// https://syzkaller.appspot.com/bug?id=a1954eed3adfde914df9a0a2d0b7d1ecb876072f // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; retry: const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } void execute_one(void) { memcpy((void*)0x200000c0, "exfat\000", 6); memcpy((void*)0x20001540, "./file0\000", 8); *(uint64_t*)0x20000200 = 0; sprintf((char*)0x20000208, "0x%016llx", (long long)0); memcpy((void*)0x2000021a, ",dmask=00000000000000000000152,iocharset=cp864,gid=", 51); sprintf((char*)0x2000024d, "0x%016llx", (long long)0); memcpy((void*)0x2000025f, ",allow_utime=0000004,umask=00000p00000000000001777,\000", 52); *(uint64_t*)0x20000293 = -1; *(uint32_t*)0x2000029b = -1; *(uint8_t*)0x2000029f = -1; *(uint32_t*)0x200002a0 = -1; *(uint8_t*)0x200002a4 = -1; memcpy( (void*)0x200035c0, "\x78\x9c\xec\xdc\x0b\x98\xce\x55\xd7\x30\xf0\xbd\xf6\xde\x7f\x86\x26\xdd" "\x4d\x72\x18\xf6\xda\xeb\xcf\x9d\x06\xdb\x24\x49\x0e\x09\x39\x24\x49\x92" "\x24\x39\x25\x24\x4d\x92\x24\x24\x86\x9c\x92\x86\x24\xe4\x38\x49\x0e\x43" "\x48\x0e\xd3\x98\x34\xce\xe7\x43\xce\x49\x93\x47\x9a\x24\xc9\x29\xa7\xb0" "\xbf\x4b\x4f\xcf\xeb\x79\xde\xde\xe7\xed\x7b\xbf\xa7\xf7\xf3\x7d\xef\xac" "\xdf\x75\xed\xeb\xde\xcb\xff\x5e\xeb\xde\xdb\x9a\x6b\xfe\x87\xeb\xbe\xe6" "\x87\x1e\x23\xeb\x36\xaf\x57\xab\x29\x11\x89\x7f\x09\xfc\xf5\x25\x59\x08" "\x11\x23\x84\x18\x2a\x84\xb8\x41\x08\x11\x08\x21\x2a\xc6\x55\x8c\xbb\x72" "\x3c\x9f\x82\xe4\x7f\xed\x43\xd8\x9f\xeb\xd1\xb4\x6b\xbd\x02\x76\x2d\x71" "\xff\x73\x37\xee\x7f\xee\xc6\xfd\xcf\xdd\xb8\xff\xb9\x1b\xf7\x3f\x77\xe3" "\xfe\xe7\x6e\xdc\xff\xdc\x8d\xfb\xcf\x58\x6e\xb6\x6d\x76\xd1\x1b\x79\xe4" "\xde\xc1\xcf\xff\x73\x33\x3e\xff\xff\x0f\x92\x53\x6e\xd2\x37\x1b\xca\xdd" "\xdc\xf3\xbf\x90\xc2\xfd\xcf\xdd\xb8\xff\xb9\x1b\xf7\x3f\x77\xe3\xfe\xe7" "\x6e\xdc\xff\xdc\x8d\xfb\xff\x3f\x5f\xcd\xff\xe4\x18\xf7\x3f\x77\xe3\xfe" "\x33\x96\x9b\xfd\xb7\x3e\x5f\x06\x21\xc4\xff\x03\xcf\xb8\x79\xfc\xf3\x71" "\xad\x7f\xfe\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63" "\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\xe5\x0e\xe7\xfc\x55\x5a\x08\x71\xe5\x35\xb8\xd6\x8b" "\x62\x8c\x31\xc6\x18\x63\x8c\x31\xc6\xd8\x9f\xca\xe7\xbd\xd6\x2b\x60\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\xd8\x7f\x3f\x10\x52\x28\xa1\x45\x20\xf2\x88" "\xbc\x22\x46\xe4\x13\xf9\xc5\x75\x22\x56\x5c\x2f\x0a\x88\x1b\x44\x44\xdc" "\x28\xe2\xc4\x4d\xa2\xa0\xb8\x59\x14\x12\x85\x45\x11\x51\x54\xc4\x8b\x62" "\xa2\xb8\x30\x02\x85\x15\x24\x42\x51\x42\x94\x14\x51\x71\x8b\x28\x25\x6e" "\x15\x09\xa2\xb4\x28\x23\xca\x0a\x27\xca\x89\x44\x71\x9b\x28\x0f\x42\x24" "\x8b\x3b\x44\x45\x71\xa7\xa8\x24\xee\x12\x95\x45\x15\x51\x55\x54\x13\x77" "\x8b\xea\xe2\x1e\x51\x43\xd4\x14\xb5\xc4\xbd\xa2\xb6\xa8\x23\xea\x8a\x7a" "\xe2\x3e\x51\x5f\xdc\x2f\x1a\x88\x07\x44\x43\xf1\xa0\x68\x24\x1e\x12\x8d" "\xc5\xc3\xa2\x89\x78\x44\x34\x15\x8f\x8a\x66\xe2\x31\xd1\x5c\x3c\x2e\x5a" "\x88\x27\x44\x4b\xd1\x4a\xb4\x16\x6d\x44\xdb\xff\xa3\xfc\x57\x44\x1f\xf1" "\xaa\xe8\x2b\xfa\x89\x64\xd1\x5f\x0c\x10\xaf\x89\x81\x62\x90\x18\x2c\x86" "\x88\xa1\xe2\x75\x31\x4c\xbc\x21\x86\x8b\x37\x45\x8a\x18\x21\x46\x8a\xb7" "\xc4\x28\xf1\xb6\x18\x2d\xde\x11\x63\xc4\x58\x31\x4e\xbc\x2b\xc6\x8b\x09" "\x62\xa2\x98\x24\x26\x8b\x29\x22\x55\xbc\x27\xa6\x8a\xf7\xc5\x34\xf1\x81" "\x98\x2e\x66\x88\x99\x62\x96\x48\x13\xb3\xc5\x1c\xf1\xa1\x98\x2b\xe6\x89" "\xf9\xe2\x23\xb1\x40\x7c\x2c\x16\x8a\x45\x62\xb1\x58\x22\xd2\xc5\x27\x22" "\x43\x2c\x15\x99\xe2\x53\xb1\x4c\x7c\x26\xb2\xc4\x72\xb1\x42\xac\x14\xab" "\xc4\x6a\xb1\x46\xac\x15\xeb\xc4\x7a\xb1\x41\x6c\x14\x9b\xc4\x66\xb1\x45" "\x6c\x15\xdb\xc4\xe7\x62\xbb\xd8\x21\x76\x8a\x5d\x62\xb7\xd8\x23\xf6\x8a" "\x2f\xc4\x3e\xf1\xa5\xd8\x2f\xbe\x12\xd9\xe2\xeb\xff\x62\xfe\xd9\x7f\x97" "\xdf\x13\x04\x08\x90\x20\x41\x83\x86\x3c\x90\x07\x62\x20\x06\xf2\x43\x7e" "\x88\x85\x58\x28\x00\x05\x20\x02\x11\x88\x83\x38\x28\x08\x05\xa1\x10\x14" "\x82\x22\x50\x04\xe2\x21\x1e\x8a\x43\x71\x40\x40\x20\x20\x28\x01\x25\x20" "\x0a\x51\x28\x05\xa5\x20\x01\x12\xa0\x0c\x94\x01\x07\x0e\x12\x21\x11\xca" "\xc3\xed\x50\x01\x2a\x40\x45\xa8\x08\x95\xa0\x12\x54\x86\x2a\x50\x05\xaa" "\x41\x35\xa8\x0e\xd5\xa1\x06\xd4\x80\x5a\x50\x0b\x6a\x43\x6d\xa8\x0b\x75" "\xe1\x3e\xb8\x0f\xee\x87\x06\xd0\x00\x1a\x42\x43\x68\x04\x8d\xa0\x31\x34" "\x86\x26\xd0\x04\x9a\x42\x53\x68\x06\xcd\xa0\x39\x34\x87\x16\xd0\x02\x5a" "\x42\x4b\x68\x0d\xad\xa1\x2d\xb4\x85\x76\xd0\x0e\xda\x43\x7b\xe8\x08\x1d" "\xa1\x13\x74\x82\xce\xd0\x19\x92\x20\x09\xba\x40\x17\xe8\x0a\x5d\xa1\x1b" "\x74\x83\xee\xd0\x1d\x7a\x40\x0f\xe8\x09\xbd\xa0\x17\xbc\x02\xaf\xc0\xab" "\xf0\x2a\xf4\x83\xda\xb2\x3f\x0c\x80\x01\x30\x10\x06\xc2\x60\x18\x02\x43" "\xe0\x75\x18\x06\x6f\xc0\x1b\xf0\x26\xa4\xc0\x08\x18\x09\x6f\xc1\x5b\xf0" "\x36\x8c\x86\x33\x30\x06\xc6\xc2\x38\x18\x07\xd5\xe5\x04\x98\x08\x93\x80" "\xe4\x14\x48\x85\x54\x98\x0a\x53\x61\x1a\x4c\x83\xe9\x30\x03\x66\xc0\x2c" "\x48\x83\xd9\x30\x07\xe6\xc0\x5c\x98\x07\xf3\xe0\x23\x58\x00\x1f\xc3\xc7" "\xb0\x08\x16\xc1\x12\x48\x87\x74\xc8\x80\xa5\x90\x09\x99\xb0\x0c\xce\x42" "\x16\x2c\x87\x15\xb0\x12\x56\xc1\x6a\x58\x05\x6b\x61\x1d\xac\x85\x0d\xb0" "\x11\x36\xc0\x66\xd8\x0c\x5b\x61\x2b\x7c\x0e\x9f\xc3\x0e\xd8\x01\xbb\x60" "\x17\xec\x81\x3d\xf0\x05\x7c\x01\x5f\xc2\x97\x90\x02\xd9\x90\x0d\x07\xe0" "\x00\x1c\x84\x83\x70\x08\x0e\x41\x0e\xe4\xc0\x61\x38\x0c\x47\xe0\x08\x1c" "\x85\xa3\x70\x0c\x8e\xc1\x71\x38\x01\x27\xe1\x04\x9c\x86\xd3\x70\x06\xce" "\xc2\x39\x38\x07\x17\xe0\x02\x5c\x84\x97\xe2\xbf\x6b\xb6\xa7\xf4\xfa\x14" "\x21\xaf\xd0\x52\xcb\x3c\x32\x8f\x8c\x91\x31\x32\xbf\xcc\x2f\x63\x65\xac" "\x2c\x20\x0b\xc8\x88\x8c\xc8\x38\x19\x27\x0b\xca\x82\xb2\x90\x2c\x24\x8b" "\xc8\x22\x32\x5e\xc6\xcb\xe2\xb2\xb8\x44\x89\x92\x64\x28\x4b\xc8\x12\x32" "\x2a\xa3\xb2\x94\x2c\x25\x13\x64\x82\x2c\x23\xcb\x48\x27\x9d\x4c\x94\x89" "\xb2\xbc\x2c\x2f\x2b\xc8\x0a\xb2\xa2\xbc\x53\x56\x92\x77\xc9\xca\xb2\x8a" "\xec\xe0\xaa\xc9\x6a\xb2\xba\xec\xe8\x6a\xc8\x9a\xb2\x96\xac\x25\x6b\xcb" "\x3a\xb2\xae\xac\x27\xeb\xc9\xfa\xb2\xbe\x6c\x20\x1b\xc8\x86\xb2\xa1\x6c" "\x24\x1b\xc9\xc6\xf2\x61\xd9\x44\xf6\x87\xc1\xf0\xa8\xbc\xd2\x99\xe6\x72" "\x04\xb4\x90\x23\xa1\xa5\x6c\x25\x5b\xcb\x36\xf2\x6d\x78\x52\xb6\x93\xa3" "\xa1\xbd\xec\x20\x3b\xca\xa7\xe5\x58\x18\x03\x9d\x65\x3b\x97\x24\x9f\x93" "\x5d\xe4\x44\xe8\x2a\x5f\x90\x93\xe0\x45\xd9\x5d\x4e\x81\x1e\xf2\x65\xd9" "\x53\xf6\x92\xbd\xe5\x2b\xb2\x8f\x6c\xef\xfa\xca\x7e\x72\x3a\xf4\x97\x03" "\xe4\x2c\x18\x28\x07\xc9\xc1\x72\x88\x9c\x0b\x75\xe4\x95\x8e\xd5\x95\x6f" "\xca\x14\x39\x42\x8e\x94\x6f\xc9\x25\xf0\xb6\x1c\x2d\xdf\x91\x63\xe4\x58" "\x39\x4e\xbe\x2b\xc7\xcb\x09\x72\xa2\x9c\x24\x27\xcb\x29\x32\x55\xbe\x27" "\xa7\xca\xf7\xe5\x34\xf9\x81\x9c\x2e\x67\xc8\x99\x72\x96\x4c\x93\xb3\xe5" "\x1c\xf9\xa1\x9c\x2b\xe7\xc9\xf9\xf2\x23\xb9\x40\x7e\x2c\x17\xca\x45\x72" "\xb1\x5c\x22\xd3\xe5\x27\x32\x43\x2e\x95\x99\xf2\x53\xb9\x4c\x7e\x26\xb3" "\xe4\x72\xb9\x42\xae\x94\xab\xe4\x6a\xb9\x46\xae\x95\xeb\xe4\x7a\xb9\x41" "\x6e\x94\x9b\xe4\x66\xb9\x45\x6e\x95\xdb\xe4\xe7\x72\xbb\xdc\x21\x77\xca" "\x5d\x72\xb7\xdc\x23\xf7\xca\x2f\xe4\x3e\xf9\xa5\xdc\x2f\xbf\x92\xd9\xf2" "\x6b\x79\x40\xfe\x45\x1e\x94\xdf\xc8\x43\xf2\x5b\x99\x23\xbf\x93\x87\xe5" "\xf7\xf2\x88\xfc\x41\x1e\x95\x3f\xca\x63\xf2\x27\x79\x5c\x9e\x90\x27\xe5" "\x29\x79\x5a\xfe\x2c\xcf\xc8\xb3\xf2\x9c\x3c\x2f\x2f\xc8\x5f\xe4\x45\x79" "\x49\x5e\x96\x5e\x0a\x05\x4a\x2a\xa5\xb4\x0a\x54\x1e\x95\x57\xc5\xa8\x7c" "\x2a\xbf\xba\x4e\xc5\xaa\xeb\x55\x01\x75\x83\x8a\xa8\x1b\x55\x9c\xba\x49" "\x15\x54\x37\xab\x42\xaa\xb0\x2a\xa2\x8a\xaa\x78\x55\x4c\x15\x57\x46\xa1" "\xb2\x8a\x54\xa8\x4a\xa8\x92\x2a\xaa\x6e\x51\xa5\xd4\xad\x2a\x41\x95\x56" "\x65\x54\x59\xe5\x54\x39\x95\xa8\x6e\x53\xe5\xd5\xed\xaa\x82\xba\x43\x55" "\x54\x77\xaa\x4a\xea\x2e\x55\x59\x55\x51\x55\x55\x35\x75\xb7\xaa\xae\xee" "\x51\x35\x54\x4d\x55\x4b\xdd\xab\x6a\xab\x3a\xaa\xae\xaa\xa7\xee\x53\xf5" "\xd5\xfd\xaa\x01\xfc\x76\x6a\x52\x0f\xa9\xc6\xea\x61\xd5\x44\x3d\xa2\x9a" "\xaa\x47\x55\x33\xf5\x98\x6a\xae\x1e\x57\x2d\xd4\x13\xaa\xa5\x6a\xa5\x5a" "\xab\x36\xaa\xad\x7a\x52\xb5\x53\x4f\xa9\xf6\xaa\x83\xea\xa8\x9e\x56\x9d" "\xd4\x33\xaa\xb3\x7a\x56\x25\xa9\xe7\x54\x17\xf5\xbc\xea\xaa\x5e\x50\xdd" "\xd4\x8b\xaa\xbb\x7a\x49\xf5\x50\x2f\xab\x9e\xaa\x97\xea\xad\x2e\xa9\xcb" "\xca\xab\xbe\xaa\x9f\x4a\x56\xfd\xd5\x00\xf5\x9a\x1a\xa8\x06\xa9\xc1\x6a" "\x88\x1a\xaa\x5e\x57\xc3\xd4\x1b\x6a\xb8\x7a\x53\xa5\xa8\x11\x6a\xa4\x7a" "\x4b\x8d\x52\x6f\xab\xd1\xea\x1d\x35\x46\x8d\x55\xe3\xd4\xbb\x6a\xbc\x9a" "\xa0\x26\xaa\x49\x6a\xb2\x9a\xa2\x52\xd5\x7b\x6a\xaa\x7a\x5f\x4d\x53\x1f" "\xa8\xe9\x6a\x86\x9a\xa9\x66\xa9\x34\x35\x5b\x0d\xfe\xad\xd2\xfc\xff\x8d" "\xfc\xf7\xff\x83\xfc\xe1\xbf\x7e\xfa\x56\xb5\x4d\x7d\xae\xb6\xab\x1d\x6a" "\xa7\xda\xa5\x76\xab\x3d\x6a\xaf\xda\xab\xf6\xa9\x7d\x6a\xbf\xda\xaf\xb2" "\x55\xb6\x3a\xa0\x0e\xa8\x83\xea\xa0\x3a\xa4\x0e\xa9\x1c\x95\xa3\x0e\xab" "\xc3\xea\x88\x3a\xa2\x8e\xaa\xa3\xea\x98\x3a\xa6\x8e\xab\x13\xea\xbc\x3a" "\xa5\x4e\xab\x9f\xd5\x19\x75\x56\x9d\x55\xe7\xd5\x05\x75\x41\x5d\xfc\xed" "\xff\x40\x68\xd0\x52\x2b\xad\x75\xa0\xf3\xe8\xbc\x3a\x46\xe7\xd3\xf9\xf5" "\x75\x3a\x56\x5f\xaf\x0b\xe8\x1b\x74\x44\xdf\xa8\xe3\xf4\x4d\xba\xa0\xbe" "\x59\x17\xd2\x85\x75\x11\x5d\x54\xc7\xeb\x62\xba\xb8\x36\x1a\xb5\xd5\xa4" "\x43\x5d\x42\x97\xd4\x51\x7d\x8b\x2e\xa5\x6f\xd5\x09\xba\xb4\x2e\xa3\xcb" "\x6a\xa7\xcb\xe9\x44\x7d\xdb\xbf\x9c\xff\x47\xeb\x6b\xab\xdb\xea\x76\xba" "\x9d\x6e\xaf\xdb\xeb\x8e\xba\xa3\xee\xa4\x3b\xe9\xce\xba\xb3\x4e\xd2\x49" "\xba\x8b\xee\xa2\xbb\xea\xae\xba\x9b\xee\xa6\xbb\xeb\xee\xba\x87\xee\xa1" "\x7b\xea\x9e\xba\xb7\xee\xad\xfb\xe8\x3e\xba\xaf\xee\xab\x93\x75\xb2\x1e" "\xa0\x5f\xd3\x03\xf5\x20\x3d\x58\x0f\xd1\x43\xf5\xeb\x7a\x98\x1e\xa6\x87" "\xeb\xe1\x3a\x45\xa7\xe8\x91\x7a\xa4\x1e\xa5\x47\xe9\xd1\x7a\xb4\x1e\xa3" "\xc7\xe8\x71\x7a\x9c\x1e\xaf\xc7\xeb\x89\x7a\xa2\x9e\xac\x27\xeb\x54\x9d" "\xaa\xa7\xea\xa9\x7a\x9a\x9e\xa6\xa7\xeb\xe9\x7a\xa6\x9e\xa9\xd3\x74\x9a" "\x9e\xa3\xe7\xe8\xb9\x7a\xae\x9e\xaf\xe7\xeb\x05\x7a\x81\x5e\xa8\x17\xea" "\xc5\x7a\xb1\x4e\xd7\xe9\x3a\x43\x67\xe8\x4c\x9d\xa9\x97\xe9\x65\x3a\x4b" "\x2f\xd7\xcb\xf5\x4a\xbd\x52\xaf\xd6\xab\xf5\x5a\xbd\x56\xaf\xd7\xeb\xf5" "\x46\xbd\x51\x6f\xd6\x9b\x75\x96\xde\xa6\xb7\xe9\xed\x7a\xbb\xde\xa9\x77" "\xea\xdd\x7a\xb7\xde\xab\xf7\xea\x7d\x7a\x9f\xde\xaf\xf7\xeb\x6c\x9d\xad" "\x0f\xe8\x03\xfa\xa0\x3e\xa8\x0f\xe9\x43\x3a\x47\xe7\xe8\xc3\xfa\xb0\x3e" "\xa2\x8f\xe8\xa3\xfa\xa8\x3e\xa6\x8f\xe9\xe3\xfa\xb8\x3e\xa9\x4f\xea\xd3" "\xfa\xb4\x3e\xa3\xcf\xe8\x73\xfa\x9c\xbe\xa0\x2f\xe8\x8b\xfa\xa2\xbe\xac" "\x2f\x5f\xb9\xec\x0b\x64\x20\x03\x1d\xe8\x20\x4f\x90\x27\xf8\xdb\x77\x3f" "\x63\x83\xd8\xa0\x40\x50\x20\x88\x04\x91\x20\x2e\x88\x0b\x0a\x06\x37\x07" "\x85\x82\xc2\x41\x91\xa0\x68\x10\x1f\x14\x0b\x8a\x07\x26\xc0\xc0\x06\x14" "\x84\x41\x89\xa0\x64\x10\x0d\x6e\x09\x4a\x05\xb7\x06\x09\x41\xe9\xa0\x4c" "\x50\x36\x70\x41\xb9\x20\x31\xb8\x2d\x28\x1f\xdc\x1e\x54\x08\xee\x08\x2a" "\x06\x77\x06\x95\x82\xbb\x82\xca\x41\x95\xa0\x6a\x50\x2d\xb8\x3b\xa8\x1e" "\xdc\x13\xd4\x08\x6a\x06\xb5\x82\x7b\x83\xda\x41\x9d\xa0\x6e\x50\x2f\xb8" "\x2f\xa8\x1f\xdc\x1f\x34\x08\x1e\x08\x1a\x06\x0f\x06\x8d\x82\x87\x82\xc6" "\xc1\xc3\x41\x93\xe0\x91\xa0\x69\xf0\x68\xd0\x2c\x78\x2c\x68\x1e\x3c\x1e" "\xb4\x08\x9e\x08\x5a\x06\xad\x82\xd6\x41\x9b\xa0\xed\x9f\x5a\xdf\xfb\x33" "\x85\x9f\x72\x7d\x4d\x3f\x93\x6c\xfa\x9b\x01\xe6\x35\x33\xd0\x0c\x32\x83" "\xcd\x10\x33\xd4\xbc\x6e\x86\x99\x37\xcc\x70\xf3\xa6\x49\x31\x23\xcc\x48" "\xf3\x96\x19\x65\xde\x36\xa3\xcd\x3b\x66\x8c\x19\x6b\xc6\x99\x77\xcd\x78" "\x33\xc1\x4c\x34\x93\xcc\x64\x33\xc5\xa4\x9a\xf7\xcc\x54\xf3\xbe\x99\x66" "\x3e\x30\xd3\xcd\x0c\x33\xd3\xcc\x32\x69\x66\xb6\x99\x63\x3e\x34\x73\xcd" "\x3c\x33\xdf\x7c\x64\x16\x98\x8f\xcd\x42\xb3\xc8\x2c\x36\x4b\x4c\xba\xf9" "\xc4\x64\x98\xa5\x26\xd3\x7c\x6a\x96\x99\xcf\x4c\x96\x59\x6e\x56\x98\x95" "\x66\x95\x59\x6d\xd6\x98\xb5\x66\x9d\x59\x6f\x36\x98\x8d\x66\x93\xd9\x6c" "\xb6\x98\xad\x66\x9b\xf9\xdc\x6c\x37\x3b\xcc\x4e\xb3\xcb\xec\x36\x7b\xcc" "\x5e\xf3\x85\xd9\x67\xbe\x34\xfb\xcd\x57\x26\xdb\x7c\x6d\x0e\x98\xbf\x98" "\x83\xe6\x1b\x73\xc8\x7c\x6b\x72\xcc\x77\xe6\xb0\xf9\xde\x1c\x31\x3f\x98" "\xa3\xe6\x47\x73\xcc\xfc\x64\x8e\x9b\x13\xe6\xa4\x39\x65\x4e\x9b\x9f\xcd" "\x19\x73\xd6\x9c\x33\xe7\xcd\x05\xf3\x8b\xb9\x68\x2e\x99\xcb\xc6\x5f\xb9" "\xb8\xbf\x72\x7a\x47\x8d\x1a\xf3\x60\x1e\x8c\xc1\x18\xcc\x8f\xf9\x31\x16" "\x63\xb1\x00\x16\xc0\x08\x46\x30\x0e\xe3\xb0\x20\x16\xc4\x42\x58\x08\x8b" "\x60\x11\x8c\xc7\x78\x2c\x8e\xc5\xf1\x0a\x42\xc2\x12\x58\x02\xa3\x18\xc5" "\x52\x58\x0a\x13\x30\x01\xcb\x60\x19\x74\xe8\x30\x11\x13\xb1\x3c\x96\xc7" "\x0a\x58\x01\x2b\x62\x45\xac\x84\x95\xb0\x32\x56\xc6\xaa\x58\x15\xef\xc6" "\xbb\xf1\x1e\xbc\x07\x6b\x62\x4d\xbc\x17\xef\xc5\x3a\x58\x07\xeb\x61\x3d" "\xac\x8f\xf5\xb1\x01\x36\xc0\x86\xd8\x10\x1b\x61\x23\x6c\x8c\x8d\xb1\x09" "\x36\xc1\xa6\xd8\x14\x9b\x61\x33\x6c\x8e\xcd\xb1\x05\xb6\xc0\x96\xd8\x12" "\x5b\x63\x6b\x6c\x8b\x6d\xb1\x1d\xb6\xc3\xf6\xd8\x1e\x3b\x62\x47\xec\x84" "\x9d\xb0\x33\x76\xc6\x24\x4c\xc2\x2e\xd8\x05\xbb\x62\x57\xec\x86\xdd\xb0" "\x3b\x76\xc7\x1e\xd8\x03\x7b\x62\x4f\xec\x8d\xbd\xb1\x0f\xf6\xc1\xbe\xd8" "\x17\x93\x31\x19\x07\xe0\x00\x1c\x88\x03\x71\x30\x0e\xc6\xa1\x38\x14\x87" "\xe1\x30\x1c\x8e\xc3\x31\x05\x53\x70\x24\x8e\xc4\x51\x38\x0a\x47\xe3\x68" "\x1c\x83\x63\x71\x1c\xbe\x8b\xe3\x71\x02\x4e\xc4\x49\x38\x19\xa7\x60\x2a" "\xa6\xe2\x54\x9c\x8a\xd3\x70\x1a\x4e\xc7\xe9\x38\x13\x67\x62\x1a\xa6\xe1" "\x1c\x9c\x83\x73\x71\x2e\xce\xc7\xf9\xb8\x00\x17\xe0\x42\x5c\x88\x8b\x71" "\x31\xa6\x63\x3a\x66\x60\x06\x66\x62\x26\x2e\xc3\x65\x98\x85\x59\xb8\x02" "\x57\xe0\x2a\x5c\x85\x6b\x70\x0d\xae\xc3\x75\xb8\x01\x37\xe0\x26\xdc\x84" "\x5b\x70\x0b\x6e\xc3\x6d\xb8\x1d\xb7\xe3\x4e\xdc\x89\xbb\x71\x37\xee\xc5" "\xbd\xb8\x0f\xf7\xe1\x7e\xdc\x8f\xd9\x98\x8d\x07\xf0\x00\x1e\xc4\x83\x78" "\x08\x0f\x61\x0e\xe6\xe0\x61\x3c\x8c\x47\xf0\x08\x1e\xc5\xa3\x78\x0c\x8f" "\xe1\x71\x3c\x8e\x27\xf1\x24\x9e\xc6\xd3\x78\x06\xcf\xe0\x39\x3c\x87\x17" "\xf0\x17\xbc\x88\x97\xf0\x32\x7a\x8c\xb1\x52\xe4\xb7\xd7\xd9\x58\x7b\xbd" "\x2d\x60\x6f\xb0\x31\x36\x9f\xfd\xfb\xb8\x88\x2d\x6a\xe3\x6d\x31\x5b\xdc" "\x1a\x5b\xc8\x16\xfe\x87\x18\xad\xb5\x09\xb6\xb4\x2d\x63\xcb\x5a\x67\xcb" "\xd9\x44\x7b\xdb\xef\xe2\xca\xb6\x8a\xad\x6a\xab\xd9\xbb\x6d\x75\x7b\x8f" "\xad\xf1\xbb\xb8\xbe\xbd\xdf\x36\xb0\x0f\xd8\x86\xf6\x41\x5b\xcf\xde\xf7" "\x0f\x71\x23\xfb\x90\x6d\x6c\x1f\xb7\x4d\xec\x13\xb6\xa9\x6d\x65\x9b\xd9" "\x36\xb6\xb9\x7d\xdc\xb6\xb0\x4f\xd8\x96\xb6\x95\x6d\x6d\xdb\xd8\x4e\xf6" "\x19\xdb\xd9\x3e\x6b\x93\xec\x73\xb6\x8b\x7d\xfe\x77\x71\x86\x5d\x6a\xd7" "\xd9\xf5\x76\x83\xdd\x68\xf7\xd9\x2f\xed\x39\x7b\xde\x1e\xb1\x3f\xd8\x0b" "\xf6\x17\xdb\xd7\xf6\xb3\x43\xed\xeb\x76\x98\x7d\xc3\x0e\xb7\x6f\xda\x14" "\x3b\xe2\x77\xf1\x38\xfb\xae\x1d\x6f\x27\xd8\x89\x76\x92\x9d\x6c\xa7\xfc" "\x2e\x9e\x69\x67\xd9\x34\x3b\xdb\xce\xb1\x1f\xda\xb9\x76\xde\xef\xe2\x74" "\xfb\x89\x5d\x60\x33\xed\x42\xbb\xc8\x2e\xb6\x4b\x7e\x8d\xaf\xac\x29\xd3" "\x7e\x6a\x97\xd9\xcf\x6c\x96\x5d\x6e\x57\xd8\x95\x76\x95\x5d\x6d\xd7\xd8" "\xb5\xff\xb6\xd6\x95\x76\xb3\xdd\x62\xb7\xda\xbd\xf6\x0b\xbb\xdd\xee\xb0" "\x3b\xed\x2e\xbb\xdb\xee\xf9\x35\xbe\xb2\x8f\xfd\xf6\x2b\x9b\x6d\xbf\xb6" "\x87\xed\xf7\xf6\xa0\xfd\xc6\x1e\xb2\x47\x6d\x8e\xfd\xee\xd7\xf8\xca\xfe" "\x8e\xda\x1f\xed\x31\xfb\x93\x3d\x6e\x4f\xd8\x93\xf6\x94\x3d\x6d\x7f\xb6" "\x67\xec\xd9\x5f\xf7\x7f\x65\xef\xa7\xec\x25\x7b\xd9\x7a\x2b\x08\x48\x92" "\x22\x4d\x01\xe5\xa1\xbc\x14\x43\xf9\x28\x3f\x5d\x47\xb1\x74\x3d\x15\xa0" "\x1b\x28\x42\x37\x52\x1c\xdd\x44\x05\xe9\x66\x2a\x44\x85\xa9\x08\x15\xa5" "\x78\x2a\x46\xc5\xc9\x10\x92\x25\xa2\x90\x4a\x50\x49\x8a\xd2\x2d\x54\x8a" "\x6e\xa5\x04\x2a\x4d\x65\xa8\x2c\x39\x2a\x47\x89\x74\x1b\x95\xa7\xdb\xa9" "\x02\xdd\x41\x15\xe9\x4e\xaa\x44\x77\x51\x65\xaa\x42\x55\xa9\x1a\xdd\x4d" "\xd5\xe9\x1e\xaa\x41\x35\xa9\x16\xdd\x4b\xb5\xa9\x0e\xd5\xa5\x7a\x74\x1f" "\xd5\xa7\xfb\xa9\x01\x3d\x40\x0d\xe9\x41\x6a\x44\x0f\x51\x63\x7a\x98\x9a" "\xd0\x23\xd4\x94\x1e\xa5\x66\xf4\x18\x35\xa7\xc7\xa9\x05\x3d\x41\x2d\xa9" "\x15\xb5\xa6\x36\xd4\x96\x9e\xa4\x76\xf4\x14\xb5\xa7\x0e\xd4\x91\x9e\xa6" "\x4e\xf4\x0c\x75\xa6\x67\x29\x89\x9e\xa3\x2e\xf4\x3c\x75\xa5\x17\xa8\x1b" "\xbd\x48\xdd\xe9\x25\xea\x41\x2f\x53\x4f\xea\x45\xbd\xe9\x15\xea\x43\xaf" "\x52\x5f\xea\x47\xc9\xd4\x9f\x06\xd0\x6b\x34\x90\x06\xd1\x60\x1a\x42\x43" "\xe9\x75\x1a\x46\x6f\xd0\x70\x7a\x93\x52\x68\x04\x8d\xa4\xb7\x68\x14\xbd" "\x4d\xa3\xe9\x1d\x1a\x43\x63\x69\x1c\xbd\x4b\xe3\x69\x02\x4d\xa4\x49\x34" "\x99\xa6\x50\x2a\xbd\x47\x53\xe9\x7d\x9a\x46\x1f\xd0\x74\x9a\x41\x33\x69" "\x16\xa5\xd1\x6c\x9a\x43\x1f\xd2\x5c\x9a\x47\xf3\xe9\x23\x5a\x40\x1f\xd3" "\x42\x5a\x44\x8b\x69\x09\xa5\xd3\x27\x94\x41\x4b\x29\x93\x3e\xa5\x65\xf4" "\x19\x65\xd1\x72\x5a\x41\x2b\x69\x15\xad\xa6\x35\xb4\x96\xd6\xd1\x7a\xda" "\x40\x1b\x69\x13\x6d\xa6\x2d\xb4\x95\xb6\xd1\xe7\xb4\x9d\x76\xd0\x4e\xda" "\x45\xbb\x69\x0f\xed\xa5\x2f\x68\x1f\x7d\x49\xfb\xe9\x2b\xca\xa6\xaf\xe9" "\x00\xfd\x85\x0e\xd2\x37\x74\x88\xbe\xa5\x1c\xfa\x8e\x0e\xd3\xf7\x74\x84" "\x7e\xa0\xa3\xf4\x23\x1d\xa3\x9f\xe8\x38\x9d\xa0\x93\x74\x8a\x4e\xd3\xcf" "\x74\x86\xce\xd2\x39\x3a\x4f\x17\xe8\x17\xba\x48\x97\xe8\x32\x79\x12\x21" "\x84\x32\x54\xa1\x0e\x83\x30\x4f\x98\x37\x8c\x09\xf3\x85\xf9\xc3\xeb\xc2" "\xd8\xf0\xfa\xb0\x40\x78\x43\x18\x09\x6f\x0c\xe3\xc2\x9b\xc2\x82\xe1\xcd" "\x61\xa1\xb0\x70\x58\x24\x2c\x1a\xc6\x87\xc5\xc2\xe2\xa1\x09\x31\xb4\x21" "\x85\x61\x58\x22\x2c\x19\x46\xc3\x5b\xc2\x52\xe1\xad\x61\x42\x58\x3a\x2c" "\x13\x96\x0d\x5d\x58\x2e\x4c\x0c\x6f\x0b\xcb\x87\xb7\x87\x15\xc2\x3b\xc2" "\x8a\xe1\x9d\x61\xa5\xf0\xae\xb0\x72\x58\x25\x7c\xfc\xc1\x6a\xe1\xdd\x61" "\xf5\xf0\x9e\xb0\x46\x58\x33\xac\x15\xde\x1b\xd6\x0e\xeb\x84\x75\xc3\x7a" "\xe1\x7d\x61\xfd\xf0\xfe\xb0\x41\xf8\x40\xd8\x30\x7c\x30\xac\x10\x3e\x14" "\x36\x0e\x1f\x0e\x9b\x84\x8f\x84\x4d\xc3\x47\xc3\x66\xe1\x63\x61\xf3\xf0" "\xf1\xb0\x45\xf8\x44\xd8\x32\x6c\x15\xb6\x0e\xdb\x84\x6d\xc3\x27\xc3\x76" "\xe1\x53\x61\xfb\xb0\x43\xd8\x31\x7c\x3a\xec\x14\x3e\x13\x76\x0e\x9f\x0d" "\x93\xc2\xe7\xc2\x2e\xe1\xf3\x7f\x78\x3c\x39\xec\x1f\x0e\x08\x5f\x0b\x5f" "\x0b\xbd\x7f\x40\x2d\x8e\x2e\x89\xa6\x47\x3f\x89\x66\x44\x97\x46\x33\xa3" "\x9f\x46\x97\x45\x3f\x8b\x66\x45\x97\x47\x57\x44\x57\x46\x57\x45\x57\x47" "\xd7\x44\xd7\x46\xd7\x45\xd7\x47\x37\x44\x37\x46\x37\x45\x37\x47\xb7\x44" "\xb7\x46\xbd\xaf\x97\x57\x38\x70\xd2\x29\xa7\x5d\xe0\xf2\xb8\xbc\x2e\xc6" "\xe5\x73\xf9\xdd\x75\x2e\xd6\x5d\xef\x0a\xb8\x1b\x5c\xc4\xdd\xe8\xe2\xdc" "\x4d\xae\xa0\xbb\xd9\x15\x72\x85\x5d\x11\x57\xd4\xc5\xbb\x62\xae\xb8\x33" "\x0e\x9d\x75\xe4\x42\x57\xc2\x95\x74\x51\x77\x8b\x2b\xe5\x6e\x75\x09\xae" "\xb4\x2b\xe3\xca\x3a\xe7\xca\xb9\x44\xd7\xc6\xb5\x75\x6d\x5d\x3b\xf7\x94" "\x6b\xef\x3a\xb8\x8e\xee\x69\xf7\xb4\x7b\xc6\xfd\xed\x0b\x3d\x5d\xdc\xf3" "\xae\xab\x7b\xc1\x75\x73\x2f\xba\xee\xee\x25\xf7\x92\x7b\xd9\xf5\x74\xbd" "\x5c\x6f\xf7\x8a\xeb\xe3\x5e\x75\x7d\x5d\x3f\x97\xec\x92\xdd\x00\x37\xc0" "\x0d\x74\x03\xdd\x60\x37\xd8\x0d\x75\x43\xdd\x30\x37\xcc\x0d\x77\xc3\x5d" "\x8a\x4b\x71\x23\xdd\x48\x37\xca\x8d\x72\xa3\xdd\x68\x37\xc6\x8d\x71\xe3" "\xdc\x38\x37\xde\x8d\x77\x13\xdd\x44\x37\xd9\x4d\x76\xa9\x2e\xd5\x4d\x75" "\x53\xdd\x34\x37\xcd\x4d\x77\xd3\xdd\x4c\x37\xd3\xa5\xb9\x34\x37\xc7\xcd" "\x71\x73\xdd\x5c\x37\xdf\xcd\x77\x0b\x12\x16\xb8\x85\x6e\xa1\x5b\xec\x16" "\xbb\x74\x97\xee\x32\x5c\x86\xcb\x74\x99\x6e\x99\x5b\xe6\xb2\x5c\x96\x5b" "\xe1\x56\xb8\x55\x6e\x95\x5b\xe3\xd6\xb8\x75\x6e\x9d\xdb\xe0\x36\xb8\x4d" "\x6e\x93\xdb\xe2\xb6\xb8\x6d\x6e\x9b\xdb\xee\xb6\xbb\x9d\x6e\xa7\xdb\xed" "\x76\xbb\xbd\x6e\xaf\xdb\xe7\xf6\xb9\xfd\x6e\xbf\xcb\x76\xd9\xee\x80\x3b" "\xe0\x0e\xba\x83\xee\x90\xfb\xd6\xe5\xb8\xef\xdc\x61\xf7\xbd\x3b\xe2\x7e" "\x70\x47\xdd\x8f\xee\x98\xfb\xc9\x1d\x77\x27\xdc\x49\x77\xca\x9d\x76\x3f" "\xbb\x33\xee\xac\x3b\xe7\xce\xbb\x0b\xee\x17\x77\xd1\x5d\x72\x97\x9d\x77" "\xa9\x91\xf7\x22\x53\x23\xef\x47\xa6\x45\x3e\x88\x4c\x8f\xcc\x88\xcc\x8c" "\xcc\x8a\xa4\x45\x66\x47\xe6\x44\x3e\x8c\xcc\x8d\xcc\x8b\xcc\x8f\x7c\x14" "\x59\x10\xf9\x38\xb2\x30\xb2\x28\xb2\x38\xb2\x24\x92\x1e\xf9\x24\x92\x11" "\x59\x1a\xc9\x8c\x7c\x1a\x59\x16\xf9\x2c\x92\x15\x59\x1e\x59\x11\x59\x19" "\x59\x15\x59\x1d\xf1\xbe\xd8\xf6\xd0\x97\xf0\x25\x7d\xd4\xdf\xe2\x4b\xf9" "\x5b\x7d\x82\x2f\xed\xcb\xf8\xb2\xde\xf9\x72\x3e\xd1\xdf\xe6\xcb\xfb\xdb" "\x7d\x05\x7f\x87\xaf\xe8\xef\xf4\x95\xfc\x5d\xbe\xb2\xaf\xe2\xab\xfa\x27" "\x7c\x4b\xdf\xca\xb7\xf6\x6d\x7c\x5b\xff\xa4\x6f\xe7\x9f\xf2\xed\x7d\x07" "\xdf\xd1\x3f\xed\x3b\xf9\x67\x7c\x67\xff\xac\x4f\xf2\xcf\xf9\x2e\xfe\x79" "\xdf\xd5\xbf\xe0\xbb\xf9\x17\x7d\x77\xff\x92\xef\xe1\x5f\xf6\x3d\x7d\x2f" "\xdf\xdb\xbf\xe2\xfb\xf8\x57\x7d\x5f\xdf\xcf\x27\xfb\xfe\x7e\x80\x7f\xcd" "\x0f\xf4\x83\xfc\x60\x3f\xc4\x0f\xf5\xaf\xfb\x61\xfe\x0d\x3f\xdc\xbf\xe9" "\x53\xfc\x08\x3f\xd2\xbf\xe5\x47\xf9\xb7\xfd\x68\xff\x8e\x1f\xe3\xc7\xfa" "\x71\xfe\x5d\x3f\xde\x4f\xf0\x13\xfd\x24\x3f\xd9\x4f\xf1\xa9\xfe\x3d\x3f" "\xd5\xbf\xef\xa7\xf9\x0f\xfc\x74\x3f\xc3\xcf\xf4\xb3\x7c\x9a\x9f\xed\xe7" "\xf8\x0f\xfd\x5c\x3f\xcf\xcf\xf7\x1f\xf9\x05\xfe\x63\xbf\xd0\x2f\xf2\x8b" "\xfd\x12\x9f\xee\x3f\xf1\x19\x7e\xa9\xcf\xf4\x9f\xfa\x65\xfe\x33\x9f\xe5" "\x97\xfb\x15\x7e\xa5\x5f\xe5\x57\xfb\x35\x7e\xad\x5f\xe7\xd7\xfb\x0d\x7e" "\xa3\xdf\xe4\x37\xfb\x2d\x7e\xab\xdf\xe6\x3f\xf7\xdb\xfd\x0e\xbf\xd3\xef" "\xf2\xbb\xfd\x1e\xbf\xd7\x7f\xe1\xf7\xf9\x2f\xfd\x7e\xff\x95\xcf\xf6\x5f" "\xfb\x03\xfe\x2f\xfe\xa0\xff\xc6\x1f\xf2\xdf\xfa\x1c\xff\x9d\x3f\xec\xbf" "\xf7\x47\xfc\x0f\xfe\xa8\xff\xd1\x1f\xf3\x3f\xf9\xe3\xfe\x84\x3f\xe9\x4f" "\xf9\xd3\xfe\x67\x7f\xc6\x9f\xf5\xe7\xfc\x79\x7f\xc1\xff\xe2\x2f\xfa\x4b" "\xfe\xb2\xf7\xfe\x1a\x3d\x40\x67\x8c\x31\xc6\x18\xfb\xff\x8a\xfa\x83\xe3" "\xfd\xff\x36\xd1\x57\xff\x4d\xfe\x36\xae\x18\x20\x84\xb8\x7e\x47\xd1\x9c" "\x7f\x5f\x73\x53\xa1\xbf\xce\x07\xc9\xf8\x4e\x11\x21\xc4\x73\xfd\x7a\x3c" "\xfa\xb7\x51\xbb\x76\x72\x72\xf2\x6f\xef\xcd\x52\x22\x28\xb9\x48\x08\x11" "\xb9\x9a\x9f\x47\x5c\x8d\x97\x8b\x8e\xe2\x19\x91\x24\x3a\x88\xf2\xff\xe1" "\xfa\x06\xc9\x5e\x17\xe8\x0f\xea\x47\xef\x14\x22\xff\xdf\xe5\xc4\x88\xab" "\xf1\xd5\xfa\xb7\xff\x93\xfa\x4f\x3e\x3d\x2e\xa3\x52\x78\x2e\xee\x3f\xa9" "\xbf\x48\x88\x84\x92\x57\x73\xf2\x89\xab\xf1\xd5\xfa\x15\xfe\x49\xfd\xc2" "\xed\xfe\x60\xfd\xf9\xbe\x49\x15\xa2\xfd\xdf\xe5\xc4\x8a\xab\xf1\xd5\xfa" "\x89\xe2\x29\xf1\xbc\x48\xfa\x87\x77\x32\xc6\x18\x63\x8c\x31\xc6\x18\x63" "\x7f\x35\x48\x56\xed\xf6\x47\xf7\xcf\x57\xee\xcf\xe3\xff\xee\xfe\x3f\xaf" "\xb8\x1a\xff\xd1\xfd\x39\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\xae\xbd\x17" "\x7b\xf5\x7e\xf6\xc9\xa4\xa4\x0e\xdd\x78\xc2\x13\x9e\xf0\xe4\xdf\x26\xd7" "\xfa\x37\x13\x63\x8c\x31\xc6\x18\x63\xec\xcf\x76\xf5\xa2\xff\x5a\xaf\x84" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\xcb\xbd\xfe\x6f\xfc\x39\xb1\x6b\xbd\x47\xc6\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\xc6\x18\x63\xec\x5a\xfb\x5f\x01\x00\x00\xff\xff\x5d\xf0\x32" "\xf5", 5365); syz_mount_image( /*fs=*/0x200000c0, /*dir=*/0x20001540, /*flags=MS_NOEXEC|MS_NODIRATIME|MS_NODEV|MS_MANDLOCK|0x20000000*/ 0x2000084c, /*opts=*/0x20000200, /*chdir=*/1, /*size=*/0x14f5, /*img=*/0x200035c0); memcpy((void*)0x200001c0, "./file0\000", 8); memcpy((void*)0x20000580, "debugfs\000", 8); syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x200001c0ul, /*type=*/0x20000580ul, /*flags=*/0ul, /*data=*/0ul); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); use_temporary_dir(); loop(); return 0; }