35\xb0\xf8\xa0\x22\x30\x16\x64\xb6\xa0\x28\xac" "\x21\x4d\xd3\x1b\x68\x80\x35\x19\xb2\xcf\x70\x76\xc3\xac\x2c\x8c\x6a\x4a" "\xb1\x34\xfa\x97\x56\xd5\x0c\x3f\x38\x58\xb3\xef\x2b\x27\x6e\xf1\x63\x8b" "\x7c\xc7\x6f\x5d\x28\xce\x4b\xe9\x5e\xf0\x98\x6a\x26\xd3\xb0\x96\x84\xfd" "\xa4\x12\x69\x11\x1a\xff\x68\x46\xa9\x88\x63\x28\x39\xb6\xb8\xfa\x80\xec" "\x58\xf1\xf8\x4a\xd8\x1f\xee\x14\x2f\xa5\x4b\x91\x62\xf4\xd3\xa1\x31\x29" "\x82\x9f\xf2\x5e\xb7\x5c\x64\x23\xda\x63\x34\x15\x2d\xdf\x33\x39\xb5\x97" "\x2b\xf1\x78\x29\xc6\xb9\xfb\xc7\xf5\x5d\x08\x4a\x4c\x29\x1e\x0d\xc7\x91" "\xed\x96\xcc\x3d\xcd\xb0\x4c\xd0\x1f\x44\xb4\x20\xff\x6e\xb0\x56\x8b\x1c" "\x7e\x8c\xdf\x45\x0c\xaa\x14\x3f\x5a\x07\x72\xb5\x12\x1c\xf7\x51\x30\xfe" "\xac\x6e\x64\x32\x2f\x65\x61\x63\x5a\x05\x40\xd1\xaa\x7b\x36\xd1\x38\xcc" "\xe3\xe6\x65\x9b\xbb\x79\xac\x73\xd7\xac\x5c\x6b\x6e\xa9\x53\xe5\x2e\xb2" "\x99\xec\x36\x13\x76\xe7\x84\x19\x7a\xfb\xa8\xf2\x69\xf6\xc2\x4f\x73\x5a" "\xab\x31\xb3\x6a\xe2\x03\x86\x29\xb2\x68\xe5\x37\x35\x7e\xea\xcd\x2a\xdd" "\x73\xd4\x4b\xb5\x49\xb4\x37\xcc\xff\x8b\x4d\x3e\x87\x00\x68\xfa\x82\x90" "\xa6\x8a\xab\xc1\x9c\x33\x6b\xaa\xcb\x20\x82\x3a\xe1\xbc\xa4\x4a\x1c\x1f" "\xe1\x9c\x34\x48\x51\x00\x65\x53\x77\xd6\xc0\xc3\x11\xad\xb0\x6b\xfb\x8e" "\xf7\x3d\xbd\xdb\x29\x97\x19\xf2\x53\xc9\x86\x9d\x77\xf7\xb9\xd3\xc8\xcc" "\x2f\x9d\x08\x79\x05\xd5\xb2\x5c\x80\xae\x63\x00\xb3\xd7\x06\xe8\xbe\xb8" "\x7e\x8b\x47\x32\x7b\xee\xae\x80\x5c\xad\x7f\xd6\x59\xc6\x8e\x77\x9e\x94" "\x32\x3c\x08\x53\x8b\xbc\x21\xa5\x0c\x81\x7b\xae\xf5\x01\xf1\xf8\x4c\xcc" "\xe2\x38\x9d\x75\x35\x13\xce\x90\x92\xf9\x70\xb6\x48\x64\xa5\x5a\x5c\xdd" "\xd8\xf6\x19\x3a\xaf\x73\x9d\xfe\x83\x0f\xee\x51\xd2\x51\x06\xa0\xe5\xf3" "\x1d\xae\x46\xbd\xc9\x6c\x71\x71\xcc\xe6\xeb\x81\x7b\xc9\xe9\x00\xc1\x67" "\x16\xd3\x96\x84\x45\x0c\xe4\x7c\xa1\x6b\x3a\x42\x18\x7a\x35\xba\x0f\xb4" "\x9a\x85\xe7\x5c\x78\x3f\xe8\x1a\x10\xa8\xff\x37\x9d\x20\xba\x51\x2d\xc9" "\x21\xb2\x73\x24\x4b\x98\xa1\x3c\x6b\x20\x8c\x08\xf5\xc9\x98\x1f\xa0\x07" "\x43\x3d\x7f\xaf\x97\xe1\x75\x60\x10\x45\x7a\xa9\x95\xac\x1f\x32\xb5\x9e" "\xf7\xcf\xc9\x88\x5f\x35\xd9\x96\xaa\xf9\x83\xb0\x00\xe3\x4d\x5e\x93\x57" "\x1d\x3c\x8c\xce\xa3\x8a\x13\x94\xcd\xd9\xd9\x20\xb2\xff\x88\x24\xf2\xcb" "\x5a\x97\x26\x1b\x1e\x20\x5d\x81\x2d\x2c\xf5\xbb\xf1\xae\x68\xce\x3b\xbd" "\x7b\xc3\xab\xe7\x3c\x29\xa0\x26\xa5\xf2\x1a\xf8\xa3\x57\x80\x41\x11\x6b" "\x22\x42\xdb\x45\xa8\x61\xbf\xd0\x65\x62\x5b\x73\x0c\xdd\xf6\x37\xc6\x44" "\xdf\x79\x58\xac\xbf\xb3\xbc\x0e\x4f\x64\xb8\x5b\x6b\xa0\x44\xce\x59\xa9" "\x37\xf4\x69\x76\x2b\x6a\x62\x91\x52\x64\x20\x85\x5a\xa0\x24\x2d\xe2\xf6" "\xf7\xd4\xae\xe4\x0c\x78\xc9\x4e\x69\x4d\x31\x76\xcb\x2d\xe3\xf0\x99\x47" "\xcd\x58\x0b\x1b\x91\x51\x65\x60\x3b\x3c\x81\xf5\x84\xec\x7e\xb8\xc1\xce" "\x28\xa7\xc7\x37\xe6\xb1\xa4\xd5\x47\x4e\x94\x08\x0c\x92\x64\x3c\x62\x20" "\xa0\x4e\x39\xc6\x37\xa9\xe6\x02\x22\x29\x6c\x4c\xd3\x43\x72\x74\x14\xc2" "\x20\xaf\x7c\x45\x79\xe1\x16\xa7\x01\xb7\x1d\xd3\x94\xbc\xe1\x0a\xd8\xed" "\x17\x74\xd7\x74\xe9\x1b\x71\xa6\x1e\x1c\x53\xc5\x40\x2b\x29\x16\x49\x81" "\x0a\x29\x90\x16\x10\x7b\x6f\x98\xc1\xc0\x4a\x33\xb1\x7a\x9e\xc2\x06\x65" "\xcf\xec\xd7\x63\x81\x34\xd0\x96\x50\x25\xb7\x9c\x62\xf9\x36\x75\xf1\x2c" "\xdc\xca\xdd\x51\xd6\x3c\x3e\x71\x52\xd1\xe7\xda\xf8\x30\x1f\x64\x16\x7c" "\xc4\xf5\xbb\x78\x42\xcc\x9f\x4d\x06\x49\x65\x06\xa5\xbc\x06\x18\x9b\x44" "\x9e\x9f\x3e\x31\x44\x83\x86\x8d\xc9\xb0\x67\x5b\xdf\x8f\xa8\x28\xc1\xde" "\xb5\xbf\xd6\xf6\xbe\x54\xda\xa6\x20\x63\x75\x19\x4d\xc5\x2a\x56\xc1\x62" "\x44\x97\x95\xd4\xaa\xc1\x7d\xde\xe0\xaa\x9e\x8f\x3f\xce\x47\x57\x93\x40" "\xeb\xfd\x10\xde\x05\xa6\xeb\x47\xb4\x24\x08\xd2\xf5\x5f\xe6\x17\x61\xe0" "\x02\xc4\x53\x03\x14\xeb\xb1\x0d\x26\x07\xdb\x6f\x83\x02\x21\x8f\xe8\x75" "\x2d\x47\x4a\x6f\xaa\x6e\xa8\x1e\x25\x79", 4096)); NONFAILING(*(uint64_t*)0x200000002d98 = 0x1000); NONFAILING(*(uint64_t*)0x200000002da0 = 0x200000001d80); NONFAILING(*(uint64_t*)0x200000002da8 = 0); NONFAILING(*(uint64_t*)0x200000002dd8 = 3); NONFAILING(*(uint64_t*)0x200000002de0 = 0); NONFAILING(*(uint64_t*)0x200000002de8 = 0); NONFAILING(*(uint32_t*)0x200000002df0 = 0); syscall(__NR_sendmsg, /*fd=*/(intptr_t)-1, /*msg=*/0x200000002dc0ul, /*f=MSG_OOB|MSG_DONTWAIT*/ 0x41ul); // syz_usb_control_io$hid arguments: [ // fd: fd_usb_hid (resource) // descs: nil // resps: nil // ] NONFAILING(syz_usb_control_io(/*fd=*/r[0], /*descs=*/0, /*resps=*/0)); // syz_usb_control_io$hid arguments: [ // fd: fd_usb_hid (resource) // descs: ptr[in, vusb_descriptors_hid] { // vusb_descriptors_hid { // len: len = 0x24 (4 bytes) // generic: nil // USB_DT_STRING: nil // HID_DT_REPORT: ptr[in, vusb_descriptor_t[USB_TYPE_STANDARD, // HID_DT_REPORT, hid_descriptor_report]] { // vusb_descriptor_t[USB_TYPE_STANDARD, HID_DT_REPORT, // hid_descriptor_report] { // type: const = 0x0 (1 bytes) // req: const = 0x22 (1 bytes) // len: bytesize = 0x4 (4 bytes) // data: hid_descriptor_report { // items: array[hid_report_item_short] { // union hid_report_item_short { // global: union // hid_report_item_short_t[HID_ITEM_TYPE_GLOBAL, // hid_report_item_global_tags] { // item_012: // hid_report_item_short_012_t[HID_ITEM_TYPE_GLOBAL, // hid_report_item_global_tags] { // bSize: len = 0x0 (0 bytes) // bType: const = 0x1 (0 bytes) // bTag: hid_report_item_global_tags = 0x0 (1 bytes) // data: buffer: {} (length 0x0) // } // } // } // union hid_report_item_short { // local: union hid_report_item_short_t[HID_ITEM_TYPE_LOCAL, // hid_report_item_local_tags] { // item_012: // hid_report_item_short_012_t[HID_ITEM_TYPE_LOCAL, // hid_report_item_local_tags] { // bSize: len = 0x0 (0 bytes) // bType: const = 0x2 (0 bytes) // bTag: hid_report_item_local_tags = 0x1 (1 bytes) // data: buffer: {} (length 0x0) // } // } // } // union hid_report_item_short { // local: union hid_report_item_short_t[HID_ITEM_TYPE_LOCAL, // hid_report_item_local_tags] { // item_012: // hid_report_item_short_012_t[HID_ITEM_TYPE_LOCAL, // hid_report_item_local_tags] { // bSize: len = 0x1 (0 bytes) // bType: const = 0x2 (0 bytes) // bTag: hid_report_item_local_tags = 0xa (1 bytes) // data: buffer: {8b} (length 0x1) // } // } // } // } // } // } // } // HID_DT_HID: nil // } // } // resps: nil // ] NONFAILING(*(uint32_t*)0x200000000180 = 0x24); NONFAILING(*(uint64_t*)0x200000000184 = 0); NONFAILING(*(uint64_t*)0x20000000018c = 0); NONFAILING(*(uint64_t*)0x200000000194 = 0x200000000040); NONFAILING(*(uint8_t*)0x200000000040 = 0); NONFAILING(*(uint8_t*)0x200000000041 = 0x22); NONFAILING(*(uint32_t*)0x200000000042 = 4); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000046, 0, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000046, 1, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000046, 0, 4, 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000047, 0, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000047, 2, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000047, 1, 4, 4)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000048, 1, 0, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000048, 2, 2, 2)); NONFAILING(STORE_BY_BITMASK(uint8_t, , 0x200000000048, 0xa, 4, 4)); NONFAILING(memset((void*)0x200000000049, 139, 1)); NONFAILING(*(uint64_t*)0x20000000019c = 0); NONFAILING( syz_usb_control_io(/*fd=*/r[0], /*descs=*/0x200000000180, /*resps=*/0)); // syz_usb_ep_write arguments: [ // fd: fd_usb (resource) // ep: int8 = 0x81 (1 bytes) // len: len = 0xffffff75 (8 bytes) // data: ptr[in, buffer] { // buffer: {b9 42 5b 44 65 1d d2 32 41 96 35 99 00 00 00 11 00 00 00 4a // 16 94 1f f5 f4 b4 f1 f0 ad d7 fc f2 b8 77 fc ea ff ff ff ff ff f1 ff // df 4c d9 f5 d3 96 98 90 52 2c 77 15 7d 88 01 00 00 00 3a 5b d5 53 1d // 45 9d ff ff 03 00 00 00 00 00 91 ff 00 00 00 e8 f5 b3 37 1d a3 63 5b // 8b 4f a6 37 13 58 00 00 1f 65 e4 b4 36 aa 9e 50 bc 0f 19 b7 d3 37 2f // f9 eb ce de 1f b5 e9 42 8f 54 d5 d1 f0 cc 75 2c f2 46 a5 d2 da 34 a5 // aa 97 dc 14 a4 69 c3 dd 3e 26 b4 1c 35 64 84 e4 6f d6 6e 3f 2c 78 07 // e8 77 3e ed 7b 94 fa 09 9a b8 4f ea de c2 ea 95 f6 5b ba 45 2e ae 5b // 09 00 f9 8a 97 9a 88 c5 17 a2 dc 36 0a 00 23 77 23 e2 f4 67 af 70 6e // a1 72 26 29 6b 3a 10 a3 51 cb 47 ab a2 c6 b8 36 c9 06 79 b4 dd 85 9d // dc 9e 48 00 44 8a ab 00 00 00 00 00 00 0d 75 f3 4b b5 0d 8d 70 84} // (length 0xf9) // } // ] NONFAILING(memcpy( (void*)0x2000000002c0, "\xb9\x42\x5b\x44\x65\x1d\xd2\x32\x41\x96\x35\x99\x00\x00\x00\x11\x00\x00" "\x00\x4a\x16\x94\x1f\xf5\xf4\xb4\xf1\xf0\xad\xd7\xfc\xf2\xb8\x77\xfc\xea" "\xff\xff\xff\xff\xff\xf1\xff\xdf\x4c\xd9\xf5\xd3\x96\x98\x90\x52\x2c\x77" "\x15\x7d\x88\x01\x00\x00\x00\x3a\x5b\xd5\x53\x1d\x45\x9d\xff\xff\x03\x00" "\x00\x00\x00\x00\x91\xff\x00\x00\x00\xe8\xf5\xb3\x37\x1d\xa3\x63\x5b\x8b" "\x4f\xa6\x37\x13\x58\x00\x00\x1f\x65\xe4\xb4\x36\xaa\x9e\x50\xbc\x0f\x19" "\xb7\xd3\x37\x2f\xf9\xeb\xce\xde\x1f\xb5\xe9\x42\x8f\x54\xd5\xd1\xf0\xcc" "\x75\x2c\xf2\x46\xa5\xd2\xda\x34\xa5\xaa\x97\xdc\x14\xa4\x69\xc3\xdd\x3e" "\x26\xb4\x1c\x35\x64\x84\xe4\x6f\xd6\x6e\x3f\x2c\x78\x07\xe8\x77\x3e\xed" "\x7b\x94\xfa\x09\x9a\xb8\x4f\xea\xde\xc2\xea\x95\xf6\x5b\xba\x45\x2e\xae" "\x5b\x09\x00\xf9\x8a\x97\x9a\x88\xc5\x17\xa2\xdc\x36\x0a\x00\x23\x77\x23" "\xe2\xf4\x67\xaf\x70\x6e\xa1\x72\x26\x29\x6b\x3a\x10\xa3\x51\xcb\x47\xab" "\xa2\xc6\xb8\x36\xc9\x06\x79\xb4\xdd\x85\x9d\xdc\x9e\x48\x00\x44\x8a\xab" "\x00\x00\x00\x00\x00\x00\x0d\x75\xf3\x4b\xb5\x0d\x8d\x70\x84", 249)); NONFAILING(syz_usb_ep_write(/*fd=*/r[0], /*ep=*/0x81, /*len=*/0xffffff75, /*data=*/0x2000000002c0)); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if ((reason = setup_802154())) printf("the reproducer may not work as expected: 802154 injection setup " "failed: %s\n", reason); install_segv_handler(); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); loop(); } } sleep(1000000); return 0; }