// https://syzkaller.appspot.com/bug?id=cfcd564d1a32fcb10bc54f1dcbd9b2bd0afa0948 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static unsigned long long procid; static __thread int clone_ongoing; static __thread int skip_segv; static __thread jmp_buf segv_env; static void segv_handler(int sig, siginfo_t* info, void* ctx) { if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) { exit(sig); } uintptr_t addr = (uintptr_t)info->si_addr; const uintptr_t prog_start = 1 << 20; const uintptr_t prog_end = 100 << 20; int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0; int valid = addr < prog_start || addr > prog_end; if (skip && valid) { _longjmp(segv_env, 1); } exit(sig); } static void install_segv_handler(void) { struct sigaction sa; memset(&sa, 0, sizeof(sa)); sa.sa_handler = SIG_IGN; syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8); syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8); memset(&sa, 0, sizeof(sa)); sa.sa_sigaction = segv_handler; sa.sa_flags = SA_NODEFER | SA_SIGINFO; sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL); } #define NONFAILING(...) 
\ ({ \ int ok = 1; \ __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \ if (_setjmp(segv_env) == 0) { \ __VA_ARGS__; \ } else \ ok = 0; \ __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \ ok; \ }) static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 
1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } struct nlmsg { char* pos; int nesting; struct nlattr* nested[8]; char buf[4096]; }; static void netlink_init(struct nlmsg* nlmsg, int typ, int flags, const void* data, int size) { memset(nlmsg, 0, sizeof(*nlmsg)); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_type = typ; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; memcpy(hdr + 1, data, size); nlmsg->pos = (char*)(hdr + 1) + NLMSG_ALIGN(size); } static void netlink_attr(struct nlmsg* nlmsg, int typ, const void* data, int size) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_len = sizeof(*attr) + size; attr->nla_type = typ; if (size > 0) memcpy(attr + 1, data, size); nlmsg->pos += NLMSG_ALIGN(attr->nla_len); } static void netlink_nest(struct nlmsg* nlmsg, int typ) { struct nlattr* attr = (struct nlattr*)nlmsg->pos; attr->nla_type = typ; nlmsg->pos += sizeof(*attr); nlmsg->nested[nlmsg->nesting++] = attr; } static void netlink_done(struct nlmsg* nlmsg) { struct nlattr* attr = nlmsg->nested[--nlmsg->nesting]; attr->nla_len = nlmsg->pos - (char*)attr; } static int netlink_send_ext(struct nlmsg* nlmsg, int sock, uint16_t reply_type, int* reply_len, bool dofail) { if (nlmsg->pos > nlmsg->buf + sizeof(nlmsg->buf) || nlmsg->nesting) exit(1); struct nlmsghdr* hdr = (struct nlmsghdr*)nlmsg->buf; hdr->nlmsg_len = nlmsg->pos - nlmsg->buf; struct sockaddr_nl addr; memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; ssize_t n = sendto(sock, nlmsg->buf, hdr->nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr)); 
if (n != (ssize_t)hdr->nlmsg_len) { if (dofail) exit(1); return -1; } n = recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); if (reply_len) *reply_len = 0; if (n < 0) { if (dofail) exit(1); return -1; } if (n < (ssize_t)sizeof(struct nlmsghdr)) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type == NLMSG_DONE) return 0; if (reply_len && hdr->nlmsg_type == reply_type) { *reply_len = n; return 0; } if (n < (ssize_t)(sizeof(struct nlmsghdr) + sizeof(struct nlmsgerr))) { errno = EINVAL; if (dofail) exit(1); return -1; } if (hdr->nlmsg_type != NLMSG_ERROR) { errno = EINVAL; if (dofail) exit(1); return -1; } errno = -((struct nlmsgerr*)(hdr + 1))->error; return -errno; } static int netlink_send(struct nlmsg* nlmsg, int sock) { return netlink_send_ext(nlmsg, sock, 0, NULL, true); } static int netlink_query_family_id(struct nlmsg* nlmsg, int sock, const char* family_name, bool dofail) { struct genlmsghdr genlhdr; memset(&genlhdr, 0, sizeof(genlhdr)); genlhdr.cmd = CTRL_CMD_GETFAMILY; netlink_init(nlmsg, GENL_ID_CTRL, 0, &genlhdr, sizeof(genlhdr)); netlink_attr(nlmsg, CTRL_ATTR_FAMILY_NAME, family_name, strnlen(family_name, GENL_NAMSIZ - 1) + 1); int n = 0; int err = netlink_send_ext(nlmsg, sock, GENL_ID_CTRL, &n, dofail); if (err < 0) { return -1; } uint16_t id = 0; struct nlattr* attr = (struct nlattr*)(nlmsg->buf + NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(genlhdr))); for (; (char*)attr < nlmsg->buf + n; attr = (struct nlattr*)((char*)attr + NLMSG_ALIGN(attr->nla_len))) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { id = *(uint16_t*)(attr + 1); break; } } if (!id) { errno = EINVAL; return -1; } recv(sock, nlmsg->buf, sizeof(nlmsg->buf), 0); return id; } static void netlink_add_device_impl(struct nlmsg* nlmsg, const char* type, const char* name, bool up) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; netlink_init(nlmsg, RTM_NEWLINK, NLM_F_EXCL | NLM_F_CREATE, &hdr, sizeof(hdr)); if (name) netlink_attr(nlmsg, 
IFLA_IFNAME, name, strlen(name)); netlink_nest(nlmsg, IFLA_LINKINFO); netlink_attr(nlmsg, IFLA_INFO_KIND, type, strlen(type)); } static void netlink_device_change(struct nlmsg* nlmsg, int sock, const char* name, bool up, const char* master, const void* mac, int macsize, const char* new_name) { struct ifinfomsg hdr; memset(&hdr, 0, sizeof(hdr)); if (up) hdr.ifi_flags = hdr.ifi_change = IFF_UP; hdr.ifi_index = if_nametoindex(name); netlink_init(nlmsg, RTM_NEWLINK, 0, &hdr, sizeof(hdr)); if (new_name) netlink_attr(nlmsg, IFLA_IFNAME, new_name, strlen(new_name)); if (master) { int ifindex = if_nametoindex(master); netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex)); } if (macsize) netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize); int err = netlink_send(nlmsg, sock); if (err < 0) { } } static struct nlmsg nlmsg; //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. 
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}

// Limits of the DEFLATE Huffman alphabets used to size the decoder tables.
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

// Decoder state: output and input cursors, the bit buffer, and the jump
// target taken when the input runs out in the middle of a read.
struct puff_state {
  unsigned char* out;
  unsigned long outlen;
  unsigned long outcnt;
  const unsigned char* in;
  unsigned long inlen;
  unsigned long incnt;
  int bitbuf;
  int bitcnt;
  jmp_buf env;
};

// Returns the next `need` bits of input, least-significant bit first.
// Running out of input does not return: it longjmps to s->env.
static int puff_bits(struct puff_state* s, int need)
{
  long val = s->bitbuf;
  while (s->bitcnt < need) {
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    val |= (long)(s->in[s->incnt++]) << s->bitcnt;
    s->bitcnt += 8;
  }
  s->bitbuf = (int)(val >> need);
  s->bitcnt -= need;
  return (int)(val & ((1L << need) - 1));
}

// Handles a stored (uncompressed) block. Returns 0 on success, 2 when the
// input is too short, 1 when the output is too small and -2 when the length
// field does not match its one's complement.
static int puff_stored(struct puff_state* s)
{
  // Discard leftover bits so the block header is read from a byte boundary.
  s->bitbuf = 0;
  s->bitcnt = 0;
  if (s->incnt + 4 > s->inlen)
    return 2;
  unsigned len = s->in[s->incnt++];
  len |= s->in[s->incnt++] << 8;
  if (s->in[s->incnt++] != (~len & 0xff) ||
      s->in[s->incnt++] != ((~len >> 8) & 0xff))
    return -2;
  if (s->incnt + len > s->inlen)
    return 2;
  if (s->outcnt + len > s->outlen)
    return 1;
  // Zero bytes are not stored: the cursor advances without writing.
  // NOTE(review): this presumably relies on the caller supplying a zero-filled
  // output buffer (puff_zlib_to_file() passes a fresh anonymous mapping).
  for (; len--; s->outcnt++, s->incnt++) {
    if (s->in[s->incnt])
      s->out[s->outcnt] = s->in[s->incnt];
  }
  return 0;
}

// Huffman table: count[len] is the number of codes of each bit length and
// symbol[] lists the symbols ordered by code.
struct puff_huffman {
  short* count;
  short* symbol;
};

// Decodes one symbol using table h. Returns the symbol, or -10 when no code
// of up to MAXBITS bits matches. Input exhaustion longjmps to s->env.
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
  int first = 0;
  int index = 0;
  int bitbuf = s->bitbuf;
  int left = s->bitcnt;
  int code = first = index = 0;
  int len = 1;
  short* next = h->count + 1;
  while (1) {
    while (left--) {
      code |= bitbuf & 1;
      bitbuf >>= 1;
      int count = *next++;
      if (code - count < first) {
        s->bitbuf = bitbuf;
        s->bitcnt = (s->bitcnt - len) & 7;
        return h->symbol[index + (code - first)];
      }
      index += count;
      first += count;
      first <<= 1;
      code <<= 1;
      len++;
    }
    left = (MAXBITS + 1) - len;
    if (left == 0)
      break;
    if (s->incnt == s->inlen)
      longjmp(s->env, 1);
    bitbuf = s->in[s->incnt++];
    if (left > 8)
      left = 8;
  }
  return -10;
}

// Builds the decoding table h from n code lengths. Returns 0 for a complete
// code (or when every length is zero), a negative value for an
// over-subscribed code and a positive value for an incomplete one.
// NOTE(review): length[] values index count[] directly, so callers must keep
// them within 0..MAXBITS.
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
  int len;
  for (len = 0; len <= MAXBITS; len++)
    h->count[len] = 0;
  int symbol;
  for (symbol = 0; symbol < n; symbol++)
    (h->count[length[symbol]])++;
  if (h->count[0] == n)
    return 0;
  int left = 1;
  for (len = 1; len <= MAXBITS; len++) {
    left <<= 1;
    left -= h->count[len];
    if (left < 0)
      return left;
  }
  short offs[MAXBITS + 1];
  offs[1] = 0;
  for (len = 1; len < MAXBITS; len++)
    offs[len + 1] = offs[len] + h->count[len];
  for (symbol = 0; symbol < n; symbol++)
    if (length[symbol] != 0)
      h->symbol[offs[length[symbol]]++] = symbol;
  return left;
}

// Decodes literal/length and distance codes until the end-of-block symbol
// (256). Returns 0 at end of block, 1 when the output is full, -10 for an
// invalid length symbol, -11 for a distance that reaches before the start of
// the output, or a negative code passed up from puff_decode().
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
                      const struct puff_huffman* distcode)
{
  // Base values and extra-bit counts for length symbols 257..285 and for the
  // 30 distance symbols.
  static const short lens[29] = {3,  4,  5,  6,   7,   8,   9,   10,  11, 13,
                                 15, 17, 19, 23,  27,  31,  35,  43,  51, 59,
                                 67, 83, 99, 115, 131, 163, 195, 227, 258};
  static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
                                 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
  static const short dists[30] = {
      1,   2,   3,   4,   5,   7,    9,    13,   17,   25,
      33,  49,  65,  97,  129, 193,  257,  385,  513,  769,
      1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
  static const short dext[30] = {0, 0, 0,  0,  1,  1,  2,  2,  3,  3,
                                 4, 4, 5,  5,  6,  6,  7,  7,  8,  8,
                                 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
  int symbol;
  do {
    symbol = puff_decode(s, lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 256) {
      // Literal byte. A zero literal only advances the cursor.
      if (s->outcnt == s->outlen)
        return 1;
      if (symbol)
        s->out[s->outcnt] = symbol;
      s->outcnt++;
    } else if (symbol > 256) {
      // Length/distance pair: copy len bytes from dist bytes back.
      symbol -= 257;
      if (symbol >= 29)
        return -10;
      int len = lens[symbol] + puff_bits(s, lext[symbol]);
      symbol = puff_decode(s, distcode);
      if (symbol < 0)
        return symbol;
      unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
      if (dist > s->outcnt)
        return -11;
      if (s->outcnt + len > s->outlen)
        return 1;
      // As with literals, zero source bytes are skipped rather than copied.
      while (len--) {
        if (dist <= s->outcnt && s->out[s->outcnt - dist])
          s->out[s->outcnt] = s->out[s->outcnt - dist];
        s->outcnt++;
      }
    }
  } while (symbol != 256);
  return 0;
}

// Handles a block coded with the fixed Huffman tables. The tables are built
// once, on the first call, and kept in function-static storage.
static int puff_fixed(struct puff_state* s)
{
  static int virgin = 1;
  static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
  static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  static struct puff_huffman lencode, distcode;
  if (virgin) {
    lencode.count = lencnt;
    lencode.symbol = lensym;
    distcode.count = distcnt;
    distcode.symbol = distsym;
    short lengths[FIXLCODES];
    int symbol;
    for (symbol = 0; symbol < 144; symbol++)
      lengths[symbol] = 8;
    for (; symbol < 256; symbol++)
      lengths[symbol] = 9;
    for (; symbol < 280; symbol++)
      lengths[symbol] = 7;
    for (; symbol < FIXLCODES; symbol++)
      lengths[symbol] = 8;
    puff_construct(&lencode, lengths, FIXLCODES);
    for (symbol = 0; symbol < MAXDCODES; symbol++)
      lengths[symbol] = 5;
    puff_construct(&distcode, lengths, MAXDCODES);
    virgin = 0;
  }
  return puff_codes(s, &lencode, &distcode);
}

// Handles a block with dynamic Huffman tables: reads the table description
// from the stream, validates it (-3 .. -9 identify the failed check), then
// decodes the block with puff_codes().
static int puff_dynamic(struct puff_state* s)
{
  // Order in which the code-length code lengths appear in the stream.
  static const short order[19] = {16, 17, 18, 0, 8,  7, 9,  6, 10, 5,
                                  11, 4,  12, 3, 13, 2, 14, 1, 15};
  int nlen = puff_bits(s, 5) + 257;
  int ndist = puff_bits(s, 5) + 1;
  int ncode = puff_bits(s, 4) + 4;
  // Rejects counts that would not fit lengths[MAXCODES] below.
  if (nlen > MAXLCODES || ndist > MAXDCODES)
    return -3;
  short lengths[MAXCODES];
  int index;
  for (index = 0; index < ncode; index++)
    lengths[order[index]] = puff_bits(s, 3);
  for (; index < 19; index++)
    lengths[order[index]] = 0;
  short lencnt[MAXBITS + 1], lensym[MAXLCODES];
  struct puff_huffman lencode = {lencnt, lensym};
  int err = puff_construct(&lencode, lengths, 19);
  if (err != 0)
    return -4;
  index = 0;
  while (index < nlen + ndist) {
    int symbol;
    int len;
    symbol = puff_decode(s, &lencode);
    if (symbol < 0)
      return symbol;
    if (symbol < 16)
      lengths[index++] = symbol;
    else {
      // Symbols 16..18 are run-length codes; symbol is reused as the repeat
      // count.
      len = 0;
      if (symbol == 16) {
        if (index == 0)
          return -5;
        len = lengths[index - 1];
        symbol = 3 + puff_bits(s, 2);
      } else if (symbol == 17)
        symbol = 3 + puff_bits(s, 3);
      else
        symbol = 11 + puff_bits(s, 7);
      // Keeps the run inside the declared number of lengths.
      if (index + symbol > nlen + ndist)
        return -6;
      while (symbol--)
        lengths[index++] = len;
    }
  }
  // A block without an end-of-block code is rejected.
  if (lengths[256] == 0)
    return -9;
  err = puff_construct(&lencode, lengths, nlen);
  if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
    return -7;
  short distcnt[MAXBITS + 1], distsym[MAXDCODES];
  struct puff_huffman distcode = {distcnt, distsym};
  err = puff_construct(&distcode, lengths + nlen, ndist);
  if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
    return -8;
  return puff_codes(s, &lencode, &distcode);
}

// Inflates a raw DEFLATE stream from source into dest.
//
// *destlen is the capacity on entry and the number of bytes produced on
// return (also on failure). Returns 0 on success, 2 when the input ended
// early, 1 when the output is too small, and a negative value for invalid
// data (-1 for a reserved block type).
static int puff(unsigned char* dest, unsigned long* destlen,
                const unsigned char* source, unsigned long sourcelen)
{
  struct puff_state s = {
      .out = dest,
      .outlen = *destlen,
      .outcnt = 0,
      .in = source,
      .inlen = sourcelen,
      .incnt = 0,
      .bitbuf = 0,
      .bitcnt = 0,
  };
  int err;
  // Landing point for the longjmp taken when a bit read runs out of input.
  if (setjmp(s.env) != 0)
    err = 2;
  else {
    int last;
    do {
      last = puff_bits(&s, 1);
      int type = puff_bits(&s, 2);
      err = type == 0 ? puff_stored(&s)
                      : (type == 1 ? puff_fixed(&s)
                                   : (type == 2 ? puff_dynamic(&s) : -1));
      if (err != 0)
        break;
    } while (!last);
  }
  *destlen = s.outcnt;
  return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

// Inflates a zlib-wrapped buffer and writes the result to dest_fd.
//
// The 2-byte zlib header is skipped without being inspected and no checksum
// is verified. Output is capped at 132 MiB. Returns 0 on success (and also
// when the input is shorter than the header), -1 on failure.
static int puff_zlib_to_file(const unsigned char* source,
                             unsigned long sourcelen, int dest_fd)
{
  if (sourcelen < ZLIB_HEADER_WIDTH)
    return 0;
  source += ZLIB_HEADER_WIDTH;
  sourcelen -= ZLIB_HEADER_WIDTH;
  const unsigned long max_destlen = 132 << 20;
  void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
  if (ret == MAP_FAILED)
    return -1;
  unsigned char* dest = (unsigned char*)ret;
  unsigned long destlen = max_destlen;
  int err = puff(dest, &destlen, source, sourcelen);
  if (err) {
    munmap(dest, max_destlen);
    // NOTE(review): puff() also returns positive codes (1, 2), which leaves a
    // negative value in errno here.
    errno = -err;
    return -1;
  }
  if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
    munmap(dest, max_destlen);
    return -1;
  }
  return munmap(dest, max_destlen);
}

// Inflates the compressed image into an anonymous memfd and attaches that
// memfd to the loop device `loopname`. On success stores the open loop
// device descriptor in *loopfd_p and returns 0; on failure returns -1 with
// errno describing the first failing step.
static int setup_loop_device(unsigned char* data, unsigned long size,
                             const char* loopname, int* loopfd_p)
{
  int err = 0, loopfd = -1;
  int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
  if (memfd == -1) {
    err = errno;
    goto error;
  }
  if (puff_zlib_to_file(data, size, memfd)) {
    err = errno;
    goto error_close_memfd;
  }
  loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    err = errno;
    goto error_close_memfd;
  }
  if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
    if (errno != EBUSY) {
      err = errno;
      goto error_close_loop;
    }
    // Device still has a backing file: detach it, wait 1 ms, try once more.
    ioctl(loopfd, LOOP_CLR_FD, 0);
    usleep(1000);
    if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
      err = errno;
      goto error_close_loop;
    }
  }
  close(memfd);
  *loopfd_p = loopfd;
  return 0;
error_close_loop:
  close(loopfd);
error_close_memfd:
  close(memfd);
error:
  errno = err;
  return -1;
}

// Detaches the backing file from a loop device; every failure is ignored.
static void reset_loop_device(const char* loopname)
{
  int loopfd = open(loopname, O_RDWR);
  if (loopfd == -1) {
    return;
  }
  if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
  }
  close(loopfd);
}

// Pseudo-syscall: mounts a filesystem image on `dir`.
//
// When size is non-zero the zlib-compressed image at `image` is inflated and
// attached to /dev/loop<procid>, which becomes the mount source; otherwise
// the source is NULL. All pointer-like arguments arrive as integers and are
// cast. Returns -1 with errno set on failure; on success returns a directory
// descriptor for the mount point, or the chdir() result when change_dir is
// set.
static long syz_mount_image(volatile long fsarg, volatile long dir,
                            volatile long flags, volatile long optsarg,
                            volatile long change_dir,
                            volatile unsigned long size, volatile long image)
{
  unsigned char* data = (unsigned char*)image;
  int res = -1, err = 0, need_loop_device = !!size;
  char* mount_opts = (char*)optsarg;
  char* target = (char*)dir;
  char* fs = (char*)fsarg;
  char* source = NULL;
  char loopname[64];
  if (need_loop_device) {
    int loopfd;
    memset(loopname, 0, sizeof(loopname));
    snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
    if (setup_loop_device(data, size, loopname, &loopfd) == -1)
      return -1;
    close(loopfd);
    source = loopname;
  }
  mkdir(target, 0777);
  char opts[256];
  memset(opts, 0, sizeof(opts));
  // Over-long option strings are silently truncated (the branch is empty).
  if (strlen(mount_opts) > (sizeof(opts) - 32)) {
  }
  // At most sizeof(opts) - 32 bytes are copied into the zeroed buffer, so the
  // result stays NUL-terminated and 32 bytes remain for the suffixes appended
  // with strcat() below.
  strncpy(opts, mount_opts, sizeof(opts) - 32);
  if (strcmp(fs, "iso9660") == 0) {
    flags |= MS_RDONLY;
  } else if (strncmp(fs, "ext", 3) == 0) {
    // Detect "errors=remount-ro" only as a complete comma-separated option.
    bool has_remount_ro = false;
    char* remount_ro_start = strstr(opts, "errors=remount-ro");
    if (remount_ro_start != NULL) {
      char after = *(remount_ro_start + strlen("errors=remount-ro"));
      char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
      has_remount_ro = ((before == '\0' || before == ',') &&
                        (after == '\0' || after == ','));
    }
    // "errors=continue" is appended when errors=panic was requested or no
    // remount-ro option is present.
    if (strstr(opts, "errors=panic") || !has_remount_ro)
      strcat(opts, ",errors=continue");
  } else if (strcmp(fs, "xfs") == 0) {
    strcat(opts, ",nouuid");
  }
  res = mount(source, target, fs, flags, opts);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  res = open(target, O_RDONLY | O_DIRECTORY);
  if (res == -1) {
    err = errno;
    goto error_clear_loop;
  }
  if (change_dir) {
    // NOTE(review): res is overwritten here, so the directory descriptor
    // opened just above is neither returned nor closed on this path.
    res = chdir(target);
    if (res == -1) {
      err = errno;
    }
  }
error_clear_loop:
  // Reached on success as well: the loop device is detached in every case.
  if (need_loop_device)
    reset_loop_device(loopname);
  errno = err;
  return res;
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

// Recursively removes a directory tree left behind by a test run, force
// unmounting anything mounted inside it. On EPERM the inode flags are reset
// to 0 through FS_IOC_SETFLAGS and the removal is retried. Unrecoverable
// errors terminate the process; EROFS stops the attempt for that entry.
static void remove_dir(const char* dir)
{
  int iter = 0;
  DIR* dp = 0;
  const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW;
retry:
  // Peel off every mount stacked on the directory itself.
  while (umount2(dir, umount_flags) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EMFILE) {
      exit(1);
    }
    exit(1);
  }
  struct dirent* ep = 0;
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    // NOTE(review): truncation by snprintf() is not detected.
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    while (umount2(filename, umount_flags) == 0) {
    }
    struct stat st;
    // lstat(): symbolic links are unlinked below rather than followed.
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EPERM) {
        int fd = open(filename, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
          }
          close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exit(1);
      if (umount2(filename, umount_flags))
        exit(1);
    }
  }
  closedir(dp);
  for (int i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EPERM) {
        int fd = open(dir, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) {
          }
          close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, umount_flags))
          exit(1);
        continue;
      }
      // New entries appeared meanwhile: rescan, at most 100 times.
      if (errno == ENOTEMPTY) {
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exit(1);
  }
}

// Kills the test process and its process group, then reaps it. If the child
// has not been reaped after about 100 ms, every FUSE connection listed under
// /sys/fs/fuse/connections is aborted before blocking in waitpid().
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // One byte is written; it is simply the first byte of the path buffer.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Detaches whatever is attached to /dev/loop<procid>; failures are ignored.
static void reset_loop()
{
  char buf[64];
  snprintf(buf, sizeof(buf), "/dev/loop%llu", procid);
  int loopfd = open(buf, O_RDWR);
  if (loopfd != -1) {
    ioctl(loopfd, LOOP_CLR_FD, 0);
    close(loopfd);
  }
}

// Per-iteration setup in the child: receive SIGKILL when the parent dies,
// start a new process group, set oom_score_adj to 1000, and create a
// "./binderfs" symlink (failure ignored).
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
  if (symlink("/dev/binderfs", "./binderfs")) {
  }
}

// nl802154 command and attribute numbers used below.
#define NL802154_CMD_SET_SHORT_ADDR 11
#define NL802154_ATTR_IFINDEX 3
#define NL802154_ATTR_SHORT_ADDR 10

// Configures the wpan0 and wpan1 interfaces (short address, hardware
// address, link up) and creates lowpan0 on top of wpan0. Returns NULL on
// success or a static string naming the step that failed.
static const char* setup_802154()
{
  const char* error = NULL;
  int sock_generic = -1;
  int sock_route = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
  if (sock_route == -1) {
    error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) failed";
    goto fail;
  }
  sock_generic = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  if (sock_generic == -1) {
    error = "socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) failed";
    goto fail;
  }
  {
    int nl802154_family_id =
        netlink_query_family_id(&nlmsg, sock_generic, "nl802154", true);
    if (nl802154_family_id < 0) {
      error = "netlink_query_family_id failed";
      goto fail;
    }
    for (int i = 0; i < 2; i++) {
      // "wpan0" for i == 0, "wpan1" for i == 1.
      char devname[] = "wpan0";
      devname[strlen(devname) - 1] += i;
      uint64_t hwaddr = 0xaaaaaaaaaaaa0002 + (i << 8);
      uint16_t shortaddr = 0xaaa0 + i;
      int ifindex = if_nametoindex(devname);
      struct genlmsghdr genlhdr;
      memset(&genlhdr, 0, sizeof(genlhdr));
      genlhdr.cmd = NL802154_CMD_SET_SHORT_ADDR;
      netlink_init(&nlmsg, nl802154_family_id, 0, &genlhdr, sizeof(genlhdr));
      netlink_attr(&nlmsg, NL802154_ATTR_IFINDEX, &ifindex, sizeof(ifindex));
      netlink_attr(&nlmsg, NL802154_ATTR_SHORT_ADDR, &shortaddr,
                   sizeof(shortaddr));
      if (netlink_send(&nlmsg, sock_generic) < 0) {
        error = "NL802154_CMD_SET_SHORT_ADDR failed";
        goto fail;
      }
      netlink_device_change(&nlmsg, sock_route, devname, true, 0, &hwaddr,
                            sizeof(hwaddr), 0);
      if (i == 0) {
        netlink_add_device_impl(&nlmsg, "lowpan", "lowpan0", false);
        netlink_done(&nlmsg);
        netlink_attr(&nlmsg, IFLA_LINK, &ifindex, sizeof(ifindex));
        if (netlink_send(&nlmsg, sock_route) < 0) {
          error = "netlink: adding device lowpan0 type lowpan link wpan0";
          goto fail;
        }
      }
    }
  }
fail:
  // Also the normal exit path. When the first socket() failed both
  // descriptors are -1 here and close() is still called on them.
  close(sock_route);
  close(sock_generic);
  return error;
}

// Worker slot: `call` is the index to execute; `ready` hands a call to the
// worker and `done` signals its completion.
struct thread_t {
  int created, call;
  event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
// Number of calls handed to workers that have not finished yet.
static int running;

// Worker thread body: waits for a call, runs it, reports completion, repeats.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

// Runs the program once: call indices 0..5 are each handed to the first idle
// worker, and the dispatcher waits a bounded time (50 ms, plus 4000 ms for
// calls 0 and 2) before moving on. A call that has not finished by then keeps
// running while the next one is started on another worker.
static void execute_one(void)
{
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  int i, call, thread;
  for (call = 0; call < 6; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0]));
         thread++) {
      struct thread_t* th = &threads[thread];
      // Workers are created lazily, starting in the "done" (idle) state.
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done);
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue;
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      event_timedwait(&th->done,
                      50 + (call == 0 ? 4000 : 0) + (call == 2 ? 4000 : 0));
      break;
    }
  }
  // Give still-running calls up to about 100 ms to finish.
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Endless driver loop: for every iteration create "./<iter>", reset the loop
// device, fork a child that runs the program inside that directory, wait up
// to 5 seconds for it (then kill it), and remove the directory.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    char cwdbuf[32];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    reset_loop();
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      sleep_ms(10);
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

uint64_t r[1] = {0xffffffffffffffff};

void execute_call(int call)
{
  intptr_t res = 0;
  switch (call) {
  case 0:
    NONFAILING(memcpy((void*)0x200000000040, "ext4\000", 5));
    NONFAILING(memcpy((void*)0x200000000000, "./file2\000", 8));
    NONFAILING(memcpy((void*)0x2000000000c0, "debug_want_extra_isize", 22));
    NONFAILING(*(uint8_t*)0x2000000000d6 = 0x3d);
    NONFAILING(sprintf((char*)0x2000000000d7, "0x%016llx", (long long)0x80));
    NONFAILING(*(uint8_t*)0x2000000000e9 = 0x2c);
    NONFAILING(memcpy((void*)0x2000000000ea, "grpjquota=", 10));
    NONFAILING(*(uint8_t*)0x2000000000f4 = 0x2c);
    NONFAILING(memcpy((void*)0x2000000000f5, "oldalloc", 8));
    NONFAILING(*(uint8_t*)0x2000000000fd = 0x2c);
    NONFAILING(memcpy((void*)0x2000000000fe, "errors=remount-ro", 17));
    NONFAILING(*(uint8_t*)0x20000000010f = 0x2c);
    NONFAILING(memcpy((void*)0x200000000110, "orlov", 5));
    NONFAILING(*(uint8_t*)0x200000000115 = 0x2c);
    NONFAILING(memcpy((void*)0x200000000116, "usrquota", 8));
    NONFAILING(*(uint8_t*)0x20000000011e = 0x2c);
    NONFAILING(memcpy((void*)0x20000000011f, "stripe", 6));
    NONFAILING(*(uint8_t*)0x200000000125 = 0x3d);
    NONFAILING(sprintf((char*)0x200000000126, "0x%016llx", (long long)0x622));
    NONFAILING(*(uint8_t*)0x200000000138 = 0x2c);
    NONFAILING(*(uint8_t*)0x200000000139 = 0);
    NONFAILING(memcpy(
        (void*)0x200000001a00,
"\x78\x9c\xec\xdd\xdf\x6b\x5b\xe5\x1b\x00\xf0\xe7\xa4\xed\x7e\x7f\xbf" "\xeb\x60\x0c\x15\x91\xc2\x2e\x9c\xcc\xa5\x6b\xeb\x8f\x09\x5e\xcc\x4b" "\xd1\xe1\x40\xef\x67\x68\xcf\xca\x68\xba\x8c\x26\x1d\x6b\x1d\xb8\x5d" "\xb8\x1b\x6f\x64\x08\x22\x0e\xc4\x7b\xbd\xf7\x72\xf8\x0f\xf8\x57\x0c" "\x74\x30\x74\x14\xbd\xf0\xa6\x72\xd2\x93\x2e\x6b\x93\x26\xdb\x62\x52" "\xcd\xe7\x03\xa7\xbc\xef\x39\x27\x7d\xcf\x9b\x73\x9e\x37\xcf\x9b\x93" "\x90\x00\x86\xd6\x44\xf6\xa7\x10\xf1\x7c\x44\x7c\x91\x44\x1c\x8e\x88" "\x24\xdf\x36\x1a\xf9\xc6\x89\x8d\xfd\xd6\x1e\x5e\x9f\xcd\x96\x24\xd6" "\xd7\x3f\xfc\x2d\xa9\xef\x97\xd5\x1b\xff\xab\xf1\xb8\x83\x79\xe5\xb9" "\x88\xf8\xe9\xb3\x88\x93\x85\xed\xed\x56\x57\x56\x17\x4a\xe5\x72\xba" "\x94\xd7\x27\x6b\x8b\x57\x26\xab\x2b\xab\xa7\x2e\x2d\x96\xe6\xd3\xf9" "\xf4\xf2\xf4\xcc\xcc\x99\xd7\x67\xa6\xdf\x7a\xf3\x8d\x9e\xf5\xf5\x95" "\xf3\x7f\x7e\xfd\xc1\xdd\x77\xcf\x7c\x7e\x7c\xed\xab\x1f\xee\x1f\xb9" "\x9d\xc4\xd9\x38\x94\x6f\x6b\xee\xc7\x33\xb8\xd1\x5c\x99\x88\x89\xfc" "\x39\x19\x8b\xb3\x5b\x76\x9c\xea\x41\x63\xbb\x49\x32\xe8\x03\xe0\xa9" "\x8c\xe4\x71\x3e\x16\xd9\x18\x70\x38\x46\xf2\xa8\x07\xfe\xfb\x3e\x8d" "\x88\x75\x60\x48\x25\xe2\x1f\x86\x54\x23\x0f\x68\xcc\xed\x77\x9e\x07" "\xff\xbf\x4f\x59\x49\xff\x3c\x78\x67\x63\x02\xb4\xbd\xff\xa3\x1b\xef" "\x8d\xc4\xbe\xfa\xdc\xe8\xc0\x5a\xf2\xd8\xcc\x28\x9b\xef\x8e\xf7\xa0" "\xfd\xac\x8d\x1f\x7f\xbd\x73\x3b\x5b\xa2\x77\xef\x43\x00\x74\x74\xe3" "\x66\x44\x9c\x1e\x1d\xdd\x3e\xfe\x25\xf9\xf8\xb7\x83\x0e\x6f\xfa\x9d" "\x6e\xbd\x7a\x5f\x73\x65\x6b\x1b\xc6\x3f\xe8\x9f\xbb\x59\xfe\xf3\x6a" "\xab\xfc\xa7\x50\x8f\xcd\xdf\xf3\x70\xdd\x9a\xff\x1c\x6c\x11\xbb\x4f" "\xa3\x73\xfc\x17\xee\xf7\xa0\x99\xb6\xb2\xfc\xef\xed\x96\xf9\xef\xe6" "\x4d\xab\xf1\x91\xbc\xf6\xbf\x7a\xce\x37\x96\x5c\xbc\x54\x4e\x4f\xe7" "\xd9\xf0\x89\x18\xdb\x9b\xd5\x77\xba\x9f\x73\x66\xed\xde\x7a\xbb\x6d" "\xcd\xf9\x5f\xb6\x64\xed\x37\x72\xc1\xfc\x38\xee\x8f\xee\x7d\xfc\x31" "\x73\xa5\x5a\xe9\x59\xfa\xdc\xec\xc1\xcd\x88\x17\x5a\xe6\xbf\xc9\x66" 
"\xfe\x9b\xb4\x38\xff\xd9\xf3\x71\xbe\xcb\x36\x8e\xa5\x77\x5e\x6a\xb7" "\xad\x73\xff\xff\x59\xeb\xdf\x45\xbc\xdc\xf2\xfc\x3f\x7a\x71\x4b\x76" "\xbe\x3f\x39\x59\xbf\x1e\x26\x1b\x57\xc5\x76\x7f\xdc\x3a\xf6\x73\xbb" "\xf6\x07\xdd\xff\xec\xfc\x1f\xd8\xb9\xff\xe3\x49\xf3\xfd\xda\xea\x93" "\xb7\xf1\xed\xbe\xbf\xd2\x76\xdb\x1e\xeb\x7f\x74\x7f\xfd\xef\x49\x3e" "\xaa\x97\xf7\xe4\xeb\xae\x95\x6a\xb5\xa5\xa9\x88\x3d\xc9\xfb\xdb\xd7" "\x4f\x3f\x7a\x6c\xa3\xde\xd8\x3f\xeb\xff\x89\xe3\xed\xc7\xbf\x76\xd7" "\xff\xfe\x88\xf8\xb8\xcb\xfe\xdf\x3a\xfa\xfd\x8b\x5d\xf5\x7f\x40\xe7" "\x7f\xee\x89\xce\xff\x93\x17\xee\xbd\xf7\xc9\x37\xed\xda\xef\x6e\xfc" "\x7b\xad\x5e\x3a\x91\xaf\xe9\x66\xfc\xeb\xf6\x00\x9f\xe5\xb9\x03\x00" "\x00\x00\x00\x00\x80\xdd\xa6\x10\x11\x87\x22\x29\x14\x37\xcb\x85\x42" "\xb1\xb8\xf1\xf9\x8e\xa3\x71\xa0\x50\xae\x54\x6b\x27\x2f\x56\x96\x2f" "\xcf\x45\xfd\xbb\xb2\xe3\x31\x56\x68\xdc\xe9\x3e\xdc\xf4\x79\x88\xa9" "\xfc\xf3\xb0\x8d\xfa\xf4\x96\xfa\x4c\x44\x1c\x89\x88\x2f\x47\xf6\xd7" "\xeb\xc5\xd9\x4a\x79\x6e\xd0\x9d\x07\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x80\x5d\xe2\x60\xfd\x3b\xff\x23\x9b\xf5\xc6" "\xf7\xff\x33\xbf\x8c\x0c\xee\xb8\x80\x3e\xf1\x93\xdf\x30\xbc\x3a\xc6" "\x7f\x2f\x7e\xe9\x09\xd8\x95\xbc\xfe\xc3\xf0\x12\xff\x30\xbc\xc4\x3f" "\x0c\x2f\xf1\x0f\xc3\x4b\xfc\xc3\xf0\x12\xff\x30\xbc\xba\x88\xff\x42" "\x3f\x8e\x03\xe8\x3f\xaf\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x53\xe7\xcf\x9d\xcb" "\x96\xf5\xb5\x87\xd7\x67\xb3\xfa\xdc\xd5\x95\xe5\x85\xca\xd5\x53\x73" "\x69\x75\xa1\xb8\xb8\x3c\x5b\x9c\xad\x2c\x5d\x29\xce\x57\x2a\xf3\xe5" "\xb4\x38\x5b\x59\xec\xf4\xff\xca\x95\xca\x95\xa9\xe9\x58\xbe\x36\x59" "\x4b\xab\xb5\xc9\xea\xca\xea\x85\xc5\xca\xf2\xe5\xda\x85\x4b\x8b\xa5" "\xf9\xf4\x42\x3a\xd6\x97\x5e\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\xc0\xbf\x4b\x75\x65\x75\xa1\x54\x2e\xa7\x4b\x0a" "\x0a\x4f\x55\x18\xdd\x1d\x87\xa1\xd0\xe3\xc2\xa0\x47\x26\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78" "\xe4\xef\x00\x00\x00\xff\xff\xc0\x36\x38\x8a", 1388)); NONFAILING(syz_mount_image( /*fs=*/0x200000000040, /*dir=*/0x200000000000, /*flags=MS_LAZYTIME|MS_STRICTATIME|MS_NOSUID|MS_NODEV|MS_MANDLOCK*/ 0x3000046, 
/*opts=*/0x2000000000c0, /*chdir=*/1, /*size=*/0x56c, /*img=*/0x200000001a00)); break; case 1: NONFAILING(memcpy((void*)0x2000000000c0, "./file1\000", 8)); NONFAILING(memcpy((void*)0x200000000080, "./file2\000", 8)); syscall(__NR_rename, /*old=*/0x2000000000c0ul, /*new=*/0x200000000080ul); break; case 2: NONFAILING(memcpy((void*)0x2000000000c0, "exfat\000", 6)); NONFAILING(memcpy((void*)0x200000000300, "./file1\000", 8)); NONFAILING( memcpy((void*)0x200000000440, "zero_size_dir,discard,keep_last_dots,allow_utime=" "00000000000000000003777,allow_utime=000000000000000000040," "errors=continue,iocharset=macroman,allow_utime=" "00000000000000000000007,discard,\000", 187)); NONFAILING(memcpy( (void*)0x200000001f80, "\x78\x9c\xec\xdc\x0b\x9c\x4d\x55\xfb\x38\xf0\xe7\x59\x6b\xed\x31\x26" "\xe9\x34\xc9\x65\x58\x6b\x3d\x9b\x93\x5c\x96\x49\x92\x48\x92\x5c\x92" "\xa4\x9b\x24\xb9\x25\x24\x4d\xf2\x4a\x42\x62\xc8\x2d\x69\x48\x42\x72" "\x19\x92\xcb\x10\x92\xcb\xc4\xa4\x71\xbf\xdf\xaf\x49\x92\x34\x49\x92" "\x5b\x6e\xc9\xfa\x7f\x26\xfc\xbd\xbd\xd5\xff\xfd\xbd\xbf\xde\xdf\xeb" "\xff\xf9\xcd\xf3\xfd\x7c\xf6\x67\xf6\x73\xd6\x7e\xd6\x5e\xfb\x3c\xfb" "\x9c\xb3\xf6\x76\x8e\xef\x3b\x0d\xae\xd9\xb0\x56\xb5\xfa\x44\x04\x7f" "\x09\x5e\xf8\x93\x0c\x00\xb1\x00\xd0\x1f\x00\xae\x01\x80\x00\x00\xca" "\xc7\x97\x8f\xcf\x6e\xcf\x2d\x31\xf9\xaf\xed\x84\xfd\x7b\x3d\x9a\x76" "\xa5\x47\xc0\xae\x24\xae\x7f\xce\xc6\xf5\xcf\xd9\xb8\xfe\x39\x1b\xd7" "\x3f\x67\xe3\xfa\xe7\x6c\x5c\xff\x9c\x8d\xeb\x9f\xb3\x71\xfd\x19\xcb" "\xc9\x36\x4e\x2d\x74\x2d\x2f\x39\x77\xe1\xfb\xff\x39\x19\x7f\xfe\xff" "\x2f\x92\x55\x66\xf4\xd7\xab\xcb\x5c\xdf\xf9\x5f\x48\xe1\xfa\xe7\x6c" "\x5c\xff\xff\xb5\x82\xff\xca\x46\x5c\xff\x9c\x8d\xeb\x9f\xb3\x71\xfd" "\x73\x36\xae\x7f\x4e\x90\xeb\x4f\x5b\xb8\xfe\x39\x1b\xd7\x9f\xb1\x9c" "\xec\x4a\xdf\x7f\xe6\xe5\xca\x2e\x57\xfa\xfc\x63\x8c\x31\xc6\x18\x63" "\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" 
"\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63" "\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\x96\x33\x9c\xf6\x97\x29\x00\xb8\xb4\x7e\xa5\xc7\xc5\x18" "\x63\x8c\x31\xc6\x18\x63\x8c\xb1\x7f\x1f\x9f\xeb\x4a\x8f\x80\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\xff\xf3\x10\x04\x48\x50\x10\x40\x0c\xe4" "\x82\x58\xc8\x0d\x71\x20\x00\xe0\x6a\xc8\x0b\xd7\x40\x04\xae\x85\x78" "\xb8\x0e\xf2\xc1\xf5\x90\x1f\x0a\x40\x41\x28\x04\x09\x50\x18\x8a\x80" "\x06\x03\x16\x08\x42\x28\x0a\xc5\x20\x0a\x37\x40\x71\xb8\x11\x4a\x40" "\x49\x28\x05\xa5\xc1\x41\x19\x48\x84\x9b\xa0\x2c\xdc\x0c\xe5\xe0\x16" "\x28\x0f\xb7\x42\x05\xb8\x0d\x2a\x42\x25\xb8\x1d\x2a\xc3\x1d\x50\x05" "\xee\x84\xaa\x70\x17\x54\x83\xbb\xa1\x3a\xd4\x80\x9a\x50\x0b\xee\x81" "\xda\x70\x2f\xd4\x81\xfb\xa0\x2e\xdc\x0f\xf5\xe0\x01\x78\x10\x1e\x82" "\x87\xe1\x11\xa8\x0f\x8f\x42\x03\x78\x0c\x1a\xc2\xe3\xd0\x08\x9e\x80" "\xc6\xd0\x04\x9a\x42\x33\x68\xfe\xdf\xca\x7f\x19\xba\xc1\x2b\xd0\x1d" "\x7a\x40\x32\xf4\x84\x5e\xf0\x2a\xf4\x86\x3e\xd0\x17\xfa\x41\x7f\x78" "\x0d\x06\xc0\xeb\x30\x10\xde\x80\x14\x18\x04\x83\xe1\x4d\x18\x02\x6f" "\xc1\x50\x78\x1b\x86\xc1\x70\x18\x01\xef\xc0\x48\x78\x17\x46\xc1\x68" "\x18\x03\x63\x21\x15\xc6\xc1\x78\x78\x0f\x26\xc0\xfb\x30\x11\x26\xc1" "\x64\x98\x02\x69\x30\x15\xa6\xc1\x07\x30\x1d\x66\xc0\x4c\xf8\x10\x66" "\xc1\x47\x30\x1b\xe6\xc0\x5c\x98\x07\xe9\xf0\x31\xcc\x87\x05\x90\x01" "\x9f\xc0\x42\xf8\x14\x32\x61\x11\x2c\x86\x25\xb0\x14\x96\xc1\x72\x58" "\x01\x2b\x61\x15\xac\x86\x35\xb0\x16\xd6\xc1\x7a\xd8\x00\x1b\x61\x13" "\x6c\x86\x2d\xb0\x15\xb6\xc1\x76\xd8\x01\x3b\xe1\x33\xd8\x05\x9f\xc3" "\x6e\xf8\x02\xf6\xc0\x97\xff\x62\xfe\xa9\x7f\xc8\xef\x8c\x80\x80\x02" "\x05\x2a\x54\x18\x83\x31\x18\x8b\xb1\x18\x87\x71\x98\x07\xf3\x60\x5e" 
"\xcc\x8b\x11\x8c\x60\x3c\xc6\x63\x3e\xcc\x87\xf9\x31\x3f\x16\xc4\x82" "\x98\x80\x09\x58\x04\x8b\xa0\x41\x83\x84\x84\x45\xb1\x28\x46\x31\x8a" "\xc5\xb1\x38\x96\xc0\x12\x58\x0a\x4b\xa1\x43\x87\x89\x98\x88\x65\xf1" "\x66\x2c\x87\xe5\xb0\x3c\x96\xc7\x0a\x58\x01\x2b\x62\x25\xac\x84\x95" "\xb1\x32\x56\xc1\x2a\x58\x15\xab\x62\x35\xac\x86\xd5\xb1\x3a\xd6\xc4" "\x9a\x78\x0f\xde\x83\x3d\xb1\x0e\xd6\xc1\xba\x58\x17\xeb\x61\xbd\x4b" "\xb7\xa7\xb0\x3e\xd6\xc7\x06\xd8\x00\x1b\x62\x43\x6c\x84\x8d\xb0\x31" "\x36\xc6\xa6\xd8\x14\x9b\x63\x73\x6c\x81\x2d\xb0\x25\xb6\xc4\xd6\xd8" "\x1a\xdb\x60\x1b\x6c\x8b\x6d\x31\x09\x93\xb0\x1d\xb6\xc3\xf6\xd8\x1e" "\x3b\x60\x07\xec\x88\x1d\xb1\x13\x76\xc2\xce\xd8\x05\xbb\xe0\xcb\xb9" "\x00\x5f\xc1\x57\xb0\x07\x56\x17\x3d\xb1\x17\xf6\xc2\xde\x98\x92\xab" "\x2f\xf6\xc3\x7e\xf8\x1a\x0e\xc0\xd7\xf1\x75\x7c\x03\x53\x70\x10\x0e" "\xc6\x37\xf1\x4d\x7c\x0b\x87\xe2\x49\x1c\x86\xc3\x71\x04\x8e\xc0\x2a" "\xe2\x5d\x1c\x85\xa3\x91\xc4\x58\x4c\xc5\x54\x1c\x8f\xe3\x71\x02\x4e" "\xc0\x89\x38\x09\x27\xe1\x14\x4c\xc3\xa9\x38\x0d\xa7\xe1\x74\x9c\x81" "\x33\xf0\x43\x9c\x85\x1f\xe1\x47\x38\x07\xe7\xe0\x3c\x4c\xc7\x74\x9c" "\x8f\x0b\x30\x03\x33\x70\x21\x9e\xc2\x4c\x5c\x84\x8b\x71\x09\x2e\xc5" "\x65\xb8\x14\x57\xe0\x4a\x5c\x81\xab\x71\x0d\xae\xc6\x75\xb8\x0e\x37" "\xe0\x06\xdc\x84\x9b\x70\x0b\x6e\xc1\x6d\xb8\x0d\x77\xa0\x02\xc0\xcf" "\xf0\x73\xfc\x1c\x53\x70\x0f\xee\xc1\xbd\xb8\x17\xf7\xe1\x3e\xdc\x8f" "\xfb\x31\x0b\xb3\xf0\x00\x1e\xc0\x83\x78\x10\x0f\xe1\x21\x3c\x8c\x87" "\xf1\x08\x1e\xc5\x63\x78\x14\x4f\xe0\x09\x3c\x89\xa7\xf0\x34\x9e\xc6" "\xb3\x78\x16\xcf\xe1\x8b\x09\xdf\x36\xd8\x51\x72\x55\x0a\x88\x6c\x4a" "\x28\x11\x23\x62\x44\xac\x88\x15\x71\x22\x4e\xe4\x11\x79\x44\x5e\x91" "\x57\x44\x44\x44\xc4\x8b\x78\x91\x4f\xe4\x13\xf9\x45\x7e\x51\x50\x14" "\x14\x09\x22\x41\x14\x11\x45\x84\x11\x46\x90\x08\x63\x00\x40\x44\x45" "\x54\x14\x17\xc5\x45\x09\x51\x42\x94\x12\xa5\x84\x13\x4e\x24\x8a\x44" "\x51\x56\x94\x15\xe5\x44\x39\x51\x5e\xdc\x2a\x2a\x88\xdb\x44\x45\x51" 
"\x49\xb4\x72\x95\x45\x65\x51\x45\xb4\x76\x55\xc5\x5d\xa2\x9a\xa8\x26" "\xaa\x8b\x1a\xa2\xa6\xa8\x25\x6a\x89\xda\xa2\xb6\xa8\x23\xea\x88\xba" "\xa2\xae\xa8\x27\xea\x89\x07\xc5\x43\xe2\x61\xd1\x13\xfb\xe2\xa3\x22" "\xbb\x32\x0d\xc5\x20\x6c\x24\x06\x63\x63\xd1\x44\xc8\x8b\xef\x60\x2d" "\xc4\x50\x6c\x29\x5a\x89\xd6\xe2\x69\x31\x1c\x87\x61\x5b\xd1\xc2\x25" "\x89\xe7\x44\x3b\xf1\x02\x5d\xd8\xe2\x05\xd1\x51\x8c\xc5\x4e\xe2\x25" "\xd1\x59\x74\x11\x5d\xc5\xcb\xa2\x9b\x68\xe9\xba\x8b\x1e\x62\x22\xf6" "\x14\xbd\xc4\x14\xec\x2d\xfa\x88\xbe\xa2\x9f\x98\x8e\x35\xc4\x87\x38" "\x2b\x77\x4d\xf1\x86\x48\x11\x83\xc4\x60\xf1\xa6\x98\x87\x6f\x89\xa1" "\xe2\x6d\x31\x4c\x0c\x17\x23\xc4\x3b\x62\xa4\x78\x57\x8c\x12\xa3\xc5" "\x18\x31\x56\xa4\x8a\x71\x62\xbc\x78\x4f\x4c\x10\xef\x8b\x89\x62\x92" "\x98\x2c\xa6\x88\x34\x31\x55\x4c\x13\x1f\x88\xe9\x62\x86\x98\x29\x3e" "\x14\xb3\xc4\x47\x62\xb6\x98\x23\xe6\x8a\x79\x22\x5d\x7c\x2c\xe6\x8b" "\x05\x22\x43\x7c\x22\x16\x8a\x4f\x45\xa6\x58\x24\x16\x8b\x25\x62\xa9" "\x58\x26\x96\x8b\x15\x62\xa5\x58\x25\x56\x8b\x35\x62\xad\x58\x27\xd6" "\x8b\x0d\x62\xa3\xd8\x24\x36\x8b\x2d\x62\xab\xd8\x26\xb6\x8b\x1d\x62" "\xa7\xf8\x4c\xec\x12\x9f\x8b\xdd\xe2\x0b\xb1\x47\x7c\x29\xf6\x8a\xaf" "\xc4\x3e\xf1\xb5\xd8\x2f\xbe\x11\x59\xe2\x5b\x71\x40\x7c\x27\x0e\x8a" "\xef\xc5\x21\xf1\x83\x38\x2c\x7e\x14\x47\xc4\x51\x71\x4c\x1c\x17\x27" "\xc4\x4f\xe2\xa4\x38\x25\x4e\x8b\x33\xe2\xac\xf8\x59\x9c\x13\xbf\x88" "\xf3\xc2\x0b\x90\x28\x85\x94\x52\xc9\x40\xc6\xc8\x5c\x32\x56\xe6\x96" "\x71\xf2\x2a\x99\x47\x06\x17\x9f\xdd\x6b\x65\xbc\xbc\x4e\xe6\x93\xd7" "\xcb\xfc\xb2\x80\x2c\x28\x0b\xc9\x04\x59\x58\x16\x91\x5a\x1a\x69\x25" "\xc9\x50\x16\x95\xc5\x64\x54\xde\x20\x8b\xcb\x1b\x65\x09\x59\x52\x96" "\x92\xa5\xa5\x93\x65\x64\xa2\xbc\x49\x96\x95\x37\xcb\x72\xf2\x16\x59" "\x5e\xde\x2a\x2b\xc8\xdb\x64\x45\x59\x49\xde\x2e\x2b\xcb\x3b\x64\x15" "\x79\xa7\x84\xc8\x85\x7d\x54\x97\x35\x64\x4d\x59\x4b\xde\x23\x6b\xcb" "\x7b\x65\x1d\x79\x9f\xac\x2b\xef\x97\xf5\xe4\x03\xf2\x41\xf9\x90\x7c" 
"\x58\x3e\x22\xeb\xcb\x47\x65\x03\xf9\x98\x6c\x28\x1f\x97\x8d\xe4\x13" "\xb2\xb1\x6c\x22\x9b\xca\x66\xb2\xb9\x7c\x52\xb6\x90\x4f\xc9\x96\xb2" "\x95\x6c\x2d\x9f\x96\x6d\xe4\x33\xb2\xad\x7c\x56\x26\xc9\xe7\x64\x3b" "\xe9\x2f\x9e\x22\x2f\xc8\x8e\xf2\x45\xd9\x49\xbe\x24\x3b\xcb\x2e\xb2" "\xab\xfc\x45\x9e\x97\x5e\x76\x97\x3d\x24\x40\x4f\xd9\x4b\xbe\x2a\x7b" "\xcb\x3e\xb2\xaf\xec\x27\xfb\xcb\xd7\xe4\x00\xf9\xba\x1c\x28\xdf\x90" "\x29\x72\x90\x1c\x2c\xdf\x94\x43\xe4\x5b\x72\xa8\x7c\x5b\x0e\x93\xc3" "\xe5\x08\xf9\x8e\x1c\x29\xdf\x95\xa3\xe4\x68\x39\x46\x8e\x95\xa9\x72" "\x9c\x1c\x2f\xdf\x93\x13\xe4\xfb\x72\xa2\x9c\x24\x27\xcb\x29\x32\x4d" "\x4e\x95\x7d\x2f\xf6\x34\x53\xca\x7f\x9a\xff\xde\x1f\xe4\x0f\xfc\x75" "\xef\x1b\xe4\x46\xb9\x49\x6e\x96\x5b\xe4\x56\xb9\x4d\x6e\x97\x3b\xe4" "\x4e\xb9\x53\xee\x92\xbb\xe4\x6e\xb9\x5b\xee\x91\x7b\xe4\x5e\xb9\x57" "\xee\x93\xfb\xe4\x7e\xb9\x5f\x66\xc9\x2c\x79\x40\x1e\x90\x07\xe5\x41" "\x79\x48\x1e\x92\x87\xe5\x61\x79\x44\x1e\x95\x67\xe4\x71\x79\x42\xfe" "\x24\x4f\xca\x53\xf2\x94\x3c\x23\xcf\xca\xb3\xf2\xdc\xc5\xe7\x00\x14" "\x2a\xa1\xa4\x52\x2a\x50\x31\x2a\x97\x8a\x55\xb9\x55\x9c\xba\x4a\xe5" "\x51\x57\xab\xbc\xea\x1a\x15\x51\xd7\xaa\x78\x75\x9d\xca\xa7\xae\x57" "\xf9\x55\x01\x55\x50\x15\x52\x09\xaa\xb0\x2a\xa2\xb4\x32\xca\x2a\x52" "\xa1\x2a\xaa\x8a\xa9\xa8\xba\x01\x2f\x9e\x30\xaa\x94\x2a\xad\x9c\x2a" "\xa3\x12\xd5\x4d\xff\x4a\xbe\x2a\xae\x6e\x54\x25\x54\xc9\xdf\xe4\x5f" "\x1a\x5f\xf2\x9f\x8c\xaf\xb9\x6a\xae\x5a\xa8\x16\xaa\xa5\x6a\xa9\x5a" "\xab\xd6\xaa\x8d\x6a\xa3\xda\xaa\xb6\x2a\x49\x25\xa9\x76\xaa\x9d\x6a" "\xaf\xda\xab\x0e\xaa\x83\xea\xa8\x3a\xaa\x4e\xaa\x93\xea\xac\x3a\xab" "\xae\xaa\xab\xea\xa6\xba\xa9\xee\xaa\xbb\x4a\x56\xc9\xaa\x97\x7a\x55" "\xf5\x56\x7d\x54\x5f\xd5\x4f\xf5\x57\xaf\xa9\x01\x6a\x80\x1a\xa8\x06" "\xaa\x14\x95\xa2\x06\xab\xc1\x6a\x88\x1a\xa2\x86\xaa\xa1\x6a\x98\x1a" "\xa6\x46\xa8\x11\x6a\xa4\x1a\xa9\x46\xa9\x51\x6a\x8c\x1a\xa3\x52\x55" "\xaa\x1a\xaf\xc6\xab\x09\x6a\x82\x9a\xa8\x26\xaa\xc9\x6a\xb2\x4a\x53" 
"\x69\x6a\x9a\x9a\xa6\xa6\xab\xe9\x6a\xa6\x9a\xa9\x66\xa9\x59\x6a\xb6" "\x9a\xad\xe6\xaa\xb9\x2a\x5d\xa5\xab\xf9\x6a\xbe\xca\x50\x19\x6a\xa1" "\x5a\xa8\x32\xd5\x22\xb5\x48\x2d\x51\x4b\xd4\x32\xb5\x4c\xad\x50\x2b" "\xd4\x2a\xb5\x4a\xad\x51\x6b\xd4\x3a\xb5\x4e\x65\xaa\x8d\x6a\xa3\xda" "\xac\x36\xab\xad\x6a\xab\xda\xae\xb6\xab\x9d\x6a\xa7\xda\xa5\x76\xa9" "\xdd\x6a\xb7\xda\xa3\xf6\xa8\xbd\x6a\xaf\xda\xa7\xf6\xa9\xfd\x6a\xbf" "\xca\x52\x59\xea\x80\x3a\xa0\x0e\xaa\x83\xea\x90\x3a\xa4\x0e\xab\xc3" "\xea\x88\x3a\xa2\x8e\xa9\x63\xea\x84\x3a\xa1\x4e\xaa\x93\xea\xb4\x3a" "\xad\xce\xaa\xb3\xea\x9c\x3a\xa7\xce\xab\xf3\xd9\xd3\xbe\x40\x04\x22" "\x50\x81\x0a\x62\x82\x98\x20\x36\x88\x0d\xe2\x82\xb8\x20\x4f\x90\x27" "\xc8\x1b\xe4\x0d\x22\x41\x24\x88\x0f\xe2\x83\x7c\xc1\xf5\x41\xfe\xa0" "\x40\x50\x30\x28\x14\x24\x04\x85\x83\x22\x81\x0e\x4c\x60\x03\x71\xb1" "\xe8\xd1\xe0\x86\xa0\x78\x70\x63\x50\x22\x28\x19\x94\x0a\x4a\x07\x2e" "\x28\x13\x24\x06\x37\x05\x65\x83\x9b\x83\x72\xc1\x2d\x41\xf9\xe0\xd6" "\xa0\x42\x70\x5b\x50\x31\xa8\x14\xdc\x1e\x54\x0e\xee\x08\xaa\x04\x77" "\x06\x55\x83\xbb\x82\x6a\xc1\xdd\x41\xf5\xa0\x46\x50\x33\xa8\x15\xdc" "\x13\xd4\x0e\xee\x0d\xea\x04\xf7\x05\x75\x83\xfb\x83\x7a\xc1\x03\xc1" "\x83\xc1\x43\xc1\xc3\xc1\x23\x41\xfd\xe0\xd1\xa0\x41\xf0\x58\xd0\x30" "\x78\x3c\x68\x14\x3c\x11\x34\x0e\x9a\x04\x4d\x83\x66\x41\xf3\x7f\x6b" "\xff\xde\x9f\x2c\xf0\x94\xeb\xae\x7b\xe8\x64\xdd\x53\xf7\xd2\xaf\xea" "\xde\xba\x8f\xee\xab\xfb\xe9\xfe\xfa\x35\x3d\x40\xbf\xae\x07\xea\x37" "\x74\x8a\x1e\xa4\x07\xeb\x37\xf5\x10\xfd\x96\x1e\xaa\xdf\xd6\xc3\xf4" "\x70\x3d\x42\xbf\xa3\x47\xea\x77\xf5\x28\x3d\x5a\x8f\xd1\x63\x75\xaa" "\x1e\xa7\xc7\xeb\xf7\xf4\x04\xfd\xbe\x9e\xa8\x27\xe9\xc9\x7a\x8a\x4e" "\xd3\x53\xf5\x34\xfd\x81\x9e\xae\x67\xe8\x99\xfa\x43\x3d\x4b\x7f\xa4" "\x67\xeb\x39\x7a\xae\x9e\xa7\xd3\xf5\xc7\x7a\xbe\x5e\xa0\x33\xf4\x27" "\x7a\xa1\xfe\x54\x67\xea\x45\x7a\xb1\x5e\xa2\x97\xea\x65\x7a\xb9\x5e" "\xa1\x57\xea\x55\x7a\xb5\x5e\xa3\xd7\xea\x75\x7a\xbd\xde\xa0\x37\xea" 
"\x4d\x7a\xb3\xde\xa2\xb7\xea\x6d\x7a\xbb\xde\xa1\x77\xea\xcf\xf4\x2e" "\xfd\xb9\xde\xad\xbf\xd0\x7b\xf4\x97\x7a\xaf\xfe\x4a\xef\xd3\x5f\xeb" "\xfd\xfa\x1b\x9d\xa5\xbf\xd5\x07\xf4\x77\xfa\xa0\xfe\x5e\x1f\xd2\x3f" "\xe8\xc3\xfa\x47\x7d\x44\x1f\xd5\xc7\xf4\x71\x7d\x42\xff\xa4\x4f\xea" "\x53\xfa\xb4\x3e\xa3\xcf\xea\x9f\xf5\x39\xfd\x8b\x3e\xaf\x7d\xf6\xe4" "\x3e\xfb\xe3\xdd\x28\xa3\x4c\x8c\x89\x31\xb1\x26\xd6\xc4\x99\x38\x93" "\xc7\xe4\x31\x79\x4d\x5e\x13\x31\x11\x13\x6f\xe2\x4d\x3e\x93\xcf\xe4" "\x37\xf9\x4d\x41\x53\xd0\x24\x98\x04\x53\xc4\x14\x31\xd9\xc8\x90\x29" "\x6a\x8a\x9a\xa8\x89\x9a\xe2\xa6\xb8\x29\x61\x4a\x98\x52\xa6\x94\x71" "\xc6\x99\x44\x93\x68\xca\x9a\xb2\xa6\x9c\x29\x67\xca\x9b\xf2\xa6\x82" "\xa9\x60\x2a\x9a\x8a\xe6\x76\x8f\x00\xe6\x0e\x73\xa7\xb9\xd3\xdc\x65" "\xee\x32\x77\x9b\xbb\x4d\x0d\x53\xc3\xd4\x32\xb5\x4c\x6d\x53\xdb\xd4" "\x31\x75\x4c\x5d\x53\xd7\xd4\x33\xf5\xcc\x83\xe6\x41\xf3\xb0\x79\xd8" "\xd4\x37\xf5\x4d\x03\xd3\xc0\x34\x34\x0d\x4d\x23\xd3\xc8\x34\x36\x8d" "\x4d\x53\xd3\xd4\x34\x37\xcd\x4d\x0b\xd3\xc2\xb4\x34\x2d\x4d\x6b\xd3" "\xda\xb4\x31\x6d\x4c\x5b\xd3\xd6\x24\x99\x24\xd3\xce\xb4\x33\xed\x4d" "\x7b\xd3\xc1\x74\x30\x1d\x4d\x47\xd3\xc9\x74\x32\x9d\x4d\x67\xd3\xd5" "\x74\x35\xdd\x4c\x37\xd3\xdd\x74\x37\xc9\x26\xd9\xf4\x32\xbd\x4c\x6f" "\xd3\xdb\xf4\x35\x7d\x4d\x7f\xd3\xdf\x0c\x30\x03\xcc\x40\x33\xd0\xa4" "\x98\x14\x33\xd8\x0c\x36\x43\xcc\x10\x33\xd4\x0c\x35\xc3\xcc\x70\x33" "\x22\x7b\xa2\x6a\xde\x35\xa3\xcc\x68\x33\xc6\x8c\x35\xa9\x26\xd5\x8c" "\x37\xe3\xcd\x04\x33\xc1\x4c\x34\x13\xcd\x64\x33\xd9\xa4\x99\x34\x33" "\xcd\x4c\x33\xd3\xcd\x74\x33\xd3\xcc\x34\xb3\xcc\x2c\x33\xdb\xcc\x36" "\x73\xcd\x5c\x93\x6e\xd2\xcd\x7c\x33\xdf\x64\x98\x0c\xb3\xd0\x2c\x34" "\x99\x26\xd3\x2c\x36\x8b\xcd\x52\xb3\xd4\x2c\x37\xcb\xcd\x4a\xb3\xd2" "\xac\x36\xab\xcd\x5a\x58\x6b\xd6\x9b\xf5\x66\xa3\xd9\x68\x36\x9b\xcd" "\x66\xab\xd9\x6a\xb6\x9b\xed\x66\xa7\xd9\x69\x76\x99\x5d\x66\xf7\x23" "\x60\xf6\x98\x3d\x66\xaf\xd9\x6b\xf6\x99\x7d\x66\xbf\xd9\x6f\xb2\x4c" 
"\x96\x39\x60\x0e\x98\x83\xe6\xa0\x39\x64\x0e\x99\xc3\xe6\xb0\x39\x62" "\x8e\x98\x63\xe6\x98\x39\x61\x4e\x98\x93\xe6\xa4\x39\x6d\x4e\x9b\xb3" "\xa6\xc0\xc5\xcf\x4b\x6f\x62\x6d\x6e\x1b\x67\xaf\xb2\x79\xec\xd5\x36" "\xaf\xbd\xc6\xfe\x63\x5c\xd0\x16\xb2\x09\xb6\xb0\x2d\x62\xb5\xcd\x6f" "\x0b\xfc\x26\x36\xd6\xda\x12\xb6\xa4\x2d\x65\x4b\x5b\x67\xcb\xd8\x44" "\x7b\xd3\xef\xe2\x8a\xb6\x92\xbd\xdd\x56\xb6\x77\xd8\x2a\xf6\x4e\x5b" "\xf5\x77\x71\x6d\x7b\xaf\xad\x63\xef\xb3\x75\xed\xfd\xb6\x96\xbd\xe7" "\x37\x71\x3d\xfb\x80\x3d\x7f\xe9\x7b\xea\xb6\x89\x6d\x60\x9b\xd9\x86" "\xf6\x71\xdb\xc8\x3e\x61\x1b\xdb\x26\xb6\xa9\x6d\x66\xdb\xd8\x67\x6c" "\x5b\xfb\xac\x4d\xb2\xcf\xd9\x76\xf6\xf9\xdf\xc5\xf3\xed\x02\xbb\xd2" "\xae\xb2\xab\xed\x1a\xbb\xcb\x7e\x6e\x4f\xdb\x33\xf6\xa0\xfd\xde\x9e" "\xb5\x3f\xdb\xee\xb6\x87\xed\x6f\x5f\xb3\x03\xec\xeb\x76\xa0\x7d\xc3" "\xa6\xd8\x41\xbf\x8b\x47\xd8\x77\xec\x48\xfb\xae\x1d\x65\x47\xdb\x31" "\x76\xec\xef\xe2\xc9\x76\x8a\x4d\xb3\x53\xed\x34\xfb\x81\x9d\x6e\x67" "\xfc\x2e\x4e\xb7\x1f\xdb\x59\x36\xc3\xce\xb6\x73\xec\x5c\x3b\xef\xd7" "\x38\x7b\x4c\x19\xf6\x13\xbb\xd0\x7e\x6a\x33\xed\x22\xbb\xd8\x2e\xb1" "\x4b\xed\x32\xbb\xdc\xae\xf8\xbf\x63\x5d\x62\xd7\xd9\xf5\x76\x83\xdd" "\x69\x3f\xb3\x9b\xed\x16\xbb\xd5\x6e\xb3\xdb\xed\x8e\x5f\xe3\xec\xe3" "\xd8\x6d\xbf\xb0\x7b\xec\x97\xf6\x80\xfd\xce\xee\xb3\x5f\xdb\xfd\xf6" "\x90\xcd\xb2\xdf\xfe\x1a\x67\x1f\xdf\x21\xfb\x83\x3d\x6c\x7f\xb4\x47" "\xec\x51\x7b\xcc\x1e\xb7\x27\xec\x4f\xf6\xa4\x3d\xf5\xeb\xf1\x67\x1f" "\xfb\x71\xfb\x8b\x3d\x6f\xbd\x05\x42\x02\x92\xa4\x28\xa0\x18\xca\x45" "\xb1\x41\x6e\x8a\xa3\xab\x28\x0f\x5d\x4d\x79\xe9\x1a\x8a\xd0\xb5\x14" "\x4f\xd7\x51\x3e\xba\x9e\xf2\x53\x01\x2a\x48\x85\x28\x81\x0a\x53\x11" "\xd2\x64\xc8\x12\x51\x48\x45\xa9\x18\x45\xe9\x06\xba\x34\x4f\x2f\x45" "\xa5\xc9\x51\x19\x4a\xa4\x9b\xa8\x2c\xdd\x4c\xe5\xe8\x16\x2a\x4f\xb7" "\x52\x05\xba\x8d\x2a\x52\x25\xba\x9d\x2a\xd3\x1d\x54\x85\xee\xa4\xaa" "\x74\x17\x55\xa3\xbb\xa9\x3a\xd5\xa0\x9a\x54\x8b\xee\xa1\xda\x74\x2f" 
"\xd5\xa1\xfb\xa8\x2e\xdd\x4f\xf5\xe8\x01\x7a\x90\x1e\xa2\x87\xe9\x11" "\xaa\x4f\x8f\x52\x03\x7a\x8c\x1a\xd2\xe3\xd4\x88\x9e\xa0\xc6\xd4\x84" "\x9a\x52\x33\x6a\x4e\x4f\x52\x0b\x7a\x8a\x5a\x52\x2b\x6a\x4d\x4f\x53" "\x1b\x7a\x86\xda\xd2\xb3\x94\x44\xcf\x51\x3b\x7a\x9e\xda\xd3\xdf\xa8" "\x03\xbd\x40\x1d\xe9\x45\xea\x44\x2f\x51\x67\xea\x42\x5d\xe9\x65\xea" "\x46\xaf\x50\x77\xea\x41\xc9\xd4\x93\x7a\xd1\xab\xd4\x9b\xfa\x50\x5f" "\xea\x47\xfd\xe9\x35\x1a\x40\xaf\xd3\x40\x7a\x83\x52\x68\x10\x0d\xa6" "\x37\x69\x08\xbd\x45\x43\xe9\x6d\x1a\x46\xc3\x69\x04\xbd\x43\x23\xe9" "\x5d\x1a\x45\xa3\x69\x0c\x8d\xa5\x54\x1a\x47\xe3\xe9\x3d\x9a\x40\xef" "\xd3\x44\x9a\x44\x93\x69\x0a\xa5\xd1\x54\x9a\x46\x1f\xd0\x74\x9a\x41" "\x33\xe9\x43\x9a\x45\x1f\xd1\x6c\x9a\x43\x73\x69\x1e\xa5\xd3\xc7\x34" "\x9f\x16\x50\x06\x7d\x42\x0b\xe9\x53\xca\xa4\x45\xb4\x98\x96\xd0\x52" "\x5a\x46\xcb\x69\x05\xad\xa4\x55\xb4\x9a\xd6\xd0\x5a\x5a\x47\xeb\x69" "\x03\x6d\xa4\x4d\xb4\x99\xb6\xd0\x56\xda\x46\xdb\x69\x07\xed\xa4\xcf" "\x68\x17\x7d\x4e\xbb\xe9\x0b\xda\x43\x5f\xd2\x5e\xfa\x8a\xf6\xd1\xd7" "\xb4\x9f\xbe\xa1\x2c\xfa\x96\x0e\xd0\x77\x74\x90\xbe\xa7\x43\xf4\x83" "\xef\x41\x3f\xd2\x11\x3a\x4a\xc7\xe8\x38\x9d\xa0\x9f\xe8\x24\x9d\xa2" "\xd3\x74\x86\xce\xd2\xcf\x74\x8e\x7e\xa1\xf3\xe4\x09\x42\x0c\x45\x28" "\x43\x15\x06\x61\x4c\x98\x2b\x8c\x0d\x73\x87\x71\xe1\x55\x61\x9e\xf0" "\xea\x30\x6f\x78\x4d\x18\x09\xaf\x0d\xe3\xc3\xeb\xc2\x7c\xe1\xf5\x61" "\xfe\xb0\x40\x58\x30\x2c\x14\x26\x84\x85\xc3\x22\xa1\x0e\x4d\x68\x43" "\x0a\xc3\xb0\x68\x58\x2c\x8c\x86\x37\x84\xc5\xc3\x1b\xc3\x12\x61\xc9" "\xb0\x54\x58\x3a\x74\x61\x99\x30\x31\xbc\x29\x2c\x1b\xde\x1c\x96\x0b" "\x6f\x09\xcb\x87\xb7\x86\x15\xc2\xdb\xc2\x8a\x61\xa5\xf0\xf1\xfb\x2b" "\x87\x77\x84\x55\xc2\x3b\xc3\xaa\xe1\x5d\x61\xb5\xf0\xee\xb0\x7a\x58" "\x23\xac\x19\xd6\x0a\xef\x09\x6b\x87\xf7\x86\x75\xc2\xfb\xc2\xba\xe1" "\xfd\x61\xb9\xf0\x81\xf0\xc1\xf0\xa1\xf0\xe1\xf0\x91\xb0\x7e\xf8\x68" "\xd8\x20\x7c\x2c\x6c\x18\x3e\x1e\x36\x0a\x9f\x08\x1b\x87\x4d\xc2\xa6" 
"\x61\xb3\xb0\x79\xf8\x64\xd8\x22\x7c\x2a\x6c\x19\xb6\x0a\x5b\x87\x4f" "\x87\x6d\xc2\x67\xc2\xb6\xe1\xb3\x61\x52\xf8\x5c\xd8\x2e\x7c\xfe\xd7" "\xf6\x07\x16\xfc\x79\x7b\x72\xd8\x33\xec\x15\xbe\x1a\xbe\x1a\x7a\x7f" "\x9f\x9c\x1b\x9d\x17\x4d\x8f\x7e\x1c\x9d\x1f\x5d\x10\xcd\x88\x7e\x12" "\x5d\x18\xfd\x34\x9a\x19\x5d\x14\x5d\x1c\x5d\x12\x5d\x1a\x5d\x16\x5d" "\x1e\x5d\x11\x5d\x19\x5d\x15\x5d\x1d\x5d\x13\x5d\x1b\x5d\x17\x5d\x1f" "\xdd\x10\xf5\xbe\x56\x2e\x70\xe8\x84\x93\x4e\xb9\xc0\xc5\xb8\x5c\x2e" "\xd6\xe5\x76\x71\xee\x2a\x97\xc7\x5d\xed\xf2\xba\x6b\x5c\xc4\x5d\xeb" "\xe2\xdd\x75\x2e\x9f\xbb\xde\xe5\x77\x05\x5c\x41\x57\xc8\x25\xb8\xc2" "\xae\x88\xd3\xce\x38\xeb\xc8\x85\xae\xa8\x2b\xe6\xa2\xee\x06\x57\xdc" "\xdd\xe8\x4a\xb8\x92\xae\x94\x2b\xed\x9c\x2b\xe3\x12\x5d\x33\xd7\xdc" "\x35\x77\x2d\xdc\x53\xae\xa5\x6b\xe5\x5a\xbb\xa7\xdd\xd3\xee\x19\xf7" "\x8c\x7b\xd6\x3d\xeb\x9e\x73\xed\xdc\xf3\xae\xbd\xfb\x9b\xeb\xe0\x5e" "\x70\x1d\xdd\x8b\xee\x45\xf7\x92\xeb\xec\xba\xb8\xae\xee\x65\xd7\xcd" "\x8d\xcb\x7b\xe1\x35\x99\xec\x7a\xb9\x5e\xae\xb7\xeb\xed\xfa\xba\xbe" "\xae\xbf\xeb\xef\x06\xb8\x01\x6e\xa0\x1b\xe8\x52\x5c\x8a\x1b\xec\x06" "\xbb\x21\x6e\x88\x1b\xea\x86\xba\x61\x6e\x98\x1b\xe1\x46\xb8\x91\x6e" "\xa4\x1b\xe5\x46\xb9\x31\x6e\x8c\x4b\x75\xa9\x6e\xbc\x1b\xef\x26\xb8" "\x09\x6e\xa2\x9b\xe8\x26\xbb\xc9\x2e\xcd\xa5\xb9\x69\x6e\x9a\x9b\xee" "\xa6\xbb\x2a\x33\x2e\xec\x65\xb6\x9b\xed\xe6\xba\xb9\x2e\xdd\xa5\xbb" "\xf9\x2e\x7b\xce\x98\xe1\x16\xba\x85\x2e\xd3\x65\xba\xc5\x6e\xb1\x5b" "\xea\x96\xba\xe5\x6e\xb9\x5b\xe9\x56\xba\xd5\x6e\xb5\x5b\xeb\xd6\xba" "\xf5\x6e\xbd\xdb\xe8\x36\xba\xcd\x6e\xb3\xdb\xea\xb6\xba\xed\x6e\xbb" "\xdb\xe9\x76\xba\x5d\xfe\x9a\x0b\x9d\xba\x3d\x6e\xaf\xdb\xeb\xf6\xb9" "\x7d\x6e\xbf\xfb\xc6\x65\xb9\x6f\xdd\x01\xf7\x9d\x3b\xe8\xbe\x77\x87" "\xdc\x0f\xee\xb0\xfb\xd1\x1d\x71\x47\xdd\x31\x77\xdc\x9d\x70\x3f\xb9" "\x93\xee\x94\x3b\xed\xce\xb8\xb3\xee\x67\x77\xce\xfd\xe2\xce\x3b\xef" "\x52\x23\xe3\x22\xe3\x23\xef\x45\x26\x44\xde\x8f\x4c\x8c\x4c\x8a\x4c" 
"\x8e\x4c\x89\xa4\x45\xa6\x46\xa6\x45\x3e\x88\x4c\x8f\xcc\x88\xcc\x8c" "\x7c\x18\x99\x15\xf9\x28\x32\x3b\x32\x27\x32\x37\x32\x2f\x92\x1e\xf9" "\x38\x32\x3f\xb2\x20\x92\x11\xf9\x24\xb2\x30\xf2\x69\x24\x33\xb2\x28" "\xb2\x38\xb2\x24\xb2\x34\xb2\x2c\xe2\x7d\xe1\xcd\xa1\x2f\xea\x8b\xf9" "\xa8\xbf\xc1\x17\xf7\x37\xfa\x12\xbe\xa4\x2f\xe5\x4b\x7b\xe7\xcb\xf8" "\x44\x7f\x93\x2f\xeb\x6f\xf6\xe5\xfc\x2d\xbe\xbc\xbf\xd5\x57\xf0\xb7" "\xf9\x8a\xbe\x92\xbf\xdd\x3f\xe1\x1b\xfb\x26\xbe\xa9\x6f\xe6\x9b\xfb" "\x27\x7d\x0b\xff\x94\x6f\xe9\x5b\xf9\xd6\xfe\x69\xdf\xc6\x3f\xe3\xdb" "\xfa\x67\x7d\x92\x7f\xce\xb7\xf3\xcf\xfb\xf6\xfe\x6f\xbe\x83\x7f\xc1" "\x77\xf4\x2f\xfa\x4e\xfe\x25\xdf\xd9\x77\xf1\x5d\xfd\xcb\xbe\x9b\x7f" "\xc5\x77\xf7\x3d\x7c\xb2\xef\xe9\x7b\xf9\x57\x7d\x6f\xdf\xc7\xf7\xf5" "\xfd\x7c\x7f\xff\x9a\x1f\xe0\x5f\xf7\x03\xfd\x1b\x3e\xc5\x0f\xf2\x83" "\xfd\x9b\x7e\x88\x7f\xcb\x0f\xf5\x6f\xfb\x61\x7e\xb8\x1f\x11\xf3\x8e" "\x1f\x79\xe9\x12\x19\xc6\xfa\x54\x3f\xce\x8f\xf7\xef\xf9\x09\xfe\x7d" "\x3f\xd1\x4f\xf2\x93\xfd\x14\x9f\xe6\xa7\xfa\x69\xfe\x03\x3f\xdd\xcf" "\xf0\x33\xfd\x87\x7e\x96\xff\xc8\xcf\xf6\x73\xfc\x5c\x3f\xcf\xa7\xfb" "\x8f\xfd\x7c\xbf\xc0\x67\xf8\x4f\xfc\x42\xff\xa9\xcf\xf4\x8b\x2e\xdd" "\x54\xf6\xcb\xfd\x0a\xbf\xd2\xaf\xf2\xab\xfd\x1a\xbf\xd6\xaf\xf3\xeb" "\xfd\x06\xbf\xd1\x6f\xf2\x9b\xfd\x16\xbf\xd5\x6f\xf3\xdb\xfd\x0e\xbf" "\xd3\x7f\xe6\x77\xf9\xcf\xfd\x6e\xff\x85\xdf\xe3\xbf\xf4\x7b\xfd\x57" "\x7e\x9f\xff\xda\xef\xf7\xdf\xf8\x2c\xff\xad\x3f\xe0\xbf\xbb\x2a\xbb" "\xaf\x43\xfe\x07\x7f\xd8\xff\xe8\x8f\xf8\xa3\xfe\x98\x3f\xee\x4f\xf8" "\x9f\xfc\x49\x7f\xca\x9f\xf6\x67\xfc\x59\xff\xb3\x3f\xe7\x7f\xf1\xe7" "\xf9\x37\x6b\x8c\x31\xc6\x18\x63\xff\x25\xe3\x2e\xaf\x8a\x3f\x6a\xef" "\xf9\x07\x8f\x89\xbf\xdb\xb8\x17\x00\x5c\xbd\xa5\x50\xd6\xdf\xb7\x67" "\xcf\x28\xd7\xe6\xbf\xb0\xde\x47\x24\xb4\x89\x00\xc0\x73\x3d\x3a\x3d" "\x7a\x69\xa9\x5e\x3d\x39\x39\xf9\xe2\xb6\x99\x12\x82\x62\x73\x00\x2e" "\xfd\x4b\x50\xb6\x18\xb8\x1c\x2f\x82\xd6\xf0\x0c\x24\x41\x2b\x28\xfb" 
"\x87\xe3\xef\x23\xba\x9c\xa5\x7f\xd2\x7f\xf4\x56\x80\xb8\xbf\xcb\x89" "\x85\xcb\xf1\xe5\xfe\xbf\xfa\x93\xfe\x9f\x7c\x7a\xc4\xfc\x0a\xe1\xe9" "\xf8\xff\x47\xff\x73\x00\x4a\x14\xbb\x9c\x93\x1b\x2e\xc7\x8b\xa0\xb5" "\xca\xfe\xdb\x0a\xca\xfd\x49\xff\x05\x5a\xfc\x93\xf1\xe7\xfe\x3a\x15" "\xa0\xe5\xdf\xe5\xe4\x81\xcb\xf1\xe5\xf1\x27\xc2\x53\xf0\x3c\x24\xfd" "\x66\x4b\xc6\x18\x63\x8c\x31\xc6\x18\x63\xec\x82\x3e\xe2\xf6\x0e\x97" "\xae\x3f\x2f\x7d\xe3\xf3\x8f\xae\xcf\x13\xd4\xe5\x9c\x5c\x70\x39\xfe" "\x67\xd7\xe7\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\xbb\xf2\x5e\xe8\xd2" "\xf5\xd9\x27\x93\x92\x5a\x75\xf8\xd7\x57\xaa\xfe\xb7\xb2\x78\xe5\xff" "\xd7\x15\xef\x01\x2e\x3d\xa2\x00\xe0\x2f\x76\x08\xf0\x1f\x3f\x8a\x4d" "\xff\x91\x7d\xa5\x5c\x7c\xe9\xfc\x63\xd3\xd2\x33\x3e\x80\xbf\xba\x0b" "\xbc\xf8\x2b\xda\x2b\x7f\x4a\x5c\xc9\x77\x25\xc6\x18\x63\x8c\x31\xc6" "\xd8\xff\x84\xcb\x93\xfe\xdf\x3e\xae\xae\xd4\x80\x18\x63\x8c\x31\xc6" "\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63" "\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\xb1" "\x1c\xe8\x3f\xf1\xdf\x89\x5d\xe9\x63\x64\x8c\x31\xc6\x18\x63\x8c\x31" "\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18" "\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c" "\x31\xc6\x18\x63\x8c\x31\xc6\xae\xb4\xff\x13\x00\x00\xff\xff\xe3\x06" "\x0b\xbf", 5391)); NONFAILING(syz_mount_image(/*fs=*/0x2000000000c0, /*dir=*/0x200000000300, /*flags=MS_NODIRATIME*/ 0x800, /*opts=*/0x200000000440, /*chdir=*/3, /*size=*/0x150f, /*img=*/0x200000001f80)); break; case 3: NONFAILING(memcpy((void*)0x200000000040, "./file1\000", 8)); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul, /*flags=O_SYNC|O_CREAT|FASYNC|O_RDWR*/ 0x103042, /*mode=*/0); if (res != -1) r[0] = res; break; case 4: NONFAILING(memset((void*)0x200000000140, 50, 1)); syscall(__NR_pwrite64, /*fd=*/r[0], /*buf=*/0x200000000140ul, /*count=*/0xfdeful, /*pos=*/0xfeccul); break; case 5: NONFAILING(memcpy( 
(void*)0x2000000005c0, "\023\023w\305\3745\324\024T\325\324\035)\255\032`)" "Y\201F\346\276\026nA\255\r\275@T\003<\2373\273\332\202$" "\242\363\327r\347cnH\263<\277p\203r\350\361\271\223>" "\305\022wC\276\"\006 \236\360-\371\313\362\366\350\200\3238/\000", 78)); NONFAILING(memcpy((void*)0x2000000002c0, ".\002\000", 3)); syscall(__NR_symlink, /*old=*/0x2000000005c0ul, /*new=*/0x2000000002c0ul); break; } }

/*
 * Entry point of the syzkaller-generated reproducer.
 *
 * Maps the fixed-address data region that the test calls reference through
 * hard-coded 0x2000... pointers, runs the one-time 802.15.4 setup, installs
 * the fault handler, and then forks five worker processes. Each worker
 * switches into its own temporary directory and enters loop(). The parent
 * does not wait for or reap the workers; it only sleeps.
 *
 * Returns 0 once the final sleep() returns.
 */
int main(void) {
  /*
   * One no-access page (prot=0) at 0x1ffffffff000. It ends exactly where the
   * data region below begins, so an access just under the region faults.
   * The results of these three mmap calls are never checked.
   */
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /*
   * The 16 MiB data region at 0x200000000000, mapped read/write/execute.
   * The absolute addresses handed to memcpy/memset and to the syscalls in
   * the test calls (0x2000000000c0, 0x200000001f80, ...) fall inside it.
   */
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  /*
   * One no-access page at 0x200001000000, the first byte past the data
   * region, so an overrun off the end of the region faults as well.
   */
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
          /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  /* NOTE(review): presumably emitted so generated variants that never read
   * `reason` still build without an unused-variable warning. */
  (void)reason;
  /*
   * setup_802154() is defined outside this view. A non-NULL return is
   * treated as a description of the failure; it is only printed and the
   * run continues regardless.
   */
  if ((reason = setup_802154()))
    printf("the reproducer may not work as expected: 802154 injection setup "
           "failed: %s\n",
           reason);
  /*
   * Installs the SIGSEGV/SIGBUS handler that the NONFAILING() wrapper
   * relies on to jump back out of a faulting access.
   */
  install_segv_handler();
  /*
   * procid is the loop counter, so every child inherits its own index in
   * procid. Only the child branch (fork() == 0) is handled: if fork()
   * fails, that iteration starts no worker and nothing is reported.
   *
   * NOTE(review): loop() is not visible here; presumably it never returns.
   * If it did, the child would fall back into this for loop and fork
   * further processes -- confirm against its definition.
   */
  for (procid = 0; procid < 5; procid++) {
    if (fork() == 0) {
      /* Each worker runs from a fresh ./syzkaller.XXXXXX directory. */
      use_temporary_dir();
      loop();
    }
  }
  /* Keeps the parent alive while the workers run; the workers are neither
   * waited for nor signalled from here. */
  sleep(1000000);
  return 0;
}