// https://syzkaller.appspot.com/bug?id=012edf00e41142489846a98eafd64783ab8ed000 // autogenerated by syzkaller (http://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include __attribute__((noreturn)) static void doexit(int status) { volatile unsigned i; syscall(__NR_exit_group, status); for (i = 0;; i++) { } } #include #include #include #include #include #include #include const int kFailStatus = 67; const int kRetryStatus = 69; static void fail(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus); } static void exitf(const char* msg, ...) { int e = errno; va_list args; va_start(args, msg); vfprintf(stderr, msg, args); va_end(args); fprintf(stderr, " (errno %d)\n", e); doexit(kRetryStatus); } static uint64_t current_time_ms() { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) fail("clock_gettime failed"); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir() { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) fail("failed to mkdtemp"); if (chmod(tmpdir, 0777)) fail("failed to chmod"); if (chdir(tmpdir)) fail("failed to chdir"); } const int kInitNetNsFd = 253; static uintptr_t syz_init_net_socket(uintptr_t domain, uintptr_t type, uintptr_t proto) { int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) return netns; if (setns(kInitNetNsFd, 0)) return -1; int sock = syscall(__NR_socket, domain, type, proto); int err = errno; if (setns(netns, 0)) fail("setns(netns) failed"); close(netns); errno = err; return sock; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static void setup_cgroups() { if (mkdir("/syzcgroup", 0777)) { } if (mkdir("/syzcgroup/unified", 0777)) { } if (mount("none", "/syzcgroup/unified", "cgroup2", 0, NULL)) { } if (chmod("/syzcgroup/unified", 0777)) { } if (!write_file("/syzcgroup/unified/cgroup.subtree_control", "+cpu +memory +io +pids +rdma")) { } if (mkdir("/syzcgroup/cpu", 0777)) { } if (mount("none", "/syzcgroup/cpu", "cgroup", 0, "cpuset,cpuacct,perf_event,hugetlb")) { } if (!write_file("/syzcgroup/cpu/cgroup.clone_children", "1")) { } if (chmod("/syzcgroup/cpu", 0777)) { } if (mkdir("/syzcgroup/net", 0777)) { } if (mount("none", "/syzcgroup/net", "cgroup", 0, "net_cls,net_prio,devices,freezer")) { } if (chmod("/syzcgroup/net", 0777)) { } } static void setup_binfmt_misc() { if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:syz0::./file0:")) { } if (!write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:yz1::./file0:POC")) { } } static void loop(); static void sandbox_common() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); setsid(); int netns = open("/proc/self/ns/net", O_RDONLY); if (netns == -1) fail("open(/proc/self/ns/net) failed"); if (dup2(netns, kInitNetNsFd) < 0) fail("dup2(netns, kInitNetNsFd) failed"); close(netns); struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 160 << 20; setrlimit(RLIMIT_AS, &rlim); rlim.rlim_cur = rlim.rlim_max = 8 << 20; setrlimit(RLIMIT_MEMLOCK, &rlim); rlim.rlim_cur = rlim.rlim_max = 136 << 20; setrlimit(RLIMIT_FSIZE, &rlim); rlim.rlim_cur = rlim.rlim_max = 1 << 20; setrlimit(RLIMIT_STACK, &rlim); rlim.rlim_cur = rlim.rlim_max = 0; setrlimit(RLIMIT_CORE, &rlim); if (unshare(CLONE_NEWNS)) { } if (unshare(CLONE_NEWIPC)) { } if (unshare(0x02000000)) { } if (unshare(CLONE_NEWUTS)) { } if (unshare(CLONE_SYSVSEM)) { } } int wait_for_loop(int pid) { if (pid < 0) fail("sandbox fork failed"); int status = 0; while (waitpid(-1, &status, __WALL) != pid) { } return WEXITSTATUS(status); } static int do_sandbox_none(void) { if (unshare(CLONE_NEWPID)) { } int pid = fork(); if (pid != 0) return wait_for_loop(pid); setup_cgroups(); setup_binfmt_misc(); sandbox_common(); if (unshare(CLONE_NEWNET)) { } loop(); doexit(1); } static void remove_dir(const char* dir) { DIR* dp; struct dirent* ep; int iter = 0; retry: while (umount2(dir, MNT_DETACH) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exitf("opendir(%s) failed due to NOFILE, exiting", dir); } exitf("opendir(%s) failed", dir); } while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); struct stat st; if (lstat(filename, &st)) exitf("lstat(%s) failed", filename); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exitf("unlink(%s) failed", filename); if (umount2(filename, MNT_DETACH)) exitf("umount(%s) failed", filename); } } closedir(dp); int i; for (i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, MNT_DETACH)) exitf("umount(%s) failed", dir); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exitf("rmdir(%s) failed", dir); } } static void execute_one(); extern unsigned long long procid; static void loop() { char cgroupdir[64]; snprintf(cgroupdir, sizeof(cgroupdir), "/syzcgroup/unified/syz%llu", procid); char cgroupdir_cpu[64]; snprintf(cgroupdir_cpu, sizeof(cgroupdir_cpu), "/syzcgroup/cpu/syz%llu", procid); char cgroupdir_net[64]; snprintf(cgroupdir_net, sizeof(cgroupdir_net), "/syzcgroup/net/syz%llu", procid); if (mkdir(cgroupdir, 0777)) { } if (mkdir(cgroupdir_cpu, 0777)) { } if (mkdir(cgroupdir_net, 0777)) { } int pid = getpid(); char procs_file[128]; snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir); if (!write_file(procs_file, "%d", pid)) { } snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_cpu); if (!write_file(procs_file, "%d", pid)) { } snprintf(procs_file, sizeof(procs_file), "%s/cgroup.procs", cgroupdir_net); if (!write_file(procs_file, "%d", pid)) { } int iter; for (iter = 0;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) fail("failed to mkdir"); int pid = fork(); if (pid < 0) fail("clone failed"); if (pid == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); if (chdir(cwdbuf)) fail("failed to chdir"); if (symlink(cgroupdir, "./cgroup")) { } if (symlink(cgroupdir_cpu, "./cgroup.cpu")) { } if (symlink(cgroupdir_net, "./cgroup.net")) { } execute_one(); doexit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { int res = waitpid(-1, &status, __WALL | WNOHANG); if (res == pid) { break; } usleep(1000); if (current_time_ms() - start < 3 * 1000) continue; kill(-pid, SIGKILL); kill(pid, SIGKILL); while (waitpid(-1, &status, __WALL) != pid) { } break; } remove_dir(cwdbuf); } } #ifndef __NR_renameat2 #define __NR_renameat2 316 #endif uint64_t r[13] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; unsigned long long procid; void execute_one() { long res = 0; res = syscall(__NR_pipe, 0x20000000); if (res != -1) r[0] = *(uint32_t*)0x20000000; syscall(__NR_ioctl, r[0], 0x4b30, 5); memcpy((void*)0x20000500, "/dev/nullb0", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000500, 0, 0); if (res != -1) r[1] = res; syscall(__NR_pread64, r[1], 0x20000540, 0xfffffed4, 0); syscall(__NR_mmap, 0x20660000, 0x1000, 0x200000a, 0x13, r[1], 0); memcpy((void*)0x20000500, "/dev/nullb0", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000500, 0, 0); if (res != -1) r[2] = res; *(uint64_t*)0x20000000 = 0; *(uint64_t*)0x20000008 = 0; syscall(__NR_ioctl, r[2], 0x1264, 0x20000000); memcpy((void*)0x20001240, ".", 2); memcpy((void*)0x20001280, "./file0", 8); syscall(__NR_renameat2, -1, 0x20001240, -1, 0x20001280, 6); *(uint32_t*)0x20000000 = 0; res = syscall(__NR_accept4, 0xffffff9c, 0, 0x20000000, 0x80800); if (res != -1) r[3] = res; *(uint64_t*)0x20000900 = 0x20004480; *(uint16_t*)0x20004480 = r[3]; *(uint64_t*)0x20004482 = 0; *(uint64_t*)0x2000448a = 0x20000940; memcpy((void*)0x20000940, "\x0c\x2e\x4f\x5a\x5b\x65\x3f\x35\xde\x0d\xd6\xcc\xeb\x8b\x40\x8b\x9d" "\x7a\xa2\xb3\x30\x66\x63\xef\x65\xdb\xc4\x63\xf1\xb6\xe3\x26\xff\xc4" "\xee\x02\x60\xd6\x6c\x6f\x6f\xa4\x0e\x85\x0d\x5f\x68\xeb\x90\xe9\xe4" "\x09\x48\x29\xe6\x74\x7c\xe0\x96\x00\x47\x32\x14\x76\xaf\x99\x8a\x1f" "\x33\x5b\xd0\xd1\xb1\x42\xb2\x09\xa5\x5e\x19\x09\x31\xb1\x03\x81\xb1" "\x03\x60\x58\x3d\x8f\xeb\xb1\x6b\x79\xd1\x80\xc6\x7c\x36\xfb\x09\x52" "\xed\x68\x79\x0c\x8a\xcc\xfe\x4e\x4c\x4a\xa3\x13\x76\x3b\x70\xee\x51" "\x13\x33\x92\x25\x03\x6c\x57\x3a\x60\x80\xd4\x42\x4a\x72\xc0\xfe\x5e" "\xe6\x3b\xda\x84\x2c\x1c\x10\x65\x27\x9a\xb7\xc2\x09\x85\xb4\x51\x40" "\xa2\x3b\x5b\x34\x00\xb0\x73\xad\x1c\x15\x31\xa0\x2f\x54\x02\xdf\x8d" "\x63\x2c\xdd\x94\xb7\xed\xff\xac\x09\x3d\xcc\x59\x78\xfd\x83\x55\xfd" "\x22\x79\x61\xe0\x07\xa5", 193); *(uint16_t*)0x20000a01 = r[3]; *(uint32_t*)0x20000a03 = r[3]; memcpy((void*)0x20000a07, "\xc1\xf9\xcc\x27\x62\x31\xeb\x48\x03\xb7\x3b\x1d" "\x58\xed\xc0\xa8\x89\x28\x50\x12\x6d\x48\xb4\x74" "\xe8\x76\x99\x3f\x26\x7e\xac\x44\xd0\x59\x05\xae" "\xbe\x5b\x2b\x51\xa5\xe5\x5f\x8d\xd3\x20\x7e\xf7" "\xac\x59\xac\x45\xaa", 53); *(uint64_t*)0x20000a3c = 0; *(uint64_t*)0x20004492 = r[3]; *(uint32_t*)0x2000449a = 0; *(uint64_t*)0x2000449e = 0x20000a80; memcpy((void*)0x20000a80, "\xf9\x10\x46\x9a\x88\x33\x58\x7e\x39\xd4\xf0\xd0\xb2\x15\x41\xd2\x95" "\xe3\xe2\x7a\xd7\x3f\x19\x23\x5a\x8d\x58\x64\x99\xe9\x5b\xd9\x51\x01" "\x24\xa2\x58\xc0\x4c\xa9\xf2\xa2\x7b\x80\xd5\xcd\xda\x96\x60\x15\x8a" "\xea\x1e\x21\xe1\xe0\xf6\x1b\x69\xa4\xb1\xe8\x84\xce\xe4\x8d\x89\xf6" "\x0b\x7c\xc5\xc4\x69\x1e\x36\xc1\x0b\x30\xf5\xed\x77\x49\x3e\x1f\x29" "\x05\x85\x2f\xd9\xa1\xd4\xaf\xfc\xe0\x7e\x71\x1c\xbe\x68\xc7\xa7\x40" "\x28\x7b\x05\xb2\xde\x1e\x5f\x08\xe7\x1c\x16\xb2\x3d\xee\xef\xee\x77" "\x69\x58\x91\x2e\xaf\x20\x3c\x5c\x5a\x10\x6d\xc3\x7e\xed\xa1\x03\x5a" "\x91\xc7\x42\xa0\xeb\xa5\x88\xed\xed\x41\xe3\x99\xa1\x7f\x67\xb9\x1b" "\xbf\x48\x9b\x6f\xe9\xd7\x1a\x41\x0b\xc4\x4a", 164); *(uint64_t*)0x20000b24 = -1; *(uint64_t*)0x20000b2c = 0; *(uint64_t*)0x200044a6 = 0x20000b40; *(uint64_t*)0x20000b40 = 0; *(uint16_t*)0x20000b48 = r[3]; *(uint64_t*)0x20000b4a = r[3]; *(uint64_t*)0x20000b52 = 0; *(uint32_t*)0x20000b5a = r[3]; *(uint64_t*)0x20000b5e = 0; *(uint64_t*)0x20000b66 = r[3]; memcpy((void*)0x20000b6e, "\xe8\x3a\x59\xae\xa4\xf7\xdd\x13\x90\x61\x1f\x8c\xcf\x29\xbf\xec\x92" "\x7c\xd9\x43\xb9\x42\xd0\x85\x46\x65\x61\xa2\x42\x06\x1e\x4d\xca\x43" "\xf6\x6c\xd8\x94\x7a\xc0\x32\xb2\x72\x89\x8f\xe5\x47\xc3\x9a\x83\xd7" "\xa2\x1e\xbc\x63\x4e\x7d\x2c\xb5\x06\xe4\x36\xed\x15\xd8\x41\xa6\xce" "\x69\x5e\x2c\x53\x7f\x00\x1e\xa9\x90\xfc\x34\xe7\xe4\x5b\x4a\xb1\xa4" "\xd2\x40\xea\x21\x4d\x4b\xbb\x92\x68\x1a\xfd\x6e\x86\x8c\xf4\xeb\x0a" "\x9e\x05\xc5\x66\xe0\x06\x7d\x36\x0a\xc1\xc9\x9e\x13\xb0\x98\x1f\x13" "\x38\xeb\x7d\xc8\xf3\x78\x05\xfa\xbc\x85\x18\xd6\x63\xf4\x49\xee\x92" "\x76\xe1\x35\xb2\x0c\xf3\x9b\x8d\xf6\xda\xbd\x73\xb4\x9d\x44\xd0\xe7" "\xfe\x04\xae\xb9\x9f\xf1\xc3\x95\x9c\x02\xd7\xa4\x49\x06\x70\xb4\x14" "\x40\x6a\x9d\x96\x78\x07\xcd\x9d\xc3\x54\x25\xf8\xf0\xd0\xf8\xce\xfb" "\x8a\x32\x04\x70\x95\xe9\x1a\x80\x13\xc7\x2c\x60\x22\xbc\xe7\xb9\xdb" "\x97\x5b\xab\x10\xd7\xcd\xa8\x79\xdf\x48\xfc\x69\x80\x03\x73\xb9\x0f" "\x97\x57\xd9\x04\x6e\x2c\xff\x08\x24\x58\xb5\x48\xed\x49\x00\x45\x57" "\x1f\xed\x98\xda\x97", 243); *(uint32_t*)0x20000c61 = r[3]; memcpy( (void*)0x200044ae, "\x2d\x4e\x39\xfc\xe5\x06\x4a\x42\x2d\x94\xe8\x63\xb1\xb8\xd4\x7b\xf2\x43" "\x56\x29\x6d\x2a\x1a\x9e\xdd\x5e\x0d\x4d\x05\x13\xd5\x8a\x2d\x46\xef\x00" "\x14\x07\xef\x49\xb8\xf7\x9c\xa7\x02\x78\x0e\x6f\xb5\x74\x0f\x8b\xbb\x93" "\x35\x41\xdc\x36\x93\x56\x40\xbe\x91\x8b\xb8\x21\x47\xea\x11\x98\x68\x7f" "\xe3\x64\x76\x3f\x3b\x5a\xfa\xd7\xd8\xfa\xb0\x62\x74\x6f\x0a\x0d\x32\x79" "\xf0\x47\xab\x2a\xe0\x80\x53\xc2\xa3\xa1\x42\xce\x70\x18\xb3\xc9\xeb\x78" "\xc3\x10\x9c\x37\x8e\x1e\x51\x75\x4a\x94\xd4\xae\x9f\xb0\x4f\x78\x63\x03" "\x9e\xaf\xc1\xba\x57\x7e\x5a\xad\x1a\x89\xea\xbd\xa2\x3a\x9b\x93\x0d\xb8" "\x57\x5e\x54\x8e\x90\xe5\xda\xa6\xf9\xb6\x59\x0f\xb2\x93\x43\x5e\x65\x03" "\x97\x99\x7d\x91\x98\x73\xa0\x82\xdd\xd3\xd3\x05\xdc\x18\xf4\xf2\x25\x03" "\xdd\x10\xed\x9a\x21\x31\xb1\x46\x1d\xb6\x6d\x94\x93\xb2\x86\x5c\xff\x40" "\xae\x0d\xc6\x3e\x5a\xd7\xd7\x0e\x2f\x00\xb6\x18\xa0\xe4\x42\x5f\x84\xd8" "\x92\xe9\x6c\x59\x5b\x0f\x43\xf9\x44\x13\xec\x05\x1f\x2a\xfd\x79\xd0\x03" "\x0a\xa7\x8a\x9c\x54\x26\x8b\x60\xa7\x51\x7b\xf0\x7b\x83\xd5\xe6\x1b\xc7" "\x6d\xf3\x25\x32\xc4\x63\x42\x50\x1b\x69\xc3\x84\x86\x84\xc3\xb0\x08\x51" "\xf1\x6c\xb1\x1f\x48\x93\x76\x12\x35\x4b\xd6\xc6\xd0\x07\xb3\x41\x36\x4f" "\x91\x7a\xac\x1c\x8e\x7a\xd5\x34\x97\xea\x80\xf2\xa1\xec\x75\x29\x71\x2a" "\xe6\x07\xfc\xfd\x7f\x9d\x11\x3a\x14\xf6\xbb\xef\x11\x9b\x07\xf0\x7d\xcb" "\x83\x65\xd6\x91\x0e\x5c\xa4\xa8\xa5\xce\x34\xf3\xc6\x08\xfc\x10\x68\xf9" "\x4c\x00\xe4\xf1\x18\x0c\x9a\x54\x6c\x36\x88\x1a\xc8\x76\x55\x5d\xa9\x64" "\xbc\xd7\x70\xcd\x5b\x3b\x8b\xff\x0c\x22\xec\x62\x8d\xd4\x4b\x49\x5b\x6c" "\x0b\xbc\xfe\x0a\x75\xfe\xd9\xd0\x24\x6f\xc3\x15\xd7\xca\x1b\x78\x45\xc9" "\x39\x95\xb6\x11\x38\x50\x9f\x9e\x41\xf5\x31\xf2\x2c\x09\x79\x06\x89\x19" "\xc0\xc2\xbe\x3c\x95\x41\xa3\x68\x27\x81\x75\x63\x14\x85\x63\x32\x93\x62" "\x08\xf6\x00\xcc\x81\x62\xec\xe3\x25\x44\x54\x1d\xbd\xf5\x52\x28\xd4\x86" "\x5b\x3f\x00\x4c\x96\x7a\x8e\x0c\x3c\x50\x4c\xe3\x1c\x4d\x9b\x11\xe8\x91" "\x1e\xc8\xde\xc2\xbd\x5e\x5e\x6d\x0f\xc2\x8c\xf8\xf4\x2e\x1e\x9b\xa1\xc7" "\x77\x5a\x3b\x86\x33\x5b\xec\xd1\xf1\x79\xac\x50\x07\x87\x92\x16\x04\xba" "\xec\x85\xa0\x4e\x78\x72\x9b\x59\xd4\x45\x00\x98\x15\x10\x8d\x7d\x5b\x79" "\x2f\x22\x38\x21\x08\x65\x9c\x62\xfa\xbb\x57\xe9\x07\x87\xd9\xab\x7d\xb4" "\x81\x01\x20\xed\xf6\xe4\x24\xb8\x28\x60\x2c\xb5\x5e\x9e\xf3\x30\x2a\x70" "\x29\xf0\x2b\x29\xd6\x57\x2c\x66\x47\x7d\xae\x77\x32\x7c\x5b\x22\xef\xe9" "\xe3\x81\xc2\x3e\xe0\x00\x6c\xac\x9d\x19\x5f\x6c\xac\x04\xdd\x5a\x9c\x4c" "\x47\x9c\xb9\x1c\x3f\x6e\xf0\xbb\x6a\x76\xeb\xd1\xf1\x62\x41\xff\x04\xe2" "\x16\xb3\x3b\x79\x94\xcc\x55\xc9\xc4\x6e\xcf\x5e\x79\xde\x43\x35\xa1\x6f" "\xfb\x87\xc3\xc9\x24\x76\xe0\x30\xc6\xb9\x46\xfb\x23\x01\x6a\x7d\x1e\x03" "\x40\xf8\x13\x0d\x34\x0c\x7a\x2b\x72\xe8\x5b\xe0\x03\xf9\x56\xb3\x01\xae" "\xcf\x86\x87\xca\x21\x6e\x32\x80\x3b\xb0\x36\xaa\x74\x14\x56\xa3\x48\xb4" "\x61\x83\xf0\x98\xbc\x6f\x9e\x09\xb1\xae\x75\x59\xfa\x65\xaa\xc0\xb0\x43" "\xb2\xe6\x25\xac\x97\x42\x9a\xf1\x7a\x9f\xac\x10\xbd\x18\x2d\x5a\x2c\xe0" "\x46\x25\xfc\xa6\xd4\xd4\xfa\x36\x2a\xde\x85\x9f\x54\xea\x92\xde\x07\xf3" "\x8f\x43\x3e\x38\x52\xc9\x7f\x60\x98\xf9\x01\x1d\x7a\xe3\x56\x48\xbc\xae" "\x81\x7b\x6e\x70\x11\x94\x96\xe6\xee\x2f\x30\x57\x7d\x44\xea\x85\x19\x2b" "\x8a\xa5\x3c\xc9\x58\x74\x53\x54\x8b\x8f\x4c\xfa\x48\xdd\xa9\x02\xaa\xae" "\xaf\x0d\xc0\x4d\xd8\xa5\xb6\x9b\x18\x22\xbe\xfa\xfc\x06\xf7\xcd\xc5\x33" "\x83\x54\xc2\xb1\x01\xd7\x05\x97\xc9\x66\x17\xad\x38\xbf\x9f\xcb\xf8\x4e" "\x3f\x6e\x69\x6e\x04\x18\x2e\xf5\x81\x29\xdf\x18\x81\xb8\x1f\xbd\x19\xb0" "\x48\x7b\x49\x8a\xd2\x3d\x2f\x5c\x83\x41\x92\xb8\xe1\xcc\x60\xd1\x36\xa2" "\xbe\xdf\x9d\x63\x06\x7c\xa0\xc6\xf3\xb4\x6c\x72\xc8\xdc\x3d\xa3\x81\x8a" "\x92\x7b\xf4\x4b\xfe\x12\x40\x65\xd4\x09\x0b\xfb\xbe\x61\xd8\x25\xfb\xd2" "\xaf\x76\xa4\x93\x71\x43\xbb\xc5\x63\x56\x59\x38\xe4\x2d\x02\x1f\xff\xea" "\x1b\x2f\x3e\x54\xee\xcf\xfd\x46\xa8\x81\x1b\xf0\xb4\xdf\x45\xd9\x8b\x65" "\x10\xa6\x57\x74\x55\xbb\xbd\xe7\x76\x2f\x90\xa3\xaa\x83\xaa\x58\x05\x6e" "\xaf\xe3\x09\xcd\xba\x78\xb3\x85\xe5\xf4\x66\x5b\x13\x32\x31\x6b\x33\x05" "\xfb\x3c\x43\xbf\x09\x11\x0f\x25\x17\xe6\x3a\xd6\x0c\xb8\xcc\xbb\x23\xa3" "\x59\x05\xb1\x6b\x95\xbf\xbb\xab\x9f\x16\xae\x70\xa7\xbe\x35\x0a\xfc\xcb" "\x2f\xa6\x91\xd1\x38\x6f\x2b\x7f\xd3\xf9\x66\x21\x12\xc1\xdf\x39\x1f\xeb" "\x8a\x60\x16\xa8\xfd\xe4\xd3\x26\x1a\xf9\x19\x81\x91\x39\x4d\x7d\x10\x6c" "\xe7\x05\x0f\xaf\xe9\x91\xe6\x16\x69\xa6\x7d\x5f\x16\xa7\x3a\x48\x2a\x40" "\x7c\x39\xbb\xec\x5d\x0c\x30\xf5\xf2\x52\xac\x00\xb4\xdd\xc2\xda\xc8\xb4" "\x2b\x23\xa1\x92\x16\x4e\xa9\xf6\x06\x23\x32\x6a\x2e\x8e\x08\x73\x45\xd3" "\x26\xe4\x20\x31\xe7\x16\xbf\x0c\xa0\xc1\x0c\x86\xe4\xcc\x9e\x21\x07\x98" "\x30\xb4\x09\x1d\xc0\x4a\x23\xe7\x4d\xbc\xda\xdf\xbb\xc1\xdb\x19\xee\x68" "\x37\xd3\x04\xb9\x9a\xf4\x4c\x0e\x04\x79\x71\x70\x68\xed\x73\xe8\xca\x33" "\x87\xa5\x42\xbb\xdb\x21\x01\x5d\xb0\x33\x95\xfe\x79\x34\xeb\xea\x8a\xaf" "\x7c\x27\x39\xf7\xf4\x52\x0b\xa4\xbf\x17\xe8\x53\x3f\x3d\xb9\xa6\x6b\xe3" "\x1f\x6b\x96\xb8\x48\x9d\xc1\x9b\xd3\xdb\xa1\x44\xce\x62\x8d\x6d\xfb\x85" "\x48\x7b\x21\x7a\x1c\x42\x45\x46\x1e\xff\xe7\x7b\x12\xa6\x57\xe6\xfc\x3f" "\x25\x5a\x38\x73\x51\xd9\x2c\x33\x57\xf7\xba\x87\x63\x62\xe2\xd6\xfb\x55" "\xe1\x14\x35\xc2\xf5\x89\xba\x2c\x12\x7a\xa3\x35\xe9\x7b\xce\x20\xc5\x01" "\xc8\x9d\xce\xcc\xee\x0d\x4b\x98\xb9\x12\x5f\xa0\xc4\x7d\xf6\x2e\x89\x57" "\x78\x2f\x4b\x6a\x57\xc8\x7c\xac\x83\x81\x22\x1c\xae\xc8\xa5\x02\x5a\x9c" "\xa8\xbe\xf4\x3c\x0f\x8c\x02\xf7\x4a\x7e\xe6\xcb\x3d\xcb\x68\xb6\xe5\xe5" "\xc0\xaa\x5d\x62\xa5\xbc\xc0\xa7\xa9\x14\x70\x96\x87\xc3\x85\x12\x4d\x0f" "\x1d\x25\x77\xa7\x17\x40\x8b\xb1\xf7\xc2\xd4\xf9\x45\x3c\x43\xf3\x16\x15" "\xa3\x48\x15\xc4\x1d\xa2\xb0\x91\x32\xff\x3f\xc2\xd2\xb3\xe6\x9c\xff\x19" "\x08\xdc\xba\x15\x13\x50\x88\x64\x5a\xa9\x91\xb9\xed\x96\x2b\x20\x95\xf6" "\x96\x5b\xed\xbb\x44\x56\x18\x09\x28\xcd\xea\xf7\x6b\x89\xec\x7b\x0f\xb4" "\xbe\xa5\x04\x4f\xf6\xc3\xb3\x97\xfb\x43\xdb\xc9\xad\xf5\xc4\x2a\x9f\x75" "\xc0\xd0\xca\x51\x0b\x5a\x68\x13\xe0\xa0\x28\xa9\x81\xd5\x6d\xe3\xa3\xf0" "\x02\xb9\xa4\xfe\x51\x18\x10\x76\x0b\x2b\x61\xd8\xc7\x30\xce\x89\xc8\x8c" "\xe3\x9b\x40\xa3\xac\x28\x71\x2a\x6a\x21\x6c\x0a\x7d\x60\x23\x6b\xc6\x94" "\xea\x9c\x4b\x3b\x2f\x8e\xed\xe4\x1f\x82\xea\x9f\x89\x7a\xf6\x06\xf1\x55" "\xf8\x3c\xa4\xfa\x63\x43\x6f\x10\x3a\x04\x58\x52\xc9\x6a\xfe\x08\xf6\x54" "\x19\xb6\x1b\x44\x6a\x8f\xfa\xd9\xb6\xbd\x4c\x11\x64\xbe\x64\x28\xd0\xbd" "\xef\xc3\x48\x70\x1f\xea\xbc\xa2\xed\x90\x72\x44\x78\x70\x46\x1c\xf2\x4c" "\xea\x47\x3f\xef\x5f\xdb\x0e\x02\x4b\x26\x05\x89\xf0\xd1\xff\xb7\x95\x5f" "\x7b\x0d\x21\x8e\xb2\x5b\x98\x22\xbe\x33\x63\x7e\x83\xe2\x07\x80\x8a\x72" "\xc8\xf5\x0b\xd8\x90\x98\x39\xb1\x74\x8d\x63\xcd\xb8\xca\x9b\x38\x2e\x1a" "\xd2\x09\xbb\xbc\x3b\x25\x18\xbe\xff\xc1\xbc\xf3\x8d\x03\xa0\xd6\x0e\x7b" "\x62\x41\x94\x77\x41\x7c\xe6\x30\x64\x8f\xcb\x52\xea\xca\x23\xe8\x5c\xe3" "\x81\xd2\x3f\x23\xd6\xd3\x97\xa5\x89\xd5\xe2\x6a\x15\x79\xbe\xfc\x45\x15" "\xb1\x7c\x0d\xff\x01\x6a\x1b\x5b\xfd\x52\x51\x52\x0d\x67\x30\x27\x76\x49" "\x87\x3f\xaa\xb1\xf7\xb0\x50\xaa\xa0\x76\x71\xc3\xf8\x06\xed\x4e\x88\xdb" "\x79\x48\x6c\xc6\xf4\xfd\xbb\x39\xe8\x70\x87\x26\x74\x4f\x8d\xa1\x06\x54" "\xf9\x62\xfc\xa2\x7a\xb1\x85\x35\xe4\xae\x98\x12\xc3\x91\x8d\xd1\x4e\x8f" "\xd3\xeb\x74\x30\x58\x1a\x82\x67\xea\x4c\x43\x59\x8a\xa4\xdd\x81\x19\xbe" "\x60\x12\xa2\xee\x16\xbd\xab\x97\x7c\x60\xcd\xea\xb6\x72\x45\xcc\x35\xd2" "\x27\xf3\xb2\xa9\x6f\x3a\xf9\xdd\x78\x5b\xfa\xc5\xb4\xd5\x79\x03\x61\xf3" "\x5a\x02\xf8\xd9\xce\x03\x98\xaa\xcc\xb4\x7f\x22\xa1\x6b\x7d\xfb\x76\xad" "\xc6\x91\x58\xc2\x9e\xe9\xb5\xed\x4c\x4a\x10\xe8\x15\xba\xbf\x9a\xea\x62" "\x5f\x37\x92\x09\x47\x26\x6b\x71\x82\x65\xe8\x48\x66\x2b\xe4\x29\x45\x51" "\x91\xc1\x93\xd2\x04\xdc\x16\x16\xbe\x7a\xf8\xba\x89\x45\x92\xb9\xa4\xfc" "\x0a\x45\x9f\xdb\x70\xae\x0d\x7a\x14\x07\xd1\x39\x8e\x2c\x6a\x86\x96\x89" "\x46\x79\xb3\x8b\x1b\x1a\x5c\x00\xa3\x0f\xed\x88\x18\x35\x23\xd9\x6e\xf8" "\x9f\x8a\x28\xe6\xc3\xb6\x93\xef\x44\x8b\x32\xbe\x2c\x73\x10\xdf\x06\x33" "\x75\x5f\xdb\xcb\x50\x25\xee\x13\x9e\x00\x5c\x6f\xbb\xa3\x15\x73\xdc\x64" "\xb8\x06\xbc\x5b\x91\x7d\x96\x88\x2d\xa0\x6d\x4a\x61\x6f\x78\x84\x0e\x48" "\x68\x01\xfb\x7e\x02\x7e\xaa\x3c\xed\x93\x9d\xb6\x8b\x15\x0b\x0d\xcb\x0b" "\xf0\x38\x6d\xab\x47\xab\x89\xc6\xb1\xa1\xd6\xe8\x8a\x8f\x03\x2e\x64\xa1" "\xf2\x8e\xb9\x53\x0b\x8e\x5c\x68\x47\xb1\x55\x7a\xa4\x2e\x6d\xb0\x4d\xd2" "\x27\x66\x98\xfb\xb8\x5e\x28\xc3\xa4\x6e\xe3\xf9\x01\x01\xfe\x8e\xf4\xd3" "\x45\xcc\x55\x5b\x56\x7d\xb8\xc3\xb2\x70\xc2\x1b\xd6\x8d\xba\x80\xc3\x51" "\x26\x9e\xe5\x08\x94\xda\x52\xf1\x0f\x66\xc0\x1b\x4b\xfd\x7e\x58\xd4\xca" "\x1b\x71\x69\x65\x2e\x59\xb1\x95\x34\x66\x34\x95\x40\x63\xbd\xe1\x0f\x2a" "\x24\xe8\xd7\x31\xb3\xc5\xcc\x1b\x49\xd9\x59\x13\xde\xfb\x84\x61\xf6\xef" "\x28\xd7\x47\x7f\xba\x7d\xa8\xd0\xa0\x62\x77\x74\xba\xe1\x85\x0b\x25\x47" "\x6d\xb5\x61\xcc\xc6\xeb\x24\xce\x46\x15\x1e\xb5\xcf\x12\x70\xa5\x8a\xfd" "\x49\x9e\xd6\xc0\x02\xeb\xed\xd4\x6c\x72\xa3\xe4\xc5\xc0\xfd\xd7\x9d\x89" "\x70\x53\x2c\x33\x0a\x25\xd0\x94\x8a\xa3\x1d\x95\x5b\xd8\xd0\x57\x25\x82" "\xb5\x7c\xfa\xeb\xb1\x2e\x70\xb4\x88\x92\xa7\xd9\xeb\xad\xcc\x4d\x02\xc3" "\x3b\x9e\x55\x34\x93\x3e\x49\xd4\x08\xf5\x94\x29\x72\x24\x65\xc6\x7b\xa6" "\x0b\x15\x15\x2c\x93\x20\x29\x49\x48\x31\xc1\x5b\xbb\x3f\x53\x1c\x2b\xb4" "\xaa\x27\x07\x67\xc2\xb7\x72\x90\x82\x4b\x13\xfb\x0f\x00\xf8\x20\x8c\x4d" "\x8a\xb1\x3b\x55\xc7\x38\xfe\x32\x75\xad\xae\x0d\x85\x58\xbb\xc9\xb2\xd9" "\x01\xfb\x47\x7c\x64\x9c\xbe\x21\x08\x1b\x64\x8d\xc7\x07\xf7\xb1\x2e\x6f" "\x1a\x68\x2d\x25\xb8\xea\x4e\xc6\xc6\x59\xeb\x1a\xb8\x6a\x39\xab\xb3\xf6" "\x3f\x44\x7d\xe6\x43\xc7\x1f\x4f\x84\xa6\x11\x3a\x4c\x3b\x63\x42\x54\xae" "\x7e\x7f\x8b\x0f\x0e\x6c\x2e\x08\x2a\xe0\x93\x15\xbb\xb9\x7e\x48\xa0\xf9" "\x0a\x5a\x00\x00\x20\x01\x77\xf1\xeb\x3f\x67\x82\xf5\x07\x80\xb5\x94\x15" "\xfc\x91\x91\x0e\x35\x1b\x8a\x3d\x6a\xa9\x9d\x63\x98\xb9\x26\x81\xe9\x9b" "\x1e\xa1\x86\xa4\x38\x14\x69\x70\xef\xee\x9c\xd6\x34\x9f\x67\x6d\x8b\xf4" "\x45\x1f\x24\xe6\x10\x5c\x91\x7a\xc1\x9e\xd1\xa8\x08\x78\xb7\xc7\xeb\x3f" "\xa9\x22\xa7\x16\x53\x55\xe3\xa3\x56\x6a\xd0\xe3\x1f\x69\x76\x1d\x83\x9b" "\xc0\x52\x77\xbd\x9e\x3d\x1c\x20\xe0\x90\x2e\x75\x06\x7d\xcd\xed\xe2\x17" "\x7e\x90\xf3\x37\xe2\xe3\x33\x18\x59\x54\xdd\xce\xe3\x38\x9b\x7e\x80\xd1" "\x29\x18\xd9\xf9\x19\x4e\xee\x1d\x83\xdc\x8d\xac\xf2\x9f\x6e\x11\x00\xd5" "\x75\x88\x21\x20\x1d\xe7\x66\x22\x4c\x93\xd0\xde\xbb\x07\xd5\x6e\xcb\x6f" "\x37\x88\xb4\x4e\x36\xf5\xf0\xdb\xed\x95\x69\xf0\x44\xb2\x86\x38\xe7\xbb" "\xd7\x1f\x3c\xce\x3d\x6e\x14\xf4\xac\x0e\x12\x7b\xe0\x24\x6d\x60\x23\x0b" "\xef\xa0\xed\xa0\xfc\xa3\xec\x20\x3f\xd3\x94\xe4\x7f\x1d\x93\x84\x63\x88" "\x2f\xc4\xf7\x48\x09\x9b\x70\x1a\x59\xc6\x4a\xd5\xa1\x53\x1c\xb3\xe9\x3b" "\x29\x5d\x32\x2c\xd8\x1a\x9c\xce\xdc\x2b\x5c\x4f\xb1\x02\x73\xb9\xe7\xab" "\xee\xdd\x74\x2f\x20\x62\xf7\x98\xfc\x31\x36\x8e\x81\x85\xa4\x74\x0d\x8a" "\xd7\xfc\x62\x51\x0b\x56\x7b\xc5\x2f\xe5\xa2\x39\x11\x8e\xe9\x8d\x03\x39" "\x14\xbc\xd9\xa1\x00\x74\x08\x36\x1d\x89\xcc\x5e\x7d\xe3\x30\xed\x15\x7c" "\xff\xa2\x5e\xd1\x12\x49\xbf\x0e\xa2\x23\xf1\xb2\x3f\xc2\x74\x1a\xa7\xfb" "\x48\xde\xe6\x54\x85\xe5\x02\x5c\x5a\x10\xd3\x96\x69\xed\x1a\x72\xde\xe6" "\x21\x9d\xd4\xde\x88\xdc\xab\x94\xb9\xa1\x85\x66\x94\xf4\xcc\xf7\x9a\x2a" "\xe3\x50\xb7\x0a\x2b\xd0\xd1\x7d\x38\xa1\x81\xd6\x7f\x56\x4d\x4d\xfc\x88" "\x6a\x8a\xe7\x1e\xf2\x6b\xab\x9d\xc4\xb9\x23\x7f\x9c\x4b\x84\x45\x05\x61" "\x6a\xa4\xa0\x70\x2e\xf8\xaf\xe8\x61\x5f\xc2\x0d\xd9\xd7\x4b\xc8\x60\x71" "\xfc\xed\xaa\xe2\xfb\xc4\x04\xe2\xa8\x63\xf9\xe9\x1d\x41\x32\xe8\x3b\xdf" "\x94\x9b\x03\xc2\x2c\xd2\xe4\x91\xce\xc0\x32\x12\x18\x1e\x6c\x3e\x9e\x38" "\x67\x57\x6f\x60\xb2\xe4\xa8\x29\x1b\xe0\x41\xae\xd2\x4d\x1a\x36\x58\x00" "\x9e\x6d\xe0\xf8\x96\x82\xc9\x6e\xc8\x51\xe7\xba\x79\xa0\xfa\x94\x49\x27" "\xa4\x8c\xd1\x78\xf6\xb9\xa3\xc4\xda\xc3\x37\x85\x7a\xf5\xfc\xa9\xbb\xdf" "\x6b\x5c\xcb\xab\xa9\x45\x28\xe8\x1a\x95\xef\x69\x78\xe7\x01\xed\x58\x3b" "\xf1\xe5\xde\x63\x8a\x23\x3d\xa5\xba\xb2\x62\xaf\x0b\x38\x8a\xc8\x02\x08" "\x10\xcb\xab\xdf\x17\xc6\xdf\xd2\x5e\x72\x77\x5e\x54\xbc\xa2\x3f\xb3\xa2" "\x78\x51\xff\xda\x15\xc4\xbb\xb9\xdf\x41\xe1\xd0\x7f\x0b\xa3\xfa\xc9\x73" "\xb5\x34\xcb\x83\x48\x70\x0c\x5e\x84\x23\x51\xf6\xd2\x70\x31\xca\xd2\x83" "\x87\xd6\x04\x72\xbe\x79\x6a\x40\x9f\x80\xa4\xfa\x0a\xdd\xf0\x69\xee\x3a" "\x73\x56\xd7\x0d\xdc\x3b\x61\x7e\xe3\x2b\x49\x4d\xb6\x81\xf7\x26\x03\x01" "\x12\x25\x68\x4d\xfa\x54\x6d\xc3\x8a\xf7\xfe\x21\x3c\xa0\x78\x06\xfa\x86" "\x62\x65\xf9\x5a\x79\x84\xf5\x27\x0b\x13\x0a\x50\xad\x68\x9e\xc1\x31\x94" "\xa2\x97\xdc\x2c\x43\x71\x18\x36\x71\x67\xb0\x4c\x9e\x6c\x2f\x81\xed\x9e" "\x1e\x43\x15\x53\x57\x7a\xc5\x1b\x2d\x7b\x00\x2b\xff\xb9\x3c\x94\xfe\xd0" "\x25\x57\x00\x75\x2c\x31\x38\x32\x4f\xb1\x7e\xb0\xd8\xb0\xa2\x0c\x56\x4e" "\x22\xd2\x51\xc0\xab\x4d\x2f\x95\x1d\x44\xa7\x9b\xb1\x6b\xc7\xac\x47\x33" "\x84\x47\x1d\x22\x49\x6e\xa4\x88\x21\x38\x80\xc8\x27\x5c\x43\x9a\xc1\x17" "\x7b\xb0\x49\xf0\x20\xa1\x56\xb1\xc1\x79\x33\xa6\x33\x6f\x0d\x2f\x43\x32" "\x9e\xab\xba\x58\xf2\x34\x9b\xed\xf8\xaf\x21\x01\x50\xc6\x88\xb4\xb5\x3e" "\x5b\x6c\x2f\x9e\xf4\xf0\xdf\x6a\x48\xaa\x06\xde\xbe\x52\x50\xf9\xd9\x86" "\x6c\xee\x28\x4f\x9e\x40\xc4\x96\xe3\x72\x57\xc1\xfa\xa7\x22\x4c\x05\xab" "\xda\x23\xbc\xd1\x18\x4a\xaf\xb7\x18\xd8\x6d\xc9\x7d\x0b\x2d\xb2\x37\x7c" "\x14\x66\x41\x91\x60\x28\xd3\xfa\x73\x7f\x18\x6c\xce\x3f\xd3\x47\x9f\x52" "\x2c\xc9\x1c\x83\x08\x3b\x00\x40\xff\x0e\xb5\xac\x0a\x7b\xf7\x6c\x2f\xfc" "\xbf\x69\xff\xa3\x3b\x79\x46\xee\xca\x4a\x0c\xe7\x64\x5d\x09\x90\x22\xf8" "\x9b\x0b\x38\x2f\xae\x34\xac\x77\x38\x9d\xb1\x9f\x73\xfd\xc4\x9b\x71\x8b" "\x4f\xba\x95\x05\x89\xea\x0c\xb8\x47\x6a\x41\xb3\x0f\x52\x2e\x94\xbd\x24" "\xa6\x33\xf0\xfc\xa8\xaf\xc2\xac\x5f\x33\xa8\x4f\x4d\xd2\xe9\x73\x4a\xb8" "\x5d\x98\x32\xd7\xe4\x9a\xb9\xeb\x6e\x91\x12\xc8\xa5\xe3\x7b\xb6\xc4\x68" "\x65\xcf\x4d\x5d\xf9\x81\x4c\xab\x88\x85\x80\x4b\x3a\xe9\x3b\xbf\xcf\x95" "\x77\x02\xec\xe7\x8b\x74\x40\x47\x98\xb3\xdb\x22\xa5\x12\x40\x52\xdc\xf5" "\xa4\xf6\x1c\xe6\xa6\xe0\x30\x23\x45\xf0\x50\x81\xa9\x7c\xb5\xd1\x3e\x3e" "\x5e\xc5\xfa\x23\x14\x42\xda\x3d\xe2\x89\x9a\xfc\x59\xc8\x41\x37\x31\x3a" "\x01\x28\xc3\x6c\x6c\xec\x6a\x0a\x53\x08\x2c\x96\xe8\x88\x58\xc0\x26\x3a" "\x99\x5e\x68\x76\x4c\x71\x4c\xc6\x3d\xf9\xa0\xa1\xab\xa4\x4b\x9e\x4a\xe6" "\x7b\xa2\xf5\x35\x40\x0f\x0a\x18\xe1\xbe\x2b\x2d\x99\xfb\x4e\xcb\x1f\x18" "\x05\xa8\x70\xb4\xe7\xf4\x56\x93\x3f\xab\x61\xd3\xb7\xd8\x25\x48\xb7\xd7" "\xf8\x5f\x65\x2f\xfb\x30\xfb\xd8\x0f\xd4\xe7\xcb\xba\x09\x52\xac\xa3\x5e" "\x6b\xdc\xf8\xe6\x7b\x7e\x32\x13\x73\x8b\x08\x01\x17\xc6\x77\xb5\x5b\x0f" "\x33\x0e\xcf\x1d\xdb\x76\x01\x8f\x36\xe9\x2d\x7e\xec\x84\x39\x64\x38\x1f" "\x55\xde\xb1\x7a\x4d\x1a\xff\x2e\x3f\x50\x71\x01\x11\x66\xd4\x3f\x81\x0d" "\x0b\x7d\xe9\xd4\xdd\xe6\xfb\x5c\x5a\x3e\x83\x19\xed\xc9\x89\x13\xc4\xec" "\x0d\x27\x65\x45\xb3\x95\xf7\xb2\x8d\xb3\x15\x4d\x6d\x1c\xa5\x24\xdf\xc6" "\xae\xab\x37\x41\xc3\x7c\x24\x9b\x1b\xb1\x12\x71\x93\x25\xed\x0d\x30\x75" "\x0b\x32\x2c\xef\xc7\x4b\x7f\x35\x21\xc4\xb2\x83\x0b\xe3\xb1\x33\x43\xb4" "\x44\xc4\xbc\x83\x15\xf6\x37\x39\xdd\xdf\x08\xca\x47\x7e\xb9\x82\x3f\x83" "\xc3\xf4\x2c\x15\x5d\xcc\x32\x44\x4d\x60\xa4\x32\x8f\x6e\xc4\xbf\xd0\x0d" "\x4c\x04\x59\x8c\x41\xfa\x4f\x13\xfc\x16\xd2\xe1\x59\xbf\x54\x59\x3d\x6e" "\x68\x6a\x6c\x50\xda\x42\x1d\x44\x9d\x0d\x16\xaa\x57\x4e\x68\x39\x49\x04" "\x0e\x55\xd0\xb6\xa2\x0f\x12\xfe\xdc\x14\x72\x85\x2d\x25\xe8\xc9\xc7\x95" "\x0d\xef\x6e\x9c\xdb\x75\xfe\x68\x6c\x4d\xb2\xa2\xd6\xa7\xde\xe2\xec\x6e" "\x6d\x76\xca\xc6\x22\xa4\x5a\x1b\x64\x64\xc2\x83\xdd\xff\x7f\x71\x31\x17" "\x7d\x53\xc4\xf0\x0f\x86\x31\x4c\xf7\x83\x8d\xc5\x13\x42\x37\xe9\xa7\x46" "\x9c\x82\xc8\xb3\x87\xfe\xc5\x39\xd1\x83\x0c\x4c\x12\x75\xef\x3f\x15\x16" "\xf6\x1f\xa6\x17\x81\x26\xdf\xd5\x1e\x24\xdb\x3b\x95\x07\xa2\xa9\x56\x51" "\xae\xe7\xd7\x6d\xb6\x1e\x44\xcb\x26\x2d\xe0\x77\xcc\x86\x67\x52\xf8\x34" "\x68\x54\x08\x7e\xfc\x01\x40\xac\x26\xcf\xa3\xfa\x91\xaf\xe2\x09\x4c\x92" "\x4e\xc5\x2c\x0d\x35\x1a\xf1\xbd\x10\xef\x1f\xbc\xaf\xd5\xb6\x6d\xc0\xe1" "\x9e\x26\xb4\x79\xf5\x43\x28\x28\xda\x2e\x2b\x3e\xa9\xad\x7d\xcb\x54\x9b" "\x42\xdd\xed\x43\xd0\xdd\x8f\x3a\x49\x43\xd0\x93\x50\x01\x3d\xa1\xe8\x3b" "\x1e\x50\x6d\x8c\x2e\xfe\x36\x25\x49\x65\xcd\x9a\x03\xaf\xfd\x38\x7b\x61" "\x31\x01\x2f\x22\x28\xd5\x65\xaa\x9e\x1c\xb8\x97\x18\x02\xca\xc1\x46\xa9" "\x59\x8a\xf8\xba\x95\x6c\x54\xe7\xdd\xcb\xca\xc0\x7e\x37\xb1\xa6\x1c\x4e" "\xdb\x89\x19\xf1\xef\xed\x9c\x14\x2c\x58\x04\x6c\xa3\x8e\xac\x43\x35\xf3" "\xae\x89\x4c\xa7\x08\xac\xd8\x48\x22\x53\x50\xb9\x0a\x17\x7c\x49\x0b\x8f" "\xaa\xf7\xb9\x52\xdf\xbf\x1e\x85\xf2\xb3\x39\xaa\x8b\x11\x68\xd0\xcb\xf2" "\x25\xc6\xac\x4f\xff\x64\xc3\x7b\x6c\x9c\x52\x95\x9f\xc3\xab\xa1\x6c\xec" "\x5e\x9c\x22\xd1\x5c\xf1\x87\xf7\x0f\x8a\x0c\x1d\xbe\x26\x24\x7b\xb9\x84" "\x5b\xf4\x0d\xda\x7c\x69\x54\x33\xa3\x11\xd8\x1c\x69\x88\xef\x07\xaa\x30" "\x4f\x20\x2e\xd7\xde\xd2\x45\x1b\x21\x2e\xa1\x3d\x3c\xe1\xe4\x05\xbc\x8a" "\x9e\xad\xe4\xee\x93\x38\x41\x6e\xf7\x69\x13\xdd\x05\xd9\xd7\x31\xb6\x62" "\x83\xf3\x0d\x78\x29\xef\x4a\xb7\x0b\x92\x59\xc9\x2d\x0e\xd7\x89\x96\x5e" "\x88\x7f\xa5\xc2\x51\x35\x0e\x4c\xe0\x69\x73\x6b\xfe\x52\xca\x7f\xf3\x92" "\xe4\xc1\x71\xd5\x0f\xe1\xf7\xe2\xc8\x61", 4096); *(uint32_t*)0x200054ae = r[3]; memcpy((void*)0x200054b2, "\xcb\xe6\x54\xca\x81\x2d\x5e\x44\xe1\x44\x63\x7a" "\xca\x50\xdc\x10\x39\xd6\x1b\x87\xe3\x98\x78\x8e" "\xf0\xa5\x1c\xc7\xc0\x38\x0e\x51\xdb\xc2\x69\xf4" "\xb1\xcd\x73\x14", 40); *(uint32_t*)0x20000908 = r[3]; *(uint64_t*)0x2000090c = 0x200008c0; *(uint32_t*)0x200008c0 = r[3]; syscall(__NR_fremovexattr, r[3], 0x20000900); memcpy((void*)0x20000080, "/dev/mixer", 11); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000080, 0x400002, 0); if (res != -1) r[4] = res; *(uint32_t*)0x20000140 = 6; *(uint32_t*)0x20000144 = 2; *(uint32_t*)0x20000148 = 0xa3; *(uint32_t*)0x2000014c = 7; *(uint64_t*)0x20000150 = 0x200000c0; *(uint8_t*)0x20000158 = 0; *(uint8_t*)0x20000159 = 0; *(uint8_t*)0x2000015a = 0; *(uint8_t*)0x2000015b = 0; *(uint8_t*)0x2000015c = 0; *(uint8_t*)0x2000015d = 0; *(uint8_t*)0x2000015e = 0; *(uint8_t*)0x2000015f = 0; *(uint8_t*)0x20000160 = 0; *(uint8_t*)0x20000161 = 0; *(uint8_t*)0x20000162 = 0; *(uint8_t*)0x20000163 = 0; *(uint8_t*)0x20000164 = 0; *(uint8_t*)0x20000165 = 0; *(uint8_t*)0x20000166 = 0; *(uint8_t*)0x20000167 = 0; *(uint8_t*)0x20000168 = 0; *(uint8_t*)0x20000169 = 0; *(uint8_t*)0x2000016a = 0; *(uint8_t*)0x2000016b = 0; *(uint8_t*)0x2000016c = 0; *(uint8_t*)0x2000016d = 0; *(uint8_t*)0x2000016e = 0; *(uint8_t*)0x2000016f = 0; *(uint8_t*)0x20000170 = 0; *(uint8_t*)0x20000171 = 0; *(uint8_t*)0x20000172 = 0; *(uint8_t*)0x20000173 = 0; *(uint8_t*)0x20000174 = 0; *(uint8_t*)0x20000175 = 0; *(uint8_t*)0x20000176 = 0; *(uint8_t*)0x20000177 = 0; *(uint8_t*)0x20000178 = 0; *(uint8_t*)0x20000179 = 0; *(uint8_t*)0x2000017a = 0; *(uint8_t*)0x2000017b = 0; *(uint8_t*)0x2000017c = 0; *(uint8_t*)0x2000017d = 0; *(uint8_t*)0x2000017e = 0; *(uint8_t*)0x2000017f = 0; *(uint8_t*)0x20000180 = 0; *(uint8_t*)0x20000181 = 0; *(uint8_t*)0x20000182 = 0; *(uint8_t*)0x20000183 = 0; *(uint8_t*)0x20000184 = 0; *(uint8_t*)0x20000185 = 0; *(uint8_t*)0x20000186 = 0; *(uint8_t*)0x20000187 = 0; *(uint8_t*)0x20000188 = 0; *(uint8_t*)0x20000189 = 0; syscall(__NR_ioctl, r[4], 0xc0505510, 0x20000140); syscall(__NR_ioctl, r[4], 0xaea2, 1); syscall(__NR_sync); *(uint32_t*)0x20000040 = 0x4f; syscall(__NR_getsockopt, r[4], 0x11, 1, 0x200001c0, 0x20000040); memcpy((void*)0x20000500, "/dev/nullb0", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000500, 0, 0); if (res != -1) r[5] = res; syscall(__NR_mmap, 0x20660000, 0x7ffffffff000, 0, 0x100000000000010, r[5], 0); res = syscall(__NR_socket, 0x10, 3, 6); if (res != -1) r[6] = res; *(uint64_t*)0x20001500 = 0x20000140; *(uint16_t*)0x20000140 = 0x10; *(uint16_t*)0x20000142 = 3; *(uint32_t*)0x20000144 = 0; *(uint32_t*)0x20000148 = 0; *(uint32_t*)0x20001508 = 0xc; *(uint64_t*)0x20001510 = 0x200014c0; *(uint64_t*)0x200014c0 = 0x20000000; memcpy((void*)0x20000000, "\x04\x01\x00\x00\x1a\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0" "\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xac\x14" "\x14\xaa\x00\x00\x00\x00\x00\x00\xff\xff\xff\x9e\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 64); *(uint32_t*)0x20000040 = 0; memcpy((void*)0x20000044, "\xe0\x15\xe1\x63\xd6\xf6\x00\x68\x98\x44\x00\x00\x08\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3c\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x02\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x14\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x2c\xb4\xcd\x94\x71\x8d\xb9" "\xcc\x29\x09\x1a\x1f\x11\x03\x89\x0c\x8a\x90\xd1\xcc\x93\x82\x23\x12" "\xa4\x74\x2c\x96\x16\xc8", 227); *(uint64_t*)0x200014c8 = 3; *(uint64_t*)0x20001518 = 1; *(uint64_t*)0x20001520 = 0; *(uint64_t*)0x20001528 = 0; *(uint32_t*)0x20001530 = 0; syscall(__NR_sendmsg, r[6], 0x20001500, 0); memcpy((void*)0x20000500, "/dev/nullb0", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000500, 0, 0); if (res != -1) r[7] = res; syscall(__NR_mmap, 0x20660000, 0x1000, 0x200000a, 0x13, r[7], 0); memcpy((void*)0x20000000, "/dev/cuse", 10); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000000, 0x80, 0); if (res != -1) r[8] = res; *(uint32_t*)0x20000080 = 0x28; res = syscall(__NR_getsockopt, -1, 0x84, 0x1d, 0x20000040, 0x20000080); if (res != -1) r[9] = *(uint32_t*)0x2000004c; *(uint32_t*)0x200000c0 = r[9]; *(uint32_t*)0x200000c4 = -1; *(uint16_t*)0x200000c8 = 0x20; *(uint32_t*)0x20000100 = 0xc; syscall(__NR_getsockopt, r[8], 0x84, 0x72, 0x200000c0, 0x20000100); res = syscall(__NR_epoll_create1, 0); if (res != -1) r[10] = res; res = syz_init_net_socket(0x27, 1, 1); if (res != -1) r[11] = res; *(uint32_t*)0x20000080 = 0; *(uint64_t*)0x20000084 = 0; syscall(__NR_epoll_ctl, r[10], 3, r[11], 0x20000080); memcpy((void*)0x20000040, "security.ima", 13); syscall(__NR_fremovexattr, r[11], 0x20000040); memcpy((void*)0x20000500, "/dev/nullb0", 12); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000500, 0, 0); if (res != -1) r[12] = res; *(uint64_t*)0x20000000 = 0; *(uint64_t*)0x20000008 = 0; syscall(__NR_ioctl, r[12], 0xc0101282, 0x20000000); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); char* cwd = get_current_dir_name(); for (;;) { if (chdir(cwd)) fail("failed to chdir"); use_temporary_dir(); do_sandbox_none(); } }