// https://syzkaller.appspot.com/bug?id=0362ae3b4b52ac2d7d91e8b6f19bed0193c7b501 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 << 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 
<< 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b" "\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba" "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00" "\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8" "\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f" "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22" "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89" "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3" "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48" "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2" "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83" "\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2" 
"\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83" "\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c" "\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff" "\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02" "\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00" "\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08" "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00" "\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00" "\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00" "\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48" "\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" 
"\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00" "\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2" "\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48" "\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7" "\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0" "\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0" 
"\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04" "\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48" "\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00" "\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00" "\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7" "\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0" "\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff" "\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20" "\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28" "\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7" 
"\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00" "\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f" "\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00" "\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01" "\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f" "\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00" "\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e" "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24" "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08" "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 
13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)
// 32-bit page-directory entry bits (used for the single 4M identity mapping
// that the 32-bit paging setups install below).
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)
// 64-bit paging-structure entry bits (PML4 / PDPT / PD).
#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)

// In-memory image of a 16-bit TSS. It is memcpy'd straight into guest memory
// by syz_kvm_setup_cpu, so it is packed to keep the architectural offsets.
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

// In-memory image of a 32-bit TSS. The *h members are the unused high halves
// of the 32-bit slots that hold 16-bit selectors; io_bitmap is the offset of
// the I/O permission bitmap (the callers set it to offsetof(..., io_bitmap)).
struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

// In-memory image of a 64-bit TSS: three privilege-level stack pointers and
// seven IST slots, plus the I/O bitmap offset.
struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3];
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap;
} __attribute__((packed));

// Encodes `seg` as one 8-byte descriptor and stores it at index
// (selector >> 3) in BOTH tables dt and lt. Callers pass the GDT/LDT pair,
// or the same IDT pointer twice (for gates, `base` carries the target
// selector and `limit` the handler offset, which this packing puts into the
// descriptor's selector / offset fields).
// The tables are not bounds-checked; every selector used in this file is
// below 31 << 3, and the tables are sized for 256 entries.
// NOTE(review): `(limit & 0xf0000ULL) << 48` and
// `(seg->base & 0xff000000ULL) << 56` move those bits past bit 63 of the
// 64-bit value, so limit[19:16] and base[31:24] are dropped rather than landing
// in descriptor bits 48-51 / 56-63 (a shift of 32 would place them there).
// Left as generated so the guest state matches the upstream reproducer.
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	// With granularity set the limit is stored in 4K pages.
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
	dt[index] = sd;
	lt[index] = sd;
}

// 16-byte descriptor variant (64-bit TSS, 64-bit call/interrupt gates): the low
// quadword is the ordinary descriptor, the high quadword (upper 32 bits of the
// base) is written as zero, which is correct for the small bases used here.
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	dt[index + 1] = 0;
	lt[index + 1] = 0;
}

// Programs the SYSENTER and SYSCALL MSRs of vCPU `cpufd` so that a
// sysenter/syscall from guest code lands on ADDR_VAR_SYSEXIT / ADDR_VAR_SYSRET
// with kernel code selector `sel_cs` and user selector `sel_cs_cpl3`.
// The KVM_SET_MSRS return value is deliberately ignored (generated fuzzer
// code; failures just leave the MSRs at their defaults).
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	// kvm_msrs has a flexible array of entries; reserve room for five.
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = MSR_IA32_SYSENTER_ESP;
	entries[1].data = ADDR_STACK0;
	entries[2].index = MSR_IA32_SYSENTER_EIP;
	entries[2].data = ADDR_VAR_SYSEXIT;
	entries[3].index = MSR_IA32_STAR;
	// STAR: SYSCALL CS in bits 47:32, SYSRET CS base in bits 63:48.
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = MSR_IA32_LSTAR;
	entries[4].data = ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

// Builds a 32-entry IDT at ADDR_VAR_IDT for the 32-bit / vm86 modes and points
// sregs->idt at it. Entry i cycles through six gate kinds (16-bit interrupt
// gate, 16-bit trap gate, 16-bit task gate, 32-bit interrupt gate, 32-bit trap
// gate, 32-bit task gate); every code gate targets ADDR_VAR_USER_CODE2.
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	// guest_mem is 0 in this file, so the guest IDT address doubles as the
	// offset into host_mem.
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		// i % 6 covers every case below, so type and base are always set.
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = SEL_TGATE32;
			break;
		}
		// For gates, fill_segment_descriptor packs `limit` as the handler
		// offset and `base` as the target selector.
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

// Long-mode counterpart of setup_32bit_idt: 32 16-byte entries (selector
// stride of two 8-byte slots) alternating between trap (15) and interrupt (14)
// gates, all targeting SEL_CS64:ADDR_VAR_USER_CODE2.
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = SEL_CS64;
		gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

// One guest text blob handed to syz_kvm_setup_cpu: `typ` selects the CPU mode
// (8 / 16 / 32, anything else means 64-bit), `text` and `size` the bytes.
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

// One (type, value) tweak applied to the initial register state.
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

// Bits of the `flags` argument of syz_kvm_setup_cpu.
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

// Prepares vCPU a1 of VM a0 to run a fuzzer-supplied text blob in the mode
// selected by the blob's `typ` and the KVM_SETUP_* flags.
//   a0: KVM VM fd (memory-slot ioctls go here; their results are unchecked)
//   a1: KVM vCPU fd
//   a2: host pointer to the backing memory for the guest physical space
//   a3: pointer to an array of struct kvm_text; only element 0 is used
//   a4: number of kvm_text entries (read but ignored, see (void)text_count)
//   a5: KVM_SETUP_* flags
//   a6: pointer to an array of struct kvm_opt
//   a7: number of kvm_opt entries
// Returns 0 on success and -1 when one of the checked vCPU register ioctls
// fails. The guest layout (ADDR_* constants) is hard-coded and guest_mem is 0,
// so every guest physical address is also an offset into a2.
// Note that text_array_ptr[0] is dereferenced without consulting text_count;
// the caller must supply at least one entry.
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
	const int vmfd = a0;
	const int cpufd = a1;
	char* const host_mem = (char*)a2;
	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
	const uintptr_t text_count = a4;
	const uintptr_t flags = a5;
	const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
	uintptr_t opt_count = a7;
	const uintptr_t page_size = 4 << 10;
	const uintptr_t ioapic_page = 10;
	// 24 pages (96K) of guest physical memory, one memory slot per page.
	const uintptr_t guest_mem_size = 24 * page_size;
	const uintptr_t guest_mem = 0;
	(void)text_count;
	int text_type = text_array_ptr[0].typ;
	const void* text = text_array_ptr[0].text;
	uintptr_t text_size = text_array_ptr[0].size;
	// Map host_mem page by page; the slot at index ioapic_page is placed at
	// the IOAPIC address instead of its identity position (see next line).
	for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
		struct kvm_userspace_memory_region memreg;
		memreg.slot = i;
		memreg.flags = 0;
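// (continuation of the per-page memory-slot loop opened above)
		memreg.guest_phys_addr = guest_mem + i * page_size;
		// Page 10 is mapped at the IOAPIC physical address rather than at
		// its identity position.
		if (i == ioapic_page)
			memreg.guest_phys_addr = 0xfec00000;
		memreg.memory_size = page_size;
		memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
		// Return value intentionally unchecked (generated fuzzer code).
		ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	}
	// One extra 64K slot (in address space 1, slot 1 + (1 << 16)) at 0x30000
	// backed by the start of host_mem; this is the SMM region KVM_SMI enters.
	struct kvm_userspace_memory_region memreg;
	memreg.slot = 1 + (1 << 16);
	memreg.flags = 0;
	memreg.guest_phys_addr = 0x30000;
	memreg.memory_size = 64 << 10;
	memreg.userspace_addr = (uintptr_t)host_mem;
	ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
	// Start from the vCPU's current special registers and only tweak them.
	struct kvm_sregs sregs;
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return -1;
	struct kvm_regs regs;
	memset(&regs, 0, sizeof(regs));
	regs.rip = guest_mem + ADDR_TEXT;
	regs.rsp = ADDR_STACK0;
	// GDT and LDT each hold 256 8-byte entries inside guest memory.
	sregs.gdt.base = guest_mem + ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
	struct kvm_segment seg_ldt;
	seg_ldt.selector = SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = guest_mem + ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
	// Code/data segments: one flat 0..0xfffff pair per mode (16/32/64-bit),
	// each with a CPL0 and a CPL3 (dpl = 3) variant derived by copying.
	struct kvm_segment seg_cs16;
	seg_cs16.selector = SEL_CS16;
	seg_cs16.type = 11;
	seg_cs16.base = 0;
	seg_cs16.limit = 0xfffff;
	seg_cs16.present = 1;
	seg_cs16.dpl = 0;
	seg_cs16.s = 1;
	seg_cs16.g = 0;
	seg_cs16.db = 0;
	seg_cs16.l = 0;
	struct kvm_segment seg_ds16 = seg_cs16;
	seg_ds16.selector = SEL_DS16;
	seg_ds16.type = 3;
	struct kvm_segment seg_cs16_cpl3 = seg_cs16;
	seg_cs16_cpl3.selector = SEL_CS16_CPL3;
	seg_cs16_cpl3.dpl = 3;
	struct kvm_segment seg_ds16_cpl3 = seg_ds16;
	seg_ds16_cpl3.selector = SEL_DS16_CPL3;
	seg_ds16_cpl3.dpl = 3;
	struct kvm_segment seg_cs32 = seg_cs16;
	seg_cs32.selector = SEL_CS32;
	seg_cs32.db = 1;
	struct kvm_segment seg_ds32 = seg_ds16;
	seg_ds32.selector = SEL_DS32;
	seg_ds32.db = 1;
	struct kvm_segment seg_cs32_cpl3 = seg_cs32;
	seg_cs32_cpl3.selector = SEL_CS32_CPL3;
	seg_cs32_cpl3.dpl = 3;
	struct kvm_segment seg_ds32_cpl3 = seg_ds32;
	seg_ds32_cpl3.selector = SEL_DS32_CPL3;
	seg_ds32_cpl3.dpl = 3;
	struct kvm_segment seg_cs64 = seg_cs16;
	seg_cs64.selector = SEL_CS64;
	seg_cs64.l = 1;
	struct kvm_segment seg_ds64 = seg_ds32;
	seg_ds64.selector = SEL_DS64;
	struct kvm_segment seg_cs64_cpl3 = seg_cs64;
	seg_cs64_cpl3.selector = SEL_CS64_CPL3;
	seg_cs64_cpl3.dpl = 3;
	struct kvm_segment seg_ds64_cpl3 = seg_ds64;
	seg_ds64_cpl3.selector = SEL_DS64_CPL3;
	seg_ds64_cpl3.dpl = 3;
	// TSS descriptors; the TSS images themselves are filled in further down.
	struct kvm_segment seg_tss32;
	seg_tss32.selector = SEL_TSS32;
	seg_tss32.type = 9;
	seg_tss32.base = ADDR_VAR_TSS32;
	seg_tss32.limit = 0x1ff;
	seg_tss32.present = 1;
	seg_tss32.dpl = 0;
	seg_tss32.s = 0;
	seg_tss32.g = 0;
	seg_tss32.db = 0;
	seg_tss32.l = 0;
	struct kvm_segment seg_tss32_2 = seg_tss32;
	seg_tss32_2.selector = SEL_TSS32_2;
	seg_tss32_2.base = ADDR_VAR_TSS32_2;
	struct kvm_segment seg_tss32_cpl3 = seg_tss32;
	seg_tss32_cpl3.selector = SEL_TSS32_CPL3;
	seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3;
	struct kvm_segment seg_tss32_vm86 = seg_tss32;
	seg_tss32_vm86.selector = SEL_TSS32_VM86;
	seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86;
	struct kvm_segment seg_tss16 = seg_tss32;
	seg_tss16.selector = SEL_TSS16;
	seg_tss16.base = ADDR_VAR_TSS16;
	seg_tss16.limit = 0xff;
	seg_tss16.type = 1;
	struct kvm_segment seg_tss16_2 = seg_tss16;
	seg_tss16_2.selector = SEL_TSS16_2;
	seg_tss16_2.base = ADDR_VAR_TSS16_2;
	seg_tss16_2.dpl = 0;
	struct kvm_segment seg_tss16_cpl3 = seg_tss16;
	seg_tss16_cpl3.selector = SEL_TSS16_CPL3;
	seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3;
	seg_tss16_cpl3.dpl = 3;
	struct kvm_segment seg_tss64 = seg_tss32;
	seg_tss64.selector = SEL_TSS64;
	seg_tss64.base = ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;
	struct kvm_segment seg_tss64_cpl3 = seg_tss64;
	seg_tss64_cpl3.selector = SEL_TSS64_CPL3;
	seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3;
	seg_tss64_cpl3.dpl = 3;
	// Call and task gates. For gates, `base` carries the target selector (and,
	// for call gates, the parameter count in bits 16-23) and `limit` the offset.
	struct kvm_segment seg_cgate16;
	seg_cgate16.selector = SEL_CGATE16;
	seg_cgate16.type = 4;
	seg_cgate16.base = SEL_CS16 | (2 << 16);
	seg_cgate16.limit = ADDR_VAR_USER_CODE2;
	seg_cgate16.present = 1;
	seg_cgate16.dpl = 0;
	seg_cgate16.s = 0;
	seg_cgate16.g = 0;
	seg_cgate16.db = 0;
	seg_cgate16.l = 0;
	seg_cgate16.avl = 0;
	struct kvm_segment seg_tgate16 = seg_cgate16;
	seg_tgate16.selector = SEL_TGATE16;
	seg_tgate16.type = 3;
	// NOTE(review): this assigns seg_cgate16.base, not seg_tgate16.base, so the
	// 16-bit task gate keeps the call gate's target and the call gate is
	// retargeted to SEL_TSS16_2 (and seg_cgate32/seg_cgate64 inherit that
	// through the copies below). Looks like a copy/paste slip in the
	// generator; left unchanged so the guest state matches upstream.
	seg_cgate16.base = SEL_TSS16_2;
	seg_tgate16.limit = 0;
	struct kvm_segment seg_cgate32 = seg_cgate16;
	seg_cgate32.selector = SEL_CGATE32;
	seg_cgate32.type = 12;
	seg_cgate32.base = SEL_CS32 | (2 << 16);
	struct kvm_segment seg_tgate32 = seg_cgate32;
	seg_tgate32.selector = SEL_TGATE32;
	seg_tgate32.type = 11;
	seg_tgate32.base = SEL_TSS32_2;
	seg_tgate32.limit = 0;
	struct kvm_segment seg_cgate64 = seg_cgate16;
	seg_cgate64.selector = SEL_CGATE64;
	seg_cgate64.type = 12;
	seg_cgate64.base = SEL_CS64;
	// Copy the host-supported CPUID leaves into the vCPU (up to 128 entries).
	// open() failure is not checked; the ioctls would then simply fail.
	int kvmfd = open("/dev/kvm", O_RDWR);
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
	cpuid->nent = 128;
	ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
	ioctl(cpufd, KVM_SET_CPUID2, cpuid);
	close(kvmfd);
	// text_prefix is a mode-switching machine-code stub copied in front of the
	// fuzzer text; host_text is where that text goes in host memory.
	const char* text_prefix = 0;
	int text_prefix_size = 0;
	char* host_text = host_mem + ADDR_TEXT;
	if (text_type == 8) {
		// Real mode / vm86 / SMM.
		if (flags & KVM_SETUP_SMM) {
			if (flags & KVM_SETUP_PROTECTED) {
				sregs.cs = seg_cs16;
				sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
				sregs.cr0 |= CR0_PE;
			} else {
				sregs.cs.selector = 0;
				sregs.cs.base = 0;
			}
			// Park the normal entry point on HLT (0xf4) and place the text at
			// the SMM entry offset, then request an SMI.
			*(host_mem + ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_VIRT86) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			sregs.cr0 |= CR0_PE;
			sregs.efer |= EFER_SCE;
			setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3);
			setup_32bit_idt(&sregs, host_mem, guest_mem);
			if (flags & KVM_SETUP_PAGING) {
				// Single 4M page-size PDE identity-mapping guest address 0.
				uint64_t pd_addr = guest_mem + ADDR_PD;
				uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
				pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS;
				sregs.cr3 = pd_addr;
				sregs.cr4 |= CR4_PSE;
				text_prefix = kvm_asm32_paged_vm86;
				text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
			} else {
				text_prefix = kvm_asm32_vm86;
				text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
			}
		} else {
			sregs.cs.selector = 0;
			sregs.cs.base = 0;
		}
	} else if (text_type == 16) {
		if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
			text_prefix = kvm_asm16_cpl3;
			text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
		} else {
			sregs.cr0 |= CR0_PE;
			sregs.cs = seg_cs16;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
		}
	} else if (text_type == 32) {
		sregs.cr0 |= CR0_PE;
		sregs.efer |= EFER_SCE;
		setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3);
		setup_32bit_idt(&sregs, host_mem, guest_mem);
		if (flags & KVM_SETUP_SMM) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			*(host_mem + ADDR_TEXT) = 0xf4;
			host_text = host_mem + 0x8000;
			ioctl(cpufd, KVM_SMI, 0);
		} else if (flags & KVM_SETUP_PAGING) {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
			uint64_t pd_addr = guest_mem + ADDR_PD;
			uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
			pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS;
			sregs.cr3 = pd_addr;
			sregs.cr4 |= CR4_PSE;
			text_prefix = kvm_asm32_paged;
			text_prefix_size = sizeof(kvm_asm32_paged) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			sregs.cs = seg_cs32_cpl3;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
		} else {
			sregs.cs = seg_cs32;
			sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		}
	} else {
		// 64-bit: the vCPU starts in 32-bit protected mode with LME set and
		// the prefix stub enables paging to enter long mode. The page tables
		// identity-map guest address 0 through one 2M PDE.
		sregs.efer |= EFER_LME | EFER_SCE;
		sregs.cr0 |= CR0_PE;
		setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3);
		setup_64bit_idt(&sregs, host_mem, guest_mem);
		sregs.cs = seg_cs32;
		sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
		uint64_t pml4_addr = guest_mem + ADDR_PML4;
		uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4);
		uint64_t pdpt_addr = guest_mem + ADDR_PDP;
		uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP);
		uint64_t pd_addr = guest_mem + ADDR_PD;
		uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
		pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr;
		pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr;
		pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS;
		sregs.cr3 = pml4_addr;
		sregs.cr4 |= CR4_PAE;
		if (flags & KVM_SETUP_VM) {
			// Nested VMX: stash the VMXON/VMCS region pointers and the
			// VM-exit handler stub where kvm_asm64_init_vm expects them.
			sregs.cr0 |= CR0_NE;
			*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON;
			*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS;
			memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1);
			*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE;
			text_prefix = kvm_asm64_init_vm;
			text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
		} else if (flags & KVM_SETUP_CPL3) {
			text_prefix = kvm_asm64_cpl3;
			text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
		} else {
			text_prefix = kvm_asm64_enable_long;
			text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
		}
	}
	// TSS images. Each is built on the stack and memcpy'd to the guest address
	// recorded in the matching descriptor; the host pointers are kept because
	// the option loop below may flip bits in their `flags` fields.
	// flags bit 1 is the always-set reserved EFLAGS bit.
	struct tss16 tss16;
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0;
	tss16.ip = ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = SEL_CS16;
	tss16.es = tss16.ds = tss16.ss = SEL_DS16;
	tss16.ldt = SEL_LDT;
	struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
	memcpy(tss16_addr, &tss16, sizeof(tss16));
	memset(&tss16, 0, sizeof(tss16));
	tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16;
	tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0;
	tss16.ip = ADDR_VAR_USER_CODE2;
	tss16.flags = (1 << 1);
	tss16.cs = SEL_CS16_CPL3;
	tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3;
	tss16.ldt = SEL_LDT;
	struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base);
	memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));
	// First 32-bit TSS is the vm86 one: EFLAGS bit 17 (VM) set, no segment
	// selectors. It lives at the seg_tss32_vm86 base.
	struct tss32 tss32;
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0;
	tss32.ip = ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1) | (1 << 17);
	tss32.ldt = SEL_LDT;
	tss32.cr3 = sregs.cr3;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
	memcpy(tss32_addr, &tss32, sizeof(tss32));
	// Second 32-bit TSS (at the seg_tss32_2 base) is a plain protected-mode
	// task; the variable name says cpl3 but it uses the CPL0 selectors.
	memset(&tss32, 0, sizeof(tss32));
	tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32;
	tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0;
	tss32.ip = ADDR_VAR_USER_CODE;
	tss32.flags = (1 << 1);
	tss32.cr3 = sregs.cr3;
	tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32;
	tss32.cs = SEL_CS32;
	tss32.ldt = SEL_LDT;
	tss32.cr3 = sregs.cr3;
	tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
	struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
	memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));
	struct tss64 tss64;
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = ADDR_STACK0;
	tss64.rsp[1] = ADDR_STACK0;
	tss64.rsp[2] = ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
	memcpy(tss64_addr, &tss64, sizeof(tss64));
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = ADDR_STACK0;
	tss64.rsp[1] = ADDR_STACK0;
	tss64.rsp[2] = ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
	memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));
	// Cap the untrusted text length so the copies below stay inside the
	// mapped guest memory (host_text is at offset 0 or 0x8000, the second
	// copy at ADDR_VAR_USER_CODE).
	if (text_size > 1000)
		text_size = 1000;
	if (text_prefix) {
		memcpy(host_text, text_prefix, text_prefix_size);
		// The stubs contain two placeholders that are patched with guest
		// addresses once the final layout is known: the 32-bit marker
		// 0x0badc0de is replaced by the address 6 bytes past itself
		// (presumably a far-jump target), and the 16-bit PREFIX_SIZE marker
		// by the address where the fuzzer text begins.
		void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
		if (patch)
			*((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6;
		uint16_t magic = PREFIX_SIZE;
		patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
		if (patch)
			*((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size;
	}
	// Fuzzer text follows the prefix and is terminated by HLT (0xf4); a second
	// copy at ADDR_VAR_USER_CODE is the target of the TSS/gate entries.
	memcpy((void*)(host_text + text_prefix_size), text, text_size);
	*(host_text + text_prefix_size + text_size) = 0xf4;
	memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size);
	*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4;
	*(host_mem + ADDR_VAR_HLT) = 0xf4;
	// sysret; hlt  and  sysexit; hlt  landing pads for the syscall MSRs.
	memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
	memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);
	*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0;
	*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0;
	// Apply at most two fuzzer-chosen tweaks to the initial state. `typ % 9`
	// is always in 0..8, so the default branch is unreachable in practice.
	if (opt_count > 2)
		opt_count = 2;
	for (uintptr_t i = 0; i < opt_count; i++) {
		uint64_t typ = opt_array_ptr[i].typ;
		uint64_t val = opt_array_ptr[i].val;
		switch (typ % 9) {
		case 0:
			// Toggle CR0 bits, excluding PE/PG which the mode setup fixed.
			sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD);
			break;
		case 1:
			sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE);
			break;
		case 2:
			sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE);
			break;
		case 3:
			// Toggle selected EFLAGS bits in the initial RFLAGS and in every
			// TSS image already written to guest memory.
			val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
			regs.rflags ^= val;
			tss16_addr->flags ^= val;
			tss16_cpl3_addr->flags ^= val;
			tss32_addr->flags ^= val;
			tss32_cpl3_addr->flags ^= val;
			break;
		case 4:
			seg_cs16.type = val & 0xf;
			seg_cs32.type = val & 0xf;
			seg_cs64.type = val & 0xf;
			break;
		case 5:
			seg_cs16_cpl3.type = val & 0xf;
			seg_cs32_cpl3.type = val & 0xf;
			seg_cs64_cpl3.type = val & 0xf;
			break;
		case 6:
			seg_ds16.type = val & 0xf;
			seg_ds32.type = val & 0xf;
			seg_ds64.type = val & 0xf;
			break;
		case 7:
			seg_ds16_cpl3.type = val & 0xf;
			seg_ds32_cpl3.type = val & 0xf;
			seg_ds64_cpl3.type = val & 0xf;
			break;
		case 8:
			// VMWRITE field/value consumed by the nested-VMX init stub.
			*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
			*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16);
			break;
		default:
			exit(1);
		}
	}
	// Reserved EFLAGS bit 1 must read as 1.
	regs.rflags |= 2;
	// Descriptors are emitted last so that the option loop's `type` edits are
	// reflected in the tables.
	fill_segment_descriptor(gdt, ldt, &seg_ldt);
	fill_segment_descriptor(gdt, ldt, &seg_cs16);
	fill_segment_descriptor(gdt, ldt, &seg_ds16);
	fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs32);
	fill_segment_descriptor(gdt, ldt, &seg_ds32);
	fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cs64);
	fill_segment_descriptor(gdt, ldt, &seg_ds64);
	fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
	fill_segment_descriptor(gdt, ldt, &seg_tss16);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
	fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
	fill_segment_descriptor(gdt, ldt, &seg_cgate16);
	fill_segment_descriptor(gdt, ldt, &seg_tgate16);
	fill_segment_descriptor(gdt, ldt, &seg_cgate32);
	fill_segment_descriptor(gdt, ldt, &seg_tgate32);
	fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
	if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
		return -1;
	if (ioctl(cpufd, KVM_SET_REGS, &regs))
		return -1;
	return 0;
}

// Resource table filled in by main: r[0] = /dev/kvm fd, r[1] = VM fd,
// r[2] = vCPU fd. All-ones means "not created".
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

// Reproducer entry point (continues past this block). Maps the fixed scratch
// regions the generated program uses (0x32 = MAP_PRIVATE|MAP_ANONYMOUS|
// MAP_FIXED, prot 7 = RWX for the main region), opens /dev/kvm and issues
// KVM_CREATE_VM (0xae01) and KVM_CREATE_VCPU (0xae41) through raw syscalls.
// Every syscall result is taken as-is; -1 simply leaves the r[] slot unset.
int main(void)
{
	syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
	intptr_t res = 0;
	memcpy((void*)0x20000000, "/dev/kvm\000", 9);
	res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000000ul, /*flags=*/0ul, /*mode=*/0ul);
	if (res != -1)
		r[0] = res;
	res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul);
	if (res != -1)
		r[1] = res;
	res = syscall(__NR_ioctl,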
/*fd=*/r[1], /*cmd=*/0xae41, /*id=*/0ul); if (res != -1) r[2] = res; *(uint64_t*)0x20000040 = 0x40; *(uint64_t*)0x20000048 = 0; *(uint64_t*)0x20000050 = 0; syz_kvm_setup_cpu(/*fd=*/-1, /*cpufd=*/r[2], /*usermem=*/0x2003d000, /*text=*/0x20000040, /*ntext=*/1, /*flags=*/0, /*opts=*/0, /*nopt=*/0); *(uint16_t*)0x20000480 = 0; *(uint16_t*)0x20000482 = 0; *(uint32_t*)0x20000484 = 0x80; *(uint64_t*)0x20000488 = 0; *(uint64_t*)0x20000490 = 0; *(uint16_t*)0x20000498 = 0; memcpy( (void*)0x20000500, "\x0b\xa9\xc1\xb2\xa1\xfe\xa6\x85\x89\x70\xc9\xc8\x3a\x62\xee\x9d\xae\x91" "\x10\x15\x53\x7c\xbc\x14\xf9\x70\x5e\xf8\xba\xa2\xdd\x67\x05\x6f\x13\x28" "\x94\xf1\xe5\x92\x6a\xe5\x43\x9c\x4e\x21\xf6\x00\xfb\xa5\x54\x46\xac\x47" "\x09\xfb\x31\xda\x14\x36\x9e\xd1\x69\x2f\x8c\x85\x1b\x9c\x6b\x79\xb6\xe6" "\xfe\x7c\x49\xab\xde\x54\xb5\x75\xca\xd3\xf8\x5c\x50\x85\xed\x7e\xe0\xa9" "\xbd\xa9\xcc\x27\x0d\x0c\xc1\x1f\x4b\xc5\xf5\x12\x37\xf1\xe4\xe8\x5b\xbc" "\xd3\x74\x1f\xb2\x44\x32\x88\xed\x62\x5f\xdf\xc0\xf6\x00\xff\xf9\x5e\x13" "\x64\xba\x78\xfa\xae\x90\xef\x6d\xe4\xf6\x01\xa0\xa1\x67\x82\x25\x8f\xe9" "\x5a\x8f\xc9\xaa\xae\x65\x6d\x1a\x58\x2d\xe0\x45\x9a\x2c\xd6\x2b\xe8\x79" "\xf5\x4e\xea\x8b\x2b\xe4\x9a\x55\x1c\x2b\x71\x4d\x8d\x45\xd5\x11\x8e\xc1" "\x09\x74\x95\xdc\x04\xfd\x79\xf0\x5a\x0f\xf7\xa8\x8b\x74\xa7\x64\x74\xe0" "\xae\xf5\x09\x6e\x1e\x0e\x37\x71\x4f\xa6\xa5\xee\x0d\x28\xee\xb4\xd8\x86" "\x6f\xfb\x63\x90\xae\x0d\xcc\x2f\x88\x13\x4d\x40\x77\x00\xf8\xb9\x24\xe6" "\xbd\x36\xaa\x86\xf4\x52\x31\x1c\xc4\x19\x04\xc3\xc7\xb3\x6c\x15\x11\xf2" "\x2e\x6a\xf2\xe5\x9a\x8e\x1f\x4e\xb2\xdb\x59\x04\x49\x42\x8d\x21\xec\x79" "\xb2\x93\x70\xb4\x77\xa2\x33\x04\x43\x56\x95\xe4\x73\x33\xbd\xe4\xa3\x3d" "\x89\x0e\xc6\xd3\x31\x6f\x85\x1e\x04\xb4\x5c\x84\xb3\xf1\xf1\x84\x7a\xf5" "\xe8\x10\x06\x28\x39\x91\x15\x16\x65\xc2\x99\xf7\x7e\x77\xab\xc6\xa0\x97" "\x3c\x65\x66\xa7\xfe\x05\xf0\x3a\xbd\xe3\xcd\xf6\x67\x33\x29\x75\x00\xce" "\xb5\x3e\xb7\xc8\x49\xa1\x49\xda\x5a\xe8\xb7\xd5\x63\x12\xe2\x28\x54\x80" 
"\xb6\x7e\x26\xa0\xa9\x7c\xd6\xe7\xb1\xa8\x1c\xdf\xb4\x81\xf0\xa9\xd6\x51" "\x4b\x60\x7c\x19\x7c\xef\xc2\x5c\x83\xc2\x72\x9b\x51\x41\xf2\xa0\xf4\x21" "\x1d\xdf\x53\x88\x0d\xda\x5b\x3c\xfa\x67\x72\x51\x89\x78\x59\x9c\xe1\xd6" "\x51\x76\xad\xd7\x4a\x55\xa5\xf8\x0d\xe7\x60\xc2\xe4\xad\x90\xb0\x89\xec" "\xd9\x92\x87\x0e\x32\xf7\x6b\x1a\xf2\x3f\xc2\xae\x56\x2e\x59\x13\x10\xd9" "\xe8\x35\x56\xab\x1c\x7d\xee\x03\xc1\x4c\x69\xda\xb6\xf2\x4a\x4e\x41\x25" "\x8c\x1c\xf3\x9c\x35\x37\x12\x00\x6f\xae\xb1\x4f\xf7\x16\xb6\xac\x4c\x8f" "\x51\x00\x16\x28\x30\xbf\x0f\x1a\xaa\x78\x26\x9e\xee\xec\x86\x61\xc0\xb7" "\x31\xb1\x37\x8c\xaa\x07\x7e\xc7\x1e\x3e\x57\x21\x05\x43\xe7\x8e\xe6\x8f" "\xde\xd4\x0a\xae\xb8\x29\xd6\x64\xbd\xbf\xf8\x90\xa2\xec\x94\x90\xac\xf3" "\xaa\x0d\xc7\x45\xf6\x0a\xe1\x9b\x8d\xe4\xc4\x6e\x51\x9e\x5c\xcb\x7c\xf5" "\x2a\x7a\x96\x34\xfe\x16\xc2\x91\x68\x99\xae\xa9\x63\x2a\xa2\xda\xe3\x21" "\xf6\xbc\x13\x22\x94\x47\x0c\xe3\xc4\xea\xb9\xca\x56\x0a\x77\xba\xdb\x17" "\x96\xa8\x9b\xab\xce\x09\x57\x9a\x0b\x1b\xcd\x1b\x52\xd9\xa0\x28\xe5\xcb" "\x73\xa7\x54\x3f\xaf\x81\x91\x84\x03\x37\x78\x08\x7a\xc7\xea\xb6\x8e\x9f" "\x3d\x4e\xf0\x15\x76\xe0\x42\x86\xe4\xdb\x57\xc4\xd1\xb1\xd1\x9a\x14\x5b" "\x8e\x1a\xee\x99\x81\x73\x19\x78\x94\x16\xa2\x30\x09\x7c\x96\x82\x1c\x07" "\xd6\x93\xf3\x87\x0f\xdf\x0d\x29\x77\xc6\xb5\xb0\x4e\x70\xce\xd2\x23\x37" "\xf1\x96\x4c\x1b\x4a\xa6\x33\x9a\xdb\x92\x76\xee\x90\x1e\x6b\xb1\xd4\x9e" "\xbd\x4a\x0c\x25\x58\x7d\x20\x69\xe8\x4f\x03\x4d\xfc\x96\x22\x76\xe0\x9d" "\x45\x99\xc6\x4a\x94\x35\x6c\x13\x7d\xed\xfc\x1f\x60\xce\x94\x2e\xec\xf9" "\xdf\x30\x93\x70\x12\xf5\x3d\xd7\x9e\x94\x25\xff\x98\x0c\xde\xc0\xc1\x64" "\x12\xb9\xa9\xa9\x2d\xf6\x6d\xcb\xeb\xe6\x45\x92\xf2\x1b\xec\xd8\x77\xb2" "\x46\x5a\x0c\x4d\xdc\xa9\xd9\x37\x4d\x54\xd8\xad\xff\x61\x96\x9b\x1f\xeb" "\x8b\x60\x80\x38\xe3\x01\x56\x43\x9d\x7e\xc8\x31\x9f\xa7\x85\xab\x5b\xb2" "\x9e\xe3\x64\xf9\xb4\x6c\x33\x03\x33\xcf\x50\x66\x6a\x33\x69\xb4\x2e\x0b" 
"\xd8\x49\x24\xb2\x8e\xe4\x75\x76\x17\xba\x4a\x8d\x7f\x6b\xe0\x0d\xb1\x97" "\x2c\x15\x3e\xbb\xd6\x18\xe6\x5c\xfb\x78\xf8\xd5\xdd\xe7\x34\x48\xef\x12" "\x48\xfb\x65\x49\x83\xf5\xaf\x17\x4c\xe4\xbc\xf7\x95\x80\xaf\xc2\x8d\x18" "\xcb\x19\xcf\xb7\xfe\xea\x23\x23\xb4\x4e\x68\xa6\x74\x01\x17\x40\x9b\x1c" "\x26\x13\xbd\x42\x02\x4d\x99\x2a\xd2\x34\x0b\x5e\xd1\x3f\xd5\xd7\xda\x0b" "\x2c\x29\x71\xf3\xdc\x87\x91\xff\xea\xc4\x3e\x35\xad\xdf\x96\x6f\x23\x95" "\x88\x0c\x41\x94\x76\xc1\x7e\x76\x13\x36\x9e\x77\x95\x6b\xef\x05\x39\x17" "\x74\x6d\x12\x4b\x7f\x03\xf1\xad\xb8\x15\xc3\x30\x13\x2d\x6c\xb7\xbe\x15" "\x2d\xaa\x86\x6f\xf3\x29\x04\x0d\xfe\x11\x12\xbe\xa1\x4e\xad\x78\xaf\x9f" "\x65\xa2\xf9\xc9\x5b\x39\xe6\xe6\x77\x5e\xb4\x71\x0f\x1a\xff\xb3\x56\xa2" "\x09\x48\x35\xd9\x98\x05\xc2\x9c\x6e\x96\x74\x80\x6b\x76\x76\x45\xe3\x28" "\x16\x66\x5d\x1f\xa1\x0a\x6b\x12\xa3\xfe\x7b\x75\xd2\x1f\x25\x79\x2a\x1f" "\xd0\xe3\xcc\x38\x9a\xcf\xfc\x33\xd7\x32\x4a\x5d\x2e\xc1\xe2\x56\x0d\xb3" "\x18\x0d\xef\x4d\xac\xea\x13\x9a\xf4\xa1\x92\xdf\xa4\x54\x4d\x93\x43\xbb" "\xe3\x6d\xb3\x0e\x92\x16\x49\xab\x83\xea\xb0\x7f\x5f\xa1\x66\x80\x5b\x9a" "\x74\x3e\x25\x83\xc1\x4b\x51\x7d\xd1\xfc\xd8\xd7\x72\x7c\x3e\xb7\xf7\x8a" "\x15\x2f\x5f\x4a\x53\x95\xdd\xdc\x5c\xcd\xeb\xe2\x08\xd7\xaa\xe7\x95\xec" "\x71\xc6\x77\x05\xba\x5e\xd9\x26\xe2\x44\xa8\xf8\xd8\x66\x05\x5c\xc5\xa5" "\xcd\x6f\xb3\x59\xfd\x93\x25\x50\x88\x7f\xee\x31\x44\x92\x21\x0b\x36\x16" "\x57\x5d\xae\x8e\xac\x6b\xeb\x66\x78\x3c\x04\xb6\x55\x01\x1b\xe5\x62\x6a" "\x1f\xe6\xee\xf0\x14\x2a\xbe\x32\x92\x09\xba\xc6\xdb\xd4\xdd\x49\x8b\x64" "\x78\x7a\x2f\x93\x28\x0f\xaf\xc9\x9a\x1e\x9f\xf8\x02\x12\x1f\xe9\xaa\x9e" "\x86\xca\x9c\x77\xa4\x8a\x54\xf9\xcb\xdb\x64\x46\xb5\x01\x7e\x03\x42\xe3" "\x97\x01\x9b\x11\x86\xdd\x33\xc4\xda\xd6\xa8\x12\x6c\xa0\xd9\x8f\xe7\x2f" "\xec\xc8\x18\xf9\xb9\x9c\xf9\x64\xb5\x7c\x68\x94\x66\x8b\x04\x03\xa2\x0f" "\x93\x63\xcb\x80\x0f\xeb\x8a\xe6\x76\x90\x6f\x91\xce\x65\x17\xb7\x92\xc0" 
"\xeb\x16\xc3\xf1\xf8\xd4\x0e\x31\x28\xd7\xc3\x77\x9c\x39\xbf\xde\x44\x7e" "\xf6\x4a\x88\xb8\x32\xd0\x85\x96\x65\x1f\xa9\xb7\xd0\x90\xf7\xf5\x0b\x76" "\x8c\x79\xc6\x95\xfb\xec\x6d\x0c\xb8\xa8\xc9\xe1\x9a\x72\x10\x37\xc5\x60" "\x89\x80\x93\x82\x02\xd8\x0e\x2a\x22\x27\x6c\x44\x4e\xc2\x39\x09\x4a\x94" "\x77\xc8\x65\x60\x24\x6a\x16\xb3\x67\x3e\x56\x48\xae\x1e\x32\x7f\xca\x1b" "\x60\xd1\xc1\x62\x84\x38\xf8\x53\xf7\x73\x77\x7b\xb8\x77\x43\x89\x10\x8e" "\xe9\xec\x30\x0f\x45\x40\x37\x5a\x05\x5f\xd1\x3d\xf7\x46\xdc\x3c\x60\xba" "\xc9\xf8\xa9\x00\x3f\x03\xbf\x68\xc6\x8f\x04\xb7\x8a\xc6\x7b\x69\x45\xb0" "\xf0\xac\x8c\x6f\x18\xf9\x1b\x2c\xd7\xcb\x73\x29\xd4\x31\xcb\x93\xbc\xf1" "\xfe\x48\xc7\x1b\x5f\xe7\xc6\xf1\x11\xf2\x7b\x82\x1b\x03\xc1\x41\x1e\x61" "\x3e\x3b\x7c\xc4\x5f\xeb\x8b\xbd\x8f\x5e\x8c\x28\x36\x6a\x12\xd1\xc9\x1d" "\xd4\xce\xc1\x3b\x19\x05\x1e\x19\x8c\x6b\x3a\x66\xf8\x8a\x5a\x72\x43\x80" "\x51\xdb\x0e\x6a\x35\xa7\x70\x58\x1d\x09\x9c\xb5\xe1\xd4\x3c\xde\x94\xb5" "\x17\x79\x2f\xd6\x8c\x56\x2f\x67\x7b\x90\xd4\xd8\x11\xf1\xa1\xa8\x1f\x7b" "\xc4\x20\x85\xa6\x9a\x6a\xf8\xa4\x56\x79\xec\xaf\xa7\xe3\xff\xe0\xb1\x96" "\xbb\x84\x6d\xa4\x2c\x87\x21\x0c\x01\x7b\xe8\xe7\xec\xf1\x22\x22\xa8\xb3" "\x07\x49\x8c\xf5\x5b\x9a\x77\xd4\x1e\x33\x0f\x14\xbf\x0e\x5a\xc9\x59\x52" "\x2e\xf2\x5d\x04\xd8\x7b\x07\x0b\x06\x6c\xc0\x0e\x4b\xd2\x29\xd0\x4b\xa8" "\x3c\x87\xfc\xf7\x17\x07\x02\x6d\x4f\x84\x70\x05\x50\x83\xaa\xac\xe2\xda" "\x14\xb6\xa7\x1a\xc7\xe0\xd5\xf6\x8a\x3b\x2d\x91\x5d\x26\x2b\x7b\x57\xcc" "\x4e\xc6\x4e\x37\x03\x0c\xc0\xb2\xf9\xda\xa9\x04\x26\x90\x89\xa8\xc4\xef" "\x74\x23\x29\xdd\x8d\xc2\xee\xe9\x94\x84\xee\x48\x1a\xb5\xab\xaa\x55\x6e" "\x52\xa9\x66\x4c\xe3\x59\x80\x9e\xa4\x26\xe9\x22\x29\x79\xf5\xb0\x49\x3c" "\xb5\x97\x2e\xc1\xa8\x65\x47\x8b\x75\x5a\xe3\xcf\x56\x88\x59\x33\x7c\x1e" "\x28\x99\xcd\x5a\x15\xb2\xfe\x68\xbe\x70\xd9\xa7\xdf\xec\x49\x92\x09\x7c" "\x9f\xf7\x87\x21\x7f\x25\xbd\x38\x52\x91\x1a\x55\x04\x5a\x97\xea\xc4\x0f" 
"\x65\xef\x6d\x5d\x4d\xaf\x6d\x5d\x98\x3f\x25\xc2\x81\x91\xc4\xa6\x19\x06" "\xde\x2f\xe6\xc9\x18\x12\x20\x8a\xa8\x8c\x3d\x7f\x73\xbb\x9c\xd0\xc5\x50" "\x09\x52\xe8\xaa\x82\xea\x9d\x68\x2b\x0c\xb0\x06\xf5\x4d\x53\x41\x84\xc9" "\xb7\xce\x45\x5f\x3f\x25\x9f\x9c\x7c\x17\x8e\x01\x17\x72\x79\x44\x5a\xa4" "\x6b\x05\x8f\x86\x5f\xd2\xeb\xe1\x88\xa0\x10\x44\x5e\x80\xe8\x88\x03\xa9" "\x00\xdc\x77\xe2\x1f\x34\x08\xc8\x3b\x50\x63\x05\x63\xfb\xdd\xd7\x08\x13" "\x66\x53\xb7\xe3\x6e\xc5\x98\x3e\x06\x0c\x0e\xa8\x7c\x53\x71\x17\x53\x38" "\xbb\xd5\x8f\xb2\x17\x6b\x89\xe5\x6c\x19\x24\xe2\x45\x5c\x1b\x14\x75\xa3" "\x80\xf0\x0c\x3d\x8e\x6a\x92\x63\x1a\x95\xd5\xce\xba\x24\xdb\xe5\xdf\x5e" "\x4b\xdd\x63\xb3\xe5\xf7\xef\xd3\x9c\xb7\xa7\x05\x51\x36\x7d\xed\x26\x85" "\x94\x31\xfc\x2c\xcc\xf2\xbf\x27\x35\xff\x20\x5a\xe5\x78\xc9\xad\x37\xad" "\x83\x63\x99\x74\xd1\xd2\x90\x32\x1c\xba\xa7\xef\xbb\x60\xeb\x8e\xd9\x19" "\x1a\x5f\xf0\x1c\xd5\x84\x0a\x57\x84\x79\x0a\x3f\x75\x43\xa0\x18\xeb\xdd" "\x6b\x74\x72\x20\x0d\x45\xd6\xce\x29\x41\xf2\xce\xff\xc3\x93\x0f\xfc\x8e" "\xd2\x40\xd6\xa4\x57\x59\x5e\x77\x6c\x99\x74\xb3\x4b\xe3\x4e\xad\x5b\xd6" "\xed\x83\x77\x2c\x7e\x72\x14\xd8\x76\xe8\xc7\xde\xf0\x15\x6f\x0e\x00\xdd" "\xa0\x34\x33\xb5\xfb\x5a\xf2\xec\x43\xeb\x1d\x65\x7e\x3c\xc8\x3b\xd7\xfc" "\xb7\x8b\x42\x1b\x45\x63\x2c\x9d\xed\x5e\xa9\x49\x6e\xef\x41\x71\x12\xb3" "\x2d\x10\x87\x47\x2d\xd2\x87\x75\x90\xb1\x6d\x46\x35\x62\xcf\xd9\xae\x92" "\x49\x78\xbd\xf7\x70\xc9\xed\x58\x5c\x45\x54\xcc\x21\x61\x20\x6c\xea\x1d" "\x2f\x73\x01\x1d\xe6\x13\x98\x01\x09\x44\xa6\xd0\x06\x7b\x7f\x93\xd2\x69" "\x2d\x37\x7b\xe2\xe3\x8b\xbc\x80\xb7\x39\xe6\x25\x88\xd3\xc9\x02\xfa\x0c" "\x81\x4b\xdd\x12\x4f\x7b\x62\xbf\x4f\x88\xc6\x1e\xb0\xe0\x66\xb3\x00\x47" "\x9b\x96\xaf\x82\x6b\xf5\x24\x7b\x5b\xb5\x86\xc3\x48\xdd\x17\x46\x1a\x37" "\x80\x57\x32\x6a\x10\x72\xc8\xa4\x06\x49\x9d\xf5\x09\xd6\xf7\xae\x3a\x55" "\x68\x2d\x91\x9b\x9e\xbd\x3b\x17\xc4\xe8\xf8\x80\xa7\x5d\xe1\xe2\x6f\xe0" 
"\xb5\x39\x1b\xd2\xe8\x09\x79\x22\x55\x3b\xde\xfe\x94\xbb\xa6\x62\x7b\xb2" "\x6f\xae\x10\xa4\x9b\x1d\xad\x32\xab\x36\xd3\xdb\x46\x58\x06\xc4\x7b\xa4" "\x24\xab\x90\x64\x4f\x1c\x24\x33\xd6\x60\x76\xee\x31\x66\xf2\x28\xa1\x20" "\xd2\xea\x77\x67\xc5\xc5\xed\x71\x0e\x0a\x21\xc1\x08\xc7\x5c\xb2\x30\x31" "\x07\xdb\x75\x92\xa9\x61\x4e\xa8\xeb\x0a\x88\xc0\x25\x7c\x75\x1e\xd7\x18" "\x73\x48\x68\x15\x8e\x16\x85\x51\xe3\x4b\x20\xc0\x0a\x46\xff\x4b\x97\xdd" "\xed\xd6\x64\x76\xfc\x1b\xc2\x25\x50\x76\x30\xf7\xda\x48\x41\xf5\x10\xc1" "\x97\xcf\xeb\x7f\xa2\xa2\x9c\x31\x2c\x1f\x60\x54\xc0\xd3\x35\xa3\xbf\x1d" "\x89\x1b\xf0\xe2\xb8\xe3\xba\xf1\x5b\xb2\xff\x75\x4c\x32\xfb\x07\x2a\x38" "\x7f\x0a\xa8\xd8\x00\x3f\x9d\x5a\xcf\x34\xd2\xce\x95\xb0\x23\xef\x25\x01" "\x7d\x6f\xd2\x58\x44\x2c\xe8\xd8\xd8\x10\xc2\x3c\x03\x9e\xf3\xcd\x32\x08" "\x27\x99\xa8\xfd\x63\x6b\x13\x67\xee\xdb\x03\xa9\x2c\x31\x23\x3f\x67\xc6" "\x85\xeb\x29\x24\x37\xbf\xc6\xca\x75\x0d\x03\x5e\x5e\x86\x9f\xbf\xc0\x37" "\x7b\x22\xff\xbc\xa8\x96\x6f\x74\x6e\xa5\x7c\x0e\x5d\x03\x49\xc1\xb9\x66" "\x74\xd2\x93\x6e\x3a\x9f\x43\x1a\x10\xad\x2e\x18\x21\xb3\x56\x37\x0f\xf8" "\x4e\xf9\xc6\x22\x53\x40\xb5\x2d\x66\x95\x36\xcb\xdf\x5f\xef\xa1\xf8\x35" "\xcc\x0e\x16\x89\x43\xe6\x73\x56\x42\x89\x17\x8b\x94\x1f\xb9\xaa\x0c\xeb" "\xbc\x6a\x77\xc0\x62\x37\x6a\xa0\x52\xa1\x21\xfc\xe6\x0b\x1f\x2e\x92\xbe" "\x1a\x60\x48\x07\xea\x98\xc1\xab\x3d\xb6\x1f\x45\xb8\xa5\x25\xa1\x3c\x2e" "\x84\xc1\x63\x23\x95\x1d\x82\x65\xc2\x39\x36\xc5\x23\xa3\x20\x15\x98\x4a" "\xa2\xe1\x6f\xf8\xc1\x72\x55\x04\x5a\x25\x69\xcf\x29\x8b\x34\x7c\x66\x0c" "\x91\x6d\xac\x17\x17\x56\x45\xfb\xde\x55\x34\x4c\x04\x03\x37\xb1\xed\x98" "\x4f\x6f\x38\x03\x69\x60\x33\xed\x86\xeb\xdf\x87\xf6\x4e\xd8\x38\xff\xb4" "\x16\xd4\xf5\xff\x03\xb8\xc0\xa8\xf8\x29\xff\x5c\x8f\x9f\xaa\x7f\xe8\xf6" "\x62\x1d\x25\xc3\xf5\xc6\x3e\x7e\x7b\x65\x95\xa7\x30\x8a\x59\xd7\xcb\x68" "\x52\x52\x9f\x6b\xce\x7c\xa2\xb2\x1b\x2a\x4a\xea\xc3\xef\x4c\x8b\xe5\x21" 
"\xa0\xba\x7e\xb7\x4b\x16\x43\x99\xce\xe3\x40\x9c\x6e\x4d\x22\xea\x28\x93" "\x09\x54\x1e\xe2\x31\x7d\xf0\x58\x21\xe7\x37\x5f\x2a\x33\xd2\x5f\xa4\x85" "\xd3\x58\x39\x84\x67\xa6\x8c\xaf\x11\xef\x07\x41\x0f\xa9\x46\xd8\xe5\x2c" "\x4d\x75\xe7\x2b\x0b\x7a\x93\xc2\x73\x0d\x1c\x0b\xb9\xaf\x63\xfe\xc6\xa5" "\xb2\x71\xb7\x9d\x82\x8c\x40\x03\x20\x1b\xe0\x66\xdd\xd2\x62\x8f\xe2\x5b" "\x96\x1d\xb0\x28\xc3\x9c\x4c\x8b\xc4\x8b\x9d\x5c\xc1\x98\xe2\xc7\x89\xc9" "\x1c\xd4\x90\xc2\xb4\x15\xb6\x6c\x0e\x61\x4f\x8c\xf6\x8a\x2a\x77\xa6\xbe" "\xeb\xce\xd6\xdf\x48\x40\x88\x91\xf5\xa2\x8d\xad\x97\xd4\x7f\xd3\x77\x0d" "\xab\xb6\x50\xda\xfc\x42\x22\x2a\xd9\x29\xc7\x3d\xec\xa6\x73\x34\x48\xbc" "\x33\x46\x7c\x4e\x17\x43\xd4\x08\xcb\x5b\xc9\xd5\xc9\x8d\x7a\xb9\xf0\x83" "\x98\x8a\x40\x67\xce\x22\x05\x49\xbd\x37\x23\x7f\x76\x07\x37\x7c\x6b\xfd" "\x77\xda\x09\x5d\x7a\x5a\xc4\x71\x28\x90\x9f\xb6\x1c\xe7\x63\x6b\xe0\x82" "\x9a\x4e\x5c\x02\xde\x7e\xc0\x28\x34\x35\xc7\xd0\x41\x73\xa4\xf8\xb5\x39" "\x95\x6d\x48\x46\x69\x45\x83\x00\x0d\x3e\xca\x12\x42\x82\x7d\x95\x00\x55" "\xf3\x8d\x8d\xa2\xc8\xcf\x62\xa9\xc5\xe3\xa8\x2c\xec\xe1\xba\xaf\x6f\xee" "\x2d\x82\x52\xcc\xd9\xde\x0b\x0c\xe9\x79\x3c\x8e\x00\xc9\xb7\x5f\x2f\xdb" "\xcd\xe2\x85\x64\x07\x1d\x58\x7d\xb0\xec\x60\x4b\x1f\xb6\x6a\xd3\x0c\xd3" "\x9e\x41\xdf\xa3\x8d\x0b\x52\xfc\x57\xaf\x9e\x37\xf0\x85\xb1\xe1\x02\x8a" "\x04\xce\x05\x26\x86\xa9\x67\x0f\x18\x87\x90\xa6\x15\x44\xa5\x61\xad\xc6" "\x6a\xda\x0c\xa0\x4d\xbb\x47\xaf\xbd\x63\x43\x87\xe1\x65\x52\x06\xf6\x99" "\x4f\xa9\x25\x0b\x2a\xb4\x87\x21\x23\xec\x4b\x84\xc2\x19\x7e\xc1\x54\x8b" "\x5e\xf9\x3e\x8b\x7a\x0c\xd1\x12\x18\xff\x2e\xc7\xc7\xc3\x5f\x8a\xf9\x64" "\x17\xe9\xd9\xfb\x7b\x05\xf7\x69\xf4\xde\xc8\x05\x9b\xdb\xa7\x5d\xf6\xd3" "\x13\x2c\x3a\x11\x4b\x86\xa5\xdc\xa1\x11\xcc\xd1\x5e\x94\x4c\x02\x30\xb7" "\x1a\xbc\x12\x75\xd0\x94\xd9\xac\x62\x8d\xb2\xd7\x47\x85\x40\x41\x4e\xdd" "\xf1\x5a\x24\xeb\x2c\x62\x63\xb4\x2d\x25\x77\x50\xf6\x3e\xe0\xbe\x0f\x21" 
"\x15\x2c\xa8\xb5\x91\x29\xa3\x32\xff\xe9\x13\x64\xbe\x24\x77\x7f\x0b\xf9" "\x88\x63\xe7\x5c\x87\x93\xc7\x02\x22\xe0\x3e\xcd\x7f\x6a\xb1\xb1\x6b\x66" "\x6b\x0a\x3e\xef\x93\xb1\x15\x92\xd1\xb7\x7c\x73\x4a\x5b\x80\xef\x9a\x95" "\xec\x45\x50\xd1\xe3\xc2\xef\xcd\xd2\x9a\x5b\xb2\x7b\xf7\x9c\x24\xe4\x23" "\x0f\xa2\xdc\xb3\x6d\x32\x54\xcf\x2c\xe4\x45\xe9\x2d\x53\x63\xf5\xc9\xbb" "\x17\xef\x83\xc6\x0c\x85\xc1\x96\xbd\x02\xfc\x98\xe3\xc3\x68\x44\x7a\x60" "\x99\x4b\x51\x1a\xa7\x74\x4a\xbe\x95\xac\xd4\x22\x17\xf0\x89\x8f\xf0\x7f" "\x5d\xa4\x3d\x20\xf9\x4f\x11\x49\x99\xb4\x9a\xfe\xa8\x30\x60\x94\xfb\xf0" "\x78\xf1\x60\x39\xbd\x4d\x3c\xbc\x08\x69\x9a\xe6\xf7\x4d\xdc\x00\x48\x83" "\x84\xe7\xf1\x70\x90\x5c\x6b\x55\xe8\x5a\x81\xc8\x72\x1f\xdd\xfc\x9d\xe6" "\x67\xe0\x3a\x70\xe8\x45\xcc\x89\xb6\x17\xea\xfe\x2c\x7b\x3d\xae\xef\x6b" "\x05\x8c\x27\x8a\xf6\xf5\x07\x35\xb4\x5b\x68\xba\x84\x7b\x77\x52\x79\x29" "\xea\x37\xd7\x34\x48\x1a\x78\x28\x59\x07\x6b\x83\x6c\x62\xef\x0e\xbc\x0f" "\x9f\x7d\x43\xdf\x47\xb0\xd1\x91\x2c\xbc\x74\xec\x57\xcf\xac\xd7\x48\xf5" "\x56\x04\x4a\xff\xbc\x73\x78\x23\xec\x8e\x2b\xd4\xe3\x62\x1e\xcd\x1d\x28" "\xfe\x97\xb2\x0a\xcf\x35\x62\x28\xfe\x23\x05\x77\xf6\xbf\x1a\x0f\xff\x74" "\xc1\x2d\x24\x61\x8c\xae\x9a\x73\x39\x3b\x36\x6a\x9c\x71\x14\xfb\xb8\xc9" "\xf4\x40\x6e\x36\x66\x07\xc5\x5c\x3f\x90\x4c\xc1\x3b\x15\xfe\x8b\xc2\x4e" "\x11\x9f\xde\xa9\x7d\x74\x51\x59\xca\x26\x4a\x3d\x97\xd2\x8d\x85\x54\x16" "\x7f\xa9\x94\x38\x32\x7c\x6a\x8a\x19\xb8\x3a\x0d\x66\xdf\x37\x89\x55\x41" "\x74\x89\xe4\x4c\x24\x4a\x97\x4d\xf8\x65\x8e\x72\x3c\x92\x06\x2b\x09\xd2" "\x8a\xfd\x60\xa6\x89\x1c\x2d\xea\xf7\xc8\x53\x96\x02\xc7\xb0\xa5\x93\x52" "\x5f\x53\x29\x22\x88\xe5\x4d\xe5\x30\xcb\xf9\x08\xa2\xc7\x80\xfb\xfc\x39" "\x72\x07\xfc\x61\x6a\x9d\xc7\xbd\x17\xf4\x1c\x37\x44\x68\xc8\x7d\xb2\xe3" "\x1e\xa0\x01\x34\xd4\x51\xbb\xaf\x13\xd5\x28\xf4\x2d\x20\x0a\x51\xc2\x6a" "\x08\xf0\xe3\xbe\x8f\xd8\xa7\xd8\xca\x7d\x6a\xb8\xa2\xef\xcd\x31\xa1\xc3" 
"\x58\x57\x7a\x1d\x14\xb7\x30\x0c\x3a\xac\x96\x62\x22\xd2\x94\x91\x1b\xc5" "\x0d\xc0\xd9\xa8\x9b\x1a\xbb\x2a\x80\xcb\x2f\x50\xa1\xba\x2d\x92\x6d\x1a" "\xc2\x44\x31\xc2\x69\x8f\x63\x0a\xc9\x50\x52\x80\x47\xd2\xe5\x95\x5a\x26" "\xe4\x1a\x07\x6f\x04\x78\xc7\x83\x37\xd7\xae\xe5\xf2\x42\xbe\xbd\x5e\x99" "\xd2\x15\x92\xf3\x76\x7b\x0f\x6a\x11\x09\x86\xf5\xf6\x19\xa4\x31\xd1\x66" "\x95\xa5\x50\x63\x3f\xf0\x33\xea\x42\xe6\x76\x6a\xf3\x51\x26\xaf\xe7\xe4" "\x8f\x92\x76\x57\xcd\x20\x0e\xad\x8d\x06\x9e\x8e\x6d\x3e\x1c\x5f\x00\x2b" "\xed\x26\x02\x3f\xc5\x55\xf9\x74\xb2\x32\x17\xd9\x47\x5f\x6a\x40\x87\x1e" "\xaf\xf8\x49\x7e\x92\xa8\x9c\xf0\xa1\xe1\x09\x25\xb2\xc3\x71\x4d\x3b\xbf" "\x1d\x1d\x43\x96\x6a\x22\x19\xa3\xb4\x49\xfe\x64\xcb\xfa\x7d\x7a\x82\x99" "\xdd\x1f\x64\x5b\xb5\xdc\x1a\xd4\x77\xad\xd9\x91\x5d\x3f\xdc\x52\x99\x93" "\x68\x82\x1f\x31\xed\x85\xd5\x03\xdc\xea\x0a\x15\xee\x09\xaa\x7f\x7b\xee" "\x2e\x51\x08\x9f\xeb\x41\x4b\x97\xf0\x2a\xb3\xe0\xaf\x33\x27\xc8\x2f\xd4" "\x02\x73\x7a\xdb\xa3\xfd\xcd\xb7\x14\x24\xf4\x8d\x35\xc2\x40\x7f\x3a\xb1" "\xc6\x0d\x28\x9d\x9d\xb8\xe1\xa7\xc9\x31\x68\xba\xfd\xc8\x5d\xe0\x10\xc6" "\x80\xb2\x0d\xf1\x0b\x15\x1c\xbc\xe7\x90\xa0\x35\x9c\x0f\x53\x82\x0b\x51" "\xde\x58\x81\x16\x29\x73\x8e\x92\x68\x98\x2a\xc8\x4f\xb3\x38\x92\x2a\xbd" "\xef\xd9\x6f\xaa\x9e\xb2\x8b\xdc\xae\x41\x06\x67\x37\xba\x61\x82\x43\xce" "\xda\x27\xaf\x9b\x31\xf2\x6e\x30\xf4\x05\x32\x26\x43\xb3\x72\x19\xcc\xb5" "\xb3\x65\xce\x86\x70\xfb\xad\xfa\xf7\x87\xbd\x8a\x33\x71\x2c\xce\x4d\xec" "\x4c\x4a\x8f\xef\xad\xbb\xe7\xac\x52\x23\xf9\xff\xf5\x15\xe7\x36\x30\x6e" "\x60\xb8\x76\xbc\x4e\xea\x43\x24\xef\xba\x85\xd5\xfb\xf5\x93\xb8\x3d\xd8" "\xd2\x79\x4e\xd9\xb4\x2e\x13\xa8\xb8\x17\x41\xd0\x5b\x16\x71\xfa\x69\x3a" "\x75\xea\x47\xad\x1b\x4e\xf6\x89\x67\xb7\xff\xa0\x56\xcb\x52\xd6\x25\xfd" "\xfc\xd5\x33\x57\x59\x7a\x01\x07\x93\x2d\x9f\x6d\x12\xf3\xa4\x3a\x30\xe3" "\x81\x47\xf6\x1d\xaf\xb1\x1d\xf1\xf2\x19", 4096); memcpy( (void*)0x20001500, 
"\xea\x31\x3b\xe9\x5a\xc7\xeb\xed\x32\xa8\x69\x6f\x85\x57\x62\x89\x31\x01" "\x89\xbe\x83\x41\xdd\xfc\xe5\x78\x48\x0a\x43\xad\x51\x20\x82\x21\x46\x6c" "\x27\x6a\x93\x80\x4c\x13\xc6\x22\xfb\xd9\x09\x4e\xdf\x90\xd3\xe2\x1e\xf6" "\x7e\x8b\x95\x68\xc9\x9b\x67\x9b\xbe\xd5\x7c\x34\x9f\x7f\x91\x4d\x5d\x83" "\xc7\x0e\x27\xea\xe5\xc5\x5d\xac\xb1\x7e\x06\xfa\xae\xdc\x9d\xb8\xe4\xc9" "\x13\x3d\x99\x70\xbd\x1f\xd3\x0f\xf6\x4c\x9d\x4e\x6e\xdb\x57\x10\x1a\x7c" "\x49\x69\x50\xe7\x0c\xe4\xe6\x6d\x02\xae\x98\x9f\xcb\xd2\x95\x2e\x71\xab" "\x0e\x57\x1a\x79\xf0\x5b\xea\xa7\xa5\xa5\x1a\x53\xd4\xe1\x3b\x62\x96\xc8" "\x8b\x7d\xbe\xd1\x86\xd1\xfd\xc1\xed\x12\x65\xe9\x93\xce\x42\x8b\x12\x4c" "\xcb\x4b\x0c\x19\xc7\xe9\x09\x17\xcc\x15\xbe\x3f\x4e\x76\x14\x3e\xc0\x3d" "\xbc\x43\x27\xd8\x51\xc5\x94\x78\x29\x09\xc8\x3d\x96\xbd\x28\xb9\x4a\xe1" "\x6a\xef\x02\x64\x97\x31\x05\x5c\x0a\x51\xfc\xbf\xa7\x70\xd2\x65\x16\xb1" "\x13\xe6\xee\x0a\xe8\x76\x79\xa5\x87\xf4\xce\xa2\x12\x68\x9a\xba\x38\x1d" "\x95\x45\xa6\x2f\x92\xc7\x59\xe8\x3e\xbb\xa9\xc1\x4c\xcc\x27\xb7\x7a\x12" "\x2f\xff\x88\x4a\x72\x5a\x3e\x91\x0e\x4e\x94\xab\x1d\xef\x39\x50\xf3\x44" "\x4c\x61\xfe\x2a\xf6\x91\xe2\xce\x7a\x1d\x04\x0c\xf0\xc8\xda\xc5\xdf\x80" "\x38\x29\x4a\x08\x51\x2b\xdd\xce\x9d\xc7\x82\x6d\xbc\x06\x1f\x9f\x5c\x41" "\x3f\x64\xb0\xbe\xd5\xb5\x99\xef\xc8\x0f\x21\x5f\xa5\x03\xcb\x5a\x12\x6c" "\xbf\x3d\x5b\xda\x41\x72\x82\x9d\x13\x15\x74\x50\x33\xbc\x11\xf2\x19\x25" "\xb5\xe0\xa2\xf9\xfc\xac\xbf\xe9\xa2\x48\xb6\xc7\x6c\x0f\xa4\x2d\x58\x8b" "\xe6\x36\xd2\xb3\x28\xda\xbb\x55\x10\xfe\xc2\xd7\xfb\xd1\x75\x36\x0a\x2c" "\x12\x8d\xf6\x24\x0c\x4e\xb4\xc3\xf8\x0b\x61\x90\xe3\x5a\xe0\x4a\x0d\x46" "\xf4\x7e\xd4\xac\xf5\xd2\x5a\x98\x25\x1b\x0f\x60\xa2\xe2\xb1\xb4\xf1\x02" "\xe3\x49\xd6\x7c\x88\xd3\xed\x43\xb8\x8e\x62\x22\xae\x74\x3c\x15\xd9\x94" "\x6a\x6a\xce\xe1\x74\x7f\xa8\x5a\x51\xa1\x42\x95\x65\x72\x77\xe0\xa1\xd1" "\x2d\x99\xac\x67\xe2\xd9\x63\x2d\x74\xd5\x7f\x90\x41\x83\x9e\x19\x00\xf7" 
"\x94\x71\x90\x05\x21\xf4\xd3\xc8\x25\x0a\x8e\x30\x94\xb0\x31\xc1\x3d\x87" "\x19\x7b\x80\x9a\x57\xe9\xb8\xe2\x6d\x01\x62\x12\x28\x3f\xcf\xe0\xb5\x87" "\x06\x82\xad\x85\xf3\x62\x16\x3e\x1a\x7c\xe1\x3e\xb1\xbe\xa8\x83\xfd\x95" "\x17\x33\x88\xeb\x4e\x73\x8d\x96\x4a\xf9\x17\xe4\x49\x89\x3e\xd5\x2d\x11" "\x23\x6c\x93\x26\x16\x2c\x3e\x9f\x49\xfa\x10\x4a\x79\x1b\x7e\xea\x32\x14" "\x3b\xca\xc8\xe5\x45\x98\xfe\xda\x93\x95\xce\x3e\x1d\x4e\xbf\x93\x2c\x1d" "\x9b\x31\x74\x96\xbd\x2b\xbf\xdc\x49\xc7\x8f\x35\x22\x14\x04\xdf\x33\xaf" "\xdb\x5a\x62\xdc\xec\x0c\xf7\x32\x64\x9c\xfc\x4e\x11\x5f\x81\x6f\xa5\x6b" "\xb9\x05\x12\xe8\x89\x0c\x69\x81\x04\x22\x72\xd4\x49\x40\x85\xf0\x50\x82" "\x29\x3e\x04\x2e\x40\x15\x60\x7a\xfb\x3e\x77\x56\x6a\xea\x41\x8f\x52\xc1" "\x4a\xd1\x4e\x0e\x66\xff\x72\xec\xde\x88\xa6\x17\x02\xe0\x1b\x79\xc3\xa9" "\xe6\x74\xe2\xb3\x54\x51\xe1\x94\x52\xec\xe6\x82\x9f\xd7\x6e\xca\xcd\x96" "\x7a\x4f\xae\x94\xc7\xdc\x76\x36\xb0\x8a\xfc\x9c\x58\x75\x5f\x48\xe5\xfa" "\x35\xad\xa3\x60\xb6\x6c\x2f\xe3\x5b\xff\x6a\x6b\x1d\x8b\xfe\xb6\x5a\x83" "\xc4\x88\x3f\x30\x48\x45\x07\xad\xac\xf8\x5b\xe5\x81\x8d\xe8\x5c\xfc\x8f" "\x74\xeb\x9e\x39\x17\xab\x59\xf6\xd6\x0f\x2a\xbb\xd3\x19\xae\x52\x81\xb8" "\x92\x3a\x48\x06\x8e\xe6\x83\xea\xb7\xfa\x6e\x7f\x4d\x2d\x5d\x34\x59\x97" "\xca\xbe\x9e\xd3\x98\x6c\xc4\x41\xd9\x2b\x7c\xda\xb9\x9e\x82\xd8\x96\xf9" "\x48\x92\x0e\x40\x3d\x51\x29\xe4\x31\xb6\x50\x94\xda\x81\xd3\x4c\xee\xd6" "\x06\x32\x6d\x2d\xbd\x8f\xe5\xbe\x9d\x10\x05\x5f\xab\x24\x31\x67\x26\x66" "\x60\xac\xb9\xc3\xbf\x96\x88\x58\x01\x98\x94\xcb\xb3\x64\x84\xc4\x7d\x51" "\x5a\x85\x05\xda\xed\x1e\x57\x09\xf7\xe6\x93\xc4\xd9\xbe\x35\xab\x5e\x76" "\x3a\x72\x41\xea\xa8\xf7\x88\x0a\xfc\x30\x82\x57\xe0\x49\xb0\x10\x8a\x77" "\x00\x87\x3a\x33\x23\x17\xf5\x79\xd5\x43\x47\xe4\xa2\xaa\xfd\x93\x49\xd6" "\x1c\x2e\x50\xc7\x05\x86\x9b\xfc\x1c\x80\x19\x57\x80\xb6\xba\x1a\xa8\x16" "\x45\xeb\xb1\x12\xe0\x6f\x6e\x0b\x02\x3e\x46\xf1\xf4\x66\x54\x5e\xba\x5c" 
"\xeb\x45\x47\xfa\x8a\x56\x03\x87\x0d\xf2\x86\x6c\x11\x9b\x63\x42\xd0\x6a" "\x76\x8c\x7f\x1d\x97\x65\x5c\x34\xec\x1b\x64\x08\x16\xe2\xd3\x2a\x28\x88" "\x22\xa1\x50\x45\xab\x66\x37\xb2\x3e\xa5\x1a\x65\x2c\x7d\xf9\x14\xaf\x0b" "\x04\x0f\x47\xbd\x94\xa0\xc0\x2b\x9f\xe7\xf8\xb9\x3f\x50\x63\x56\x3a\xdd" "\x2e\x57\x28\x9a\x07\xae\x99\xba\x8d\x0a\xab\xc8\x11\x0d\x04\xa9\x96\x37" "\x26\x6e\xfb\x4b\xc9\xaa\x29\x3d\x5a\xc0\x00\x91\x8f\xd9\xea\x1b\x0f\xd2" "\xb4\x02\xf2\x1b\x5f\xe0\x69\xfd\xde\x3c\x21\x7a\xfd\xaa\x74\x66\x05\x64" "\xb2\xfa\x27\xbd\x68\x8d\xd0\x7e\xd4\xc7\xfe\x32\xad\xe4\x06\x6b\x86\xf5" "\x41\xc1\x9e\x2c\x3c\xfc\x5e\x52\x40\x17\x80\xda\x97\x1e\xdb\x2c\xbe\x88" "\x50\xde\x49\xcd\xad\x1c\xd5\xe7\xd6\x58\x39\xb6\x20\x9b\x4e\x60\xe9\x77" "\x27\x94\x90\x74\x01\xe7\x18\x9f\xdd\x00\x8d\xf5\x7c\xaa\xf8\x62\xaa\x83" "\x1e\xeb\x0d\x84\x6c\x58\xcf\xf2\x80\xc6\xdf\x29\x42\xa5\xc4\x73\x70\xc6" "\x3d\xc9\x16\x4a\x81\x4a\x7e\x9c\x32\x73\x63\x08\x58\x83\xae\x6b\x90\x43" "\x2c\x47\xb1\xaf\xc3\x1e\x05\x23\xd4\x5b\x8f\x48\x9d\xb4\x89\xf5\x4d\x77" "\x45\x67\xf3\x8f\xb3\x40\x48\x02\x83\x72\xeb\x36\xee\x22\x4b\x57\x43\x41" "\x6b\xb2\x8f\x50\xe2\x44\x48\x9b\xb6\x84\xf7\xb2\x5e\x40\x71\x24\x84\xec" "\x4e\x39\xec\x7a\xaf\xf1\xf1\xe1\xa6\xe2\x24\x3d\x9d\x8e\x46\x1a\x11\x13" "\x40\x89\x03\x1e\xdf\xc7\x9b\x15\x50\x79\x41\x90\x66\x64\x37\x7b\x8b\x60" "\x13\x22\xf7\xe3\x97\xed\xd5\x96\x81\xdc\xa5\x63\x90\xdf\x2e\x21\x03\xb8" "\xa7\x1b\x71\x81\x44\x0e\x1d\xa6\x85\x07\x84\x5a\xa1\x26\x18\xc0\xa2\xcc" "\x86\x0d\x6e\xd6\xf9\xf7\xe8\x21\x20\x89\x85\x40\xba\x35\x3e\x32\x3a\xa1" "\x87\x3e\xb5\x0f\x01\x5d\x87\x7d\x6b\x68\xb3\x38\xbf\xe6\x03\x3c\xda\xbc" "\xab\x0c\x12\x5e\xf3\x82\xa2\xea\x1a\xb8\xda\xd1\x57\x72\x1d\x4b\x1d\x1e" "\x16\xe0\xeb\x18\xd0\xc9\xe8\x0f\x16\x0c\xa5\xc1\xcf\x13\x15\xe0\x24\x6a" "\x12\x42\x73\x07\xd8\xb8\x4d\xfb\x4a\x32\x1b\x30\xef\x03\x74\xbe\x6f\xe6" "\xcc\xad\xb8\x00\xbf\x0c\x4f\xbb\x85\x9b\x78\x74\xfa\xd6\x87\x8a\xeb\x36" 
"\xb3\xd3\x68\x50\xa1\x5d\x19\x46\xd9\xa3\x3e\x6e\x9d\xe6\x5b\xb0\xd3\x81" "\x03\x55\x85\xda\xd9\x1c\xaa\x2d\x6e\xb0\x03\x58\xda\xc4\xb4\x12\x47\x6d" "\x02\x19\x9c\x2d\xe0\x46\x7b\x76\x82\x89\xe8\x52\xad\xea\xce\xa2\x8f\x77" "\x13\xa4\x81\x3d\x4d\x87\x53\x8c\xff\x7d\xad\xe2\xe9\x25\xa9\x2f\x0c\xf3" "\x4e\xcb\x4c\x67\xe2\x11\xa7\xc2\x8d\xf8\xab\x40\xfc\xf8\x3a\x98\x74\x94" "\x3b\x79\x66\x24\x7d\x34\x5e\x52\x9c\xef\x74\xef\xb9\x40\x6c\xee\x55\x4c" "\xa0\xac\x10\x5d\x09\x1d\x76\x60\x7e\x56\x30\xf8\x90\x87\x7b\x18\x77\x17" "\xeb\xf9\x6c\x16\x60\x3d\xd5\x8b\x54\x29\xf5\x3c\x38\x90\xa8\xd7\xd9\xb8" "\x78\x07\x40\xb4\x0d\xf8\xed\x56\xaa\x80\xe8\x55\x72\xfa\xe7\x20\x43\xaf" "\x26\xff\x00\x72\x28\xd2\xde\x0f\xda\xbb\x4b\x49\x11\xa8\xe1\x0a\x7a\xe9" "\x98\x72\x53\xc5\xe4\xd0\x75\x2e\xda\x80\x91\x1b\x73\xb8\x48\x07\xa4\x97" "\xdd\x9a\xe8\x4b\xf3\x0b\x17\x33\xd2\x06\x40\x55\x96\x09\x28\x7f\x0d\x24" "\xf9\xb7\xd8\xa3\xea\x97\xe0\xe2\xd7\xed\xb9\xac\x43\xcb\x30\xca\x5e\xde" "\x8b\x4d\xa7\x6c\x02\x73\x98\x68\x91\x37\x17\x5a\x04\xd0\x32\xe1\x1f\xd4" "\x9e\xd8\xe4\xab\xea\xd9\x7b\xbc\xb7\xc4\x21\x8b\xff\x2a\x6e\x21\x93\xf0" "\x17\xbc\xb4\x87\x9a\x66\x82\x4f\x41\x20\xb2\x60\x98\x80\x30\x3c\x13\x98" "\xac\x31\xd4\x43\x6c\x05\xb5\x71\x3a\x86\x59\x2d\x38\x54\x37\x23\x92\x62" "\x2f\x1c\x54\xd8\x71\xd5\xe3\x00\xe1\xc9\xd7\x6c\x00\x0f\xe6\x3d\x5f\xcf" "\x8a\xa7\x16\xf0\xa5\x0e\x32\xca\x32\x4c\xef\xa9\x00\xcc\xcd\xf6\xa9\x15" "\x87\xdb\xe5\xce\x92\x2c\x90\x25\xb7\x6b\x36\xfe\xbf\xe8\x0a\x13\x42\xbc" "\xe3\xf3\x31\x6e\xed\xca\x2c\xd5\xb8\x0d\xbd\x2d\x32\xa0\x37\x6a\xf0\x2f" "\x0c\x5a\x70\x75\x08\xa0\xa5\xa7\xd2\x00\x55\xcb\xcd\x76\x5f\x84\x16\x2e" "\x58\xbf\x1a\x6e\x6c\x57\x4d\x4f\x5f\x20\xe3\x97\x6b\x60\xee\xc7\xe0\x8a" "\x1c\x21\x53\x2f\x8b\x37\x67\x6b\x38\x5f\x7a\x2e\x6d\x36\x8f\x5f\x74\x96" "\x12\x34\x91\xcc\xe1\x24\xb0\xc6\x61\x25\x29\xeb\xce\x8c\xd2\x15\xc6\xc1" "\xd2\x15\xff\xe8\xeb\x95\x55\x4a\x35\xad\xa9\x66\xe0\xa5\x3d\x6b\x9c\xdf" 
"\xf4\x79\x2e\x5e\x76\x8d\xae\x84\xea\x45\x54\xd6\xbe\xe8\x70\x07\x8b\x6d" "\x8d\x2a\xcb\x7f\xbf\x5c\xfe\x8b\xbd\xf8\xa2\x7a\xb9\x3f\xb9\xb1\xa1\x29" "\xc2\x47\x00\xab\xd6\x2c\xad\xbd\xa8\xd7\x9a\xcb\xd9\x9e\x98\xba\xe0\x34" "\x3f\xa6\x52\x0a\x40\x98\xe4\xa9\xc0\x7e\xf8\x92\x81\xcd\x97\x12\x88\x62" "\xa4\x35\xda\x32\x75\x8f\x58\xf1\xd9\xa0\x9b\x5f\x3e\xc8\x40\x84\x98\x00" "\x05\xfc\xa7\xc2\x3d\x79\x05\x3b\x19\xcb\x52\x5e\xf0\x6b\x6f\xab\x5b\x10" "\xdb\xdf\x5e\x79\x4f\x70\x09\x61\xd9\x58\xbf\x50\xb0\xa4\x1a\xb8\x10\xa6" "\x4a\xaf\x8b\x10\x43\x8e\x65\x9f\xe4\xba\x55\x1d\x82\xa2\x7c\x68\x1c\x6f" "\x54\xc3\x5c\x61\x7e\x24\x3d\x2f\x13\xec\xd5\x8b\xed\x39\x53\x45\xc3\xe3" "\x2f\xec\xe9\x52\xa3\x35\xc7\xc7\x8e\xe1\xe8\xff\x7a\xbf\x46\xcf\xce\x17" "\xb0\x6b\xa6\x8f\xe4\x59\xc8\xb5\x8a\x73\x49\x61\x77\x68\x70\x4f\xb3\xad" "\x0b\x6a\xbb\x57\x3d\xc7\x51\x55\x7c\xf6\x7e\x6c\x14\x31\x62\xb7\xc8\xd1" "\xd9\x88\x4d\xa9\x1a\xff\x70\x88\x2f\xa1\x04\xad\xf4\xb6\xa8\xd3\x5b\x0d" "\x93\xd3\xe8\xaf\x23\x05\xbc\x9a\x65\x1c\xb4\xb6\x72\xca\x98\xde\xe9\xdc" "\x32\x3c\x22\x50\x6c\x30\xe1\x7c\x1c\xd1\x63\xac\xc4\x94\x60\x4c\xbc\x9e" "\xa8\x71\x6b\x48\xa3\x23\x9a\xaf\x1e\x57\x5b\xc4\xfd\xcd\xdd\xff\x9d\x7e" "\x00\x79\xc3\x37\xaa\xb3\xd4\x31\x56\xe6\xac\x00\xa8\xc9\x79\xba\xb2\xe2" "\x84\x80\x39\x9c\x02\x4b\xf5\xe8\xd4\x8f\xc8\x22\xc1\x33\x3d\x2c\x64\x7d" "\x8a\x56\x62\x19\x27\xe4\x25\xb4\x51\x2c\xb1\x64\x15\xd5\x2c\x69\x19\x8b" "\x1d\xa0\x95\x76\x3c\x1b\x87\x0b\x99\x81\x71\xe6\xc5\x95\x16\x16\x6c\x2b" "\x1b\x78\xe2\xdd\xe9\x61\x6f\x81\x45\x35\x06\x77\xa9\xdd\xac\x97\xd8\x72" "\x1e\xf4\x78\x6d\x17\x75\xd3\x54\x41\x3b\x43\xf8\x2c\x5e\x29\x94\x4f\x04" "\x92\x8b\x63\x01\x73\xac\x9c\x42\xb9\xd3\xc1\x77\xaa\x6c\xd9\x37\x2a\x17" "\xcf\x9f\xbf\x95\xe3\x0e\xc1\x17\xa4\x6d\x6b\x26\x84\x81\xbc\xc2\x7d\xc0" "\x4a\x78\x55\x6a\x73\x43\x7f\xdc\x89\xfe\xeb\x20\x44\x17\x1c\xcf\x98\xb7" "\xa4\xb1\x18\x92\x34\x7d\xfb\xe4\x68\xae\xf3\xea\x43\xd4\x08\x8e\x59\x15" 
"\x5e\xe6\x78\x3d\xb6\xaa\x01\x3d\x94\x1e\x4c\x26\x0c\x05\x48\xfa\x00\xf5" "\xe3\x58\xf6\x91\xf4\x83\xa7\xda\xe8\x7a\x9c\x72\x5d\xe7\xa0\x25\x24\x95" "\x9d\x87\xe3\x4c\xe0\xa6\xdc\x56\xa6\xf3\x04\x55\x4c\xc1\x11\xe2\x40\xa0" "\x7f\x8f\x83\x04\x3d\x77\x1b\x39\xa6\x40\x00\x32\x00\xbb\x6c\xde\x03\xcc" "\xa4\x0a\xed\x08\x92\x4e\xe0\x0e\x83\x89\x77\xfe\xe2\x77\xe6\x51\xfc\x69" "\x37\x04\xea\x39\xd8\x3e\x66\x17\xea\x64\x90\xcb\x7c\xbf\x35\x39\x96\x5a" "\xde\x62\xa8\xe5\xa5\x63\x88\xd1\xd8\xc8\xfd\x9b\x51\x9a\x38\xc0\x1c\x29" "\xc2\xba\xc7\xc0\x03\x0b\x80\x07\x89\x62\x1f\xed\x0b\xa6\xdd\x43\x34\xa3" "\xf7\xc8\x0f\x08\xe5\xe9\x4d\xfb\x03\xf8\x12\x24\xef\xfe\x10\x90\x14\xd5" "\x72\x6b\xb7\xd8\x71\x85\x57\xa3\xa0\x28\x33\xe6\x5f\xc9\xbe\xaa\x89\x83" "\xc3\x85\x2f\xc7\xcc\x12\x38\xf0\x14\x6c\x0f\x22\x6f\x82\x9f\x7f\x68\x69" "\x2c\x34\xae\x52\x0a\x5b\x94\xf4\x7a\x33\x55\x41\x35\x65\xad\x85\x9f\x4e" "\xc6\x83\x09\xa8\x40\x5a\xf5\x21\xd6\x02\x9b\x3d\x6e\x71\x22\x2c\x44\xfa" "\x3b\x82\xfc\x63\x43\xa8\xc8\x63\xaf\xef\x88\xe5\x0e\xc6\x00\xa2\x91\x6b" "\x40\xa1\x19\x7d\x0a\xd7\xe3\xe4\x21\x16\x9d\x79\x55\x3d\x99\xce\xe5\x4b" "\x1d\xbe\xb5\x43\xa1\xcd\x5b\x38\x4d\x7d\xa6\xb1\x8e\xa0\xe9\x68\x67\xc7" "\x1f\x3e\x24\xf7\x45\xcb\x1c\xe1\xbd\xfb\x1f\xab\x5e\xcb\x5f\x47\x39\x44" "\x5a\xeb\x5d\x2b\x68\xcb\x4b\x5b\x65\x23\x25\x74\x0b\xb5\xc0\xf2\x51\xf5" "\x3b\x08\x56\x09\x02\xcd\x65\xb4\xe0\x8c\x89\x5a\xee\x0b\x9d\xbc\x13\xa9" "\xa6\x54\x22\x20\x01\x6b\x75\xa7\x80\x43\xc6\x4b\x5a\x51\x86\x30\x21\x00" "\x51\x6c\xf2\x67\xa6\xee\xe6\xcc\xf4\x0e\xea\x45\x71\x24\x9e\x65\x6f\x58" "\x3f\x52\xf5\x44\x7f\x5d\x9b\x17\x2d\x20\xb0\xc1\xa4\x2f\xd8\x73\xeb\xa4" "\xf1\xfd\xa5\xde\x8c\x2a\x6c\xc8\xa0\xe0\x54\x46\x01\xc7\x5f\x77\xef\x80" "\x66\xcf\x53\x15\x20\x6b\xcc\xe3\xb7\x2a\xfa\xa1\x77\x12\x9d\xb3\x36\xbb" "\x44\xe9\x07\xc9\x51\x64\xd9\x19\x4e\xd1\x5d\x53\x0b\xb7\x67\x98\x66\xc1" "\xf6\x7e\x6b\x98\x15\xf7\xe9\x8d\x46\x76\x1d\x79\xe9\x9a\x78\xd2\x9c\xc6" 
"\x63\x8d\x1d\x7d\x60\x5f\xb7\x1f\x31\xc0\x5e\x94\xbe\x72\xe2\xca\xdc\xe9" "\xa0\x27\x59\x60\x05\x7a\x8e\x06\xef\x0c\x38\x43\x2e\xb7\xb6\x50\x4e\x0c" "\x8d\xb3\x7b\x81\xb8\x03\xdb\xed\x85\x75\xfa\x88\x61\xa7\xd9\x86\x34\x17" "\x17\x64\xc0\x81\xdd\x5c\x76\x37\x35\x0c\x79\x71\x1a\x30\x05\xb8\x3f\x0d" "\x7b\x81\x8e\xd7\x92\x76\xba\x4c\x39\x34\x70\x77\x95\x75\x51\x4d\x36\xcd" "\x76\x28\xde\xc4\xab\x90\x1d\xc9\x4d\xd8\xa3\x3b\xbc\x6a\x24\xb3\x35\xd2" "\x8b\xb9\x20\xe3\xea\x48\x4c\xac\xe2\x68\x2a\xfe\xdb\xca\x26\x24\x48\xf5" "\x70\x4d\xda\xa4\xb7\x4a\xf3\x46\xa2\x6e\x43\x39\xa1\xe7\x41\x66\x49\x53" "\x67\x14\xe7\x3a\x73\x6f\x47\x0d\x71\xbd\xa1\x80\x38\xaa\xa4\x51\xe2\x7b" "\xb4\xc9\xdb\x3a\xe7\x8e\xd9\x04\xd6\x87\xf2\x18\xa3\x88\xcd\x54\x70\x7e" "\x0b\x4b\xaf\xe5\x46\xfa\x9a\xcb\x1e\xad\xfa\x6e\xc1\x2f\x50\x28\x34\x15" "\xea\x07\xde\x98\x3e\xa6\x11\x8c\xe6\xd8\xa6\xa3\xad\xf9\x50\xee\xd0\xf2" "\xc5\xcf\x8f\xea\x58\xcb\x13\x03\xe3\xb2\x35\xb4\x94\x31\xa6\x61\x4b\x76" "\xf1\x9c\xd2\x2f\x4d\x98\x94\xcd\x23\x0e\x53\xe5\x2c\x3c\xb6\xb3\x9c\x0d" "\xfb\xee\x93\xce\x46\x69\x33\x66\x92\x21\x4d\x62\xa0\xdf\x33\xb1\x5a\x7c" "\xde\x1c\xce\xed\xf0\x3c\x6b\x6c\x05\x94\x63\x66\x64\x55\x5d\xce\x7b\xc7" "\xb4\x29\xe4\xa4\x1f\x6c\x85\xf4\x79\x9e\x97\x03\xe2\xaa\xae\xe5\x8f\x27" "\xd6\xa6\xaf\x2e\xdc\xaf\x67\x18\xcc\x9a\x97\x0f\xf8\xbe\x0e\x91\x6e\xa5" "\x99\x6d\x07\x2b\xd1\xcf\xa3\x4c\xde\x15\xb6\x9e\x75\xa6\xa5\xc8\x83\x0f" "\x14\xd3\x02\xf6\xb5\xe4\x18\xc8\xdb\x68\xd1\xd9\x83\x37\xfa\x9e\x1d\x91" "\xa8\x2c\xee\x4d\x2b\x7a\x01\x1a\x01\x40\xf6\x91\xd3\xdf\xbe\xb8\xce\x67" "\x5c\xfe\x35\x3a\xa8\xa9\xc8\xf8\x0e\x4c\x4e\x73\xd4\x6b\x9f\xf4\x48\x31" "\xfc\x2b\xd9\x91\x63\x77\x1e\x0c\x87\x8d\x15\x87\xba\x61\xf8\x57\x2a\xe3" "\x33\xa4\x8c\xb4\x92\x8d\xeb\x02\x10\x30\x76\xd8\x85\xc0\xbf\x5d\xa1\xea" "\x1d\xff\x5c\x71\xc5\xfa\xe5\x45\x59\x38\x4b\x10\xcb\x4d\x04\x01\xb4\x35" "\x20\xbc\xd9\x70\x6e\xd5\x5a\x52\xaf\x5a\xbd\x6f\xa2\x36\x76\x17\x39\x53" 
"\xf6\x99\xca\xca\x93\x67\xf3\x2d\xb2\xae\x49\xfa\x82\x4d\xf8\xd0\x1a\x51" "\x5a\x45\x99\x45\x12\x56\x36\xb3\x1d\x9a\x33\x04\xb3\x87\x21\x86\x98\x4c" "\x50\x32\x42\xe6\xab\xbd\x74\xbf\xbc\x33\x33\x92\x67\x92\x37\x21\x81\x35" "\x10\x38\x25\x29\x0e\x43\x8f\xeb\x99\x0c\xd9\x7d\xc5\x3f\x60\x46\xbe\xbf" "\xdc\xc6\x44\x7e\xfd\x23\x33\xf2\x04\xcb\xe3\xf4\x15\xca\x35\xb8\x6b\x7d" "\x39\x47\xab\x6c\x53\xdf\x45\x96\x7f\x22\xa7\xb0\x59\xdc\xed\xe9\x73\xff" "\x49\x68\x41\x25\x78\x0d\x81\xe7\x66\xcf\xb0\x32\x5c\x8d\x8d\x64\x57\x23" "\x89\x57\x33\xdf\xe3\x25\xa4\xbb\x69\x1c\x1f\x7a\xdb\x19\x2c\x93\x24\x06" "\x27\x3a\x2f\x45\x94\x60\x8a\x74\x56\xfa\x92\xb7\x52\x71\x00\xdd\x97\xff" "\x19\xac\x98\x98\x38\x27\x90\x59\x31\xb7\x6b\x50\x4c\x84\x44\x4f\x60\x76" "\xbc\xa9\x55\xe2\x74\x30\xc2\x0a\x50\xa2\x7f\x42\x63\x66\xd8\x94\xed\x7c" "\x50\xbf\x68\x31\x37\x53\x03\x7d\xa7\x23\xc4\xc7\x9a\x90\x09\x49\x38\x8a" "\xcd\xe5\x2f\x6d\xd9\xfc\x2c\x28\x03\x3c\x50\x47\xfd\xec\x01\x64\x84\x6a" "\xed\xbf\xb4\x6a\xd8\x00\xac\x81\x64\x09\xf8\x8f\x0a\xd6\xc9\xec\x31\xef" "\x49\x00\xe2\x03\x24\x04\x6e\x49\xa0\x81\x77\xf7\x4f\x2d\xbc\x7c\xdb\x2e" "\x61\x2d\x9a\x98\x07\x0e\x03\x35\x4f\x34\x93\xfb\x02\xb0\x0f\x69\x87\x6c" "\x40\x61\x5f\xcc\x03\x3b\xc6\x4a\x00\xdb\x05\x00\x15\xe7\xce\x8e\xc1\x08" "\x14\x72\x51\x27\xb9\x35\xfe\x4f\x45\x41\x14\x2c\xb1\x3e\xde\x16\x78\x7e" "\x1b\x1b\x00\x2f\xe5\x1f\x97\xd0\x72\xe0\x14\xcd\x21\xc3\x84\xa4\xd7\x9f" "\xec\xcf\x4c\xc3\x9f\xeb\x22\xab\x1c\x84\xe0\xd5\xbd\xa9\xc4\xa4\xb5\x8e" "\x84\x7f\x80\x1c\xfa\xe1\x20\xe7\x11\xeb\xf8\xcb\x98\x99\x4d\x2c\x0b\x3b" "\x81\x08\xcd\x6d\x77\x94\x0a\xa4\x4a\x38\x9a\x03\xdc\xac\x21\xef\x5c\xd4" "\xcd\x8a\x89\x1b\x79\x81\x42\x83\x04\xd8\x6d\xc3\x98\xfd\x97\xaa\x07\x1d" "\xd0\x90\x73\x2d\xcf\x92\xac\xf9\xb6\xe7\x42\xd2\xc2\x47\xe1\x36\x15\x20" "\x4a\x1c\xf4\x93\x4b\x2f\x9b\x1a\xd1\x3f\x3f\xc1\xdf\x41\xf7\xfc\xb2\x20" "\xfe\xc8\x8e\x88\x44\xec\xf1\x6d\xee\xd0\x9b\xbe\x48\x19\xaf\x6b\x91\xaa" 
"\x64\x91\xc9\x2f\xd4\x1e\xd0\xad\xf9\xa8\x46\x2b\x32\xd8\x9b\x9d\x86\xbe" "\x2d\x51\x52\xa9\x4e\x00\x46\x5c\x33\x26\xc6\x20\xce\xf8\x73\xec\x3a\x2d" "\xde\x86\x84\xef\xff\xaa\xfc\xab\xe0\x6b\x3a\x32\x71\x55\x8e\x40\x11\x72" "\x96\xf9\xe8\x58\x4c\x31\x77\xf8\x6f\x0e\x3e\xe9\xb2\x73\x23\x29\xbf\x1f" "\xf4\xf9\x3a\xe9\xba\xaf\x20\xc2\x6f\xfc\x8c\x7a\x18\xc7\xa0\x8e\x65\xa2" "\xf6\x73\x6e\x50\x92\xd5\xa5\x89\xfc\x85\xa7\xa2\xc5\x22\xff\x72\x59\x93" "\x89\xa6\x4d\x6e\xaa\x9c\x37\x85\x82\x03\x50\xf9\x77\x35\xe8\x8b\xaf\x4d" "\xec\xd2\xd1\xcb\x76\xbe\x9e\x88\x56\x0e\xe8\xac\x34\x0a\x67\xeb\x8e\x17" "\x0b\xca\xcc\x9e\x7e\x96\xbe\x21\x38\x1b\x7b\x36\xd6\x3b\x1b\x57\xef\xd6" "\xfa\xec\x42\xa1\x1a\xb4\x21\xae\x68\x42\x6e\xa9\x38\x49\xfd\xdb\x7f\xf8" "\xea\x7f\xfa\x3d\x3b\x00\x00\xde\x27\x42\xc6\xcb\x6d\xab\x3c\x01\xd6\x30" "\x32\xeb\xbf\x67\x97\x62\x98\x3e\xc0\xa3\xc9\xc2\x98\x4a\x8a\xdc\x7c\x95" "\xcd\x3a\x0f\xd4\x5b\x56\x21\xe4\x5d\xe1\xb2\x21\x65\x7b\x1a\x6e\xb3\x34" "\x16\x5b\xb7\xc9\x3f\x9c\x43\xa5\x0b\x89\x03\x45\x3e\x89\x2a\x20\x66\x6f" "\x0a\x34\x08\x65\x97\x3f\xbb\xa0\x7a\x7f\xd1\x46\xf3\x24\x15\x7b\xf8\x93" "\x91\x36\x65\xcd\xad\xe9\xa9\xb0\x38\xfc\x40\x1d\xaf\x6e\x65\x61\x1e\x30" "\xfe\x11\x32\x84\x4c\xe5\x61\xa0\x72\x47\x3a\xca\x26\xe0\xcd\x67\x90\xab" "\x13\xcb\x87\x10\x3d\xf0\x3f\x4c\x2e\x41\xfb\x40\xe1\xf6\xdc\xc6\x37\x02" "\x70\xd4\x7c\xe6\x9c\x67\x9b\xb0\x97\x4f\x8d\x5c\x8b\x8e\xa8\x1a\xa5\x5a" "\x7d\xc2\x9d\x9c\x1c\xff\xb1\x55\x3f\x29", 4096); syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4080aebf, /*arg=*/0x20000480ul); *(uint8_t*)0x20000080 = 0; *(uint8_t*)0x20000081 = 0; *(uint8_t*)0x20000082 = 0; *(uint8_t*)0x20000083 = 0; *(uint32_t*)0x20000084 = 0; *(uint8_t*)0x20000088 = 0; *(uint8_t*)0x20000089 = 0; *(uint8_t*)0x2000008a = 0; *(uint8_t*)0x2000008b = 0; *(uint8_t*)0x2000008c = 0; *(uint8_t*)0x2000008d = 0; *(uint8_t*)0x2000008e = 0; *(uint8_t*)0x2000008f = 0; *(uint32_t*)0x20000090 = 0; *(uint32_t*)0x20000094 = 9; *(uint8_t*)0x20000098 = -1; 
*(uint8_t*)0x20000099 = 0; *(uint8_t*)0x2000009a = 0; *(uint8_t*)0x2000009b = 0; memset((void*)0x2000009c, 0, 27); *(uint8_t*)0x200000b7 = 0; *(uint64_t*)0x200000b8 = 0; syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4040aea0, /*arg=*/0x20000080ul); return 0; }
