// https://syzkaller.appspot.com/bug?id=da7fcbd38e8a38be1f09949ab54ba23e1249dd8a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// First part of the reproducer's support code: temp-dir and /proc write
// helpers, a minimal rtnetlink/genetlink message builder, and the TAP
// interface setup. Everything here acts on host-wide state (network
// interfaces, sysctls, shell commands), not only on the temporary directory.

#define _GNU_SOURCE

// NOTE(review): every #include below has lost its header name on this page
// (the <...> part is missing), so the listing does not compile as shown.
// Restore the header list from the original reproducer before building.
#include #include #include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include #include #include
#include #include #include #include #include #include #include #include #include #include
#include #include #include #include

// Fallback syscall number for memfd_create when the libc headers lack it.
// NOTE(review): 319 is the x86-64 number; other architectures differ.
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

// Index used by syz_mount_image() to pick /dev/loop<procid>. Nothing in this
// part of the file assigns it, so it keeps its zero initial value here.
static unsigned long long procid;

// Creates ./syzkaller.XXXXXX, makes it world-accessible (0777) and chdir()s
// into it. Any failure terminates the process with exit status 1.
static void use_temporary_dir(void)
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    exit(1);
  if (chmod(tmpdir, 0777))
    exit(1);
  if (chdir(tmpdir))
    exit(1);
}

// Formats `what` printf-style into a 1024-byte buffer and writes it to `file`.
// The file is opened without O_CREAT, so only existing paths (the /proc and
// binfmt_misc entries used in this file) can be written.
// Returns true on a complete write; on a short or failed write returns false
// with errno preserved across close().
// `what` is a format string: every call visible in this file passes a
// constant, and it must stay that way.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  // Output longer than the buffer is silently truncated.
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Scratch buffer for building one netlink request and receiving its reply.
struct nlmsg {
  char* pos; // write cursor inside buf
  int nesting; // must be 0 when the message is sent (see netlink_send_ext)
  struct nlattr* nested[8]; // not used by the helpers visible in this part
  char buf[4096]; // request bytes; overwritten by the reply on recv()
};

// Resets `nlmsg` and starts a request of type `typ`: writes the nlmsghdr
// (NLM_F_REQUEST | NLM_F_ACK | flags), copies `size` bytes of family header
// from `data` after it, and leaves the cursor at the aligned end.
// NOTE(review): `size` is not checked against sizeof(buf); callers in this
// file pass small fixed-size structs.
static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size)
{
  memset(nlmsg, 0, sizeof(*nlmsg));
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_type = typ;
  hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
  memcpy(hdr + 1, data, size);
  nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size);
}

// Appends one attribute (type `typ`, `size` payload bytes) at the cursor.
// NOTE(review): there is no bounds check before the write. An overrun of buf
// is only noticed afterwards, by the pos check in netlink_send_ext(), when
// the memory past buf has already been written.
static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size)
{
  struct nlattr* attr = (struct nlattr*)nlmsg->pos;
  attr->nla_len = sizeof(*attr) + size;
  attr->nla_type = typ;
  if (size > 0)
    memcpy(attr + 1, data, size);
  nlmsg->pos += NLMSG_ALIGN(attr->nla_len);
}

// Sends the built message on `sock` and reads one reply into the same buffer.
//
// reply_type/reply_len: when reply_len is non-NULL and the reply has type
//   reply_type, *reply_len receives the reply size and 0 is returned.
// dofail: when true, send/recv failures and malformed replies call exit(1)
//   instead of returning -1.
// Returns 0 for NLMSG_DONE or an ACK (error field 0); for an NLMSG_ERROR
// reply returns the negative error code with errno set to its positive value.
// That last path does not consult dofail, so kernel-reported errors always
// come back to the caller.
static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail)
{
  // Refuse to send if the cursor ran past the buffer or nesting is open.
  if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting)
    exit(1);
  struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf;
  hdr->nlmsg_len = nlmsg->pos - nlmsg->buf;
  struct sockaddr_nl addr;
  memset(&addr, 0, sizeof(addr));
  addr.nl_family = AF_NETLINK;
  ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
  if (n != (ssize_t)hdr->nlmsg_len) {
    if (dofail)
      exit(1);
    return -1;
  }
  // The reply overwrites the request; hdr now points at the reply header.
  n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  if (reply_len)
    *reply_len = 0;
  if (n < 0) {
    if (dofail)
      exit(1);
    return -1;
  }
  if (n < (ssize_t)sizeof(struct nlmsghdr)) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type == NLMSG_DONE)
    return 0;
  if (reply_len && hdr->nlmsg_type == reply_type) {
    *reply_len = n;
    return 0;
  }
  // Anything else must be a full NLMSG_ERROR record.
  if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  if (hdr->nlmsg_type != NLMSG_ERROR) {
    errno = EINVAL;
    if (dofail)
      exit(1);
    return -1;
  }
  errno = -((struct nlmsgerr*)(hdr + 1))->error;
  return -errno;
}

// netlink_send_ext() with no typed reply expected and dofail enabled.
static int netlink_send(struct nlmsg* nlmsg, int sock)
{
  return netlink_send_ext(nlmsg, sock, 0, NULL, true);
}

// Asks the generic-netlink controller for the numeric id of `family_name`.
// Returns the id, or -1 (errno EINVAL when the reply holds no id attribute).
// No caller is visible in this part of the file.
static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail)
{
  struct genlmsghdr genlhdr;
  memset(&genlhdr, 0, sizeof(genlhdr));
  genlhdr.cmd = CTRL_CMD_GETFAMILY;
  netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr));
  netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1);
  int n = 0;
  int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail);
  if (err < 0) {
    return -1;
  }
  uint16_t id = 0;
  struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr)));
  // NOTE(review): the walk trusts nla_len from the reply. Only the start of
  // each attribute is bounded by n, and an nla_len of 0 would never advance.
  // Acceptable while the peer is the kernel; not a pattern to reuse on data
  // from another process.
  for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) {
    if (attr->nla_type == CTRL_ATTR_FAMILY_ID) {
      id = *(uint16_t*)(attr + 1);
      break;
    }
  }
  if (!id) {
    errno = EINVAL;
    return -1;
  }
  // Presumably drains the ACK that follows the reply; the result is ignored.
  recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0);
  return id;
}

// Sends RTM_NEWLINK for interface `name`: optionally brings it up, renames
// it, attaches it to `master`, and sets its MAC address (`macsize` bytes).
// A kernel-reported error is deliberately ignored (empty branch at the end).
static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name)
{
  struct ifinfomsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  if (up)
    hdr.ifi_flags = hdr.ifi_change = IFF_UP;
  hdr.ifi_index = if_nametoindex(name);
  netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr));
  if (new_name)
    netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name));
  if (master) {
    int ifindex = if_nametoindex(master);
    netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
  }
  if (macsize)
    netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
  int err = netlink_send(nlmsg, sock);
  if (err < 0) {
  }
}

// Adds (or replaces) an address on `dev` via RTM_NEWADDR. addrsize 4 selects
// IPv4 with a /24 prefix; any other size is treated as IPv6 with /120.
// Returns the netlink_send() result.
static int netlink_add_addr(struct nlmsg* nlmsg, int sock, const char* dev, const void* addr, int addrsize)
{
  struct ifaddrmsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ifa_family = addrsize == 4 ? AF_INET : AF_INET6;
  hdr.ifa_prefixlen = addrsize == 4 ? 24 : 120;
  hdr.ifa_scope = RT_SCOPE_UNIVERSE;
  hdr.ifa_index = if_nametoindex(dev);
  netlink_init(nlmsg, RTM_NEWADDR, NLM_F_CREATE | NLM_F_REPLACE, &hdr, sizeof(hdr));
  netlink_attr(nlmsg, IFA_LOCAL, addr, addrsize);
  netlink_attr(nlmsg, IFA_ADDRESS, addr, addrsize);
  return netlink_send(nlmsg, sock);
}

// Parses the textual IPv4 address and adds it to `dev`. The inet_pton()
// result is not checked and a netlink error is ignored.
static void netlink_add_addr4(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr)
{
  struct in_addr in_addr;
  inet_pton(AF_INET, addr, &in_addr);
  int err = netlink_add_addr(nlmsg, sock, dev, &in_addr, sizeof(in_addr));
  if (err < 0) {
  }
}

// IPv6 counterpart of netlink_add_addr4(); same unchecked/ignored results.
static void netlink_add_addr6(struct nlmsg* nlmsg, int sock, const char* dev, const char* addr)
{
  struct in6_addr in6_addr;
  inet_pton(AF_INET6, addr, &in6_addr);
  int err = netlink_add_addr(nlmsg, sock, dev, &in6_addr, sizeof(in6_addr));
  if (err < 0) {
  }
}

// Installs a permanent neighbour entry (addr -> mac) on interface `name` via
// RTM_NEWNEIGH. NLM_F_EXCL makes the request fail if the entry exists; that
// error, like any other, is ignored.
static void netlink_add_neigh(struct nlmsg* nlmsg, int sock, const char* name, const void* addr, int addrsize, const void* mac, int macsize)
{
  struct ndmsg hdr;
  memset(&hdr, 0, sizeof(hdr));
  hdr.ndm_family = addrsize == 4 ? AF_INET : AF_INET6;
  hdr.ndm_ifindex = if_nametoindex(name);
  hdr.ndm_state = NUD_PERMANENT;
  netlink_init(nlmsg, RTM_NEWNEIGH, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr));
  netlink_attr(nlmsg, NDA_DST, addr, addrsize);
  netlink_attr(nlmsg, NDA_LLADDR, mac, macsize);
  int err = netlink_send(nlmsg, sock);
  if (err < 0) {
  }
}

// Shared request buffer used by initialize_tun().
static struct nlmsg nlmsg;

// fd of the TAP device, or -1 when /dev/net/tun could not be opened.
static int tunfd = -1;

// Fixed name, MAC and IP addresses of the test interface and its fake peer.
#define TUN_IFACE "syz_tun"
#define LOCAL_MAC 0xaaaaaaaaaaaa
#define REMOTE_MAC 0xaaaaaaaaaabb
#define LOCAL_IPV4 "172.20.20.170"
#define REMOTE_IPV4 "172.20.20.187"
#define LOCAL_IPV6 "fe80::aa"
#define REMOTE_IPV6 "fe80::bb"

// Not referenced by the code visible in this part of the file.
#define IFF_NAPI 0x0010

// Creates the "syz_tun" TAP interface and configures it: moves the device fd
// to 200, turns off IPv6 DAD and router solicitations for the interface,
// assigns the local IPv4/IPv6 addresses, installs permanent neighbour entries
// for the remote addresses, then sets the local MAC and brings the link up.
// A missing /dev/net/tun is reported and tolerated; dup2/TUNSETIFF/socket
// failures call exit(1). Results of the netlink steps are not checked.
static void initialize_tun(void)
{
  tunfd = open("/dev/net/tun", O_RDWR | O_NONBLOCK);
  if (tunfd == -1) {
    printf("tun: can't open /dev/net/tun: please enable CONFIG_TUN=y\n");
    printf("otherwise fuzzing or reproducing might not work as intended\n");
    return;
  }
  // Park the fd at a fixed high number; close_fds() only closes 3..MAX_FDS-1.
  const int kTunFd = 200;
  if (dup2(tunfd, kTunFd) < 0)
    exit(1);
  close(tunfd);
  tunfd = kTunFd;
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
  // TUN_IFACE is a short constant, so strncpy's missing-terminator case
  // cannot occur here (ifr was zeroed above).
  strncpy(ifr.ifr_name, TUN_IFACE, IFNAMSIZ);
  ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
  if (ioctl(tunfd, TUNSETIFF, (void*)&ifr) < 0) {
    exit(1);
  }
  // Both paths are built from constants and fit in 64 bytes.
  char sysctl[64];
  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/accept_dad", TUN_IFACE);
  write_file(sysctl, "0");
  sprintf(sysctl, "/proc/sys/net/ipv6/conf/%s/router_solicitations", TUN_IFACE);
  write_file(sysctl, "0");
  int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock == -1)
    exit(1);
  netlink_add_addr4(&nlmsg, sock, TUN_IFACE, LOCAL_IPV4);
  netlink_add_addr6(&nlmsg, sock, TUN_IFACE, LOCAL_IPV6);
  // NOTE(review): the MAC is taken as the first ETH_ALEN bytes of a uint64_t,
  // so the byte order on the wire depends on host endianness.
  uint64_t macaddr = REMOTE_MAC;
  struct in_addr in_addr;
  inet_pton(AF_INET, REMOTE_IPV4, &in_addr);
  netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in_addr, sizeof(in_addr), &macaddr, ETH_ALEN);
  struct in6_addr in6_addr;
  inet_pton(AF_INET6, REMOTE_IPV6, &in6_addr);
  netlink_add_neigh(&nlmsg, sock, TUN_IFACE, &in6_addr, sizeof(in6_addr), &macaddr, ETH_ALEN);
  macaddr = LOCAL_MAC;
  netlink_device_change(&nlmsg, sock, TUN_IFACE, true, 0, &macaddr, ETH_ALEN, NULL);
  close(sock);
}

// Runs `cmdline` through system() (i.e. via the shell) and returns its
// status unchanged. The only caller visible in this file, setup_swap(),
// passes a command built from a compile-time constant; this helper must not
// be handed strings that contain externally supplied data.
static int runcmdline(char* cmdline)
{
  int ret = system(cmdline);
  if (ret) {
  }
  return ret;
}

// Upper bound (exclusive) of the descriptor range closed by close_fds().
#define MAX_FDS 30

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

// Deflate limits: longest code length, number of literal/length and distance
// codes, and the size of the fixed literal/length table.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state: output window, input window and the bit accumulator.
struct puff_state {
  unsigned char* out; // output buffer
  unsigned long outlen; // capacity of out
  unsigned long outcnt; // bytes produced so far
  const unsigned char* in; // compressed input
  unsigned long inlen; // bytes available in in
  unsigned long incnt; // bytes consumed so far
  int bitbuf; // bits read from input but not yet used
  int bitcnt; // number of valid bits in bitbuf
  jmp_buf env; // longjmp target used when the input runs out
};

// Returns the next `need` bits of input, least-significant bit first.
// Running out of input does not return: it longjmp()s to s->env with value 1.
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}

// Handles a stored (uncompressed) block.
// Returns 0 on success, 2 if the input is too short, 1 if the output would
// overflow, -2 if the length and its one's complement disagree.
static int puff_stored(struct puff_state* s)
{
  // Stored blocks start on a byte boundary: discard leftover bits.
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  // Both windows are checked before any byte is copied.
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  for (; len--; s->outcnt++, s->incnt++) {
    // Zero bytes are skipped, not stored: this is only correct when the
    // output buffer starts zero-filled, as the fresh MAP_ANON mapping made by
    // puff_zlib_to_file() does. Presumably done to avoid touching pages that
    // stay all-zero.
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}

// Canonical Huffman table: count[len] is the number of codes of each length,
// symbol[] lists the symbols ordered by code.
struct puff_huffman {
  short* count;
  short* symbol;
};

// Decodes one symbol using table `h`, consuming input one bit at a time.
// Returns the symbol, or -10 if no code of up to MAXBITS bits matches.
// Running out of input longjmp()s to s->env instead of returning.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        // Code of length `len` found: commit the bit position and return.
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    // Bit buffer exhausted: stop at MAXBITS, otherwise load another byte.
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}

// Builds the decoding table `h` from `n` code lengths.
// Returns 0 for a complete code (or when every length is zero), a negative
// value for an over-subscribed code, and a positive value for an incomplete
// one. Callers must provide h->count with MAXBITS + 1 entries and h->symbol
// with room for n entries; every length must be in 0..MAXBITS.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  if (h->count[0] == n)
    return 0;
  // `left` tracks unused code space; going negative means over-subscription.
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  // offs[len] = index in symbol[] of the first symbol with that length.
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}

// Decodes literal/length and distance codes until the end-of-block symbol
// (256). Returns 0 at end of block, 1 when the output is full, -10 for an
// invalid length symbol, -11 for a distance reaching before the start of the
// output, or a negative code propagated from puff_decode().
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode)
{
  // Base values and extra-bit counts for length symbols 257..285 and for
  // distance symbols 0..29.
  static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {
      1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte. A zero literal only advances the cursor (the output is
      // assumed to be zero-filled already, see puff_stored()).
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      // Both the back-reference and the copy length are validated before the
      // copy loop writes anything.
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      while (len--) {
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}

// Decodes a block that uses the fixed Huffman codes. The tables are built on
// the first call and cached in function-local statics; the `virgin` guard has
// no synchronization, so concurrent first calls are not protected.
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    // Fixed literal/length code lengths: 8, 9, 7, 8 bits by symbol range.
    short lengths[FIXLCODES];
    int symbol;
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    // Every fixed distance code is 5 bits long.
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}

// Decodes a block with dynamic Huffman codes: reads the code-length code,
// uses it to read the literal/length and distance code lengths, builds both
// tables and hands over to puff_codes().
// Error returns: -3 too many length or distance codes, -4 code-length code
// incomplete, -5 repeat with no previous length, -6 repeat runs past the
// table, -9 no end-of-block code, -7 / -8 invalid literal-length / distance
// code set; negative puff_decode() results are passed through.
static int puff_dynamic(struct puff_state* s)
{
  // Order in which the code-length code lengths appear in the stream.
  static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  // Bound the counts before they are used to index lengths[] and the tables.
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      // 16 repeats the previous length, 17 and 18 repeat zero.
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      // Reject a run that would write past the declared number of lengths.
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  if (lengths[256] == 0)
    return -9;
  // An incomplete code is tolerated only when it has a single used code.
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}

// Inflates the raw deflate stream `source` into `dest`.
// On entry *destlen is the capacity of dest; on return it is the number of
// output bytes produced, also when an error is returned.
// Returns 0 on success, 2 when the input ends early (longjmp path), 1 when
// the output is full, -1 for the reserved block type 3, or a negative code
// from the block decoders.
static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  // puff_bits()/puff_decode() jump back here when the input is exhausted.
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}

//% END CODE DERIVED FROM puff.{c,h}

// Number of zlib header bytes skipped before the deflate stream.
#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib-wrapped buffer and writes the result to dest_fd.
// The two header bytes are skipped without being validated, and nothing
// after the final deflate block (the zlib checksum trailer) is read or
// verified, so a corrupted image is not detected here.
// Output is capped at 132 MiB by the size of the scratch mapping.
// Returns 0 on success (also for input shorter than the header, in which
// case nothing is written) and -1 on failure.
static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  const unsigned long max_destlen = 132 << 20;
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    // NOTE(review): puff() also returns the positive codes 1 and 2, for which
    // this stores a negative value in errno.
    errno = -err;
    return -1;
  }
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  // NOTE(review): this unmaps only the decompressed length, not max_destlen
  // as the error paths do. The rest of the 132 MiB mapping stays mapped, and
  // an empty result (destlen == 0) makes munmap() fail, turning a successful
  // decompression into a -1 return.
  return munmap(dest, destlen);
}

// Decompresses the image into a memfd and attaches it to loop device
// `loopname`. On success stores the loop fd in *loopfd_p and returns 0; on
// failure returns -1 with errno set to the first error seen.
// If the device is busy, the existing backing file is detached with
// LOOP_CLR_FD and the attach is retried once after 1 ms; whatever was
// attached to that loop device before is dropped.
static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  // The loop device now references the file; our memfd is no longer needed.
  close(memfd);
  *loopfd_p = loopfd;
  return 0;
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

// Mounts a filesystem image. All arguments arrive as integers and are cast
// to pointers: fsarg (filesystem type), dir (mount point), optsarg (option
// string), image (compressed image of `size` bytes). A non-zero size means
// the image is decompressed and attached to /dev/loop<procid> first.
// Returns the fd of the opened mount point, or the chdir() result when
// change_dir is set, or -1 with errno set on failure.
// NOTE(review): none of the pointer arguments is checked for NULL before
// strlen/strcmp; the caller must pass valid addresses.
static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, loopfd = -1, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    source = loopname;
  }
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  // Empty branch: over-long option strings are not reported, only truncated
  // by the strncpy below.
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  // At most sizeof(opts) - 32 bytes are copied into the zeroed buffer, which
  // keeps the string terminated and leaves 32 bytes for the single suffix
  // appended with strcat() further down.
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Force errors=continue unless errors=remount-ro is present as a whole
    // option (delimited by ',' or the string ends) and errors=panic is absent.
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ','));
    }
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    // NOTE(review): res held the directory fd; it is overwritten here, so
    // that fd is neither returned nor closed.
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }
  // Reached on success as well as on error (fall-through into the label).
error_clear_loop:
  if (need_loop_device) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
  errno = err;
  return res;
}

// Best-effort mount of fusectl; a failure is ignored.
static void setup_common()
{
  if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
  }
}

// Best-effort creation and mount of /dev/binderfs; failures are ignored.
static void setup_binderfs()
{
  if (mkdir("/dev/binderfs", 0777)) {
  }
  if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
  }
}

// Defined after the helper section; runs the recorded syscall sequence.
static void loop();

// Common confinement for the test process: die with the parent, new session,
// resource limits, new mount/IPC/UTS namespaces, and SysV IPC sysctl values.
// Every step is best-effort; no return value is checked.
static void sandbox_common()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setsid();
  // Limits: 200 MiB address space, 32 MiB locked memory, 136 MiB file size,
  // 1 MiB stack, 128 MiB core dumps, 256 open files.
  struct rlimit rlim;
  rlim.rlim_cur = rlim.rlim_max = (200 << 20);
  setrlimit(RLIMIT_AS, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 32 << 20;
  setrlimit(RLIMIT_MEMLOCK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 136 << 20;
  setrlimit(RLIMIT_FSIZE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 1 << 20;
  setrlimit(RLIMIT_STACK, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 128 << 20;
  setrlimit(RLIMIT_CORE, &rlim);
  rlim.rlim_cur = rlim.rlim_max = 256;
  setrlimit(RLIMIT_NOFILE, &rlim);
  if (unshare(CLONE_NEWNS)) {
  }
  // Make all mounts private so later mounts do not propagate to the parent
  // mount namespace.
  if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
  }
  if (unshare(CLONE_NEWIPC)) {
  }
  // 0x02000000 is CLONE_NEWCGROUP, spelled numerically for older headers.
  if (unshare(0x02000000)) {
  }
  if (unshare(CLONE_NEWUTS)) {
  }
  if (unshare(CLONE_SYSVSEM)) {
  }
  typedef struct {
    const char* name;
    const char* value;
  } sysctl_t;
  static const sysctl_t sysctls[] = {
      {"/proc/sys/kernel/shmmax", "16777216"},
      {"/proc/sys/kernel/shmall", "536870912"},
      {"/proc/sys/kernel/shmmni", "1024"},
      {"/proc/sys/kernel/msgmax", "8192"},
      {"/proc/sys/kernel/msgmni", "1024"},
      {"/proc/sys/kernel/msgmnb", "1024"},
      {"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
  };
  unsigned i;
  for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
    write_file(sysctls[i].name, sysctls[i].value);
}

// Reaps children until `pid` has been collected and returns its exit status.
// A negative pid (failed fork) terminates the process.
// NOTE(review): WEXITSTATUS is applied without WIFEXITED, so a child killed
// by a signal is reported as if it had exited normally.
static int wait_for_loop(int pid)
{
  if (pid < 0)
    exit(1);
  int status = 0;
  while (waitpid(-1, &status, __WALL) != pid) {
  }
  return WEXITSTATUS(status);
}

// Removes CAP_SYS_PTRACE and CAP_SYS_NICE from the effective, permitted and
// inheritable sets of the current process; all other capabilities are kept.
// Exits if capget/capset fails.
static void drop_caps(void)
{
  struct __user_cap_header_struct cap_hdr = {};
  struct __user_cap_data_struct cap_data[2] = {};
  cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
  cap_hdr.pid = getpid();
  if (syscall(SYS_capget, &cap_hdr, &cap_data))
    exit(1);
  const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
  cap_data[0].effective &= ~drop;
  cap_data[0].permitted &= ~drop;
  cap_data[0].inheritable &= ~drop;
  if (syscall(SYS_capset, &cap_hdr, &cap_data))
    exit(1);
}

// "none" sandbox: forks a child in a new PID namespace that applies the
// common setup, drops the two capabilities, enters a new network namespace,
// creates the TAP interface and runs loop(). The parent waits and returns
// the child's exit status. The child keeps its remaining privileges; the
// namespaces and rlimits are the only confinement applied here.
static int do_sandbox_none(void)
{
  if (unshare(CLONE_NEWPID)) {
  }
  int pid = fork();
  if (pid != 0)
    return wait_for_loop(pid);
  setup_common();
  sandbox_common();
  drop_caps();
  if (unshare(CLONE_NEWNET)) {
  }
  write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
  initialize_tun();
  setup_binderfs();
  loop();
  // loop() returning is treated as a failure of the child.
  exit(1);
}

// Closes descriptors 3 .. MAX_FDS-1; the TAP fd at 200 is outside the range.
static void close_fds()
{
  for (int fd = 3; fd < MAX_FDS; fd++)
    close(fd);
}

// Mounts binfmt_misc (best-effort) and registers two magic-byte handlers,
// syz0 and syz1, that both use ./file0 as interpreter. Registration is
// system-wide for that binfmt_misc instance.
static void setup_binfmt_misc()
{
  if (mount(0, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, 0)) {
  }
  write_file("/proc/sys/fs/binfmt_misc/register", ":syz0:M:0:\x01::./file0:");
  write_file("/proc/sys/fs/binfmt_misc/register", ":syz1:M:1:\x02::./file0:POC");
}

#define SWAP_FILE "./swap-file"
#define SWAP_FILE_SIZE (128 * 1000 * 1000)

// Recreates ./swap-file (mode 0600, 128 * 10^6 bytes), formats it with
// mkswap and enables it as swap. Exits on open or mkswap failure.
static void setup_swap()
{
  swapoff(SWAP_FILE);
  unlink(SWAP_FILE);
  int fd = open(SWAP_FILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
  if (fd == -1) {
    exit(1);
    return;
  }
  // The fallocate() result is not checked.
  fallocate(fd, FALLOC_FL_ZERO_RANGE, 0, SWAP_FILE_SIZE);
  close(fd);
  // Built from a constant only, so the shell command line has a fixed shape.
  char cmdline[64];
  sprintf(cmdline, "mkswap %s", SWAP_FILE);
  if (runcmdline(cmdline)) {
    exit(1);
    return;
  }
  // NOTE(review): swapon() returns 0 or -1, so comparing with 1 never
  // matches and a swapon failure goes unnoticed; presumably -1 was intended.
  if (swapon(SWAP_FILE, SWAP_FLAG_PREFER) == 1) {
    exit(1);
    return;
  }
}

// Resource slots for loop(): results of the two open() calls, preset to an
// invalid descriptor value.
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop(void) { intptr_t res = 0; memcpy((void*)0x20000040, "ext4\000", 5); memcpy((void*)0x20000500, "./file1\000", 8); memcpy( (void*)0x20003e80, "\x00\xbf\x60\x42\xaa\xa5\xc8\x9f\x1a\xa1\xfc\xbc\xbb\xaa\x9c\xac\x31\xb2" "\x82\x40\x14\x8a\x0a\x68\x82\x7e\xb0\x83\xa3\x81\xba\xbc\xd2\x1f\x75\x03" "\xdf\x50\x11\x14\xd7\x94\x02\x00\x00\x00\x00\x00\x00\x00\xf9\x25\x56\x71" "\x3c\x0f\xe3\xf4\xe1\x3f\xa3\x61\x84\xa1\x61\x44\x77\x56\xdd\x0c\xf8\xdc" "\x7d\x5c\xea\x09\x88\xba\xf0\x3e\xfe\xbb\x63\xbd\x7a\x59\x83\xf0\x81\xf8" "\x11\xf1\x97\xb7\x8a\x5f\x5e\x95\x83\x8c\xc9\x0e\x64\x46\xd8\x18\x9c\x91" "\x21\xb3\xcc\xf5\xb2\x4d\x46\x84\x24\x2b\x4f\x85\xf6\xd4\x32\x31\xb7\xb9" "\x24\x0f\x74\xbd\xac\xf3\x4b\x21\x79\x65\xc0\x2b\x7b\xe4\x19\x32\x6a\x31" "\x68\xc7\xdf\x4e\xb8\xdc\x2e\x7c\xc0\xd1\xc7\x08\xa1\x50\x28\x78\x63\x3e" "\xca\x49\xf3\x58\xe5\xb8\x55\x51\xff\x6e\x49\x77\x65\x08\xbf\x45\xb3\xc7" "\x1a\xf4\x15\x80\x00\x00\x00\xab\xd9\x9b\xb3\x4d\x1c\x23\x03\xb5\x1c\x29" "\xd0\x2f\xae\x2c\x7f\x03\x7b\xe4\xb4\xbc\x63\xea\xa6\x8a\x1e\x08\xe3\xfb" "\xc0\x77\x44\xa5\xdd\x13\x55\x53\xdb\x00\x6f\x1e\x0a", 229); memcpy( (void*)0x20000540, "\x78\x9c\xec\xdd\xdf\x6b\x5b\xd7\x1d\x00\xf0\xef\xbd\xb6\xb2\xfc\x70\x66" "\x67\xdb\x43\x16\x58\x16\x96\x0c\x27\x6c\x91\xec\x78\x49\xcc\x1e\xb2\x0c" "\xc6\xf2\x14\xd8\x96\xbd\x67\x9e\x2d\x1b\x63\xd9\x32\x96\x9c\xc4\x26\x0c" "\x87\xfd\x01\x83\x31\xd6\x42\x9f\xfa\xd4\x97\x42\xff\x80\x42\xc9\x9f\x50" "\x0a\x81\xf6\xbd\xb4\xa5\xa5\xb4\x49\xfb\xd0\x87\xb6\x2a\x92\xae\xd2\xc4" "\x95\x62\x87\xc8\xbe\x60\x7f\x3e\x70\x7c\xcf\xb9\x57\xd2\xf7\x7b\x6c\x74" "\x75\xcf\xbd\xc7\xba\x01\xec\x5b\xa7\x22\xe2\x6a\x44\x0c\x44\xc4\xb9\x88" "\x18\xce\xd6\xa7\x59\xb9\xd6\x6c\x6c\xb4\x1f\xf7\xe8\xe1\xdd\xe9\x66\x49" "\xa2\xd1\xb8\xf1\x59\x12\x49\xb6\xae\xf3\x5a\x49\xb6\x3c\xd2\x7e\x4a\x1c" "\x8c\x88\xbf\x5d\x8b\xf8\x67\xf2\xc3\xb8\xb5\xb5\xf5\x85\xa9\x4a\xa5\xbc" "\x92\xb5\x4b\xf5\xc5\xe5\x52\x6d\x6d\xfd\xfc\xfc\xe2\xd4\x5c\x79\xae\xbc" 
"\x34\x31\x31\x7e\x69\xf2\xf2\xe4\xc5\xc9\xb1\xbe\xf4\x73\x24\x22\xae\xfc" "\xe9\xa3\xff\xff\xe7\xb5\x3f\x5f\x79\xeb\xb7\xb7\xdf\xbf\xf9\xc9\xd9\x7f" "\x35\xd3\x1a\xca\xb6\x3f\xd9\x8f\x7e\x6a\x77\xbd\xd0\xfa\x5d\x74\x0c\x46" "\xc4\xca\x4e\x04\xcb\xc1\x40\xb6\x2c\xe4\x9c\x07\x00\x00\xdb\xd3\x3c\xc6" "\xff\x49\x44\xfc\xaa\x75\xfc\x3f\x1c\x03\xad\xa3\x53\x00\x00\x00\x60\x2f" "\x69\xfc\x61\x28\xbe\x4e\x22\x1a\x00\x00\x00\xc0\x9e\x95\xb6\xe6\xc0\x26" "\x69\x31\x9b\x0b\x30\x14\x69\x5a\x2c\xb6\xe7\xf0\xfe\x2c\x0e\xa7\x95\x6a" "\xad\xfe\x9b\xd9\xea\xea\xd2\x4c\x7b\xae\xec\x48\x14\xd2\xd9\xf9\x4a\x79" "\x2c\x9b\x2b\x3c\x12\x85\xa4\xd9\x1e\xcf\xe6\xd8\x76\xda\x17\x36\xb5\x27" "\x22\xe2\x58\x44\xfc\x6f\xf8\x50\xab\x5d\x9c\xae\x56\x66\xf2\x3e\xf9\x01" "\x00\x00\x00\xfb\xc4\x91\x4d\xe3\xff\x2f\x87\xdb\xe3\x7f\x00\x00\x00\x60" "\x8f\x19\xc9\x3b\x01\x00\x00\x00\x60\xc7\x19\xff\x03\x00\x00\xc0\xde\x67" "\xfc\x0f\x00\x00\x00\x7b\xda\x5f\xae\x5f\x6f\x96\x46\xe7\xfe\xd7\x33\xb7" "\xd6\x56\x17\xaa\xb7\xce\xcf\x94\x6b\x0b\xc5\xc5\xd5\xe9\xe2\x74\x75\x65" "\xb9\x38\x57\xad\xce\xb5\xbe\xb3\x6f\x71\xab\xd7\xab\x54\xab\xcb\xbf\x8b" "\xa5\xd5\x3b\xa5\x7a\xb9\x56\x2f\xd5\xd6\xd6\x6f\x2e\x56\x57\x97\xea\x37" "\xe7\x9f\xba\x05\x36\x00\x00\x00\xb0\x8b\x8e\xfd\xf2\xfe\x7b\x49\x44\x6c" "\xfc\xfe\x50\xab\x34\x1d\xc8\x3b\x29\x60\x57\x24\xcf\xf3\xe0\x0f\x77\x2e" "\x0f\x60\xf7\x0d\xe4\x9d\x00\x90\x9b\xc1\xbc\x13\x00\x72\x53\xc8\x3b\x01" "\x20\x77\x5b\x9d\x07\xe8\x39\x79\xe7\xed\xfe\xe7\x02\x00\x00\xec\x8c\xd1" "\x9f\xf7\xbe\xfe\xef\xdc\x00\xec\x6d\x69\xde\x09\x00\x00\xbb\xce\xf5\x7f" "\xd8\xbf\x0a\x66\x00\xc2\xbe\xf7\xe3\x2d\xb6\xbf\xf8\xf5\xff\x46\xe3\xb9" "\x12\x02\x00\x00\xfa\x6e\xa8\x55\x92\xb4\x98\x5d\x0b\x1c\x8a\x34\x2d\x16" "\x23\x8e\xb6\x6e\x0b\x50\x48\x66\xe7\x2b\xe5\xb1\x6c\x7c\xf0\xee\x70\xe1" "\x47\xcd\xf6\x78\xeb\x99\xc9\xf3\xfd\xef\x30\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xec\x63\x8d\x46\x12\x0d" 
"\x00\x00\x00\x60\x4f\x8b\x48\x3f\x4e\x5a\xdf\xe6\x1f\x31\x3a\x7c\x66\x68" "\xf3\xf9\x81\x03\xc9\x57\xc3\xad\x65\x44\xdc\x7e\xe5\xc6\x4b\x77\xa6\xea" "\xf5\x95\xf1\xe6\xfa\xcf\x1f\xaf\xaf\xbf\x9c\xad\xbf\x90\xc7\x19\x0c\x00" "\x00\x00\x60\xb3\xce\x38\xbd\x33\x8e\x07\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x7e\x7a\xf4\xf0\xee\x74\xa7" "\xec\x66\xdc\x4f\xff\x18\x11\x23\xdd\xe2\x0f\xc6\xc1\xd6\xf2\x60\x14\x22" "\xe2\xf0\x17\x49\x0c\x3e\xf1\xbc\x24\x22\x06\xfa\x10\x7f\xe3\x5e\x44\x1c" "\xef\x16\x3f\x69\xa6\x15\x23\x59\x16\xdd\xe2\x1f\xca\x31\x7e\x1a\x11\x47" "\xfa\x10\x1f\xf6\xb3\xfb\xcd\xfd\xcf\xd5\x6e\xef\xbf\x34\x4e\xb5\x96\xdd" "\xdf\x7f\x83\x59\x79\x51\xbd\xf7\x7f\xe9\xe3\xfd\xdf\x40\x8f\xfd\xcf\xd1" "\x6d\xc6\x38\xf1\xe0\x8d\x52\xcf\xf8\xf7\x22\x4e\x0c\x76\xdf\xff\x74\xe2" "\x27\x3d\xe2\x9f\xde\x66\xfc\x7f\xfc\x7d\x7d\xbd\xd7\xb6\xc6\xab\x11\xa3" "\x5d\x3f\x7f\x92\xa7\x62\x95\xea\x8b\xcb\xa5\xda\xda\xfa\xf9\xf9\xc5\xa9" "\xb9\xf2\x5c\x79\x69\x62\x62\xfc\xd2\xe4\xe5\xc9\x8b\x93\x63\xa5\xd9\xf9" "\x4a\x39\xfb\xd9\x35\xc6\x7f\x7f\xf1\xe6\xb7\xcf\xea\xff\xe1\x1e\xf1\x47" "\xb6\xe8\xff\x99\x6d\xf6\xff\x9b\x07\x77\x1e\xfe\xb4\x5d\x2d\x74\x8b\x7f" "\xf6\x74\xf7\xcf\xdf\xe3\x3d\xe2\xa7\xd9\x67\xdf\xaf\xb3\x7a\x73\xfb\x68" "\xa7\xbe\xd1\xae\x3f\xe9\xe4\xeb\xef\x9c\x7c\x56\xff\x67\x7a\xf4\x7f\xab" "\xbf\xff\xd9\x6d\xf6\xff\xdc\x5f\xff\xfd\xc1\x36\x1f\x0a\x00\xec\x82\xda" "\xda\xfa\xc2\x54\xa5\x52\x5e\x51\x51\x51\x51\x79\x5c\xc9\x7b\xcf\x04\x00" "\x00\xf4\xdb\xf7\x07\xfd\x79\x67\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\xfb\xd7\x6e\x7c\x9d\xd8\xe6\x98\x1b\xf9\x74\x15" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\xe0\x99\xbe\x0b\x00\x00\xff\xff\xf7\xa0\xd4\xed", 1204); syz_mount_image(/*fs=*/0x20000040, /*dir=*/0x20000500, /*flags=*/0x4500, /*opts=*/0x20003e80, /*chdir=*/0x12, /*size=*/0x4b4, /*img=*/0x20000540); memcpy((void*)0x20000180, "./bus\000", 6); res = syscall(__NR_open, /*file=*/0x20000180ul, /*flags=*/0x14d27eul, /*mode=*/0ul); if (res != -1) r[0] = res; syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x600000ul, /*prot=*/0x27ffffful, /*flags=*/0x4002011ul, /*fd=*/r[0], /*offset=*/0ul); syscall(__NR_fallocate, /*fd=*/r[0], /*mode=*/0ul, /*off=*/0x8947ul, /*len=*/7ul); memcpy((void*)0x20000380, "/dev/loop", 9); *(uint8_t*)0x20000389 = 0x30; *(uint8_t*)0x2000038a = 0; memcpy((void*)0x20000140, "./bus\000", 6); syscall(__NR_mount, /*src=*/0x20000380ul, /*dst=*/0x20000140ul, /*type=*/0ul, /*flags=*/0x1000ul, /*data=*/0ul); memcpy((void*)0x20000000, "./bus\000", 6); res = syscall(__NR_open, /*file=*/0x20000000ul, /*flags=*/0x14113eul, /*mode=*/0ul); if (res != -1) r[1] = res; *(uint64_t*)0x20003640 = 0; *(uint32_t*)0x20003648 = 0; *(uint64_t*)0x20003650 = 0x20003300; *(uint64_t*)0x20003300 = 0; *(uint64_t*)0x20003308 = 0; *(uint64_t*)0x20003310 = 0; *(uint64_t*)0x20003318 = 0; *(uint64_t*)0x20003320 = 0; *(uint64_t*)0x20003328 = 0; *(uint64_t*)0x20003330 = 0; *(uint64_t*)0x20003338 = 0; *(uint64_t*)0x20003340 = 0x20002e80; memcpy( (void*)0x20002e80, "\xfa\x6a\x31\x20\xa4\x78\x45\xf4\xd1\xea\x64\x22\x71\x59\x1a\x02\xa5\xe4" "\x5b\xf0\xdd\xe9\xdd\xfe\xf0\x44\xe0\x19\xfa\x7a\x89\xe6\xc5\xfc\x62\xfd" "\x3b\xd9\x8d\x56\x73\xd0\xea\x63\xbd\xdd\xa2\x0c\xfe\x71\x4f\xf1\x56\x6b" "\x31\x56\x7b\x79\x22\x9e\x09\x94\x49\x5e\x07\xa9\x30\x07\x40\x93\xec\x24" "\xf8\x12\xed\x76\x46\x5c\x17\xfd\x8d\x73\x6b\xa6\xdd\x7f\x06\x96\x49\xef" 
"\xfa\x73\x98\xcf\x6e\x6c\xeb\x6f\x40\x89\xdd\x36\x99\x09\x78\xcf\x03\x0b" "\x6f\x0b\x0d\x62\x87\x36\x80\x39\x77\xb6\x49\x9f\x27\x1e\xbc\x6f\x15\xd5" "\x73\xb2\x3e\xfb\x24\x6e\x75\x8c\x7f\xf6\x83\x77\xe3\x86\xa9\x19\xd5\x5f" "\x8d\xd8\x64\x45\x1f\xda\x65\x43\x55\x16\x10\xbc\xd4\x57\x65\x3b\xb0\x60" "\x7a\x6b\x36\xdb\x49\x63\xfc\x6d\x39\x5b\x9f\x7b\xb1\x4c\xb9\x9d\x07\xaa" "\xb3\x9c\xb5\x38\x3f\x53\xf3\x36\xad\xb9\xe8\x32\x1a\xb0\xa6\x87\xae\xa5" "\x3c\x9e\x2b\xc1\xbc\x4d\x79\x4c\xde\xc7\xf5\x56\xc8\x4c\x5f\xfd\xfd\xb3" "\x74\x0a\x5c\x54\xb3\xfe\x7e\xc3\xc7\xe0\x40\x59\x78\x5d\x41\x95\x25\x2f" "\x41\x0e\xa7\xd1\xbf\x75", 240); *(uint64_t*)0x20003348 = 0xf0; *(uint64_t*)0x20003350 = 0; *(uint64_t*)0x20003358 = 0; *(uint64_t*)0x20003360 = 0x20003f80; memcpy( (void*)0x20003f80, "\x9b\x53\x92\x69\xd8\xd0\xde\x81\xa2\x5c\xa7\x5a\x89\x32\xd9\xa3\x81\x4b" "\x65\xa1\xb7\x87\x0a\xfb\xf6\x67\x8c\xac\x61\x69\xf9\x42\x74\xb4\xee\x67" "\x12\x02\xa0\xab\xec\xa2\xbd\x50\x4b\x6d\x70\xad\xc6\xcd\x1e\x7c\x46\xe8" "\x6f\xdc\x97\x7c\x31\xd1\x2f\x2b\xa1\x00\xae\x88\x06\xae\x21\x0f\x8a\x7a" "\x1d\x01\x82\xcd\x19\xba\xa5\x35\xcd\x21\x81\x54\x9d\x08\x0f\x7e\x2d\xd3" "\x3a\xe8\xbe\x7f\xfa\x33\x97\x9e\x8c\x54\x7f\x47\x68\x96\x39\x53\x93\xc2" "\x1c\x48\x1d\x31\x2a\x8b\xfa\x8f\x64\xa8\x63\x72\xa9\xd2\xdd\x2c\x00\x72" "\x6e\xb7\x69\x16\x66\xb9\x4d\xa9\x53\xed\xb1\xfd\x58\x46\xf1\x98\xca\x8f" "\xda\x10\x4c\xc0\x90\xc8\x9b\x83\x4e\x1c\x9f\x4a\xf9\x09\xc6\x9d\x50\xd6" "\x73\x3d\x6d\x88\x17\x5e\x17\xb2\x80\x52\xd8\xe7\xe6\xe8\xf0\x9e\x61\x5e" "\xb6\xd1\x43\x98\xfd\x44\x37\xe9\x61\x61\xce\xaf\xed\xf4\x4b\xbe\x70\x35" "\x0e\xfc\x00\xf1\xfe\x7d\xca\x0f\xa5\x6f\x67\xe0\x50\x73\xab\x0e\x42\xd5" "\x0e\x4a\x48\x79\x41\xc0\x89\x87\xaf\x92\x3a\xb0\xb0\xb4\x7d\x81\x75\xe9" "\x11\xef\xf4\x5f\x2d\x98\x1f\x3c\xed\x7a\x00\x13\xae\x6c\xc3\x6b\x4a\x2a" "\x1e\xbd\xd4\xb9\x5f\x11\x78\x19\x8d\xe7\x26\x2f\x62\xfb\x39\x78\xaf\xc0" "\x2f\xc6\xc8\xdf\xa9\xa8\x79\x94\xa4\x35\xe6\xde\x0c\x08\xd5\xf4\x69\xb4" 
"\xed\xe5\x47\xd3\xdb\x13\x26\x86\xad\x43\x21\x2a\xb4\x0b\x1c\x95\xf8\xad" "\xf4\x41\x5a\x48\xb0\x59\x94\x1f\xbc\x6e\xf6\xd2\x1c\x15\xe9\x64\xf9\xe0" "\x39\x93\x62\xbc\xbb\x5f\x72\x88\x99\x7b\x8a\x9f\xfd\x61\xfc\x11\x0a\x75" "\xc3\x89\xf9\xe1\xc8\x62\x0e\x72\x32\x03\x76\x62\x47\xb0\x95\xac\xaf\xe0" "\x3d\xa2\xc6\x80\xd8\x3d\x5b\x06\xf5\xae\x8d\x65\x24\x56\xa8\xea\x62\x4f" "\x7a\xed\x2f\x29\xd9\xa7\xee\x2c\xad\x0e\x04\x5b\x14\xe2\xe6\x08\xca\x2f" "\x85\xef\xa4\xef\xdf\x37\x92\x28\x94\x74\x51\xc4\xe2\x75\xd4\x53\x3e\x6b" "\xa7\x98\xe4\xad\x13\xca\x05\x3d\x7f\xb4\x92\x6c\xd1\xd1\xdf\xe7\x50\x87" "\x15\x93\xbf\xe5\x83\x7d\xd8\x38\x66\xd6\xa6\xf0\x21\x74\xf8\xd0\x62\xf1" "\x28\x5b\x47\xa8\x5a\x25\x7b\xbf\x13\x89\xb3\xa0\x85\xf0\x44\xbd\xdc\xd2" "\xa0\x04\xcc\x09\xaf\x62\x86\xa5\x6a\x70\x0b\xb7\xcb\xe4\x90\xff\x15\xb3" "\xd3\x78\xae\x5c\xe1\x54\x04\x05\x83\x0a\x87\x1d\x15\x5f\x0a\x30\x29\x24" "\x03\x56\x72\x07\x7f\x71\x1f\x75\x7d\x04\xd0\x1f\xb4\x04\xc7\x95\x9c\x03" "\x9c\xa3\xb8\x3a\xbe\xa4\x0d\x0b\x94\x37\xe1\x2c\xd0\x19\xa0\x6c\x5b\xa2" "\x40\x9e\x21\x78\xcd\x4c\x90\x45\x52\x7e\x35\x82\x91\xf0\xdf\x43\xb4\x26" "\x0b\xf2\x77\xcf\x91\xf0\xe1\x50\x7b\xad\x0f\x66\xb7\x47\xe0\x95\xe1\xb9" "\x5b\x53\xf1\x98\xdb\xf1\x98\x6a\x65\xc2\x19\x0b\xce\x23\xb2\x36\x0a\x8b" "\x0d\x59\x5c\x50\x20\xff\x68\x5b\xaa\xec\x98\x85\xde\x26\xf2\x8f\xcb\xd5" "\xe1\xe8\xf7\x65\xe5\xa0\x3c\x51\x94\xe7\x16\xb4\x4e\xdc\x04\xff\x37\xa0" "\xa8\xa6\x48\xca\x4f\x27\xe9\xd1\x80\xd0\xba\xe3\x16\x9f\x68\xc4\x02\x94" "\x8c\x20\x9f\xc6\x5b\x9f\xd6\x9f\x74\x0c\xa8\xf3\xf7\x73\x38\xac\x5e\x18" "\xd9\xfa\x5b\x27\xef\x52\x77\xe6\xe5\xb3\x38\x1f\xef\x6f\xc5\x64\x43\xee" "\x0d\xe4\xa0\x75\xb9\x65\x01\xb0\xd3\x14\xbb\xac\x87\xcd\x55\x8f\x50\xd9" "\x1b\xe7\x25\xa1\xe8\x3e\x2d\xec\x13\x11\x8c\xf9\x98\xc2\x38\x3e\xa5\x23" "\x5b\x5d\x81\x8d\x04\xaa\x1b\x03\xf7\x58\xeb\x13\xfb\x22\x57\xef\x07\xab" "\x77\x29\x7b\xf4\xf2\x7d\x07\x07\xa9\x78\x3e\x34\x00\xe6\xc7\x17\xa5\x21" 
"\xc7\xb0\x37\x22\x94\x4e\xa6\xda\x5d\xca\xa2\xd3\xe0\xfa\x5b\x83\xe8\x22" "\x8e\x40\xd7\x83\xa9\x4b\xef\x65\x59\x10\x13\xdf\x62\x86\xf1\xf7\x9c\xc5" "\xda\xd3\xec\xfe\x04\x86\xe9\xac\x98\x59\xc9\x04\x6c\xf0\x29\xd1\x0b\x9e" "\xea\x25\xb1\xe6\x0d\x88\x59\x1d\xc0\x3b\x54\x95\x54\x44\xcd\xda\x69\x20" "\x03\x3e\xae\xbb\x84\xb1\x80\x41\xa4\x5f\xd2\xf0\x96\x20\x56\xab\xa7\x0e" "\x2d\x00\xf6\x48\xce\xf1\xab\x8a\x5d\x5b\xd6\xaf\xed\x37\xc8\xa3\xdd\x12" "\x48\x83\xa4\x9b\x40\x83\x7f\x83\xfa\xa2\xd4\x59\xac\xc7\x4b\xa6\x06\x9c" "\x38\x45\x69\x86\x1e\xdd\x44\xf1\xa8\x11\x46\xfe\x9c\x04\x99\x96\xb0\xdf" "\x12\x5e\x27\x55\xea\x69\xf4\x03\x32\x05\x67\x78\x7e\xaf\x25\x70\xe8\x18" "\x1e\x96\xb3\x48\x8e\x95\x98\x77\xb5\xc0\x04\x6d\xec\xe2\x87\x5a\x2f\xf3" "\x0b\xd0\xa0\x73\x76\xe5\xc6\xec\xb4\x74\xf7\xf0\x29\xfb\xa8\xe8\x50\x8d" "\xc7\x51\x60\x3f\xe7\x17\xd8\x01\x16\x97\x5d\x83\xf5\xf9\x4f\x4e\x4d\x2d" "\xcd\xac\xdf\x10\x96\xb3\x06\x0c\x95\xd6\xd6\x76\x60\x06\xe6\xc8\xec\x12" "\xe5\x94\x4f\x08\x6c\x85\xe8\x18\x8c\x01\x0b\xc2\x88\x71\x03\x9f\x11\x36" "\x26\x99\xd4\x0b\x9e\xcd\xb8\xd4\xf2\xdc\x5a\xe8\xe3\xe6\xcc\xe5\x93\xdb" "\xe2\xaa\x5e\x47\x64\xc9\x8e\x66\x1f\x85\xc2\xad\x52\xb8\x67\xa0\xe0\xde" "\x01\xc0\x5a\xf5\x17\x7d\x74\xca\xbf\xe8\x35\xbc\x02\x3c\x3b\xa9\x2f\x4b" "\x1d\x18\x84\xed\x5d\x9f\x9e\x89\x77\x2e\x69\x75\x2b\x6a\x08\x39\xfa\xd8" "\x34\x92\x44\x54\x96\xbd\x9e\xd9\x6d\xe9\x1c\xd5\xef\x27\x0e\x02\xa0\xaf" "\x2e\x6e\x25\x87\x48\x36\xd8\x9a\x11\x8b\x72\xce\x83\xd5\x47\x09\x28\xd5" "\x1c\xc7\x84\xaa\x04\xc6\x68\x82\xf6\x73\x1f\xfa\x5e\x72\x53\xa5\x71\x87" "\x47\xeb\x1d\xdc\xbb\x86\xc8\x11\x9d\x20\xf0\x56\x44\x15\xf8\xcd\x40\x18" "\xf3\x96\xe1\x8b\xc3\x9f\x09\xaf\xce\x23\x34\x5d\x38\x51\xf0\x13\xd3\x2a" "\x87\x92\x30\x8d\x0c\x36\xbc\xa1\xb0\xd5\x98\x14\xbf\xc3\xcc\x6f\x47\x00" "\x62\x80\x83\x84\x59\xcd\x54\x5d\xb9\x4b\xad\xc0\x4c\x12\xc7\x48\x32\xa7" "\x59\x97\x4f\xb6\xbc\x38\xf8\x54\x0c\xb9\x7c\x7f\x49\xd9\xd9\x20\x61\x8d" 
"\x89\x8d\xdf\x5c\x38\x77\xf4\x36\xf4\xdc\x00\x4e\x38\x05\x29\x3d\xc4\x9f" "\x75\x36\xfe\x4d\x7d\x9a\xf3\xad\x53\x6f\xd1\x97\x6a\x62\x96\x00\xcc\x41" "\x67\xc3\xb2\x5a\xa0\xf8\xfc\x63\xf8\x21\xc5\xeb\x19\xe5\xbd\xe3\x98\xf2" "\xf1\x89\x1d\x0c\x4d\x0c\x2b\x8d\x3c\x7e\x39\x35\xca\x68\xcd\x84\x5b\x86" "\x4b\x95\x8c\xb6\xbf\x1a\xf3\xec\x97\xe3\xf5\x70\x5e\xdd\x95\x77\x59\x50" "\xde\x0e\xca\x15\xd1\xe6\xee\xb0\x40\xad\x08\x65\x0c\x90\x19\x84\xc9\x3f" "\x54\x4b\x4e\x15\x70\x70\x01\x58\xc1\xf5\x78\x7e\xd9\xe1\x9f\xa7\x5e\xfb" "\xb6\x01\xdf\xdd\x0a\x82\x89\x97\xa4\x65\xf1\x12\x0a\xe4\x86\x26\x4a\xa3" "\x51\x46\x89\x8b\x38\xc8\x5b\x29\x31\x33\x1d\xfa\xad\x00\x0e\x5a\x59\xf0" "\x55\x18\x3a\x76\xd7\x98\x8a\x67\x4d\x5a\x7a\x92\x38\xf9\xce\x4a\x70\x57" "\x2c\x5b\x34\xe0\x44\xe7\xe0\x27\x76\xf1\xe3\xa8\xbf\xda\x7b\xf6\xfb\x05" "\x56\x99\x36\xb3\xd2\x35\x20\x18\xe3\xd6\x8a\x38\x44\x38\x9b\xe7\x0c\x75" "\xc5\x53\x6c\x2c\xf1\x02\x7d\xa3\x57\x12\x4d\x57\xe4\xc6\x15\xb5\x0c\x9a" "\x60\xf2\x8b\xc0\xdb\x59\x34\x46\x04\x1d\x00\x97\x5d\xf6\x44\xf1\xad\x07" "\xcc\xb2\x2b\x54\x39\x24\x10\x69\xff\x43\xfb\x12\x55\xb5\xc4\xb3\x60\xf7" "\xfe\xa5\x7f\x32\x9e\x25\x5a\xd4\x7b\x8d\xcd\xa5\xbb\x13\xad\x5f\x5a\x14" "\xa6\xb8\xa2\xa7\x3c\x66\xc5\xfb\x49\x18\x1d\x3c\x87\xf0\x2d\x1e\xab\x25" "\x96\x65\xb8\x1d\x83\xb7\xc8\x8c\xdb\x84\xbe\x28\x15\xd1\xbb\xb9\x58\x33" "\xc9\x5e\xdf\xa5\xfe\x14\xfc\x77\x08\xd3\x75\x8d\x0c\x01\x87\x2b\xa8\xb4" "\x9c\x34\x88\x61\x2d\xe9\x39\xb5\x14\x42\x3a\xe5\x10\xc3\x1d\x3e\xed\x2c" "\x2b\x5f\x5c\x74\xe4\xa0\x8b\x32\xed\xd5\x78\x2c\xc0\xee\xf9\x5c\x99\x86" "\x09\xb2\x58\xe1\x4d\x5a\xd7\xf9\xe1\x04\xf8\xd3\x2c\x9f\x18\xad\xec\x3d" "\x74\x17\xd0\xa9\xdd\x3a\xc5\xed\x69\x56\x7c\x37\x41\xd3\xbd\x69\x2b\xea" "\xf0\xd9\x09\x70\xcb\x4b\x39\x8b\x80\xc2\xc9\x12\x12\x1f\xba\x08\xf5\x25" "\xd7\xce\xbb\x15\x01\x70\x32\xda\xd4\xc6\x11\x7d\xa5\x97\xab\xbc\xe7\x2b" "\xea\x0f\xe1\xa3\x8a\x9e\x56\x70\x51\xe9\x60\x71\xc9\x17\x3a\x03\x2e\x12" 
"\xb4\x9a\xde\xc3\x82\x53\x88\xc1\x5d\x2e\x1a\x83\x85\xb8\xa6\x6a\xc0\xe4" "\x1d\xe5\x0f\xd7\xdf\xde\xfa\x74\xd7\xc4\xad\x80\xe8\x69\x1e\x68\x71\x1a" "\x7c\x74\x1c\x57\x66\xaa\xba\x3a\xcb\x87\xec\x75\xa5\x48\x82\x7b\xd2\xff" "\x77\x75\x18\x69\xd2\x1b\xaa\x7e\x39\x08\x36\x3f\x5c\xee\xa9\x36\x40\x88" "\x52\x69\xa7\xcd\xc9\xb3\x8f\xd7\x77\x4a\xe7\x4e\xb8\x54\x37\xec\xa0\xb9" "\x96\x17\xb5\x56\x8e\x3b\xbc\xfc\x29\x92\x6a\x90\x19\x80\xbd\x0b\x74\x87" "\xeb\x00\x82\x4f\xb1\x66\xde\xcf\xc9\x8f\xd5\x0d\x2b\x17\xc0\x65\x87\x78" "\xf2\x51\x87\xd5\x17\x5c\x25\x48\xee\xd5\x97\x69\x61\xff\x1a\xeb\x5d\xbf" "\xa2\x9c\xeb\x90\x10\x88\xb0\x65\xee\x62\xf2\xd8\xe1\xb0\x1c\x0f\x10\x9a" "\xd8\xe1\xd9\x7e\xce\x2e\x0b\x4f\x03\x22\x32\xba\x17\xe0\xef\x73\x48\x99" "\x54\x96\xea\x02\xd4\x1e\xcc\x66\x3f\x94\xdc\x79\xf7\xe9\x5d\x49\xab\x65" "\xba\x18\xca\xb1\x96\x0a\xdf\xa8\xa2\x92\x72\xc4\xdc\xc8\xcd\xcd\x89\x7d" "\x84\x1f\xd7\x88\xbc\xff\xe1\x2a\x29\xcf\x02\xda\x12\xa8\x21\xdc\x34\x8b" "\xef\xe4\xd5\x17\x7b\xc3\x7a\x0d\x01\x4c\x5e\x9e\x05\x65\xc9\xf4\xac\x1b" "\x2c\xe9\x84\xac\x05\x5a\x22\x64\x7f\xf5\x17\xb0\xe4\x17\x72\xa9\xf4\x44" "\x86\xb7\xa9\x58\xff\xd0\xd5\x8d\x38\x0e\xe8\xa7\xd1\x6c\xca\x0f\x44\xdf" "\x32\x1b\x0d\x4f\x18\x2d\xd1\x8c\xdf\x08\xcf\x30\xb5\x02\x99\x23\xdf\xf6" "\x00\xfb\x81\xca\xcf\x97\xea\x9e\xa4\x89\x84\x3c\xdf\x18\xd1\xd9\x28\xc6" "\x62\xb3\x26\xee\x67\xfc\x11\x91\xf5\x25\x74\x35\x0e\x8d\xd8\x92\xa1\x7b" "\x6c\x61\xa0\x36\x40\x31\x05\x0d\xec\x2a\xbe\x83\xbf\xad\xa2\x25\x80\x28" "\xee\x1e\x5c\xee\x29\x02\xad\x72\x01\xd1\xb2\x35\x2c\xcb\x83\xa4\x41\x98" "\x64\xa9\xcd\xef\x1d\x83\xe6\x0f\x5d\x22\xc0\x77\x96\xa1\xc0\x57\x6b\xf9" "\x89\x97\xe1\xf1\x94\x83\xe8\x6d\x11\xe9\xfb\x4e\xcc\x96\x0f\xe0\x31\xb9" "\x11\xb8\x94\x1d\x29\xb8\x35\xcc\x9b\x5d\xc5\x49\x76\x98\x91\x84\x58\x58" "\x76\xd6\x95\x21\xfa\xf7\xba\x56\x1e\x39\x6e\xaf\x48\xc8\x20\xcf\xfd\x73" "\x2a\x10\x26\x30\x1a\xa8\x2a\xea\xef\x88\x20\x97\xc8\xa6\xd7\xd6\x8f\x5b" 
"\x5e\xa7\xdc\xc2\xeb\x40\x3e\xa2\x0b\x66\xd3\x4a\x47\x0e\xf9\x65\x2a\xfb" "\xb7\xc2\x32\x98\x61\x12\x6d\xcd\xc2\xfe\x68\x17\xfc\x2e\x39\x6f\x1c\x05" "\x7d\xbf\xbe\xdd\xb9\x4e\x44\x3c\xb2\x74\x69\x9b\xd2\x68\x51\x5e\x47\x16" "\x4e\x84\x14\x0e\xee\x7c\x80\x31\xfa\x3a\x11\x6c\x32\x8c\xc8\xb5\xc0\x50" "\xe3\xba\x32\xef\x0d\x26\x90\x41\xa3\x92\xf6\x64\xf9\xd8\x80\xdb\xdc\x96" "\x5b\x7e\x6a\xb3\xde\xd6\x61\x2a\x4c\x8b\x94\xd5\x2e\xa6\xff\x70\x17\x9a" "\x93\x12\xd1\xd5\xc1\x93\x48\x75\x2f\x95\x5b\x8c\xb4\x6f\x4b\xc1\xbc\x5b" "\x78\x7f\x37\xb4\x9c\x87\x5f\x31\x13\x4b\x95\x24\x38\x29\xcf\xed\x50\x5b" "\xe5\x2a\x3d\xc9\x8f\xbb\xb9\xc6\xea\xab\x77\xac\x0f\xdc\x68\xcf\x84\x81" "\x03\x7b\x9d\xc5\xe3\x0a\x6e\x12\x6c\xcc\xda\x72\xeb\x2f\xaa\x49\x22\xe9" "\x4f\xfb\xd3\x2f\x30\xba\x65\xc3\xcb\x68\x8a\x2f\x21\x38\xec\xaf\x0a\x93" "\x72\x15\x78\xc3\x9f\x18\x31\xf1\x71\x91\xa4\x51\x72\x4e\xb7\x74\x63\xd9" "\x93\xc0\x90\x88\x03\x7c\x6c\xe2\x0d\x6d\xb8\x3c\x17\x5b\x61\x2c\xef\x1f" "\xc0\x14\x55\x9f\x68\xff\xb2\x14\x78\x78\x61\x93\xc0\x59\xaf\xcb\x18\xd1" "\x36\xdc\x43\xf3\x9f\xfc\x3e\x46\xbf\xea\x4f\x76\x00\x13\xe8\x50\x7c\xef" "\x32\xb5\xa4\x4c\x7d\x74\x2c\x4c\x3f\x59\x8e\x69\x26\x76\xe6\x33\x9e\x0a" "\xed\xda\x61\xa6\x25\x24\x70\x43\xc2\x89\xdd\xd2\x98\x41\xf8\xd6\xac\x08" "\x9e\x27\x55\x80\xe2\xf0\x97\xd0\x2e\x34\xaf\xfa\x0d\xbe\x31\xbc\x6a\x26" "\x7c\x13\x7d\x8e\x19\xf1\x87\xe5\x66\xdd\x7b\xa5\xa0\xcc\x84\xfd\x3d\x5e" "\xbf\xa0\xf8\x86\x4d\xa4\xb4\xea\xee\x5d\x0e\x2d\x10\x7b\x83\xd0\x61\x3d" "\xda\xbe\xc0\x84\x4e\x6d\x8d\xf1\x7e\x82\x07\x80\x17\x84\xba\x04\xbe\x7a" "\x34\x92\xa8\x95\x5e\x2f\x73\xc7\xf9\x11\x69\xdb\xb0\x88\x75\x38\x1b\x50" "\x1c\xdf\xbf\xf7\x74\x4f\x64\x81\x9e\xd2\xda\x08\x90\x1c\xdc\xe1\x81\xcf" "\xbd\x26\xe9\x1e\x39\x25\x70\x61\x27\x83\xd6\x2f\x8a\xaa\xc7\x1c\x2c\x81" "\xfc\x55\x0d\xe3\x83\x6c\xf6\x99\x0c\x08\x35\x4c\xc2\xda\x6e\x6d\xf9\x79" "\xe1\x0c\x88\xf4\x84\x57\x6c\x10\xd2\x36\x9c\xf4\x2f\xed\xe3\x48\x27\x54" 
"\xab\x1c\x25\x67\x3b\xed\xf8\xae\xa6\x0a\x84\x13\x0d\x10\xb2\x12\x84\xf8" "\xa5\x69\xe7\x80\xeb\x4f\x0c\xc3\x29\x0e\x07\x8d\x96\xa7\x5b\x74\x4a\x8a" "\x2f\x9c\x92\xc2\xe5\x07\xd4\x95\xcb\x36\xb9\xb9\x10\xc5\x3c\x8e\x49\xcd" "\x4e\xfe\xe0\x93\xfe\x04\x6a\x36\x9d\xfe\x9d\x2a\xe4\xd9\x0e\xe2\x04\x7d" "\xd3\x64\x5d\x44\x9f\x9f\x9a\x4a\x0b\x3c\x2d\x70\x12\x9f\x21\xba\x94\x10" "\xec\xd4\xd6\x89\x38\x26\xf0\x9c\xbd\x02\xc7\x1a\xe2\x53\xa9\x2d\x62\xf3" "\xce\x67\x5f\xbd\x60\xc3\x30\x2a\xb9\xb8\xa0\x2c\xa7\xd9\x0b\x34\xee\x4c" "\x64\x95\x10\x6b\x9b\x9e\x26\xe1\x97\x5e\xbc\xf6\x39\xda\x4d\x7d\x8e\x70" "\x3d\x7c\x01\xca\x07\xcc\xd0\x95\xb3\xad\x4f\x18\x59\xc6\xf0\x42\x13\xe5" "\xe2\xce\x0b\x9c\xbc\x29\x9c\x4b\x9b\xc7\x61\x9a\x88\x84\x40\xd5\x61\x73" "\x52\x02\xb7\xe6\x06\x12\x30\x30\x98\xc5\x26\x40\x28\xb8\x60\xc5\x96\x64" "\xb5\x9b\x82\x16\x1a\xd1\x63\xa7\xdb\x2d\x37\x5f\x23\xbe\xc3\xc3\x0c\xea" "\x08\x11\x10\x61\xb9\xe0\x82\x33\xfe\xf1\x3c\x04\x19\x31\xad\xf5\x5e\xa6" "\xf2\x8e\xac\x48\xe0\xa2\xb9\xb2\x13\xf5\x0a\x24\xa3\xc8\x5e\x93\xaf\x30" "\x00\x42\xee\x10\xa1\xe3\x80\x39\xc6\xb7\xd1\x8f\x91\x14\x73\x67\xa1\x80" "\xcf\x87\x85\xbf\x67\xba\x8c\x73\x16\xc8\x9b\xf6\x66\x6a\x3e\x4a\xd9\x42" "\xce\x3e\xbe\x90\x14\x5f\x2c\xfa\x2b\x74\x92\xad\x90\x0b\x08\x33\x6d\x3e" "\x7e\xb9\x9c\x9c\x69\x6c\x35\xd0\x36\x7e\xdf\xed\x1f\x08\xb5\xe4\xf5\x6d" "\x48\xae\x90\x1a\x67\x6b\xc3\x1f\x3c\x57\xe6\xa8\x91\x10\x40\x5c\x9c\xae" "\xfb\x36\x6f\x45\xf6\x01\x96\x11\xee\x52\xbe\x6e\x16\xc1\x31\xa3\x28\x25" "\x37\x01\xf3\xf9\x42\x8f\xc5\x4f\x82\x51\xc9\xac\x21\x88\x2e\x37\xf2\x12" "\x2d\x15\x07\x46\xdf\xc1\x50\x20\x1c\xe0\xf5\xd1\x89\xd7\x08\xeb\xcd\xab" "\x30\x2d\x93\x24\x7f\x60\xe2\x9c\xb1\x0f\x31\x13\x4e\xef\xab\xdd\x27\xca" "\xf1\xbb\xbd\x7c\xd5\x8f\x34\x2d\x43\xb7\xc8\x52\xb7\x3d\xf3\xba\x6c\x16" "\x66\x84\x28\xa5\x57\xe8\x6f\x55\x6a\x95\x21\x47\xd0\xff\xc2\xdd\x05\x22" "\xc6\xf9\x44\x80\x37\x66\xe1\x14\xd0\x61\xed\x02\xec\xa3\x53\xa5\x46\x79" 
"\xb7\x1d\x49\x1b\x79\xfe\xbb\xba\x9d\xe8\xa4\x19\x8b\xf6\x00\x1c\x44\x10" "\x68\xc0\xd4\xf6\x6f\x1f\x8e\xc9\x5b\x05\x04\x5f\x2f\x16\xc2\xda\xb6\xfc" "\x62\xec\x97\x71\x10\xb3\xc9\xf8\x27\x73\xb7\xd1\x70\x3e\xb7\x4b\x5e\xbc" "\xc3\x23\xf7\xf9\x54\x58\xeb\x52\x6b\xf6\x72\xe2\x08\xed\x6f\x51\x0c\xe8" "\xb6\x06\x01\x6e\x59\x5f\xc7\xf8\xd7\x68\x54\x98\x97\x58\x1d\x4f\x88\x77" "\x70\x4a\xa4\xf6\xc2\x94\xbf\x9f\x09\xf4\x17\x57\xf6\x8f\x03\x9e\xee\x8c" "\xa0\x63\xd7\x8b\xc1\xd2\xe8\x2c\x47\xa3\x3e\x30\xf8\xc0\xfa\xa7\xfd\x3a" "\x3b\x61\x7e\x1b\xe5\x2d\x0e\x97\x58\xa6\x67\x64\xab\x92\xc5\xb6\x78\x7b" "\x4a\x95\x5c\xa1\x40\xf3\x58\x04\x11\x49\x24\x73\x4a\x64\xd8\xfd\x41\x1d" "\xf2\x34\xe8\x60\x10\xfa\x87\xd8\x37\x20\xc3\xcc\xdb\xf9\x49\xb4\x4a\x13" "\x3e\xc7\xa8\xf9\x4b\xc0\x00\xf0\x87\x8d\xaf\x66\xae\x43\xd0\x6a\x6b\x06" "\xef\x37\xe2\xce\x2b\x31\x4f\x64\x39\xf1\x7e\xb6\x8d\x05\x78\xab\x33\x4a" "\x7d\xc1\x15\xfd\xf7\xea\xed\xe8\x2f\x56\xe8\xd8\xc8\xb4\x27\x8e\xc6\x2b" "\xe0\x5c\xb3\x24\x86\xf0\xbf\x39\x3c\x18\x83\xcd\x88\xf0\xaf\x2f\xbc\x23" "\xa0\x35\x4c\x7f\xb1\xe4\xad\xdf\x40\xed\x48\xbf\xae\x51\x97\xfc\x0f\xef" "\x43\x6d\x5b\x4f\x7c\x06\x11\xb2\xd8\x09\x37\x2c\x58\xe2\x95\x8d\xc1\x07" "\xe8\x15\xa6\x1b\x6e\x24\x0f\xc8\xe5\x7f\x0b\x6f\xea\xe6\x2d\x3a\xb3\x7f" "\x03\x52\x47\xfd\xb3\xf9\x0c\x99\x38\x09\xcd\x88\xe6\x09\xd4\x28\x25\xbd" "\x5d\x8e\xed\x5b\xe9\x1e\x3a\x7c\x10\x4b\x18\x01\x5b\x27\x7d\x8a\x03\x89" "\x22\x70\x8f\x92\x33\x39\xce\x7c\x1e\x8a\xbb\xe3\x52\x5c\xa9\xa8\xb9\xd7" "\x2f\x0a\xaa\x6e\x3c\xe1\xfa\xdc\xc6\x6c\x94\x68\x9b\x09\xe5\xa2\xd8\xe4" "\x41\xa8\x3f\xb4\x59\xe1\xb0\x64\x9a\x47\xbf\xf7\xd3\x3e\x73\xe7\xd0\x9c" "\x8b\x7e\x73\x02\x19\x50\xab\x77\x42\x82\xfe\xf9\x26\x37\xeb\x31\x51\x2c" "\x71\x04\xee\x61\x5d\xf7\x98\xa6\x5e\x96\x4e\xeb\x8b\xf2\xb2\x09\xf4\xec" "\x5c\x6e\x17\x1d\xa8\x7a\x0e\xa0\x05\x8f\x0c\xa4\x5f\x42\x85\x78\x95\xb2" "\x20\x7f\xe4\x75\x46\x87\xe7\x6b\xc9\xb5\xd4\x7c\xfb\xf7\x15\x3f\x5d\x38" 
"\xd6\x2f\x26\x2c\x8f\xc8\x77\xbd\x41\x8f\xc1\xd6\xa0\x79\xec\xfc\x4a\x6f" "\xad\xc9\x5b\x6c\x14\xd3\x6c\x0d\xab\x1f\x8b\x57\x7b\x1f\xd9\xbb\xae\x69" "\x1e\x8c\x7b\x63\xad\x7c\xd0\xa8\x78\xed\x70\x2f\x2b\xb0\xe2\x90\x36\x8f" "\xf0\x0d\x44\xbd\x16\x41\x51\x3b\xbc\xb5\xca\x0d\x98\x79\xec\x41\x76\x17" "\x5d\xf2\x8b\xf4\x7c\x8c\x63\xca\xf5\xbd\x8f\xff\xd4\x29\xe7\x15\x5f\x6b" "\x1c\xf5\x35\x2c\xcd\x6e\x6d\x26\x62\x02\x83\x52\x96\x72\xf3\x13\x8b\x85" "\x22\x22\xd4\x6d\xe7\x69\x45\x84\xf8\xce\x77\x3d\x2c\x93\x82\x2b\x8a\x0c" "\x8f\x07\xd1\x2e\xf0\xda\x5e\xd5\xc1\x8e\x21\x57\xc5\xcf\x1e\xa4\x42\xf6" "\x88\xbf\x43\xc0\x58\x34\xab\xbe\x2f\xce\x98\x62\x9b\x23\xa4\x27\x53\x19" "\xc8\x48\xa0\x8b\x0f\xae\xce\x6b\xf8\xbd\xb6\x7d\x69\xf7\x54\x33\x7b\xf6" "\x56\xa1\xdc\x68\x1b\xf6\x85\xca\x20\x67\xaf\xf8\x04\x83\x1b\xcb\x38\xc7" "\x3f\xbc\xee\xf6\x74\xe6\xe4\x21\x3e\x1a\xc8\x4f\x6a\xb5\xff\x28\xa6\x44" "\x91\x19\x25\x49\x6c\x42\xf9\xf5\x4f\xb5\xf6\xe6\x0e\xbe\x35\x30\xe9\x75" "\x9d\xb3\x8c\x66\x62\x2f\x75\x9f\x0a\x11\x3f\xf4\x1c\xac\x08\x37\xcd\x46" "\x4a\x7e\xde\x68\x23\x22\xa6\x3f\x47\xe1\x13\xc7\xef\x10\xde\x79\x13\xfa" "\x6d\x6c\xcf\x2e\xd5\x8d\x90\x3b\x5b\x3c\x74\xb9\x0a\x0b\x6c\xfc\x1a\x2c" "\xf0\xa3\x73\xbf\x12\x80\xe0\x5f\x38\x44\x0b\xed\x3c\x7d\x8b\x63\x80\xe9" "\xb6\x35\x41\x55\xad\x3e\x30\x89\x76\x19\x5c\xc2\x01\xaf\xf6\xd3\xaa\x2e" "\x51\x37\x80\x77\x9a\xf3\x23\xc4\x85\x21\xa6\x27\xbb\xba\x45\x7a\x48\x18" "\x72\xc5\x7b\x97\xe3\x0a\xaa\x09\x92\xdb\x76\x29\x07\x0d\xc1\xe9\x26\xdf" "\xff\x4d\x53\x4c\x4c\x1d\x04\x95\x23\x94\xb5\x29\x2e\x64\xae\x49\x97\x7a" "\x03\x4b\xbe\x5f\x3b\x58\x3a\x70\x59\xf5\xb3\xb4\xf1\x18\x73\x78\x12\x34" "\x10\x37\xeb\xcf\xf4\x1a\xed\x9e\x2c\xf6\xd2\xd0\x7d\x64\xc4\x20\x1f\x9a" "\xab\x54\xa9\x61\xc8\x7b\xec\xb1\x16\x41\x4b\xf1\xd6\x81\x77\x41\x3e\x13" "\x4c\x63\xe2\xae\xc7\xac\xfa\xfa\x95\xfb\xa5\xab\x3d\xba\xcf\xb0\xf4\x08" "\x2c\x87\x90\x8e\xab\xa9\xf1\x02\x00\x5a\xf2\x46\x24\x0d\x87\xf1\xdf\x04" 
"\xea\x72\x43\x4f\x07\x06\xf8\xcf\x0d\x62\xab\x41\xa3\xea\xbf\xf9\x47\x33" "\x61\x74\xc1\xaf\xa4\xe0\x2c\xbf\x9f\xa3\x9e\x09\x8c\x25\xf0\xb8\x2d\x71" "\x12\xe4\x51\x64\x20\x21\xce\xfd\x38\x5b\x41\xe2\xf5\x80\x9c\x5c\x60\x62" "\x19\x7d\xab\xe5\xc5\x9e\x5f\xf7\x61\x19", 4096); *(uint64_t*)0x20003368 = 0x1000; *(uint64_t*)0x20003370 = 0; *(uint64_t*)0x20003378 = 0; *(uint64_t*)0x20003380 = 0; *(uint64_t*)0x20003388 = 0; *(uint64_t*)0x20003390 = 0; *(uint64_t*)0x20003398 = 0; *(uint64_t*)0x20003658 = 0xa; *(uint64_t*)0x20003660 = 0; *(uint64_t*)0x20003668 = 0; *(uint32_t*)0x20003670 = 0; *(uint32_t*)0x20003678 = 0; *(uint64_t*)0x20003680 = 0; *(uint32_t*)0x20003688 = 0; *(uint64_t*)0x20003690 = 0; *(uint64_t*)0x20003698 = 0; *(uint64_t*)0x200036a0 = 0; *(uint64_t*)0x200036a8 = 0; *(uint32_t*)0x200036b0 = 0; *(uint32_t*)0x200036b8 = 0; syscall(__NR_sendmmsg, /*fd=*/r[1], /*mmsg=*/0x20003640ul, /*vlen=*/2ul, /*f=*/0x810ul); syscall(__NR_write, /*fd=*/r[1], /*data=*/0x20002a40ul, /*len=*/0x156a396ul); { int i; for (i = 0; i < 64; i++) { syscall(__NR_write, /*fd=*/r[1], /*data=*/0x20002a40ul, /*len=*/0x156a396ul); } } close_fds(); }

/*
 * Entry point of the syzkaller-generated reproducer.
 *
 * Maps the fixed address range that the generated code writes through raw
 * pointer casts (for example 0x20000180 and 0x20003640 earlier in this file),
 * then runs the setup helpers and hands control to the sandbox entry.
 *
 * None of the three mmap results is checked. If the fixed mapping at
 * 0x20000000 is not established, the later raw-pointer stores fault instead
 * of reporting an error.
 *
 * NOTE(review): setup_binfmt_misc(), setup_swap() and do_sandbox_none() are
 * defined outside this view. Their names suggest they change system-wide
 * state, so this presumably expects to run as root in a disposable test VM;
 * confirm against their definitions.
 */
int main(void)
{
  /*
   * One inaccessible page (prot=0) directly below the data region.
   * flags 0x32 is MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED with the generic
   * Linux values (0x02 | 0x20 | 0x10).
   */
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  /*
   * The data region itself: 0x1000000 bytes (16 MiB) at 0x20000000 with
   * prot=7, i.e. PROT_READ | PROT_WRITE | PROT_EXEC. Every hard-coded
   * 0x2000xxxx pointer in the generated code lands inside this mapping.
   */
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  /*
   * One inaccessible page directly above the data region (0x21000000), so an
   * access that runs off either end of the region hits a prot=0 page.
   */
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  /* Environment setup helpers; their bodies are not visible in this view. */
  setup_binfmt_misc();
  setup_swap();
  /* Creates ./syzkaller.XXXXXX via mkdtemp, chmods it to 0777 and chdirs into it; exits with status 1 on failure. */
  use_temporary_dir();
  /* Runs the generated test body; presumably without namespace sandboxing, going by the name (TODO confirm). */
  do_sandbox_none();
  return 0;
}