// https://syzkaller.appspot.com/bug?id=53599a7fc4882bf655e43ac53edfe43e7740baab // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; unsigned n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != hdr->nlmsg_len) exit(1); n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (n < sizeof(struct nlmsghdr)) exit(1); if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr)) exit(1); if (hdr->nlmsg_type != NLMSG_ERROR) exit(1); return ((struct nlmsgerr*)(hdr + 1))->error; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize) { struct ifaddrmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120; hdr.ifa_scope = RT_SCOPE_UNIVERSE; hdr.ifa_index = if_nametoindex(dev); netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize); netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize); return netlink_send(nlmsg, sock); } static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in_addr in_addr; inet_pton(AF_INET, addr, &in_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr)); (void)err; } static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr) { struct in6_addr in6_addr; inet_pton(AF_INET6, addr, &in6_addr); int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr)); (void)err; } static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize) { struct ndmsg hdr; memset(&hdr, 0, sizeof(hdr)); hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6; hdr.ndm_ifindex = if_nametoindex(name); hdr.ndm_state = NUD_PERMANENT; netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); netlink_attr(nlmsg, NDA_DST, addr, addrsize); netlink_attr(nlmsg, NDA_LLADDR, mac, macsize); int err = netlink_send(nlmsg, sock); (void)err; } static struct nlmsg nlmsg; static int tunfd = -1; #define TUN_IFACE "syz_tun" #define LOCAL_MAC 0xaaaaaaaaaaaa #define REMOTE_MAC 0xaaaaaaaaaabb #define LOCAL_IPV4 "172.20.20.170" #define REMOTE_IPV4 "172.20.20.187" #define LOCAL_IPV6 "fe80::aa" #define REMOTE_IPV6 "fe80::bb" #define IFF_NAPI 0x0010 static void initialize_tun(void) { tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK); if (tunfd == -1) { printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n"); printf("otherwise fuzzing or reproducing might not work as intended\n"); return; } const int kTunFd = 240; if (dup2(tunfd, kTunFd) < 0) exit(1); close(tunfd); tunfd = kTunFd; struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ); ifr.ifr_flags = IFF_TAP | IFF_NO_PI; if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) { exit(1); } char sysctl[64]; sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE); write_file(sysctl, "0"); sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE); write_file(sysctl, "0"); int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) exit(1); netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4); netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6); uint64_t macaddr = REMOTE_MAC; struct in_addr in_addr; inet_pton(AF_INET, REMOTE_IPV4, &in_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN); struct in6_addr in6_addr; inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr); netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN); macaddr = LOCAL_MAC; netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL); close(sock); } static int read_tun(char* data, int size) { if (tunfd < 0) return -1; int rv = read(tunfd, data, size); if (rv < 0) { if (errno == EAGAIN || errno == EBADFD) return -1; exit(1); } return rv; } static void flush_tun() { char data[1000]; while (read_tun(&data[0], sizeof(data)) != -1) { } } #define MAX_FDS 30 static void setup_cgroups() { if (mkdir("/syzcgroup", 0777)) { } if (mkdir("/syzcgroup/unified", 0777)) { } if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { } if (chmod("/syzcgroup/unified", 0777)) { } write_file("/syzcgroup/unified/cgroup.subtree_control", "+cpu +memory +io +pids +rdma"); if (mkdir("/syzcgroup/cpu", 0777)) { } if (mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,perf_event,hugetlb")) { } write_file("/syzcgroup/cpu/cgroup.clone_children", "1"); write_file("/syzcgroup/cpu/cpuset.memory_pressure_enabled", "1"); if (chmod("/syzcgroup/cpu", 0777)) { } if (mkdir("/syzcgroup/net", 0777)) { } if (mount("none", "/syzcgroup/net", "cgroup", 0, "net_cls,net_prio,devices,freezer")) { } if (chmod("/syzcgroup/net", 0777)) { } } static void setup_cgroups_loop() { int pid = getpid(); char file[128]; char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/pids.max", cgroupdir); write_file(file, "32"); snprintf(file, sizeof(file), "%s/memory.low", cgroupdir); write_file(file, "%d", 298 << 20); snprintf(file, sizeof(file), "%s/memory.high", cgroupdir); write_file(file, "%d", 299 << 20); snprintf(file, sizeof(file), "%s/memory.max", cgroupdir); write_file(file, "%d", 300 << 20); snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } snprintf(file, sizeof(file), "%s/cgroup.procs", cgroupdir); write_file(file, "%d", pid); } static void setup_cgroups_test() { char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); if (symlink(cgroupdir, "./cgroup")) { } snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/cpu/syz%llu", procid); if (symlink(cgroupdir, "./cgroup.cpu")) { } snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/net/syz%llu", procid); if (symlink(cgroupdir, "./cgroup.net")) { } } static void setup_common() { if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) { } setup_cgroups(); } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setsid(); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = (200 << 20); setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 32 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); rlim.rlim_cur = rlim.rlim_max = 256; setrlimit(RLIMIT_NOFILE, &rlim); if (unshare(CLONE_NEWNS)) { } if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } typedef struct { const char* name; const char* value; } sysctl_t; static const sysctl_t sysctls[] = { {"/proc/sys/kernel/shmmax", "16777216"}, {"/proc/sys/kernel/shmall", "536870912"}, {"/proc/sys/kernel/shmmni", "1024"}, {"/proc/sys/kernel/msgmax", "8192"}, {"/proc/sys/kernel/msgmni", "1024"}, {"/proc/sys/kernel/msgmnb", "1024"}, {"/proc/sys/kernel/sem", "1024 1048576 500 1024"}, }; unsigned i; for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++) write_file(sysctls[i].name, sysctls[i].value); } static int wait_for_loop(int pid) { if (pid < 0) exit(1); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static void drop_caps(void) { struct __user_cap_header_struct cap_hdr = {}; struct __user_cap_data_struct cap_data[2] = {}; cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; cap_hdr.pid = getpid(); if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1); const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE); cap_data[0].effective &= ~drop; cap_data[0].permitted &= ~drop; cap_data[0].inheritable &= ~drop; if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_common(); sandbox_common(); drop_caps(); if (unshare(CLONE_NEWNET)) { } initialize_tun(); loop(); exit(1); } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, MNT_DETACH) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, MNT_DETACH)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_loop() { setup_cgroups_loop(); } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setup_cgroups_test(); write_file("/proc/self/oom_score_adj", "1000"); flush_tun(); } static void close_fds() { for (int fd = 3; fd < MAX_FDS; fd++) close(fd); } static void setup_sysctl() { static struct { const char* name; const char* data; } files[] = { {"/sys/kernel/debug/x86/nmi_longest_ns", "10000000000"}, {"/proc/sys/kernel/hung_task_check_interval_secs", "20"}, {"/proc/sys/net/core/bpf_jit_enable", "1"}, {"/proc/sys/net/core/bpf_jit_kallsyms", "1"}, {"/proc/sys/net/core/bpf_jit_harden", "0"}, {"/proc/sys/kernel/kptr_restrict", "0"}, {"/proc/sys/kernel/softlockup_all_cpu_backtrace", "1"}, {"/proc/sys/fs/mount-max", "100"}, {"/proc/sys/vm/oom_dump_tasks", "0"}, {"/proc/sys/debug/exception-trace", "0"}, {"/proc/sys/kernel/printk", "7 4 1 3"}, {"/proc/sys/net/ipv4/ping_group_range", "0 65535"}, {"/proc/sys/kernel/keys/gc_delay", "1"}, {"/proc/sys/vm/nr_overcommit_hugepages", "4"}, {"/proc/sys/vm/oom_kill_allocating_task", "1"}, }; for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) { if (!write_file(files[i].name, files[i].data)) printf("write to %s failed: %s\n", files[i].name, strerror(errno)); } } #define FUSE_MIN_READ_BUFFER 8192 enum fuse_opcode { FUSE_LOOKUP = 1, FUSE_FORGET = 2, FUSE_GETATTR = 3, FUSE_SETATTR = 4, FUSE_READLINK = 5, FUSE_SYMLINK = 6, FUSE_MKNOD = 8, FUSE_MKDIR = 9, FUSE_UNLINK = 10, FUSE_RMDIR = 11, FUSE_RENAME = 12, FUSE_LINK = 13, FUSE_OPEN = 14, FUSE_READ = 15, FUSE_WRITE = 16, FUSE_STATFS = 17, FUSE_RELEASE = 18, FUSE_FSYNC = 20, FUSE_SETXATTR = 21, FUSE_GETXATTR = 22, FUSE_LISTXATTR = 23, FUSE_REMOVEXATTR = 24, FUSE_FLUSH = 25, FUSE_INIT = 26, FUSE_OPENDIR = 27, FUSE_READDIR = 28, FUSE_RELEASEDIR = 29, FUSE_FSYNCDIR = 30, FUSE_GETLK = 31, FUSE_SETLK = 32, FUSE_SETLKW = 33, FUSE_ACCESS = 34, FUSE_CREATE = 35, FUSE_INTERRUPT = 36, FUSE_BMAP = 37, FUSE_DESTROY = 38, FUSE_IOCTL = 39, FUSE_POLL = 40, FUSE_NOTIFY_REPLY = 41, FUSE_BATCH_FORGET = 42, FUSE_FALLOCATE = 43, FUSE_READDIRPLUS = 44, FUSE_RENAME2 = 45, FUSE_LSEEK = 46, FUSE_COPY_FILE_RANGE = 47, FUSE_SETUPMAPPING = 48, FUSE_REMOVEMAPPING = 49, CUSE_INIT = 4096, CUSE_INIT_BSWAP_RESERVED = 1048576, FUSE_INIT_BSWAP_RESERVED = 436207616, }; struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; uint32_t uid; uint32_t gid; uint32_t pid; uint32_t padding; }; struct fuse_out_header { uint32_t len; uint32_t error; uint64_t unique; }; struct syz_fuse_req_out { struct fuse_out_header* init; struct fuse_out_header* lseek; struct fuse_out_header* bmap; struct fuse_out_header* poll; struct fuse_out_header* getxattr; struct fuse_out_header* lk; struct fuse_out_header* statfs; struct fuse_out_header* write; struct fuse_out_header* read; struct fuse_out_header* open; struct fuse_out_header* attr; struct fuse_out_header* entry; struct fuse_out_header* dirent; struct fuse_out_header* direntplus; struct fuse_out_header* create_open; struct fuse_out_header* ioctl; }; static int fuse_send_response(int fd, const struct fuse_in_header* in_hdr, struct fuse_out_header* out_hdr) { if (!out_hdr) { return -1; } out_hdr->unique = in_hdr->unique; if (write(fd, out_hdr, out_hdr->len) == -1) { return -1; } return 0; } static volatile long syz_fuse_handle_req(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { struct syz_fuse_req_out* req_out = (struct syz_fuse_req_out*)a3; struct fuse_out_header* out_hdr = NULL; char* buf = (char*)a1; int buf_len = (int)a2; int fd = (int)a0; if (!req_out) { return -1; } if (buf_len < FUSE_MIN_READ_BUFFER) { return -1; } int ret = read(fd, buf, buf_len); if (ret == -1) { return -1; } if ((size_t)ret < sizeof(struct fuse_in_header)) { return -1; } const struct fuse_in_header* in_hdr = (const struct fuse_in_header*)buf; if (in_hdr->len > (uint32_t)ret) { return -1; } switch (in_hdr->opcode) { case FUSE_GETATTR: case FUSE_SETATTR: out_hdr = req_out->attr; break; case FUSE_LOOKUP: case FUSE_SYMLINK: case FUSE_LINK: case FUSE_MKNOD: case FUSE_MKDIR: out_hdr = req_out->entry; break; case FUSE_OPEN: case FUSE_OPENDIR: out_hdr = req_out->open; break; case FUSE_STATFS: out_hdr = req_out->statfs; break; case FUSE_RMDIR: case FUSE_RENAME: case FUSE_RENAME2: case FUSE_FALLOCATE: case FUSE_SETXATTR: case FUSE_REMOVEXATTR: case FUSE_FSYNCDIR: case FUSE_FSYNC: case FUSE_SETLKW: case FUSE_SETLK: case FUSE_ACCESS: case FUSE_FLUSH: case FUSE_RELEASE: case FUSE_RELEASEDIR: case FUSE_UNLINK: case FUSE_DESTROY: out_hdr = req_out->init; if (!out_hdr) { return -1; } out_hdr->len = sizeof(struct fuse_out_header); break; case FUSE_READ: out_hdr = req_out->read; break; case FUSE_READDIR: out_hdr = req_out->dirent; break; case FUSE_READDIRPLUS: out_hdr = req_out->direntplus; break; case FUSE_INIT: out_hdr = req_out->init; break; case FUSE_LSEEK: out_hdr = req_out->lseek; break; case FUSE_GETLK: out_hdr = req_out->lk; break; case FUSE_BMAP: out_hdr = req_out->bmap; break; case FUSE_POLL: out_hdr = req_out->poll; break; case FUSE_GETXATTR: case FUSE_LISTXATTR: out_hdr = req_out->getxattr; break; case FUSE_WRITE: case FUSE_COPY_FILE_RANGE: out_hdr = req_out->write; break; case FUSE_FORGET: case FUSE_BATCH_FORGET: return 0; case FUSE_CREATE: out_hdr = req_out->create_open; break; case FUSE_IOCTL: out_hdr = req_out->ioctl; break; default: return -1; } return fuse_send_response(fd, in_hdr, out_hdr); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 11; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); close_fds(); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { setup_loop(); int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[4] = {0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: NONFAILING(memcpy((void*)0x20000400, "./file0\000", 8)); syscall(__NR_mkdir, 0x20000400ul, 0ul); break; case 1: NONFAILING(memcpy((void*)0x20002080, "/dev/fuse\000", 10)); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20002080ul, 0x42ul, 0ul); if (res != -1) r[0] = res; break; case 2: NONFAILING(memcpy((void*)0x200042c0, "./file0\000", 8)); NONFAILING(memcpy((void*)0x20002000, "fuse\000", 5)); NONFAILING(memcpy((void*)0x20002480, "fd=", 3)); NONFAILING(sprintf((char*)0x20002483, "0x%016llx", (long long)r[0])); NONFAILING(memcpy((void*)0x20002495, ",rootmode=00000000000000000040000,user_id=", 42)); NONFAILING(sprintf((char*)0x200024bf, "%020llu", (long long)0)); NONFAILING(memcpy((void*)0x200024d3, ",group_id=", 10)); NONFAILING(sprintf((char*)0x200024dd, "%020llu", (long long)0)); syscall(__NR_mount, 0ul, 0x200042c0ul, 0x20002000ul, 0ul, 0x20002480ul); break; case 3: res = syscall(__NR_read, r[0], 0x20004340ul, 0x2020ul); if (res != -1) NONFAILING(r[1] = *(uint64_t*)0x20004348); break; case 4: NONFAILING(*(uint32_t*)0x20004200 = 0x50); NONFAILING(*(uint32_t*)0x20004204 = 0); NONFAILING(*(uint64_t*)0x20004208 = r[1]); NONFAILING(*(uint32_t*)0x20004210 = 7); NONFAILING(*(uint32_t*)0x20004214 = 0x20); NONFAILING(*(uint32_t*)0x20004218 = 0); NONFAILING(*(uint32_t*)0x2000421c = 0); NONFAILING(*(uint16_t*)0x20004220 = 0); NONFAILING(*(uint16_t*)0x20004222 = 0); NONFAILING(*(uint32_t*)0x20004224 = 0); NONFAILING(*(uint32_t*)0x20004228 = 0); NONFAILING(*(uint16_t*)0x2000422c = 0); NONFAILING(*(uint16_t*)0x2000422e = 0); NONFAILING(*(uint32_t*)0x20004230 = 0); NONFAILING(*(uint32_t*)0x20004234 = 0); NONFAILING(*(uint32_t*)0x20004238 = 0); NONFAILING(*(uint32_t*)0x2000423c = 0); NONFAILING(*(uint32_t*)0x20004240 = 0); NONFAILING(*(uint32_t*)0x20004244 = 0); NONFAILING(*(uint32_t*)0x20004248 = 0); NONFAILING(*(uint32_t*)0x2000424c = 0); syscall(__NR_write, r[0], 0x20004200ul, 0x50ul); break; case 5: NONFAILING(memcpy( (void*)0x20000000, "\x9e\xda\x43\x88\x38\x74\x3b\xd4\xe9\x72\x0b\xee\x57\x09\x35\x15\xdc" "\x18\x9a\x5e\xa6\x85\xe9\x55\x6c\x1c\x2c\x3c\xfc\x4d\xf5\x0d\x66\xd3" "\x1a\x48\xaa\x31\x26\x63\xb6\x8d\x18\xc5\x82\x6b\x5b\x55\xfb\x73\x82" "\x08\x86\x3d\xac\x0f\x10\xf4\x23\xae\xe7\xa5\xd8\xdd\xc4\x5e\xbd\xfe" "\xb7\x42\x4b\xae\x85\x9d\x7c\x37\xec\xfc\x4b\x63\x91\x4d\x5a\x56\xd9" "\x10\x17\xdd\x22\xbc\x84\xf7\x59\xa1\x59\x69\x95\x1a\xef\x9d\x5c\x88" "\xc9\x65\x60\x89\x69\x88\xfa\x18\xcd\x94\x6c\xfc\xc3\xa0\xf1\xc9\x93" "\x34\x83\x77\x90\x4e\xac\x32\xc9\x80\xbd\xf7\x97\x6e\xbc\xa2\xb4\x99" "\xca\xb6\x3c\x4e\x84\x15\x14\x27\x7f\xc7\x1d\x46\x20\xe2\x9a\x92\x52" "\x34\x02\x48\x5d\xe0\xe8\x28\x96\x48\x4c\x0a\xe4\x97\xa4\xd6\x86\xdf" "\x23\xca\x7b\x68\xc3\xfd\x5e\x62\x4d\x35\x10\xd7\xf9\x48\x38\xe5\x4a" "\xf8\x77\xca\x58\xa0\x0c\x5a\x67\x2b\xba\x11\xf5\xaa\x1e\xd1\x98\x0d" "\xfe\xf4\x7b\x99\x73\xd0\xbf\x45\x6d\xed\x5e\x72\xf1\x70\x2b\x3d\xc5" "\x19\x7f\xce\x39\xcb\xa5\x3a\x03\x8d\x8d\xc0\xec\x78\x3c\xe7\x05\x77" "\x10\x7d\xc5\xe8\xb2\x99\xe6\x4a\x0b\x7f\x11\x91\xf0\x92\x6b\xd2\x57" "\x62\x37\x01\x91\x71\x0b\xab\x2f\x44\xe9\x06\x9f\x55\xf8\xa3\xf8\x7e" "\x4c\xb4\x88\xa2\xfb\x33\x48\xc0\xbf\x3b\x38\x74\x29\x1f\x83\xe4\x77" "\x6b\x16\x0e\xa7\x3a\xaf\xa3\x91\x9c\x7c\x06\x9c\x73\xc0\x05\x21\x73" "\xa6\x31\x58\xdb\x8b\x65\x54\x1d\x16\x1f\x9c\x96\x49\x26\xad\x7f\x06" "\xbd\xd6\xcb\x6a\x32\x13\x5b\x04\xe3\x57\x01\xc2\xe1\x3c\x49\xc1\xf7" "\x5d\xc7\xa2\x5d\x62\x33\x78\x86\x06\x92\xd1\x72\xec\x3f\x1e\x1f\x2d" "\x9d\xc7\x7c\x01\x5c\x13\x72\x1e\xfc\xb1\x01\xc2\x39\x0a\xbb\x84\x7e" "\x87\x11\x32\xf4\x72\xa3\x7c\xc0\x16\x3b\x39\xb1\xd5\x75\xa5\x44\x4e" "\x24\x6a\x08\xa1\xaf\xb1\xa6\x96\xca\xba\xb2\x94\x98\xa3\x14\x42\x9a" "\x3b\x9f\x44\xc4\x3b\xa2\x9f\x71\xfa\xc1\xfb\xe0\xd0\x1c\x3c\x16\xd2" "\x27\x30\x93\x27\x04\xbc\xfb\x0c\x1b\x7a\x43\x2b\xc5\x1d\xd3\xf5\xdd" "\x5a\xfc\x3b\x34\x2c\xbe\x6a\x6f\xf8\x99\x03\x9e\x28\xf9\xa5\x18\x81" "\xb1\xd4\x6f\xdc\xf3\x17\x67\xcb\x6f\x5c\x5c\x69\xab\x3c\x80\x61\x5d" "\x77\xc4\xd1\x66\x4f\xc4\xec\x83\x1b\x8c\xea\x2e\x75\x2b\xbb\x7a\x9c" "\xe7\x9d\xf8\x75\xb2\x9f\x1e\x23\x27\x51\xda\xf3\x2a\x1a\x0c\x4f\xf8" "\xbd\x06\x88\xe2\xb8\xe2\xd6\x68\xb8\xa7\x7e\x20\xa9\xeb\x6e\xc2\xe2" "\xc2\x3b\x94\xe5\x07\xba\xea\xcb\xcf\xa3\x1f\xb6\xe1\xca\x33\x43\x66" "\x8f\x43\xe3\xaa\x6d\x85\xe7\xc2\x9b\xf0\xbb\x4d\xbd\xab\xdd\xc9\x2b" "\xe7\xf4\xa6\xf5\xd2\x1b\x19\xe6\xda\x17\xbf\xb6\xcc\x92\x6e\x38\x47" "\x53\x2f\xae\x29\xc7\xb6\x2f\xb9\x09\x13\x0e\xc3\x72\xd3\xc1\x6c\xfe" "\x6a\xaf\x3c\xe2\xaf\x0f\xe7\x61\x0f\xde\x7a\xad\x61\xbc\x80\xd2\xf9" "\x6b\x99\x9c\x8c\xcf\x6d\x22\xcf\x90\x3c\xa8\xae\x8b\x87\x9e\xc4\xa4" "\x16\xf3\x34\x98\x2e\x98\x10\xc0\x14\x0a\x18\xd4\xdc\x81\xb5\xed\xaa" "\xe2\x3e\x9f\x4a\xba\xf4\x0e\xd7\x15\x12\xae\xbb\xba\x5b\xb2\x51\x54" "\x5e\x18\x8d\xb7\x89\x55\x8a\x84\x5a\x28\x77\xb1\x4b\xda\xee\xc3\xc7" "\x38\xb7\xd7\x30\xc0\x86\x05\x31\xbf\x55\x17\xd4\xf0\xe8\xf9\x5e\xd3" "\x57\x1f\x8a\x35\x81\x6d\x51\x16\xfc\xb8\xd7\xcb\xf4\x2b\x7d\x5d\x5e" "\x65\x54\x15\x08\xc8\x98\xbb\x2e\x0f\xe9\x62\x97\xd2\xab\x71\x35\x66" "\x2d\xe3\x9d\xf0\x99\xeb\xae\xd5\x87\x11\x11\xf5\x34\x62\x78\xce\xe5" "\x72\x8c\xec\x51\x2e\x6c\x0a\x0d\x65\xb5\x1e\x3d\x62\x78\x73\x19\x5b" "\x84\x10\x33\x41\xc2\xbc\x83\xb6\xc8\xfd\xd8\xba\x17\xf5\x95\x74\x13" "\xf6\x1c\x69\xd6\x18\xc9\xb9\xd0\xb1\xf0\x8d\xc8\x19\x21\xb6\xc6\x62" "\xee\x1d\xa3\xbf\xa0\x19\xb0\x95\xe9\xa0\x3c\x2d\xb4\xd6\x45\xcc\xb7" "\x36\x4e\x89\x50\x98\xcb\xf7\xd9\x32\xc7\x2d\x80\x66\x3c\x7a\x16\x94" "\xd1\x22\xf7\x34\x83\x93\x07\x92\x23\xc1\x1d\x36\xc6\x4a\x58\x56\xea" "\xe0\x39\x7a\xb9\xa9\xd9\x48\x20\x4b\x74\xe5\x65\x25\xa9\xd5\x52\xdd" "\x09\x16\xde\x81\xcb\xb5\xaf\x3c\x59\xb3\xd7\xf8\xf9\x15\x44\x23\xce" "\x2c\xb4\x5a\x5b\xc8\x08\xe2\x4b\xef\x13\x21\x20\x19\xa1\x95\x45\xfe" "\x54\xba\x84\xd0\x15\x34\x35\x83\x80\x19\x2b\x8c\x7b\x0e\xda\x90\x78" "\x10\x37\x5b\xb6\x6a\x57\x8a\x58\xfe\xc3\x92\xb4\x79\x91\x27\x1c\x83" "\x67\xb9\x1d\x71\x0e\x8a\x17\x6b\xc1\xa4\xe9\x6f\x0e\x13\x7d\x4c\x25" "\xfb\xb0\x3e\xdd\xc3\x92\xf9\xf1\x70\xdd\x74\x44\x72\xb8\x64\xfb\xba" "\xe7\xc9\x3d\x86\xe6\x82\x30\x8b\x21\xb7\x3c\x56\x52\x06\x5d\x72\xcf" "\x02\xe1\x15\x2b\x44\x02\x4a\x90\xa3\xb5\x2e\xb0\xbb\x3c\xb4\x12\xe5" "\x18\xd3\x7a\x68\xaa\x4c\x7f\x46\x78\x9c\x54\xab\x30\xd3\xa7\x3d\x0a" "\x87\x12\xfd\xe6\x12\x29\x4c\xda\x2a\xa1\xcc\xf1\x64\x93\x0b\x9b\x1d" "\x17\x80\x1d\x4f\xbb\x06\xe8\x49\xd3\x9b\xf2\xb5\x14\x13\x30\xca\xa0" "\xd2\x61\x8b\x61\x6f\x1c\x67\xe1\xca\x57\x08\x0e\x79\xed\x90\x92\xba" "\x7a\x55\xe8\x12\x1c\xfc\x82\x5c\xd2\x6a\x01\x99\xa4\x79\xa7\xab\x1b" "\x7b\x23\xd2\xa4\xdd\x82\xfa\x6d\x04\xee\x41\xca\x68\x04\x35\xef\xc9" "\x34\xf0\x45\x1e\x86\x5e\x86\x32\xac\x2f\x11\x15\xf4\xcd\xd3\x3b\x0f" "\xcc\xb7\xa2\x32\x61\x27\xfa\xf2\x0c\xba\x37\xc8\x28\x61\x3d\xba\x5a" "\x98\xf4\xe1\xad\x25\xeb\x6b\x91\x07\x8c\xf7\x3d\x87\x3d\xf9\xef\x91" "\x53\x14\x76\xf6\x4b\x83\x55\x9f\xf7\xcc\xdc\x4c\x07\x0d\x47\x8b\x18" "\x19\x6e\xa0\x5f\xe8\xd4\xea\x02\x16\xee\x52\x73\xdf\xab\xbd\x04\x58" "\x2f\x40\xf0\x64\xc9\x78\x1a\xfd\x2c\xbf\x30\x90\x1f\x28\xcd\x09\xcc" "\x93\x4f\x1b\x2d\x50\x88\x37\x78\x27\x41\x77\xe3\xdb\xa8\xaf\x0a\x1b" "\x93\x1d\x80\xce\x1a\x6c\x40\x85\x78\x0e\xa2\x19\x5b\x65\xec\xfd\x29" "\x53\xf7\x8a\x52\x90\xfe\x56\x0d\x0c\xd6\xa5\xe7\x38\x90\xa5\xa8\x2d" "\xc4\x10\xb9\x2a\x3e\xf2\xbe\x05\xec\x56\x07\x82\x0f\xd4\xca\x6b\x9c" "\x3a\xa2\x58\xd5\x90\x22\xfd\xcb\x21\x66\x5f\x1c\xe4\xe8\xaa\xd8\xfd" "\x91\x8c\x43\xbd\x3c\x2a\xfe\x3d\xc2\x23\xff\x9f\x48\x83\x1d\x40\x1c" "\x8b\x69\x96\x19\x07\x93\xd1\xdd\x75\x51\xf8\x51\x1b\x69\x28\x39\x92" "\x39\x8d\x8f\x9b\x4b\xd2\xb3\x39\x8d\x3b\x8c\x6f\x3c\x5d\x8b\x80\x2c" "\xa5\x28\x2b\x70\x24\x2d\xf2\xb7\xbe\x4b\x38\xe7\x0c\x30\x65\xf8\xda" "\x88\x86\x31\x37\x5a\xfc\xc0\x5c\xe5\x78\x08\x9c\x4f\x78\x37\x76\xb2" "\x86\xb7\xa6\x0d\x1b\x5e\x18\x9e\x27\x42\xa3\x24\x0c\x10\x36\xa9\x53" "\xd8\x86\x88\x54\x22\xee\xf0\x14\x13\xc3\x80\x99\xb6\x45\x05\xfd\x5a" "\x73\x48\x8a\xcb\x4e\x61\x18\x20\x67\x4c\x58\xae\x74\xd6\xc6\x4a\x88" "\x5d\x4b\xed\xa9\xbd\x79\x03\xbc\xdc\x71\xe3\x71\x1e\x2a\x05\x7c\x0e" "\xab\x21\x00\xc3\x21\x05\x0a\xb1\x4c\x6e\x45\x3c\x53\x18\x25\x77\xad" "\x31\x78\x60\x3c\xd9\xaf\xde\x40\xa7\x01\x12\x0e\x9a\x36\x07\x4f\xd5" "\x82\x42\x8c\x74\xe0\x27\x81\x31\x8e\x6c\x65\x45\x0f\x8f\x02\x0b\xd2" "\x24\x75\x69\x6f\xe1\x3b\x8c\x59\x26\x0e\x53\xa0\x6d\x16\xea\xbd\x13" "\x5e\x88\x7a\x0a\x6b\xbc\x8a\xd2\x1b\xe7\x66\x1d\xf7\x6f\xec\x5b\x13" "\x84\x4f\x68\xb8\xee\xd1\xa7\x37\x97\x13\x73\x8b\xea\xc9\xf2\x3c\x7a" "\x26\x52\x0e\x19\x79\x7a\x91\x0c\xde\x9f\xb2\x85\x17\x95\x26\x88\x9b" "\x90\x8b\x7e\xb4\x9b\xb0\x6f\x70\xf6\x27\x1f\xba\x87\x12\xc1\xa4\x26" "\x9e\xbc\xf4\xb7\xd0\x43\xe9\x24\xe3\xd2\xc4\xc7\x53\xfd\x7e\x54\x7d" "\x95\x84\x1e\x33\x51\x79\x83\x6f\x76\x42\x4e\x72\x88\x10\xd7\xf3\x2b" "\x78\x25\x6e\xa3\x0c\x79\xd9\x23\x8a\x65\x88\x42\x6e\x1f\x2d\x4c\x0b" "\x03\xd5\x60\x5b\xd8\x26\xed\x24\xf0\xf1\x13\x26\xb4\xcf\x95\x86\x32" "\xb8\x6e\x01\x7a\xa8\x0e\x14\x2d\xb1\x58\x0c\x44\xf7\x6d\x9c\x98\x19" "\x6f\x3f\x68\x52\xab\x2b\xfc\x6a\x01\xa3\x55\x3a\x13\x0c\x2d\x17\x19" "\x57\xf5\xa4\x5c\x35\x50\xfb\xbc\x99\x0e\xf8\x74\x2a\x98\xa8\x6b\x28" "\x0a\x57\xb9\xf1\x98\xff\x43\x6b\xc0\x11\x61\xad\xa5\x0e\x6f\x23\x02" "\x6c\x32\x54\xad\xf2\x32\x1b\xff\x7e\x20\xaa\x54\x08\x0b\xbb\x57\xd8" "\xd5\x2c\x6a\x6d\xf6\x10\x77\x06\xa2\xe5\xbc\x6d\xa6\x8f\x17\xb4\x74" "\xc0\xed\xd3\x94\x01\xd7\x65\x08\x6e\x88\x5c\xf7\x99\x24\x05\xf8\x56" "\x55\x79\x15\x60\x3c\xbe\x88\x94\x67\x6e\x99\x6b\xba\xdb\xb6\x49\xa5" "\xe7\x49\x8b\x91\xf9\xbd\x2f\x69\x7d\xd9\xeb\xbe\x4d\x38\x60\x50\x25" "\x8b\x9f\x4c\x94\x78\x1e\x61\xc6\x60\x65\x1c\x3f\x1e\x3a\xe5\x1f\x8c" "\x03\x5e\xca\x36\x5b\xf1\x5d\x6d\xb4\x8e\xa9\xce\x18\x35\x15\xf4\xa2" "\x08\xd0\x10\xf7\xc2\x3d\xca\xcb\xd6\xe2\x25\x49\x0d\x7e\x9c\x13\x35" "\x25\xf5\xc9\x01\x8d\x75\x2b\x21\xb4\x89\x7b\xf1\x8b\x64\xb6\xa9\x93" "\x6f\x53\x8a\x0a\x89\x58\xfc\x93\x44\x40\xae\xea\xad\x2b\x68\xac\x84" "\x4d\x76\xf0\x90\x0a\x6c\x95\xbd\x0b\x35\x3d\x85\xd4\xfb\x62\xeb\x88" "\x36\x01\x12\x23\x7f\xd8\xc6\x36\xa8\x0e\x31\x30\xb2\x1d\x66\xae\x8e" "\xc5\x8a\x4b\x76\xcb\xa0\x60\x2f\x96\xda\x91\x9f\x7e\x84\xfd\x37\xe3" "\xec\x23\x79\xf5\x8e\x38\x9a\x39\xc7\x8d\x24\x82\xe0\x3c\x37\x9e\x3c" "\x46\x49\xad\x63\xa7\x6e\x37\x07\xec\xff\x07\xd2\xfc\xb0\xc9\xdf\xc5" "\x24\xca\xb4\x9e\x69\xa0\x9c\x92\xe4\xf8\x87\x14\x33\x5c\xb5\x7d\x3f" "\x61\x84\xd0\x7b\xef\x96\x57\x28\x0f\xb5\xc9\xfd\x2d\x8f\x94\x0f\x7a" "\xc6\xc5\x40\x7e\x30\x77\xaa\x2e\x4b\xa8\xe2\x17\xe0\xee\x19\xe3\x02" "\xd6\xd9\x0e\x3b\xe0\x5a\x86\xda\xde\x35\xd2\xe4\x54\xe5\x11\xaf\xb5" "\xcf\x59\x36\xf1\xd1\x1f\x2f\xa6\xbe\x6c\xea\xa8\x17\xdb\xdc\x7a\x6a" "\xab\xf2\xfa\xd8\xff\x3e\xfa\x83\x82\xa2\x50\x99\xf0\xc5\x98\x9d\x2a" "\xd5\x6a\xe0\xf4\x96\x8b\x2c\xfc\xfc\x67\xb4\xf1\xc1\x61\xc7\x59\x00" "\xb4\x84\x8f\x59\xa3\xc0\x37\x6d\xfc\xb7\x99\x7b\xf2\x8e\x9e\x85\xd6" "\xdd\x94\x2a\x36\x05\x16\xde\x38\xe1\xc1\xa0\x38\xa7\x96\xf9\xa7\x7f" "\xf2\xb0\xc7\xe5\xe8\xf4\x93\x23\x91\xa0\xe5\x8e\x76\xda\xcc\x6f\x97" "\x64\x17\x8a\x21\x1d\xfd\xe3\xe7\x5d\x36\x7d\x29\x11\xff\x39\x81\x26" "\xff\xdf\x83\xcf\x2f\xbd\xf1\xad\x52\x32\xbe\xd9\x15\x5f\x7a\x16\x86" "\x38\xa5\x72\x09\x4a\x9e\x93\x4d\x49\x69\xb3\x58\xcf\x6e\x12\x1d\x7f" "\xd2\xae\xae\x2f\x49\x90\x68\xb4\x2c\x15\x2f\x0e\x34\x03\xa2\x30\x88" "\x5d\x6f\x92\xf0\x38\xdd\xaa\x23\x49\x9f\x80\x4f\xfb\x06\xab\xdb\xab" "\xb5\x1f\x6c\x38\xc9\x2f\xb1\xa6\x27\x1a\x4b\x13\xd6\xd1\x11\x25\xb8" "\xec\x12\xef\xa5\x90\x7d\xc6\x50\x62\x79\x7f\xb9\xcc\xa1\x5e\x2f\x25" "\x4e\x76\xb1\x82\xd3\xfc\xdb\x4e\x96\xac\x4d\xe3\x6d\x6d\xf7\xe7\xbb" "\xa5\xc3\x2f\x42\x22\x86\xb1\xbe\x3b\x79\xbf\xfb\x6f\xd6\x93\x76\x19" "\x52\xd1\x95\xa8\x4a\xd9\xce\xb0\x72\x87\xa0\xfb\xef\xab\x9e\x03\x47" "\xb5\x13\xc5\xf6\x02\x33\xcc\xd4\xb5\x2d\x90\xec\x14\x4a\x2f\x89\x6d" "\x9d\xc7\xf2\x79\xf8\xaa\x93\x03\x8f\x3e\xfa\x28\x6e\x1c\x30\x06\x93" "\x3a\x4d\x71\x83\xd9\x52\xf8\xd2\x8b\x14\x1b\x28\xb2\xaf\x35\x5b\x5b" "\xd8\x19\x8d\xfd\xe1\xff\xb8\xd0\x92\x02\xaf\xf0\xd1\x6c\xa3\xfe\xc1" "\x94\x66\x28\x92\xa4\x9f\x82\x98\x13\x97\x0a\x45\x20\xf1\x22\x8a\xa0" "\x3d\x21\x1a\x45\xbe\xd3\xb2\xe0\x5b\xf1\xf1\x0b\x1a\x15\x27\x61\xe7" "\xb6\xc6\xdd\xea\x86\x3a\x3c\x02\x22\x42\x56\x09\x2c\x70\xca\x70\xdc" "\x18\x5c\x4c\x38\x5d\xd9\x8b\x09\xe2\x68\x26\x61\xe1\xe6\x6f\x71\xd9" "\xc4\x03\x70\x48\xeb\x70\xe8\xa1\xcb\xe5\x7d\xe8\x7e\xc4\x37\x13\xab" "\xf5\xfd\xcf\x63\xb9\xc4\x82\xf3\x18\xe3\xbe\xc3\x7e\x87\x8d\xad\xba" "\xe1\x5a\x02\xd7\x31\xe6\xc8\x57\x4e\xb1\x4c\x05\x9d\x72\xf7\x3b\xe5" "\x17\x4a\xdd\x78\x6d\x06\xb5\x85\xa2\x8a\x06\xd3\x49\xd8\xe4\x34\xa4" "\x91\xb3\x48\x97\xb3\xc1\xad\x78\x6e\xc8\x28\x0d\x7f\x57\xed\xd4\xfb" "\xc6\xae\xa5\x48\x5d\x65\x9b\x59\xd3\x93\xe3\x31\xcf\x91\xe6\xed\x76" "\xf3\x40\xfc\xf7\xcf\x46\x08\x92\xfa\x73\x18\xfc\x42\xb8\x83\xf6\x1d" "\x88\x8a\xd9\x82\xa7\x51\xac\xcb\x61\x3c\x66\x66\x1f\xba\x5f\x3d\x6d" "\xe7\x51\xa6\xa9\xef\x8a\x47\x00\x31\x6a\xaa\xd0\x4e\x99\x1a\xab\x79" "\x03\xf4\xef\x01\x2e\xc2\xa8\xc0\x92\x23\x4e\x74\xef\x33\x5d\xaf\x36" "\x0a\xe4\x7b\xbd\x2b\xbc\x6a\xd8\xc1\xa4\xf8\x1e\xfe\x8b\xbd\x70\x3c" "\xb5\x5e\xf3\x6b\x32\xb4\xe3\x0c\xb5\xa3\xb1\x65\xc0\x2b\xa2\x95\xd0" "\xe1\xc4\x0c\xe6\xff\x8f\x47\x9a\x74\xf0\x12\x75\xf1\x13\xeb\xfa\x8a" "\xde\x37\xa5\x9c\xe7\x0e\x6c\xa2\xa6\xf4\x8f\x1b\xe0\x85\xf6\x1b\xf7" "\x72\xe2\xc2\xda\x52\x3a\x2c\xfe\x63\xe9\x9c\x57\xbd\xb1\xff\x23\x13" "\x9d\x4f\xca\x49\xef\xf7\x54\x7e\x98\x80\xee\xfd\x3f\x75\x11\xa6\x77" "\xef\xa2\x3b\x52\x09\x8b\xa8\x90\x37\xc4\x8d\xfc\xda\x2e\x8c\x1c\xfb" "\x9f\x89\x21\x61\x04\x9e\x53\xf8\xce\xe5\x52\x56\x27\x95\x12\xae\xca" "\xb8\xc4\x41\x60\x0d\xae\x0f\xd9\x57\x88\x32\x73\x04\x7c\xf5\xc6\x6b" "\xa2\x09\xf8\x30\xaa\x2c\xe0\xcb\xe4\x1c\xa0\x8c\x0c\xef\x4a\xed\x7f" "\x43\x24\x00\x92\x00\x66\x1a\x7c\xe6\x80\xe5\xa8\xdf\x2d\x05\x1c\x1d" "\x8b\x2f\x63\xd2\x5d\x8d\x74\xd0\x5c\x75\xc4\x6c\x8f\x3f\x24\xd6\x25" "\x53\x9e\x63\x45\x96\x50\x96\x04\x98\xa5\x4e\xc3\xb1\x62\x25\xbb\xbf" "\x4d\x39\x30\x00\x9d\xf2\x65\x83\x9d\x72\x61\x1f\x53\x32\xa9\x04\xcd" "\xeb\xad\xa1\x08\x23\x6e\x44\x14\xa2\x90\x9a\xd0\x1e\xc4\x4b\x9d\x7f" "\x75\xde\x43\x85\xad\x7c\xa5\x15\x2e\x89\x0a\x09\x19\xb3\x63\x9f\xd1" "\xbc\xbc\xa3\xb7\x37\xeb\xb8\xd9\xae\x54\x1b\x12\x71\xcf\x21\x66\xba" "\x15\x83\x0e\x66\xf3\xd3\xaf\xd3\xb7\x54\xa7\xf8\x1a\xd4\xf0\x99\x97" "\x04\xae\x99\xc1\x14\x90\x7c\x5b\xe4\xa4\x79\x7f\x13\xb8\x05\x64\xf2" "\x34\x72\x3a\x34\xdb\xe1\x37\xda\xbf\xd7\xfa\x23\x56\x2d\xf6\x79\xf5" "\x4a\x6a\xb5\x4d\xef\x6d\x63\xde\xae\x98\x44\xf7\x2f\xd7\x3e\xfd\x04" "\x13\x55\x1f\x5c\x4b\x9e\xe8\x26\xeb\x3b\x7f\xaf\x92\xa5\x9e\xa3\x4a" "\x16\x72\x3b\x4f\xea\x14\xd1\xc8\x81\x5a\x4e\x2d\x39\xfc\x48\xd1\xdb" "\xce\x52\x6a\x7c\x53\xf5\xa9\x6d\x0e\xf6\x46\x3a\x0c\xee\x73\xfd\x35" "\x05\xf5\xc7\x64\xa2\x64\xb8\x3c\x4a\x21\xf8\x0e\x8b\x61\xc8\x2d\x24" "\x44\x2d\x13\xda\x99\xd1\x8d\xc1\xb2\x53\x8e\x7a\x51\x0f\x60\x93\xd9" "\xef\x2b\xc5\xcc\x77\x7d\x4f\x98\x41\x1e\x93\x91\x9e\xdd\xfd\x69\xd6" "\xe2\x0d\x22\x7c\xb6\x1c\x50\xf3\x58\xea\x22\x7f\x4d\xe9\x41\xfb\x08" "\x0c\x1c\xf6\xb1\xf6\xe2\x55\x33\x76\x8f\xe1\x33\xdb\xfc\x3f\x9d\x29" "\xc6\x03\xbe\xd3\x8a\xa3\xc5\xaf\x5b\x81\xa7\x06\xb0\x06\x7b\x40\xb8" "\x8f\x99\x26\x10\xd0\x4c\x7c\xc3\x6b\x8f\x64\x96\x97\xcd\x6a\x93\xfa" "\xe5\x11\x38\x16\x18\x91\xae\x75\xa7\x14\x77\x80\xfc\x59\xaf\x5a\x6e" "\x18\xc5\x4f\x9d\x2a\x4f\xe7\xfa\x92\x31\x4b\x39\x9a\xfb\xa9\xa4\x0d" "\x0c\xc2\x4f\x70\xa2\x59\x3a\xcf\x8d\x17\x92\x15\xe0\x6b\x7a\x9a\x88" "\x22\x4b\xaf\xcb\x2c\xbf\x60\xca\xf5\xfe\x4f\xf3\x82\x08\xa7\x07\x93" "\xb5\xdc\x33\xcd\x57\x29\x56\x26\x0e\x1c\x86\x31\x2d\x3b\xa9\xb3\xa4" "\xb2\xb4\x43\x76\xf2\xe7\x8c\x61\x6a\x6c\x08\x80\xac\x8d\xcb\xaa\x30" "\xb9\xf7\x61\xd5\x00\xfd\x03\xa8\x51\x8d\xd0\x50\x91\x57\xb1\x84\xa2" "\xd9\x5e\x0c\xaf\x3f\xfc\x8a\xc2\xdb\x6c\x54\xd8\x0c\x71\xa1\xe5\xb9" "\xea\x3b\xf5\x10\x71\xe2\x11\x8a\xf2\x04\x12\x3d\xac\xee\xb0\x4e\x4f" "\x6f\x31\xf3\x2a\x4d\x3f\xbb\x76\xee\x49\x44\x0c\xab\xda\x2c\x12\x1c" "\x1b\x99\xac\xab\x5b\x87\xce\xcc\x37\xc3\xf9\x06\x6a\xf3\x4a\xb2\x9d" "\x65\x98\xbb\xfd\x91\x04\x7a\x2a\xc7\xce\x3a\x8f\x30\x27\xff\x5e\x6d" "\x74\x35\x06\xf1\x61\x08\x72\x78\x89\x6a\x98\xed\x37\x12\x2b\xa2\x08" "\xb6\x1c\xf5\x4d\x39\x29\x55\x5a\xb0\x6b\x56\x4c\xd5\xe4\xf4\x6f\x47" "\x55\xa6\xcf\xa2\xef\x2b\x30\xd2\x9e\xa6\x6f\x27\x49\xd4\x06\x0d\x41" "\x1f\xa9\x16\x0c\x91\xb6\xf5\x5c\xf0\x71\xac\x82\x22\xc6\x31\x3d\xf1" "\x87\x59\xe2\x95\x8c\xdd\xfe\x3d\xb4\xcb\xeb\x9c\xd3\x9a\xbc\xf5\xf0" "\xbe\xae\xca\xe8\x43\x78\x13\x99\x5c\xb7\xed\x0b\x87\xd4\x2c\xa9\x42" "\xff\x72\x45\xec\xe2\x04\x79\x8d\x01\x36\x1c\x5f\x00\x8e\x0d\x82\xbd" "\xf7\x66\x60\x51\x5b\xc7\x8f\x7f\x8f\x40\x9c\xcf\x68\x61\x4b\x2c\xb5" "\x0f\x5a\xf2\x61\x56\x61\x32\x6f\xd9\x71\xbc\x57\xee\xea\xde\x60\xea" "\x90\x6b\x8d\xf1\xcb\x0d\xfa\xfd\x31\x8c\xd2\xc3\x96\x30\x9c\x32\x9d" "\x04\x69\xca\x19\x2a\xa8\xf5\x1d\x7c\x42\x27\x68\x54\x40\xf0\x73\x98" "\x32\x55\xba\xf0\x54\xb9\x7b\x9d\x7b\xe1\xd1\x47\x0d\x7e\xab\xd5\xc0" "\x9b\x21\x16\xb4\xe8\x6b\x05\x67\xb7\xe9\x7e\x08\x87\x17\xa4\xfe\x3d" "\xbd\xd3\x10\xa1\xc3\x91\x36\xea\x4d\x2c\x47\x49\x20\x01\xf9\x88\x5d" "\xba\x03\xbf\x97\xe7\xda\x37\x61\x71\xd6\x66\x44\x1c\xdc\x2f\x99\x9d" "\xb1\x37\x60\x3d\x57\xdf\x32\xb4\x26\x0f\xa0\x16\x5e\x82\x91\x7b\xb1" "\x63\x1e\xa3\x14\xe7\xa7\x43\x7e\x66\xfc\x68\xce\xf2\x2c\xda\x8f\x45" "\x6d\x6e\x58\x3f\x6e\x32\x37\xe0\xbc\x79\x98\x7a\x91\x03\xf7\xcf\x09" "\x18\xe2\x68\x81\xf6\x7e\xa5\x82\xe1\xff\x3a\x49\x17\x75\x99\xd3\x85" "\xbf\x6e\x42\x57\x2a\x25\x47\x93\x3a\xed\xdb\x82\x65\x30\xe9\xad\xf3" "\x0d\xd8\x4c\x3a\x7f\xae\x5c\x4c\x26\xf6\xc6\xf3\xa9\xf0\x90\x6d\xec" "\xd3\x14\xe2\x40\x78\x25\xab\xef\x95\x9c\x54\x16\xd1\x8a\x92\xff\x34" "\xe6\xc5\x21\xa1\x6e\x8a\x0a\x29\x93\x7c\x77\xd4\xee\x99\xb4\x1d\x53" "\x0a\x73\x2a\xcb\xe0\xbf\x5d\x27\x4d\xf9\xd4\x96\xb4\x7a\x9a\x62\x45" "\x46\xbd\xcf\x99\x76\xcd\xe1\x2e\xc9\x89\xcb\x2a\x70\xb3\x3a\x7c\x8a" "\x3a\x77\x65\x20\x23\x16\x46\x95\xf9\xdb\x30\xdf\xcf\x58\x7f\x0c\xd4" "\xf7\x3e\x38\x57\x30\xbc\xbd\xd6\x88\xf6\xdc\xb0\x8b\xa0\xef\xbb\x9f" "\x57\x92\x20\xaf\xef\xa4\xac\xfe\xa5\x22\xe8\x64\xfc\xe9\xb1\x78\x2c" "\xe9\xf1\x48\x24\xd1\x6e\x9d\x33\xa2\x60\x9c\x23\xba\x3c\x5a\x1a\xf0" "\x25\x49\x35\x7a\x0d\xcc\x12\xe3\x78\x19\xd7\x78\x02\x17\x62\xcf\x89" "\x5a\xbe\xac\x11\x25\xb7\x44\xc8\xb8\x22\x5a\x09\x1e\x7b\xe9\xde\xd9" "\x99\x3c\xfa\x3c\xa9\xab\xb8\x3e\x25\xc8\xf5\x59\x00\x99\x77\xa2\xed" "\x93\x74\xa8\x96\x19\xfa\xe5\xef\x6d\x16\x4b\xb7\x3d\x24\x20\x04\xdc" "\x84\x28\xe4\x46\x89\xb3\x3e\xe3\xbb\xe8\x8b\xb4\x96\x2a\xb0\xa3\x2a" "\x90\xe7\xae\xa0\x44\xf0\x84\x10\x75\x2c\xb2\xd7\xae\xaf\x31\x96\x64" "\x8a\x3a\x99\x09\x26\x65\xb4\x78\xbb\x39\x4b\x48\xf7\x9b\x36\xdb\x0e" "\xfc\x7f\x50\xd6\xa5\x17\x9c\x94\x5f\x52\x98\xcf\xaa\xc5\xe5\xde\xa7" "\x15\x29\x6f\x92\xab\xce\x72\x81\xd4\x8a\x0c\x9c\x6b\x78\x5a\x35\xef" "\x5f\x16\x97\xc0\x47\xdd\xb2\x54\xfe\x9a\x8a\xb9\xf4\x98\xb0\xc1\xae" "\x09\xff\xd0\x1a\x3d\x8d\x42\x7f\xee\x7e\x36\xc5\x1e\x0e\x5c\x2f\xee" "\x22\x45\xfb\x84\x64\x62\x6a\xb5\xc9\x85\x7e\xbc\xe9\x1f\x7d\x22\xbf" "\x02\x4d\x10\xc2\xd7\x10\x21\xcd\x69\x26\x84\x72\xde\x41\x9e\x6c\xef" "\xd9\x70\xcc\x3a\x8e\x4d\x1b\xbe\x64\x96\x79\x9a\xa7\xf1\x00\x41\x17" "\x66\xe7\x12\xaf\xf0\x8b\x73\x14\x60\xf1\x4f\x9d\x73\x56\xdb\x12\xcf" "\x8e\x1c\x61\x21\x96\x8d\xc6\x8b\x1d\x81\xc0\x86\xb3\x25\xca\x4c\xe6" "\xfe\x1f\x47\x67\x07\xe0\x8f\xa9\x13\x14\x4b\x75\x7c\x6b\xe1\x7c\xf9" "\x31\x50\xdb\x29\x54\x4d\x20\x7f\x09\xa8\x96\xf3\x3b\x73\x35\xd9\x33" "\x92\x15\xda\x75\x1e\x7a\xf2\xc6\xbd\xd1\x9d\xb6\xf5\x21\xaf\x2c\x8a" "\x59\x98\xdc\x60\x7f\x97\x02\x6d\x07\x11\x14\x88\x74\x11\x34\xc1\xc8" "\x6e\xba\x12\x32\x73\xd1\xfd\x5e\xe4\xb4\x71\xe8\x6f\x9a\xe9\x47\x8a" "\x04\xc7\x48\x20\x76\xab\x34\xa1\xec\xa5\xc6\x4f\x89\xe5\x10\x6e\xed" "\x44\xbc\xee\xc0\x19\xc6\x7c\x12\xfb\x4d\xb4\xfd\xac\x15\x3f\x4a\xc3" "\xb6\x3f\xfe\xb6\xd3\x0d\xe5\x8e\xc0\x39\xe2\xdd\x3c\x18\x1e\x25\x4c" "\xd9\x4d\x0a\x2b\x0b\x44\x49\x03\x84\xcc\x59\x15\xb5\x4e\xe1\xdb\x2b" "\x6d\x05\x98\x79\xbf\x81\x26\xc9\xca\x97\x6d\x0f\x78\x62\xda\x07\xec" "\xd3\x50\x93\x0a\x08\x18\x10\xa7\xaf\xd7\x2b\x2a\xd3\xf6\x5b\x96\xae" "\x9c\x7f\x91\x22\x7a\x2b\x55\x13\xa5\x59\xf3\x6b\x90\xfe\x01\xbe\x9a" "\xe5\xad\x3c\xa6\x5e\x2c\x26\xf3\x58\xfc\x26\xb8\x58\xa3\x63\x3f\xda" "\x7a\xe4\x9a\x5f\xb7\x05\x22\x0a\x58\x19\xb3\xcc\xa4\x1b\x1c\xcc\x21" "\xd7\xc4\x0f\x5f\xa9\xc4\x22\x28\x8e\xfa\x53\x94\xe4\x31\x26\x75\x89" "\x9d\x70\x4a\x2a\xab\x62\xb8\x36\x3f\x58\xfd\x4b\xc1\x2a\x8b\xea\x6f" "\xfc\x45\xb4\x41\x42\x37\xbf\x5f\x01\x93\x21\x20\x6d\xbb\xa4\x39\xac" "\xb5\xef\x26\x64\x1f\x30\xfd\xac\x20\xf9\x64\x35\x4b\xce\x94\xe4\xc9" "\xd7\x3e\x13\x7f\x98\x06\xde\xef\xaf\x6f\x4a\xca\xa0\xe7\x6a\xd4\xfe" "\xf9\xf6\xcb\x7f\xc0\x1b\xba\xbd\xa9\x61\x2c\x05\xad\xbe\x46\xaf\xcf" "\x94\x81\x9e\x8a\x4b\x4b\x49\xff\x76\x47\x84\xfa\x43\x2d\x47\xfb\x6d" "\x42\x30\x90\x00\x43\xd1\xb4\x52\x1c\xd6\x83\x9f\xe8\xc5\xdf\x4d\x18" "\x99\xfd\xfb\x13\x88\x0e\x20\x7c\xac\x73\xf0\xa2\x90\x20\xbd\xd5\x63" "\xbd\x9c\x2f\x6b\xcd\x1e\xc5\x23\xb3\xe0\x3e\xbf\x61\x64\xfc\x65\xaf" "\x00\x18\x30\xc5\x13\x96\xf9\xdf\x2d\x34\x6f\x83\xa5\x9c\xfc\x82\x20" "\x1c\xf1\x15\x0e\xa5\x72\x59\xd5\x79\xfc\x2e\xd1\x99\xb3\xfb\xe4\x2d" "\x51\x88\xc8\x4e\x43\x54\x61\x07\x43\xe5\xb2\x3a\x26\x52\x46\x31\x3c" "\xc6\x39\x13\xf1\x74\x12\xfa\x00\xd9\x8b\x37\x9b\x80\xb9\x6d\x93\x69" "\x69\x57\x2e\x11\x31\x6b\xc8\x92\x6c\xb2\x31\x15\x18\x6f\x3b\x23\x87" "\xb8\x2c\x38\x98\xfa\x41\xbf\x16\xa3\x08\xda\x62\xd5\xa3\xeb\x36\x09" "\xaf\x19\x43\xfd\xdd\xe0\x8a\x40\x36\xeb\x2a\x41\xb7\x29\x2c\xaa\xd9" "\xeb\x08\x26\x14\xb0\x2a\x1f\xa2\x55\xbc\x7a\xbd\x4d\x0e\x3b\x4e\xc1" "\x80\x1e\x13\x1e\x68\xc7\xaa\x9d\xa1\xa0\xff\x10\xf9\xde\x87\xde\xc8" "\xfa\xd1\xad\x8b\xfa\x99\xca\xa4\x9e\x20\x3a\x7b\x9c\x33\xe0\x44\xd4" "\x54\x4a\x53\x74\x71\xe7\xa4\x52\x46\x8b\x82\x19\x59\xbc\x48\x8c\x6b" "\x8c\xbf\x81\xe9\x00\x81\xa2\x6d\xe2\x73\xad\x12\x03\xcc\x06\xad\xb6" "\xaf\x24\x2a\xb1\x9f\x96\xc1\xc6\x6b\x58\xc3\x7e\x2c\x93\x09\x70\x4f" "\xba\x63\xaf\x99\xa8\xd9\xc5\xef\xc6\x51\xaf\xb6\x31\xfe\x9f\x54\x6b" "\x93\x8c\xc3\xb8\xe5\x26\xc4\x15\x9e\x5c\x9f\x7a\xfb\x29\xfd\x1d\x55" "\xfa\xbf\x09\x36\x7c\xe2\xa6\x3a\x35\xe7\xa2\x06\x2d\x1c\x77\x2e\xd9" "\x81\xfd\x77\x15\x7a\x84\x7f\x68\x7a\x17\x7c\xf9\x88\x6c\xe4\x1d\xf8" "\xcc\x50\x93\x02\xb4\x6b\xc1\xe2\xba\x89\x6b\x1c\x16\x56\xa1\xbb\xfd" "\xf4\xcd\x9a\xc3\x9c\xf8\x51\x0d\x1c\x82\x30\x75\xf1\x65\x50\xfd\x04" "\x4a\xac\xc8\xd4\x2a\x56\xf0\x37\x18\xf7\xb1\x84\x75\xcd\xc3\x99\x9f" "\xae\xb2\x5a\xb3\xdd\x8a\x80\x7e\xe0\x4d\x8e\x5d\x83\x1d\x08\xb4\xe3" "\x09\xdf\xf5\x03\x30\x68\x51\x38\x79\x7e\x10\xc6\x36\x26\x36\xf5\x3f" "\x22\xbf\xc1\xf3\xd5\x09\x0a\x5d\x36\x92\x82\xd9\xde\x36\xbb\x4e\x25" "\x05\x41\x1c\xcc\x6e\xa3\x95\xaf\xa1\x56\x7b\x15\xa2\xfb\x4b\xe2\xad" "\xee\xa7\x12\x6b\x1a\x8e\x80\x03\x41\x05\xe0\xd9\x8b\xdd\x78\xe7\x96" "\xce\x1c\xdc\x06\xa4\xae\x66\x6f\xc0\xba\xec\x5c\x52\x61\x43\x40\xed" "\x99\x76\x73\xe2\x6e\xc4\x7c\x88\x84\x6c\x00\x0b\xb7\xc9\x07\x73\x37" "\xcd\x44\xf5\xc0\x41\xfd\xcc\x64\x98\x6e\x5e\x1c\x0f\x48\x81\x48\xf0" "\xee\x6f\x84\x2c\x44\xc0\xb7\x2e\x82\x10\x92\x70\x34\x1b\xba\x6e\x90" "\x80\xb7\x0f\xcf\x93\x0d\x0f\x10\xbe\x5a\x36\x79\x8e\x70\x11\x1f\xed" "\x72\x72\x7b\x72\x28\x2f\xf1\x64\xfc\x08\x31\x9d\x74\xf1\xf5\x7c\xde" "\x71\xb5\x7c\xb3\x97\xa9\xe7\x53\xf8\x7b\x97\x72\x9b\xaf\xba\x01\x7a" "\x24\xcb\xfd\xee\x5d\xfe\x7f\xc2\x96\xc1\x12\xe9\x3b\xb8\xfc\xe5\x60" "\xca\x80\xa3\xaf\xd8\x37\x0b\xaa\xa7\x9a\xd7\x83\xb5\x13\x52\xb5\x44" "\x0b\x14\x4a\x47\x37\x8c\x9a\xe2\x2e\xda\x57\x94\x32\x8e\x95\xbc\xca" "\x22\x0f\xd0\x7b\xb5\x69\x15\x52\x9b\x15\x5c\x61\x85\x8e\xfe\x89\xad" "\x36\xa7\x92\x88\xe7\x4c\x0e\x25\x1a\xdd\xcf\xaf\x79\x74\x32\x17\x5a" "\x55\x62\xb4\x6e\xff\x5e\x3a\xeb\xeb\x74\x62\x3e\x18\xbe\xef\x85\x38" "\x93\x83\xc6\x04\xd8\x88\x44\x31\xb0\x7d\xc4\xbe\xa0\x17\x4a\xad\xc3" "\x37\xff\x41\xf5\x58\xa6\x3f\x16\x69\x0f\xea\xe4\x7e\xfa\x2a\x5d\x13" "\x18\xb7\x39\x7e\x1e\x4b\xa3\x98\x72\x7d\x28\x67\x91\xb7\x16\x10\xe1" "\xd7\x8d\x32\x80\x0e\x7e\x11\x3c\x12\xab\xf0\xf6\x0b\x6c\xa4\x40\x1e" "\xcd\x23\xb7\xaa\xcd\x99\x06\x33\xb2\xb0\x17\xda\xf6\xbf\xef\x1b\x23" "\x61\xec\xe7\x4b\x7d\xbc\xbb\x1a\x73\xd4\xbc\x1f\x9d\x2e\x5c\x9f\xb0" "\xb7\x98\x0d\x25\xcc\x44\xd1\xb1\x0c\x09\xef\x5a\x6a\x05\xc8\x46\x69" "\x29\x4a\x5c\xad\xf0\xcd\x88\xab\x44\x9f\x9f\x0b\xcd\xd8\xc4\x85\x90" "\xd4\x16\xc5\xc1\xfe\xaa\x49\x4a\x21\x45\x94\x9c\x2a\x33\x73\xdf\x7c" "\x60\x14\x22\x5f\x27\x45\xbb\xeb\x20\xff\x29\x4d\x22\xc0\xd9\x6c\xa1" "\x11\xe6\x92\x69\x46\x20\x7c\xab\x56\xa0\x31\x62\xa4\x9e\x68\x96\x8e" "\x39\x8f\x70\x69\x01\x88\xee\x3c\xa8\x47\xef\x42\x17\x42\xd6\x0b\x9a" "\x6a\xd0\x29\xe8\xa3\xd6\x07\x95\x0b\x2b\xf8\xad\x8f\xf2\x97\xcb\x39" "\xac\xc9\x49\x05\x63\x57\x70\x43\x6e\x13\x44\x35\xe2\x82\x05\x14\x03" "\x31\xb5\x10\x0d\x9f\x64\x46\x97\x92\xff\xfa\xc8\x7b\xca\x08\x35\xcb" "\xc6\x17\x44\x6f\xf8\x6a\x7b\x50\x41\x8c\x30\x5f\x32\xe6\x58\xb3\x21" "\x30\xe4\x91\xe3\x87\x09\xfd\x36\x97\x01\x7a\xc8\x08\x4c\xdf\x1e\xd8" "\x1a\x28\x37\x5a\xed\x09\x2a\xb4\xe3\x2c\xa8\x8a\x93\x31\x54\xdd\x3a" "\x9e\x99\x35\x1a\xcb\xad\xa9\x26\xb6\x7b\x31\x0c\x70\x70\xac\x1a\x41" "\x4a\x28\xc5\xab\xfe\x1f\x45\x47\x62\x49\xa1\x2f\x18\xca\x2d\x98\x15" "\x28\xd8\x81\xed\x3c\x50\x72\xe4\x6a\x6e\xff\x3c\xdf\x37\xdc\xbc\x89" "\xc7\xf7\x9c\x88\xa1\xf8\xd1\x5d\x15\xbe\xb6\x6a\x0e\x44\x40\xc7\xb9" "\x3e\x37\x9c\x4e\x2b\xac\x1d\x5c\x8e\x85\xf1\x85\x28\x87\xe2\xcf\xeb" "\x17\x8f\xba\x1c\x67\xdc\x2a\xdb\x0c\x87\xdf\x8c\xa4\x44\x4c\xa7\xf4" "\x55\x50\x9f\x49\x2e\xff\xb5\x00\x13\x28\xb8\xcc\x69\x6e\x29\x33\x20" "\x7a\x2d\x78\xbb\xce\x85\x62\xca\x34\xa2\x48\x19\x3c\x91\x44\x06\xb1" "\x61\xc8\x14\x14\x79\xd8\x91\xb0\xc6\x11\x0e\xc1\xe2\x5c\xad\x38\x29" "\x9b\x48\x9f\x2e\xc4\x37\x01\x7c\xad\xba\x67\xdc\xb5\x8a\xbd\x49\x33" "\xc9\x5b\x35\x26\xf1\xd4\x74\x7b\x87\x01\xa7\xd7\x1e\x44\x6e\x4b\x62" "\xe2\x94\x1d\x42\x81\xfa\xca\x0c\xf2\x29\x14\xbe\x5a\xad\x80\xf4\x71" "\x00\x00\x00\x00\xce\xb2\x4e\x82\x50\x8f\xe5\x5a\x92\xfb\x6d\xb7\x0d" "\x03\xd1\xc1\xec\x09\xcf\xee\x31\x63\x93\x41\x75\x6a\x46\x30\xa0\xea" "\xae\xca\xc7\xbf\xbd\xdf\x9d\x30\xc4\x2c\xbd\x45\xeb\x18\x1d\x5b\xd3" "\x41\x30\x7a\xd2\x6f\x49\x6b\xb0\x42\xe2\xb6\x55\xc0\x3a\xc3\xdc\xc5" "\x87\xac\xbf\x50\xf7\x9b\x5c\x23\x9b\xe9\x93\x8b\x62\xd3\x25\x1b\x19" "\x9f\x84\x13\xb0\x20\x60\x5d\x5d\x05\x52\xcf\xd9\xc3\x9c\x91\x32\x71" "\x9d\x6d\x0a\x32\x6b\x00\x0e\x12\xfc\xb5\x1b\xc2\x74\xdf\x79\xd1\x14" "\x30\x06\x0d\x05\x97\x8c\xdd\x50\x58\x3f\x1b\xca\x82\xc5\x7d\xbe\xe6" "\x05\xe2\xd0\x0f\xcb\x54\x14\xaf\x13\xa5\x96\xd3\x5c\xb5\xba\x62\xde" "\x6a\x28\xcb\xcc\xc8\x57\xd2\x35\x47\xb1\xc7\xfd\x5a\xc8\xfb\xf6\x75" "\x8d\x5b\x84\x51\xfa\x46\xd9\xac\xc0\x03\x44\xdc\x2e\x56\x56\x74\xb1" "\xdd\x35\x47\xeb\x8f\x8a\xa5\xff\xf9\x90\x42\xf8\xd1\xd5\x9e\x6a\xd2" "\xf5\x33\x79\x21\x1e\x68\x32\xfc\xb6\x8f\x57\x77\xeb\x2d\xb8\x5b\x28" "\xf7\x24\xf4\xe4\xce\x63\x42\xcf\x55\x71\x3f\xf7\xb0\xcb\x4f\x7f\x47" "\xdd\x12\xa6\x56\x6b\x86\x70\x9e\xae\xfa\xe0\x24\x37\x32\x67\xce\x72" "\xa8\x9e\x7f\x3e\x42\xab\x48\xed\xcc\xcc\x96\xb5\xd0\x40\x3f\xe9\x3a" "\x92\x7e\x5c\xcf\x47\x00\x14\xf2\x20\xb8\x25\x73\x93\x22\x6c\xd7\xb9" "\x96\xf2\x0e\x6a\x34\xf8\x12\x06\x73\x3a\x9f\xdc\xe0\x3b\x70\x19\x43" "\xc1\xb5\x60\xd3\xea\xb6\x8c\x2c\x22\x5c\xf7\xf7\xf2\xb5\x61\x23\xbe" "\x2b\xb1\x73\xe9\xe5\xb3\x7f\x4d\x33\x48\xf6\xb9\x87\x76\x4a\xd0\x7c" "\x2a\xcd\x44\x51\x4f\xf2\x64\xd7\xed\xa3\x1e\x5e\x51\x7a\x17\x94\x14" "\x84\x1a\xd4\x55\x3d\x51\xc0\x8f\x43\x5e\x05\xf1\x0a\xa8\x2d\x74\xb9" "\x7a\x9b\xa3\xa1\x33\xe6\xc9\x17\x5f\xdc\xd4\xf3\xdc\x9c\x16\xd3\xbe" "\x1d\x5b\xba\xf1\x32\x40\x17\x70\x81\xac\x1d\x56\x68\x1b\xfa\x98\x8a" "\x93\xaf\x09\x86\x8a\xfd\x60\x85\x20\xc0\xbf\xd7\x1d\x85\x7a\x66\x61" "\xfd\xaf\x6f\x2e\x16\x69\x87\xeb\x00\x74\x49\xdd\x26\x33\x4a\xe9\x32" "\xc5\x00\x3f\xef\xc0\xf9\x83\xb9\xe4\x9c\xbf\xce\xa3\x25\xf2\xde\x16" "\xa9\xae\x93\x5c\xaa\x46\xf5\xb3\x43\x39\x57\xfb\x37\x09\x71\xed\x95" "\x7f\x13\x8f\x08\xa6\x0f\xed\x5b\x84\x99\x5e\x42\x8e\x7a\xe7\xd5\xc2" "\x20\x21\xff\x01\x6b\xae\xf0\xe7\x13\xa1\x18\x34\x4c\x01\x6a\x99\xad" "\x46\x93\x13\xba\x7f\x24\x52\xda\x0d\xd8\x2e\x01\x9f\x64\xaa\x22\x9c" "\xf8\x0a\x69\xb3\xe0\x8a\xc5\x84\x7f\x10\xd2\x47\x17\x98\x55\x54\x63" "\x13\x23\x2f\x23\xe0\x55\xc2\xf7\x4e\xce\xf1\x4e\x0f\xdc\xc2\x9a\x9b" "\xf0\x97\x6f\xbb\x24\x9b\xd5\xc7\x90\x31\x83\xd2\xa5\x3c\x70\x96\x0a" "\x18\x36\x30\xe7\xd4\x92\x8d\xaa\x70\x91\xa8\x5a\xd9\x87\xd2\xa4\xa5" "\xb8\xf6\xbe\x66\x12\xfa\x72\xd9\xfb\xb3\x3c\x67\xbb\x38\xef\xf1\x9f" "\x2e\x78\x4f\x94\xe0\x35\x4c\xf6\xd3\x5a\x5b\x2c\x62\x23\x3c\x03\x9d" "\xe3\x73\x4b\x38\xe9\x7e\xc7\x2b\xd6\x73\xfe\xf0\x9f\xd5\x6f\xec\x32" "\x98\x18\xcc\x68\xcd\xf1\x2c\xb5\x2f\x7d\x37\xa8\x35\x0c\x16\xe9\x42" "\x08\x88\x0b\xfc\xd3\xe8\x95\xd7\xaa\x44\x89\xe3\xdd\x15\xdb\x4a\x90" "\x26\xf0\xd2\xa4\x6f\x1e\x89\xc3\x58\x45\xdb\xd9\x76\xa1\x99\x2b\x87" "\xc1\x5a\x0c\x75\x80\xe6\x42\x4b\x87\x92\xa7\xbb\x7b\x93\x3d\x7c\x54" "\x33\xd4\x13\x3b\xa4\xdb\xbc\xf7\x99\x5d\x6e\xd3\xfe\xaa\x32\xf8\x76" "\xa2\x87\xfe\xeb\x9c\xc6\x10\x77\x78\xc1\xf8\x3e\x01\x19\xd9\x80\xb9" "\xe9\x94\xc2\xa3\xae\x3d\xe2\x4a\x10\x3e\xfb\x3c\xac\xb7\x46\xb4\x9d" "\x1a\xd8\x57\x46\xb2\x33\xab\x4a\xaf\x0e\x98\x8e\xc2\xa7\x86\xbc\x93" "\xf3\x20\x40\xd3\xbd\xc3\x00\x80\x31\x63\x4c\xdf\xde\xd5\xac\x95\xb2" "\x27\x9e\x09\x62\x43\x22\x82\x96\x59\x1e\x7b\xa5\x3c\x4a\x12\x77\x72" "\xcc\x46\x20\xe6\xb2\x38\xcc\xad\x25\x06\x29\x19\x45\x33\xd0\xa6\x69" "\xff\x33\x66\xc5\x2d\x64\x92\x86\x93\xe0\xb0\xcb\xb0\xb8\xe2\xc6\x02" "\x90\x89\xd4\xdf\xe2\xb4\xb6\xc5\xdc\xd8\x5f\x1a\x02\x77\x06\x11\xe6" "\x50\x01\xe4\x8a\x32\xa8\xb0\x43\x1a\x3b\x9d\x77\xfa\x3a\x95\xbe\x38" "\xa0\x43\x6a\x70\x4c\x05\xa8\xe0\x18\x3f\x32\x14\xc2\x55\x31\xa6\x37" "\x96\xf6\x79\xbf\x72\x88\x5a\xa7\x66\x46\x8d\x42\xb2\x54\x35\x42\xd7" "\xe8\x25\x44\xef\xc5\xc5\xe8\x1e\x6a\x91\xa0\xf5\xd4\xe6\x80\x00\xcf" "\xf6\x87\xd6\x3e\x45\xc9\xa1\x1d\x4e\xf5\x15\x05\x0d\xaa\x59\x2c\x9a" "\x82\x8a\xc7\xc0\x48\x8e\x7c\xdb\x3d\x6f\xda\xef\x5e\x91\x76\xee\x68" "\xd9\x81\xea\x50\xd3\x86\xd7\x4d\xf3\xb4\x06\x60\x35\x17\x36\xde\xb0" "\x3b\xfc\xeb\x72\x18\x78\xcf\x98\x94\xb0\x30\x2d\xf1\x59\x64\x24\x2a" "\xb6\xb9\xf7\x7f\x98\xba\x1c\x79\x93\x73\x59\x83\xd2\xb0\x22\x60\x0a" "\xb7\x4a\x19\xe3\x63\x6e\x14\x00\xd0\x8b\xa4\x5d\x3a\x5c\x27\x74\xcb" "\x06\xa1\xc3\x58\xbb\xfc\x11\xd2\x7e\xfa\xf7\xca\x53\xc2\xe7\x75\x7c" "\x8c\x76\xda\x24\x70\x7d\x91\xa4\xa5\x24\x42\x62\x89\x8d\x68\x08\x3f" "\xf9\x1c\x51\x4d\x9b\x9b\x1e\xba\xa0\xcb\x0b\x10\x25\x4f\xda\x1b\x1e" "\x82\xb9\xa1\xa4\x7f\x11\x7b\x5b\x28\x0d\xdb\xec\x1f\x67\x32\xd1\x11" "\x17\xef\x1a\x7a\x67\x46\x99\xdf\x87\xfe\x79\x5d\x12\x43\xcb\x9c\x45" "\x27\xe3\x64\xe2\xb7\x11\xb6\x56\x2a\x87\xfa\xfc\x13\x0c\xe0\xba\xf1" "\x70\x16\x86\x63\x9b\x05\xf0\xc8\xdc\x70\x8f\x00\x8b\x1e\x6a\xb8\x9e" "\x8d\x62\x3b\xb8\x3f\x3d\x54\xb7\xbc\xdb\xda\xcd\x05\x5a\xc4\xec\xcb" "\xd3\x6b\xbe\x0a\xf0\xf6\x5a\x00\xe3\xd6\xdd\x98\x5a\xe8\x85\x1d\x17" "\x69\x76\xcf\xb5\x81\x6d\x1f\xc2\xa6\x3d\x35\x46\xae\xca\xa4\xe7\x12" "\xca\x69\x61\xd1\xf1\x81\x31\x5d\x55\x3d\xe6\xb5\x34\x85\xfa\xed\x0d" "\xcf\xcf\x81\x9a\x1b\xa3\xba\xdf\xfe\x79\x73\x77\xd3\xd1\xdd\xae\xd8" "\xe7\xa0\xac\xc0\xc3\xd2\x77\x76\x22\x62\xa1\x39\xf9\x4d\xe4\x9f\xac" "\xa1\x67\xb1\x1b\xf0\x4f\x21\x04\xa5\xab\x9a\x73\x36\x7a\x64\x61\xf7" "\x12\x4c\x91\xa2\xc4\x22\x9e\xf9\x8e\x6e\xbd\xe9\xaa\xc2\x83\xc7\xd0" "\x29\x40\x0d\x71\x29\x3f\x48\x8b\xa1\x69\xb6\x2c\x1e\x94\x68\x9c\xf5" "\xb2\x48\xed\x4a\xea\x62\xb8\x8d\x65\xbb\x76\x4c\xfe\x27\xd5\x23\x1a" "\x58\x48\x6e\x73\x81\xdf\x51\x8f\x4e\xd8\x1c\xb9\x05\x10\x8c\x54\xa5" "\x05\x0a\x94\xca\x0e\x94\xda\x20\xd3\x79\x4b\xc5\xfa\xb9\x12\x7d\xc9" "\x5b\x64\x04\xb1\xe2\x7b\x4e\x28\x13\x6f\xc2\x78\x06\xf7\xbe\x79\x84" "\x44\xc3\x3a\xca\x88\xff\xd4\x5b\x86\x0e\xba\x0d\x50\x33\x83\x9f\x5a" "\x09\x28\x63\x95\x46\x04\xf1\x95\x2b\xd6\x1d\xad\x23\xb1\x16\x43\xfe" "\x14\xf3\xad\xe0\x81\x16\xaa\x2c\x13\xee\xe7\x01\xcc\xd1\x3e\x50\x6b" "\xd6\x5a\x10\x60\xbf\x69\x57\x9a\xea\x8c\x81\x43\xcd\x38\xc0\x89\x1a" "\x30\x65\xf2\x51\xeb\xa0\xc2\x0a\xb9\xc6\x9d\xdf\x28\xe3\xbd\x64\x00" "\xcc\x20\x3b\xac\x8d\xe1\x88\x22\x39\xad\x4e\x1b\x97\xb0\xae\x2f\x1a" "\xbb\x7b\xac\x7c\x0d\x8e\xf8\x2b\x97\xeb\xfb\x1f\x55\x77\xf0\x6a\x3a" "\x13\x77\xb0\x9a\xda\x4d\xb8\x7d\x34\x2f\x20\xab\x0e\xca\x4b\x9c\x20" "\x60\x42\x47\x13\x07\x51\x14\x29\xcb\x57\xa5\x78\x21\x1f\x92\xd3\x64" "\x71\x89\x86\x1c\xad\x91\x45\xf5\xeb\x26\xab\x69\x6a\xbe\x50\xa2\xa6" "\xc1\xb4\x69\xdf\x97\xda\x28\xab\xa4\xe7\x9b\x58\x6c\x34\x8a\x43\x0f" "\x5e\xa6\x1c\x4b\xe1\x03\x2f\xa6\x1d\x18\x58\x1f\x05\xa0\x7f\xb8\x70" "\x7c\x89\x96\xe0\xff\xf1\xc3\xed\xa5\x9b\x99\x26\x87\xfa\x12\x48\x3b" "\x93\x27\xe1\x02\x24\xb2\x0d\x42\xe8\xb3\xfc\x46\x70\xbf\x07\x0c\xed" "\x60\x22\x83\x27\x3d\x68\x18\xac\xd1\xf6\xda\x56\x7c\x44\xd3\xf5\xe1" "\x37\x70\x65\xd4\x3d\x87\xd8\x89\x84\x3a\xe4\x8e\x7f\xa8\xba\x16\x34" "\x81\x56\x95\xb8\xc4\x80\xca\x27\x1e\x6e\x83\x37\x99\xc7\x0d\xa8\x0f" "\xd7\x9a\xcc\x09\xb9\x89\x66\x7a\x22\x94\xde\x5d\xa7\x3f\x03\x63\xdf" "\x9a\x33\xad\x4d\xab\x8d\x27\xcf\x7b\xed\x0a\x06\x83\x86\x72\xe3\xd0" "\x7d\x52\xb6\x39\x6e\x9b\x55\x76\x02\x1d\x5e\x92\x5a\xbd\x53\x3b\xf1" "\x61\xc9\x44\x79\x50\x65\xfd\xd4\x4e\x84\x62\xe3\x07\x0c\x47\x9f\x1c" "\x11\x82\x76\x65\x34\x88\xdd\x9b\x2f\x1a\x67\x3f\x8c\xad\x36\x12\xca" "\x1f\xab\x43\x88\xec\x9c\x8f\x83\x4a\x01\xa4\x99\xad\xb7\xb3\xa9\xa9" "\x77\x67\x2f\x6d\x75\xb4\x1b\xbd\xd7\xf9\x1c\xeb\x7e\x7a\x88\x56\x8d" "\x17\xbb\x43\x2b\xe9\xe4\xe9\x6e\x11\x50\x75\xbc\xe1\x97\xef\x47\x54" "\xd2\x91\x4c\x2c\x59\xe2\xd7\xf4\xc0\x8f\x0d\xbe\x34\xd3\x1f\x22\x94" "\x28\xf2\x11\xbf\x1d\x7e\x8f\x5c\x31\x9e\xd4\xa8\x27\x3c\xb6\x25\x5e" "\xb3\x18\x85\x1a\xc4\x55\x7b\x02\x78\xfa\xc6\x31\x07\xa5\x4d\x40\x7c" "\x42\xf3\x00\xb8\x43\xa1\x2a\xbd\x3b\x89\x3b\x46\xc7\xef\xac\x2e\x38" "\x8a\xb4\x2b\x87\xae\xbe\x25\x43\xbd\x4c\x15\xf4\x59\xbc\x50\xaa\xd1" "\x0f\xfe\x1c\x11\x96\xfb\x52\xc2\x6e\x54\xbd\xaa\x7f\xbd\x52\x45\x1f" "\x20\x7f\xfb\x07\x3e\xf4\xb3\xf7\x1e\xed\xd7\xda\x40\xc8\x95\x05\x01" "\x97\x39\xe3\xfa\x73\x3b\xcd\xc8\x4f\xf4\x91\x9e\x8f\xe2\x35\x81\x29" "\xef\x28\x29\x1b\xe1\xd6\x42\x6b\x8b\xaf\xe8\x84\x63\xb1\xd3\xcd\x72" "\x73\x74\x53\x81\xc7\xf6\x52\x21\x89\x8e\x6a\xd3\x61\xe8\x8b\x24\xc5" "\x4c\xcc\x7a\xc9\xa8\x30\x14\x5b\x6d\xc0\x96\xe2\xd7\x1e\xf7\x1e\xc4" "\xf0\x35\x24\xcb\x87\x0b\x72\x4e\x08\xd2\x23\xbd\xec\x2f\x6f\xdd\xe6" "\x20\x02\x17\xa1\x3b\x51\x36\x00\x4d\x45\x5d\x66\x54\x7f\x5a\x17\x93" "\xe0\xca\xd8\x56\x77\xd4\x9e\x5c\x55\x88\x52\x10\x70\x07\xc8\x13\x68" "\x12\xcf\x02\x1a\xfa\xf6\xf7\xe8\xf5\x98\x83\x37\x1b\xe4\x6c\xda\x41" "\x2d\xd9\xc6\xfc\xf1\x87\xc3\x12\x52\xce\xb5\x75\x89\x01\xd3\x9c\xd5" "\x35\x5a\xb3\x86\xd9\xa7\xfe\x6e\xa4\x6e\xbf\x27\x7a\xaf\x80\x9c\x30" "\x23\x21\x1e\xa9\xaa\x18\x9d\xe4\xd4\x22\x08\x0e\xbb\x9f\xec\x50\xff" "\xab\x6b\x95\xba\x4a\xe5\x01\x8a\xcc\xc4\x97\xe7\x91\x49\xed\x60\x47" "\xce\x56\x1c\xcc\x10\xe9\x19\x4c\xdc\xcd\x5c\x9f\xb7\x51\x75\xc8\xdb" "\xc9\xd0\xa9\x16\xad\x59\x28\x8f\x01\x0d\xef\xbb\xb5\x0d\x26\x30\x41" "\xab\x37\xaa\xc0\xf9\x32\x53\xbe\xf6\xf8\x98\xcd\x08\x25\xd9\x9d\x27" "\x22\x4f\x26\x18\x1f\x97\x13\xb8\x97\x9d\xa6\x47\x56\xc9\x5e\x75\x05" "\xf2\x5a\x26\x88\x96\x0d\x61\x55\xc3\x61\x3d\xcc\x31\xb6\xc3\x37\xa6" "\xdb\xfc\x6b\x12\xcf\xde\x1d\xb2\x2b\x93\xbb\xd5\xe4\x85\x34\xfb\x0b" "\xda\x8b\x21\x25\x77\xa1\x4d\xcf\x66\x5c\x83\x4b\x0b\xd2\x4e\x5f\x62" "\x4d\x24\x55\xfe\x04\x8d\xbe\x93\x03\x28\xd7\xcb\x63\x2d\xb3\xb0\xe2" "\x44\xbb\x5d\x43\x39\x0b\x42\x0b\x15\x15\x7a\x33\x94\x87\xfc\x78\x97" "\x6f\x86\x7d\x3a\x36\x1a\xaf\xdd\x3f\x50\xa9\x3c\x01\x88\x2d\xa7\xc2" "\x20\x08\x9a\x54\x43\x81\xdb\x22\xe2\xc8\x6b\x22\x8d\xc2\xbe\x01\x82" "\x04\x68\x46\x04\x37\x58\x89\x52\xa5\x49\xd3\x74\x98\xe5\x29\xe6\x2a" "\xa6\x2b\xad\x15\x80\x54\x6b\xcb\x1e\x9a\x6e\xd1\x87\x0b\x78\x38\xd0" "\x5d\x12\xf6\xe3\xa0\x41\xe7\x8b\x1b\xdb\x80\x89\x46\x26\xf2\x08\x89" "\xcc\xb3\xa4\x68\xaa\x4f\xb2\x4b\x9c\x87\xcb\xb2\x86\x23\xce\x59\xc6" "\xb3\xc6\x28\x6d\xb3\x66\xd0\x80\x04\x55\x1a\x25\xfe\x4d\x8d\x19\x4a" "\x2b\xb7\xc5\x2e\x1c\x85\xa5\xfb\xe4\xcb\x15\xb1\x71\x48\x9d\xa1\x21" "\xbe\xa1\xc4\x69\xa6\xbb\x18\x5d\x63\x21\x30\x84\xe3\xa8\x1e\xe5\x4d" "\xc0\x3a\x94\xdc\x5e\xcd\xda\x7b\xfa\xad\x1d\xf6\x80\x21\xaa\xf4\x62" "\x7c\x9d\x52\x9f\x13\xe5\xc8\x1b\x5e\xe4\xdd\x22\x89\x49\xca\x16\xb9" "\xa6\x1d\x18\x62\x11\xd1\x53\x29\x44\x70\x90\x75\x57\xe5\xe1\x4a\xe6" "\x65\x01\x3f\x28\x5f\xe4\xd3\x76\x6e\x7b\x3d\x8c\xe5\xe2\xa1\x46\x92" "\x07\x2d\x4d\x8f\x79\x35\x4b\xcc\x8d\xb8\xa2\xa3\x6c\x8b\xcd", 8192)); NONFAILING(*(uint64_t*)0x200069c0 = 0); NONFAILING(*(uint64_t*)0x200069c8 = 0); NONFAILING(*(uint64_t*)0x200069d0 = 0); NONFAILING(*(uint64_t*)0x200069d8 = 0); NONFAILING(*(uint64_t*)0x200069e0 = 0); NONFAILING(*(uint64_t*)0x200069e8 = 0); NONFAILING(*(uint64_t*)0x200069f0 = 0); NONFAILING(*(uint64_t*)0x200069f8 = 0); NONFAILING(*(uint64_t*)0x20006a00 = 0); NONFAILING(*(uint64_t*)0x20006a08 = 0); NONFAILING(*(uint64_t*)0x20006a10 = 0); NONFAILING(*(uint64_t*)0x20006a18 = 0x200066c0); NONFAILING(*(uint32_t*)0x200066c0 = 0x90); NONFAILING(*(uint32_t*)0x200066c4 = 0); NONFAILING(*(uint64_t*)0x200066c8 = 0); NONFAILING(*(uint64_t*)0x200066d0 = 7); NONFAILING(*(uint64_t*)0x200066d8 = 0); NONFAILING(*(uint64_t*)0x200066e0 = 0); NONFAILING(*(uint64_t*)0x200066e8 = 0); NONFAILING(*(uint32_t*)0x200066f0 = 0); NONFAILING(*(uint32_t*)0x200066f4 = 0); NONFAILING(*(uint64_t*)0x200066f8 = 0); NONFAILING(*(uint64_t*)0x20006700 = 0); NONFAILING(*(uint64_t*)0x20006708 = 0); NONFAILING(*(uint64_t*)0x20006710 = 0); NONFAILING(*(uint64_t*)0x20006718 = 0); NONFAILING(*(uint64_t*)0x20006720 = 0); NONFAILING(*(uint32_t*)0x20006728 = 0); NONFAILING(*(uint32_t*)0x2000672c = 0); NONFAILING(*(uint32_t*)0x20006730 = 0); NONFAILING(*(uint32_t*)0x20006734 = 0x6000); NONFAILING(*(uint32_t*)0x20006738 = 0); NONFAILING(*(uint32_t*)0x2000673c = 0); NONFAILING(*(uint32_t*)0x20006740 = 0); NONFAILING(*(uint32_t*)0x20006744 = 0x800); NONFAILING(*(uint32_t*)0x20006748 = 0); NONFAILING(*(uint32_t*)0x2000674c = 0); NONFAILING(*(uint64_t*)0x20006a20 = 0); NONFAILING(*(uint64_t*)0x20006a28 = 0); NONFAILING(*(uint64_t*)0x20006a30 = 0); NONFAILING(*(uint64_t*)0x20006a38 = 0); NONFAILING(syz_fuse_handle_req(r[0], 0x20000000, 0x2000, 0x200069c0)); break; case 6: NONFAILING(memcpy((void*)0x20002040, "./file0/file0\000", 14)); res = syscall(__NR_openat, 0xffffff9c, 0x20002040ul, 0ul, 0ul); if (res != -1) r[2] = res; break; case 7: NONFAILING(*(uint32_t*)0x20002300 = 0x53); NONFAILING(*(uint32_t*)0x20002304 = 0xfffffffd); NONFAILING(*(uint8_t*)0x20002308 = 0); NONFAILING(*(uint8_t*)0x20002309 = 0); NONFAILING(*(uint16_t*)0x2000230a = 0); NONFAILING(*(uint32_t*)0x2000230c = 0); NONFAILING(*(uint64_t*)0x20002310 = 0); NONFAILING(*(uint64_t*)0x20002318 = 0); NONFAILING(*(uint64_t*)0x20002320 = 0); NONFAILING(*(uint32_t*)0x20002328 = 0); NONFAILING(*(uint32_t*)0x2000232c = 0); NONFAILING(*(uint32_t*)0x20002330 = 0); NONFAILING(*(uint64_t*)0x20002334 = 0); NONFAILING(*(uint8_t*)0x2000233c = 0); NONFAILING(*(uint8_t*)0x2000233d = 0); NONFAILING(*(uint8_t*)0x2000233e = 0); NONFAILING(*(uint8_t*)0x2000233f = 0); NONFAILING(*(uint16_t*)0x20002340 = 0); NONFAILING(*(uint16_t*)0x20002342 = 0); NONFAILING(*(uint32_t*)0x20002344 = 0); NONFAILING(*(uint32_t*)0x20002348 = 0); NONFAILING(*(uint32_t*)0x2000234c = 0); syscall(__NR_ioctl, r[2], 0x125d, 0x20002300ul); break; case 8: NONFAILING(memcpy((void*)0x20000080, "memory.events\000", 14)); syscall(__NR_openat, 0xffffff9c, 0x20000080ul, 0x26e1ul, 0ul); break; case 9: res = syscall(__NR_openat, 0xffffff9c, 0ul, 0x7a05ul, 0x1700ul); if (res != -1) r[3] = res; break; case 10: syscall(__NR_syncfs, r[3]); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); setup_sysctl(); install_segv_handler(); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; }