// https://syzkaller.appspot.com/bug?id=ad69d1c3f76bf1db050797e8f0a19612804da71e // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } #define WIFI_INITIAL_DEVICE_COUNT 2 #define WIFI_MAC_BASE \ { \ 0x08, 0x02, 0x11, 0x00, 0x00, 0x00 \ } #define WIFI_IBSS_BSSID \ { \ 0x50, 0x50, 0x50, 0x50, 0x50, 0x50 \ } #define WIFI_IBSS_SSID \ { \ 0x10, 0x10, 0x10, 0x10, 0x10, 0x10 \ } #define WIFI_DEFAULT_FREQUENCY 2412 #define WIFI_DEFAULT_SIGNAL 0 #define WIFI_DEFAULT_RX_RATE 1 #define HWSIM_CMD_REGISTER 1 #define HWSIM_CMD_FRAME 2 #define HWSIM_CMD_NEW_RADIO 4 #define HWSIM_ATTR_SUPPORT_P2P_DEVICE 14 #define HWSIM_ATTR_PERM_ADDR 22 #define IF_OPER_UP 6 struct join_ibss_props { int wiphy_freq; bool wiphy_freq_fixed; uint8_t* mac; uint8_t* ssid; int ssid_len; }; static int set_interface_state(const char* interface_name, int on) { struct ifreq ifr; int sock = socket(AF_INET, SOCK_DGRAM, 0); if (sock < 0) { return -1; } memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, interface_name); int ret = ioctl(sock, SIOCGIFFLAGS, &ifr); if (ret < 0) { close(sock); return -1; } if (on) ifr.ifr_flags |= IFF_UP; else ifr.ifr_flags &= ~IFF_UP; ret = ioctl(sock, SIOCSIFFLAGS, &ifr); close(sock); if (ret < 0) { return -1; } return 0; } static int nl80211_set_interface(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, uint32_t iftype) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_SET_INTERFACE; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_IFTYPE, &iftype, sizeof(iftype)); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int nl80211_join_ibss(struct nlmsg* nlmsg, int sock, int nl80211_family, uint32_t ifindex, struct join_ibss_props* props) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = NL80211_CMD_JOIN_IBSS; netlink_init(nlmsg, nl80211_family, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, NL80211_ATTR_IFINDEX, &ifindex, sizeof(ifindex)); netlink_attr(nlmsg, NL80211_ATTR_SSID, props->ssid, props->ssid_len); netlink_attr(nlmsg, NL80211_ATTR_WIPHY_FREQ, &(props->wiphy_freq), sizeof(props->wiphy_freq)); if (props->mac) netlink_attr(nlmsg, NL80211_ATTR_MAC, props->mac, ETH_ALEN); if (props->wiphy_freq_fixed) netlink_attr(nlmsg, NL80211_ATTR_FREQ_FIXED, NULL, 0); int err = netlink_send(nlmsg, sock); if (err < 0) { } return err; } static int get_ifla_operstate(struct nlmsg* nlmsg, int ifindex) { struct ifinfomsg info; memset(&info, 0, sizeof(info)); info.ifi_family = AF_UNSPEC; info.ifi_index = ifindex; int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock == -1) { return -1; } netlink_init(nlmsg, RTM_GETLINK, 0, &info, sizeof(info)); int n; int err = netlink_send_ext(nlmsg, sock, RTM_NEWLINK, &n, true); close(sock); if (err) { return -1; } struct rtattr* attr = IFLA_RTA(NLMSG_DATA(nlmsg->buf)); for (; RTA_OK(attr, n); attr = RTA_NEXT(attr, n)) { if (attr->rta_type == IFLA_OPERSTATE) return *((int32_t*)RTA_DATA(attr)); } return -1; } static int await_ifla_operstate(struct nlmsg* nlmsg, char* interface, int operstate) { int ifindex = if_nametoindex(interface); while (true) { usleep(1000); int ret = get_ifla_operstate(nlmsg, ifindex); if (ret < 0) return ret; if (ret == operstate) return 0; } return 0; } static int nl80211_setup_ibss_interface(struct nlmsg* nlmsg, int sock, int nl80211_family_id, char* interface, struct join_ibss_props* ibss_props) { int ifindex = if_nametoindex(interface); if (ifindex == 0) { return -1; } int ret = nl80211_set_interface(nlmsg, sock, nl80211_family_id, ifindex, NL80211_IFTYPE_ADHOC); if (ret < 0) { return -1; } ret = set_interface_state(interface, 1); if (ret < 0) { return -1; } ret = nl80211_join_ibss(nlmsg, sock, nl80211_family_id, ifindex, ibss_props); if (ret < 0) { return -1; } return 0; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } #define WIFI_MAX_SSID_LEN 32 #define WIFI_JOIN_IBSS_NO_SCAN 0 #define WIFI_JOIN_IBSS_BG_SCAN 1 #define WIFI_JOIN_IBSS_BG_NO_SCAN 2 static long syz_80211_join_ibss(volatile long a0, volatile long a1, volatile long a2, volatile long a3) { char* interface = (char*)a0; uint8_t* ssid = (uint8_t*)a1; int ssid_len = (int)a2; int mode = (int)a3; struct nlmsg tmp_msg; uint8_t bssid[ETH_ALEN] = WIFI_IBSS_BSSID; if (ssid_len < 0 || ssid_len > WIFI_MAX_SSID_LEN) { return -1; } if (mode < 0 || mode > WIFI_JOIN_IBSS_BG_NO_SCAN) { return -1; } int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); if (sock < 0) { return -1; } int nl80211_family_id = netlink_query_family_id(&tmp_msg, sock, "nl80211", true); struct join_ibss_props ibss_props = { .wiphy_freq = WIFI_DEFAULT_FREQUENCY, .wiphy_freq_fixed = (mode == WIFI_JOIN_IBSS_NO_SCAN || mode == WIFI_JOIN_IBSS_BG_NO_SCAN), .mac = bssid, .ssid = ssid, .ssid_len = ssid_len}; int ret = nl80211_setup_ibss_interface(&tmp_msg, sock, nl80211_family_id, interface, &ibss_props); close(sock); if (ret < 0) { return -1; } if (mode == WIFI_JOIN_IBSS_NO_SCAN) { ret = await_ifla_operstate(&tmp_msg, interface, IF_OPER_UP); if (ret < 0) { return -1; } } return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; int collide = 0; again: for (call = 0; call < 9; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (collide && (call % 2) == 0) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); if (!collide) { collide = 1; goto again; } } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) { continue; } kill_and_wait(pid, &status); break; } } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: syscall(__NR_getpid); break; case 1: syscall(__NR_sendfile, -1, -1, 0ul, 0ul); break; case 2: memcpy((void*)0x20000140, "wlan1\000", 6); memset((void*)0x20000040, 2, 6); syz_80211_join_ibss(0x20000140, 0x20000040, 6, 0); break; case 3: res = syscall(__NR_openat, 0xffffffffffffff9cul, 0ul, 0ul, 0ul); if (res != -1) r[0] = res; break; case 4: syscall(__NR_sendfile, -1, r[0], 0ul, 0x4000000000010046ul); break; case 5: *(uint64_t*)0x20000a40 = 0; *(uint64_t*)0x20000a48 = 0; memcpy((void*)0x20000a50, "\x6d\x84\x83\x69\x9e\x28\xe5\x2c\x93\xf3\x50\x7a\x37\x97\xc7\xca" "\x8b\x29\x66\x63\x9a\x20\x50\x24\xc8\xc9\x72\xf3\xd6\x2e\x85\x29" "\x4a\xdf\xec\x71\x01\x61\x95\xa5\xb8\xe6\x33\x27\xc8\xcb\xe2\x08" "\x82\xe8\xb1\x3f\xec\x3a\x84\xfc\x95\x54\x9e\xe0\x99\x6f\x85\x18" "\x4d\x1e\x86\x78\xe6\xcf\x30\x42\x25\xb4\xbb\xe3\x56\x9d\x63\xf0" "\xbc\x7c\x78\x94\x84\xeb\xe9\x1e\xc1\x6f\xc4\xc3\x6d\x3c\xbc\x51" "\x44\x2d\x74\xfd\xc5\xd8\xe8\x60\x8b\x6b\xd1\xc3\xca\xe7\xea\xa3" "\x28\xe2\x56\xcf\x83\xf4\x13\x9c\x5e\x2b\xae\x0e\xd1\xe2\xc8\x78" "\x7c\xb4\x60\x97\xb5\xf4\xb2\xd3\x14\x64\xf0\xe4\xe9\x51\xab\x9e" "\xa5\x22\xac\xd1\xef\x94\x96\xb8\x0b\xe1\x52\xee\x11\x0d\x76\x0c" "\x7c\xbe\xb9\x42\xac\xa7\xdd\xb7\x98\x62\x57\x36\xb0\x86\xcd\xd8" "\x11\xff\xf0\xbd\xd8\x31\xa9\x2d\xb5\xd9\x68\x8f\xaf\x59\x5d\xab" "\x77\xad\xeb\x28\xdd\x51\x9a\x24\x3f\x8e\xb6\x30\x96\x23\x77\x3c" "\x5f\xd8\xe3\x13\x61\x76\xcf\x94\x3a\x64\x98\x79\xf8\xe5\xe7\xc2" "\xdd\x46\x3f\x68\x9c\x79\x70\xcd\x74\x9f\xe1\xe2\x4d\x27\xbe\xf9" "\x18\xf3\x4d\xe0\xc9\xae\x35\xe3\xf7\xd7\xcb\xe0\xdd\x3a\xbf\x47", 256); memcpy( (void*)0x20000b50, "\xe7\xa2\xc5\x6e\xd5\x78\xd5\x0a\x4e\x1c\x48\x63\x38\xc4\x52\xd6\x8a" "\x92\xca\xd5\x81\xa4\x3e\xcc\x86\xf4\x12\x67\xd6\x5b\xfd\xe1\x61\xd4" "\xef\xd4\x9a\x24\x93\xdf\xc3\x29\xf9\xfd\x4d\x84\xc7\x1d\xce\x63\x75" "\xd5\xf7\xd3\x8a\xcc\xb4\xb4\x57\x56\x41\x6d\x52\x65\xb3\xc4\xe4\x31" "\xc6\x36\x6f\xc1\x60\xff\x9e\x0f\x2f\x59\x0a\xbe\x3e\xe7\x0f\xa9\xb5" "\xca\xc3\xdc\xa3\x35\x6e\x61\x3e\x5e\x12\xc3\x47\x99\x58\xfa\x3e\x1f" "\x41\x4e\x98\x18\x6e\xba\x4b\xe6\x09\xa6\x34\xd0\x09\x8c\xb1\xa7\xcf" "\x0b\x12\xea\x32\x74\xa3\x86\x85\x99\x25\x36\x68\x81\xba\x31\xf6\x73" "\xc5\xfc\xd1\x00\x36\x28\x46\xd1\x02\x00\x95\xca\x5d\x33\x08\xb0\x4b" "\x03\x86\xa9\x19\x9c\x2b\x0b\xb7\xe1\xb6\x61\x36\xe5\x02\x3b\x26\x6a" "\xb0\xed\xc3\x69\xcf\x12\xda\x73\xb7\xb4\xcf\xeb\xd6\xe6\x1b\xf0\x61" "\x38\xa9\xae\x6a\xeb\xba\x8f\x7f\x10\x11\xaf\x66\x71\xd4\x24\xd7\x1f" "\x97\x47\x01\x09\xe0\x08\x98\x28\x40\x8c\xc3\xeb\x63\x69\x42\xb3\x53" "\xfa\x75\x33\x13\x26\x03\x2c\x67\xaa\x81\x55\xc4\x41\xd7\x1f\x4b\xda" "\xb3\x86\x81\x2f\xd6\xc8\x5a\x01\x5c\x42\x65\xe4\xe7\x7b\x4b\x97\x2a" "\x0b\x53\x6d\xa1\x5b\x67\x20\xe6\x53\x95\xdd\xaa\xfa\xc7\x4c\x23\x60" "\x33\x0a\xc9\xc6\x92\xf3\x54\x4e\xd4\x06\x67\x34\x67\x76\x3a\xd1\x71" "\x10\x0e\x23\x61\x19\x6c\xa7\x3a\xec\x9f\x40\x64\xef\x0d\x6c\xb5\x6e" "\x32\x0f\xec\xc3\xd0\x1a\x35\xa8\xd6\xe1\x2d\x83\x72\x56\xac\x34\x35" "\x76\xb7\x22\xbc\x72\xbd\x14\x8c\x57\x79\xc6\x6f\xd7\x37\xe0\x88\x9f" "\x10\xd7\x0d\x2d\xf7\x23\x8a\xf7\x7d\xb3\xdd\x74\x5d\x66\xcc\x3c\x3d" "\xa9\x1b\x3d\x14\x3b\xfd\x39\xec\x67\xc5\x76\x5e\x67\xe9\x7d\xc2\x08" "\x92\x35\x24\xc6\x9e\x98\x04\x2a\xd2\x7b\xa7\x96\x65\xaf\x44\x97\xdb" "\xf7\xd3\xde\xcd\x3a\xf7\x8c\x38\xc5\x85\x60\xbb\x65\x17\x0f\xcf\xd6" "\x0d\x35\x82\xea\x4e\x55\xaf\xbe\xb7\xd1\x31\xd8\xf0\x12\xef\xeb\x06" "\xe8\x66\x77\x66\x95\x14\xbf\x8f\xa2\xca\xd5\x23\xa6\xa9\xc5\xa8\x62" "\x27\x02\x32\xf1\xdd\xcc\xd8\xb2\x5c\x17\x40\x3a\xbc\x9a\xb1\x02\xda" "\x05\x60\x8c\x05\x3a\x6f\xaf\xa3\x1b\x6f\x3d\x5e\x74\x42\xb6\xec\x4f" "\x9b\x4b\xa8\x99\xbe\xd5\xba\x6b\x3d\xa4\x7c\xa7\xd4\xb4\x14\xe0\x59" "\x76\xa6\x46\x23\xa8\xbd\xbb\x37\x48\xfd\x70\x66\xd2\xb7\xe4\x9b\x09" "\x93\xf6\x33\x29\x0d\x8d\x60\xbc\x58\x92\xf3\xec\xb2\xbf\x8c\x4a\x88" "\xe7\xe3\x84\x16\xcf\x11\x41\x89\x76\x03\xef\x3b\x55\x71\x75\x37\x4c" "\x3d\x85\xa4\xed\x06\x20\xa9\x85\xe4\xf8\x7d\xa4\x94\x3f\x5a\x4d\x33" "\xe8\xe0\xa3\x5e\xc5\xb2\xe5\x9f\x1f\xd4\x61\x1d\xaa\x2f\x76\x09\x2e" "\xdf\xff\x84\x8b\xa5\xb3\x67\x5c\x67\xd0\xfa\x21\xd0\x53\x20\x5a\x6a" "\x18\x6d\x8f\xed\x9c\x50\xf7\xd4\xd3\xdc\xac\x80\x57\x79\xfc\x4e\x5e" "\x17\xe5\xe1\x5b\x4a\x3f\x87\xc3\xbb\xcf\x8a\x67\x06\x28\x3c\x4d\xe0" "\x7c\x75\xa2\x32\x26\xa3\xd3\x95\xea\x49\x26\x4a\x4d\x3b\x84\xa1\x56" "\xe7\x56\x5e\x1e\xc4\xeb\x1c\xcc\x48\xa1\xde\x1c\x6b\x5d\x82\xce\x64" "\x8f\xab\x2a\x34\x0e\xa8\x49\xf1\xeb\x89\x6a\x91\x81\x9b\x86\xd0\x2f" "\xd5\xab\x45\xb1\x44\x59\x14\xee\xa5\xc7\x7b\xe6\xa3\xb4\xef\x93\x21" "\x75\x4a\xa5\xd5\x78\x58\x5b\x58\xe7\x9d\x09\xf5\x65\xf4\x41\xde\x17" "\x1c\x72\xe9\x3c\x97\x12\x9d\xe1\x3f\x0d\xbe\x0f\x46\xcf\x84\xe3\x77" "\x7e\x8b\xe6\x25\x2b\x71\xd7\x31\x5e\x4d\x65\xb1\x24\x71\x14\xb7\x23" "\x78\xe1\x1c\xaa\x9a\x54\xa0\x18\x9f\x45\x54\xc8\xaa\x5b\x5d\x2d\x7c" "\x84\x81\x5e\x28\xd9\x0a\xf4\xa0\x3a\x84\x23\xdb\x17\xc0\x7a\x4e\x6a" "\x1c\x6e\x6a\xea\xde\xdd\x79\x37\xa3\x74\x82\x54\x24\x5c\x6e\xf7\x35" "\x43\x77\x63\x95\x28\x7e\x77\xb3\x5d\x9a\xda\x0e\xd2\x9d\x73\x7e\x18" "\x54\xd5\xad\xe4\x79\xc9\x0c\x0d\xee\x27\xab\xd1\x9e\x09\x73\x6e\x74" "\x37\x14\x48\x4d\xe0\x1b\x77\x26\x77\x3f\x1f\x3b\xd0\x30\xb1\xa6\xdf" "\xf7\x39\x01\xe0\xce\x0b\x98\x4e\xd7\xb2\x68\x24\x2c\x24\xc0\xc2\xb5" "\xd1\x39\x54\xe2\x82\x7a\xfa\xf1\x9c\x1f\x00\x0c\xb4\x61\x43\xc3\xe1" "\x52\x6c\x33\xb6\x61\xb1\x74\xee\x39\xf6\xa1\xfc\x78\x15\x4b\x9d\x67" "\x4c\x23\xb0\x8e\xd1\x66\x07\xc3\xa2\x57\xff\x95\x7c\x5d\x28\x48\x72" "\x70\x1d\xff\x35\x00\xf1\x6e\x8f\x23\xf4\xd5\x13\x92\x23\x7f\x3e\x41" "\x21\xa4\x38\x82\xad\xd5\x18\x20\x28\xcc\x12\x09\xa1\x59\xa8\xb4\xc8" "\x53\x60\xa3\xc2\x65\x21\xcd\x71\x55\x71\x03\xb9\x90\xbe\xf1\x03\xcf" "\x1f\xae\x37\x0d\x9b\xef\xb6\xc2\x42\x65\x60\x11\x88\x9a\x19\x07\x7c" "\xaf\x21\x9d\xbb\xb7\x3e\xa8\x03\x90\x83\xa5\x99\x06\x19\xad\x52\x1e" "\x6e\x0a\xc3\xab\xab\x8b\x2c\x3d\x48\x6d\x1c\x3c\xbe\x59\xf3\xff\x06" "\x79\x28\xa0\xd4\x7c\xcc\x2d\x90\x2a\x8e\x31\x5b\xb1\x11\xd2\xc3\xc3" "\x91\x43\x11\x01\xf2\xaf\x2e\x9a\x49\xff\x2c\x86\x03\x1a\xf2\x6c\x2b" "\x37\xf4\x21\xc6\x02\x1e\x17\x36\xd1\x54\x77\x5d\x59\x85\xe8\x73\x31" "\xa5\xf2\x1b\x7f\x04\x65\xdd\xec\xf6\x14\x87\x29\xa9\x1e\x46\x0d\x3d" "\xed\x0e\x41\xea\x88\xf6\x71\xe0\xc1\x02\x07\x04\x48\x45\x50\x96\x16" "\x31\xf2\x4c\x90\x4b\x50\x82\x4a\xde\x5b\xda\x29\xcf\xc7\x63\xda\xb3" "\x6d\x58\xf6\x5a\x73\xc1\xf7\x4a\x0e\x64\xfd\xf0\x0c\x10\xa8\xd6\x91" "\xc7\x13\xc2\xca\xe6\x72\xb6\x50\x63\x11\x57\x4c\x4a\x39\x06\x31\xc9" "\x01\xfb\xf2\x18\xae\xdf\x56\x08\x2e\x93\x43\xd5\xe4\x59\xb8\xa9\x63" "\x19\x32\xc3\xd0\x62\x32\x83\xb1\xf2\x19\x60\x2d\x74\x7c\xe1\xb3\xee" "\x25\xd8\x79\x66\x05\xfa\x12\x3f\xe2\x43\x4e\x3f\x2c\x00\xb3\x6c\xdb" "\x91\x18\x79\x0b\x5f\x59\x55\x6f\x9a\x25\x1b\x71\x21\x87\x3b\x04\xff" "\x08\xda\x23\x5e\x92\xef\x89\xd4\x99\x92\xbf\xe4\x35\x06\x60\x24\x29" "\x72\xf3\x43\x21\x56\xc1\x39\x04\xfe\xc7\x06\xb6\xf9\xde\xf8\x37\xcc" "\x67\xcc\xed\xe5\x5c\x95\x5b\x14\x60\x13\x52\x09\x29\xb2\x44\xe1\x60" "\xc6\xb8\xfb\xaf\x34\x15\x1c\xad\xd8\xcf\x3e\x4c\x12\x69\x9f\xa5\x43" "\x5f\x8d\x16\x45\x9b\xf8\xb2\xd0\x44\x19\x22\x53\xd0\xfb\xb6\xa8\x3c" "\x1b\xec\x9c\xf9\x9e\xfb\xa4\x93\x8e\x8a\xdd\x44\xa3\x75\x03\x2f\x03" "\x3e\xd5\xd6\x60\xd3\xc1\x2d\x5e\x05\x55\x38\xef\xdb\xe5\x6b\x0d\x9e" "\xa3\x7d\x23\x79\xcc\x69\x16\x01\x5e\x0a\xcc\xab\xa2\x8b\x3b\xf0\xa8" "\x91\x8d\x26\xe0\x30\xdd\xbe\x1b\x3c\x1f\x30\x83\x89\xc9\xa4\x78\x70" "\x21\x25\x93\x86\x14\x6f\x2b\x9a\x0b\x58\xa9\x45\x46\x3d\x31\x4e\xb8" "\x90\xe6\x8f\x99\xce\xf5\x16\x1c\xa6\x7c\x5c\x32\x34\x84\x74\x3d\xfe" "\x10\x3e\xc6\x20\x65\xc0\x80\x89\xee\xd6\x90\x6f\xa0\x1f\xe6\xeb\xab" "\x92\x0d\x08\xe0\x3f\x59\xb1\xf4\x12\xa2\x02\xb7\x0c\xf8\xa2\x06\x89" "\x7e\x91\x58\x3a\x0f\x82\x6e\x54\xe2\xa4\xbf\x40\x25\xae\x7d\xc1\x81" "\xf9\xbd\x26\x51\x18\x6d\x1f\x3f\x63\xa3\x06\x04\x11\x65\x54\x96\xef" "\x55\x8c\x0a\x15\x2b\x5f\x66\x09\xd1\xdd\xe8\xfc\xc3\x8e\xba\xf1\x65" "\xb1\x7c\xc8\x5d\x55\x34\xeb\x02\xe9\xe4\x2f\x27\x30\x59\xb6\xef\xf5" "\x90\x7a\xb6\xe6\x79\x55\x56\xb6\x61\x26\x10\x78\x26\x16\xdd\x2d\x37" "\xbd\xd6\x5b\x11\xda\x32\xa9\xee\x38\xe0\x51\x94\x2a\xcd\xea\xc6\x8e" "\x36\xde\xd9\x24\x7b\x46\x1f\xbe\x07\x81\x83\x06\x9f\x72\x0c\x61\x0b" "\x65\x2d\xff\x6c\xb7\x9f\xb1\x43\x8e\x36\x1d\xf1\x73\x7f\x32\xc3\x43" "\x2c\xd2\xaf\xdf\x5e\xfe\x0d\x2d\x2d\xa7\x92\x5a\xf4\xc4\x13\xbe\xe6" "\x42\xe6\xd8\x67\xe4\x78\x5b\x33\x78\xb3\xa8\x56\x5d\xe6\xa8\x16\xb9" "\x2a\xcf\xba\x6c\xe6\xe8\xa6\xd4\x5a\x52\x09\xd3\x25\xca\x2b\x0f\x6d" "\x74\xbe\x1d\x51\x6f\x62\x38\x6f\x2d\x0e\xe3\xf3\x15\xcc\xda\xa5\x6a" "\x20\x4f\xbf\xdc\x86\x41\xf6\x2e\xb4\xfe\xc4\xd5\x7d\x3b\x5f\xf7\x51" "\xd6\xa8\x1d\x60\xee\x45\x53\x70\xa1\x8f\xf0\x8e\xd8\x26\xa0\xf3\x42" "\x64\xed\x2b\xbc\x35\xec\xe9\x2a\xa7\x34\xe3\xce\x5c\xaf\x61\xd1\x74" "\xa1\x03\xee\xca\xe3\x46\x5e\xf9\x3a\x62\x39\x18\xe9\xfe\x44\x32\x52" "\xda\x01\xdb\x37\x96\xea\xac\x3e\x1b\x45\x7f\x73\xae\x7d\xa4\xd7\x35" "\x42\xf1\x08\x34\xb5\x15\x5e\x2c\x50\x0c\x7a\x98\xcc\x24\x27\x1f\x7c" "\x62\x0c\xdd\x6d\x27\x82\xac\xb1\x43\xd7\x0e\xb1\xfe\xbf\x80\xd3\x9f" "\x45\x07\x84\xf7\xf1\x98\x09\xcf\x5c\xa1\x8e\x93\x40\x63\x1c\x86\x52" "\x28\x13\x2b\xa9\x00\xda\x83\xcb\x32\x42\xda\xfe\x9e\xfe\x90\x43\x33" "\x32\xd0\x16\x3e\x55\x28\x72\xd6\xee\xeb\x4d\x2c\x25\x43\x46\xf5\x26" "\xe8\x8c\x4d\x73\x4a\x97\xb8\x41\x45\x42\x85\x82\x0e\x79\x96\x6b\xf4" "\xfa\xef\x01\x98\xfe\x77\x83\xe6\x49\xef\x5a\x46\x64\x66\xc2\x54\x1a" "\x05\x65\xd6\xae\xa6\x64\xb5\x07\x0b\x26\xde\x5f\xc2\xc1\xb2\xf9\x1b" "\x7c\x9d\xfb\x38\x7a\x36\x81\x84\xe5\xbc\x94\x09\x1c\x16\xe2\x57\x4a" "\xce\x46\x7d\x93\x3b\x25\x34\xb8\x3e\xf9\xf7\x4d\x33\xb2\xe1\x71\xab" "\x66\x27\x8f\x62\x6b\x91\xb6\x08\x6b\xe4\xb7\x20\x0f\x01\x69\xd3\x44" "\x66\xc5\xe2\x4e\x67\x64\x86\x99\xa4\xb7\x2d\xc8\x14\x52\x11\xbf\xcb" "\x13\x04\x07\x22\xb6\x27\x35\x2f\x55\x0d\x9c\x8e\x31\x55\x4a\x1a\xbf" "\xac\x7a\xee\x89\xc6\x01\x98\x8c\xb6\xe3\x25\x8c\x60\xea\xd6\x41\x02" "\x51\x60\x1f\x2b\xe9\x14\xca\xe7\xc2\xdf\xdb\xa9\x39\x0e\x92\xca\x47" "\xc1\x06\x9b\xe6\x90\x40\x2f\xf2\x7c\x4c\x94\x38\x04\x95\x0d\x3e\xa6" "\x2a\x59\x0e\xaf\xb1\x12\x48\x92\xb1\xc4\x49\x79\xa8\x0a\xeb\x48\x84" "\x3c\xe2\x95\xcc\x43\xb7\xf2\x4c\xd0\x29\xc2\xb9\x44\x0c\xc7\x61\x12" "\xf9\xf6\xfc\x97\x99\xf3\x50\x15\xc8\xfe\xa8\x18\x11\xd2\xbc\x57\x96" "\xd5\x97\x68\x0d\x4e\xbf\x1a\xa9\x79\xaf\x04\x5b\xf7\x5c\x25\xe1\x5c" "\xa0\x52\x0f\x79\xe1\x5b\x2d\x84\x3b\x43\x81\x3d\x82\xb2\x4d\x5c\x20" "\x85\x4f\x96\x1e\x51\x32\x94\x7b\xcf\xff\x33\xeb\x33\x8a\x42\xf3\xc1" "\x28\xe6\xf1\xea\x7d\x2e\x9e\xb4\x3f\xff\xde\x50\xd7\xdf\x1c\xa9\xce" "\x70\x5b\x1b\x38\xd5\xb6\xdd\xdc\x1e\xe9\x54\x16\x1c\x98\x1d\xc3\xd3" "\x4e\x26\x8b\x33\x19\xcb\xca\xac\x52\xcf\x83\x23\x3f\xfb\xef\x06\xd3" "\x91\xee\x04\x84\x14\xbf\x2b\xd4\x2a\x4b\x5b\x02\xb2\x60\xb1\x4d\x29" "\x4b\x17\x6a\x1d\x99\x89\x83\x29\x88\x9d\xa7\xfa\x4c\xe2\xb1\x48\x31" "\x42\x74\xf2\x10\xf5\xfa\xbe\x7b\x5e\xb8\x76\x13\x0a\xfb\x2a\x78\xa3" "\x44\x6e\x37\x7f\xd6\x5e\x7d\x93\x15\xfd\x23\x56\xb9\x00\x0f\xb7\x01" "\xa7\x52\x4e\x49\xdb\xd0\xd5\xbd\x56\xe1\xf3\x93\x00\x1e\x08\x28\xb0" "\x64\x8a\xcf\x4d\x39\xcd\x08\xdf\xb4\x9d\x84\x46\xca\x88\xce\x6e\x50" "\x89\xb8\x34\x4f\xe5\x55\x15\xac\x2d\xdb\x44\xe5\x0e\xac\xb2\x6e\x2d" "\xec\x7e\xc9\xb0\x3e\xa1\xa0\x20\xb9\x51\xb7\x8b\xdd\x96\x36\xa7\x7d" "\x71\x26\x0d\x3c\x00\x27\x86\x4f\xfc\x31\xfb\x37\x5b\x48\xfb\x92\x45" "\x59\x57\xef\x36\xf9\xd2\x0c\x39\x14\x0c\x31\xfa\xf3\x13\xad\xf3\xed" "\x80\x81\xd6\x83\x53\xcd\x32\xc8\x27\x1e\x87\x39\x9e\xe8\x65\x5a\x97" "\x72\xfe\x7e\x5f\x85\x5b\xf3\xf9\xa9\x63\x62\xfe\x9f\x8e\x8f\xba\x83" "\xa3\x31\x00\xd9\xf6\x60\xe4\x92\x3a\x50\xd3\xd3\x30\x3b\x0f\x3a\xe4" "\x59\x31\xb6\x4e\x8c\x0c\xc1\xdf\x17\x5c\x86\x31\x79\xea\x0b\xc6\xa9" "\xa8\xf4\x26\x4d\x7b\xaf\xb5\x7c\xdb\xae\x2d\x87\x49\xec\xaf\x5b\x18" "\xfc\xc0\xfc\x79\x1f\x66\xf7\xf0\xef\x99\xc5\xa9\x0c\xcb\x48\x62\x50" "\x6a\x49\x2f\x49\xc6\x9a\x42\x39\x4d\xc0\xb7\x4f\xfd\xa2\x61\x4a\x4c" "\xa0\xce\xfe\xb4\x0d\xf3\xcf\xe8\x8f\x4a\xf2\xc2\xff\xb1\xb9\x5f\xef" "\x96\xf8\x7b\xfe\x36\xd4\x59\x80\x3c\x11\xb1\x92\x8f\xa7\xf6\x63\xf2" "\xda\xc6\xf3\x1d\x3b\x6a\x67\x9a\xa9\xf7\x54\x6e\x24\xff\x7e\xa2\xf2" "\x26\xdc\x0a\x8c\x43\xd3\x1e\x08\x70\x38\x53\x9f\xf9\x27\xad\x6a\x94" "\x42\x1b\x92\x3a\x31\xf0\xed\x18\xe1\x1d\x71\xc8\xac\x8f\x6b\x1c\xd6" "\xb4\x10\x51\xd9\x07\x12\x1d\x2a\xff\x3f\x9a\x0f\xf8\x13\xb3\xd4\x24" "\x54\x21\xad\x1e\xbd\xdb\x30\xd1\x75\x04\x6b\x76\x37\x57\x85\xc0\x6e" "\x7f\x0a\xb2\xc3\x20\x26\xb3\xe6\x39\xd3\x73\xfd\x88\xbb\x68\x26\x7b" "\x5a\x24\x3f\xb2\x16\xd5\x7c\x45\x48\xa6\xd7\x79\xbc\xf9\xae\x94\x83" "\x2d\xb0\x74\x52\xd0\xe8\x05\x36\x5d\x34\x5c\x2d\x64\xf7\xf7\x14\x0b" "\xa9\xbb\x91\x2f\x23\xcf\xd4\x9c\x04\x94\xab\xe7\x3a\x81\x23\x5c\xfd" "\x3b\x96\x7e\xd1\x02\xb9\x1a\x29\x9f\x02\xb2\xe5\xcc\x26\x37\xa6\xd3" "\xd8\xaa\x47\x7e\x4c\x34\x24\xd3\xb1\xd3\xb3\x1c\x06\x11\x52\x19\x14" "\x69\xc3\x9d\xa0\xfd\x80\x0b\xac\xd8\x00\x8f\x89\x28\x9b\xfc\x28\x3d" "\x74\x29\x44\x38\xbd\xa1\xa3\x7a\xa3\x3c\xf5\xe6\x2f\x5c\x61\x67\xb4" "\x83\xfe\xc5\xfe\x49\xfa\x85\x76\xc4\x90\xb3\x78\x77\xe4\x93\x4c\xc7" "\x7a\x3e\x83\x3e\xb4\xec\x44\xa7\xc7\xac\xf4\xc0\x33\x5b\xcd\xf1\x34" "\xa6\x73\xd4\x99\xe7\x8b\xeb\x76\x19\x59\xd5\x84\xe0\xb6\x33\x2a\x7c" "\xbe\xa5\x72\x46\xec\xbf\x8e\xa7\x95\x98\xfe\x27\xff\x13\x04\x03\xb7" "\xb1\x51\xb0\x34\xd7\x9e\xd6\xd1\x68\x22\x86\x7c\xea\x10\x92\xcb\x03" "\x1d\xc6\x44\x1a\xd8\xd9\xeb\x39\xfa\x92\x66\xa3\x0b\x20\x82\x7b\x11" "\xd1\x73\x8b\xb0\x91\x7d\x25\x28\x25\x29\xb8\x3e\x53\x67\x4a\x33\xaa" "\x83\xd1\xb4\xc3\x1b\xe0\x31\xe9\xd2\x85\xbb\x6c\x1e\x89\xa5\xce\x9c" "\x3e\x54\xc7\x09\xa5\x13\xb9\xb4\x05\x42\xfb\x24\x62\x12\x8b\xb5\x60" "\x48\x62\x04\xf3\x50\x9a\x1b\x46\xce\x16\x15\x28\x02\x74\x2e\xfd\x79" "\xd8\x43\x5d\xa2\x2e\x14\xcd\x14\xe3\x0f\xa2\x8a\x19\xe3\xc1\xa7\x52" "\xac\x49\xdb\x4a\x81\xdb\x5b\xb2\x32\x3b\x3b\x29\x59\x61\x8e\x60\x5c" "\x25\xc1\xe6\x7b\x03\xfd\xf0\x76\x72\x9b\x94\xf8\x3f\x24\x16\x6d\xa0" "\xa6\xe4\xe3\x5b\x8b\x7d\x2e\x17\xe6\x5f\xc6\xa1\x9d\x88\xe7\xd6\x6d" "\xe2\x9b\x8b\xc4\xbe\x84\xb9\xaa\x95\x3d\x5b\x27\xfc\x26\x1a\x5b\xae" "\x99\x68\x23\xee\x9b\x20\x9f\x42\x08\x32\xf7\x79\x8a\x60\x5d\x3a\x5e" "\x15\x68\x91\xff\x4f\x1d\xce\xb5\xb1\xd4\xca\x98\xd2\xa9\x9b\xe1\xd9" "\xd4\x3c\x1e\x9a\x9a\x3a\x1d\xbe\x91\xd3\x73\x9e\x68\x27\x82\x1b\x6d" "\xe4\x5b\xf0\xaf\x48\x14\x12\x34\x62\xc8\xb5\xed\x80\xa0\xb2\xad\x49" "\xe2\xb6\x96\x62\xdf\xb1\x68\x9b\x73\xdd\xfb\x4e\x92\x49\x42\x4e\xca" "\x51\xf4\x8b\xfe\xf5\x8f\xed\xd3\x73\xca\x6c\xd2\x1c\xb9\x0e\x46\xd8" "\xf7\xed\xae\xd4\x65\xcb\x9b\xeb\xeb\xb3\xf2\x55\x3a\x03\x9c\x80\xb2" "\xe6\x2b\xf3\xc7\xc1\x43\x0f\xb5\xd0\x1b\x8d\xab\x19\x19\x5b\x67\x6e" "\x15\xeb\x6c\x5d\xba\x70\x4e\x56\xe9\x50\x27\xad\x92\xfb\x94\x32\x11" "\x6f\x5c\x5c\x38\x41\xf8\xb2\xb2\xdb\xb2\xac\x8f\x66\x7d\xa5\xc6\xe6" "\x51\x36\x7a\xe5\x11\xc1\x63\xc8\xd6\x39\x32\xec\xdd\x12\xc6\x07\x04" "\x8b\xf5\x6d\x5c\xe1\xc9\x23\xc6\x27\x97\xe4\xc7\xde\x3a\x90\xdf\x64" "\x2e\xdc\x1b\x51\x4e\xec\x52\x92\x09\xb7\xfb\xa9\xa8\x63\x14\x52\x80" "\x83\xd9\xa8\x20\x4e\x77\xfa\x79\x31\xda\xc2\x10\x52\x63\x64\xc8\x83" "\x76\x22\x29\x2b\x02\x63\xf6\xea\x11\x94\xf3\x49\xcf\x4d\xfc\x3a\xa6" "\x55\xe7\xd2\xe9\xf9\x1b\xb1\x1e\xa2\x8c\x51\x66\xd0\xb7\xb8\x4a\x7f" "\x7d\x6e\x04\x27\x82\x47\x08\xda\xc4\x2c\x8f\xf5\xb4\x20\xde\x2e\x3d" "\x17\x2f\x92\x31\x01\x01\x02\x9a\xdc\xe8\x7b\x9e\x70\x7c\xf0\x1a\x2e" "\x0d\xf8\x0f\xcf\x6e\x4e\x57\x24\xcf\xe4\xec\x88\x07\x2c\xc5\x22\x18" "\xed\xf0\x08\xc8\xb0\xd7\x9e\x3a\xcf\x5e\xf0\xf2\x62\xaa\xe5\xea\x6a" "\xea\x86\x30\x39\x9e\xd5\x98\x97\xf8\xd4\x45\xaf\xd2\x91\x0e\x41\x98" "\xc4\xd6\x6a\x4f\x8f\xa9\x07\x65\xb8\x06\x16\x34\x4d\x5b\x3c\x4d\xfa" "\xc5\x3c\x94\x76\x81\x5a\x8b\xce\x46\xb8\xa5\x27\xfc\xae\xd8\x36\x67" "\x3d\xd1\xa1\x0c\x21\x96\xc8\xef\x6b\x03\x45\x09\x69\xbe\x8c\xa1\x54" "\x2e\xa4\x92\x01\xf5\xb8\x98\x4e\x69\xed\x53\xdf\x5f\xe4\xab\xc8\x0a" "\xb0\x45\x2d\xc4\x5a\xc7\x74\x9c\xc3\x6d\x7e\xb0\xad\x2d\xc2\xc0\x9e" "\xbf\x3d\x6f\x75\x78\x78\x65\x6e\xe9\x58\xb5\x44\xbd\x50\x9e\x76\x99" "\x82\xb1\x1d\x92\x85\x99\x07\x77\x2e\x72\xca\x8f\x4a\xb0\xee\x53\xfb" "\x45\x5f\xc6\xed\xd7\x0a\x59\x70\x1c\xaf\x86\x97\xe8\xfd\x2b\x1d\xf7" "\x94\x3c\x8d\xad\x62\x49\x9b\x5c\x8c\xbd\x90\x22\x58\xb5\x68\x58\x18" "\x1e\x91\x69\xf8\x41\x17\x8b\xf9\x5f\x3f\x92\x6d\x22\x12\xaa\x9f\x68" "\xba\x23\xfc\xb6\xf9\x9b\xa5\xca\x01\x63\x34\xa4\x12\x1a\x93\x02\xcb" "\x5b\xd8\x20\x37\x62\xbd\x71\x61\x3b\x53\x8c\xeb\x1a\x76\x07\x59\x32" "\x3b\x08\xa5\x04\xcc\x96\xf9\x42\xbf\xf2\x56\x1c\x44\x54\x5f\x4c\xa5" "\xac\x3c\x10\xf5\x2f\x34\xef\xf4\xac\xb7\xbb\x59\x6a\xa3\xb7\x8a\xe1" "\x9c\xa7\x9a\x9d\x06\x0b\xff\x9b\x61\xea\xba\x9e\x8c\xca\xcd\xd3\x86" "\x8a\x89\xc9\x39\x6c\x96\x4e\x22\xf8\x55\x0f\xa3\xc4\x3b\x22\x0e\x90" "\xb5\x92\x8c\x1b\x23\x5a\x41\xd9\x0e\x53\xe8\xef\x08\x89\x7a\xd7\xe7" "\x35\xe2\xfb\x26\x4a\xf4\xf8\xf4\xf6\xc8\xd4\x12\x0c\x57\x9e\x88\x7e" "\x7c\x4f\x05\x04\xd4\xd6\x84\x48\x90\x1e\xb0\x8f\xec\x1f\x54\xee\x81" "\x06\x97\x40\x06\xdf\xf0\x07\x2a\x98\xab\x3b\x1d\x30\x53\x6f\xaa\xbe" "\x99\x9d\x19\xa1\x8f\xc7\x9a\x91\x56\xd2\xb4\x57\xa7\x9a\xdb\x96\x26" "\x69\x5b\x28\x5b\x28\x6b\xce\x9f\x72\x85\xd9\x67\x2a\xe9\x43\x66\x38" "\xdc\x92\x67\xed\xae\x13\x45\x20\x91\x89\xd9\x39\xa5\x36\x1c\x4c\x0e" "\x6b\x94\xb6\xaf\x3e\xff\xb7\xec\x6c\xb1\xe1\x98\x07\x45\x59\x63\x5f" "\xef\x46\xef\x68\x60\x0f\xd9\x02\xda\x31\x83\x77\x74\x8f\x30\x4e\x69" "\xda\x81\x59\x40\x32\x74\x04\x68\x0c\x25\x46\x97\xf9\x17\x80\x06\x80" "\x31\xde\xe9\x23\x4e\xde\x62\x84\x05\x92\x42\x98\xd2\xef\x35\xe4\x51" "\xb8\xad\x6b\x29\xef\x5e\x67\x1a\xc5\x4f\xa5\x0d\x6f\xf3\x1e\x27\xa8" "\xa9\x36\x82\xd7\xdf\x8e\xa6\x4c\xa6\x23\xba\xda\x92\x67\x7e\x8b\x4e" "\x09\xa2\x27\x22\x8a\x23\x7e\xbe\x41\xa9\xf1\x61\xae\x52\x75\xa1", 3824); syscall(__NR_ioctl, -1, 0xd000943e, 0x20000a40ul); break; case 6: syscall(__NR_sendmsg, -1, 0ul, 0x40850ul); break; case 7: res = syscall(__NR_socket, 0x10ul, 3ul, 0); if (res != -1) r[1] = res; break; case 8: *(uint64_t*)0x20000140 = 0; *(uint32_t*)0x20000148 = 0; *(uint64_t*)0x20000150 = 0x200001c0; *(uint64_t*)0x200001c0 = 0x20000180; *(uint32_t*)0x20000180 = 0x28; *(uint16_t*)0x20000184 = 0x10; *(uint16_t*)0x20000186 = 0x801; *(uint32_t*)0x20000188 = 0; *(uint32_t*)0x2000018c = 0; *(uint8_t*)0x20000190 = 0; *(uint8_t*)0x20000191 = 0; *(uint16_t*)0x20000192 = 0; *(uint32_t*)0x20000194 = 0; *(uint32_t*)0x20000198 = 0; *(uint32_t*)0x2000019c = 0x9effffff; *(uint16_t*)0x200001a0 = 8; *(uint16_t*)0x200001a2 = 0x1b; *(uint32_t*)0x200001a4 = 0; *(uint64_t*)0x200001c8 = 0x28; *(uint64_t*)0x20000158 = 1; *(uint64_t*)0x20000160 = 0; *(uint64_t*)0x20000168 = 0; *(uint32_t*)0x20000170 = 0; syscall(__NR_sendmsg, r[1], 0x20000140ul, 0ul); break; } } int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; }