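// https://syzkaller.appspot.com/bug?id=eaf2836e848d856b93361d3f3a86b36830f9c045
// autogenerated by syzkaller (https://github.com/google/syzkaller)

// Must precede every libc header: _setjmp/_longjmp, mkdtemp, memmem, usleep,
// syscall and CLOCK_MONOTONIC are all hidden without it.
#define _GNU_SOURCE

// NOTE(review): the header operands of the #include lines were lost in this
// listing. The set below is reconstructed from the symbols this file visibly
// uses (DIR/dirent, umount2, O_RDWR, FUTEX_*, struct kvm_*/KVM_* ioctls,
// pthread_*, _setjmp/jmp_buf, sigaction/siginfo_t, offsetof, fixed-width
// ints, exit/mkdtemp, memset/memmem, ioctl, chmod, SYS_*, clock_gettime,
// usleep/chdir, INT_MAX). Anything the original included beyond these could
// not be recovered from the page.
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/futex.h>
#include <linux/kvm.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

unsigned long long procid;

// Nesting depth of active NONFAILING() regions on this thread; non-zero means a
// fault should be recovered with _longjmp instead of terminating the process.
static __thread int skip_segv;
static __thread jmp_buf segv_env;

/* SIGSEGV/SIGBUS handler. If a NONFAILING() region is active and the faulting
 * address is outside [1 MiB, 100 MiB] (the window that the fuzzer's own program
 * data is expected to occupy, judging by the constants below), unwind to the
 * innermost NONFAILING(); any other fault terminates the process with the
 * signal number as exit status. exit() is not async-signal-safe, but this is a
 * one-way door, so the only risk is a wedged atexit handler. */
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
	(void)ctx;
	uintptr_t addr = (uintptr_t)info->si_addr;
	const uintptr_t prog_start = 1 << 20;
	const uintptr_t prog_end = 100 << 20;
	if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
	    (addr < prog_start || addr > prog_end)) {
		_longjmp(segv_env, 1);
	}
	exit(sig);
}

/* Install segv_handler for SIGSEGV and SIGBUS (SA_SIGINFO for si_addr,
 * SA_NODEFER so the handler can _longjmp out without leaving the signal
 * blocked) and set signals 32 and 33 to SIG_IGN through the raw rt_sigaction
 * syscall. The raw call presumably exists because the libc wrapper refuses to
 * touch those two real-time signals; note that the libc `struct sigaction` is
 * handed to the kernel unchanged, which only works here because every field
 * other than sa_handler is zero. The trailing 8 is the kernel sigsetsize. */
static void install_segv_handler(void)
{
	struct sigaction sa;
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = SIG_IGN;
	syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
	syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
	memset(&sa, 0, sizeof(sa));
	sa.sa_sigaction = segv_handler;
	sa.sa_flags = SA_NODEFER | SA_SIGINFO;
	sigaction(SIGSEGV, &sa, NULL);
	sigaction(SIGBUS, &sa, NULL);
}

/* Execute __VA_ARGS__ with fault recovery: a SIGSEGV/SIGBUS raised inside the
 * region (e.g. by dereferencing a fuzzer-supplied pointer) lands back in the
 * _setjmp and execution resumes after the macro. Regions may nest. Per C11
 * 7.13.2.1, a non-volatile local modified inside the region has an
 * indeterminate value after a recovered fault, so callers that read such a
 * variable afterwards should initialise it before the macro (as this file does). */
#define NONFAILING(...)                                              \
	{                                                            \
		__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
		if (_setjmp(segv_env) == 0) {                        \
			__VA_ARGS__;                                 \
		}                                                    \
		__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
	}

static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Milliseconds on CLOCK_MONOTONIC; the process exits if the clock is unavailable.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

/* Create ./syzkaller.XXXXXX, make it world-writable and chdir into it. The
 * 0777 is deliberate for this fuzzing harness (presumably so a later, less
 * privileged stage can still write there); do not copy it into anything that
 * handles real data. Any failure terminates the process. */
static void use_temporary_dir(void)
{
	char tmpdir_template[] = "./syzkaller.XXXXXX";
	char* tmpdir = mkdtemp(tmpdir_template);
	if (!tmpdir)
		exit(1);
	if (chmod(tmpdir, 0777))
		exit(1);
	if (chdir(tmpdir))
		exit(1);
}

/* Start fn(arg) on a new thread with a 128 KiB stack. The pthread_t is
 * discarded, so the thread is never joined; pthread_attr_* failures are not
 * checked (the original did not either), only pthread_create is fatal. */
static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	if (pthread_create(&th, &attr, fn, arg))
		exit(1);
	pthread_attr_destroy(&attr);
}

// Minimal one-shot flag for cross-thread signalling, built on a private futex.
typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

static void event_reset(event_t* ev)
{
	ev->state = 0;
}

/* Publish the event and wake everyone waiting on it. Setting an event that is
 * already set is treated as a logic error and terminates the process.
 * FIX(review): the original passed no wake count to FUTEX_WAKE, so the kernel
 * read whatever happened to be in that argument register; INT_MAX ("wake all")
 * is what the callers in this file need. */
static void event_set(event_t* ev)
{
	if (ev->state)
		exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, INT_MAX);
}

// Block until the event is set; spurious futex wakeups simply re-check the flag.
static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

/* Wait at most `timeout` ms for the event. Returns 1 once it is set, 0 on
 * timeout. The remaining budget is recomputed after every wakeup and the loop
 * only gives up once more than `timeout` ms have elapsed, so a spurious or
 * early futex return cannot produce a premature 0. */
static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

/* Guest code prefixes prepended to the fuzzer-supplied text by
 * syz_kvm_setup_cpu. The selectors and addresses baked into the bytes match the
 * SEL_*/ADDR_* constants below. Two placeholders are patched at load time:
 * the 32-bit far-jump offset 0x0badc0de (bytes de c0 ad 0b) and the 16-bit
 * value 0xba1d (PREFIX_SIZE), which becomes the address of the user text. */

/* 16-bit: mov eax,cr0; or eax,1 (CR0.PE); mov cr0,eax; mov ax,0xa0
 * (SEL_TSS16); ltr ax; mov ax,0x2b (SEL_DS16_CPL3) into ds/es/fs/gs;
 * mov sp,0x100; build an ip/cs/sp/ss far-return frame at 0x100 with
 * ip=0xba1d (patched), cs=0x23 (SEL_CS16_CPL3), ss=0x2b; retf -> CPL3. */
const char kvm_asm16_cpl3[] =
    "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0"
    "\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e"
    "\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba"
    "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01"
    "\xc7\x06\x06\x01\x2b\x00\xcb";
// 32-bit: mov eax,cr0; or eax,0x80000000 (CR0.PG); mov cr0,eax.
const char kvm_asm32_paged[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
// 32-bit: mov ax,0xb8 (SEL_TSS32); ltr ax; jmp far 0xd0:0 (SEL_TSS32_VM86) -> task switch into the VM86 TSS.
const char kvm_asm32_vm86[] =
    "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
// kvm_asm32_paged followed by kvm_asm32_vm86.
const char kvm_asm32_paged_vm86[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22"
    "\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00"
    "\x00\x00\x00\xd0\x00";
// Same sequence as kvm_asm32_paged_vm86, used from the 64-bit setup path.
const char kvm_asm64_vm86[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66"
    "\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0"
    "\x00";
/* Enable CR0.PG (activating long mode, EFER.LME is set by the host), far-jump
 * to 0x50:<patched> (SEL_CS64) to load a 64-bit CS, mov rax,0xd8 (SEL_TSS64); ltr ax. */
const char kvm_asm64_enable_long[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22"
    "\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7"
    "\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
/* Long-mode VMX bring-up: as kvm_asm64_enable_long, then set lock+VMXON-outside-
 * SMX in MSR 0x3a, CR4.VMXE, stamp the VMX revision id (MSR 0x480) into the
 * VMXON region (0x6000) and VMCS (0x7000), vmxon [0x5f00], vmclear/vmptrld
 * [0x5f08], a long run of vmwrite (0f 79) field setup, then XOR the value at
 * ADDR_VAR_VMWRITE_VAL into the field named at ADDR_VAR_VMWRITE_FLD, vmlaunch
 * (0f 01 c2), vmread the instruction-error field 0x4400 and hlt. */
const char kvm_asm64_init_vm[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
    "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f"
    "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22"
    "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89"
    "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3"
    "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48"
    "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2"
    "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e"
    "\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7"
    "\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48"
    "\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0"
    "\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7"
    "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0"
    "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00"
    "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48"
    "\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7"
    "\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0"
    "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00"
    "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0"
    "\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79"
    "\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48"
    "\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c"
    "\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c"
    "\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00"
    "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00"
    "\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00"
    "\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7"
    "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0"
    "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00"
    "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20"
    "\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7"
    "\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e"
    "\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40"
    "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00"
    "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00"
    "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48"
    "\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7"
    "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0"
    "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00"
    "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00"
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f"
    "\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79"
    "\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48"
    "\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12"
    "\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68"
    "\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00"
    "\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00"
    "\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48"
    "\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7"
    "\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0"
    "\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff"
    "\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff"
    "\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f"
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f"
    "\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79"
    "\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48"
    "\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c"
    "\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48"
    "\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00"
    "\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00"
    "\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7"
    "\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0"
    "\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00"
    "\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00"
    "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00"
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f"
    "\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0"
    "\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20"
    "\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18"
    "\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31"
    "\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44"
    "\x00\x00\x0f\x78\xd0\xf4";
/* Host-side VM-exit stub placed at ADDR_VAR_VMEXIT_CODE: vmread (0f 78) the
 * instruction error (0x4400) into rdx, exit reason (0x4402) into rcx, exit
 * qualification (0x6400) into rax and guest RIP (0x681e) into rbx, then hlt. */
const char kvm_asm64_vm_exit[] =
    "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48"
    "\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7"
    "\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3"
    "\x1e\x68\x00\x00\x0f\x78\xdb\xf4";
/* Long mode, then drop to CPL3: as kvm_asm64_enable_long, then load
 * ds/es/fs/gs with 0x6b (SEL_DS64_CPL3), rsp=0xf80 (ADDR_STACK0), push a
 * 32-bit ip/cs/sp/ss frame (ip=0xba1d patched, cs=0x63 SEL_CS64_CPL3,
 * ss=0x6b) and retf. */
const char kvm_asm64_cpl3[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
    "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e"
    "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24"
    "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08"
    "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb";

/* Guest-physical layout of the 24-page region set up by syz_kvm_setup_cpu.
 * Everything is relative to guest_mem, which that function fixes at 0, so the
 * same values double as offsets into host_mem. */
#define ADDR_TEXT 0x0000          // prefix + fuzzer text, terminated by hlt
#define ADDR_GDT 0x1000
#define ADDR_LDT 0x1800
#define ADDR_PML4 0x2000
#define ADDR_PDP 0x3000
#define ADDR_PD 0x4000
#define ADDR_STACK0 0x0f80        // initial rsp / ring-0 stack in the TSSs
#define ADDR_VAR_HLT 0x2800
#define ADDR_VAR_SYSRET 0x2808    // "sysret; hlt", target of MSR_IA32_LSTAR
#define ADDR_VAR_SYSEXIT 0x2810   // "sysexit; hlt", target of MSR_IA32_SYSENTER_EIP
#define ADDR_VAR_IDT 0x3800
#define ADDR_VAR_TSS64 0x3a00
#define ADDR_VAR_TSS64_CPL3 0x3c00
#define ADDR_VAR_TSS16 0x3d00
#define ADDR_VAR_TSS16_2 0x3e00
#define ADDR_VAR_TSS16_CPL3 0x3f00
#define ADDR_VAR_TSS32 0x4800
#define ADDR_VAR_TSS32_2 0x4a00
#define ADDR_VAR_TSS32_CPL3 0x4c00
#define ADDR_VAR_TSS32_VM86 0x4e00
#define ADDR_VAR_VMXON_PTR 0x5f00
#define ADDR_VAR_VMCS_PTR 0x5f08
#define ADDR_VAR_VMEXIT_PTR 0x5f10
#define ADDR_VAR_VMWRITE_FLD 0x5f18
#define ADDR_VAR_VMWRITE_VAL 0x5f20
#define ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100 // second copy of the fuzzer text (TSS entry point)
#define ADDR_VAR_USER_CODE2 0x9120

// GDT selectors: index << 3, plus RPL 3 for the CPL3 variants.
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)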
#define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 << 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define 
PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? 
seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; NONFAILING(dt[index] = sd); NONFAILING(lt[index] = sd); } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; NONFAILING(dt[index + 1] = 0); NONFAILING(lt[index + 1] = 0); } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 6: gate.type = 
11; gate.base = SEL_TGATE32; break; } gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); int i; for (i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static uintptr_t syz_kvm_setup_cpu(uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3, uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = 0; const void* text = 0; uintptr_t text_size = 0; NONFAILING(text_type = text_array_ptr[0].typ); NONFAILING(text = text_array_ptr[0].text); NONFAILING(text_size = text_array_ptr[0].size); uintptr_t i; for (i = 0; i < guest_mem_size / 
page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 
= seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; 
seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); 
NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; NONFAILING(*(host_mem + ADDR_TEXT) = 0xf4); host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS); sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + 
ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); NONFAILING(pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr); NONFAILING(pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr); NONFAILING(pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS); sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS); NONFAILING(memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1)); NONFAILING(*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE); text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); NONFAILING(memcpy(tss16_addr, &tss16, sizeof(tss16))); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); 
NONFAILING(memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16))); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); NONFAILING(memcpy(tss32_addr, &tss32, sizeof(tss32))); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); NONFAILING(memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32))); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); NONFAILING(memcpy(tss64_addr, &tss64, sizeof(tss64))); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); NONFAILING(memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64))); if (text_size > 1000) text_size = 1000; if (text_prefix) { NONFAILING(memcpy(host_text, text_prefix, text_prefix_size)); void* patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4)); if (patch) NONFAILING(*((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6); uint16_t magic = 
PREFIX_SIZE; patch = 0; NONFAILING(patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic))); if (patch) NONFAILING(*((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size); } NONFAILING(memcpy((void*)(host_text + text_prefix_size), text, text_size)); NONFAILING(*(host_text + text_prefix_size + text_size) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size)); NONFAILING(*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4); NONFAILING(*(host_mem + ADDR_VAR_HLT) = 0xf4); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3)); NONFAILING(memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3)); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0); NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0); if (opt_count > 2) opt_count = 2; for (i = 0; i < opt_count; i++) { uint64_t typ = 0; uint64_t val = 0; NONFAILING(typ = opt_array_ptr[i].typ); NONFAILING(val = opt_array_ptr[i].val); switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; NONFAILING(tss16_addr->flags ^= val); NONFAILING(tss16_cpl3_addr->flags ^= val); NONFAILING(tss32_addr->flags ^= val); NONFAILING(tss32_cpl3_addr->flags ^= val); break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = 
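val & 0xf;
      /* (continuation of the vCPU-setup helper whose body begins earlier in
       * the file; this is the tail of its per-option switch on typ % 9) */
      seg_ds32.type = val & 0xf;
      seg_ds64.type = val & 0xf;
      break;
    case 7:
      seg_ds16_cpl3.type = val & 0xf;
      seg_ds32_cpl3.type = val & 0xf;
      seg_ds64_cpl3.type = val & 0xf;
      break;
    case 8:
      /* Field/value slots read by the guest's VMWRITE stub; the low 16 bits
       * of val select the field, the rest is the value. */
      NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff));
      NONFAILING(*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16));
      break;
    default:
      exit(1);
    }
  }
  /* RFLAGS bit 1 is the architecturally fixed-to-1 bit. */
  regs.rflags |= 2;
  fill_segment_descriptor(gdt, ldt, &seg_ldt);
  fill_segment_descriptor(gdt, ldt, &seg_cs16);
  fill_segment_descriptor(gdt, ldt, &seg_ds16);
  fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_cs32);
  fill_segment_descriptor(gdt, ldt, &seg_ds32);
  fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_cs64);
  fill_segment_descriptor(gdt, ldt, &seg_ds64);
  fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_tss32);
  fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
  fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
  fill_segment_descriptor(gdt, ldt, &seg_tss16);
  fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
  fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
  /* 64-bit TSS and call-gate descriptors occupy two GDT slots. */
  fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
  fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
  fill_segment_descriptor(gdt, ldt, &seg_cgate16);
  fill_segment_descriptor(gdt, ldt, &seg_tgate16);
  fill_segment_descriptor(gdt, ldt, &seg_cgate32);
  fill_segment_descriptor(gdt, ldt, &seg_tgate32);
  fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
  if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
    return -1;
  /* "&regs": the extracted text showed this as "®s" (an HTML-entity mangling). */
  if (ioctl(cpufd, KVM_SET_REGS, &regs))
    return -1;
  return 0;
}

#define FS_IOC_SETFLAGS _IOW('f', 2, long)

/*
 * Recursively delete the per-iteration work directory, undoing whatever the
 * test program left behind: lazily detach any mounts on the directory and on
 * each entry, clear inode flags (FS_IOC_SETFLAGS with 0) when unlink() fails
 * with EPERM, and retry on EBUSY/ENOTEMPTY. Every unrecoverable error ends
 * the process with exit(1); the function reports nothing to the caller.
 */
static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  /* Keep detaching until nothing is mounted on dir itself. */
  while (umount2(dir, MNT_DETACH) == 0) {
  }
  dp = opendir(dir);
  if (dp == NULL) {
    /* Both branches exit(1); the EMFILE test is a leftover distinction with
     * no separate behavior here. */
    if (errno == EMFILE) {
      exit(1);
    }
    exit(1);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    while (umount2(filename, MNT_DETACH) == 0) {
    }
    struct stat st;
    if (lstat(filename, &st))
      exit(1);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EPERM) {
        /* Likely an immutable/append-only inode: clear all inode flags and retry. */
        int fd = open(filename, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          /* NOTE(review): fd is closed only when the ioctl succeeds; on
           * failure it leaks and this retry is not bounded by i — it only
           * ends once open() itself fails and the EBUSY test below exits.
           * Generated code; kept as-is. */
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
            close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exit(1);
      if (umount2(filename, MNT_DETACH))
        exit(1);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EPERM) {
        int fd = open(dir, O_RDONLY);
        if (fd != -1) {
          long flags = 0;
          if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
            close(fd);
          continue;
        }
      }
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exit(1);
        continue;
      }
      if (errno == ENOTEMPTY) {
        /* New entries appeared after the scan; rescan from the top, at most
         * 100 times. */
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exit(1);
  }
}

/*
 * SIGKILL the test child and its process group, then reap it. If it has not
 * exited after ~100 ms, open every /sys/fs/fuse/connections/<id>/abort file
 * and write to it (presumably because a child blocked in a FUSE request
 * cannot be reaped until its connection is aborted), then block until the
 * child is reaped. *status receives the waitpid() status.
 */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  int i;
  for (i = 0; i < 100; i++) {
    /* waitpid(-1) reaps whichever child exits; only a match on pid ends the wait. */
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      /* Writes one arbitrary byte (the first byte of the path); the content
       * presumably does not matter. Write errors are deliberately ignored. */
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

#define SYZ_HAVE_SETUP_TEST 1
/* Runs in the forked child before the test: die with the parent, and become
 * a process-group leader so kill_and_wait can kill(-pid) the whole group. */
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
}

#define SYZ_HAVE_RESET_TEST 1
/* Close descriptors 3..29 that the test may have opened (0-2 are left alone). */
static void reset_test()
{
  int fd;
  for (fd = 3; fd < 30; fd++)
    close(fd);
}

/* One worker slot: created once, then reused. ready is raised by execute_one
 * when call has been assigned; done is raised by the worker when the call
 * returns. */
struct thread_t {
  int created, call;
  event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
/* Calls currently in flight; a relaxed counter consulted only by the drain
 * loop in execute_one. */
static int running;

/* Worker body: wait for work, run the call, signal completion — forever. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    event_wait(&th->ready);
    event_reset(&th->ready);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    event_set(&th->done);
  }
  return 0;
}

/*
 * Run the program's 7 calls once in order (each on the first idle worker,
 * waiting up to 45 ms for it to finish), drain for up to 100 ms, then repeat
 * once in "collide" mode, where even-numbered calls are not waited for so the
 * following call races with them. A call with no idle worker available is
 * skipped for that pass.
 */
static void execute_one(void)
{
  int i, call, thread;
  int collide = 0;
again:
  for (call = 0; call < 7; call++) {
    for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        event_init(&th->ready);
        event_init(&th->done);
        event_set(&th->done); /* a fresh worker starts out idle */
        thread_start(thr, th);
      }
      if (!event_isset(&th->done))
        continue; /* still busy with an earlier call; try the next slot */
      event_reset(&th->done);
      th->call = call;
      __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
      event_set(&th->ready);
      if (collide && (call % 2) == 0)
        break; /* collide pass: dispatch the next call without waiting */
      event_timedwait(&th->done, 45);
      break;
    }
  }
  for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
    sleep_ms(1);
  if (!collide) {
    collide = 1;
    goto again;
  }
}
static void execute_one(void);

#define WAIT_FLAGS __WALL
/*
 * Top-level driver: forever, create a fresh "./<iter>" directory, fork a
 * child that chdirs into it and runs one execution of the program, allow it
 * 5 s, kill it if it overruns, then remove the directory.
 */
static void loop(void)
{
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[32]; /* "./" plus a decimal int fits comfortably */
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      exit(1);
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      if (chdir(cwdbuf))
        exit(1);
      setup_test();
      execute_one();
      reset_test();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5 * 1000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
    remove_dir(cwdbuf);
  }
}

/* Results of earlier calls (the openat/ioctl return values in execute_call),
 * initialized to (uint64_t)-1 and only overwritten by a successful call. */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

void execute_call(int call)
{
  long res;
  switch (call) {
  case 0: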
NONFAILING(memcpy((void*)0x20000380, "/dev/kvm", 9)); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000380, 0, 0); if (res != -1) r[0] = res; break; case 1: res = syscall(__NR_ioctl, r[0], 0xae01, 0); if (res != -1) r[1] = res; break; case 2: res = syscall(__NR_ioctl, r[1], 0xae41, 0); if (res != -1) r[2] = res; break; case 3: NONFAILING(*(uint64_t*)0x20000000 = 0x40); NONFAILING(*(uint64_t*)0x20000008 = 0x20000500); NONFAILING(memcpy((void*)0x20000500, "\x0f\x08\x66\xb8\xed\x00\x8e\xc0\x66\xba\x40\x00\xb0\x00" "\xee\xd2\xa8\x07\x00\x00\x00\x41\x0f\x01\xca\xb9\x8e\x0b" "\x00\x00\xb8\x62\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x30" "\xb9\x0b\x08\x00\x00\x0f\x32\x0f\xc7\x2a\x8f\x2a\x60\x12" "\x8f\x00\x00\x00\x00\x00\x30\x00\x00\x0f\xc7\xaa\x00\x10" "\x00\x00", 72)); NONFAILING(*(uint64_t*)0x20000010 = 0x48); syz_kvm_setup_cpu(r[1], -1, 0x20000000, 0x20000000, 1, 0, 0x20000080, 0); break; case 4: NONFAILING(*(uint64_t*)0x20000200 = 0x40); NONFAILING(*(uint64_t*)0x20000208 = 0x20000040); NONFAILING(memcpy((void*)0x20000040, "\xb9\x80\x00\x00\xc0\x0f\x32\x35\x00\x10\x00\x00\x0f\x30" "\xf2\x4c\x0f\x2c\x49\xe8\x42\x6d\xc4\x02\x7d\x34\x93\xb8" "\x08\x00\x00\x36\x26\x66\x0f\x7e\x67\x6d\x66\x0f\x16\x78" "\xb0\x6c\xc4\x03\xf9\xdf\xbe\xb7\x00\x00\x00\x0b\xc7\x44" "\x24\x00\xf5\x00\x00\x00\xc7\x44\x24\x02\x84\xd1\x78\xbc" "\xff\x1c\x24\xf2\xf3\x47\xdb\xe1", 78)); NONFAILING(*(uint64_t*)0x20000210 = 0x4e); syz_kvm_setup_cpu(-1, r[2], 0x20000000, 0x20000200, 0x77, 0x48, 0x20000140, 0x1000000000000390); break; case 5: NONFAILING(*(uint16_t*)0x20000580 = 0); NONFAILING(*(uint16_t*)0x20000582 = 0); NONFAILING(*(uint32_t*)0x20000584 = 0x2080); NONFAILING(*(uint64_t*)0x20000588 = 0); NONFAILING(*(uint64_t*)0x20000590 = 0xf000); NONFAILING(*(uint16_t*)0x20000598 = 0); NONFAILING(*(uint8_t*)0x200005a0 = 0); NONFAILING(*(uint8_t*)0x200005a1 = 0); NONFAILING(*(uint8_t*)0x200005a2 = 0); NONFAILING(*(uint8_t*)0x200005a3 = 0); NONFAILING(*(uint8_t*)0x200005a4 = 0); 
NONFAILING(*(uint8_t*)0x200005a5 = 0); NONFAILING(*(uint8_t*)0x200005a6 = 0); NONFAILING(*(uint8_t*)0x200005a7 = 0); NONFAILING(*(uint8_t*)0x200005a8 = 0); NONFAILING(*(uint8_t*)0x200005a9 = 0); NONFAILING(*(uint8_t*)0x200005aa = 0); NONFAILING(*(uint8_t*)0x200005ab = 0); NONFAILING(*(uint8_t*)0x200005ac = 0); NONFAILING(*(uint8_t*)0x200005ad = 0); NONFAILING(*(uint8_t*)0x200005ae = 0); NONFAILING(*(uint8_t*)0x200005af = 0); NONFAILING(*(uint8_t*)0x200005b0 = 0); NONFAILING(*(uint8_t*)0x200005b1 = 0); NONFAILING(*(uint8_t*)0x200005b2 = 0); NONFAILING(*(uint8_t*)0x200005b3 = 0); NONFAILING(*(uint8_t*)0x200005b4 = 0); NONFAILING(*(uint8_t*)0x200005b5 = 0); NONFAILING(*(uint8_t*)0x200005b6 = 0); NONFAILING(*(uint8_t*)0x200005b7 = 0); NONFAILING(*(uint8_t*)0x200005b8 = 0); NONFAILING(*(uint8_t*)0x200005b9 = 0); NONFAILING(*(uint8_t*)0x200005ba = 0); NONFAILING(*(uint8_t*)0x200005bb = 0); NONFAILING(*(uint8_t*)0x200005bc = 0); NONFAILING(*(uint8_t*)0x200005bd = 0); NONFAILING(*(uint8_t*)0x200005be = 0); NONFAILING(*(uint8_t*)0x200005bf = 0); NONFAILING(*(uint8_t*)0x200005c0 = 0); NONFAILING(*(uint8_t*)0x200005c1 = 0); NONFAILING(*(uint8_t*)0x200005c2 = 0); NONFAILING(*(uint8_t*)0x200005c3 = 0); NONFAILING(*(uint8_t*)0x200005c4 = 0); NONFAILING(*(uint8_t*)0x200005c5 = 0); NONFAILING(*(uint8_t*)0x200005c6 = 0); NONFAILING(*(uint8_t*)0x200005c7 = 0); NONFAILING(*(uint8_t*)0x200005c8 = 0); NONFAILING(*(uint8_t*)0x200005c9 = 0); NONFAILING(*(uint8_t*)0x200005ca = 0); NONFAILING(*(uint8_t*)0x200005cb = 0); NONFAILING(*(uint8_t*)0x200005cc = 0); NONFAILING(*(uint8_t*)0x200005cd = 0); NONFAILING(*(uint8_t*)0x200005ce = 0); NONFAILING(*(uint8_t*)0x200005cf = 0); NONFAILING(*(uint8_t*)0x200005d0 = 0); NONFAILING(*(uint8_t*)0x200005d1 = 0); NONFAILING(*(uint8_t*)0x200005d2 = 0); NONFAILING(*(uint8_t*)0x200005d3 = 0); NONFAILING(*(uint8_t*)0x200005d4 = 0); NONFAILING(*(uint8_t*)0x200005d5 = 0); NONFAILING(*(uint8_t*)0x200005d6 = 0); NONFAILING(*(uint8_t*)0x200005d7 = 0); 
NONFAILING(*(uint8_t*)0x200005d8 = 0); NONFAILING(*(uint8_t*)0x200005d9 = 0); NONFAILING(*(uint8_t*)0x200005da = 0); NONFAILING(*(uint8_t*)0x200005db = 0); NONFAILING(*(uint8_t*)0x200005dc = 0); NONFAILING(*(uint8_t*)0x200005dd = 0); NONFAILING(*(uint8_t*)0x200005de = 0); NONFAILING(*(uint8_t*)0x200005df = 0); NONFAILING(*(uint8_t*)0x200005e0 = 0); NONFAILING(*(uint8_t*)0x200005e1 = 0); NONFAILING(*(uint8_t*)0x200005e2 = 0); NONFAILING(*(uint8_t*)0x200005e3 = 0); NONFAILING(*(uint8_t*)0x200005e4 = 0); NONFAILING(*(uint8_t*)0x200005e5 = 0); NONFAILING(*(uint8_t*)0x200005e6 = 0); NONFAILING(*(uint8_t*)0x200005e7 = 0); NONFAILING(*(uint8_t*)0x200005e8 = 0); NONFAILING(*(uint8_t*)0x200005e9 = 0); NONFAILING(*(uint8_t*)0x200005ea = 0); NONFAILING(*(uint8_t*)0x200005eb = 0); NONFAILING(*(uint8_t*)0x200005ec = 0); NONFAILING(*(uint8_t*)0x200005ed = 0); NONFAILING(*(uint8_t*)0x200005ee = 0); NONFAILING(*(uint8_t*)0x200005ef = 0); NONFAILING(*(uint8_t*)0x200005f0 = 0); NONFAILING(*(uint8_t*)0x200005f1 = 0); NONFAILING(*(uint8_t*)0x200005f2 = 0); NONFAILING(*(uint8_t*)0x200005f3 = 0); NONFAILING(*(uint8_t*)0x200005f4 = 0); NONFAILING(*(uint8_t*)0x200005f5 = 0); NONFAILING(*(uint8_t*)0x200005f6 = 0); NONFAILING(*(uint8_t*)0x200005f7 = 0); NONFAILING(*(uint8_t*)0x200005f8 = 0); NONFAILING(*(uint8_t*)0x200005f9 = 0); NONFAILING(*(uint8_t*)0x200005fa = 0); NONFAILING(*(uint8_t*)0x200005fb = 0); NONFAILING(*(uint8_t*)0x200005fc = 0); NONFAILING(*(uint8_t*)0x200005fd = 0); NONFAILING(*(uint8_t*)0x200005fe = 0); NONFAILING(*(uint8_t*)0x200005ff = 0); NONFAILING(memcpy( (void*)0x20000600, "\x36\x2a\x82\x5b\x2d\x00\x75\x35\x1c\xb2\x3b\xb0\xf5\x84\x74\x63\xe1" "\xf4\xfb\xc2\xea\x7a\x23\x2b\x0b\xcf\xc3\x2b\x9f\x58\x7e\x67\xb3\x9c" "\x89\x4b\xeb\xc7\x10\x30\xfb\x13\x7e\x18\xa7\x4d\x61\x72\xe2\x93\xb5" "\x45\x5c\x81\x84\xc9\x30\xb6\x5d\xfa\x93\x35\x4d\x82\xac\x08\xc1\xcc" "\xb1\xa4\x2c\xe4\x52\x39\x15\xf1\xc3\xc9\xf1\x7a\xc2\xf0\x04\x66\xc3" 
"\xf4\x56\x00\x3c\x91\xc3\x73\x4d\x97\x39\xea\x11\x4b\x56\x03\xe0\x3d" "\xd2\x6b\x02\xf9\xb4\xee\x43\x0e\x39\xb2\x03\xd7\x7f\xde\xa3\x0c\x27" "\xda\x40\xfc\x27\x51\xe8\x4f\x64\x59\x0f\x4a\x2e\xd1\x92\xdf\xda\xe0" "\x6c\x7a\x61\x13\x4a\x1d\xb5\x20\x33\x32\xf5\x9d\xe8\xfb\x4a\x66\xaa" "\xd2\x68\x91\x04\x0e\x00\x17\x8b\xa4\x8e\x1d\xcc\x99\xb5\x3c\x6e\x90" "\x2d\xfb\x90\x36\xe8\x5d\x77\x7d\x09\x20\x1e\xf6\x70\x98\xed\x93\xc4" "\xb9\x04\x56\x49\xd4\xdf\xa6\x14\xde\xf1\x7e\x65\x4a\x67\xbe\x7c\xf6" "\x10\x3b\xff\x00\xdb\x02\x19\xd2\x01\x24\x37\x76\x12\x25\x85\x1c\x52" "\xfa\xbd\x65\x2d\x24\x04\x34\x44\xb0\x26\xdc\x08\x5a\x41\xad\x65\x66" "\x75\xd3\x38\xd7\x3b\x3b\x54\x33\x97\x9a\x2e\x7b\xfb\x32\x9c\xac\x8c" "\x8b\xd5\xb5\xbd\x92\x2d\xe3\xac\x41\xe4\x69\x07\x66\x94\x58\x33\xbc" "\x7f\xb1\xd7\x69\x2a\xc2\xee\xbc\xc7\x9a\xfc\x97\xf9\x1b\x42\xa5\x5c" "\x7e\x89\xcf\x0c\x1d\xa9\xae\x4f\x4f\xdf\xe9\x64\xd7\x5c\xb5\x90\xf6" "\x6d\x85\x00\x62\x52\xb0\x68\x8f\x18\x89\xea\x4c\xa6\x2c\x73\x25\xec" "\x85\x32\x65\x95\xbc\xbf\xa0\x14\x4f\x34\x92\x48\x2b\xaf\x72\x44\xef" "\xc1\xba\x1c\x05\x12\x86\xed\xfd\xe6\x24\x73\x47\xc9\x04\xfa\xba\x9c" "\x19\xa6\xb2\x92\x27\x0d\x73\xba\xb8\x1d\x40\xe8\x22\x10\x35\x4f\x3b" "\x6b\x82\x8a\x01\xf3\x66\x5e\x69\x45\xa4\xe4\xac\xa8\x6a\x53\xb1\xcb" "\xc3\xd8\x93\x1e\x2a\x78\xac\x7e\x78\xcb\x39\x7d\x75\xa6\xd5\xda\x24" "\xcf\xb4\x64\xea\xc6\x64\xf4\xef\x35\x5c\xc3\xcf\x35\x4f\x63\x12\x19" "\x1c\x51\x9d\x34\x29\x4c\xad\x30\xcf\xb9\x01\xed\x08\x23\xfe\xe3\x08" "\x3a\x4c\xa6\x8e\x6a\x39\x4b\xbe\xfe\xb0\x98\x6d\xd2\x20\x79\x72\x64" "\x9c\x99\x40\x97\x02\x93\x60\xeb\x93\x72\xee\x80\xec\xe9\x2a\x00\xc8" "\x40\x06\xcd\x60\x7a\x2b\xea\xb5\xaf\x63\xaa\x84\x17\x7b\xed\x25\x85" "\xb7\xbf\xd3\x5c\x27\xba\x52\x0f\x7f\xa4\xbf\xae\x7d\x98\xc0\x1b\x50" "\x5d\xaf\xcf\x31\x7d\xc8\xf7\xb3\x1c\xe0\x7e\x78\x1b\xfe\x36\xa9\x9c" "\xb9\xe1\x1b\xf8\xbc\xbb\x14\xb1\x44\x2f\x6c\xa6\x75\x7c\x7e\x87\xa5" "\xa9\xf1\x7b\x64\xb5\x23\xe6\x9b\x73\x32\xf4\xe6\x69\x29\x9c\xed\x7e" 
"\x5e\x28\x6f\x39\x5c\x2e\x0a\xd1\xf3\xe8\xd9\x5c\xab\x38\xcc\x20\x8b" "\xfa\x2a\x35\x4f\x25\x98\x0d\x18\x2c\x77\x02\xd0\xce\xf1\xbe\xee\xf8" "\x38\x9f\xf1\x85\xf1\x17\xd4\xbf\xb4\x5a\xde\x2c\x7e\x55\x31\xce\x71" "\xf0\x37\xef\x38\xb8\x4e\x36\xe2\x82\x5b\x87\x55\x3b\xc5\xc7\xe5\x35" "\xbf\x45\xb2\x81\x56\x53\xac\xcc\x39\x20\xd0\xdd\x71\x6e\xfc\xfd\x60" "\x6c\x67\x96\x08\x19\x9b\xb4\xc0\xdb\x28\x38\x9a\xf2\x05\xeb\xd8\x7b" "\xfc\x7a\x36\x8d\xb1\x5f\xc6\x2f\x2b\x80\x8d\x06\x2f\x19\xd3\xb9\x2c" "\x5d\xe5\xa6\x27\xb3\xb7\xde\xb7\xe0\x3a\xc3\x87\xc3\x8b\x4f\x9f\xa3" "\xdc\x90\x9f\x35\x6d\x14\x5d\xf9\x86\xd3\x99\x3e\xbf\x73\x26\xf7\x97" "\xf7\x7d\x5a\xe0\x40\x6e\x10\xca\x9d\xa1\xbd\xc0\x48\x12\x1c\xa1\xc4" "\x4d\xec\xfd\x9a\xa7\x4d\xc1\x32\x7e\x72\x4d\xcf\xec\x66\x4b\x3d\x4a" "\xe5\xf5\x26\x00\x93\x70\xc8\xd3\xb0\xf9\xca\x55\x57\x7f\x0c\xf1\x34" "\x85\xcf\x4b\x78\xea\x45\x86\xeb\xc4\xbc\x13\x50\xdb\x79\x28\xf7\x04" "\xad\xd5\x2c\xd8\x51\x9c\xbe\x68\x4c\x09\x74\x43\x32\x20\x55\x80\x7d" "\x7c\x5f\xf6\xfa\xe9\x3a\x20\x5e\x19\x02\xab\x62\xb6\xb0\x7b\x7f\x62" "\xa8\xc2\xc4\x7d\x89\xed\x9a\xf9\xc1\xf9\x4f\x46\xe0\x26\x8f\xca\x12" "\x83\x93\x6d\x1f\x60\x38\x36\x65\x12\xa0\x4d\x40\xd2\x7f\x71\xa4\x5c" "\xc6\x4f\x5d\xcd\xea\x54\x13\x09\x4a\xc8\x23\x8f\x5c\xa3\xa6\x7b\x81" "\x26\x1b\x4c\x33\x69\x5a\x1f\x3b\x53\x0d\x8e\x9a\xac\x30\x2c\x9a\xf8" "\x34\xde\xf4\xb7\xd2\xb5\xe5\x30\xfd\xc5\x00\xe4\xd4\xc5\x94\xd3\x03" "\xde\x6e\x94\x01\x60\x40\xb7\x83\x28\xee\xb0\xc7\x4a\xf7\x6f\x5e\x4f" "\x10\xd4\xf6\xae\x92\x04\xe7\x5a\xec\x4f\x4d\x24\x1f\x24\x6b\x80\x94" "\x3a\x9c\x8e\x85\xc1\x44\xa8\xf1\xde\x9d\xc4\x7c\xc8\xe9\x35\xd9\xcc" "\xb2\x4a\xe3\x8c\x4c\x27\xff\xa8\xbc\xda\xf4\x5f\xa1\x6a\x3d\xe2\xc6" "\xb0\x50\x4a\x58\x52\xae\xfc\x80\x09\xbc\x23\xd5\xaa\x42\xfe\x27\xeb" "\xfe\x55\xe6\xa0\x84\x24\x1a\xb9\x35\xf1\x52\x88\x83\x21\xa6\x3b\xcb" "\x3c\xfa\x6a\x76\x65\xe1\xca\x37\xd8\x53\x4c\x71\x9e\xa1\xca\x35\x03" "\xae\xda\xe5\x5b\x5d\x57\x40\xfe\x22\x13\x0b\xe3\x71\xa9\x1d\x40\x1b" 
"\x80\x33\xff\x1a\x31\xec\x32\x8f\x0e\xc2\x9f\x1b\x8a\x28\x20\xb7\x62" "\x3d\xf9\x93\x2a\x89\xea\x0a\x91\x88\xc6\x7c\xd9\xe0\xcb\x61\xed\x82" "\x11\xdd\x4b\x8a\x6d\xd8\xbb\x0c\x48\x43\x03\x74\xa3\xbc\x7d\xdc\xfa" "\x8d\x93\x78\x74\xe0\x33\x72\xb1\x74\xae\x1f\xd4\xfe\xa0\xfa\xeb\xf1" "\xcc\xd5\xa2\xed\xc4\x1f\xe7\xb4\xfd\xd3\xbc\x9e\x9d\x81\x4e\xa2\x21" "\x24\xbe\x02\x7a\xad\x68\xcd\x2f\x07\x80\x72\xc0\x48\x3e\xbf\x9e\x37" "\x3d\x3a\xcd\x90\x62\xd5\x01\x94\xb7\xd2\x94\x34\x43\x9e\xac\x91\x50" "\x1b\x1b\x7a\x68\xe9\xc6\x9b\x4f\x5a\x9a\xb2\x7f\x43\xfc\x35\xcd\x30" "\x31\xe9\x3f\x87\xea\x3a\x9c\x62\xbb\xf5\x0f\x3c\xc1\x75\x2c\xbe\x84" "\xe7\x1e\xec\x22\x26\x95\xd5\xb6\x4b\xaa\x3e\x46\x5c\xbe\x16\xf0\x71" "\xac\x0e\x5c\x43\xe0\x9f\x70\x26\x46\x0f\x6b\x36\x6d\x00\xd8\x6e\x91" "\x1a\xe9\x2d\x65\xe8\xd4\x7c\x3a\x6d\x83\xc0\x2a\x1e\xe6\x1c\xbf\x38" "\x19\x5c\x1c\x84\x78\x23\x8c\x6d\xee\x05\xb9\x83\x42\x11\xd8\x06\x41" "\x86\xb2\x16\xc2\xc9\xbc\xbe\x0c\xbf\x20\xc9\xcd\x84\xfe\x57\x33\xec" "\x2a\x02\x29\x95\xf7\xf2\xe8\xf9\x51\xac\x0d\x79\xcf\x83\x47\xf2\xe9" "\xbb\x8d\x91\xc5\x96\x20\xde\x03\x8a\x71\xb3\xaf\xc0\x01\x49\x52\xae" "\x2f\xdd\x2c\x86\xee\xcb\x2b\xf2\x03\x35\xba\x37\x12\x08\x83\x01\xf7" "\xd0\x4e\xc4\x31\xcc\x46\xaa\x53\xa3\xa5\x67\x40\x26\xcc\xc9\xfb\x94" "\xcf\xd3\x0f\xc9\xfc\xba\xa7\xa8\x72\x93\x81\x4d\x59\x99\xe2\x7e\x70" "\x6b\x56\x66\x28\x6d\xaa\x88\xc9\x31\x81\xa0\x53\x5a\xcd\xeb\x73\xd5" "\x36\x53\xc0\x67\xa9\xd7\x6f\xc2\x2e\x26\xcb\xc1\x4b\x72\xad\x27\xf4" "\xbe\xe2\x26\x4f\x83\x22\xac\x00\x4f\x5d\x00\xef\x3d\xa8\x35\xba\x88" "\x72\x5d\x99\xe6\x93\x0e\x38\xb7\x44\x33\x51\xf7\xdd\x06\x63\x29\x1a" "\x3d\xb6\x14\x3b\x61\x38\x0d\x7c\x76\xe9\x64\xc4\x02\xd7\x6a\x54\x2d" "\x69\x68\x4e\x52\x28\x37\x7a\x6f\xe2\x2c\x99\x6b\x02\x11\xd3\xfa\xa9" "\xd8\xfb\x27\x37\xeb\x49\x24\x31\x5a\xf1\x25\xc0\x6c\x78\x0b\x49\x5a" "\xcc\xcb\x4a\xaf\x51\x6e\x39\x1d\x57\x73\xaa\x63\x6b\x4b\xf4\x90\x40" "\x46\x00\x1a\x2a\x2a\xe9\xb8\x50\x00\x01\x57\xc4\x08\x8c\x7b\x1e\x1f" 
"\x78\xd0\xe0\x45\x72\x29\xea\xd7\x64\x5e\x64\x09\x94\x16\x08\x87\x99" "\x45\x6e\x0d\x02\x12\x16\xe1\xdd\x31\x2a\xa0\x5d\x08\x21\x8d\xdc\xf5" "\x30\xd3\xf3\x07\x33\xbb\x6f\xb0\xe3\x87\x85\xd9\x2c\x1a\x67\xd4\x3e" "\x11\xba\x35\x4d\xa0\x8a\x7f\x80\x6d\xc7\x54\x79\x60\x10\x4c\xa1\xa5" "\x5d\x2b\x5d\x35\x42\x12\xa1\xd5\x35\x01\x5d\xa6\x35\x68\xef\x24\x85" "\x1b\xeb\x08\xf9\x22\x1e\xcf\x2e\x74\x49\xe0\x32\x7d\x20\x37\x3f\x61" "\x76\x9a\x0a\xe8\x1d\x49\x2c\x45\x49\x3d\xc9\x85\xfc\x33\x7e\x3e\xdb" "\xc7\xab\x54\x89\x3c\x79\x8e\xfa\x73\x4e\xc2\xbb\xd3\x8d\xcd\x06\xa5" "\xc2\x69\xe2\xcf\x2a\x48\xf2\xfa\xeb\x4e\xdd\x2d\xff\x45\x06\xd8\xb0" "\xdf\xc9\x73\xaf\x15\xff\xfb\x8c\xcb\xb1\x4a\x83\x01\x1a\xf4\xbf\x27" "\x60\x2d\x6a\xe1\x29\x96\x82\xdc\x73\xc2\x0f\x4c\x84\x70\x7e\xd7\x0a" "\x4e\xaf\x67\x88\xea\x81\x0d\x0b\x1c\x70\xd4\x56\x91\xd8\x7a\x57\x19" "\x4d\x50\x1d\x4c\x25\xe5\xd5\x18\xf0\x30\xcf\xbb\x90\xc1\x13\x4e\xa8" "\x11\xa6\x2a\x2f\xb8\x5d\x0a\x6d\x70\x19\x90\x5d\xfd\xa7\x45\x9c\xac" "\x30\xcd\x60\x01\x82\xe5\xa2\x7d\xbc\x04\x05\xfb\x7f\x86\xc5\x5d\x7a" "\x07\xe2\x4f\x74\xc5\xdd\x68\xfc\x4d\x35\xcf\x87\xf6\xf2\xcc\x03\x08" "\x5a\x15\x33\x9b\x3a\x82\x65\xac\x4c\x91\x1d\xe8\xf1\xb3\x03\x2a\xad" "\x2e\x1a\x24\x58\xad\x50\x5c\x3e\x9c\x47\x1b\x12\x09\x17\x7d\xd1\xbc" "\x95\xa1\xf9\x3a\x17\x9e\xf2\xdc\xb0\xbc\xf5\x17\xf4\x15\x47\xcc\xbc" "\x12\x8e\xf5\xa3\xd0\x60\xb5\x9e\x66\x8a\x87\x8c\x93\xbd\x2d\xd0\x1a" "\xc9\xe9\x99\x4c\x3b\xfc\x96\xe3\xe7\x0d\x07\x9e\x2d\xe8\x7e\xb1\xed" "\x42\xda\xf7\xc7\x19\xec\xec\x54\x2d\xcc\x7d\xcd\x5d\x80\x49\xcd\x36" "\x53\x5e\x94\x5b\x94\x2a\xc3\xfb\xc9\x91\x30\xb3\x41\x8a\xc5\x44\xd4" "\xfb\xa6\xaf\xde\xfb\xef\x29\x4e\xfb\xbc\xa1\x71\xeb\xb1\xb9\x53\xf5" "\x70\xed\x5b\xe5\x04\xe5\x80\x04\x02\x6e\x4f\xd5\xfe\x4e\x09\x38\xa4" "\xf7\x8a\x1c\x17\x54\x7c\x40\x21\x59\x95\xac\xdf\x52\xd4\x29\xbe\xbc" "\xe1\x07\xd5\xdd\x75\xab\xe4\xdc\x75\x55\x40\x7f\xb7\xdb\xd7\xa7\x45" "\xb5\xd6\x79\x98\x0a\x8b\xd4\x68\xd9\x08\xe3\xaa\x8d\xe4\x98\xe1\x00" 
"\xf0\xbd\x12\x4b\x73\xf1\xa7\x21\x8b\x9e\x58\xc4\x79\x73\xe7\x63\xd1" "\xca\xbe\xa6\x7a\x8c\xb8\x4d\x47\x15\xa5\xd3\x18\xcf\x5b\x41\x2c\x30" "\xba\x68\x84\xa5\x34\xd4\xdd\x7f\x83\x1f\x2d\x1f\x38\x35\x9a\x01\xbe" "\xb3\x14\x5e\xc5\x5e\x2a\xa2\x6b\xd3\xb7\x8a\xfd\xf0\x5e\x41\x1e\x2b" "\x3f\xd4\x84\x15\xc8\xd3\xed\x68\xbd\x20\x8b\xc6\xc1\xec\xda\x3a\x16" "\xf7\x53\x4c\x7e\x4a\xd3\x11\xc9\xb7\xa8\x91\x75\xde\xd5\x61\x2d\x22" "\x2b\xcf\xbf\x51\xad\xc1\x02\x5d\x28\xa5\x4c\x36\x5e\xf4\x30\x72\xf7" "\xa6\xcb\xdf\xf5\xa4\x27\x25\xbe\x2b\xe1\xa8\xa6\x05\x64\x9d\x72\x43" "\x44\xb3\xc0\xfe\xaa\x9f\x05\x2a\xfa\xef\x95\xa1\xe4\x9b\xf5\x81\xc4" "\x03\x24\xb8\x29\xf2\xba\x4a\xf4\x75\xba\xa9\x73\xfe\x30\x74\x51\x01" "\xf2\xc3\x0f\x77\xe2\x1a\x04\xef\x15\x30\x65\x6f\xc4\xfc\xbf\x12\xe4" "\x5f\x7b\x26\x1c\xa6\x4f\x69\x89\x5f\x48\x5e\x46\xce\x16\x0e\xef\x96" "\x07\x12\xc3\x90\xe6\x62\x8b\xb5\x6d\xf2\x93\xd5\xf1\xe9\x56\x03\x5b" "\xc3\xc7\xb8\x91\x61\x35\xaf\xbd\x42\x91\xd5\x0d\x55\xed\xdf\x12\xdb" "\x06\x0d\x4d\x1f\x1b\x3f\x30\xe1\x10\xf4\x93\x1c\x47\x63\x2f\x60\xe3" "\xbf\x43\xd1\xed\xe7\xcc\x46\xa7\xf5\xa6\x0e\x88\x6c\xf6\xc7\x67\x0c" "\x49\xe3\xb8\xfe\x99\x51\x1f\xa7\x66\x91\x76\x09\xa3\x42\xe6\x96\x78" "\xd1\xc5\x4b\x72\x2b\xd6\x3b\x4e\x61\x0a\x65\xfa\x79\xfd\xc5\x23\x56" "\xc6\x3d\x45\xf8\x67\x44\x20\x62\xf0\x01\xf7\x38\x6e\xe8\x9d\x23\xec" "\x40\xc0\x20\x7b\x36\x33\x80\x33\x43\x4d\x0f\xa3\x4a\x40\x7c\x8e\x44" "\x11\x15\xec\x74\x46\x98\x8e\x7e\x29\xd1\x6e\x33\xd8\x67\x16\x0a\xf2" "\x73\x01\xc0\xbc\x98\xdb\x30\x0e\x70\xfd\x44\x3d\xa5\xac\x36\x62\xb0" "\x08\xcd\x4c\x7b\x55\xb2\xbc\x82\xe4\xed\x02\xc6\x3d\x40\x43\xa5\x38" "\xd4\x0e\xc7\x2c\x2a\x73\xae\x1b\xb0\xf8\xe4\xb1\x01\x1a\x98\x39\xad" "\xc5\xaa\x5f\x0d\x90\xc8\x88\xf6\xdd\xfe\x1a\x42\xd0\xff\xc0\x4d\x2e" "\x15\x60\x63\x55\x70\x0d\xcc\x53\x0b\xf3\x8b\x65\x08\xa0\x2a\xae\x68" "\x9f\xe5\x9f\xbf\x33\xd8\x31\xf9\x05\x5d\xfd\x22\x82\x52\xf1\x62\xe2" "\x45\x14\x19\x8d\xa7\x2d\xdc\xfd\x47\x8d\x19\x79\x0f\xb7\xb0\x5b\x2b" 
"\x92\x9d\xf5\xaa\x9e\xee\x00\xb9\x9e\xeb\xa3\x80\x18\xcb\xe1\x1d\x1c" "\x47\xaf\x1b\xe6\x5d\xdf\x03\x0d\x3d\x8b\x5f\x0c\x61\xb4\x81\x3a\xa7" "\x06\xc9\x09\x16\xb0\x4b\xf2\x71\x6b\xd5\x38\x68\x17\xed\x12\x0e\x5c" "\xd3\xe8\x92\xcc\xaa\x88\x3e\x31\x59\xaf\xfa\x04\xf9\x5a\x52\xac\x6c" "\xf1\xc9\xe7\xbb\x6c\xe9\x26\x1d\xf5\x70\xca\x1a\x00\x2d\x5f\xfe\xeb" "\xf5\x12\xe7\xa5\x08\xd7\xb6\x8e\x23\x8b\xc8\x21\xdc\x80\xd2\xa2\x98" "\x01\xab\x19\xba\x4d\xa8\xc3\xd7\x3d\xc7\xa8\x3c\xed\x45\x62\x36\x2d" "\x77\x14\x28\xfa\x83\x1a\xde\x0e\x18\xdb\x2f\x0f\x93\x08\x53\xc7\x01" "\x36\xb9\x36\x78\x13\x9e\x5c\x08\xf1\x11\x34\x40\xfe\x96\x0e\x90\x96" "\xab\xc1\x48\xd6\x62\x6c\xf3\x00\x69\xb2\x29\x74\xf8\x0e\x31\xdb\x97" "\x84\xe5\x4d\xd0\x9a\x83\xd2\xf5\xb7\x7e\xef\xc0\x7a\x52\x9f\x09\x03" "\x62\x77\x79\x9b\xe4\xb4\x70\x9f\x79\xf2\x17\x10\xf1\xd5\x9f\xae\x01" "\x81\xb3\x12\x1d\x2e\x1c\x8e\x49\xe2\xb8\x39\x30\x3a\x23\x4b\x3f\x98" "\x01\x26\x29\x1a\xfd\x02\x83\xab\x29\x6c\x21\xae\x90\xd7\x5f\x7c\x5c" "\x2a\xa2\x43\xc7\x64\x80\x0e\x8f\xed\x35\xcf\xf4\xc8\x4d\x31\xe7\x07" "\x0a\x6a\xd2\x45\x6e\x50\xd4\xe1\x61\xe4\x00\x5c\xbd\xc3\x78\xae\x06" "\xcb\x98\xc8\xf0\x9a\x33\x8f\xe4\x55\x93\x6c\x68\x84\x3c\x83\x0a\x0f" "\xd6\x91\xa4\x90\xa0\x07\x52\x01\x3d\xb1\xdd\x60\xfe\x24\xc3\xf9\x1d" "\xc1\x0b\xb8\x1e\x47\x15\xba\xb6\x6e\x2a\xe7\x1c\xc7\x92\x14\x2f\xb4" "\xab\x3c\x72\xf1\x15\x08\xcf\x0c\x48\x67\x9e\x90\x0c\x0b\x1d\xe3\x93" "\xce\x7d\x7f\x55\xad\x00\xbe\x17\x07\x4b\x73\x25\xdd\xc8\xe6\xf1\x60" "\x20\xa4\xcf\x29\x36\xdd\xe5\x0c\x7c\x02\x9d\xa4\x28\xea\xcd\xf2\xbd" "\xd8\x32\x8c\x29\xae\xe1\xc4\x0b\x3b\x6d\x27\x8c\xfc\x30\x16\x4f\x1d" "\xfa\xbe\xbc\x1e\xa1\x92\xa3\x4b\x04\xdf\x43\x3b\x59\x76\xc1\x51\x61" "\x52\x55\x60\x9d\x0a\x89\xa8\x00\x4b\xd8\xa7\xac\x12\xc3\xe1\x81\xbb" "\x6d\xe7\x10\xaa\xe1\xc7\x67\x6d\xfd\x2e\xd5\x7f\x3b\x35\x53\x29\x43" "\xdc\xa4\x47\x3d\xd1\x91\xbc\x41\xde\x55\xa2\xdb\x01\x3a\x73\x1a\x3f" "\x37\xe3\xaa\xbd\xe8\xf3\x58\xbb\xdf\xf5\x80\x5c\x22\x06\xc2\x14\xf5" 
"\x9a\x10\x31\x3c\xee\x9d\x50\x66\xb1\xf9\xc2\x2c\xa4\x3b\xe4\x08\xd7" "\x73\x32\x34\x9a\x17\x41\x3f\x29\x57\x60\xcf\xd1\xb6\x5e\x24\xda\xd1" "\x0f\xe7\x24\x27\xb5\x66\x47\x4c\xd0\x31\xda\x08\xc9\xd7\x15\x5e\x12" "\x7b\xb8\x85\x83\x3d\x53\x01\xd5\xfb\xf9\x1d\xad\x22\x68\x23\x86\x3f" "\xce\x53\x8f\xa6\xee\xb5\x76\x5f\xe3\x15\xe1\x9b\x7d\xe5\x9f\xd8\x7b" "\x1d\xa3\xe5\xaf\x84\x2c\x6c\x5b\xa1\x68\x5f\x45\x00\xe4\xc4\x83\x2c" "\xf5\xf3\x04\xbd\x7c\x44\x38\x3d\x09\x5f\x8d\xca\x62\xdc\xac\xa1\xd6" "\xe2\x87\x3a\xb9\x7e\x2e\x82\xde\xc4\xf9\xc3\xca\x22\xaa\x01\xc8\x81" "\x82\xcf\x36\x1d\x40\x51\x80\xd6\xe3\xe8\x69\x90\x6d\x8d\xe3\xcc\x4f" "\x3f\x24\xb1\x0c\xb5\x95\xe9\x47\xc0\xfd\x3d\x45\xaa\xf1\xf3\xe4\xa2" "\x09\xca\xa4\xf7\xff\xe6\x4a\xdc\xf9\x4d\x7b\x83\x60\xe5\xc2\xe3\xf9" "\xa5\x39\xf0\x15\xcd\x9b\x97\x9c\xa5\x57\x8c\xb0\x2d\x23\x5e\x7c\xbe" "\x4a\x79\x73\x55\x0e\xd4\xa4\xa8\x2d\xaa\xd6\x93\xa2\x24\xab\x87\x89" "\x93\x24\x76\x33\x35\xa9\xe9\x43\xed\xd0\xd1\x6e\x81\xe6\x4f\x0e\x76" "\xec\x9f\x7c\x85\x04\x7a\xce\xa9\x86\x40\x8b\xd0\x53\x15\x63\x6d\x9e" "\x59\x15\xf1\xc2\x98\x17\x03\xec\xc4\x32\xbd\x82\x92\xdb\x3d\x3a\x27" "\x93\xf6\x18\x22\x4d\x23\xdd\x4e\xfc\xc0\x89\x59\xd8\x66\x84\xbb\x6a" "\x43\x67\x32\x9d\x4c\x41\xb6\x38\x38\x88\x3b\x67\x55\x9c\xac\xf4\x75" "\x55\xe1\xdc\xdc\xa6\xa4\x27\xc1\x9f\x6f\x3b\xde\x6a\x40\x51\xb0\x43" "\xc7\xec\x57\xff\x75\x54\x63\xf2\xaa\x9a\xa8\x1f\x2f\xd6\x7a\x40\xb4" "\x5b\x5c\x9d\x72\x5e\x28\xe6\xb0\x83\x2f\x54\x79\x9d\xa3\x0e\xba\xd6" "\x7d\xa1\x4e\x0f\x1c\xa5\xdb\xfd\x33\x00\xe4\xbc\x70\xa2\x27\x8c\xe7" "\xad\x04\x82\xf2\xf3\x4c\x39\x01\x8a\x3b\x47\x95\xd4\xcc\xae\xf2\x10" "\x26\xb6\x68\x9b\x9e\x7e\x8a\x40\xa2\x3c\xa7\xc9\x95\xbb\x72\xf2\x63" "\xb5\x11\xb4\x8b\xb1\xad\xb9\x05\x13\x66\xf3\x79\x67\xff\x31\x74\x6d" "\x56\x92\x25\xef\xbd\x92\xf5\xe8\x6c\x84\xf7\x5b\x06\xb6\xaa\x12\x2c" "\xb8\xc4\x81\x12\x22\xe7\x03\x11\x6f\x0d\x7c\x30\x2f\x9d\x57\xb4\xf8" "\x02\x74\x45\x38\x7d\x6c\x2b\xa3\xa8\xc3\x3a\x1f\x7f\xaa\xa3\xb3\x29" 
"\xbe\x09\x91\x7a\xa1\x82\xfa\x82\x71\x14\x9b\x37\xb4\x46\xf3\xd4\xbd" "\x67\x79\x30\xf2\x36\xd3\x4e\x11\x2e\xbb\xc2\x8f\x46\xb3\x73\x78\xbc" "\x58\xb1\xab\xb7\xf2\x2c\x07\xca\xda\x9c\x8f\xa8\xcb\x11\xd1\x82\x0e" "\x31\xfc\x60\xf6\xa2\xdc\x53\x5d\x62\x85\x83\x1e\xd5\xe7\x3b\xdb\x44" "\xb0\x3c\xf6\x64\xfa\xf5\xcf\xf0\x12\xde\x41\x45\xc7\xbf\x76\x2e\x9c" "\x32\xaa\xd4\x2f\xcc\x22\xc1\xf2\x6d\x8c\xb1\x7f\x43\xfa\xe4\xea\xc6" "\x06\x11\x22\xbb\x32\x48\x80\x28\xfc\x12\x8a\x7a\x15\x4e\xeb\x0e\x99" "\x36\x1f\xa8\x37\xf5\xf6\xb0\x86\xf9\x6d\xaf\x9d\xb9\x3f\x08\xb7\x2e" "\x51\xab\xc2\x4f\x6b\x21\x54\x8a\xec\x67\x37\x2c\xec\xcf\xd7\xa9\xd2" "\x18\xbd\xca\xa5\x6f\xec\x76\x92\x5c\x57\xdb\xb6\xcb\x57\xc7\x4f\x42" "\x4e\xf4\x50\x53\x24\xce\x54\x02\xd8\xa0\x9a\x59\x10\x8d\x52\x32\x2f" "\x63\x28\x8b\x64\x95\xbb\x2c\xad\xa8\xc5\xc2\xe6\x98\xe9\x4a\x18\xe1" "\x18\x2b\x71\x98\xa1\x92\x49\x36\xea\xb3\x3f\x6e\x96\x0a\xe5\xe1\xf8" "\x9a\xc3\xed\xc6\x57\x1d\xd8\xf6\xcc\x30\x07\x23\x50\xfa\xba\x68\x8e" "\x71\xf0\x01\x8b\x72\xaf\xb1\x65\xed\x1c\xaf\x52\x12\xb7\xd7\x11\x33" "\x26\x84\x53\x09\x31\x40\x37\x4e\x4d\xaa\x8c\xbc\xa1\x4e\xe1\xc1\xf4" "\x7b\x3f\xdf\x74\x63\x0a\x12\x68\x0f\x54\xe1\xeb\x76\xd8\xf8\x00\x8a" "\x53\x50\xc0\xf1\xf0\x74\x18\xf8\x03\x21\xa0\x64\x98\x11\x58\x6a\x78" "\xa3\xa2\x8d\xa4\x04\x6d\xb0\x67\xaf\x9c\x7f\x89\x4e\x04\x01\xe7\x50" "\xaa\xc8\x99\x05\x4d\x2e\x8c\x80\x80\xc1\x01\x42\x68\x4e\x5a\x91\xe9" "\x19\x55\xe5\x24\x0f\xd1\x88\x71\x14\xbd\x65\xcb\xd8\xeb\x36\xaa\x63" "\x46\x1b\xee\xc2\xff\x9d\x90\x42\xd9\xbc\x9a\x28\x6b\xe3\x76\x6a\xef" "\x41\xd5\xbb\xa9\xfb\xbd\x18\xd3\x3d\x60\x80\x28\xd3\x2a\x3f\xad\xa7" "\xb0\x39\x0b\x6c\x69\xb2\x78\x43\x61\x36\xa7\xd6\x31\xb0\x58\x2b\x04" "\x52\x2f\xf9\xbf\x0f\xf5\x7a\x2c\xf0\x70\x23\xa2\x70\x54\x02\x75\xf6" "\x13\xce\xf5\x03\x2e\xab\x53\xcc\x2e\x09\x4c\x50\x0c\xad\x34\xa4\xf5" "\xe7\x75\xb5\xef\xc2\x5f\xac\xbe\x43\x29\x51\xdd\x20\xfd\xe5\x51\xa8" "\x84\xc7\x1a\x36\xff\x3d\xdb\x5b\x83\x22\x05\x77\x42\xf4\x87\xbc\x77" 
"\x09\xfe\xdc\xf5\xc7\xf6\x0b\xe6\xda\xf9\x6d\x16\xec\x37\x58\xf4\xfd" "\x9d\x75\xc0\x21\xc7\x3c\xd9\x48\x98\xf4\xbd\xef\xd1\x54\x7c\xad\x5b" "\xda\xab\xf2\x8c\xc6\xb9\x45\x86\x32\x9c\x0e\xbf\x79\xc9\x1f\x72\xaf" "\xb1\xb1\xc4\xf5\x46\xd9\x0a\xcc\x09\xc0\x9c\xef\x72\xb3\x03\x6d\x72" "\xa2\x34\x44\xf3\xdb\x56\x83\x79\x67\x40\xc8\x4f\x41\x09\xfd\xe7\xbe" "\x1c\x49\x39\x2c\x76\xe7\xcf\x1f\xaf\xad\x34\xcc\x1d\x5c\x93\x6a\x8c" "\x5f\xa7\xb4\xfc\xb2\x81\x9e\xe0\x04\x07\x51\x77\x8b\xc2\x49\x3a\x64" "\xbd\xd5\x6c\x41\xc9\x87\x4d\x0c\x2b\x24\x75\x2b\x00\x72\xdf\xd5\x32" "\x6b\x13\xd7\x56\x39\xaa\x08\x3c\xb8\x08\x92\x23\x32\x51\x1c\x29\xe0" "\x37\x94\x2d\x1c\x7d\xc1\x2c\xd6\xf6\x4c\x35\x57\x81\x1c\x8e\x2e\x5c" "\x1b\x49\x9f\x95\x45\x8b\x66\xe3\xe4\x0f\xe2\x8e\x59\xd0\x8b\x35\x4f" "\x84\x04\x96\x6e\xf2\xed\xd1\x4e\x2a\x9d\x11\xec\x87\x6d\xa7\xbc", 4096)); NONFAILING(memcpy( (void*)0x20001600, "\x1f\x0b\x9e\x51\x3a\x42\xec\x67\x9e\xbf\xd4\x1b\x28\x32\x41\x18\xd4" "\xc1\x62\x8f\xe0\x2a\x97\xc6\x13\xf3\x13\x57\x1d\xd0\xef\xd6\x3d\x67" "\x9e\xb1\x02\x4d\xda\xc2\x0c\x2e\x38\xea\x13\x40\xa5\x1c\x47\x9e\x35" "\x4d\x14\xa4\xae\xda\x95\x9b\x8c\xda\x34\xc8\xed\xb7\xd6\x27\x98\x5d" "\x89\xc8\x5d\xff\x22\xf8\xb6\xb1\xa3\x3f\x2e\xa9\x02\xfe\x64\xea\x14" "\x07\x1d\x78\xa2\xf2\xa5\x9f\x5f\x43\xff\x3d\xc5\xa5\xd0\xd1\x29\x2f" "\xad\xca\x2c\x61\x12\x56\x14\x85\xce\x3e\x23\xa1\x54\x84\x08\x6b\xde" "\x5e\x6c\xba\x08\xc0\xa2\xb6\x53\xd9\x7d\x08\x9e\x25\x9b\x0e\x04\xeb" "\x6b\x2f\xa6\x1b\xc5\x1a\x83\x4d\x22\xc0\xe9\x04\xf7\xc4\x3f\xdb\xf5" "\x3f\x05\x5d\x7d\x0b\x1f\x19\x69\x15\xc2\x3e\x0e\x5d\x1e\xdc\x3c\x11" "\x0c\xa2\x19\x61\xd4\xb0\x97\xdb\x18\x84\x9e\x10\x16\x53\x6c\xa5\xf4" "\x24\xba\xec\x55\x43\xef\x5b\x0c\xe5\x6a\xa6\x3f\x52\x53\x38\x3d\x7d" "\x7b\xe6\xaa\x1b\x96\x7f\x14\xb0\x08\x1c\x76\x83\x12\x0d\x19\x54\x4f" "\x8d\x30\x3e\x1d\x26\xc5\xe8\x4e\xb6\xae\xfa\x23\xaa\x33\x33\xca\xcc" "\xb0\x4f\x32\xc5\x14\xb4\xe7\xe6\xf7\x32\x39\x22\x69\x90\x82\x7e\x11" 
"\x85\x17\x30\xf3\x2f\x3a\x9c\x85\x2e\xfb\x05\xdc\x52\xcc\xcb\xf7\x82" "\x93\x33\xc9\x04\x1c\x12\x2d\x22\x11\x02\x06\xef\x09\xea\x31\xdf\xa8" "\x16\x9a\x1f\x29\x09\x96\x7a\x3d\x7d\xe2\x54\x2c\xd8\x79\xeb\x93\x56" "\x3a\xdc\x11\x82\x75\xad\xed\x4c\xdb\xe0\x9b\x4d\x4b\x12\x86\xfa\x17" "\x78\xaf\x4a\x4c\x85\x0b\x45\xf3\xb7\xde\x86\xf8\xe6\x77\xe5\x1c\x13" "\x89\x7a\x38\x80\xa1\x92\x4c\xb8\x27\x99\x52\xfd\x9e\x05\x2d\x0f\x3e" "\xe1\x36\x26\xc5\xf3\xfe\x52\xd3\x03\x38\xe6\xb3\x7a\x95\x93\x31\xd6" "\xed\xf0\xf4\x7d\x3e\x33\x53\xf9\xd7\x76\xc2\xea\xbc\x8b\x84\x45\x46" "\x39\xe2\x8f\xc0\x80\x02\x97\x3d\x0f\x51\x87\x07\x7a\x1a\x63\x04\x10" "\xd2\x45\x29\x13\x31\xb1\x52\xdb\x41\x20\x5e\x5f\xc5\x18\x8c\x7b\xb5" "\x3d\xd7\xf9\x1a\x6d\xdc\x74\x96\x16\x71\x9d\xe9\x00\xe9\xe5\x96\x81" "\x98\x3f\x3e\x27\x21\x4d\x79\xb7\x4e\xc8\x36\x4f\xd4\x0b\x99\x46\xb0" "\xc1\x2d\x7b\x88\x44\xb5\xa3\x5e\x79\x58\x0d\xdb\x84\x45\x2f\x8f\xc1" "\xf7\xe3\x27\x72\x6a\xd7\x88\x11\x98\xc6\x39\xc0\xbc\x3e\x83\x00\x24" "\x6e\x3c\xde\x72\xea\x43\x22\x7b\xb8\x43\x0d\xa2\xd7\xa7\xe5\xb4\x68" "\xac\xb5\x56\x83\x3d\xa0\x77\x31\x20\x5c\xf0\x0e\x8e\xaa\x5a\x0a\xcb" "\x1d\xb0\x3c\xa5\x1f\x30\xac\x7c\x5a\x61\x67\x19\xb3\xa8\x05\x76\x00" "\xbe\x4c\x3b\x5b\x28\x4e\x64\x4a\x4b\xf2\x39\x9a\x1d\x26\x68\xf3\x0c" "\x7f\x0d\xe6\x55\x80\x8a\xb3\x09\x6b\xda\xfd\x9d\xcc\x6e\xbf\x76\xfa" "\x3a\x1f\xeb\xf3\x11\xcf\x7d\x78\x81\x2b\x64\x9f\xe4\xba\x04\x73\xcb" "\x65\xa3\x4c\x5c\x38\x0c\x78\xec\xb0\xdd\xd8\xa8\x17\xf2\x16\x37\x57" "\x55\x75\xe1\xd7\x40\x75\xad\x74\xea\x68\xb2\x26\xbe\x01\x95\x0d\x3a" "\xd5\xa8\x4a\x19\xd8\x4a\x1c\x23\xc3\xda\x76\x4e\x51\x2b\x97\xe0\x0b" "\x99\xfa\x1e\x2c\x67\x52\x73\xf9\x15\x1e\x15\xf8\x38\xd1\x30\x33\x20" "\xdb\xd4\x6e\x69\xf5\x49\xf0\x4f\x13\x37\xe9\xe4\x90\x42\x78\x63\x27" "\x08\x88\xf7\xcc\x52\x5f\x5a\x55\xda\xa6\x0a\x73\x67\xe2\x91\x2f\x6e" "\x5a\xdd\x37\x3d\x1a\xaa\xa1\x1a\x66\xe8\x9b\xcc\x97\xca\x16\x46\xa8" "\xd8\xac\xc4\x0d\x66\x44\xef\xce\x3b\x56\x33\x14\xae\x41\xc6\xa2\x06" 
"\x53\x78\x81\x54\x06\x4c\x53\xc8\xf9\x88\x5c\xf8\x47\xb3\xeb\x4a\x54" "\xdc\x7a\x30\x4a\x33\x54\xdb\x7f\xd6\xd7\xa2\x2e\xff\xc1\x9b\x01\x0c" "\x44\x88\xa5\xf3\x35\x29\x52\x7f\x9a\x95\x7f\x1f\xae\x7a\xc0\x46\x88" "\x19\x43\x90\x6f\x07\xdb\xb0\x8e\x84\x8c\x01\xe4\x32\x49\x96\xaf\x4e" "\xbb\x78\xbd\x21\x10\xc6\x6f\xfe\xd0\x93\x9f\xe5\x94\x9a\x52\x20\x0c" "\x7f\xd3\xfc\x44\x78\x9f\xd1\x76\x57\x65\x46\x88\x27\x4d\x65\x85\x1a" "\xd1\x68\x5b\x9d\x03\x7b\xad\x5d\x3c\x9f\xa4\xca\x4e\x1b\xa0\x84\x8b" "\xae\x22\x05\xe3\x26\x4a\xf2\xe6\x09\x04\xa9\x75\x24\xfc\xea\xf8\xa3" "\x05\x02\x28\x7b\x58\x3e\xe8\xca\xb9\x7b\xd4\x5b\x3c\x4a\xbc\x1b\x53" "\x69\x83\x98\xf3\xd9\x46\x65\xb7\x5f\x1c\x48\x5b\x3d\x58\x20\xbe\x16" "\xd1\x4f\xe5\xc8\xfb\x2d\x76\xf5\x9c\xae\x6d\xcd\x89\x2d\x3d\x19\x56" "\xb9\x86\x46\xfa\x0c\x02\xa0\xbf\x0b\x9b\x18\x2c\x70\xe7\x1c\x7c\xb8" "\x2c\x21\xc8\x25\x48\x7c\x41\xd7\xc7\xf9\x54\xfd\x6e\x0b\x7b\xf8\x04" "\xb9\x54\x41\x1e\x66\xa5\x5c\xf9\x5a\x07\xb6\x48\x55\x9e\x09\x56\x22" "\x6d\xad\xb0\x3b\x76\x01\x5d\x1c\xaf\xf9\x1a\x71\xba\x88\xbf\x93\x85" "\xdc\x2c\xa5\x9b\x84\x29\x2e\xac\x5a\xc0\x9c\x7a\x4e\x90\xd1\x87\x22" "\x09\xeb\xb5\x90\xa6\x8d\x54\xce\xe3\x5d\x8d\x6c\xcb\x8d\xdd\xff\x7b" "\x06\x2e\x56\x72\x6a\x92\xb3\xa1\x98\x62\x52\x58\x6c\xd7\xbb\xb5\x6e" "\xe8\xb8\x1e\xbc\x65\xd2\x12\x52\x69\x7f\x2b\x01\xb7\xee\xb9\xe7\x67" "\xd6\x92\xfa\xdf\x37\x3e\x2a\x85\x9a\x1d\xd2\xb1\xa6\x60\xc4\x1f\xf3" "\x03\x5e\xd6\x37\x79\x1d\xa2\xf3\x43\xff\x22\x60\xdc\x78\xc2\xc5\x8b" "\xe4\x08\xe5\x94\x0b\xb2\x5f\x8e\xb4\xdb\x66\x6b\xf7\x63\x2b\xd7\x70" "\x5e\xf3\xe3\x14\xe0\x11\x1d\x85\x04\x21\x53\x0d\x76\x03\x71\x23\xc1" "\x2b\x26\x53\x26\x3f\x16\x58\x81\x91\x63\x0e\x75\x92\xd5\x38\x90\x17" "\xd3\xb1\x7e\x83\xdd\xbf\x57\x9c\x73\xbf\xf2\xd5\x1a\x88\x86\x17\x43" "\xa2\xce\xcd\xe3\xe5\x12\xe0\x82\xde\xc7\x10\x54\xdb\x4a\x3f\x75\x3f" "\xa0\x84\x58\x51\xa2\xf9\xcb\x42\x63\x5c\x25\x67\x07\xa9\x19\x31\x2a" "\x26\x37\xff\xc8\x26\x71\xa2\x85\x79\x0f\x0f\xe3\x92\x13\x33\x78\xb5" 
"\xc4\xa5\x0e\x78\x02\x21\x24\x58\xc9\xdd\x30\xab\x52\xe4\xed\x52\x39" "\x7a\x67\xc9\x2c\x87\x18\xcc\x1b\xfa\xef\x14\xf1\x1d\xfd\xe8\x22\x2f" "\x6c\x89\xd0\x74\x15\xec\x4f\xae\x48\x46\xda\x25\x0b\xb5\xa7\xeb\xfb" "\xd8\x4f\x25\xbb\xba\x99\x21\x66\x7d\x8a\xf3\xbd\x56\x22\xff\x3b\x7d" "\x6b\xf9\x3a\xc9\xc8\x90\x72\xe4\x11\x5b\xc0\xb4\x75\x54\x85\xa9\x52" "\xda\x61\x83\x31\x18\x74\x05\x1b\x83\x29\x91\xc1\xb3\x49\x0f\xf9\xcf" "\x19\x8a\xd3\x85\xa5\x00\x9f\xaa\x1d\x7f\xc6\xd4\xd9\x63\xb3\xc6\x4e" "\xac\xc5\x61\x36\x35\x6b\x52\xd9\xc6\x61\xbf\xd9\x05\x1e\xe1\x19\x26" "\x40\x57\x26\xd0\xbf\xd6\x16\xea\xa7\x2f\x49\x77\x3d\x57\xa8\x0c\xf8" "\xdf\xc0\x88\xbb\x6c\xad\xe1\x5f\x4f\x50\xdc\x72\xaf\x7f\x09\x1f\x0c" "\x9a\xb0\x73\x7e\xaa\x60\x30\xcc\x00\xc5\x67\xdb\x26\xb9\x94\xe1\x2b" "\x9d\xdb\xb4\xd8\xb3\x40\xfb\x8b\xca\x28\x12\x5c\x30\x0b\x92\x5a\xa0" "\xdd\x43\xaf\x4e\x16\x7c\xa4\xec\x37\xc5\xdf\xff\x55\xed\x85\xcb\x90" "\xe3\x74\x45\x25\x49\x2c\x9b\x08\xd0\x43\x4d\x2a\x26\x43\xa6\xdc\x79" "\xbb\x4e\xe2\x95\xf0\x47\xc3\x19\x5e\x03\xe0\xb0\x16\x29\xaf\xfc\x57" "\x74\x18\x1d\x09\xcd\xd0\xe6\xc6\x81\x63\x07\xb3\xe8\x94\x3c\xaf\xd1" "\xf3\xac\x6f\xc7\xf4\xd7\x7d\x61\xa3\x86\xf9\x84\x15\xd6\x7c\xe0\x2b" "\x80\xe0\x1f\x28\x49\xcf\x74\x0a\x73\x1a\xae\x2b\xc2\x6d\xe3\xb1\x1e" "\x5c\xe3\x7f\x6d\x22\x83\xba\xd9\xdb\x85\x5f\x30\xde\x91\xfc\xa2\xf8" "\xfe\x78\x0f\x30\x56\xd2\xc6\x92\x4e\x99\x07\xac\xe9\x77\xeb\x24\x83" "\xf9\xac\xd1\x01\xc2\x1c\x8d\xe0\xf0\x8d\x54\xc5\x6e\xca\x96\xa4\x10" "\xf7\x37\x5a\xde\x38\xcf\xbd\x5a\xb9\x8c\x7f\xb3\x2e\x60\xfa\x4b\x6f" "\xd0\x77\xa7\x82\x7f\xbf\x72\x5a\x32\xdc\x13\x4c\xb0\x06\x08\x4f\x4b" "\x77\xdb\x72\xbc\xf6\xd2\xe5\xa0\x69\x98\xe8\xe2\xe3\xf0\xd3\x72\xbf" "\xb4\x94\x26\x0a\x2e\x4c\x43\xe1\x77\x84\x2e\xc4\x7d\x6b\xad\x1b\x77" "\x8b\x93\x61\x20\x1d\xbf\x05\x4d\x36\x0b\x05\x4b\x5b\x68\x9e\xc6\x84" "\xdf\xac\x02\xdd\xfe\xd5\x61\xe7\xbb\xb9\xad\xcf\xb1\xb9\xb4\x73\x18" "\x69\xc8\x60\x4e\xf5\x86\xf2\xa1\xec\x8e\x48\x06\x60\x8f\xe1\xc9\xd4" 
"\xbd\x80\x37\xf3\x4e\x38\xdd\x80\x64\xfa\x8b\x6b\xe3\x5d\xd2\x1a\xd6" "\x42\x42\x02\xfa\x00\xaf\x97\x93\x6b\xfc\x1b\xbd\x88\x19\x27\xbb\xbd" "\x8a\xd9\xd4\xe7\xb6\x44\x54\x3a\x1c\xd0\x27\xa2\xdb\x3d\x7d\xd5\x3b" "\x6e\xcd\x99\xaf\x6c\xdb\x46\x78\x9b\xba\xf3\x1f\x86\x9a\x12\xbf\x8c" "\x90\x4b\x49\xe2\x86\xe7\xad\x97\xea\x2a\x9d\x3d\x27\xe3\xa3\x60\xc5" "\x3e\x61\x63\xfd\xf0\x59\x23\x4f\x54\xb3\x90\xee\xcc\x47\xc6\x34\x53" "\x17\x27\x26\xe2\xc9\x47\xeb\xc1\x82\xf4\xb6\x8a\x57\x15\x91\xc4\xc8" "\x69\xa1\xfd\x88\x40\x66\xb6\x59\xa6\x81\x12\xbc\x70\x8e\x85\x64\x27" "\xa5\x1e\x04\x9b\xdf\xf3\xc7\xe0\xc4\xdd\xdf\x8e\x40\xd6\x93\xc2\x2b" "\x29\xc3\x52\x54\xce\x4d\xc0\xda\x58\xa2\xaf\xaf\x20\xb8\x31\x6e\x61" "\x5c\x20\x26\xef\xc8\x59\xe5\x7d\x0f\xd9\xc8\x0f\x24\x00\x2b\xc3\x09" "\xe5\x98\x41\xef\x46\xea\x8f\x3c\xc3\x69\xd3\x65\x4d\xdd\x2a\x9d\x3b" "\x4f\x26\x79\x37\x66\xef\x01\xb8\x35\xfd\x2e\x80\x9f\xde\xef\xdf\x34" "\xeb\x90\xae\xe4\x4a\xaf\x80\xb8\x96\x46\x04\xd5\x65\xe6\x3b\x23\x6b" "\x85\x7f\x57\x1f\x5c\xc4\xaa\x3b\x4b\x6e\x7f\xfb\x7b\x77\x1b\xea\xa8" "\x83\xbc\xa1\x27\xb0\xb5\x5f\xf7\xc0\xce\xa7\x6e\x47\xb8\xb6\xb2\x89" "\xaa\xd3\x6a\xde\x22\x97\xaf\x1a\xd7\x0d\x06\x83\x4a\xa4\xe6\x8e\x87" "\x84\x23\xa1\x52\x4a\xdd\x21\x46\x12\x75\x1c\x28\x58\x39\x8d\xa5\x65" "\x1d\xba\xa6\xd4\xac\x1e\x1f\x7b\xf4\xb0\xb1\x53\x3f\xb7\xf2\x55\x88" "\x7c\x6a\x59\x64\xd8\x7f\x38\x77\x84\x2e\x15\x94\xfd\xc9\x4a\x61\xd5" "\x09\x34\x37\x80\xa8\x66\xe6\x02\x84\x6f\xf5\x2e\x20\x9b\x28\xc8\xa9" "\xf1\xd9\x69\x34\x41\x3d\x84\x49\x93\xfb\x90\x0a\xaa\x1b\x2a\x5b\x25" "\x9a\xdb\x41\x84\xe6\xaa\xf8\x02\xeb\x31\xf1\x0e\xfe\x6f\x33\x9a\x92" "\x99\x50\x67\x7f\xec\x48\x19\x9f\xed\xe2\x30\xe3\xb0\x1d\xfe\x4d\x58" "\xff\x22\x7f\xa8\x21\xd9\x78\xdc\xb6\x41\xbe\x0b\x0e\x21\xf5\xbc\x0c" "\xfb\x9d\xcd\xc6\x6f\x7d\x78\x83\x48\x3b\x53\xcd\x0b\x04\x38\x9e\x91" "\xe5\x16\xf9\x01\x75\x28\x8a\xc3\x0f\x0b\x7b\xc0\x0e\x9c\x0f\x5c\x1a" "\xdb\xac\x2a\x8f\x89\x4e\x96\x78\xb4\xae\x8e\x56\x5e\xfa\xae\x2c\x60" 
"\x57\xdc\x06\x6a\xc4\xbb\xb5\x6f\x82\xcc\xa1\x3e\x78\xd6\x38\xcd\x17" "\x03\xa8\xeb\x68\x71\xca\x63\xaf\x19\x91\x91\x74\xa6\xdc\x8d\xbd\xa2" "\x2b\xf7\xd9\x89\xfc\x70\x11\x5b\x41\x53\xbd\xcb\x72\x56\xea\xd7\xe1" "\x7b\x69\x5d\x0b\xbf\x98\x97\x43\xe7\x94\x40\x66\x22\xdc\xde\xc0\xe0" "\xd6\xee\xb5\xe2\x63\x51\x5b\x2c\x86\x85\x28\x7d\x0f\xde\x05\x07\xac" "\x46\x89\x71\xd8\x5e\x50\x29\x7c\xae\xb1\x3b\xa1\x08\x05\x3c\x6a\xa3" "\x3b\x7e\xa2\x61\x8e\x59\xee\xd1\x35\xa8\x24\xc9\xbd\x08\x18\x41\x4b" "\x0e\x6e\x0c\x46\xf2\x20\x86\x98\x06\x65\xf8\xe9\x51\x7d\x00\x3d\xaf" "\x0e\xe6\xb5\x9c\x7a\x33\xd1\xca\x60\x57\x8a\xcc\x71\x63\x9e\x23\xc9" "\x58\x89\x6c\xd5\x30\x5c\xfb\x0d\x63\xba\xb6\x4d\x94\x83\xf0\x11\x12" "\x69\xef\x16\x5d\x54\x0e\x4c\xd4\x40\x68\x06\x2c\x7d\xcc\x09\xe3\x06" "\x6d\xe0\xc9\x03\x3a\xe0\x67\xa0\x39\x00\xa2\xbd\x73\xfb\x67\xe1\xd3" "\x40\xad\xb9\x69\xd2\xbe\x16\x9f\xc0\x59\xa1\x83\x4a\x6f\x85\xf3\xac" "\x65\x1f\xed\x22\x79\x00\x6b\x45\xca\x0e\x6f\xa7\xe5\x33\x2a\x1a\x68" "\xd8\xd0\xd7\x7b\xf6\x2c\xb2\xe1\xd9\xa0\xd0\x44\x2a\xaf\x9a\x98\x9d" "\x81\x92\x05\xd0\x11\x9b\x0a\x07\x07\x3a\x13\xb6\xfc\x7c\xff\x49\x0c" "\x53\x1f\xbc\xcb\x48\xa4\x49\xf5\x45\x16\x8e\xcd\x67\x3c\x28\x8c\x9c" "\x64\xc4\x83\x43\x0b\x20\x79\x84\x68\x4a\xff\xf2\xd0\xc6\x02\x7c\x86" "\xfc\x10\x74\xe9\x63\xc4\x80\x35\x5b\x6d\x17\xc6\xb0\x0a\x98\xd9\x1e" "\xcc\x0a\xa6\x20\x74\x92\xfe\xe5\x20\x12\x31\x7c\xb6\x48\x56\x16\x27" "\xcf\xd7\xa6\xeb\xdf\x92\xd2\xfb\x0b\x75\x64\x5d\x69\x9f\x8d\xea\x51" "\x5b\xc7\x42\x08\x1e\x63\x26\x8e\x62\xe9\xd4\xa7\x26\x87\x5c\x5c\xc7" "\x68\xe5\xba\xed\xd0\x0d\x54\x6a\x49\x50\x93\xcc\x4d\x79\xa9\x40\xf1" "\x00\x6e\x66\xcc\x14\x99\x8e\xce\x51\xbc\x18\x81\x94\x25\xe7\xdf\x60" "\x47\xbd\x01\x8d\xa9\x81\xb7\x1c\x6e\x47\xe5\x11\x50\x95\x04\xf0\x6d" "\xa6\x7a\xcf\x7f\x4a\x4c\x84\x53\x46\xf1\x60\x1c\x6a\x4f\x29\xc4\xbd" "\x30\x89\x6b\x0a\x0e\x06\x61\x8c\x8b\x32\xbd\x8f\xa8\xe8\x25\x6d\xbb" "\x86\xa6\x57\x4d\x32\x4f\x75\x64\x6a\x83\x61\x77\xc6\xa8\x33\xe7\x8a" 
"\x39\x26\xaf\x3e\xd9\xc8\xed\x36\x3a\xe9\x22\x4b\x75\x23\xd8\xb9\x34" "\xea\xe9\x69\x80\x1e\x09\x0a\x15\x60\xf4\x6a\x95\x42\xc1\x74\xaf\x01" "\x12\xd1\xd3\xc2\xac\xe7\x3a\xb1\x51\x0d\x3a\x62\xde\x7a\x17\x1a\x85" "\xe5\x9b\x31\xf2\xb3\x42\x7f\xbb\x25\x05\x87\x6b\xb5\x1e\xfc\xa7\x6a" "\xe5\xcb\xfc\x73\x0c\x06\xb0\x58\x17\x3a\xd3\x9b\xc8\x05\x09\xee\xfc" "\x19\xdd\x47\xcb\x7e\x5f\xee\x84\x88\xa0\xe9\x90\xd8\xe6\xc0\x04\xf1" "\xaf\x86\xd4\x83\xf5\xde\x85\x8e\xd2\x6b\xca\x32\xa2\x5c\x35\x28\x63" "\x6c\x62\x83\x5a\xcf\x02\xe9\x5d\xdf\xce\x3f\x91\xd3\x92\x4f\xc1\xdb" "\xe2\x84\x46\x29\xb7\x80\xd1\x4a\xd1\x43\x43\x7c\x60\x12\x8b\xf5\x5b" "\x1b\xbf\x76\x5b\x99\xb0\xd7\xcc\x6b\xef\xa7\x77\xd3\x1d\x61\xe5\x58" "\x38\x79\x41\xfc\x41\x8e\xd9\xc6\xc1\x33\x28\x75\x48\xb7\xd7\xb5\x00" "\x8a\x98\xb1\x4e\x61\x55\x00\xb1\xab\x2f\x7d\xf8\x57\x82\xda\xca\x43" "\xb2\xa3\xea\x87\x12\xd2\xff\xc6\xfa\x73\x4e\x91\x58\xda\x06\xdd\x4f" "\xbe\xd0\xf6\x7d\x30\x86\xed\x8c\x58\x82\x5b\x04\x57\xe9\xf2\x8b\x53" "\x17\x1e\x5b\xa0\xb3\x32\xd0\x1f\x94\xa4\x74\x08\x9d\x17\xf4\x6b\x60" "\xdb\x0d\x3e\x5e\xb2\x2a\x38\xc6\xe2\x6b\xc1\x11\x86\xad\x5d\xcf\x62" "\xbd\x0b\xf1\x0f\x96\x64\x94\x5e\x99\xd9\x0c\xeb\xa3\xfe\x90\xae\xe9" "\x91\xe5\xf7\xcc\x3b\xd5\x56\x9f\x99\x50\x06\x7c\xff\x31\xd7\xd2\x04" "\x0f\x5f\xa5\x13\x2b\xb3\x14\xb8\x7d\x5b\xf0\x41\xd0\xbe\x43\x1b\x54" "\x66\x4d\x3c\x6a\xf2\x55\xff\xf3\xb6\x8c\xe7\x5b\xab\x62\xd8\x66\x79" "\x29\xfc\x6a\xbc\xcd\xae\x8a\xfa\xc8\x9c\x2e\x80\x00\xe7\xf2\x2c\x68" "\xfc\x85\x22\x12\xda\xee\x06\xd3\xb7\xb2\xbb\x51\x69\xa8\xbe\x3b\xfb" "\x1d\x61\x68\xad\x23\xc5\x23\xaf\x3d\x6d\x04\x67\xb4\x35\x61\x05\x3a" "\xfe\x77\x6a\x8a\x94\xe2\xb8\xe5\xda\xde\x18\x4b\xe5\xf3\x4f\x1b\x09" "\x7f\x2c\x7a\x8b\x40\x46\x4e\x38\x86\xf9\xd0\xe0\xe1\x25\x96\xcf\x01" "\x7c\x94\x43\xde\xa6\x99\xa3\xa8\x93\x6d\x6c\x2d\x73\xe4\x92\x4a\x48" "\x1c\xb8\xaf\x9c\x69\x59\x55\x89\xd1\x5a\x0d\x46\x41\x52\x5d\xf7\x29" "\x93\x88\x7d\xd1\x61\x92\xd1\xb6\xfa\x01\x46\xa4\xc8\x2f\x28\xc5\xa9" 
"\xd5\x84\x9e\xf5\xfd\x77\x2f\x69\x66\x87\x5e\xa0\xed\x1f\x1c\x0e\xfc" "\xb2\xe4\x5e\x59\x67\x05\x2e\x14\x14\xb4\xde\x23\x6c\x3d\xa4\xe0\x5c" "\x61\x6b\x88\xa5\xf1\x47\xff\x1d\x99\x3e\xe4\x65\x09\x0c\x7e\xc1\x80" "\xfa\x6a\xdb\x8f\x1a\xcb\xac\xcc\xeb\xca\x4a\x21\x58\x43\xae\xea\x79" "\xe4\x75\x27\x60\x57\x7b\x75\xe5\xf3\x9e\xca\x7a\x92\x1e\xce\x10\xf8" "\x36\x15\x39\x3d\xbe\x9c\xf1\xc1\xef\xc2\x15\xc4\xac\x88\x9d\xe1\xe1" "\x0a\x71\xec\x31\x46\xe9\x42\xbd\xa0\xa3\xc9\xab\xc8\x76\x16\x91\x4d" "\xa3\xdb\xb1\xa6\xee\x54\xcd\xc5\x9b\xea\x74\x71\x94\xd2\x12\x16\x3f" "\x42\x16\x33\xa5\xa6\xef\xf9\xff\x1d\xa0\x55\x62\x6a\xea\x50\x73\x4b" "\x71\x06\x9a\x83\x06\x44\x84\x49\x94\x2c\x62\xbc\x64\x3a\x7c\x81\xe8" "\xe3\x58\x13\xb9\xba\x5e\x28\x01\x2a\x55\x87\x8a\x4c\x4f\x66\x53\xb9" "\x7c\x7d\x32\x8f\x90\x1c\x4e\x6e\x04\xd6\x85\x82\x31\xb0\xef\xc3\x28" "\x0f\x2f\x85\x92\xc6\x13\xe1\x16\x3d\x90\xe8\xcc\xf9\xbf\x6c\x62\x4d" "\x60\x6b\x19\xcb\x7e\x8f\x29\x7b\x8f\x53\x72\x5e\xdc\xfa\xb8\x15\x3f" "\x27\xa1\x47\x81\x08\x33\x8c\xf8\xe5\x06\x82\x70\xb3\xa4\xd6\xb8\xc7" "\x2c\x7c\xe5\x5d\xa0\xa0\x23\xa5\x49\x49\xc2\x21\x87\x4d\x75\x52\x7c" "\x2a\xa6\xcf\x6f\x39\x41\xf4\x90\x7b\xf1\x7d\xba\xbc\xac\x95\x77\xa8" "\xac\x8a\xb0\xca\x49\x0e\x7d\x01\x31\x75\x9a\x36\x5b\xe6\x7e\xa0\x22" "\xea\x3a\x32\x4a\xd8\x19\xbc\x48\xd5\x70\xf3\xe5\xef\xa2\xbd\xcc\x22" "\xd5\xfb\x1b\x86\xbf\x97\xc3\x03\x4e\xc6\x94\x8e\xd4\xfb\x2e\x36\xfd" "\x4b\xe4\x3c\x22\xd4\xa5\x0d\xcd\xbf\xfa\x7c\x19\x38\x63\x15\x4b\x41" "\x7f\x24\xa2\x91\xbf\x19\xa0\x49\xab\xe1\x4e\x68\xdb\xcb\xe3\x3d\x95" "\x14\xda\x91\x81\xd5\xba\xf1\xe0\xd4\x95\x0f\x29\x86\xd5\xb5\x74\x44" "\x78\xdc\xa2\x94\x11\xaf\x66\x53\x72\xf9\xb9\xd6\x2e\xa0\xc4\x22\xac" "\xa3\xd6\x75\xcc\x7f\xb3\xdb\x9d\xfe\xae\x4f\x3f\xf4\x50\xe1\x1d\xaf" "\x20\xc8\xa5\x33\xd3\x0d\xc0\x83\x7b\x6c\xfe\x66\xcc\xc3\xe0\x8f\xac" "\x9c\xf7\x11\x91\x14\xab\x9f\xf9\xc0\x6e\x70\xdb\xf0\x9a\x8b\xd1\x46" "\x0e\x7c\x71\xe9\x1b\x77\x77\xfa\xd1\xdc\x3c\xff\xab\x2d\x1b\xac\x90" 
"\xd6\x99\x2a\x4d\x2e\xf4\x93\xe1\xfd\x30\xbd\x50\xc9\x7e\xe1\x7e\x3c" "\x3c\x67\x3e\xd1\x7e\x39\xe0\x93\x24\x4d\x8f\x6d\x7c\x3e\x62\x66\x39" "\x05\x4a\x51\x85\xef\x0c\x9b\x40\x2d\x47\x0c\xbd\x6f\x2b\x0e\x61\x4d" "\xaa\xe5\x62\xc0\x3b\xb8\xec\x08\x98\x99\x65\xcc\xa1\xb4\xc8\x01\x92" "\xc2\x78\xdf\x55\x69\x0a\x21\xd5\xb5\x12\xc0\x7e\x36\x50\xf0\x74\x1d" "\x41\x4f\x32\x44\x37\xb6\x3c\xf0\xe5\xc4\xc0\xe3\x53\x13\x96\x1b\x0a" "\x7c\x3f\xc3\x03\xa4\xe6\x60\xfd\x9a\x33\x68\x1d\x78\x78\x1f\x8f\x2d" "\xb5\xa6\xb1\x15\x88\x06\x3c\x8c\x33\x77\x8b\x3d\x64\x58\x9a\x24\x33" "\x75\x7b\x4d\xa2\xaa\x32\x45\xfb\xec\xdb\x09\x78\xcc\x1c\xc2\x6e\xb3" "\x46\xad\x38\xb7\x46\x9e\x3c\x0d\x87\x4f\xc1\xaa\xc9\x46\x54\x88\x2e" "\xdc\x13\xf8\x2a\xbf\xba\x20\xfb\xec\x53\x57\x8f\x24\xf1\xb1\x45\x8e" "\x0f\x24\xa8\x8e\x5e\x5c\xd1\xbe\x97\x21\xe3\x32\xbb\xa4\xc7\x24\x79" "\x28\x19\xbb\x69\x6b\x49\x2d\x6e\xbb\xcc\xbe\x48\x76\x0a\x89\x1f\xdb" "\x4b\x11\x8a\x94\xf6\xe8\xd1\x6d\x0b\x18\x4e\xdf\x71\x3e\xaf\x11\xd5" "\x95\xde\xb5\xb2\x34\xdd\x56\x67\x70\xd6\xff\xbd\x7f\xcc\x4c\x32\xc0" "\x9b\xdb\x42\x0c\xd3\x8f\xe8\x0c\xcc\xe3\xf3\x7c\x41\xc2\x60\xc1\x52" "\x7f\xd0\x99\x47\xee\x84\x57\xfe\xcc\x4d\xa3\x08\xc2\xcf\x19\x64\x85" "\x81\xc1\xb0\xd3\xfd\xe0\xf6\x45\xce\xa0\xcf\x78\x50\xd5\x51\x1b\x21" "\x98\x2e\x4c\x7c\xda\x76\x96\xe8\x90\x94\x9a\xc5\x3a\xed\x5e\x9e\xf1" "\x6a\xf8\x53\x66\x97\xc1\x3b\x1d\xb9\x87\x5c\x8d\xdb\xd1\x39\x5a\xc7" "\xa6\xa4\x8e\x1d\xe6\x52\xd7\x1a\x94\x22\x74\x0e\xde\xa1\x6a\xbb\xf2" "\xad\x6b\xcb\xc1\x98\xaa\x14\x18\xeb\x9e\xda\x00\x0a\xf5\x5a\x17\x24" "\x3e\x08\x37\xa9\x09\x27\x56\x13\xa1\x71\xeb\x2f\x49\xf4\x5e\x7c\x2f" "\xce\xd8\x4b\xfb\x5f\x4b\x28\xc3\xda\xa8\xca\x08\x68\x0b\x27\x09\x5e" "\x74\x69\x0c\xc9\x94\x27\xec\x01\xa8\x82\x53\xb1\x24\x56\xcd\x8c\xb8" "\xc2\xc4\xaf\x6a\x2c\xe0\xd5\x97\xf4\x06\xef\xe4\x95\x03\x79\x9e\x61" "\x48\x98\x5c\xce\x9a\xb3\x9f\x0f\x9d\xa9\x1f\x79\x65\x1f\x0c\x38\x05" "\x26\xd2\x28\xf7\x54\xf2\xea\xa5\xba\xc5\x57\xe1\x7e\x9f\xe0\xea\xf8" 
"\x1e\x36\xe7\x7b\x63\xe7\x62\x65\xd1\xd0\x18\xff\xc7\x9a\xac\x1b\xdf" "\xf5\xec\x5b\x35\x76\x45\x51\xac\x38\xef\x56\xe3\xf3\x4c\xcf\x30", 4096)); syscall(__NR_ioctl, r[2], 0x4080aebf, 0x20000580); break; case 6: syscall(__NR_ioctl, r[2], 0xae80, 0); break; } } int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); install_segv_handler(); for (procid = 0; procid < 6; procid++) { if (fork() == 0) { use_temporary_dir(); loop(); } } sleep(1000000); return 0; }