// autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static unsigned long long procid; //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler@alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } else if (strncmp(fs, "gfs2", 4) == 0 && (strstr(opts, "errors=panic") || strstr(opts, "debug"))) { strcat(opts, ",errors=withdraw"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // syz_mount_image$exfat arguments: [ // fs: ptr[in, buffer] { // buffer: {65 78 66 61 74 00} (length 0x6) // } // dir: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 32 00} (length 0x8) // } // flags: mount_flags = 0x10890 (8 bytes) // opts: ptr[inout, array[ANYUNION]] { // array[ANYUNION] { // } // } // chdir: int8 = 0xf7 (1 bytes) // size: len = 0x150d (8 bytes) // img: ptr[in, buffer] { // buffer: (compressed buffer with length 0x150d) // } // ] // returns fd_dir memcpy((void*)0x200000000280, "exfat\000", 6); memcpy((void*)0x200000001840, "./file2\000", 8); memcpy( (void*)0x200000001880, "\x78\x9c\xec\xdc\x09\xb8\x4f\xd5\xf7\x30\xf0\xb5\xf6\xde\x87\xeb\x66\xf8" "\x26\x99\xcf\xda\xeb\xf0\x4d\x86\x4d\x92\x84\x92\x64\x48\x92\x24\x24\x73" "\x42\x92\x24\x49\x92\xb8\x64\x4a\x42\x92\x64\xbc\x49\xc6\x1b\x32\xa7\x9b" "\xae\x79\x1e\x32\x27\xdd\xfc\x24\x49\x12\x12\x92\xec\xf7\xb9\x0d\xaf\x7f" "\xbf\xe1\xdf\x6f\xe8\xf7\xe8\x7d\xef\xfa\x3c\xcf\x79\xec\xe5\x9c\xb5\xcf" "\xda\x77\x3d\xdf\x7b\x86\xe7\xb9\xdf\xaf\xba\x8f\xa8\xd9\xa4\x56\xb5\x86" "\xcc\x0c\xff\x0e\xfd\xeb\x00\x7f\xfe\x27\x09\x00\x12\x00\x60\x30\x00\xe4" "\x02\x80\x00\x00\xca\xe7\x2e\x9f\x3b\x63\x7f\x36\x8d\x49\xff\xd6\x49\xc4" "\x7f\x49\xa3\x99\x97\xbb\x02\x71\x39\x49\xff\x33\x37\xe9\x7f\xe6\x26\xfd" "\xcf\xdc\xa4\xff\x99\x9b\xf4\x3f\x73\x93\xfe\x67\x6e\xd2\xff\xcc\x4d\xfa" "\x2f\x44\xa6\x96\x52\xe0\x4a\xd9\x32\xef\x26\xef\xff\xff\x1f\xa7\xfe\x93" "\x64\xb9\xfe\x67\x0a\xf8\x8f\x76\x48\xff\xff\x7f\xa3\xff\xa5\xa3\xa5\xff" "\x99\x9b\xf4\x3f\x73\x93\xfe\x67\x6e\xd2\xff\xcc\x2c\xb8\xdc\x05\x88\xcb" "\x4c\x3e\xff\x99\x9b\xf4\x5f\x88\x4c\xed\x0f\x7f\xa7\xbc\xe1\xdc\xe5\x7e" "\xa7\x2d\x5b\x81\x2b\x01\x62\xff\xe4\x71\x42\x08\x21\x84\x10\x42\x08\x21" "\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42" "\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84" "\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08" "\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10" "\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21" "\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42" "\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\xc4\x7f\xdf\x39\x7f\x89" "\x01\x80\x5f\xc7\x97\xbb\x2e\x21\x84\x10\x42\x08\x21\x84\x10\x42\xfc\x71" "\xfc\x3b\x97\xbb\x02\x21\x84\x10\x42\x08\x21\x84\x10\x42\xfc\xf7\x21\x28" "\xd0\x60\x20\x80\x2c\x90\x15\x12\x20\x1b\x24\xc2\x15\x90\x1d\x72\x40\x4e" "\xc8\x05\x31\xb8\x12\x72\xc3\x55\x90\x07\xae\x86\xbc\x90\x0f\xf2\x43\x01" "\x28\x08\x85\xa0\x30\x84\x40\x60\x81\x21\x82\x22\x50\x14\xe2\x70\x0d\x14" "\x83\x6b\xa1\x38\x94\x80\x92\x50\x0a\x1c\x94\x86\x32\x70\x1d\x94\x85\xeb" "\xa1\x1c\xdc\x00\xe5\xe1\x46\xa8\x00\x37\x41\x45\xa8\xf4\xd3\x39\x33\xdc" "\x0a\x55\xe1\x36\xa8\x06\xb7\x43\x75\xa8\x01\x35\xa1\x16\xdc\x01\xb5\xe1" "\x4e\xa8\x03\x77\x41\x5d\xb8\x1b\xea\xc1\x3d\x50\x1f\xee\x85\x06\x70\x1f" "\x34\x84\x46\xd0\x18\xee\x87\x26\xf0\x00\x34\x85\x66\xd0\x1c\x5a\x40\x4b" "\x68\x05\xad\x7f\x27\x3f\x39\xd7\xdf\xcb\x7f\x16\x7a\xc1\x73\xd0\x1b\xfa" "\x40\x12\xf4\x85\x7e\xf0\x3c\xf4\x87\x01\x30\x10\x06\xc1\x60\x78\x01\x86" "\xc0\x8b\x30\x14\x5e\x82\x61\x30\x1c\x46\xc0\xcb\x30\x12\x5e\x81\x51\xf0" "\x2a\x8c\x86\xd7\x60\x0c\xbc\x0e\x63\x61\x1c\x8c\x87\x09\x30\x11\x26\x41" "\x32\xbc\x01\x93\xe1\x4d\x98\x02\x6f\x3d\x90\x03\xa6\xc1\x74\x98\x01\x33" "\x61\x16\xa4\xc0\xdb\x30\x1b\xe6\xc0\x5c\x78\x07\xe6\xc1\x7c\x58\x00\xc9" "\xd9\x16\xc1\x62\x58\x02\xef\xc2\x52\x78\x0f\x52\xe1\x7d\x58\x06\x1f\x40" "\x1a\x2c\x87\x15\xb0\x12\x56\xc1\x6a\x58\x03\x6b\x61\x1d\xac\x87\x0d\xb0" "\x11\x36\xc1\x66\xd8\x02\x5b\x61\x1b\x7c\x08\xdb\x61\x07\xec\x84\x5d\xb0" "\x1b\xf6\xc0\x5e\xf8\x08\xf6\xc1\xc7\xb0\x1f\x3e\x81\x74\xfc\xf4\x5f\xcc" "\x3f\xfb\xdb\x7c\xe8\x81\x80\x80\x0a\x15\x1a\x34\x98\x05\xb3\x60\x02\x26" "\x60\x22\x26\x62\x76\xcc\x8e\x39\x31\x27\xc6\x30\x86\xb9\x31\x37\xe6\xc1" "\x3c\x98\x17\xf3\x62\x7e\xcc\x8f\x49\x58\x10\x0b\x63\x61\x24\x24\x64\x64" "\x2c\x82\x45\x30\x8e\x71\x2c\x86\xc5\xb0\x38\x16\xc7\x92\x58\x12\x1d\x3a" "\x2c\x83\x65\xb0\x2c\x5e\x8f\xe5\xb0\x1c\x96\xc7\xf2\x58\x01\x2b\x60\x45" "\xac\x84\x95\xf0\x66\xbc\x19\xab\x60\x15\xac\x8a\x55\xb1\x1a\x56\xc3\xea" "\x58\x1d\x6b\x62\x4d\xbc\x03\xef\xc0\x3b\xb1\x0e\xd6\xc1\xba\x58\x17\xeb" "\x61\x3d\xac\x8f\xf5\xb1\x01\x36\xc0\x86\xd8\x10\x1b\x63\x63\x6c\x82\x4d" "\xb0\x29\x36\xc5\xe6\xd8\x1c\x5b\x62\x4b\x6c\x8d\xad\xb1\x0d\xb6\xc1\xb6" "\xd8\x16\xdb\x63\x7b\xec\x80\x1d\xb0\x23\x76\xc4\x4e\xd8\x09\x3b\x63\x67" "\xec\x82\x5d\xb0\x2b\x76\xc5\x6e\xd8\x0d\xbb\x63\x77\xec\x81\xcf\xe0\x33" "\xf8\x2c\x3e\x8b\xcf\xe1\x73\xd8\x07\xab\xab\xbe\xd8\x0f\xfb\x61\x7f\xec" "\x8f\x03\x71\x10\x0e\xc2\x17\x70\x08\xbe\x88\x2f\xe2\x4b\x38\x0c\x87\xe3" "\x08\x7c\x19\x5f\xc6\x57\x70\x14\x9e\xc1\xd1\xf8\x1a\x8e\xc1\x31\x58\x45" "\x8d\xc3\xf1\x38\x01\x59\x4d\xc2\x64\x4c\xc6\xac\x30\x19\xa7\xe0\x14\x9c" "\x8a\xd3\x70\x1a\xce\xc0\x99\x38\x0b\x53\x30\x05\x67\xe3\x1c\x9c\x83\xef" "\xe0\x3c\x9c\x8f\xf3\x71\x21\x2e\xc4\xc5\xb8\x04\x97\xe0\x52\x7c\x0f\x53" "\x31\x15\x97\xe1\x59\x4c\xc3\xe5\xb8\x02\x57\xe2\x2a\x5c\x8d\xab\x70\x2d" "\xae\xc3\xb5\xb8\x01\x37\xe2\x06\xdc\x8c\x9b\x71\x2b\x6e\xc5\x0f\xf1\x43" "\xdc\x81\x3b\x70\x17\xee\xc2\x3d\xb8\x07\x3f\xc2\x8f\xf0\x63\xfc\x18\x87" "\x61\x3a\xa6\xe3\x01\x3c\x80\x07\xf1\x20\x1e\xc2\x43\x78\x18\x0f\xe3\x11" "\x3c\x82\x47\xf1\x28\x1e\xc3\x63\x78\x1c\x8f\xe3\x09\x3c\x89\xa7\xf0\x24" "\x9e\xc6\xd3\x78\x06\xcf\xe2\x39\x00\x38\x8f\xe7\xf1\x02\x5e\xc0\x8b\x78" "\x31\xe3\xc3\xaf\x32\x18\x65\x54\x16\x95\x45\x25\xa8\x04\x95\xa8\x12\x55" "\x76\x95\x5d\xe5\x54\x39\x55\x4c\xc5\x54\x6e\x95\x5b\xe5\x51\x79\x54\x5e" "\x95\x57\xe5\x57\xf9\x55\x41\x55\x50\x15\x56\x85\x15\x29\x52\xac\x22\x55" "\x44\x15\x51\x71\x15\x57\xc5\x54\x31\x55\x5c\x15\x57\x25\x55\x49\xe5\x94" "\x53\x65\x54\x19\x55\x56\x95\x55\xe5\x54\x39\x55\x5e\xdd\xa8\x2a\xa8\x9b" "\x54\x45\x55\x49\xb5\x73\x37\xab\x9b\x55\x15\xd5\xde\x55\x55\xb7\xa9\x6a" "\xaa\x9a\xaa\xae\x6a\xa8\x9a\xaa\x96\xaa\xa5\x6a\xab\xda\xaa\x8e\xaa\xa3" "\xea\xaa\xba\xaa\x9e\xaa\xa7\xea\xab\x7b\x55\x03\xd5\x17\x07\x62\x23\x95" "\xd1\x99\x26\x6a\x38\x36\x55\x23\xb0\xb9\x6a\xa1\x5a\xaa\x56\xea\x15\x7c" "\x50\xb5\x51\xa3\xb0\xad\x6a\xa7\xda\xab\x87\xd5\x6b\x38\x1a\x3b\xaa\x36" "\xae\x93\x7a\x4c\x75\x56\xe3\xdb\x75\x51\x4f\xa8\x09\xf8\xa4\xea\xa6\x26" "\x61\x77\xf5\xb4\xea\xa1\x9e\x51\x3d\xd5\xb3\xaa\x97\x6a\xeb\x7a\xab\x3e" "\x6a\x2a\xf6\x55\xfd\xd4\x0c\xec\xaf\x06\xa8\x81\x6a\x90\x9a\x8d\x35\x54" "\x46\xc7\x6a\xaa\x97\xd4\xb3\x59\x87\xab\x11\xea\x65\xb5\x18\x5f\x51\xa3" "\xd4\xab\x6a\xb4\x7a\x4d\x8d\x51\xaf\xab\xb1\x6a\x9c\x1a\xaf\x26\xa8\x89" "\x6a\x92\x4a\x56\x6f\xa8\xc9\xea\x4d\x35\x45\xbd\xa5\xa6\xaa\x69\x6a\xba" "\x9a\xa1\x66\xaa\x59\x2a\x45\xbd\xad\x66\xab\x39\x6a\xae\x7a\x47\xcd\x53" "\xf3\xd5\x02\xb5\x50\x2d\x52\x8b\xd5\x12\xf5\xae\x5a\xaa\xde\x53\xa9\xea" "\x7d\xb5\x4c\x7d\xa0\xd2\xd4\x72\xb5\x42\xad\x54\xab\xd4\x6a\xb5\x46\xad" "\x55\xeb\xd4\x7a\xb5\x41\x6d\x54\x9b\xd4\x66\xb5\x45\x6d\x55\xdb\xd4\x87" "\x6a\xbb\xda\xa1\x76\xaa\x5d\x6a\xb7\xda\xa3\xf6\xaa\x8f\xd4\x3e\xf5\xb1" "\xda\xaf\x3e\x51\xe9\xea\x53\x75\x40\xfd\x45\x1d\x54\x9f\xa9\x43\xea\x73" "\x75\x58\x7d\xa1\x8e\xa8\x2f\xd5\x51\xf5\x95\x3a\xa6\xbe\x56\xc7\xd5\x37" "\xea\x84\x3a\xa9\x4e\xa9\x6f\xd5\x69\xf5\x9d\x3a\xa3\xce\xaa\x73\xea\x7b" "\x75\x5e\xfd\xa0\x2e\xa8\x1f\xd5\x45\xe5\x15\x68\xd4\x4a\x6b\x6d\x74\xa0" "\xb3\xe8\xac\x3a\x41\x67\xd3\x89\xfa\x0a\x9d\x5d\xe7\xd0\x39\x75\x2e\x1d" "\xd3\x57\xea\xdc\xfa\x2a\x9d\x47\x5f\xad\xf3\xea\x7c\x3a\xbf\x29\xa0\x0b" "\xea\x42\xba\xb0\x0e\x35\x69\xab\x59\x47\xba\x88\x2e\xaa\xe3\xfa\x1a\x5d" "\x4c\x5f\xab\x8b\xeb\x12\xba\xa4\x2e\xa5\x9d\x2e\xad\xcb\xe8\xeb\x74\x59" "\x7d\xbd\x2e\xa7\x6f\xd0\xe5\xf5\x8d\xba\x82\xbe\x49\x57\xd4\x95\x74\x65" "\x0f\xfa\x16\x5d\x45\xdf\xaa\xab\xea\xdb\x74\x35\x7d\xbb\xae\xae\x6b\xe8" "\x9a\xba\x96\xbe\x43\xd7\xd6\x77\xea\x3a\xfa\x2e\x5d\x57\xdf\xad\xeb\xe9" "\x7b\x74\x7d\x7d\xaf\x6e\xa0\xef\xd3\x0d\x75\x23\xdd\x58\xdf\xaf\x9b\xe8" "\x07\x74\x53\xdd\x4c\x37\xd7\x2d\x74\x4b\xdd\x4a\xb7\xd6\x0f\xea\x36\xfa" "\x21\xdd\x56\xb7\xd3\xed\xf5\xc3\xba\x83\x7e\x44\x77\xd4\x8f\xea\x4e\xfa" "\x31\xdd\x59\x3f\xae\xbb\xe8\x27\x74\x5f\x78\x52\x77\xd3\x4f\xe9\xee\xfa" "\x69\xdd\x43\x3f\xa3\x7b\xea\x1f\xf5\x45\xed\x75\x6f\xdd\x47\x27\xe9\xbe" "\xba\x9f\x7e\x5e\xf7\xd7\x03\xf4\x40\x3d\x48\x0f\xd6\x2f\xe8\x21\xfa\x45" "\x3d\x54\xbf\xa4\x87\xe9\xe1\x7a\x84\x7e\x59\x8f\xd4\xaf\xe8\x51\xfa\x55" "\x3d\x5a\xbf\xa6\xc7\xe8\xd7\xf5\x58\x3d\x4e\x8f\xd7\x13\xf4\x44\x3d\x49" "\x27\xeb\x37\xf4\x64\xfd\xa6\x9e\xa2\xdf\xd2\x53\xf5\x34\x3d\x5d\xcf\xd0" "\x33\xf5\x2c\x3d\xf0\x97\x99\xe6\xfe\x13\xf9\x6f\xfe\x9d\xfc\xa1\x3f\x9d" "\x7d\xab\xde\xa6\x3f\xd4\xdb\xf5\x0e\xbd\x53\xef\xd2\xbb\xf5\x1e\xbd\x57" "\xef\xd5\xfb\xf4\x3e\xbd\x5f\xef\xd7\xe9\x3a\x5d\x1f\xd0\x07\xf4\x41\x7d" "\x50\x1f\xd2\x87\xf4\x61\x7d\x58\x1f\xd1\x47\xf4\x51\x7d\x54\x1f\xd3\xc7" "\xf4\x71\x7d\x5c\x9f\xd0\x27\xf5\xf7\xfa\x5b\x7d\x5a\x7f\xa7\xcf\xe8\xb3" "\xfa\xac\xfe\x5e\x9f\xd7\xe7\xf5\x85\x5f\x7e\x06\x60\xd0\x28\xa3\x8d\x31" "\x81\xc9\x62\xb2\x9a\x04\x93\xcd\x24\x9a\x2b\x4c\x76\x93\xc3\xe4\x34\xb9" "\x4c\xcc\x5c\x69\x72\x9b\xab\x4c\x1e\x73\xb5\xc9\x6b\xf2\x99\xfc\xa6\x80" "\x29\x68\x0a\x99\xc2\x26\x34\x64\xac\x61\x13\x99\x22\xa6\xa8\x89\x9b\x6b" "\x4c\x31\x73\xad\x29\x6e\x4a\x98\x92\xa6\x94\x71\xa6\xb4\x29\x63\xae\xfb" "\x8f\xf3\x7f\xaf\xbe\xd6\xa6\xb5\x69\x63\xda\x98\xb6\xa6\xad\x69\x6f\xda" "\x9b\x0e\xa6\x83\xe9\x68\x3a\x9a\x4e\xa6\x93\xe9\x6c\x3a\x9b\x2e\xa6\x8b" "\xe9\x6a\xba\x9a\x6e\xa6\x9b\xe9\x6e\xba\x9b\x1e\xa6\x87\xe9\x69\x7a\x9a" "\x5e\xa6\x97\xe9\x6d\x7a\x9b\x24\x93\x64\xfa\x99\xe7\x4d\x7f\x33\xc0\x0c" "\x34\x83\xcc\x60\xf3\x82\x19\x62\x86\x98\xa1\x66\xa8\x19\x66\x86\x99\x11" "\x66\x84\x19\x69\x46\x9a\x51\x66\x94\x19\x6d\x46\x9b\x31\x66\x8c\x19\x6b" "\xc6\x9a\xf1\x66\xbc\x99\x68\x26\x9a\x64\x9f\xcb\x4c\x36\x93\xcd\x14\x33" "\xc5\x4c\x35\x53\xcd\xf4\xc1\xb9\xcc\x4c\x33\xd3\xa4\x98\x14\x33\xdb\xcc" "\x36\x73\xcd\x5c\x33\xcf\xcc\x33\x0b\xcc\x02\xb3\xc8\x2c\x32\x4b\xcc\x12" "\xb3\xd4\x2c\x35\xa9\x26\xd5\x2c\x33\xcb\x4c\x9a\x59\x6e\x96\x9b\x95\x66" "\xa5\x59\x6d\x56\x9b\xb5\x66\xad\x59\x6f\xd6\x9b\x8d\x66\xa3\xd9\x6c\x36" "\x9b\x34\xb3\xcd\x6c\x33\xdb\xcd\x76\xb3\xd3\xec\x34\xbb\xcd\x6e\xb3\xd7" "\xec\x35\xfb\xcc\x3e\xb3\xdf\xec\x37\xe9\x26\xdd\x1c\x30\x07\xcc\x41\x73" "\xd0\x1c\x32\x87\xcc\x61\x73\xd8\x1c\x31\x47\xcc\x51\x73\xd4\x1c\x33\xc7" "\xcc\x71\x73\xdc\x9c\x30\x27\xcc\x29\x73\xca\x9c\x36\xa7\xcd\x19\x73\xc6" "\x9c\x33\xe7\xcc\x79\x73\xde\x5c\x30\x17\xcc\x45\x73\x31\xe3\xb6\x2f\x50" "\x81\x0a\x4c\x60\x82\x2c\x41\x96\x20\x21\x48\x08\x12\x83\xc4\x20\x7b\x90" "\x3d\xc8\x19\xe4\x0c\x62\x41\x2c\xc8\x1d\xe4\x0e\xf2\x04\x57\x07\x79\x83" "\x7c\x41\xfe\xa0\x40\x50\x30\x28\x14\x14\x0e\xc2\x80\x02\x1b\x70\x10\x05" "\x45\x82\xa2\x41\x3c\xb8\x26\x28\x16\x5c\x1b\x14\x0f\x4a\x04\x25\x83\x52" "\x81\x0b\x4a\x07\x65\x82\xeb\x82\xb2\xc1\xf5\x41\xb9\xe0\x86\xa0\x7c\x70" "\x63\x50\x21\xb8\x29\xa8\x18\x54\x0a\x2a\x07\x37\x07\xb7\x04\x55\x82\x5b" "\x83\xaa\xc1\x6d\x41\xb5\xe0\xf6\xa0\x7a\x50\x23\xa8\x19\xd4\x0a\xee\x08" "\x6a\x07\x77\x06\x75\x82\xbb\x82\xba\xc1\xdd\x41\xbd\xe0\x9e\xa0\x7e\x70" "\x6f\xd0\x20\xb8\x2f\x68\x18\x34\x0a\x1a\x07\xf7\x07\x4d\x82\x07\x82\xa6" "\x41\xb3\xa0\x79\xd0\x22\x68\x19\xb4\x0a\x5a\xff\xa1\xf3\x7b\x7f\x26\xdf" "\x43\xae\x77\xd8\x27\x4c\x0a\xfb\x86\xfd\xc2\xe7\xc3\xfe\xe1\x80\x70\x60" "\x38\x28\x1c\x1c\xbe\x10\x0e\x09\x5f\x0c\x87\x86\x2f\x85\xc3\xc2\xe1\xe1" "\x88\xf0\xe5\x70\x64\xf8\x4a\x38\x2a\x7c\x35\x1c\x1d\xbe\x16\x8e\x09\x5f" "\x0f\xc7\x86\xe3\xc2\xf1\xe1\x84\x70\x62\x38\x29\x4c\x0e\xdf\x08\x27\x87" "\x6f\x86\x53\xc2\xb7\xc2\xa9\xe1\xb4\x70\x7a\x30\x23\x9c\x19\xce\x0a\x53" "\xc2\xb7\xc3\xd9\xe1\x9c\x70\x6e\xf8\x4e\x38\x2f\x9c\x1f\x2e\x08\x17\x86" "\x8b\xc2\xc5\x21\xfe\x7c\x4b\x0c\xa9\xe1\xfb\xe1\xb2\xf0\x83\x30\x2d\x5c" "\x1e\xae\x08\x57\x86\xab\xc2\xd5\xe1\x9a\x70\x6d\xb8\x2e\x5c\x1f\x6e\x08" "\x37\x86\x9b\xc2\xcd\xe5\x87\xfc\x7c\x68\xb8\x3d\xdc\x11\xee\x0c\x77\x85" "\xbb\xc3\x3d\xe1\xde\xf0\xa3\x70\x5f\xf8\x71\xb8\x3f\xfc\x24\x4c\x0f\x3f" "\x0d\x0f\x84\x7f\x09\x0f\x86\x9f\x85\x87\xc2\xcf\xc3\xc3\xe1\x17\xe1\x91" "\xf0\xcb\xf0\x68\xf8\x55\x78\x2c\xfc\x3a\x3c\x1e\x7e\x13\x9e\x08\x4f\x86" "\xa7\xc2\x6f\xc3\xd3\xe1\x77\xe1\x99\xf0\x6c\x78\x2e\xfc\x3e\x3c\x1f\xfe" "\x10\x5e\x08\x7f\x0c\x2f\x86\x3e\xe3\xe6\x3e\xe3\xf2\x4e\x86\x0c\x65\xa1" "\x2c\x94\x40\x09\x94\x48\x89\x94\x9d\xb2\x53\x4e\xca\x49\x31\x8a\x51\x6e" "\xca\x4d\x79\x28\x0f\xe5\xa5\xbc\x94\x9f\xf2\x53\x41\x2a\x48\x85\xa9\x30" "\x65\x60\x62\x2a\x42\x45\x28\x4e\x71\x2a\x46\xc5\xa8\x38\x15\xa7\x92\x54" "\x92\x1c\x39\x2a\x43\x65\xa8\x2c\x95\xa5\x72\x54\x8e\xca\x53\x79\xaa\x40" "\x15\xa8\x22\x55\xa4\xca\x54\x99\x6e\xa1\x5b\xe8\x56\xba\x95\x6e\xa3\xdb" "\xe8\x76\xba\x9d\x6a\x50\x0d\xaa\x45\xb5\xa8\x36\xd5\xa6\x3a\x54\x87\xea" "\x52\x5d\xaa\x47\xf5\xa8\x3e\xd5\xa7\x06\xd4\x80\x1a\x52\x43\x6a\x4c\x8d" "\xa9\x09\x35\xa1\xa6\xd4\x94\x9a\x53\x73\x6a\x49\x2d\xa9\x35\xb5\xa6\x36" "\xd4\x86\xda\x52\x5b\x6a\x4f\xed\xa9\x03\x75\xa0\x8e\xd4\x91\x3a\x51\x27" "\xea\x4c\x9d\xa9\x0b\x75\xa1\xae\xd4\x95\xba\x51\x37\xea\x4e\xdd\xa9\x07" "\xf5\xa0\x9e\xd4\x93\x7a\x51\x2f\xea\x4d\xbd\x29\x89\x92\xa8\x1f\xf5\xa3" "\xfe\xd4\x9f\x06\xd2\x40\x1a\x4c\x83\x69\x08\x0d\xa1\xa1\x34\x94\x86\xd1" "\x30\x1a\x41\x23\x68\x24\x8d\xa4\x51\x34\x8a\x46\xd3\x6b\x34\x86\x5e\xa7" "\xb1\x34\x8e\xc6\xd3\x04\x9a\x48\x93\x28\x99\x92\x69\x32\x4d\xa6\x29\x34" "\x85\xa6\xd2\x54\x9a\x4e\xd3\x69\x26\xcd\xa4\x14\x4a\xa1\xd9\x34\x9b\xe6" "\xd2\x5c\x9a\x47\xf3\x68\x01\x2d\xa0\x45\xb4\x88\x96\xd0\x12\x5a\x4a\x4b" "\x29\x95\x52\x69\x19\x2d\xa3\x34\x4a\xa3\x15\xb4\x82\x56\xd1\x2a\x5a\x43" "\x6b\x68\x1d\xad\xa3\x0d\xb4\x81\x36\xd1\x26\xda\x42\x5b\x68\x1b\x6d\xa3" "\xed\xb4\x9d\x76\xd2\x4e\xda\x4d\xbb\x69\x2f\xed\xa5\x7d\xb4\x8f\xf6\xd3" "\x7e\x4a\xa7\x74\x3a\x40\x07\xe8\x20\x1d\xa4\x43\x74\x88\x0e\xd3\x61\x3a" "\x42\x47\xe8\x28\x1d\xa5\x63\x74\x8c\x8e\xd3\x71\x3a\x41\x27\xe8\x14\x9d" "\xa2\xd3\x74\x9a\xce\xd0\x19\x3a\x47\xe7\xe8\x3c\xfd\x40\x17\xe8\x47\xba" "\x48\x9e\x12\x6c\x36\x9b\x68\xaf\xb0\xd9\x6d\x0e\x9b\xd3\xe6\xb2\x7f\x1d" "\xe7\xb7\x05\x6c\x41\x5b\xc8\x16\xb6\xa1\xcd\x6b\xf3\xfd\x26\x26\x6b\x6d" "\x71\x5b\xc2\x96\xb4\xa5\xac\xb3\xa5\x6d\x19\x7b\xdd\xdf\xc4\x15\x6d\x25" "\x5b\xd9\xde\x6c\x6f\xb1\x55\xec\xad\xb6\xaa\xad\x68\xb3\xc1\xff\x8c\x6b" "\xdb\x3b\x6d\x1d\x7b\x97\xad\x6b\xef\xb6\xb5\xec\x1d\xbf\x89\xeb\xd9\x7b" "\x6c\x7d\xfb\x80\x6d\x60\x9b\xd9\x86\xb6\x85\x6d\x6c\x5b\xd9\x26\xf6\x01" "\xdb\xd4\x36\xb3\xcd\x6d\x0b\xdb\xd2\xb6\xb2\x1d\xec\x23\xb6\xa3\x7d\xd4" "\x76\xb2\x8f\xd9\xce\xf6\xf1\xbf\x89\x97\xda\xf7\xec\x3a\xbb\xde\x6e\xb0" "\x1b\xed\x3e\xfb\xb1\x3d\x67\xbf\xb7\x47\xed\x57\xf6\xbc\xfd\xc1\xf6\xb6" "\x7d\xec\x60\xfb\x82\x1d\x62\x5f\xb4\x43\xed\x4b\x76\x98\x1d\xfe\xdb\x18" "\xc0\x8e\xb1\xaf\xdb\xb1\x76\x9c\x1d\x6f\x27\xd8\x89\x76\xd2\xdf\xc4\xd3" "\xed\x0c\x3b\xd3\xce\xb2\x29\xf6\x6d\x3b\xdb\xce\xf9\x9b\x78\x89\x7d\xd7" "\xce\xb3\xa9\x76\x81\x5d\x68\x17\xd9\xc5\x3f\xc5\x19\x35\xa5\xda\xf7\xed" "\x32\xfb\x81\x4d\xb3\xcb\xed\x0a\xbb\xd2\xae\xb2\xab\xed\x1a\xbb\xf6\xff" "\xd6\xba\xd2\x6e\xb6\x5b\xec\x56\xbb\xd7\x7e\x64\xb7\xdb\x1d\x76\xa7\xdd" "\x65\x77\xdb\x3d\x3f\xc5\x19\xeb\xd8\x6f\x3f\xb1\xe9\xf6\x53\x7b\xc4\x7e" "\x69\x0f\xda\xcf\xec\x21\x7b\xcc\x1e\xb6\x5f\xfc\x14\x67\xac\xef\x98\xfd" "\xda\x1e\xb7\xdf\xd8\x13\xf6\xa4\x3d\x65\xbf\xb5\xa7\xed\x77\xf6\x8c\x3d" "\xfb\xd3\xfa\x33\xd6\xfe\xad\xfd\xd1\x5e\xb4\xde\x02\x23\x2b\xd6\x6c\x38" "\xe0\x2c\x9c\x95\x13\x38\x1b\x27\xf2\x15\x9c\x9d\x73\x70\x4e\xce\xc5\x31" "\xbe\x92\x73\xf3\x55\x9c\x87\xaf\xe6\xbc\x9c\x8f\xf3\x73\x01\x2e\xc8\x85" "\xb8\x30\x87\x4c\x6c\x99\x39\xe2\x22\x5c\x94\xe3\x7c\x0d\x17\xe3\x6b\xb9" "\x38\x97\xe0\x92\x5c\x8a\x1d\x97\xe6\x32\x7c\x1d\x97\xe5\xeb\xb9\x1c\xdf" "\xc0\xe5\xf9\x46\xae\xc0\x37\x71\x45\xae\xc4\x95\xf9\x66\xbe\x85\xab\xf0" "\xad\x5c\x95\x6f\xe3\x6a\x7c\x3b\x57\xe7\x1a\x5c\x93\x6b\xf1\x1d\x5c\x9b" "\xef\xe4\x3a\x7c\x17\xd7\xe5\xbb\xb9\x1e\xdf\xc3\xf5\xf9\x5e\x6e\xc0\xf7" "\x71\x43\x6e\xc4\x8d\xf9\x7e\x6e\xc2\x0f\x70\x53\x6e\xc6\xcd\xb9\x05\xb7" "\xe4\x56\xdc\x9a\x1f\xe4\x36\xfc\x10\xb7\xe5\x76\xdc\x9e\x1f\xe6\x0e\xfc" "\x08\x77\xe4\x47\xb9\x13\x3f\xc6\x9d\xf9\x71\xee\xc2\x4f\x70\x57\x7e\x92" "\xbb\xf1\x53\xdc\x9d\x9f\xe6\x1e\xfc\x0c\xf7\xe4\x67\xb9\x17\x3f\xc7\xbd" "\xb9\x0f\x27\x71\x5f\xee\xc7\xcf\x73\x7f\x1e\xc0\x03\x79\x10\x0f\xe6\x17" "\x78\x08\xbf\xc8\x43\xf9\x25\x1e\xc6\xc3\x79\x04\xbf\xcc\x23\xf9\x15\x1e" "\xc5\xaf\x1a\x00\xe0\x31\xfc\x3a\x8f\xe5\x71\x3c\x9e\x27\xf0\x44\x9e\xc4" "\xc9\xfc\x06\x4f\xe6\x37\x79\x0a\xbf\xc5\x53\x79\x1a\x4f\xe7\x19\x3c\x93" "\x67\x71\x0a\xbf\xcd\xb3\x79\x0e\xcf\xe5\x77\x78\x1e\xcf\xe7\x05\xbc\x90" "\x17\xf1\x62\x5e\xc2\xef\xf2\x52\x7e\x8f\x53\xf9\x7d\x5e\xc6\x1f\x70\x1a" "\x2f\xe7\x15\xbc\x92\x57\xf1\x6a\x5e\xc3\x6b\x79\x1d\xaf\xe7\x0d\xbc\x91" "\x37\xf1\x66\xde\xc2\x5b\x79\x1b\x7f\xc8\xdb\x79\x07\xef\xe4\x5d\xbc\x9b" "\xf7\xf0\x5e\xfe\x88\xf7\xf1\xc7\xbc\x9f\x3f\xe1\x74\xfe\x94\x0f\xf0\x5f" "\xf8\x20\x7f\xc6\x87\xf8\x73\x3e\xcc\x5f\xf0\x11\xfe\x92\x8f\xf2\x57\x7c" "\x8c\xbf\xe6\xe3\xfc\x0d\x9f\xe0\x93\x7c\x8a\xbf\xe5\xd3\xfc\x1d\x9f\xe1" "\xb3\x7c\x8e\xbf\xe7\xf3\xfc\x03\x5f\xe0\x1f\xf9\x22\x7b\x86\x08\x23\x15" "\xe9\xc8\x44\x41\x94\x25\xca\x1a\x25\x44\xd9\xa2\xc4\xe8\x8a\x28\x7b\x94" "\x23\xca\x19\xe5\x8a\x62\xd1\x95\x51\xee\xe8\xaa\x28\x4f\x74\x75\x94\x37" "\xca\x17\xe5\x8f\x0a\x44\x05\xa3\x42\x51\xe1\x28\x8c\x28\xb2\x11\x47\x51" "\x54\x24\x2a\x1a\xc5\xa3\x6b\xa2\x62\xd1\xb5\x51\xf1\xa8\x44\x54\x32\x2a" "\x15\xb9\xa8\x74\x54\x26\xba\x2e\x2a\x1b\x5d\x1f\x95\x8b\x6e\x88\xca\x47" "\x37\x46\x15\xa2\x9b\xa2\x8a\x51\xa5\xa8\x72\x74\x73\x74\x4b\x54\x25\xba" "\x35\xaa\x1a\xdd\x16\x55\x8b\x6e\x8f\xaa\x47\x35\xa2\x9a\x51\xad\xe8\x8e" "\xa8\x76\x74\x67\x54\x27\xba\x2b\xaa\x1b\xdd\x1d\x95\x8b\xee\x89\xea\x47" "\xf7\x46\x0d\xa2\xfb\xa2\x86\x51\xa3\xa8\x71\x74\x7f\xd4\x24\x7a\x20\x6a" "\x1a\x35\x8b\x9a\x47\x2d\xa2\x96\x51\xab\xa8\x75\xf4\x60\xd4\x26\x7a\x28" "\x6a\x1b\xb5\x8b\xda\x47\x0f\x47\x1d\xa2\x47\xa2\x8e\xd1\xa3\x51\xa7\xe8" "\xb1\xa8\x73\xf4\xf8\xa5\xfd\x25\x82\x9f\xaf\xa6\x7f\xb5\x3f\x29\xea\x1b" "\xe9\x5f\xde\x90\xdd\xa5\x17\xc5\x17\xc7\x97\xc4\xdf\x8d\x2f\x8d\xbf\x17" "\x4f\x8d\xbf\x1f\x5f\x16\xff\x20\x9e\x16\x5f\x1e\x5f\x11\x5f\x19\x5f\x15" "\x5f\x1d\x5f\x13\x5f\x1b\x5f\x17\x5f\x1f\xdf\x10\xdf\x18\xdf\x14\xdf\x1c" "\xdf\x12\xdf\x1a\xf7\xbe\x56\x56\x70\x98\xf1\x20\x0c\xc6\x05\x2e\x8b\xcb" "\xea\x12\x5c\x36\x97\xe8\xae\x70\xd9\x5d\x0e\x97\xd3\xe5\x72\x31\x77\xa5" "\xcb\xed\xae\x72\x79\xdc\xd5\x2e\xaf\xcb\xe7\xf2\xbb\x02\xae\xa0\x2b\xe4" "\x0a\xbb\xd0\x91\xb3\x8e\x5d\xe4\x8a\xb8\xa2\x2e\xee\xae\x71\xc5\xdc\xb5" "\xae\xb8\x2b\xe1\x4a\xba\x52\xce\xb9\xd2\xae\x8c\x6b\xe5\x5a\xbb\xd6\xae" "\x8d\x7b\xc8\xb5\x75\xed\x5c\x7b\xf7\xb0\x7b\xd8\x3d\xe2\x1e\x71\x8f\x26" "\xfc\x52\xb8\xeb\xe2\x9e\x70\x5d\xdd\x93\xae\x9b\x7b\xca\x3d\xe5\x9e\x76" "\x3d\xdc\x33\xae\xa7\x7b\xd6\xf5\x72\xcf\xb9\xde\xae\x8f\x4b\x72\x49\xae" "\x9f\xeb\xe7\xfa\xbb\xfe\x6e\xa0\x1b\xe8\x06\xbb\xc1\x6e\x88\x1b\xe2\x86" "\xba\xa1\x6e\x98\x1b\xe6\x46\xb8\x11\x6e\xa4\x1b\xe9\x46\xb9\x51\x6e\xb4" "\x1b\xed\xc6\xb8\x31\x6e\xac\x1b\xeb\xc6\xbb\xf1\x6e\xa2\x9b\xe8\x92\x5d" "\xb2\x9b\xec\x26\xbb\x29\x6e\x8a\x9b\xea\xa6\xba\xe9\x6e\xba\x9b\xe9\x66" "\xba\x14\x97\xe2\x66\xbb\xd9\x6e\xae\x9b\xeb\xe6\xb9\x79\x6e\x81\x5b\xe0" "\x16\xb9\x45\x6e\x89\x5b\xe2\x96\xba\xa5\x2e\xd5\xa5\xba\x65\x6e\x99\x4b" "\x73\x69\x6e\x85\x5b\xe1\x56\xb9\x55\x6e\x8d\x5b\xe3\xd6\xb9\x75\x6e\x83" "\xdb\xe0\x36\xb9\x4d\x6e\x8b\xdb\xe2\xb6\xb9\x6d\x6e\xbb\xdb\xee\x76\xba" "\x9d\x6e\xb7\xdb\xed\xf6\xba\xbd\x6e\x9f\xdb\xe7\xf6\xbb\xfd\x2e\xdd\xa5" "\xbb\x03\xee\x80\x3b\xe8\x0e\xba\x43\xee\x73\x77\xd8\x7d\xe1\x8e\xb8\x2f" "\xdd\x51\xf7\x95\x3b\xe6\xbe\x76\xc7\xdd\x37\xee\x84\x3b\xe9\x4e\x39\xaf" "\x4f\xbb\xef\xdc\x19\x77\xd6\x9d\x73\xdf\xbb\xf3\xee\x07\x77\xc1\xfd\xe8" "\x2e\x3a\xef\x92\x63\x6f\xc4\x26\xc7\xde\x8c\x4d\x89\xbd\x15\x9b\x1a\x9b" "\x16\x9b\x1e\x9b\x11\x9b\x19\x9b\x15\x4b\x89\xbd\x1d\x9b\x1d\x9b\x13\x9b" "\x1b\x7b\x27\x36\x2f\x36\x3f\xb6\x20\xb6\x30\xb6\x28\xb6\x38\xb6\x24\xf6" "\x6e\x6c\x69\xec\xbd\x58\x6a\xec\xfd\xd8\xb2\xd8\x07\xb1\xb4\xd8\xf2\xd8" "\x8a\xd8\xca\xd8\xaa\xd8\xea\x98\xf7\x85\xb6\x47\xbe\x88\x2f\xea\xe3\xfe" "\x1a\x5f\xcc\x5f\xeb\x8b\xfb\x12\xbe\xa4\x2f\xe5\x9d\x2f\xed\xcb\xf8\xeb" "\x7c\x59\x7f\xbd\x2f\xe7\x6f\xf0\xe5\xfd\x8d\xbe\x82\xbf\xc9\x57\xf4\x95" "\x7c\x65\xdf\xcc\x37\xf7\x2d\x7c\x4b\xdf\xca\xb7\xf6\x0f\xfa\x36\xfe\x21" "\xdf\xd6\xb7\xf3\xed\xfd\xc3\xbe\x83\x7f\xc4\x77\xf4\x8f\xfa\x4e\xfe\x31" "\xdf\xd9\x3f\xee\xbb\xf8\x27\x7c\x57\xff\xa4\xef\xe6\x9f\xf2\xdd\xfd\xd3" "\xf3\x7f\xe9\xb2\xef\xe5\x9f\xf3\x10\xeb\xe3\x93\x7c\x5f\xdf\xcf\x3f\xef" "\xfb\xfb\x01\x7e\xa0\x1f\xe4\x07\xfb\x17\xfc\x10\xff\xa2\x1f\xea\x5f\xf2" "\xc3\xfc\x70\x3f\xc2\xbf\xec\x47\xfa\x57\xfc\x28\xff\xaa\x1f\xed\x5f\xf3" "\x63\xfc\xeb\x7e\xac\x1f\xe7\xc7\xfb\x09\x7e\xa2\x9f\xe4\x93\xfd\x1b\x7e" "\xb2\x7f\xd3\x4f\xf1\x6f\xf9\xa9\x7e\x9a\x9f\xee\x67\xf8\x99\x7e\x96\x4f" "\xf1\x6f\xfb\xd9\x7e\x8e\x9f\xeb\xdf\xf1\xf3\xfc\x7c\xbf\xc0\x2f\xf4\x8b" "\xfc\x62\xbf\xc4\xbf\xeb\x97\xfa\xf7\x7c\xaa\x7f\xdf\x2f\xf3\x1f\xf8\x34" "\xbf\xdc\xaf\xf0\x2b\xfd\x2a\xbf\xda\xaf\xf1\x6b\xfd\x3a\xbf\xde\x6f\xf0" "\x1b\xfd\x26\xbf\xd9\x6f\xf1\x5b\xfd\x36\xff\xa1\xdf\xee\x77\xf8\x9d\x7e" "\x97\xdf\xed\xf7\xf8\xbd\xfe\x23\xbf\xcf\x7f\xec\xf7\xfb\x4f\x7c\xba\xff" "\xd4\x1f\xf0\x7f\xf1\x07\xfd\x67\xfe\x90\xff\xdc\x1f\xf6\x5f\xf8\x23\xfe" "\x4b\x7f\xd4\x7f\xe5\x8f\xf9\xaf\xfd\x71\xff\x8d\x3f\xe1\x4f\xfa\x53\xfe" "\x5b\x7f\xda\x7f\xe7\xcf\xf8\xb3\xfe\x9c\xff\xde\x9f\xf7\x3f\xf8\x0b\xfe" "\x47\x7f\x51\xfe\x66\x4d\x08\x21\x84\x10\xe2\x9f\xa2\x7f\x67\x7f\xdf\xbf" "\xf3\x7f\xea\x97\x2d\x43\x3f\x00\xc8\xb1\xa3\xc0\xe1\xbf\x9e\x73\x53\xde" "\x9f\xc7\x03\xd4\xbe\xce\xb1\x04\x80\xc7\xfa\x74\x6f\xf4\xeb\xd6\xa8\x51" "\x52\x52\xd2\x2f\xc7\xa6\x69\x08\x8a\x2e\x04\x80\xd8\xa5\xfc\x9f\xbe\x7f" "\xe0\x97\x78\x39\xb4\x87\x47\xa0\x13\xb4\x83\xb2\x7f\xb7\xbe\x01\xaa\xf2" "\x4f\xf7\x7d\xff\xdb\xfc\xf1\x1b\x01\x12\x01\xb2\xfd\x9a\x93\xf1\x78\x94" "\x08\x7f\x3d\xff\xf5\xff\x60\xfe\x66\xef\xf2\xef\xcd\xbf\x10\xa0\x78\xd1" "\x4b\x39\x19\x27\xfa\x35\xbe\x34\x7f\xb9\x7f\x30\xff\x9e\x0e\xbf\x33\x7f" "\xb6\xcf\x92\x01\xda\xfe\x8f\x9c\xec\x70\x29\xbe\x34\x7f\x19\x78\x08\x1e" "\x87\x4e\xbf\x39\x52\x08\x21\x84\x10\x42\x08\x21\x84\xf8\xd9\x00\x75\xbe" "\xc7\xef\x3d\xdf\x66\x3c\x9f\x17\x34\x97\x72\xb2\xc2\xa5\xf8\xf7\x9e\xcf" "\x7f\x47\xd5\x3f\x62\x0d\x42\x08\x21\x84\x10\x42\x08\x21\x84\xf8\xdf\x3d" "\xf9\x4c\xcf\x47\x1f\xec\xd4\xa9\x5d\xd7\x7f\x6d\x80\x00\xf0\xaf\x67\x5d" "\xae\x41\xd6\x3f\x47\x19\x7f\x82\x41\x46\xdf\xfe\x04\x65\xc8\xe0\xcf\x3f" "\xb8\xdc\xbf\x99\x84\x10\x42\x08\x21\x84\x10\x7f\xb4\x4b\x37\xfd\x97\xbb" "\x12\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84" "\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08" "\x21\x84\x10\x22\xf3\xfa\xf7\xbf\x21\x4c\xfd\xd3\x07\x03\x64\xb9\xdc\xcb" "\x14\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08" "\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10" "\x42\x08\x21\x84\x10\x42\x08\x21\x84\x10\x42\x08\x21\x2e\xab\xff\x13\x00" "\x00\xff\xff\xe7\x2b\x51\x08", 5389); syz_mount_image( /*fs=*/0x200000000280, /*dir=*/0x200000001840, /*flags=MS_POSIXACL|MS_SYNCHRONOUS|MS_NODIRATIME|MS_DIRSYNC*/ 0x10890, /*opts=*/0x200000000240, /*chdir=*/0xf7, /*size=*/0x150d, /*img=*/0x200000001880); // openat arguments: [ // fd: fd_dir (resource) // file: ptr[in, buffer] { // buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8) // } // flags: open_flags = 0x42 (4 bytes) // mode: open_mode = 0x0 (2 bytes) // ] // returns fd memcpy((void*)0x200000000040, "./file1\000", 8); res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000040ul, /*flags=O_CREAT|O_RDWR*/ 0x42, /*mode=*/0); if (res != -1) r[0] = res; // ioctl$EXT4_IOC_MOVE_EXT arguments: [ // fd: fd (resource) // cmd: const = 0x40305839 (4 bytes) // arg: ptr[in, move_extent] { // move_extent { // reserved: const = 0x17c04 (4 bytes) // donor_fd: fd (resource) // orig_start: int64 = 0x5 (8 bytes) // donor_start: int64 = 0x1c01 (8 bytes) // len: int64 = 0xc0 (8 bytes) // moved_len: int64 = 0x0 (8 bytes) // } // } // ] *(uint32_t*)0x200000000080 = 0x17c04; *(uint32_t*)0x200000000084 = -1; *(uint64_t*)0x200000000088 = 5; *(uint64_t*)0x200000000090 = 0x1c01; *(uint64_t*)0x200000000098 = 0xc0; *(uint64_t*)0x2000000000a0 = 0; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x40305839, /*arg=*/0x200000000080ul); return 0; }