// https://syzkaller.appspot.com/bug?id=b03a16598fa4c4c3966ba68a75e3c3c98af1a0b8 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_ADDR_SMRAM 0x30000 #define X86_ADDR_EXIT 0x40000 #define X86_ADDR_UEXIT (X86_ADDR_EXIT + 256) #define X86_ADDR_DIRTY_PAGES 0x41000 #define X86_ADDR_USER_CODE 0x50000 #define X86_ADDR_EXECUTOR_CODE 0x54000 #define X86_ADDR_SCRATCH_CODE 0x58000 #define X86_ADDR_UNUSED 0x200000 #define X86_ADDR_IOAPIC 0xfec00000 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define 
X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define 
X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_MEM_SIZE (1024 * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h, l) \ (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) #define ARM64_ADDR_GICD_BASE 0x08000000 #define ARM64_ADDR_GITS_BASE 0x08080000 #define ARM64_ADDR_GICR_BASE 0x080a0000 #define ARM64_ADDR_ITS_TABLES 0xc0000000 #define ARM64_ADDR_EXIT 0xdddd0000 #define ARM64_ADDR_UEXIT (ARM64_ADDR_EXIT + 256) #define ARM64_ADDR_DIRTY_PAGES 0xdddd1000 #define ARM64_ADDR_USER_CODE 0xeeee0000 #define ARM64_ADDR_EXECUTOR_CODE 0xeeee8000 #define ARM64_ADDR_SCRATCH_CODE 0xeeef0000 #define ARM64_ADDR_EL1_STACK_BOTTOM 0xffff1000 #define ITS_MAX_DEVICES 16 #define ARM64_ADDR_ITS_DEVICE_TABLE (ARM64_ADDR_ITS_TABLES) #define ARM64_ADDR_ITS_COLL_TABLE (ARM64_ADDR_ITS_DEVICE_TABLE + SZ_64K) #define ARM64_ADDR_ITS_CMDQ_BASE (ARM64_ADDR_ITS_COLL_TABLE + SZ_64K) #define ARM64_ADDR_ITS_ITT_TABLES (ARM64_ADDR_ITS_CMDQ_BASE + SZ_64K) #define ARM64_ADDR_ITS_PROP_TABLE \ (ARM64_ADDR_ITS_ITT_TABLES + SZ_64K * ITS_MAX_DEVICES) #define ARM64_ADDR_ITS_PEND_TABLES 
(ARM64_ADDR_ITS_PROP_TABLE + SZ_64K)
// ---------------------------------------------------------------------------
// Guest-side ("SyzOS") code. Everything tagged GUEST_CODE is emitted into the
// "guest" ELF section; the host side of this file copies the bytes between
// __start_guest and __stop_guest into guest memory and points the vCPU's rip
// at guest_main (see install_syzos_code / reset_cpu_regs further down).
// ---------------------------------------------------------------------------
#define GUEST_CODE __attribute__((section("guest")))
#define noinline __attribute__((noinline))
// Start/stop symbols that the GNU linker synthesises for the "guest" section.
extern char *__start_guest, *__stop_guest;

// Command stream interpreted by guest_main. Each command begins with an
// api_call_header whose `size` is the total byte length, header included.
typedef enum {
  SYZOS_API_UEXIT,
  SYZOS_API_CODE,
  SYZOS_API_CPUID,
  SYZOS_API_STOP, // sentinel: any `call` >= this value stops the interpreter
} syzos_api_id;

struct api_call_header {
  uint64_t call; // one of syzos_api_id
  uint64_t size; // total length of this command in bytes (header + payload)
};

struct api_call_uexit {
  struct api_call_header header;
  uint64_t exit_code; // value written to X86_ADDR_UEXIT
};

struct api_call_code {
  struct api_call_header header;
  uint8_t insns[]; // raw machine code, executed in place
};

struct api_call_cpuid {
  struct api_call_header header;
  uint32_t eax; // CPUID leaf
  uint32_t ecx; // CPUID sub-leaf
};

static void guest_uexit(uint64_t exit_code);
static void guest_execute_code(uint8_t* insns, uint64_t size);
static void guest_cpuid(uint32_t eax, uint32_t ecx);

// Exit codes the guest reports through guest_uexit. The enumerators exceed
// the range of int; GCC widens the enumeration type for this.
typedef enum {
  UEXIT_END = (uint64_t)-1,    // command stream fully consumed
  UEXIT_IRQ = (uint64_t)-2,
  UEXIT_ASSERT = (uint64_t)-3,
} uexit_code;

// Guest entry point. `size` and `cpu` arrive in rdi/rsi (set by
// reset_cpu_regs): `size` is the number of command bytes installed for this
// vCPU and `cpu` is its id. Commands are read from this vCPU's page of the
// user-code region and dispatched in order; when the stream is exhausted the
// guest reports UEXIT_END.
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
  // Each vCPU gets its own page: install_user_code copies the text to
  // user_text_slot + KVM_PAGE_SIZE * cpu_id, which is mapped at X86_ADDR_USER_CODE.
  uint64_t addr = X86_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;
  while (size >= sizeof(struct api_call_header)) {
    struct api_call_header* cmd = (struct api_call_header*)addr;
    // NOTE(review): both early returns below leave guest_main with no caller
    // frame to return into and, unlike the normal path, do not report
    // UEXIT_END to the host.
    if (cmd->call >= SYZOS_API_STOP)
      return;
    if (cmd->size > size)
      return;
    // NOTE(review): cmd->size is only bounded from above. A command with
    // size == 0 never advances addr/size, so this loop spins; a size smaller
    // than sizeof(struct api_call_header) makes the SYZOS_API_CODE length
    // below wrap around.
    switch (cmd->call) {
    case SYZOS_API_UEXIT: {
      struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
      guest_uexit(ucmd->exit_code);
      break;
    }
    case SYZOS_API_CODE: {
      struct api_call_code* ccmd = (struct api_call_code*)cmd;
      // Payload length = everything after the header.
      guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
      break;
    }
    case SYZOS_API_CPUID: {
      struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
      guest_cpuid(ccmd->eax, ccmd->ecx);
      // last case: simply falls out of the switch
    }
    }
    addr += cmd->size;
    size -= cmd->size;
  }; // the trailing ';' is an empty statement, kept as in the original
  // Stream consumed: signal UEXIT_END ((uint64_t)-1) to the host.
  guest_uexit((uint64_t)-1);
}

// Jumps into `insns` as if it were a function returning void. `size` is
// accepted for interface symmetry but not used; the caller is responsible
// for the bytes being valid code. The volatile qualifier on the function
// type is what the original wrote; it does not affect the call itself.
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
  volatile void (*fn)() = (volatile void (*)())insns;
  fn();
}

// Reports `exit_code` to the host by storing it at X86_ADDR_UEXIT.
// NOTE(review): setup_vm backs GPA 0x0-0x9fff and 0x30000-0x39fff but not
// 0x40000 (X86_ADDR_EXIT), so this store presumably surfaces to the host as
// an MMIO exit rather than landing in RAM -- confirm against setup_vm.
GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
  volatile uint64_t* ptr = (volatile uint64_t*)X86_ADDR_UEXIT;
  *ptr = exit_code;
}

// Executes CPUID for leaf `eax` / sub-leaf `ecx`; the results are discarded.
// NOTE(review): cpuid also overwrites eax and ecx, but the asm declares them
// as inputs only (rbx/rdx are the sole clobbers). The compiler may therefore
// assume eax/ecx survive the asm; `"+a"(eax), "+c"(ecx)` would be the
// conservative constraint.
GUEST_CODE static noinline void guest_cpuid(uint32_t eax, uint32_t ecx)
{
  asm volatile("cpuid\n"
               :
               : "a"(eax), "c"(ecx)
               : "rbx", "rdx");
}

// Guest-physical layout and architectural constants (this block repeats the
// definitions from the top of the file; identical redefinitions are legal).
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define X86_ADDR_STACK0 0x0f80
#define X86_ADDR_VAR_HLT 0x2800
#define X86_ADDR_VAR_SYSRET 0x2808
#define X86_ADDR_VAR_SYSEXIT 0x2810
#define X86_ADDR_VAR_IDT 0x3800
#define X86_ADDR_VAR_TSS64 0x3a00
#define X86_ADDR_VAR_TSS64_CPL3 0x3c00
#define X86_ADDR_VAR_TSS16 0x3d00
#define X86_ADDR_VAR_TSS16_2 0x3e00
#define X86_ADDR_VAR_TSS16_CPL3 0x3f00
#define X86_ADDR_VAR_TSS32 0x4800
#define X86_ADDR_VAR_TSS32_2 0x4a00
#define X86_ADDR_VAR_TSS32_CPL3 0x4c00
#define X86_ADDR_VAR_TSS32_VM86 0x4e00
#define X86_ADDR_VAR_VMXON_PTR 0x5f00
#define X86_ADDR_VAR_VMCS_PTR 0x5f08
#define X86_ADDR_VAR_VMEXIT_PTR 0x5f10
#define X86_ADDR_VAR_VMWRITE_FLD 0x5f18
#define X86_ADDR_VAR_VMWRITE_VAL 0x5f20
#define X86_ADDR_VAR_VMXON 0x6000
#define X86_ADDR_VAR_VMCS 0x7000
#define X86_ADDR_VAR_VMEXIT_CODE 0x9000
#define X86_ADDR_VAR_USER_CODE 0x9100
#define X86_ADDR_VAR_USER_CODE2 0x9120
#define X86_ADDR_SMRAM 0x30000
#define X86_ADDR_EXIT 0x40000
#define X86_ADDR_UEXIT (X86_ADDR_EXIT + 256)
#define X86_ADDR_DIRTY_PAGES 0x41000
#define X86_ADDR_USER_CODE 0x50000
#define X86_ADDR_EXECUTOR_CODE 0x54000
#define X86_ADDR_SCRATCH_CODE 0x58000
#define X86_ADDR_UNUSED 0x200000
#define X86_ADDR_IOAPIC 0xfec00000
#define X86_CR0_PE 1ULL
#define X86_CR0_MP (1ULL << 1)
#define X86_CR0_EM (1ULL << 2)
#define X86_CR0_TS (1ULL << 3)
#define X86_CR0_ET (1ULL << 4)
#define X86_CR0_NE (1ULL << 5)
#define X86_CR0_WP (1ULL << 16)
#define X86_CR0_AM (1ULL << 18)
#define X86_CR0_NW (1ULL << 29)
#define X86_CR0_CD (1ULL << 30)
#define X86_CR0_PG (1ULL << 31)
#define X86_CR4_VME 1ULL
#define X86_CR4_PVI (1ULL << 1)
#define X86_CR4_TSD (1ULL << 2)
#define X86_CR4_DE (1ULL << 3)
#define X86_CR4_PSE (1ULL << 4)
#define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define 
X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_MEM_SIZE (1024 * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h, l) \ (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) #define ARM64_ADDR_GICD_BASE 0x08000000 #define ARM64_ADDR_GITS_BASE 0x08080000 #define ARM64_ADDR_GICR_BASE 0x080a0000 #define ARM64_ADDR_ITS_TABLES 0xc0000000 #define ARM64_ADDR_EXIT 0xdddd0000 #define ARM64_ADDR_UEXIT (ARM64_ADDR_EXIT + 256) #define ARM64_ADDR_DIRTY_PAGES 0xdddd1000 #define ARM64_ADDR_USER_CODE 0xeeee0000 #define ARM64_ADDR_EXECUTOR_CODE 0xeeee8000 #define ARM64_ADDR_SCRATCH_CODE 0xeeef0000 #define ARM64_ADDR_EL1_STACK_BOTTOM 0xffff1000 #define ITS_MAX_DEVICES 16 #define ARM64_ADDR_ITS_DEVICE_TABLE (ARM64_ADDR_ITS_TABLES) #define ARM64_ADDR_ITS_COLL_TABLE (ARM64_ADDR_ITS_DEVICE_TABLE + SZ_64K) #define ARM64_ADDR_ITS_CMDQ_BASE (ARM64_ADDR_ITS_COLL_TABLE + SZ_64K) #define ARM64_ADDR_ITS_ITT_TABLES (ARM64_ADDR_ITS_CMDQ_BASE + SZ_64K) #define ARM64_ADDR_ITS_PROP_TABLE \ (ARM64_ADDR_ITS_ITT_TABLES + SZ_64K * ITS_MAX_DEVICES) #define ARM64_ADDR_ITS_PEND_TABLES (ARM64_ADDR_ITS_PROP_TABLE + SZ_64K) const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b" "\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba" 
"\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00" "\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8" "\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f" "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22" "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89" "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3" "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48" "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2" "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83" "\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83" "\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c" "\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff" "\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02" "\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00" "\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08" 
"\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00" "\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00" "\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00" "\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48" "\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00" "\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" 
"\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2" "\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48" "\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7" "\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0" "\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04" "\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48" "\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00" "\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00" "\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7" 
"\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0" "\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff" "\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20" "\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28" "\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7" "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00" "\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f" "\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00" "\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01" "\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f" "\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00" "\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = 
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e" "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24" "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08" "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; #define PAGE_MASK GENMASK_ULL(51, 12) static void setup_pg_table(void* host_mem) { uint64_t* pml4 = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PML4); uint64_t* pdp = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PDP); uint64_t* pd = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PD); uint64_t* pd_ioapic = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PD_IOAPIC); pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | (X86_ADDR_PDP & PAGE_MASK); pdp[0] = X86_PDE64_PRESENT | X86_PDE64_RW | (X86_ADDR_PD & PAGE_MASK); pdp[3] = X86_PDE64_PRESENT | X86_PDE64_RW | (X86_ADDR_PD_IOAPIC & PAGE_MASK); pd[0] = 
X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_PS; pd_ioapic[502] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_PS; } static void setup_gdt_ldt_pg(int cpufd, void* host_mem) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)((uint64_t)host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; memset(&seg_ldt, 0, sizeof(seg_ldt)); seg_ldt.selector = X86_SEL_LDT; seg_ldt.type = 2; seg_ldt.base = X86_ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)((uint64_t)host_mem + sregs.ldt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SEL_CS64; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SEL_DS64; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; struct kvm_segment seg_tss64; memset(&seg_tss64, 0, sizeof(seg_tss64)); seg_tss64.selector = X86_SEL_TSS64; seg_tss64.base = X86_ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; seg_tss64.type = 9; seg_tss64.present = 1; struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = X86_ADDR_STACK0; tss64.rsp[1] = X86_ADDR_STACK0; tss64.rsp[2] = X86_ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)((uint64_t)host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs64); fill_segment_descriptor(gdt, ldt, &seg_ds64); fill_segment_descriptor_dword(gdt, ldt, 
&seg_tss64); setup_pg_table(host_mem); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= 2; regs.rip = X86_ADDR_EXECUTOR_CODE + ((uint64_t)guest_main - (uint64_t)&__start_guest); regs.rsp = X86_ADDR_STACK0; regs.rdi = text_size; regs.rsi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(int cpufd, void* user_text_slot, int cpu_id, const void* text, size_t text_size, void* host_mem) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (!user_text_slot) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)user_text_slot + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(cpufd, host_mem); setup_cpuid(cpufd); reset_cpu_regs(cpufd, cpu_id, text_size); } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; 
memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, void* host_mem, void** text_slot) { struct addr_size allocator = {.addr = host_mem, .size = KVM_GUEST_MEM_SIZE}; int slot = 0; struct addr_size next = alloc_guest_mem(&allocator, 10 * KVM_PAGE_SIZE); vm_set_user_memory_region(vmfd, slot++, 0, 0, next.size, (uintptr_t)next.addr); next = alloc_guest_mem(&allocator, 10 * KVM_PAGE_SIZE); vm_set_user_memory_region(vmfd, slot++, 0, X86_ADDR_SMRAM, next.size, (uintptr_t)next.addr); next = alloc_guest_mem(&allocator, 2 * KVM_PAGE_SIZE); vm_set_user_memory_region(vmfd, slot++, KVM_MEM_LOG_DIRTY_PAGES, X86_ADDR_DIRTY_PAGES, next.size, (uintptr_t)next.addr); next = alloc_guest_mem(&allocator, KVM_MAX_VCPU * KVM_PAGE_SIZE); vm_set_user_memory_region(vmfd, slot++, KVM_MEM_READONLY, X86_ADDR_USER_CODE, next.size, (uintptr_t)next.addr); if (text_slot) *text_slot = next.addr; struct addr_size host_text = alloc_guest_mem(&allocator, 4 * KVM_PAGE_SIZE); install_syzos_code(host_text.addr, host_text.size); vm_set_user_memory_region(vmfd, slot++, KVM_MEM_READONLY, X86_ADDR_EXECUTOR_CODE, host_text.size, (uintptr_t)host_text.addr); next = alloc_guest_mem(&allocator, KVM_PAGE_SIZE); vm_set_user_memory_region(vmfd, slot++, 0, X86_ADDR_SCRATCH_CODE, next.size, (uintptr_t)next.addr); next = alloc_guest_mem(&allocator, KVM_PAGE_SIZE); vm_set_user_memory_region(vmfd, slot++, 0, X86_ADDR_IOAPIC, next.size, (uintptr_t)next.addr); next = alloc_guest_mem(&allocator, allocator.size); vm_set_user_memory_region(vmfd, slot++, 0, X86_ADDR_UNUSED, next.size, (uintptr_t)next.addr); } struct kvm_syz_vm { int vmfd; int next_cpu_id; void* user_text; void* host_mem; 
}; static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; void* user_text_slot = NULL; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); setup_vm(vmfd, host_mem, &user_text_slot); ret->vmfd = vmfd; ret->next_cpu_id = 0; ret->user_text = user_text_slot; ret->host_mem = host_mem; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(cpufd, vm->user_text, cpu_id, text, text_size, vm->host_mem); return cpufd; } uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } memcpy((void*)0x200000000440, "/dev/kvm\000", 9); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000440ul, /*flags=O_TRUNC|O_NOATIME|O_RDWR*/ 0x40202, /*mode=*/0); if (res != -1) r[0] = res; res = 
syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul); if (res != -1) r[1] = res; syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae60, 0); res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[1], /*usermem=*/0x200000bfe000); if (res != -1) r[2] = res; *(uint64_t*)0x200000000a40 = 0; *(uint64_t*)0x200000000a48 = 0; *(uint64_t*)0x200000000a50 = 0; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[2], /*text=*/0x200000000a40); if (res != -1) r[3] = res; *(uint32_t*)0x200000000000 = 4; syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x4004ae99, /*arg=*/0x200000000000ul); *(uint16_t*)0x200000000a80 = 3; *(uint16_t*)0x200000000a82 = 0; *(uint32_t*)0x200000000a84 = 0xffffff67; *(uint64_t*)0x200000000a88 = 0x4000; *(uint64_t*)0x200000000a90 = 2; *(uint16_t*)0x200000000a98 = 0; memcpy( (void*)0x200000000b00, "\x3c\xde\x08\xe8\x8a\x84\x0d\x98\x8c\x44\x3a\x7e\x61\x17\x18\xc0\x15\x70" "\x4b\x99\x7f\x91\x01\x6e\xb5\x77\x88\x95\x61\xae\x48\x45\xa8\xd3\x63\x56" "\x23\xe8\x8e\xdd\x16\x70\x36\xb1\x97\xda\x64\x20\x27\x17\x70\xb6\xa9\x4a" "\xf0\x9a\x82\x09\x96\x42\x19\x10\x2f\x40\xc4\xb7\x61\xba\x61\x9a\x47\x2e" "\x29\xc2\x82\x3f\xfa\xb2\xa0\x71\x8c\xd7\xcd\x32\x8e\x76\xcc\x4b\x3d\xf1" "\x0f\x25\xb1\xb5\xa9\xf2\x11\x9d\xdc\x06\x0f\x7b\x69\x13\xb6\x90\x8f\x71" "\xcb\xfb\x34\x6a\x17\xef\x3c\xc7\xad\x28\xfb\xaa\x85\x63\x68\x22\x08\x58" "\x43\x91\x7d\x8a\x57\xa5\xf4\xb2\xb7\x2c\x44\x94\x8a\x51\xa4\x25\x35\x5e" "\x7d\x93\xa2\xcb\x78\x4e\xf8\xd3\xab\xc1\xb1\x5c\xcd\x6f\xf3\x46\x93\x51" "\xc6\x93\xe1\xc0\x6d\x14\x83\xd6\x8f\xa1\xce\x4a\x13\x0f\x99\x25\xf7\xf7" "\xbb\x2e\x64\x8c\x7b\x4f\x18\x88\xc3\x56\x19\x65\x5a\x0f\x13\xbf\xf6\x8b" "\xe6\x78\xc4\x73\x1f\xbf\x74\xfe\x15\x15\xc0\x2c\x6c\x73\x15\x45\xa7\x41" "\x3b\x13\xdc\x60\x87\x3b\x72\xcd\x1d\x21\x1c\x26\xbe\xbd\xc9\x00\xe7\x22" "\xe0\xfb\xa2\xeb\x6d\xbc\x6e\x5e\x4c\x7c\x43\x26\xd9\x51\x5a\xbc\x61\x91" "\x36\xcd\xf1\x5c\x63\xec\xd5\xce\x8f\xef\x33\x0d\x9c\x1d\xb5\xf3\xc9\x38" "\x1c\x63\xac\x85\x39\xab\x50\x68\xdd\x4a\x24\xad\xd9\x21\x3f\x33\xaa\x5d" 
"\x6a\xd4\xe2\x4e\x1a\x7a\xc0\xe2\x3f\xb0\x25\x1c\xdb\x25\x94\x5e\x7a\xae" "\x0b\xfa\x47\x30\x70\xd8\x2d\xc3\xca\x3f\x74\xdf\x0c\x0b\x72\xe7\x6f\xb0" "\xe5\x10\x89\x50\x28\x02\x31\xf0\xca\x7f\x67\x99\x24\x26\xa4\xf4\x29\x6e" "\x3c\xae\x0a\xf5\x03\xad\x07\x21\x09\x9b\x11\x4d\x24\xe6\xb4\xe4\x8e\x1b" "\xa3\xc6\xcf\x0c\xcc\x29\xc9\x3e\x94\xf9\xeb\x75\x37\x33\x5c\xcf\xe3\x4c" "\x5b\xe4\x47\xa5\x43\x39\xfc\xb2\x6d\x65\x14\xf3\xc9\x17\x36\x54\x38\xe1" "\x71\x6c\xcb\xb7\xcf\xee\x1c\xbb\x51\x26\xf0\x78\xd3\xa8\x09\xd8\x77\x03" "\x0e\xaa\x4f\x8e\x5a\x24\x26\x30\x04\x35\x8a\xf5\x9f\xb6\xad\xf1\x26\x30" "\xa3\x0b\x7e\x56\x4a\xf9\x9b\x4b\x32\xbf\xb0\x46\x6b\x21\xea\x5b\x4a\xa7" "\xe6\x1f\x04\xa1\x29\xef\x99\xf0\x8e\xb2\xe8\xb9\x28\xe2\xaf\x2f\x16\x44" "\x51\x8c\x46\xfe\xdd\xee\x25\x0a\xe1\x44\x1a\xc7\xa6\x80\xdb\xde\x8c\x12" "\xff\x31\x3f\x43\x43\x24\xcd\x96\x61\xa2\x61\xf6\x26\xd7\x1f\x0c\x31\x14" "\x1a\x5a\x73\x86\x36\xfb\x8e\x43\xe3\xa5\xf1\xba\x5a\xc9\x92\x2e\x7a\x67" "\x3b\x73\xff\xbe\x7e\xb1\x41\xc2\x2f\xe4\xd4\x5f\x94\xdb\x3f\xf0\x5a\x44" "\x27\x73\x79\x6b\x8d\x95\x55\x0b\x4a\xd6\x08\x87\x98\x3d\xf5\x06\xd0\x44" "\xa3\x01\x2f\xbb\x82\xef\x40\x73\x12\xa3\xc4\x05\x88\xd6\xcd\x50\xdc\x78" "\x7f\x93\x46\xd2\x4b\x21\x8a\x32\x65\x36\x8f\x8a\x78\x20\x1d\x18\x96\xbe" "\xb1\xc7\x5d\x4b\xce\x9b\x3b\x64\x22\x69\x24\xfa\x6d\xa4\x77\x2c\x0f\x2e" "\x78\x37\x06\xc8\xf3\x45\x73\x64\xc5\x20\xe2\x1e\x0b\x5d\xe6\xa3\x77\xb5" "\x53\x44\x93\x2c\x5c\x31\xba\x15\x6f\x72\x12\xf7\x4f\x0f\x5e\xc5\x10\x73" "\x3f\x19\xfe\xf2\xbf\xac\xc5\x6a\x51\x6d\x68\x17\xb0\x04\x8e\x4b\x21\xcc" "\x97\x51\xf2\xa1\xac\x90\x6e\x30\xa8\x7e\x56\x99\x54\x1a\x3b\x55\xe8\x03" "\x8b\x18\x75\x9a\x82\x1d\xc1\xe8\x9b\xf2\x7b\x42\x27\x9a\x1a\x51\x6c\x56" "\xe4\x38\xce\x80\x12\x8d\xd1\xb3\x0d\x51\xdb\xc1\x30\x7b\x41\xa0\x8c\x01" "\x4b\x86\x6f\x93\x48\x00\x4c\xae\x53\x02\x12\x97\x0b\x2b\x4b\xa6\x6c\x06" "\xd5\x0a\xf7\x08\xb8\x8b\x93\x67\x40\xc9\x2f\x17\xa2\x97\x5b\x49\x4c\x53" 
"\x2c\x84\xe5\xab\xf3\xf0\x9f\x11\x94\xc1\xdc\xf4\xf4\x27\x89\x07\x97\x8c" "\x20\xb4\xeb\xa9\xfb\x42\xd0\x49\x0b\x28\x68\xda\x9c\xac\xe8\xbe\x56\x0e" "\x7e\x92\xf0\xff\xca\x18\x24\xd9\xc1\x55\x81\x26\x6f\xbb\xd7\x59\x4f\x5f" "\xaf\xce\x43\x3c\x88\x3a\x97\xf9\x08\x6b\x51\xf1\x18\x43\x9a\x74\x9e\x7d" "\x42\x43\x11\xc0\x23\x4c\xe1\x40\xac\x0a\x74\xfa\xc5\xa5\x01\x2a\xc2\x3b" "\x0c\x4b\xd6\xcc\x10\x8a\xf9\x25\x73\xe5\xee\xc6\xc8\xc5\x58\x6a\x7d\x81" "\x04\x6b\x8d\x41\xb6\x91\x59\x6b\xb8\xf1\x58\xec\xa2\x41\x5e\x1a\x2a\xb1" "\xd7\x5f\x97\x56\x81\x2a\x75\xcc\x66\xb3\x98\x6f\x7d\x4c\xf2\xee\xac\x00" "\x1e\x38\x97\x92\xf4\xb8\x48\x38\x56\x4f\x73\xe9\x20\x1e\xf1\x96\x3f\xce" "\x9e\x3d\x36\x0a\x59\x72\xd1\xcb\xb8\x38\x51\xc1\x1d\x4e\x27\x39\x54\xb7" "\x4d\x53\xbc\x61\xd0\x59\x3a\xd0\xb6\x13\x25\xd1\xec\x93\x47\x5f\x0f\x3f" "\x03\xef\x25\x94\xb3\x87\xe7\xa6\x03\x75\xcd\x2a\x0e\x1f\x08\xf6\xa6\xe7" "\x7a\x36\x95\x78\x31\xb9\xf5\x49\xc0\x2e\x83\xf0\x9d\x36\xa6\x78\x21\x84" "\xda\x88\xb3\xb9\xec\x83\x87\x11\x18\x82\x03\x8c\xe3\x84\x03\xd6\xe2\x1a" "\x94\x89\xc2\x27\x30\xe7\x81\x8b\x34\x9c\x3f\xb7\xcd\x3d\xc2\xf2\x26\xb5" "\x6d\x72\x84\x31\xba\x70\xa0\x92\xa7\x4d\x02\xba\xf1\x7f\x00\x72\x7e\xd3" "\x01\x33\xd7\x52\x74\x9b\xef\x67\x64\xba\xa5\x55\xcf\x4f\xfa\xa1\x4e\x11" "\xae\xef\xff\x0c\x45\xd8\xb9\xf3\xfb\xd3\x08\xd7\x9a\xd2\xb2\xb6\xb9\xb4" "\x47\x74\x69\x91\x13\x5d\x04\x2f\xba\x72\xd7\x95\x7d\x50\x22\x57\x87\xdd" "\x99\x6b\x13\xa3\xe6\x73\xb6\x49\x23\x01\x4c\xdd\x1e\x8e\x54\x39\x2b\x37" "\x26\x50\x7e\xf0\xf0\xc7\x86\x6a\x54\x8b\x54\xee\x4d\x2a\x3a\xc7\x84\xd7" "\x1b\xbf\x43\x34\x4f\x61\xa0\x4a\x6c\x98\x5b\x12\x35\x7f\x5f\x1b\xac\xeb" "\xaf\x80\xbc\x21\x36\x9f\xdd\x1a\x68\x6b\xd3\x37\xf8\x3b\x71\xad\x08\x75" "\xdd\xec\x74\x31\xdb\x5b\x97\x7c\x8e\x16\x88\x33\xc7\xf3\x7c\x67\xf0\x3d" "\xb8\xca\x01\x03\x74\xc6\x95\xd2\x93\xef\xe3\x4e\xf6\x03\x88\x7b\x99\xf5" "\xd4\x8f\x1b\x70\xbc\xe1\x5b\x3e\xfe\xb2\xfd\xc5\x42\x9e\x09\xf2\x5b\x3a" 
"\xa4\x83\xa3\xc9\x0f\x07\xb3\xbf\xe4\xce\x4a\x7a\x2b\x21\x6e\xa1\x4b\x65" "\x27\x60\xfd\xe9\xa8\xa8\x70\x80\xc9\x54\x0e\xd1\xa2\xc3\x0a\x9c\x28\x66" "\x24\xe7\xef\x2b\xf6\x1c\xd0\x9c\x87\x15\x5c\x39\x4e\x9a\xdd\xd5\x25\xb0" "\x67\x51\x4a\x3c\x07\x18\xc0\x85\x02\xbc\xe1\x1c\xa0\xcb\xcf\x43\xd8\x44" "\x0f\xe8\x9e\x09\x65\x00\x73\xe1\x0a\xbb\xe3\x14\xa3\xe7\xf2\xbf\xff\x12" "\x00\x50\x87\x0e\x84\xb2\x14\xa5\x17\x31\x07\xf0\xbc\xf1\xdc\x3e\xe3\x42" "\xa1\x9a\xc0\x02\xf1\x12\xa4\x50\x03\x04\x99\x67\xd9\xdd\xe2\x91\xdb\x6b" "\x42\x4d\x1b\x88\x3e\x99\xa8\xb6\xf5\x5f\x78\x06\xc6\x04\x19\x63\xfb\x16" "\x48\x26\xef\x2d\x2c\xf0\x98\xda\x9b\x3f\x51\xba\x8e\x6c\x92\x09\x37\x4f" "\x7b\xfb\x80\x32\x79\xe7\xcb\x8d\x74\x6e\x29\xaa\x9a\xd2\x80\x3d\x2a\x04" "\xe0\xa8\xb0\xdc\x14\xc5\x5a\xbf\x1d\x78\xa4\xbb\xf7\x0b\xe1\x79\xbc\xe8" "\x56\x44\xe4\xb7\xeb\x0e\x13\x4e\xe2\x77\x8e\x06\xe8\x15\x7b\x09\xfc\x95" "\xf9\xea\xb5\x89\xf7\xe9\x2b\xa0\x01\x99\xa7\x51\x52\x95\x7e\x9e\xbf\x8d" "\xf1\xe9\x62\x2c\xaf\xf0\xca\x3d\x8b\xee\x3c\x11\x71\xe8\xba\x84\x45\x3e" "\x0c\xf2\x60\x8d\x80\x73\x5c\x5e\x22\xba\x58\x28\x63\xd4\x25\xd9\xf4\x8b" "\x1d\xd1\x07\x0b\x36\x3c\x39\x8c\x54\xa5\xad\x90\xcf\x68\xb3\xc2\xb3\x62" "\x59\x94\x9d\x7d\xaf\x71\xd2\xc9\xc6\x62\x17\x09\x22\xad\x0f\xd8\xce\x64" "\x0e\xfa\x31\xdd\x1f\x40\xec\x14\x6b\xf7\xd6\xdb\xcc\xaa\x8c\x0b\xfb\xae" "\x2f\x5f\x81\x1d\x64\x70\x0e\xf3\xab\x08\xe5\x11\xfb\xe5\x0b\xc6\x5f\x83" "\xca\xc0\xeb\x12\x5e\x6c\x33\x73\x1f\x7c\xd8\xb1\xa3\x5e\x4a\x39\x60\x24" "\x79\xf5\x5b\xc1\x7f\x0b\xfe\x22\xe9\xbb\x1d\x38\xb6\xe2\x79\x70\xaa\xc9" "\xc2\x6a\x53\xb9\x1c\xc3\x8e\xd5\x96\xa8\x27\xe6\x1f\x2d\xf1\x9c\x04\x13" "\x79\x5c\xf7\x76\xea\x5b\x40\x0c\xd6\x6a\xa8\x1c\x14\xe6\x79\x4b\x35\xd4" "\xd3\x9c\xa9\xef\x74\xf1\xe8\x1e\x70\x98\x4d\x19\x13\x52\xed\x66\xbf\x06" "\xa5\x27\xb7\xdf\xb6\x26\x87\x48\x36\xc5\x2f\xc2\x7f\xd7\x9a\x99\xdf\xc6" "\x15\xe3\xf7\xdb\x7c\xb8\xb4\xaf\x97\x0c\x75\xd6\x2c\xec\x2f\x61\x9c\xf5" 
"\xd6\xc0\x17\x11\xb7\xbc\x4c\x68\x5e\x35\xa6\x69\x55\x28\x72\xfc\xb9\x61" "\x7c\xb3\xde\x1c\xeb\x02\x66\x16\x77\x80\xd9\x2c\xd0\xcd\xa2\xd0\x85\x6f" "\x66\x45\xf8\x45\x75\xb6\x1a\xfc\x1b\x04\x04\x10\xc5\x57\xd0\xb4\x1c\x09" "\xe6\xe5\x89\x78\x8b\xbc\xa0\xb6\xf3\xbc\x7a\xcf\xa5\x08\xa8\x20\xf6\x5c" "\x79\xd2\xa5\x85\x3c\xda\x42\x2e\x77\xaa\x39\x5c\x1b\x8a\x7d\x44\x99\x8e" "\x1e\x4b\xde\xe8\xab\x25\xb1\x77\x64\x4f\x30\xb6\x9f\xd0\xd3\x24\xb1\x83" "\x9f\x63\x36\xa2\xe9\x14\x2b\x16\x44\x75\x8f\x04\xed\xab\x6b\xe8\x1b\x49" "\xed\x57\xed\x2d\x11\x7e\xe3\xa6\x0e\x17\xe6\x07\x43\x89\x94\x9f\xaf\x1a" "\xce\x12\x42\xae\x8e\x35\x8d\x89\x8d\xa1\x14\x6b\xe1\x00\x11\xa0\x47\xf3" "\xe1\xd1\xa5\x42\x49\x6a\x92\x21\xce\x09\xbe\x11\x21\x42\x20\xa5\x0e\x70" "\x8c\x7a\x66\x49\x7f\xb0\xf3\x6b\x5d\x6c\xab\xbb\x58\x8e\x37\x69\x6a\xf8" "\xb5\xc4\x98\x7b\x19\xd9\x92\x8b\x26\x10\x4f\xaf\xaf\xb8\x04\xb2\xef\xde" "\x4b\xa9\xb6\xde\x58\x8d\x03\x18\xd9\xdb\xde\x6f\xaa\x4d\x6a\x9b\x61\x72" "\x19\xd3\xac\xbc\x58\xbf\xd0\x72\x17\x64\x87\x19\x07\xd0\x5c\x40\xd9\x8c" "\xab\x83\x16\x19\xe8\x91\x43\x56\x95\x96\x41\x72\x77\xb7\x24\x48\x74\x6e" "\xfa\x45\xab\xcb\x1f\x8f\x18\x7e\xc0\x66\xcc\x5a\x4c\xee\x90\x44\x55\x9f" "\xec\x52\x3b\x17\xf2\x30\xd7\x7a\x6f\xf8\x20\xaf\xcf\x55\x28\x51\xff\x1b" "\xb8\x50\xfc\xda\xb4\x21\xf0\x10\x88\x9b\x3a\x45\x09\xe5\xb8\x75\x34\xe5" "\x79\x76\xc9\x03\x5e\x2d\x34\x83\xc8\x81\x2f\xb0\xa4\xd1\x14\x89\xbf\x93" "\x2e\x09\xab\x5c\x49\x34\x8c\x25\xf0\xbd\x38\x74\x3f\x33\x47\xd0\x14\x74" "\x2d\xc5\x2f\x1f\xe4\x85\x39\xfd\xbb\x2f\x15\x24\xdd\x22\xa0\x02\xfd\x83" "\x15\x7b\xc0\x2a\x51\x72\xb3\x5a\xfc\xe5\x9a\x89\xb3\x9c\xf7\x4d\x38\xeb" "\x5b\x77\xa8\x10\x12\x46\x56\x75\x53\x09\x80\x02\xa3\x03\xd8\x4a\x94\xcb" "\xdb\xe8\xa7\x22\xb8\xef\x3f\x5e\x9e\x40\x4c\x41\x04\x6e\xff\x7e\x7e\xc1" "\x11\x1a\xbc\xa7\x33\xbd\x4c\x6c\x17\xa1\xfa\x9c\x6d\xcd\x0b\x52\x1f\x3f" "\xe6\xfa\x84\xf8\x72\x3c\x25\x4c\x5b\x80\x76\x59\x1b\xdb\x1b\xda\xab\x9c" 
"\xd9\x78\xeb\x61\xcc\x7d\x8d\x15\xbe\x9d\x51\x86\x93\x19\x6f\x9a\xca\x63" "\x1e\x23\x51\x6a\x25\x8e\x8f\xfb\xeb\x4e\x51\x3a\xff\x57\x65\x06\x0f\xe9" "\xa6\x5f\x94\x02\x8e\xc9\xf5\x0e\xa1\x4a\xe2\xc2\x2e\x49\x83\x5b\x8a\x79" "\x03\x67\x62\x42\x2c\x3d\xff\x07\xbe\x34\xf2\x99\xa9\xba\xcf\x6e\x2e\x0e" "\xa4\xb4\x7a\xd1\xb0\x54\xe8\x34\x75\x91\xc9\xf6\x3a\xa0\xf7\xf5\xdd\x05" "\x36\x3d\xbd\x5c\xea\x88\x31\x06\x82\xc5\xe0\x2e\xff\xc5\xd6\x87\x35\xdf" "\x77\x87\x63\xee\x16\x2b\x9c\x34\xf8\x8a\xaa\x67\x61\x4f\x29\x01\xc0\x35" "\x2d\xe8\x94\x11\x83\x3f\xd9\x8b\x19\x63\xe4\x65\x77\x06\x71\xbb\xe2\xcc" "\x45\x0c\xfc\x8d\x3f\x51\xc6\x9f\x5c\xfe\x21\xaa\x1f\xb5\x27\x1e\x4f\x33" "\xd3\x7b\x8a\xa4\x45\x09\x4c\xb5\x53\xdb\xcd\x40\x9f\x7b\x6a\xd5\x68\x15" "\xb8\x18\x7f\x31\x80\xc5\x3b\x17\xca\x84\x0f\x19\xef\x80\x6f\x3c\x15\x83" "\x0a\xd8\xa1\x4f\x33\x22\xdf\xb7\x4f\xfe\x96\x49\x65\xf9\xd4\x48\x89\x15" "\x25\xd7\xfa\x53\x92\xe1\x7f\xd3\x7a\xbc\xa2\x37\xcf\x6a\x8c\xe2\x56\xaa" "\xa4\x2f\x38\x76\x6a\xed\x5e\xd2\x8e\x1f\x91\xc8\x25\x99\x00\xa3\x70\xf5" "\x67\x4b\x55\x2a\x6f\x14\xfc\x5f\xe7\x90\x34\x76\xc9\x64\xb1\x09\x08\x2d" "\x58\x8f\x42\xe8\x90\xd2\x68\x10\x07\x21\xb4\x6d\xb8\x1f\x99\xd6\xc8\xfe" "\xd0\x58\xec\xab\xc5\x66\xd6\x06\x8f\xa1\x9b\x33\x41\x33\x0b\xa4\x9a\xae" "\x70\xa1\x0a\x74\x69\x53\x13\xb0\x0b\x15\xb3\xaf\xba\x6f\x3c\x94\x93\x03" "\x0c\x7d\xe4\x60\xd4\x0d\xfd\x84\xcb\x37\x71\x29\x2c\xa7\x5e\x42\x36\xe8" "\x47\xc0\x99\xca\xc5\xca\x80\x5f\x0c\xec\xe6\x65\x70\x14\x9f\xf1\x7e\x4f" "\x83\xe1\x1d\x10\x19\x9b\xcc\x95\xd6\x9b\xa1\xe3\x37\xfa\x02\xab\x82\x2f" "\x46\x06\x51\x8f\xec\xeb\x08\x1d\xfc\xf9\x74\xd2\x17\x56\xeb\x78\x69\x11" "\x92\x03\x8b\xc3\x7f\xd5\x84\xfb\xf7\xfe\xd3\x8e\xd2\xde\xaa\x22\xd1\x91" "\x4a\xfa\x4a\x06\x72\xc9\xe8\x8c\x3f\x57\xe4\xb2\x9e\x0d\xfc\x5a\xcd\x1a" "\x4e\x27\xad\x42\x73\xaa\x53\x15\x5f\x75\x06\x53\xf6\x86\x90\x9b\x56\x1e" "\xf6\x58\x25\x41\xb4\xb9\x76\x8a\xaa\xf4\x8c\xff\x69\x89\x8f\xb9\x83\xcd" 
"\x6a\x49\x06\xd2\x5a\xd1\xff\xd8\xf4\xf4\x41\x0f\x92\xc5\x53\x11\x56\x1e" "\x7d\x15\x3a\x16\x95\x32\xc8\xd2\x14\xc6\xa4\x8f\x31\xcf\xfc\xff\x8a\x71" "\x68\x90\xa7\x5f\x5e\x4e\x9a\x47\x10\xfe\xd4\x8b\xa2\xa6\x44\xe6\xc4\x51" "\x16\x23\x4f\x64\x31\xef\xb4\x23\xb0\xf4\xac\x1f\x7c\x90\xee\x71\x74\xc3" "\x50\x5f\xa2\xac\x98\xc3\xea\x33\xd6\x41\x5a\x9c\xed\x90\x56\x5f\x42\x52" "\xc6\x07\x5c\x6e\x98\x39\xec\xc9\xd4\xd6\x85\x0d\x62\xad\x4e\xfe\xdb\x3e" "\x61\xe6\x1b\x87\x43\x04\x11\xd6\x20\x1f\x02\x2b\x55\x9a\xaa\x3e\x67\xae" "\xd0\xb8\x4f\x67\xfd\x5b\xba\xef\xe8\x18\x5f\x77\xd3\x4b\xa2\x18\x08\x2b" "\xbf\xc3\xfd\x06\x5d\xeb\x51\x58\xe3\xf0\xfa\xd7\x50\x04\x88\xc2\x7f\xc4" "\x80\x0e\x4a\x6e\x2f\x6e\x4a\x18\xf3\x31\x9b\xe5\x85\x48\x43\xcc\xfc\x91" "\x75\x77\x3e\xe7\x50\x34\x51\x1a\x35\x8c\x79\x87\x72\x78\x3a\x79\x98\x17" "\xb5\x68\x18\x51\x37\x7d\x5d\x28\x90\x53\x6a\x25\x0c\x78\x43\x4c\xb0\x5b" "\x77\xba\xc5\xc0\x8c\x14\xfc\xad\x69\xdf\x81\x1d\x5c\x1a\xf0\x5b\x69\xe6" "\xe2\xff\x20\xd1\xec\x8e\x71\x73\x70\x2a\x9c\x94\x54\x7d\xda\x5a\x75\xa7" "\xc7\xf2\x53\xef\xe3\xd0\xa9\x15\x09\xa0\x8b\x6b\x29\xba\xe8\xfd\x9a\x13" "\xf8\x5d\x58\x84\xad\xea\x38\xd1\xd7\x71\x93\xd6\xc0\x87\x1b\x8f\x52\x93" "\x62\x1c\xbe\xd9\x14\x5b\xc0\xb4\xe8\xef\xf1\x64\xf9\x78\x0a\xbb\x74\x42" "\x08\xd7\x27\xbc\x6b\x75\x9f\xfd\xc9\x04\x1d\x78\x14\x8d\xa4\x22\xd7\xc5" "\xac\xff\x69\xe0\xa8\x5e\x7d\x20\x70\x23\x60\xc6\x77\xb7\xf8\x1d\xe0\x22" "\x94\x54\x7a\x9f\x5d\x39\xf6\xfe\xbd\xbf\x7c\x5f\x57\x80\x73\xe7\xe4\xe9" "\x41\xc2\x26\x40\xc3\xff\xa5\x68\xa3\x79\xac\x2b\x81\x2a\x3c\x9b\x23\xb8" "\xec\x39\x11\xef\x06\xac\x50\x69\x9d\x11\x7a\x90\x14\x6a\x76\xaa\xc4\x1a" "\x53\x64\x0e\xb7\x49\x84\xde\xc7\xbf\x6b\xf8\xf1\x45\xb8\x06\x15\x33\x33" "\xeb\x71\x3b\xc7\xe5\xb2\x74\x16\x0b\xea\x2e\xab\xef\xca\x2f\x3d\xb0\x4d" "\x28\x55\xcb\x0f\xb0\xe6\xa1\x71\xa2\x55\xbc\x8d\xe0\x0b\x87\x8f\xbc\xac" "\x20\x10\x41\x81\x8d\xf2\x96\x0a\xa4\x8e\xae\xc8\x8f\x86\x05\x57\xd8\x0e" 
"\x86\x95\x9c\x80\x9f\x89\x7a\x64\x24\xbb\x6a\xc6\x3b\xb2\xe5\xa6\x43\x08" "\x17\x31\xbb\x83\xa7\xab\x25\xfd\x29\x9c\x9f\xe8\x2e\x04\xfe\x79\x2b\x09" "\xf7\x35\x7c\xb9\x9a\xc2\xb5\x24\x88\x74\x1f\xf2\x59\xe2\x9a\xa6\x0d\xc7" "\x46\x7d\xc5\xc4\xeb\xc7\xc1\xfa\x26\x95\x8d\x72\xb1\x1d\x6e\xb4\x7e\x67" "\xd3\x1e\x0e\xf0\x5b\x2c\x12\x7f\xc9\xe2\xf4\xa9\x02\xdd\xd1\x0b\x8d\x8e" "\x58\x3b\x1f\xa1\x73\xa2\x8c\xb2\x69\xbc\x0e\xb5\x09\x40\x8b\xa7\xbb\x7e" "\x66\xc7\x57\x68\x4c\x2d\x0f\x62\xfc\x30\x99\x1f\x22\x13\xd1\x3a\xcf\x58" "\xdc\x4e\x4f\x56\xf3\xf6\xe0\x11\xe7\x0d\xda\xf3\xf1\xca\x0f\x7d\x8a\x53" "\xef\xdf\xfa\x88\x48\xbb\xae\xf0\xfe\x49\x0f\x13\xdd\xf9\x75\x91\x96\x09" "\x19\xac\xbb\x55\x88\xca\xcf\xf4\xce\xa2\x67\x2d\xeb\x15\xbb\x29\x89\x9b" "\xe9\xbd\x00\xfc\x38\xe5\x7b\xa8\x53\x95\x4f\x62\x63\x90\xb4\x64\xce\xa7" "\x9a\x79\x3d\x04\x59\xba\xd7\xc5\x14\xcc\x39\x33\x2f\x48\x50\xe8\x64\x9f" "\xd9\x1d\x66\xc1\xb3\x95\x63\xd2\x43\xca\x76\x4d\x3c\xf4\xb2\x4b\x38\xc8" "\x76\x9c\x16\xfd\x2c\x50\x1c\x13\x93\xef\x6f\x7d\x93\x1d\x74\xfc\x93\xca" "\x94\xce\x83\x40\x2f\x44\xac\xe2\x8c\x40\x49\x0c\x3d\x7e\x81\xdf\xed\x02" "\xb2\x93\xfd\x6f\xae\xfb\xf8\x73\xd4\x1c\x7c\x2d\xe6\x2a\x89\x39\xb8\x43" "\x91\x94\x60\xfa\x21\xb5\x5b\xf7\xb0\xad\xbf\xa9\x60\x1f\xf7\x79\x73\x2e" "\xe8\x75\x21\xea\x67\x17\x9e\x20\x0a\xf9\xf1\x84\x05\x94\x6a\x98\xc9\xea" "\xdb\x5f\xe1\x7b\x09\x3e\x4b\x5e\x3f\xfb\x74\xbe\xac\x43\xdb\xca\x6e\xa6" "\x31\xdb\x8f\x63\x72\x78\x15\x68\xa4\x55\xcc\x79\x3e\x6b\x63\xc7\x9e\x5e" "\x1f\x8a\x3c\xc1\x1a\xa1\xbf\xcf\xbd\x7c\x0e\xd2\xa3\xf1\xb4\x2a\x12\x78" "\x35\x2c\xf1\xd7\xf1\xf3\xfc\xa1\xaa\xea\xbd\x71\xd8\x61\x12\x76\x03\xb5" "\x0a\x78\x6e\xe5\xee\xda\xc2\x1d\xb0\xc8\x0f\x82\x20\xd3\x51\x4a\x4f\xbc" "\x68\xc2\x25\xc6\x51\x8d\x5f\x09\x43\xc9\x7f\x51\xdc\x71\x2f\x9b\xd3\x89" "\xed\x56\xbd\x02\x9b\xad\xba\x82\x42\xd9\xb0\x42\xe4\x70\x04\x12\xd1\x27" "\x9f\x29\x99\xb3\xc1\x1d\x75\x4d\x73\x1f\xca\x2b\x5a\xfb\x61\xcc\x71\x5c" 
"\xc2\x4c\xc8\x0b\x9c\x9d\xca\xd1\x72\xd0\xe3\xf4\xee\xcd\x87\xaa\xe7\xae" "\x21\x5a\x9d\x96\xdd\xe3\x20\x0a\x15\xd7\xb9\x27\xb3\xb7\x10\x62\x35\x76" "\x4b\xde\x30\x19\x16\xc2\x28\xad\x7a\x58\xae\xb7\xa8\x5b\xb7\xa4\x0d\x7a" "\xa8\xe4\x33\x32\xdf\xfd\xd1\x44\xae\x22\x8d\x51\x5a\x9c\x71\x4b\x36\xca" "\x63\xcb\xca\x72\xff\xf6\x60\xf4\xb4\xff\x88\x07\x4f\x68\x9f\x21\xf1\x6e" "\xec\x2d\x5a\x9d\x7f\x8f\xa6\x10\x7f\x8a\x34\x60\xfb\xe8\xfe\x2b\x2e\xa7" "\x5f\x15\x9f\x8a\xca\xde\x78\x47\x23\x25\xaf\xc7\xa6\x11\x95\x47\x15\xf7" "\x8a\x60\xf5\x80\xed\x90\x44\x99\xc4\x50\xb5\x18\x09\xfa\x54\x49\xc4\x7b" "\x53\xe9\x0a\x56\x97\xfa\x29\xae\x2a\xfb\x0f\xe7\x5d\xe3\xab\xf9\xef\x0a" "\x72\xc3\x5b\x49\x26\xdb\xa9\x49\xa6\xbd\x48\xe8\x86\x05\x08\x1f\xab\x4f" "\xed\xc7\x9d\xbd\xa1\x11\xc9\x4b\xd5\x97\x48\xb8\xb2\x04\xee\x9d\x26\xfe" "\x3d\xc4\xb0\x30\x0d\xfc\x58\xa0\xf8\x30\xd1\x2f\x2f\xe2\xa0\x2f\xc3\xac" "\x76\x61\x3b\x31\xa5\x19\x6f\x53\x6b\x31\x14\xd0\x58\xd7\x8c\xfc\x13\xa2" "\x3e\x5f\x3c\x56\x13\xcc\xb8\xa5\xed\x46\x29\xfe\x57\x17\x0a\x3c\xd8\x51" "\x3f\xe1\x89\x9b\x5a\x32\xd2\xe4\x31\x47\x87\x42\x77\xa7\x7a\xa9\x52\x55" "\xc2\x51\x6e\xaa\x59\xa2\xfe\x8e\x68\xd9\x4f\xfc\x23\xd2\xd4\xe9\x56\xd0" "\x66\x96\x9e\x1f\xa4\xad\xa9\xbb\xdd\x95\x9c\xac\xe1\xd3\xd3\x6f\x0d\x99" "\x2d\x05\x6a\x19\x81\x98\x47\x01\xd7\xe4\xd6\x04\xf3\x97\x75\xa8\x58\xf0" "\x8a\x88\x23\xfc\x79\x83\x94\x43\x8e\x85\xa8\x7d\xca\x27\xca\x98\xa1\xcb" "\x06\x0e\x90\x78\x98\x03\xa6\x2e\x3e\xb1\xdd\x18\x9e\x62\x25\xb6\x29\x52" "\xb7\x55\x40\x2f\xf7\xd0\xea\xbb\x84\x58\x5c\xb8\x53\xab\xfd\x11\xe6\x2b" "\x7c\x4b\xba\xf3\x05\x0f\x08\x5e\xfb\xed\x43\xb7\xef\x44\x96\x29\x52\xc4" "\x8b\xc2\xda\x17\xa0\x3e\x8d\x2b\x0f\xc6\x78\xb2\x53\x68\xac\x07\x69\x03" "\x45\xbc\xee\x28\x06\x87\x84\x7d\x24\xb3\xe7\xe3\x3f\xa1\x7c\xbe\xde\xcc" "\xa6\x4a\x01\x22\x70\x1a\xf2\x87\xfa\xa0\xc2\x19\xec\x30\x5d\xa7\xf0\x6f" "\x37\x49\x6f\xf8\xc1\x8e\x42\xa6\xa5\x33\xe4\x9f\x82\x24\x17\x93\x7f\xf8" 
"\xdb\x72\x5c\x7d\xc0\x24\xef\xba\x3f\x34\x6a\x67\xd7\x03\x0b\xbf\x45\x13" "\xa7\xd9\x15\x1b\xb7\x08\xab\xe3\x85\xd2\x1a\x09\x8f\x34\x5b\x94\x99\xa7" "\x9d\xd3\x71\xfb\xdc\x4a\x29\xb6\xbe\x6c\xd0\xff\xbe\x5f\x2a\x49\xee\xfc" "\x2f\xd5\xf3\xea\xcc\x47\x0c\x32\x94\xe5", 4096); memcpy( (void*)0x200000001b00, "\x92\xbb\xe6\x8d\x68\x83\x14\x72\x73\x1a\x7d\x2c\x7a\x75\x4f\xd8\xb7\x96" "\xb7\xbe\x48\x98\x25\x76\xb6\xd9\xa9\x60\x1d\x71\x81\x1f\xd8\x57\xb1\x1f" "\x89\x03\x9f\xd5\x6f\x1c\xc7\x1b\x70\xdf\x1b\x5c\x66\x08\x4c\x14\xa9\x0b" "\x75\x2d\x8c\x4a\x37\xc6\xce\x3d\xfe\xa7\xee\x28\xd4\x7e\xf6\x0f\x00\xe2" "\x6b\xc9\x92\x32\x67\x36\x6b\x9c\x78\xde\x73\x6d\x87\xd0\x2e\xd8\x26\x5f" "\xfe\x73\x3c\xf8\x02\x9a\x49\x5c\xcd\x2d\xfa\x56\xab\x87\xfb\x1e\xb9\xcf" "\xa8\x96\x83\xc4\x13\xd4\x0e\xd8\xf7\xa4\x68\xaa\xad\x6a\xbf\x03\x08\x68" "\xec\x9b\x23\x77\x75\x27\x23\x09\x3a\xe5\x67\x68\xfb\xdb\xff\x77\x45\x91" "\xdc\x7e\x1d\xdb\xab\xfd\xca\xf7\xf9\xbb\x77\x30\x56\xef\x23\x9f\x16\x22" "\xd3\x10\x99\x3e\xfb\x4e\x84\xdd\x2e\xd5\x36\x83\x6b\x03\xf1\xb3\x29\x48" "\x22\x2e\x8b\xba\x28\x85\x69\xb7\x5a\x6e\x1f\xc0\x68\xa0\xd7\xee\xbb\x2b" "\x6f\xff\x77\xa4\x05\x24\xc4\x91\xa0\xc3\x12\x96\xca\x1f\x43\x04\x03\xaf" "\xbe\x50\xe1\x5a\xa2\xb9\x6f\xc1\xd2\xd4\x24\x03\x14\xeb\x56\xdc\x75\xdc" "\x8d\xcc\xeb\x7d\x82\x6f\x42\xf0\x43\x91\xb9\xe3\x62\x50\x31\xd5\x69\xbc" "\xbd\xc7\x5b\x1c\xcc\x5a\xb8\x48\x05\x6c\x3b\xa2\x7e\x4b\xfb\xcf\xba\xe3" "\x98\xf9\xad\xc3\xc8\xe2\xe5\x08\x7b\x45\x44\xa2\x49\x5f\xcd\xa9\x39\xfc" "\x4f\x19\xd1\xe9\x63\x62\x08\x79\xe2\xe7\xee\x7a\xb8\xf4\xfd\x7d\x33\x7a" "\x95\x10\x5b\xe0\x16\x6b\x8d\x15\x09\x0d\x45\x6e\x36\x33\x67\xa2\xe1\x9d" "\x54\x8a\x94\x10\x88\xbf\x1d\x1c\xf7\x15\xc5\x40\x1f\x95\xa2\x7d\xd1\x4c" "\xd2\x52\x50\x15\x23\x35\x31\xf5\x9e\x45\xeb\x75\x02\x46\x42\x70\x27\xfe" "\x3f\xbc\xfd\x1e\x17\xe9\xa1\xbd\x77\xdf\xf8\x79\x0e\xcd\x2a\x1a\x95\x94" "\x4c\xbe\x3a\xc1\x18\x1c\x0c\x15\xac\xf2\xae\xfb\x97\x00\x20\x56\xc3\xb0" 
"\x8e\x91\x8b\xe9\x15\xa7\x0b\xb9\xb6\xa9\xb1\xb7\xaf\x8f\x32\x93\x7c\xca" "\x7d\x53\x21\x54\x16\x21\x81\xda\x3c\x7b\xd4\x11\x5a\xd9\x56\x0c\x18\x75" "\x56\x6c\x62\x02\x08\x69\x29\xb7\xd2\xdd\x3a\xe6\x28\xe1\x81\x7d\xe9\x1c" "\x2f\x75\x02\x15\x33\x9a\xc2\x87\x81\x56\xfb\x12\x5e\x64\x56\x91\xf2\x9c" "\x7a\x7d\x05\x86\xa0\xb6\x32\x30\x33\x8a\x0a\x52\x16\x7b\x42\xd1\x89\x46" "\x49\xc0\x9d\xe6\x56\x69\xde\x20\xdd\x22\xa9\xb5\x14\xc6\x80\xd3\xc9\x23" "\x8b\xbf\xde\xb0\x3d\x06\x6f\x0a\x6a\xe3\xb2\x5d\x7d\xea\x41\x0a\x41\xa1" "\x0c\xb3\x2c\xb5\x88\xea\x5f\x73\x00\xeb\x2c\xa4\xee\x60\xba\x11\xcb\xf4" "\xab\x2d\x40\x16\xb9\xd2\xb2\x83\x22\x19\x73\xe2\x1c\x47\xad\x08\xa5\xe1" "\x51\x12\x12\x6b\xd0\xd9\x95\x46\xe8\xda\x93\xeb\x77\x23\xd5\x4c\x8e\xa4" "\x1a\x06\xec\x90\xed\xa6\x09\xcc\x2a\xfa\xe5\x09\xcc\xa4\x99\x80\x21\x63" "\xd1\xb6\x91\x3e\x56\xdc\x1d\xbb\x54\x02\x77\x2b\x13\x58\xfb\x05\x22\x0b" "\x01\xe5\xbe\x45\x6c\xce\x42\x9d\xab\x81\xce\x56\xdb\xa3\x33\x4b\xde\x68" "\xe6\xdd\xd8\xe8\x1d\x1a\x8f\x99\x08\x79\x14\x28\xfe\x82\x7c\xad\xa3\x99" "\x36\x5d\xb0\xbc\x9d\x55\x1e\x7e\x24\x58\x2a\x56\xfe\x24\x29\x24\x4b\x57" "\x1c\x91\xed\x8c\x39\x79\x11\xe9\x25\x02\xc8\xb7\x8b\x1c\x81\x41\xc2\x99" "\xc9\xe8\x67\xf6\x32\x95\xc2\x9d\xf1\xaf\xb3\x62\xdb\xd3\x85\x96\xd1\x59" "\xa7\x62\xd2\x24\x99\x5d\x59\xb3\xf1\x24\xd6\x8b\xac\xe2\x7d\xac\xa6\x95" "\x52\xf8\xf4\x27\x19\x6b\xc0\xe1\x05\x82\x8a\x8a\xbe\xe8\xae\x82\xdb\xcc" "\xb9\x16\xa5\xb4\x63\x6c\xee\x9b\x91\x31\xa7\x78\x1b\xe6\xd0\x34\x56\xee" "\xcf\x53\x3e\x42\x7c\x15\x17\xad\x59\x01\xbf\xf4\x44\x7c\xc6\xad\x04\x7b" "\x21\x4d\x01\xba\x95\x14\x33\xa9\x09\x60\xbd\x94\x2b\xd4\x8b\x08\xa5\x6a" "\x8f\xaa\x59\x67\x21\x4c\x75\xf0\x8b\x36\x61\xbc\x16\x9b\xa3\x66\x05\xbf" "\x35\x8f\x85\x4b\xf0\x52\xad\x84\xf1\xf5\x87\x26\xc9\x31\x33\xfe\xa2\x50" "\xc1\x14\xa2\x23\xe7\x36\x6e\xe5\xc5\xeb\x23\x5d\xb7\x20\xb8\x62\xa1\x58" "\xbc\xd0\x94\x5e\x97\xa6\x74\x4f\xf7\x3b\xa2\x94\xb7\xa2\xd0\x28\xc1\x65" 
"\xdb\xd9\xab\xd6\x23\xcd\xe1\xd4\x27\x19\x8a\x0f\xe6\x0f\x24\xc0\x1b\xc4" "\xe8\x08\x14\x7c\x2a\x03\xe8\xb6\x2d\x10\x47\xe4\x7e\x1d\x6f\xad\x8c\x96" "\xae\xe7\xe1\xc8\xc5\xc7\x62\xd5\x0f\x8d\x16\x3c\xf4\xaa\x39\x5a\x63\x93" "\x19\x30\xaf\x40\x6a\xf5\x2b\xd4\x89\x85\x21\x05\xf6\x7e\xe0\x92\x34\xb1" "\xe4\x69\x73\x13\xa7\xb3\xcd\x58\x0e\xb3\x67\xf6\x4e\x9a\x09\xdc\x32\xa5" "\x77\xf3\x8f\x68\x2e\x53\x6b\x35\xdb\x04\x0d\x19\xae\xf2\x1f\xd8\xf2\x9d" "\x7f\x73\x17\x1f\x42\xcb\x9d\xa7\x2a\x83\xcd\x86\xb8\x22\x4a\xe6\xa4\x96" "\xc8\xb2\xab\xff\xeb\xa2\x22\xb1\x6b\xe0\x38\xc9\x32\x19\x1b\x4a\xd1\xc3" "\x29\xe7\x85\x70\xbf\x57\x6c\x12\xfb\x21\x2f\x0e\xfb\x25\xcc\x3c\x3b\xe7" "\x55\xd7\xc8\x0b\xcf\x13\x54\xd6\xee\x6d\xba\x72\x77\x16\x60\xa7\x7f\xce" "\x17\x2e\x33\xf3\x2a\x3b\xa1\xbd\xf6\xb4\x27\xf3\x7c\xed\x09\x2e\xea\xbf" "\xa3\x68\xf1\x11\x01\x54\x79\x80\xb0\xcb\x82\x7e\xd3\xdb\x3a\x1b\x22\x43" "\x1c\x37\xef\x69\x1a\x8f\x9e\x07\xcd\xef\x55\x7a\x3c\xd0\xe6\x66\x18\x8a" "\x67\x80\x70\x9f\x37\x4b\xd8\xfb\xfd\xee\xb8\x8e\x0f\xaf\x1c\x95\xd0\xf6" "\x68\x11\x62\x27\xb4\x47\xbb\x14\x90\xb6\x59\x38\xdc\xaf\x47\xe3\x58\x59" "\x12\x20\xd8\xdb\xc5\xd8\x7b\x12\x2d\x9b\xe6\xf3\x0d\x36\x3c\x26\x26\xde" "\x93\xcd\x48\x0a\x21\x87\x5f\x47\x4b\x96\xbe\xd3\xf1\x98\xf6\x90\x88\x3f" "\x86\x22\xdd\x96\xc1\x74\xb4\x3c\xea\x38\x22\x9d\x32\x31\x42\xe0\x3a\x27" "\x01\x6c\x5f\x44\x2b\x94\x49\x37\x9a\xc4\x55\xaa\xe9\xf2\xbc\x87\xbd\x37" "\x6f\x52\x6c\x38\x6b\xea\x3f\xbb\x0b\xc9\x5e\x31\xbe\x68\xdc\x0d\xe0\x76" "\xaa\x75\x43\x22\x75\x5d\xbe\x09\xf6\x9f\x80\xba\x6c\xf4\xf7\x86\xda\x3c" "\xf3\x81\x36\x88\xed\x2c\x48\x41\x4e\x1a\x55\xcd\x1d\x04\xe3\x68\xdf\xe7" "\x3c\xc3\x14\xed\x0b\xd5\x55\xe9\xc6\x4b\xd5\xb7\x37\x54\x5b\x20\xa6\x54" "\xc3\xe2\xad\x4f\xe9\x4e\x27\x4b\x74\xee\x54\xbd\xbb\xf8\xf7\x63\x1c\xff" "\xd2\xfd\x84\x47\x87\x7b\x6e\xaa\xe6\xd9\x6c\xc0\xc7\x61\xd4\x49\x3a\xfa" "\x04\xd8\x81\x08\x52\x09\x7f\xd6\x1e\x1e\x6a\x9c\x4a\x7a\xeb\x71\x14\x23" 
"\x99\xaa\xa1\xa8\xea\x7c\x9b\xc0\x3c\x28\x02\x8c\x98\x3c\x94\x79\x90\x9d" "\x88\x10\xdf\xae\x68\x97\xe1\x36\x76\x6f\x3b\x24\xde\x25\xce\x7a\x13\x62" "\x7b\x2f\x37\xc0\x82\x30\x94\x7b\xc8\x9e\xa8\x01\x6a\xda\xdc\x10\x69\xb2" "\xaa\x04\xa0\x72\x72\x1f\xbc\xe0\x1c\x47\x1d\x35\x20\xe9\xe3\x35\x17\x69" "\x30\xce\x4a\x9e\x57\x3a\x97\xdc\x74\x1e\x78\x32\x5b\x1c\x83\x92\x81\x2c" "\x78\xd3\x62\x84\xc2\xd0\x30\xeb\xb8\x92\x45\xed\xe6\x80\xe7\x94\xbb\xdd" "\xc7\xf7\x25\x4c\x0d\x00\xf3\x79\x95\x6d\x9f\x8c\x90\xdf\x6e\xc7\x90\xda" "\x86\xaf\x76\xf8\xa8\x02\xd8\xe2\x37\x1a\x5f\x5b\x2a\x30\x84\x95\xc9\xdf" "\x54\x9e\x0c\x96\x6b\xf7\x47\x51\xfa\x64\x7b\x26\x8e\x47\x39\xd2\xe4\x07" "\x10\xc8\x2c\xd8\x86\x8a\x06\xf3\x7a\x2e\xb6\x83\x36\x2e\xa1\x4d\xbd\xbc" "\x4d\x3d\x12\x02\x0f\x4d\xc5\xe1\xd6\x82\x9b\xb1\xad\x6e\xfe\xcc\x44\x4e" "\x5e\x0a\xbc\xc5\x49\x35\xf3\x02\x53\x35\x7c\xfb\xfd\xba\x20\xaa\x68\x02" "\xd4\x73\xad\xd2\x96\x14\x45\x37\xe8\x30\x28\xa6\x93\xcb\xb1\x4b\x61\x25" "\xb6\x87\x34\xad\x01\x92\x61\x35\x6d\x8d\x83\xd9\x77\xec\x33\xde\x80\x16" "\x14\xd8\xa2\x2f\x5c\x4f\x8f\x0b\x2b\xc9\xbd\xc2\xb5\x32\x4f\xf5\x79\xd6" "\x14\x37\xd4\x04\x8b\xd9\x71\x1d\x96\xb7\x0a\x0e\xec\x2b\x73\x1d\xac\x54" "\xd0\xfd\xaf\x83\x32\x0e\xbc\x64\xbd\xae\x72\xb1\x56\x91\xfc\xa6\x30\x9d" "\x8d\x67\x38\x6a\x9d\xf1\x32\xf9\x47\xf4\x23\x48\x6d\xbf\x2f\x9d\xcd\x07" "\x4b\x0a\x70\xa0\xb9\xc7\x65\xef\x0d\xc6\x0e\x06\x07\xc0\x9e\x12\xfa\xe4" "\x8a\x91\xea\xe0\x9a\xcd\x1c\x2a\x15\xd2\xf8\x96\x62\x94\x6a\x4a\x85\x9d" "\x22\x20\x33\x46\xc3\xb8\xfe\xff\xa0\x17\x51\xd0\x1d\xad\x6d\x57\x20\x1f" "\xe0\x94\xd8\xc4\xe5\xdd\xda\x1d\xaf\x10\x0f\x65\x64\x07\x9d\xf3\x06\x23" "\x0e\x4b\xee\x17\x66\xd0\x30\x84\xb2\x20\xc6\x90\x73\x72\x7b\x03\x0c\x4a" "\x6e\x44\xf1\x81\x3a\xf2\x89\x79\x2d\x83\x78\x20\x42\x0e\xf4\xd6\x52\x5b" "\x59\x44\x4e\x5b\x5e\xea\xab\x77\x22\xfd\x84\x03\x6e\x3d\xa5\x13\xc4\x63" "\xc2\x72\xf8\x38\x75\x35\xa0\x41\x7f\x07\xc2\x11\xa9\x9d\x1e\x0d\xb2\x29" 
"\x60\x8e\x85\xf8\xcf\x11\x6f\x32\x28\xaf\x89\x10\x6d\xeb\x4e\x6a\xf2\x8b" "\x95\xa8\xbd\xe0\x3c\x0c\x04\x55\x7d\x22\x44\xc9\xa6\xd3\x1c\xd7\xed\x27" "\xa8\x20\x2e\xac\x27\xb5\x67\x6d\x86\x58\xbb\x48\xca\x76\x5b\xad\x75\x20" "\x0a\xc9\x57\x62\xf3\xf7\xfd\x79\x53\x72\x74\x0a\xb1\xf9\x85\xca\x20\x5b" "\xca\xce\xbf\xdb\x83\xa9\xbb\xc3\x2e\xcc\x3e\x3c\x0b\xce\xf1\x99\x7b\x5c" "\x6b\xd4\xa0\x45\xec\x04\x41\xee\x07\xb4\xc7\xd9\xad\x45\xae\xdb\xd9\x83" "\x22\x9f\x48\x74\x41\xa5\x2a\x64\x52\x07\x43\x82\xef\x27\x21\xee\xc8\x82" "\xa6\x4c\xdd\x69\x29\xda\x3d\x03\x41\x50\x60\x21\xe9\xa7\xb1\xa8\x69\x89" "\x8f\x96\xa5\xc7\xb9\xec\x6d\x32\x0a\xb0\xa3\xa6\x6f\x80\xa7\x42\x42\xd3" "\xe2\x67\xd3\x99\x90\x6f\x6b\xa1\xdd\xcd\x79\xb4\x7a\xcd\xff\x54\x6d\xf0" "\x87\xb4\x9b\xa8\x33\x81\xc6\x4f\xb7\xb7\x2d\x19\xc2\xba\x6a\x04\x79\x0f" "\x13\xc3\x03\x2a\x93\x0c\x4d\x86\xba\x14\xba\xc9\x8a\xf6\x5e\xbe\x10\xd2" "\x3d\xa4\x26\xe2\x63\x6a\xb4\x95\x0f\x0c\x0c\xaf\xb0\xf1\xf4\xa4\x93\xb7" "\xa6\x82\x46\x12\xd7\x94\x49\x45\x6b\x93\x0c\xde\xda\x4b\xfa\x93\x89\xb3" "\x14\xb7\xdd\x57\xdf\x97\xc4\x06\x14\x0f\x08\x10\xe2\x49\xc1\x20\x95\xc6" "\x10\x8b\x0c\x98\xa8\xe5\x53\xf9\x42\xf4\xc8\xf2\x8f\xde\xaf\x79\x81\xba" "\x62\x3a\xdd\x8f\x0c\x39\x06\xca\x53\x3d\x28\x62\x29\x55\x91\xd3\xab\xa2" "\x61\xf4\x1a\x23\x4e\xe5\x30\x5d\xe3\x09\xbb\x43\x14\x09\x85\xdd\x79\x6a" "\xfb\x3a\x02\xe0\x4b\xf3\x14\xa1\x65\xfb\x46\x98\xc1\xd2\x15\x6d\xbe\xce" "\x00\x13\x5d\x1e\x04\x3b\xd7\x80\x64\xdb\x6e\x97\xcf\x13\xaf\xb9\xa1\x88" "\xae\xc0\x94\x54\x05\xc8\xec\x7f\xcf\xf3\x39\x69\xd9\x7d\x60\xe2\xf2\xb0" "\x6e\x3a\xb8\x8f\x2c\xcc\x4d\xb9\x91\x5e\x42\xd3\x1e\x57\x5b\x91\x57\x7d" "\x3d\x57\x8e\xd2\x16\x9b\x2c\xde\x0d\x8d\xf8\xbb\x27\x74\x59\xbd\xac\x3c" "\x82\xda\xa7\x25\x4d\xaf\xd5\xa5\x18\xe0\x4f\xb7\x05\x74\xa3\x1f\x04\xda" "\x50\xff\x37\x9f\x15\x46\x4a\xe7\x00\x67\x48\x0e\x6b\x07\x1c\xb3\x38\x9d" "\x45\xa0\xe9\xcf\xa9\xbe\xf1\xa0\x40\xf6\xed\x85\xbe\x79\x23\x32\x5a\x23" 
"\xcc\xdf\xfe\x20\x89\x11\x31\x9a\xcc\xeb\x99\xb4\xf8\x45\x5a\x74\xd7\xf9" "\x8b\x2c\xfd\x53\x76\x1e\x78\xc6\xfe\x1e\xe0\x95\xaa\x2e\xd0\xe3\x38\xb7" "\x5c\x92\xb6\x47\x9a\x98\xe2\xf4\x41\xb7\x9c\x8b\xb2\xec\x73\xb3\x0f\xdf" "\x71\x64\xd0\xc4\xc8\xec\xbd\x43\x9f\x62\xf9\x1b\x32\x16\x5b\xd0\x60\x27" "\xf0\xc6\x4b\xc2\xac\xd2\x28\x1b\x57\xcf\xfd\x4e\x3f\x36\x37\x81\x60\xea" "\x6c\x0b\x33\x90\xbe\x56\xaf\x4e\x48\xfb\xa1\xa5\x99\x82\xa6\x77\xb0\xf0" "\xbd\x57\x1a\x84\xf1\x9f\x26\xbd\x23\xd6\x70\xa8\x6c\x7d\xb5\x0d\x42\xfa" "\x12\x19\xab\x7b\x42\xc4\xf2\xf4\x90\x32\xaf\x18\x25\xa6\x26\x46\xcb\xe4" "\x7f\x2d\x01\x28\xc3\xe7\x2f\x71\x27\x25\xeb\x57\x67\x03\x3f\x8d\xf3\xec" "\xc5\xa5\xdd\x2b\xe2\xd9\x1d\xac\x9c\x08\x56\xbd\x1a\xe2\x89\x08\x2a\x88" "\x97\x5a\x1e\xf4\x92\x74\xd7\xf7\x42\xa8\x66\x06\x7f\x4d\x9c\x76\xba\x4e" "\x88\x54\xf7\x91\xc9\x02\xdc\xc7\x94\xb2\xa8\x2d\xe8\xc3\x89\xe7\x4f\xdc" "\x67\x67\x00\xb0\xa7\xe5\x61\x59\x7e\xc7\x3f\x93\x3d\xbb\x8b\xa5\xb9\x90" "\x23\x46\xc8\x58\xb3\xff\x78\xc3\x8b\xf9\xc2\xda\xea\x6a\xad\xb3\x7b\x5e" "\x58\x62\x01\x98\xa8\x2c\x51\x98\xe6\x12\x8e\x08\x78\x93\xd2\x9c\xe3\x4c" "\x0d\x98\x27\x0e\x2f\x5f\x42\x72\xb9\xe2\x43\x35\x75\x28\x4b\x9d\x0c\x14" "\x61\x44\x2b\x95\xdd\xa0\xfa\xe5\x9f\x1f\x08\x41\xf1\xc3\xfc\x7d\xc7\x60" "\x52\xa3\x59\x39\x5f\x2f\xfb\x14\x66\xe2\x48\xaf\xa7\x24\x3f\x4d\x95\xa6" "\x34\xd6\x2f\x28\x1c\xfe\xdd\x8a\xa6\x28\x48\x19\x71\x0d\xde\x35\x41\xef" "\xdd\xae\xad\xab\xda\x06\x8c\x36\xc8\x87\xd9\x67\xa2\x3a\xf2\x65\x18\x9a" "\xeb\x14\x7f\x7b\x18\x3f\x40\x6e\x47\xa4\xf2\xdc\xb2\x47\x28\xe0\x94\x7d" "\x0c\xf9\x35\x29\xea\x26\x63\xcc\xea\x21\x50\xad\x89\x85\x60\x49\xd5\x95" "\xa5\x07\x01\x26\x28\xb4\x8b\x24\x0e\xb3\x14\x26\xf8\xc0\xa3\x31\x3f\xce" "\x2b\x1f\xde\xc1\x22\xc9\x1b\x52\xc5\xdf\xeb\xa8\xdf\x4e\x91\x45\x92\x4b" "\xc7\xfa\xb6\x18\xe3\x05\x8d\x0c\x2e\xaf\x7f\x47\xaa\xb8\xb1\x35\x05\xd8" "\xed\x5b\xe5\x7b\x63\xd9\x38\xa7\x7d\x5c\xd5\xbb\x13\x62\x41\x81\x2e\xe8" 
"\x6a\xce\xf0\xed\x4f\x3d\x29\x8a\xd5\xf1\x34\x52\x80\xa8\x41\x45\xe1\x8e" "\x23\x26\x5d\xcb\x43\x6e\x47\x77\xf8\x11\x12\x20\x4f\xed\x54\xd2\x0f\x90" "\x6e\xa5\x0f\xf3\x39\x02\xc1\x8c\x7d\xd9\xa5\x7e\xa9\x31\x15\xa3\xf9\xda" "\x7f\xc9\x17\xea\xc1\x44\x6c\xc6\x84\xac\x29\x3d\x90\xcc\x60\x06\x65\xe8" "\x37\x10\x2a\x1a\x25\x1f\xc9\x56\xd4\x9b\x30\x65\x1f\xc5\x10\x1c\x4e\x98" "\x4d\xe2\xb9\x79\x25\x7b\x4c\xe2\x15\x9e\x04\xa4\xfa\x58\x41\x29\x62\x12" "\xc4\x12\x47\x53\x0a\xa1\x47\xca\x36\x18\xc7\x9e\x7f\x8e\x4f\x91\xf3\xe8" "\x0c\x86\x46\x75\xcc\x1c\xae\xda\x77\x00\xbc\x01\x4b\x14\xf8\x70\x2d\x68" "\x47\x73\x89\xa9\x9a\x47\x60\xd3\x4b\xe7\xab\xa0\x80\x65\x94\x9f\x8e\x68" "\x84\x91\x60\xe9\x33\x60\x11\xc2\x6e\x10\x51\x7f\x5b\x4f\x6e\x68\x8f\xc2" "\x78\x77\x71\x4d\xb0\xd2\xb4\x9d\x13\xd6\x7f\xfa\x01\xc2\x11\x5a\x49\x28" "\x36\x93\xd9\x44\x69\xfa\x42\x5b\xcb\xe7\xf5\x6f\xda\x05\xec\x44\x82\x4f" "\x04\x68\xe9\x83\xee\xdb\x0f\x61\xff\x52\xd3\x26\xc9\x57\xb4\x13\xde\x50" "\x9b\x42\x9a\x10\xf5\x58\xbe\x7d\x87\x34\x84\xdf\xa0\x3d\x9e\xc4\x3d\xa3" "\xd4\x2c\x95\x10\x31\x55\x23\xd0\x57\xee\xb4\xc0\x57\xe7\xd5\xbe\xde\x83" "\x46\x20\xdc\xfa\x01\x9f\x05\x75\xe4\x4f\xd1\xa0\xd6\xb3\x80\x82\xd1\x04" "\x2c\x11\xff\x4a\x4c\x48\x22\xab\x71\x86\x04\xec\xfd\xd8\xc5\x2c\x19\x37" "\xab\x2d\x3c\x0a\xae\x66\xb0\x54\xe4\x4b\x95\xa8\x61\x3d\xd8\xc7\x25\xa8" "\x17\xd1\xd2\xc2\x71\x7e\xf1\x40\x91\x08\x3d\x3f\xfb\xb1\x91\x87\x5d\x29" "\x09\x42\xaf\xcb\xc2\xd3\x48\x0d\xe3\x53\x3d\x23\x77\x97\xcd\x1f\x75\xb7" "\x01\xb0\xf2\xcc\xa9\xf8\x0d\x62\x36\xd8\x88\xcf\x2e\x28\xea\xc2\xb1\xf4" "\x29\xdb\xd5\x4f\x0b\x0a\x2d\xf5\x0b\xf5\x7e\xb2\x76\x20\x01\x81\x26\xf8" "\xbd\x45\x80\xf2\x99\xd5\x7e\x44\xb0\x80\x77\x5b\x4d\xca\x99\x72\x22\x28" "\xd0\x70\xdb\x00\x56\xcd\xdf\x0f\x70\xab\x71\x57\xfb\x0c\xe4\xac\xfb\x71" "\x40\x88\x4e\x24\xb1\x68\x2b\x25\x23\x0d\x40\x36\x70\xa4\x22\xb4\x88\xcd" "\x97\x8b\xd7\xdf\x59\xba\xfc\x58\xf6\xf4\xeb\xa8\x7c\xb3\xd0\x31\xea\x2e" 
"\x59\x27\xb2\xdd\xbb\x21\x5e\xdb\x08\x20\x90\x0c\xd6\xd2\x1d\x88\xb0\xc7" "\x4a\x0f\x86\xcd\xef\xc3\xea\x91\x16\x01\xc7\x18\xed\xbe\x3b\x48\xd3\xcd" "\x52\x1e\xbe\xe2\xe6\x8c\xec\xa7\x9f\xe6\x5d\x1c\xb1\x90\xd8\xd5\x66\x89" "\xeb\xa0\x6f\xbf\x4d\xe6\xbd\xbb\xdb\x83\x1a\x2d\x83\x59\xc7\x58\x0e\xfe" "\x72\x69\xa7\x54\xd3\xf1\x21\xf9\x60\xa9\xa7\x23\x1d\xfd\xc0\xb4\x74\xa2" "\x4b\xed\x56\xf2\xf0\xea\xf3\x2c\x97\xb4\xf1\x03\xd2\xcc\xe6\xb4\xf0\xa9" "\x32\xa7\x43\xd9\xdc\xbb\x52\x58\x1f\x62\x8a\xea\x23\x82\x03\x47\xb8\x3c" "\xa1\x5e\x4f\x95\x2e\xa7\x7e\x84\xe0\x32\xc2\xc0\xf0\xa7\x0d\xeb\x9e\xe1" "\xc5\x87\xb4\xde\x34\xe4\x1d\x43\x7c\x89\x53\xc5\xe1\x60\x4a\xd4\x63\x11" "\x8d\xbd\x2e\xfa\xc2\x04\xec\xf8\xe6\x61\x34\x46\x68\xf7\x75\x3d\x1b\x24" "\xc5\x73\x81\xa6\xb5\x7b\xcd\xb5\x3b\x42\x99\x05\xcf\xfe\x7b\x8d\x0a\xc3" "\xc6\x92\xbf\x42\xf1\xaa\x30\x29\xa1\xde\x4b\x16\x68\xae\x6b\x78\xe4\xbf" "\x92\xec\x7f\xa4\x0b\x0b\x66\x75\x92\xef\x2b\xbe\x44\xbf\x3a\xb4\x86\x09" "\x27\x47\x54\x56\x26\x53\xc8\xab\xc1\x6c\x4e\x86\x20\x04\x48\xb7\xf7\x2d" "\x56\xd0\x98\xce\xa3\x9f\x7e\xd9\x48\x4c\xe9\xea\xdd\xf7\x2e\xc3\x29\x9c" "\x4d\x98\x08\xd1\x27\x6f\xde\x07\x36\x56\x4c\x35\x89\xd7\x80\x60\x7c\xb8" "\xcf\x11\x9b\x96\xf6\x32\x6d\x70\x28\x7f\x30\xa4\x6a\x4c\xa9\x4e\xa8\x6e" "\xa9\xe4\x90\xc0\x2f\x10\x61\x42\xdb\x5a\x0f\x2f\xa9\xd6\x93\x23\xdd\x89" "\xa8\x1a\x27\xfe\x76\xee\xb9\x4f\xa8\xcf\x16\x24\xac\x51\xc0\x5c\x9e\x30" "\x53\x50\x59\x3d\x50\x9d\xc3\xad\xf7\x0e\x3e\xe2\xf9\xab\x8c\x07\x80\xaf" "\x90\x84\x04\x4b\x40\x2a\x18\xb9\x42\xa7\x3f\x76\x04\x8d\x46\x6c\xdc\xdb" "\x0c\xaf\x26\xba\xdb\xc7\xb8\x7c\xf8\xf1\x1d\x5c\x06\x5f\x17\xb8\x93\x35" "\x9c\xdb\x0c\xf9\x4c\x04\x56\x85\x8e\x53\x43\xbe\xb6\x08\xe0\xcd\xa1\x0e" "\x8b\xa4\x57\xa9\xd6\x86\x7f\x0a\x98\x9e\xc5\x4e\x8d\x80\xd6\xe0\xab\x96" "\x1d\x85\xbd\xff\x43\x33\xe6\xc0\xdd\xb2\x25\x00\x99\xe0\x73\xa5\x02\x23" "\xa4\xcb\x78\xa9\xbe\x17\x4f\x17\xb8\xa6\x7d\x60\xea\xb0\xd6\xa1\xc0\xed" 
"\x0b\xfb\x03\x58\x9b\xfc\x81\xed\x5b\xc2\xb1\xff\x08\x54\x58\x18\x7a\x2d" "\x4b\x2d\xcd\x75\x3f\xbc\xc8\x83\xa3\x33\x95\x08\xa7\x2d\x6f\x36\x8b\xe3" "\xad\x94\x6c\x5e\x1f\xdd\x25\x54\x7b\xb2\x6d\x73\x61\x77\x61\xf5\x54\x54" "\xc1\x24\x23\x61\xc5\x16\x81\x19\xbf\x7f\x5b\x6f\x44\xa7\x2f\x5e\xea\xc7" "\x98\xa7\xe1\xfe\x19\x80\x2c\x75\x39\x78\x79\x59\x7e\x1c\xa5\x64\xd8\xd6" "\x2d\x5b\xc7\x3f\xbc\x0c\xee\xf1\x3f\x51\x1d\x24\xf1\x70\x2c\xb9\x70\x5a" "\xb6\xd4\x93\xcc\xf1\xd0\xf7\x9f\xb5\x84\xf7\x64\x28\xa7\xba\x80\xb6\xec" "\xde\xd9\xe1\x9e\x0f\x12\xa7\xf3\xa2\x8a\x80\x93\xfe\x6f\x4b\x5e\x2e\x7c" "\x7e\xfc\x0c\x5b\x71\xea\x4a\x27\x6f\xe1\x36\xa7\xd5\x89\xf2\x80\x78\x7c" "\xcb\x6b\x40\xa6\x85\xcb\x63\x2d\xe8\x53\x02\x15\x75\x92\x95\xc3\x6f\x2c" "\xf9\xc8\x82\xac\x95\x84\xd6\x8d\x58\x91\x52\x5e\x7b\x08\xfd\x75\x1e\x65" "\x9f\x51\xf1\x78\x5f\x27\x27\xcf\x5e\x1d\xde\x9d\x52\xb6\x28\x5e\x5d\xb4" "\xbf\xc3\x08\xec\x4e\xfe\xcd\xf4\x84\x3f\xbe\x0c\x40\x11\x3b\xe4\x73\xc6" "\xcb\x9e\xc3\xb5\x39\xae\x02\x16\xff\xcc\x74\xce\x5b\x57\xa8\xdc\xb9\x50" "\x60\x54\x7b\xc4\x2e\x03\x94\xe1\x99\x53\x5e\x71\xe2\x1e\xbf\x39\x46\x05" "\x48\x3f\x72\xec\x2e\xc5\x18\x8c\xa3\x8f\xd9\xfa\xa4\x76\x86\xbd\x33\x8d" "\xfc\x98\x70\xc8\xb6\x20\x3a\x20\x1d\x12\x58\x06\x45\x23\xc5\xd6\x27\x31" "\x3b\x78\xdc\x94\xf6\xa1\xa4\x88\xd4\x9a\x92\x96\xd6\x32\xe6\xe3\x1e\x17" "\x71\x22\x09\xfd\x67\xbc\x66\x95\x15\xfc\xa6\xca\x43\x21\x02\x03\xe9\x21" "\x08\x1a\xf1\x3a\x86\x2d\x14\x81\x2e\x98\xed\x1e\x38\x0c\x45\xfe\xc0\xb1" "\x6f\x3e\x4c\xc0\x4b\xf3\xfe\x00\xcb\x28\xa6\xc6\x5b\x44\x6b\x45\xc6\x53" "\x0c\x38\x05\x78\x41\xe2\x52\x11\xd5\x3f\x57\xac\xb2\x4d\x35\xc0\x76\x5d" "\x1f\x34\xc6\x26\x26\xcb\x89\xec\x09\xd6\xb6\xcc\x27\xce\x2c\x06\x41\x73" "\xce\x0d\x83\xb4\x53\x58\x91\xfa\xc2\xcb", 4096); syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x4080aebf, /*arg=*/0x200000000a80ul); *(uint32_t*)0x200000000080 = 0x40000; *(uint32_t*)0x200000000084 = 0; *(uint64_t*)0x200000000088 = 0xb; *(uint64_t*)0x200000000090 = 0x2d; 
*(uint64_t*)0x200000000098 = 7; *(uint64_t*)0x2000000000a0 = 7; *(uint64_t*)0x2000000000a8 = 1; *(uint64_t*)0x2000000000b0 = 5; *(uint64_t*)0x2000000000b8 = 4; *(uint64_t*)0x2000000000c0 = 0x5ce; syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x4048ae9b, /*arg=*/0x200000000080ul); syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0xae80, /*arg=*/0ul); return 0; }