// https://syzkaller.appspot.com/bug?id=676eeda0c763817c7d8ec3f899fd23bdc45b5d1c // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned long long procid; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) && (addr < prog_start || addr > prog_end)) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) \ { \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ } static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i; for (i = 0; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0" "\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e" "\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba" "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01" "\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22" "\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00" "\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22" "\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7" "\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f" "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22" "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89" "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3" "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48" "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2" "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e" "\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7" "\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48" "\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0" "\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0" "\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7" "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0" "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00" "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48" "\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7" "\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0" "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0" "\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79" "\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48" "\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c" "\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c" "\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00" "\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00" "\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7" "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0" "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20" "\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7" "\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e" "\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48" "\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7" "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0" "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12" "\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68" "\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00" "\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00" "\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48" "\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7" "\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0" "\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff" "\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff" "\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c" "\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48" "\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00" "\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00" "\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7" "\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0" "\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00" "\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0" "\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20" "\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18" "\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31" "\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44" "\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48" "\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7" "\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3" "\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e" "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24" "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08" "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; NONFAILING(dt[index] = sd); NONFAILING(lt[index] = sd); } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; NONFAILING(dt[index + 1] = 0); NONFAILING(lt[index + 1] = 0); } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 6: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = 0; const void* text = 0; uintptr_t text_size = 0; NONFAILING(text_type = text_array_ptr[0].typ); NONFAILING(text = text_array_ptr[0].text); NONFAILING(text_size = text_array_ptr[0].size); uintptr_t i; for (i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr); NONFAILING(pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr); NONFAILING(pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS); sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS); NONFAILING(memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1)); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE); text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); NONFAILING(memcpy(tss16_addr, &tss16, sizeof(tss16))); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); NONFAILING(memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16))); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); NONFAILING(memcpy(tss32_addr, &tss32, sizeof(tss32))); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); NONFAILING(memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32))); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); NONFAILING(memcpy(tss64_addr, &tss64, sizeof(tss64))); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); NONFAILING(memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64))); if (text_size > 1000) text_size = 1000; if (text_prefix) { NONFAILING(memcpy(host_text, text_prefix, text_prefix_size)); void* patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4)); if (patch) NONFAILING(*((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6); uint16_t magic = PREFIX_SIZE; patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic))); if (patch) NONFAILING(*((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size); } NONFAILING(memcpy((void*)(host_text + text_prefix_size), text, text_size)); NONFAILING(*(host_text + text_prefix_size + text_size) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size)); NONFAILING(*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4); NONFAILING(*(host_mem + ADDR_VAR_HLT) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3)); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0); if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = 0; uint64_t val = 0; NONFAILING(typ = opt_array_ptr[i].typ); NONFAILING(val = opt_array_ptr[i].val); switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; NONFAILING(tss16_addr->flags ^= val); NONFAILING(tss16_cpl3_addr->flags ^= val); NONFAILING(tss32_addr->flags ^= val); NONFAILING(tss32_cpl3_addr->flags ^= val); break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16)); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs32); fill_segment_descriptor(gdt, ldt, &seg_ds32); fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32); fill_segment_descriptor(gdt, ldt, &seg_tss32_2); fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3); fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86); fill_segment_descriptor(gdt, ldt, &seg_tss16); fill_segment_descriptor(gdt, ldt, &seg_tss16_2); fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64); fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3); fill_segment_descriptor(gdt, ldt, &seg_cgate16); fill_segment_descriptor(gdt, ldt, &seg_tgate16); fill_segment_descriptor(gdt, ldt, &seg_cgate32); fill_segment_descriptor(gdt, ldt, &seg_tgate32); fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64); if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1; if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1; return 0; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 9; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 45); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res; switch (call) { case 0: NONFAILING(memcpy((void*)0x20000180, "/dev/kvm\000", 9)); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000180, 0, 0); if (res != -1) r[0] = res; break; case 1: res = syscall(__NR_ioctl, r[0], 0xae01, 0); if (res != -1) r[1] = res; break; case 2: res = syscall(__NR_ioctl, r[1], 0xae41, 0); if (res != -1) r[2] = res; break; case 3: NONFAILING(*(uint32_t*)0x20000000 = 0); NONFAILING(*(uint32_t*)0x20000004 = 2); NONFAILING(*(uint64_t*)0x20000008 = 0); NONFAILING(*(uint64_t*)0x20000010 = 0x2000); NONFAILING(*(uint64_t*)0x20000018 = 0x20002000); syscall(__NR_ioctl, r[1], 0x4020ae46, 0x20000000); break; case 4: NONFAILING(*(uint64_t*)0x200001c0 = 0); NONFAILING(*(uint32_t*)0x200001c8 = 0x119000); NONFAILING(*(uint32_t*)0x200001cc = 0); syscall(__NR_ioctl, r[1], 0x4010ae67, 0x200001c0); break; case 5: syz_kvm_setup_cpu(-1, r[2], 0x2000f000, 0, 0, 0, 0, 0); break; case 6: syscall(__NR_mmap, 0x20000000, 0x7000, 0x80000000003, 0x11, r[2], 0); break; case 7: syscall(__NR_ioctl, r[2], 0xae80, 0); break; case 8: NONFAILING(*(uint64_t*)0x20003300 = 0); NONFAILING(*(uint64_t*)0x20003308 = 0); NONFAILING(*(uint64_t*)0x20003310 = 0); NONFAILING(*(uint64_t*)0x20003318 = 0); NONFAILING(*(uint64_t*)0x20003320 = 0); NONFAILING(*(uint64_t*)0x20003328 = 0); NONFAILING(*(uint64_t*)0x20003330 = 0); NONFAILING(*(uint64_t*)0x20003338 = 0); NONFAILING(*(uint64_t*)0x20003340 = 0x20001300); NONFAILING(memcpy( (void*)0x20001300, "\x03\x20\x2b\xd5\x51\x19\x8d\xbd\x09\x71\xd0\x14\x1c\x92\x6f\x10\xe0" "\x8e\x95\xf4\x98\x6f\xe8\x98\xd5\xde\x92\xa3\x91\x1a\x08\xfe\x19\x35" "\x2e\x24\x73\xfa\xed\x90\x35\x55\xb7\x2f\xf1\x49\x13\xa1\xac\x07\x18" "\x98\xd3\x77\x77\xf2\xb0\x53\x5f\x97\xee\x4a\x41\x23\xcb\xab\xcc\xe1" "\x37\x5e\x11\xa6\xbf\x79\x55\x93\x08\x52\x74\x46\xe0\x45\x67\x2d\xc0" "\x69\xd3\x2e\x0c\xc5\xac\x74\x70\xb5\x90\x91\x79\x6d\x5f\x9a\x4c\x6c" "\xe5\xe2\x8c\x7f\x64\x5d\x2b\x4c\xca\xe8\x8e\x66\x39\xec\x93\xf7\xc1" "\xb4\x4d\x21\xb3\xaf\xd9\xe4\x7c\x6b\x46\x98\x31\xbd\x29\x2e\x1f\xb4" "\x0d\x4d\x70\x1a\x5e\x7f\xf8\xcc\xd1\xe7\x3e\x0b\x75\x14\xaa\xc6\x6c" "\xa1\xc3\x1b\xc3\x85\x71\xe0\xe6\xe9\x3d\xe0\xdc\xa8\x84\x6b\x4d\x85" "\x29\x77\x8f\x5b\xb0\x69\x72\xb3\x71\xdc\x72\xff\xde\x0b\xa4\x8d\x16" "\x3c\xaa\xff\x69\x54\xec\xef\x18\xd5\xeb\xf5\x66\xbd\xe1\x9b\xf0\x9b" "\x08\x46\x86\x5f\xba\x58\xb2\xeb\x60\x4e\xac\xf1\x36\x71\xb8\x7a\x69" "\x78\xf9\x01\x81\xc7\x6e\x8a\x91\x7c\xcd\xc6\xf6\x10\xda\x51\xf6\x7e" "\xb7\xc2\x11\xb2\xe6\xd5\xc9\x82\x34\xa4\x13\xb6\x59\x27\x6e\xeb\xb0" "\x6d\x6c\xb3\x53\x9b\x01\x67\x37\xba\x3a\x74\xa1\x31\x3d\x3a\x47\xfb" "\x31\xd4\x1e\x41\x1b\x63\x50\x10\x2f\x0f\x7b\x35\x26\x0f\x48\x4f\x95" "\x1d\x30\x7c\x98\x44\x0a\x15\xb7\x26\xef\x6c\x16\xbe\x64\xc0\xae\xa3" "\xac\x19\x64\x36\xd5\xf8\x23\x05\xce\xf1\xe6\xd4\x90\x9c\xca\x97\xe2" "\x2c\x5e\x44\x97\xf6\x12\xde\x2a\xe2\x69\x3c\x43\x22\x05\x37\x7e\x6b" "\xab\xf8\x2e\xad\x74\x65\x3d\x7f\xdc\xf4\xcc\xe4\x27\xf0\x17\xc8\xa2" "\xc6\x80\x52\xa1\x4a\xa0\x9a\xd3\x12\x41\x47\x39\xb7\xd5\x40\xd0\x47" "\xf0\xc3\xac\x25\xfb\x8d\x0d\x9b\x38\x02\x96\xaf\x6f\x52\xab\x20\x52" "\xfd\x46\xc7\xe1\x04\x03\x60\xb8\x94\x6d\x97\x4e\x73\xbd\x36\x7d\x18" "\x1c\x67\x0b\x70\x40\xbf\xc6\x1c\x0f\xe3\x2c\xa6\x0a\xa2\x4b\xaf\xe6" "\x43\xc7\x9d\x2a\xde\xf4\x3e\x58\xc4\x2e\x33\x67\xf0\xc5\x20\x14\x77" "\xda\x6d\xe6\x48\x3e\x02\xe8\xe7\x3f\x68\x39\x9e\xaf\x97\xda\x6e\x02" "\x03\xc4\xb3\x2e\x1a\xf6\xb2\xe8\x24\xad\xf4\x79\x03\xdb\xc1\x45\x83" "\x62\xb2\xcf\x26\x6f\x8e\x4b\x4c\xb3\x2a\x4a\xe3\xda\x22\xb1\x12\x44" "\xa9\x6b\x09\xcb\x34\xc5\xcb\xd1\x73\xf7\x16\x6d\xac\x12\x0c\x9f\xe4" "\x19\x26\x4b\x99\xaf\xc5\xf3\x80\x82\xa2\xc9\x4a\xfa\x2a\x29\xfa\x8c" "\x6d\x23\x89\x51\xc7\x10\xc0\xeb\xd0\xd3\xdc\xb6\xb3\x2b\xbb\xbc\xa4" "\xbc\xde\xf6\xea\xbb\x98\xcc\x49\xc7\x4f\x82\xd2\xfa\xa8\x92\x6e\x32" "\x99\xc5\xeb\x2b\xe2\x63\x0e\xdb\x13\x06\xa2\x07\x53\xed\x16\x52\x72" "\xd3\x5f\xbe\x88\x8b\x49\x21\xd0\xcd\x69\x60\x27\x7b\x4a\x7a\x22\xf8" "\x29\x54\x84\xf7\x1a\x97\x30\xc9\x14\xd2\x9e\x92\x46\x43\x30\x0c\xcf" "\x85\x39\xb6\x37\x1f\x45\x7a\x59\x11\x4c\x05\xad\x72\xbd\xe5\xb0\x37" "\x8a\x5f\x56\x30\x33\xed\x31\xb5\xdb\x10\x5b\x7c\x68\xdc\x48\x3a\xbe" "\xd7\x26\x18\x63\x54\xed\xd6\x21\x3c\xe4\x0a\xae\x48\x43\xca\x23\x12" "\x02\x51\xa5\x5e\xcf\x4e\x45\x84\x83\x40\x39\x78\x86\xd2\xce\xdc\x3c" "\x92\x71\xfb\x13\xc2\xb4\x06\xa7\x62\x76\x11\xed\x10\xdd\xd0\x58\x74" "\x92\xb7\x38\x53\xba\x6f\x6e\xac\xb7\x5f\x7a\xa0\x4d\xd3\x52\x9f\x79" "\xd5\x05\xb9\xb0\x31\xcd\x69\x22\xd3\xd3\x60\xfb\x53\xfd\xb8\x8e\x1d" "\xdb\xe8\x41\x1f\x75\xb3\x28\x70\x12\x53\xcc\xa9\x86\x51\x4c\xdc\xa4" "\x03\x5a\x7f\xa1\x0d\xae\x99\xc1\x60\x5e\xf1\xb6\x85\x9d\x3e\x74\x98" "\xb6\x89\x51\xf3\x09\x14\xa1\x74\x56\xdf\x45\x9b\x97\x24\xa2\x67\x4f" "\x4d\x8b\xda\xbd\x75\x21\xc4\xd2\x8c\x27\x30\xdf\x86\xa5\x2a\x93\x4e" "\x78\x5c\x3b\x5e\x3c\xbc\x77\x7d\xcd\x6b\xc3\x78\xbf\xf9\xb2\x1b\x76" "\xfc\x6e\xc9\x56\x38\x68\x8a\x03\xbb\x80\xca\xec\x4a\xf3\xa9\x14\x35" "\xa1\x24\x56\x68\xf8\xa8\x5a\x1f\xb5\x65\xfc\x20\xbf\x15\xfe\xc9\x39" "\x47\x9d\xe2\xf2\x2d\x9e\x00\x7b\xf8\x3b\x55\x10\x95\xe8\xfd\xcd\xbd" "\xfa\x91\x8c\x3e\x32\x8e\x39\x62\x06\x4e\x1a\x9a\xc3\x1b\x62\x72\x27" "\x33\xd6\x49\xe6\x47\x9a\x7a\xa0\x69\x5a\x9b\x9a\xca\xa3\x39\x7d\xf4" "\x42\xa0\x17\x7c\x1f\xa0\x03\xf0\x19\x9c\xbf\xfe\x29\x81\x40\x7f\x10" "\xb6\xfb\x2c\xe7\x55\x3b\xc1\x67\xbe\x07\x7c\xec\xdb\xa6\x87\x61\x19" "\x24\xe1\x7b\x87\xc7\x0b\x92\x68\x89\xba\xbe\xa5\x24\x7f\x00\x7c\x50" "\xa2\xcf\xf1\xd8\x08\x8f\x99\x2e\x98\x7a\x3f\xb3\xb4\x91\x2f\x72\xa2" "\x15\x2d\x8b\x4a\x94\x02\xa9\x26\x81\xf8\x2f\xc1\x91\x10\x80\x77\x9b" "\x07\xe3\xa0\xf2\xb3\xc7\x7d\xd8\x75\x7e\xf3\xb3\xf9\x99\xc4\x9a\x93" "\x21\x3c\xa0\xd5\x8d\x0d\x02\x9c\x2d\x49\xd0\xe5\xc5\xee\x5c\xbc\x1c" "\x64\xc9\x77\x8e\x84\x3a\x55\xa4\x64\xab\x0d\xd7\xfa\x4c\x3b\x68\x53" "\x8d\xf5\xe2\x16\x21\x3c\x7c\x92\x39\x76\xf3\xbd\x76\x04\x0a\xea\xa6" "\x52\x36\x72\x19\x25\xae\xc0\x73\x6a\x67\x95\x32\xe3\x4a\x58\x59\xae" "\x45\x2b\x45\x5f\x0b\x31\x36\x7b\x59\x8e\xb1\x47\xda\x71\xc9\xd8\x8b" "\x04\x48\xbb\x7d\x81\x83\x4c\x64\x25\x6d\x92\x0f\x96\xb5\xfd\x74\x48" "\xfa\x6c\xf6\xc9\x60\x0f\x15\x07\x32\xc2\x04\xe1\x3a\xe6\x61\x97\x79" "\xfe\x3b\x1d\x64\x94\xf6\xe9\xfa\xa5\x21\x35\xe1\x7e\xb8\x71\x4e\x95" "\xce\xba\x7c\x5c\x12\x0e\x45\xec\x8d\xc2\x0a\xbe\x56\xa2\x11\x4c\x2e" "\xc0\x00\x1f\x11\x36\xca\x6d\x74\x49\xfc\xc8\xce\x33\x8f\x8e\x65\x5f" "\x58\x51\x7b\x2b\x82\xc1\xa8\x57\xde\x30\xee\x32\xd2\x88\x40\xc9\x0b" "\x5a\xd8\xcb\xf9\x51\xb5\x63\x3d\xb2\x38\x29\x74\x15\x2f\x2b\x7f\x7b" "\xb1\x55\xaa\x8f\x59\x66\x9e\xd9\xab\xba\xc7\x8e\x2b\x5e\x35\x38\x9b" "\x95\x1d\x29\x03\x24\x0d\x3c\x0c\xeb\x7d\x2a\x77\x3e\x14\xe7\x60\xa5" "\x8f\x47\xe2\x66\x5a\xef\x7e\x11\x02\xca\x33\xed\x99\xb7\x29\xe3\xcc" "\x89\xdd\x04\xdd\xd7\xbd\x76\xc6\x1b\x3f\xa1\x05\xb6\x4a\x3e\x23\x69" "\xe1\x66\xc0\x24\x15\xc7\x85\x89\x6e\xfc\x25\x0d\x77\x37\xe9\x70\x7f" "\xd1\x6a\x71\xda\x05\x96\x28\x65\x81\x35\x03\x82\x6a\xb1\x85\x8e\x23" "\xc2\xfb\xa1\x99\x75\x9c\xdd\xc9\x65\x8c\x15\x6d\x92\x7b\xbe\xbb\x1c" "\x74\xbc\x58\x45\xec\x86\xa9\x13\x71\x23\xf5\xb3\x0e\xcb\x8c\x78\xce" "\x62\x6d\x9b\x58\xb2\xd8\xda\xbc\xcc\xa5\x6b\x55\x4a\x35\xf0\x6a\xe5" "\x39\x9e\x0a\x1b\xdb\x72\x3a\xd1\x02\x63\xe1\x2a\xc5\x1f\x07\xf1\x7d" "\x5c\x9c\xe0\x4c\xa8\xa6\xab\xad\x2c\xd4\x2a\x54\x2e\xc5\xc0\x1e\x0c" "\x9b\xc2\x0e\xaa\x8c\xc5\xd6\x6f\x9f\xd0\xb5\x83\x5a\xda\xf4\xd0\x8b" "\x51\x45\x37\x49\xc7\xd6\x87\x04\xe6\x3f\xdd\x81\xbb\xc5\x6c\x68\x85" "\x97\x4a\x03\xdb\x91\x00\xb7\xb8\x68\xf2\x10\xfe\x70\x58\xe5\xf7\x5e" "\x08\xb3\x70\x31\x91\x7e\xe2\x67\x6d\xdd\xfa\x27\x7a\x6f\x6b\x32\xf6" "\xaa\x5a\x53\xc3\x35\xa6\xc6\xf9\x26\xb0\x06\xe7\x6e\xa6\xbb\x6a\xb1" "\x0a\xea\xb7\xb1\xde\x73\x00\x62\xf4\x0e\x2d\xee\xc2\x02\xa7\x1b\x80" "\x36\x10\xbe\x92\x5e\xc0\xa7\x07\xaf\x25\xfb\x1f\xba\xde\x2b\x63\x7f" "\x46\x93\x38\xfb\x03\x1a\xee\xa8\x93\x43\x49\x43\xa4\x94\xe4\x11\x39" "\x08\x4b\x45\xc2\xe5\x53\xa9\x51\x6d\xa3\xa1\xbb\x2a\x97\xc6\xc6\xea" "\x75\x74\xce\x4a\xdf\xd4\x6c\xaa\x08\x6f\x79\x76\xaf\x47\x29\xc1\x78" "\x0e\x6a\x98\x09\x54\x44\x49\xdc\xf6\xb1\xa7\xa6\x97\x97\x3c\xcf\x22" "\x25\x6c\x22\x23\x91\xa5\x5e\x6e\xda\xe6\x04\xb1\x74\x75\x1b\xb0\x6e" "\xe3\xf2\x95\xce\xc4\xe0\x39\xa2\xac\x35\xbd\x88\xd4\x4a\x6b\x61\x05" "\xdb\x64\x09\xc9\xa2\x82\xbd\xa0\xab\x29\x62\x87\xb9\x13\xad\x7f\xef" "\x20\x8e\x42\x6e\xc6\xe9\x4a\x34\x1e\x3d\xcc\x35\xb8\xba\x02\x1d\x12" "\xba\xd9\x2f\x1a\xc2\x9c\x63\x21\xb1\x37\xbf\xd1\xa7\x64\x38\xda\x44" "\xbb\x5b\x36\x78\x11\x21\xf7\xb9\xba\xf8\x29\x63\xc8\x86\x20\x54\xdb" "\xbd\x88\xc0\x90\xd8\x79\x1d\x61\x76\xaf\x18\x68\x86\x03\x80\xea\xea" "\x09\xe3\xaf\x28\x48\x24\x0f\x4d\x6e\x66\x67\x58\xf9\xdc\x4e\xaf\x57" "\x6d\x1e\xba\xa3\xf3\x96\x5f\x1c\x4d\xce\x74\x73\x25\xb6\x8d\xcf\xc7" "\xed\x93\x54\xf9\xe5\x6b\x88\x44\xb1\x97\xff\x9b\xb5\x28\x23\x17\x7c" "\xbf\x4f\xd7\x44\x73\xe9\x32\x56\x05\x06\x5a\x5c\xae\xc2\x22\xb9\x52" "\x4a\xa3\x85\x07\x8e\x27\x8f\xdb\x96\x3e\x8a\x5b\x77\x0b\x5a\x56\xe5" "\x41\xee\xea\x16\x2c\xf1\x4c\xc0\x31\xd3\x0c\x55\x9d\x7c\x60\xdd\x62" "\xee\x6b\x88\xf7\xfb\x0e\xc8\xbf\x80\x98\x22\x1c\x6c\x7f\x42\x56\x20" "\x51\x14\x4d\x7a\x04\xa6\x62\x98\x08\x3e\xa7\x14\x0c\xcd\x70\x2c\xe5" "\x86\x4b\x76\x84\x86\x7f\xbc\x87\xf1\xde\x11\x4c\x36\xdf\x79\xa3\x2a" "\x12\xa4\x7e\x25\xed\xc4\x93\xf8\x26\x04\xc9\xd0\x3b\x52\x7a\xf9\x87" "\x2c\x5a\xb8\xb1\x0e\x66\xe6\xef\xed\xeb\x58\x27\x6a\x3b\x0a\x90\x77" "\xcc\x61\xed\x78\xc6\xc7\x8f\x34\xd8\x94\x99\xe1\x59\x24\x84\x87\x84" "\x85\x48\xf4\xc4\xa3\xca\x6c\xb4\xe6\xa3\xcc\xef\xf7\xb4\x5c\x9b\x93" "\xaf\x97\xa3\x94\xa7\xd8\x0a\xf6\x9c\x6f\xf2\xdb\x45\x63\xbd\x7e\xc7" "\xca\x65\x6e\xa7\x9c\x07\xd5\x05\x84\x46\x70\xf8\xc6\x36\x22\x79\x07" "\xb3\x98\x44\x8d\x36\x43\xce\x67\x97\x67\x19\xfd\xa2\x24\x0e\x9b\xc6" "\x5c\x43\xb5\xb1\x8c\x2a\x4f\xd4\x6d\x75\x57\xe4\xb5\x96\xbd\x9a\x58" "\xfd\x18\xcb\xe7\x77\x1e\xea\x8e\xe2\x0e\xec\x81\x0f\xe8\xc4\x37\x5b" "\x8c\xc4\x02\xf3\xc9\x9a\xee\xe3\x1f\xa6\x68\x8a\xed\xfb\x60\x6d\xdf" "\x52\x46\x54\xbd\x84\x50\x6a\xed\x1c\x71\x6f\xe0\xf3\xf9\xc6\xfd\x4a" "\x52\x01\x5c\xee\xf9\x9e\x25\xff\x33\x7c\x35\xe8\x63\x2b\x7c\x8b\xe7" "\x64\x23\x56\x57\xf3\x26\x19\xc7\x2f\x9c\x06\x03\xff\xf8\xd0\x24\x13" "\x09\xb4\x64\xaf\xa7\x02\xf5\x36\x66\x3c\x02\xd3\x27\x57\x37\xf3\x34" "\x94\x51\x77\x42\x88\x32\x95\x25\x9a\xb0\x59\x27\x4a\x1c\x8b\x02\x8a" "\xa6\x2d\x52\x25\xa9\x81\x9e\x76\x66\x1c\x41\x91\x93\xc9\x17\x75\xa6" "\x44\x00\x4c\x11\x68\x37\x08\x37\x8c\x0a\x16\x03\xd8\x86\x97\x3d\xde" "\xda\xd5\xab\x25\x54\xaf\x21\x10\x87\xb3\xb1\x43\x9d\xde\x09\x54\x6f" "\x4b\x39\x0b\xf6\xe7\x3f\x3e\x3f\x7b\x01\x55\x12\xf0\xc3\xbc\x8e\xdc" "\xc9\xce\x25\xeb\x75\x4a\x70\x03\x4c\x23\x73\xef\x14\x64\xd6\x80\x2d" "\x38\x0d\x05\x7d\x7b\xab\x8a\x7f\x6b\xb8\x20\x61\xbe\x38\xf9\x8c\x42" "\xa8\x04\x07\x1b\xdd\x59\x90\xaa\x4f\xf0\xa7\x75\xd3\x2a\x40\xeb\x1b" "\x8a\x70\x38\xef\xb6\x98\xcb\x88\x7b\x44\xe6\x09\x1d\x31\x67\x7c\x62" "\xaf\xa7\x78\xd4\xef\x58\x5f\x07\x8f\x6f\x93\x6a\x9f\x8f\xc5\xd7\x5c" "\xf5\x61\x39\x7c\x1e\x36\xef\x92\xf3\x1a\xe9\x30\x3c\x6a\x1e\x3d\x49" "\x7d\x83\x7d\xbc\xeb\xf2\xfe\xb7\x69\x3f\xfb\x43\x48\x75\xbc\xf1\x46" "\x58\x6f\xa8\xcb\x6d\x9c\xb9\xf0\xf1\x9c\x5b\x59\xe9\xd7\xa8\xef\x45" "\x6e\x61\x4e\xca\x54\x60\xf7\x1f\xdb\x82\x2b\x8c\x56\x81\xe6\x1f\x7f" "\x7d\xc4\x40\xa4\x26\x68\x9a\x3f\x7d\xbd\x6c\xcd\xf1\x92\x4c\xc9\x0a" "\x7e\x92\xf8\x16\x47\xa6\x9d\xab\x5f\x89\x53\x7e\x93\x76\x2e\x7c\x66" "\x1d\xc6\xa8\x7c\x49\xe3\x8e\x44\xe8\xbc\x69\xac\x72\xee\xa2\x92\x91" "\xb2\x35\x08\xe9\x64\x34\xdd\x16\x81\xc0\x73\x26\xd2\x81\xb4\x2d\xa1" "\x98\x91\xc0\x7d\xe5\x75\x8c\xa6\xb4\xed\xe7\x78\xf1\x44\x0f\x8f\x38" "\xed\xa2\x95\x2c\xbd\x77\xcb\x8e\x90\xc9\x09\xd1\x94\xb2\x2c\x83\x59" "\x16\xae\xd2\x14\x34\x8f\x53\x4a\x0d\xeb\x2e\x3b\x98\x3c\x39\x40\x14" "\x5b\x86\x56\x16\xc9\x87\x97\xa6\xe3\xc5\xc6\x9d\x01\xb8\xe2\xfc\x6e" "\xf2\xcb\x05\x2b\x82\x45\x7b\xc5\xd1\xe5\xb1\xa8\x8d\x19\xf0\xaa\x9a" "\xa9\x8e\xf3\xf5\x06\x35\x81\xfa\xe5\x5a\x80\x1f\x42\x35\x18\xb8\xb2" "\xe3\x1a\xa5\x11\x84\x50\x7a\x24\xac\x00\xcc\x6b\x8e\x66\x25\x2b\x1f" "\x2c\x1b\x5c\x5e\x78\xbb\x47\x56\xbb\xec\x0a\x26\x19\x36\x32\x5a\x7e" "\x35\xff\x57\xd6\xec\x10\x11\x35\xf5\xb1\x98\xb1\xfb\xa1\xd9\xc6\xd9" "\x51\x52\x89\x01\x02\x5c\xeb\xc4\xee\x8b\xb9\x02\xf7\xe0\xba\x49\x27" "\x8a\x27\xd7\x40\x32\x87\x9a\x5b\x15\xff\x38\x22\xb6\x2d\x8d\x5a\x7b" "\x6f\xbd\x36\xbb\x40\xab\x45\xad\xb5\x99\x1c\x84\x8a\x6e\x4c\xcd\x97" "\x9d\x68\x52\x22\xb3\x12\xea\xa9\x27\x42\xf4\xc7\x5a\xb5\x94\x40\x92" "\xa5\x6d\x75\x17\xbd\xaf\x31\x8b\xa6\xc0\xf7\x33\xd1\xda\xcb\xec\x00" "\xb7\x88\xb3\xc5\xee\xb8\xc3\x81\x3d\xae\xba\xb4\xfe\x73\x4a\x90\x8c" "\x30\xd7\x34\x3c\x65\x99\x1d\x40\x41\xfe\x4b\x5a\x8a\xf5\xd8\x0c\x21" "\xc8\xb1\x58\xf0\x19\xeb\x78\x8b\x9e\x84\x11\xfb\x82\xa6\xa9\xbe\x36" "\x3b\xe2\xd9\xfb\x69\xc0\x4a\xf3\xe5\xc7\xbd\x3e\x65\xe6\x29\x6e\x0c" "\x8c\xab\xd4\x6c\xc4\x8e\xb7\x9e\x67\x98\xee\xb8\xe1\xc6\x8f\x5f\xea" "\x96\xf9\xfc\xbc\x32\x0b\x18\x2a\x70\xfa\x3b\x6d\xe2\x01\x04\xf4\x65" "\xa5\xfa\x03\x92\x36\x98\x48\x54\x4b\x69\x23\x90\x83\x63\xc5\x15\xff" "\x49\xcb\x9f\x7b\xa8\xb8\x79\x1f\xd9\xef\xaf\xef\x6b\x7b\x40\x0f\x9f" "\xf1\x22\x59\x21\x12\xda\x62\x6b\xe8\x69\x8e\xa8\x35\x5c\x8b\x11\xa1" "\x6a\x9d\x1f\xa8\x81\xeb\xab\x5b\xbb\x92\x6c\x38\x5e\x27\x3c\xb0\xd5" "\x2a\xbf\x7e\xc2\x8e\x0d\x72\xd0\x6d\xef\x3d\xdb\x59\xff\xa9\xf5\xa3" "\x33\xe1\xfd\xd8\xf1\xaa\xd1\xbe\xef\x2e\x77\xd5\x8c\x68\x19\xaa\x00" "\xc0\x55\xb0\x52\x84\x19\x90\xb8\x8c\x7d\x7b\x9a\xd1\x5d\xa5\x61\x4a" "\xd3\xce\xc4\xc5\x2b\xd3\x15\xe4\x3d\x7a\x71\x79\x79\xeb\xa8\xc9\xeb" "\xcd\x8d\xfa\x46\x3c\x9c\x43\x27\x14\x46\x80\x3e\x45\xde\x32\x50\x2c" "\x85\xa3\x25\xde\x57\xb8\xf3\x79\x01\x62\xb1\x3d\x8c\x41\x83\x96\x59" "\x9d\x71\x78\xa5\x62\x49\x12\xad\x59\xe6\x9e\xff\x22\x5f\xc2\x15\xe4" "\xec\x28\xf7\x10\xbe\x91\x25\x73\xc2\x27\x1d\xcb\xd8\x4f\x36\x7c\x32" "\x8a\x62\xf1\xd6\xad\x85\xb9\x69\x1d\xea\x4e\x1c\x79\x14\x9f\xc0\x05" "\xdc\xd9\x8e\x39\x85\xbc\x3f\xde\x69\x14\x43\x24\x5b\x2b\x8f\xa5\xb8" "\xef\x1a\xf0\xbc\x29\x2e\x3a\x29\x8c\x09\x2b\x80\x6b\x17\xce\x78\xc3" "\x1f\x73\x0f\x7e\x7c\xa5\x31\xea\xac\x25\x28\xdd\x06\x73\xc2\x82\xd9" "\xda\x32\xa0\xb8\x80\x1d\x11\x39\x99\x5b\xf8\x5c\x7d\x26\xf8\xf2\xd3" "\x76\x15\x59\x2f\x45\xb2\x89\x0e\xd1\x05\x73\x09\x06\x19\x4d\x55\x43" "\x2f\x45\x6c\x67\x0d\x40\x15\xfb\xa7\x22\xaa\xa3\x03\xbc\xb3\xa1\xdb" "\x28\x01\x44\x02\x6d\x48\x88\xac\x14\x9d\x8e\xda\x2a\x2a\x2d\x68\x32" "\x1a\xa5\x84\x50\xa8\x40\xb5\x00\xea\x5d\x9a\xd7\x84\xe7\xf3\x9e\xfc" "\xd9\xb5\xdb\xe2\x32\x72\xc9\x14\xf4\x08\xe7\x29\xb9\xa6\x0e\x2a\x2f" "\x50\x3a\x7a\x5d\x52\x50\x85\x1e\x1e\xb2\xa8\x9b\xc7\xed\xb9\x04\xd9" "\x06\x1b\x25\x80\xb2\x35\xfa\x2f\x1b\x6f\xd4\xf0\xae\x79\x42\x7e\xb6" "\xfc\xdf\xc2\xf0\xf7\xd5\x4e\x3f\xc8\xee\x0c\x5a\x8f\x98\x67\x34\x53" "\x88\x70\x68\x13\x6a\x11\xba\xeb\x59\xbc\xab\xd8\xc8\xb4\x18\xc3\xc8" "\xe0\x37\xcc\x8e\xa4\x9a\x6b\xc9\xdb\xe6\x40\x19\x6e\xe0\x95\x7e\x56" "\x90\x32\xd6\xac\xa9\xdb\x15\xb0\xe1\x0f\xf4\xb5\x69\x41\xa1\x58\x2f" "\x45\x74\x0b\x18\x19\xa2\x4d\x14\x1f\xb2\x2b\xe0\xc1\xe7\x89\xb6\x7e" "\xb5\x0e\x64\x34\xf9\x7c\xf0\x10\xb8\x35\x00\x44\xdc\xe3\xdf\x54\x93" "\x70\xb3\x9c\x2d\x6b\xe3\xe2\x38\x9d\xd7\x9a\xb7\xb0\x42\x4b\x0b\xdd" "\x5d\x3c\xb4\x51\x7d\xc8\x00\xbc\xe0\x84\x32\x49\xa5\xb8\xcc\xb3\x9c" "\xc5\x52\xbe\x3e\x3c\x92\x19\x93\xe0\x43\x19\x2f\x97\x60\xff\xf3\x5b" "\x94\xc1\x08\x3f\xf7\x02\xf0\xee\xf4\xfb\x74\x7f\x95\xb1\xed\xba\x1a" "\xd1\xe6\xe3\xd4\xff\xfb\xf9\xf7\xc1\x37\x82\x95\x39\xfd\xb8\x6f\xd3" "\xe6\x40\x2b\xb5\xfd\xa9\xb6\x6a\xae\x19\x91\xf3\x80\x25\x2e\xbf\x9e" "\xcb\x62\xfa\xd0\xb9\xcb\xd0\x38\x63\xaf\x73\x99\x21\x4f\x86\x6f\x47" "\xb4\x52\xd4\xb5\xd1\xe2\x61\x34\x8f\x35\x17\x87\x1b\xdb\x00\x2f\x3c" "\x09\xb2\xa6\x63\xc6\xe1\xf8\xba\x7b\xa9\xc4\x4a\x05\x64\x0d\x62\x85" "\xc4\xb1\x76\xe0\x12\x1f\x6e\x58\x56\x58\x1f\xa9\x1a\x6e\xf8\x05\x0d" "\xc3\x6e\xb0\x2f\xdf\x34\xb1\xa7\x3f\x72\xe3\xb0\x8d\x70\x95\x3f\x26" "\xfd\x5a\x2f\x58\x42\xe2\xe6\x47\x53\x72\x66\xab\x98\x1d\x64\x6b\x47" "\xe1\x71\xf0\x59\x0c\x20\x35\x3d\x26\x80\x47\x8a\xed\x3d\xa5\x5b\xa9" "\x29\xa6\x16\x13\x26\x1a\x54\x8f\x9b\x89\xd9\xdf\x83\xf6\x3b\xe7\x95" "\xcc\x89\x9b\x20\x5f\x99\xe0\x92\xf2\x51\x02\x57\x66\x65\x0c\x68\x0e" "\x36\xa8\x87\x66\x96\xaa\xba\x7c\x52\x3b\xcb\x5a\xe1\x4d\x5c\x85\xb6" "\xdd\x83\x61\xf5\x14\x09\xe3\x05\x98\x5f\xec\x7f\xa4\xd8\x3a\x5c\xc9" "\x6f\x83\xb0\x76\x78\x9b\x94\xd8\x0b\x16\x01\x64\xd3\x07\xa9\xa3\x60" "\x21\x7f\xbc\xdc\x29\x8a\xae\x92\xa7\x7f\x03\x1f\x0b\x70\xee\x39\x78" "\x18\xd3\x9f\x72\x53\x3a\x27\x4c\x1a\x84\xa1\x2c\x6f\xaf\xa2\xaa\xe4" "\x48\x0c\x0f\x6f\xde\x2b\x7c\x64\x0f\x90\xaf\x46\xb4\xad\x0d\x37\xec" "\x79\x18\x2b\xd8\xda\x25\x86\xbc\xde\x71\x9b\x6b\xce\xb3\xc5\xe6\x40" "\xbc\xdc\x9b\x94\x2b\xb2\x28\x4d\x5e\x5c\xa1\x47\x0f\x36\xa9\xb6\xb4" "\xfa\x3d\x60\xa5\xbb\x44\xeb\x68\x4e\xdd\x8a\x5a\xb6\x60\x48\x67\x3c" "\x7d\x1f\xae\x4e\x85\x71\x84\xfc\x76\x2e\x4b\x9f\x72\x07\xa8\x10\xcf" "\xce\x4c\x5d\x8a\x7e\xa1\xfa\x98\x83\x83\xc1\x52\xc3\xc0\xf2\x49\xad" "\x4d\x79\x6f\x9a\x8d\x79\x0c\x36\x8f\x33\x11\xe0\x8a\x43\x4c\x78\x72" "\x98\xc6\x6e\x24\x60\x29\x0c\x9f\xed\x61\x9c\x95\xfb\xd3\x98\xc1\xbd" "\x98\x66\x8f\x0e\x0b\xb5\xbc\xfc\x2b\xe0\x84\x20\x90\x08\x62\x25\x0e" "\xdf\x23\xd5\x32\x82\xfb\x0b\x03\x09\xdd\x08\x8f\xdc\x62\xb8\x2c\xdf" "\x6a\x1b\xc8\x64\x0e\x6c\xf3\x70\x2b\x59\x86\x55\xe0\xd7\xcd\x20\xd3" "\x1f\xf1\x93\xe0\x22\x42\x83\x82\x30\x6a\xfe\x94\x3a\x19\x19\xeb\x29" "\x51\x49\x4c\x3c\xdb\x54\x22\x52\xe5\x2d\xde\x42\x0f\xd6\xae\xe6\x05" "\xa4\x84\x33\x91\x86\x6d\x50\xfd\x19\xad\x6f\x31\xaa\x48\x13\xc2\xbc" "\x03\x6f\x93\xdb\x8e\x54\x6b\x6f\x79\x31\x35\x82\xd5\x1a\xd5\x22\x33" "\xf5\x08\xe3\x57\xa7\x53\x7f\x03\x2f\xfa\xd9\x35\x9d\x22\x4b\xcf\x15" "\xc8\x2a\x45\xac\x47\x78\xe2\x2c\xa7\x5a\x9b\x8d\xa3\xf0\x62\x5e\xb4" "\xb5\x79\xd4\x0b\x5c\x0c\x6e\x2b\x74\xab\x24\x37\x30\x20\x71\x04\x23" "\xd2\xd5\x6f\x7c\xd7\x45\xe1\xbf\xad\x5e\x50\xfc\xdb\xd0\x3f\xe8\xad" "\xb6\xea\x2c\x55\xa1\x2f\xc4\x80\x1a\x3c\x98\xa4\x2c\x9c\x43\x1c\x67" "\x38\x77\x17\x6f\x85\x07\x06\xbe\xf9\x2f\x9e\x1f\x85\xb3\x33\x5e\x0d" "\x79\x84\xb7\x0b\xa3\x0f\x95\x7a\xbd\xb1\x43\x60\x1d\x26\xba\xc3\x03" "\x79\x1e\xb2\xd3\x49\x01\x13\x2d\x86\x16\xa2\x59\x94\xdc\x17\x02\x4a" "\x54\xfa\xfb\xfe\x59\x78\xb0\x27\x7b\xee\x91\xd9\x9f\xae\x79\xfb\x88" "\x9f\x91\x21\x0b\xb8\xcf\xff\xc2\x61\x38\x42\x0a\xe5\x41\x7e\x43\x38" "\x2d\x4e\x7c\x2b\x8a\xa1\xa5\x25\x72\x02\xe2\x15\x53\x4b\x12\xe8\x0c" "\x13\x1c\xc3\x07\xd7\xf2\x1c\x81\xe1\xc0\x99\xac\x53\x3b\x07\x26\x62" "\xb5\x06\x38\xe7\x53\x88\xed\x1b\xa0\x95\xd5\x46\x76\xac\x0a\x72\xf7" "\x4a\x86\x87\x73\xbd\x23\xdf\x0f\x8f\x8a\x89\x88\x6c\xb5\xed\xc1\x0d" "\x20\xf9\x14\xce\x1b\x5f\x4d\xd3\xf3\x55\x95\x04\xfe\x33\xe3\x33", 4096)); NONFAILING(*(uint64_t*)0x20003348 = 0x1000); NONFAILING(*(uint64_t*)0x20003350 = 0); NONFAILING(*(uint64_t*)0x20003358 = 0); syscall(__NR_vmsplice, r[1], 0x20003300, 6, 8); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); install_segv_handler(); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; }