net/pptp: use-after-free in dst_release

From: Andrey Konovalov
Date: Mon Feb 20 2017 - 07:59:28 EST


Hi,

I've got the following error report while fuzzing the kernel with syzkaller.

On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).

A reproducer and .config are attached.

==================================================================
BUG: KASAN: use-after-free in dst_release+0xbb/0xc0 net/core/dst.c:304
at addr ffff8800390e14a0
Read of size 2 by task syz-executor5/12953
CPU: 0 PID: 12953 Comm: syz-executor5 Not tainted 4.10.0-rc8+ #201
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0x292/0x398 lib/dump_stack.c:51
kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
print_address_description mm/kasan/report.c:200 [inline]
kasan_report_error mm/kasan/report.c:289 [inline]
kasan_report.part.1+0x20e/0x4e0 mm/kasan/report.c:311
kasan_report mm/kasan/report.c:330 [inline]
__asan_report_load2_noabort+0x29/0x30 mm/kasan/report.c:330
dst_release+0xbb/0xc0 net/core/dst.c:304
sk_dst_reset include/net/sock.h:1790 [inline]
sock_setbindtodevice net/core/sock.c:575 [inline]
sock_setsockopt+0x4e1/0x1db0 net/core/sock.c:672
SYSC_setsockopt net/socket.c:1784 [inline]
SyS_setsockopt+0x2fb/0x3a0 net/socket.c:1767
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458b9
RSP: 002b:00007f69bab40b58 EFLAGS: 00000292 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004458b9
RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000005
RBP: 00000000006e22c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020007000 R11: 0000000000000292 R12: 0000000000708000
R13: 0000000000000000 R14: 00007f69bab419c0 R15: 00007f69bab41700
Object at ffff8800390e1440, in cache ip_dst_cache size: 216
Allocated:
PID = 12953
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
slab_post_alloc_hook mm/slab.h:432 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
kmem_cache_alloc+0x1af/0x250 mm/slub.c:2728
dst_alloc+0x11b/0x1a0 net/core/dst.c:210
rt_dst_alloc+0xf0/0x5a0 net/ipv4/route.c:1463
__mkroute_output net/ipv4/route.c:2145 [inline]
__ip_route_output_key_hash+0xc53/0x2eb0 net/ipv4/route.c:2355
__ip_route_output_key include/net/route.h:122 [inline]
ip_route_output_flow+0x29/0xa0 net/ipv4/route.c:2441
ip_route_output_ports include/net/route.h:159 [inline]
pptp_connect+0xc80/0x1220 drivers/net/ppp/pptp.c:454
SYSC_connect+0x251/0x590 net/socket.c:1579
SyS_connect+0x24/0x30 net/socket.c:1560
entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 0
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:502
set_track mm/kasan/kasan.c:514 [inline]
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kmem_cache_free+0xb2/0x2c0 mm/slub.c:2980
dst_destroy+0x24c/0x3b0 net/core/dst.c:270
dst_destroy_rcu+0x15/0x40 net/core/dst.c:295
__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
rcu_do_batch.isra.67+0x900/0xc50 kernel/rcu/tree.c:2780
invoke_rcu_callbacks kernel/rcu/tree.c:3043 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:3010 [inline]
rcu_process_callbacks+0x2b7/0xba0 kernel/rcu/tree.c:3027
__do_softirq+0x2fb/0xb7d kernel/softirq.c:284
Memory state around the buggy address:
ffff8800390e1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8800390e1400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8800390e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8800390e1500: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8800390e1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Attachment: .config
Description: Binary data

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_sendmsg
#define __NR_sendmsg 46
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_getsockname
#define __NR_getsockname 51
#endif
#ifndef __NR_connect
#define __NR_connect 42
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kErrorStatus = 68;
const int kRetryStatus = 69;

__attribute__((noreturn)) void doexit(int status)
{
volatile unsigned i;
syscall(__NR_exit_group, status);
for (i = 0;; i++) {
}
}

__attribute__((noreturn)) void fail(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(e == ENOMEM ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) void exitf(const char* msg, ...)
{
int e = errno;
fflush(stdout);
va_list args;
va_start(args, msg);
vfprintf(stderr, msg, args);
va_end(args);
fprintf(stderr, " (errno %d)\n", e);
doexit(kRetryStatus);
}

static int flag_debug;

void debug(const char* msg, ...)
{
if (!flag_debug)
return;
va_list args;
va_start(args, msg);
vfprintf(stdout, msg, args);
va_end(args);
fflush(stdout);
}

__thread int skip_segv;
__thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
(addr < prog_start || addr > prog_end)) {
debug("SIGSEGV on %p, skipping\n", addr);
_longjmp(segv_env, 1);
}
debug("SIGSEGV on %p, exiting\n", addr);
doexit(sig);
for (;;) {
}
}

static void install_segv_handler()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}

#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
if ((bf_off) == 0 && (bf_len) == 0) { \
*(type*)(addr) = (type)(val); \
} else { \
type new_val = *(type*)(addr); \
new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
*(type*)(addr) = new_val; \
}

static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
uintptr_t a2, uintptr_t a3,
uintptr_t a4, uintptr_t a5,
uintptr_t a6, uintptr_t a7,
uintptr_t a8)
{
switch (nr) {
default:
return syscall(nr, a0, a1, a2, a3, a4, a5);
}
}

static void setup_main_process()
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
install_segv_handler();

char tmpdir_template[] = "./syzkaller.XXXXXX";
char* tmpdir = mkdtemp(tmpdir_template);
if (!tmpdir)
fail("failed to mkdtemp");
if (chmod(tmpdir, 0777))
fail("failed to chmod");
if (chdir(tmpdir))
fail("failed to chdir");
}

static void loop();

static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
setsid();

struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 0;
setrlimit(RLIMIT_CORE, &rlim);

unshare(CLONE_NEWNS);
unshare(CLONE_NEWIPC);
unshare(CLONE_IO);
}

static int do_sandbox_none(int executor_pid, bool enable_tun)
{
int pid = fork();
if (pid)
return pid;

sandbox_common();

loop();
doexit(1);
}

static void remove_dir(const char* dir)
{
DIR* dp;
struct dirent* ep;
int iter = 0;
retry:
dp = opendir(dir);
if (dp == NULL) {
if (errno == EMFILE) {
exitf("opendir(%s) failed due to NOFILE, exiting");
}
exitf("opendir(%s) failed", dir);
}
while ((ep = readdir(dp))) {
if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
continue;
char filename[FILENAME_MAX];
snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
struct stat st;
if (lstat(filename, &st))
exitf("lstat(%s) failed", filename);
if (S_ISDIR(st.st_mode)) {
remove_dir(filename);
continue;
}
int i;
for (i = 0;; i++) {
debug("unlink(%s)\n", filename);
if (unlink(filename) == 0)
break;
if (errno == EROFS) {
debug("ignoring EROFS\n");
break;
}
if (errno != EBUSY || i > 100)
exitf("unlink(%s) failed", filename);
debug("umount(%s)\n", filename);
if (umount2(filename, MNT_DETACH))
exitf("umount(%s) failed", filename);
}
}
closedir(dp);
int i;
for (i = 0;; i++) {
debug("rmdir(%s)\n", dir);
if (rmdir(dir) == 0)
break;
if (i < 100) {
if (errno == EROFS) {
debug("ignoring EROFS\n");
break;
}
if (errno == EBUSY) {
debug("umount(%s)\n", dir);
if (umount2(dir, MNT_DETACH))
exitf("umount(%s) failed", dir);
continue;
}
if (errno == ENOTEMPTY) {
if (iter < 100) {
iter++;
goto retry;
}
}
}
exitf("rmdir(%s) failed", dir);
}
}

static uint64_t current_time_ms()
{
struct timespec ts;

if (clock_gettime(CLOCK_MONOTONIC, &ts))
fail("clock_gettime failed");
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

void loop()
{
int iter;
for (iter = 0;; iter++) {
char cwdbuf[256];
sprintf(cwdbuf, "./%d", iter);
if (mkdir(cwdbuf, 0777))
fail("failed to mkdir");
int pid = fork();
if (pid < 0)
fail("clone failed");
if (pid == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
if (chdir(cwdbuf))
fail("failed to chdir");
test();
doexit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
int res = waitpid(-1, &status, __WALL | WNOHANG);
if (res == pid)
break;
usleep(1000);
if (current_time_ms() - start > 5 * 1000) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
while (waitpid(-1, &status, __WALL) != pid) {
}
break;
}
}
remove_dir(cwdbuf);
}
}

long r[137];
void test()
{
memset(r, -1, sizeof(r));
r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0x9000ul, 0x3ul,
0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
NONFAILING(*(uint64_t*)0x20005fc8 = (uint64_t)0x20003000);
NONFAILING(*(uint32_t*)0x20005fd0 = (uint32_t)0x10);
NONFAILING(*(uint64_t*)0x20005fd8 = (uint64_t)0x20001fa0);
NONFAILING(*(uint64_t*)0x20005fe0 = (uint64_t)0x6);
NONFAILING(*(uint64_t*)0x20005fe8 = (uint64_t)0x20005000);
NONFAILING(*(uint64_t*)0x20005ff0 = (uint64_t)0x9);
NONFAILING(*(uint32_t*)0x20005ff8 = (uint32_t)0x48000);
NONFAILING(*(uint16_t*)0x20003000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20003002 = (uint16_t)0x214e);
NONFAILING(*(uint32_t*)0x20003004 = (uint32_t)0x100007f);
NONFAILING(*(uint8_t*)0x20003008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20003009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000300a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000300b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000300c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000300d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000300e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2000300f = (uint8_t)0x0);
NONFAILING(*(uint64_t*)0x20001fa0 = (uint64_t)0x20002000);
NONFAILING(*(uint64_t*)0x20001fa8 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x20001fb0 = (uint64_t)0x20004000);
NONFAILING(*(uint64_t*)0x20001fb8 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x20001fc0 = (uint64_t)0x20002f68);
NONFAILING(*(uint64_t*)0x20001fc8 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x20001fd0 = (uint64_t)0x20005fe7);
NONFAILING(*(uint64_t*)0x20001fd8 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x20001fe0 = (uint64_t)0x20000000);
NONFAILING(*(uint64_t*)0x20001fe8 = (uint64_t)0x1000);
NONFAILING(*(uint64_t*)0x20001ff0 = (uint64_t)0x20005000);
NONFAILING(*(uint64_t*)0x20001ff8 = (uint64_t)0x0);
NONFAILING(memcpy(
(void*)0x20000000,
"\x69\x96\x5a\x93\x57\x21\x84\x0d\x93\x9c\x48\x46\xc2\xa6\xc7\xee"
"\xf7\x9d\xec\xf3\x2f\x89\x9b\xbc\x23\x25\x6e\x91\x9c\x9c\x83\xc4"
"\x80\x33\xd9\xe6\x6e\xdd\xd0\x9e\x35\xd3\xd7\x1f\xd3\x27\xd1\x79"
"\x36\x63\xd8\xd4\x45\x59\x31\x28\xc6\xdb\x64\xb7\x96\xd4\x58\xb6"
"\xf1\x08\xf0\xea\x1d\x26\x93\x0a\x3a\x53\x2a\xc4\x71\xda\x69\xb9"
"\x4a\x29\x03\x05\x01\x7a\x5c\x44\x3a\x81\xaa\x12\x9b\x29\x3f\xf6"
"\xf0\x62\xd7\xb0\xb3\xd5\x46\x9e\xd0\xfd\x5c\xf6\x25\x5d\x2f\xfc"
"\x0b\x6e\x04\xd4\x88\x6a\x4e\x4f\xdf\x1a\x00\x12\x6b\x3b\xf4\x73"
"\x50\xa4\x53\x5e\x37\x17\xb3\x9e\xc8\xba\xd9\x3b\x7f\xf7\x43\x75"
"\xe4\x6a\x44\x66\xcd\x2e\x12\x8e\x96\x76\xb9\xc9\x57\x7f\xa7\xe7"
"\x42\xeb\x52\xc2\xee\x3e\xbc\x28\x51\xf4\xff\x71\xb3\x05\x90\xbd"
"\xa0\x07\x98\x92\x78\xb6\x88\x41\xe5\x2b\xf2\x53\x53\xc3\xb5\x62"
"\x0d\x1c\x36\x78\xbe\x12\x04\x3b\xac\xea\x52\xb6\xe3\xd0\x11\x1d"
"\x99\x11\x19\x2a\x16\x4f\x04\xe3\x17\x07\xef\xaa\x3a\xf4\x8a\x62"
"\xd4\x95\x06\x9c\x0c\xe9\xa7\x0a\xf1\xff\xdb\xba\xcb\xf3\x22\xb6"
"\xc5\x2f\xa6\x36\x82\x00\x9e\x37\xd5\x6d\xc1\x52\x42\x7d\x34\x9a"
"\x22\x29\x31\x75\xcf\xbe\x9f\x1f\x66\x35\x3b\x82\x01\xcb\x46\x27"
"\x8c\x5b\x62\xc1\xd6\xdd\x03\x5d\x0e\x5f\xcc\xae\xca\x66\x01\x37"
"\x5d\xd9\x53\x78\xcb\xa4\x36\x11\x6c\xc3\xae\xbf\x7d\xed\x4d\x01"
"\xb7\x72\x58\xff\x1f\x57\xbd\x0e\xd3\x2e\x12\x65\xc2\xea\x7f\xaf"
"\x45\xa0\x1c\xb1\x23\x82\x72\x5b\x80\x2d\xce\xcb\xb1\x3c\x3f\x05"
"\x0f\x67\x98\xfa\xf1\xb1\xf6\x9c\x64\xe6\x2d\x8e\x26\x5c\x95\x61"
"\xaa\x62\x4b\x10\x20\x96\xf9\xa7\xd2\xaf\xb0\x68\x9d\x28\xb8\x07"
"\xd2\xc7\x9c\x6f\xfd\x68\x28\xd8\x87\x4a\xdc\x0e\xef\x9a\x0a\x50"
"\x9e\xee\x2d\xe1\xf2\xfc\xb6\x59\xba\x1a\xc6\x62\x4b\x37\xf8\x4d"
"\x64\x16\x29\x30\x97\xf5\xb2\x72\xd1\xe0\x8a\xc9\x2e\x29\xb1\x18"
"\x1f\xa0\x02\x28\xa1\x7b\x7e\xc6\x9e\xfd\xa9\x99\xdf\x82\x29\x5f"
"\xbb\x64\x0e\x19\xaf\x81\x6e\x5d\x02\xd0\xe1\xa2\xc5\x14\x93\xf5"
"\xe4\xcc\x5f\x0b\xab\x49\xd4\xe8\xfc\x49\xbe\x72\xac\x56\xb1\xfc"
"\xe2\xd6\x38\xbe\x66\x82\x72\x76\xfd\xb2\x85\x9c\x6b\x58\xf0\xd6"
"\x7e\xaa\x4b\x8d\xbe\x07\xf1\xbf\xb7\xcf\x92\xde\xb2\xe3\x90\x51"
"\x23\x34\x5c\xaf\x6f\x57\x47\x67\xde\xa8\x6a\xda\xd9\x11\x54\xe8"
"\xd0\x80\xa0\xf6\x41\xa1\x6e\x43\x5a\x8d\x33\x08\x56\x9e\x91\xd2"
"\x34\x69\x0f\x27\xcf\xe6\x8c\x8b\x37\xa3\xc9\x5b\xdf\x41\xa7\xd8"
"\xc8\xfc\xea\x20\xd6\xc8\xa8\x57\xb2\xe0\x1a\xe4\x56\xcd\xf1\xec"
"\xb1\x25\x3b\xbc\x96\x5c\xbb\xb5\x9c\xd0\xc2\xec\xda\x4b\xcc\xbf"
"\xdb\x84\x5b\xfe\x78\x14\xde\x11\x6d\x80\x9e\x31\xc7\xbf\xdc\x86"
"\x45\x46\xef\x92\x8b\x31\xd3\x8e\x42\x30\xc0\x43\x67\x90\x05\xa9"
"\x9b\x6a\xfa\xf0\x1c\x76\xbf\x8a\x39\xac\x2c\xf0\x34\xee\x4a\x8c"
"\xfe\x97\x55\x7b\x9a\xbc\x52\x1c\xcc\x41\x41\x4c\x04\x21\xed\x38"
"\x3b\xab\xae\x0a\x4d\xce\x07\x5d\xab\x5e\x69\xaf\x35\xc0\x13\x41"
"\xb3\x77\xc3\x72\x3b\x23\x25\x7d\x35\x1f\xd2\x5d\x36\xa3\xed\xea"
"\x55\x55\x00\x47\x56\x2b\x00\xec\xc6\xfc\xa5\xfc\xa4\x98\xe2\xfb"
"\x41\x23\xa6\x03\xa2\xfd\xbf\xb9\x48\x49\x10\x45\xc2\x1e\x79\x1a"
"\xc1\x92\x15\xc2\xee\xf6\x20\x3e\x5a\x5e\xc6\x07\xff\xf4\x11\x9f"
"\x63\xe8\xa1\xe7\x75\xfa\x98\xb4\x03\xfc\x5c\x2a\xad\xa1\xca\x01"
"\xa0\x36\x34\x70\xd5\x19\x21\x3b\x31\xd6\xed\x04\x94\xae\xce\xd5"
"\x40\xc2\x10\x19\xbb\xd0\x96\x88\x35\x70\x99\xea\x5e\x5a\xcb\xd2"
"\x3c\x75\xf7\x4b\xee\x2b\x80\x99\x5b\xde\x1a\x1e\xdf\x69\xcf\xf5"
"\xef\x68\x12\x18\xad\xc9\xe3\x54\x6e\x4c\xe1\x86\xcc\x0c\x01\x9f"
"\xee\x6a\xe2\xcd\x39\xd3\x21\x38\x76\x8a\x59\xac\x2c\xf1\x5e\x41"
"\xe9\xe2\x26\x01\x70\xda\xac\xc0\x5e\xa1\x8a\x54\xd9\xe0\x2f\xc6"
"\x81\xb8\xc2\x48\xa6\x3e\x66\xac\xb4\x77\x8b\x8d\xdf\xfd\x01\x91"
"\xef\x81\xbb\xdd\xfe\x16\x4b\xb4\x7f\x2e\xd3\xe0\xae\xfc\x5a\xff"
"\xaf\x76\xbc\xbf\x51\x2b\x50\x3a\xc4\x7e\xb2\xc2\x0f\xae\xb7\x92"
"\x04\xfe\x2b\xd1\xce\x1f\xd3\xcd\xea\x06\x5a\xf7\x56\x35\x25\xa8"
"\x65\x52\x0f\x20\x20\xd0\xcd\xbf\xdf\x7b\x00\xbe\x3a\x52\x22\xa5"
"\xab\x94\xaa\xcd\x62\x0a\xdc\xda\x8c\xbe\xc4\x2b\x99\xb5\x70\x59"
"\xe1\xcf\x28\xe7\xf5\xad\x7f\xa5\xaa\x03\xeb\x84\x9a\x76\xa9\xfc"
"\x52\xee\x4f\xf2\xf9\x4d\xc8\x64\xd3\xf3\x8a\xcb\x58\x39\xf9\x8c"
"\x5d\x8d\x33\xc6\x9a\x9c\xa5\x92\x68\xf8\xb2\xae\x6e\x7a\x26\x4b"
"\xe1\x5e\x01\x12\x2a\x16\xce\xa7\x89\x36\x6d\xb6\xa2\x0a\x44\xb0"
"\x8e\x90\xc9\x94\xe4\x2b\x54\x53\xcf\xca\x5e\xa8\x61\xa6\xee\x2e"
"\x18\xca\x66\xcc\x66\x88\x8b\xf3\x1c\xbb\xa0\x1c\x2e\x45\xc6\xee"
"\x75\x43\xeb\xb2\x94\x39\x97\x35\x86\xdf\x09\x78\x6c\x87\xba\x86"
"\x37\x4b\x8e\xa6\xcc\x5c\x88\x82\x69\x3d\x80\xdf\x33\x73\x5f\xb3"
"\xc1\x4e\x73\xbe\x62\x82\xb2\xdf\x9d\x2d\xbf\x8e\xdd\x7e\x08\xe3"
"\x75\x27\x29\x48\x50\xac\x4a\x1f\xeb\xfb\x27\xc4\x05\x1c\xc7\xdd"
"\xec\x35\x6f\xe5\x08\x62\x9a\x64\x8f\xf1\x80\x3d\x38\x69\x32\x53"
"\xfb\xde\x68\x31\xa0\xed\xa5\x44\x55\x1f\x52\x64\x9f\x34\xe5\xd1"
"\x12\x8f\x78\xfc\x7f\x6d\x5a\xa6\x41\xb3\x37\x2a\x7e\x40\xce\x8e"
"\x69\xbf\x9d\x8b\xa5\xdd\xb7\x88\xdd\x8d\xd9\x92\x03\xb7\x86\x80"
"\x8e\xef\x1f\x02\x9a\x76\x76\x85\xad\x04\xea\xb0\xc4\x48\x21\xd7"
"\xce\xa1\x0e\xa6\x7c\xdb\x86\x6a\x8f\xa1\x67\xdb\x0a\x06\x12\xfd"
"\x2a\x06\x92\x22\xe1\x40\x1c\x49\x5b\x2a\xef\x8b\xeb\x76\x3c\xb5"
"\x9f\xd0\x61\xb4\x18\xc9\x3c\xc1\xd5\x6a\x47\x52\x14\x9f\x1f\x45"
"\x66\x4d\xde\x6b\x69\xb8\xd7\x01\x10\xff\xe3\xbe\xba\xa2\xc5\xf7"
"\x23\xb3\x08\xcd\x82\xed\xb8\x72\xd3\xa9\x44\xb7\xcf\x5c\xb3\x61"
"\xf6\x8f\x68\x4e\xe0\x31\x74\x7a\x06\xf2\xe5\xa3\x77\xb5\x4b\xf8"
"\x27\x52\x03\x04\xb8\x09\xa9\x89\x73\xa2\x27\x95\x4c\x4e\x91\x44"
"\x83\x19\x12\xbd\xf8\x66\x75\x51\xef\xc1\xb8\x44\xb4\x10\x41\x08"
"\x11\x1b\x47\x8e\xb0\x54\xf2\xdf\x7f\x97\x25\xcc\x97\xe6\xa1\x7c"
"\x18\x4c\x0d\x7d\x9d\xed\x9b\xe2\xe0\x30\x44\x7f\xd3\x44\x13\xc2"
"\x9b\x62\x36\xe8\xb8\xfb\x36\xb6\xdb\xfa\x57\x6d\x2f\xa7\x80\xa8"
"\x1a\xaa\x97\xff\x62\x71\xe7\x7b\xf5\xd9\x00\xbb\x72\xd4\xf2\x08"
"\xa0\xfc\x4e\x2b\xb5\x9f\xea\xcf\xd5\x28\xdb\xdf\x98\x03\x3c\x6e"
"\xc9\xf2\x29\x56\x5c\x20\x87\x00\x23\x6f\x3d\x32\xce\x6e\x29\xd4"
"\x3a\x25\xa8\x26\xc5\x62\xc1\xc9\xf3\x22\x39\x03\x36\x80\xdf\xbd"
"\xf9\x4b\x8c\xd7\x5f\xc6\x16\x2d\x12\x36\x3a\x05\x83\x61\xf8\x6f"
"\x63\xb5\xf0\x8f\xdc\x47\x36\xd5\x27\x38\x58\xc4\x91\xf4\x0e\xa3"
"\x8f\x90\xea\xb4\xe4\xe2\x88\x3b\xe2\x1a\x2f\x47\xd8\x0c\x98\x01"
"\x7f\xe5\xe3\x91\x39\x2d\xf4\x9c\x78\x2e\x0a\x9d\x88\x45\x76\xec"
"\x2c\x5b\x8f\xb2\xe0\x69\x03\x00\x3f\x88\x2c\x56\x00\xcc\x32\x24"
"\x43\x92\x1f\xac\x8b\x3c\x86\xc1\x07\x6b\xf7\x3a\xf4\xdf\x4b\x2b"
"\x4a\x33\xd3\x28\x9e\x50\xac\x98\xed\xd3\x68\x7f\x09\xf2\x01\x5e"
"\xf6\xa1\x5d\xca\x59\xbd\x0c\x00\x38\xca\x1e\x7f\x58\xe7\x0f\x2c"
"\xc7\x50\x3a\xf8\xb2\x37\xae\x53\x8d\x5e\x27\xc1\x0b\xf5\x4b\xe3"
"\x32\xd3\x0c\x0b\x0a\xc0\xca\x48\x45\x7a\x8d\x10\x7d\xad\x9c\x9e"
"\x95\x45\xe2\xe1\x2a\x55\xe6\x5b\xd7\x31\x45\x93\x46\xbd\x31\x83"
"\xda\x1a\x5f\x38\x94\x6b\x95\x24\x19\x4e\xe7\xe6\x89\x17\xf4\xa2"
"\x53\x65\xf7\x1a\x14\x0c\x4e\x06\x80\x3a\xa2\xb8\x13\x1d\xd5\x98"
"\x73\x81\x76\xfd\x87\xee\x64\x03\x37\x95\xf5\x2e\x00\x39\xc3\x68"
"\x4b\x8b\xaf\xe3\x65\x4d\xd4\x70\xae\xdf\xa1\x48\x67\x53\x89\x74"
"\xba\x58\x99\xf6\xb3\xe5\xa2\xf1\x3d\xa3\x4f\x70\xa5\x2d\x21\xeb"
"\x23\xad\xe3\x0a\xa8\x78\x41\x5f\xf6\xb3\xb1\x17\x81\x3e\x64\x54"
"\xe4\x23\x94\xdd\x84\xa9\xe5\x01\x28\x39\xfb\x40\x22\x4b\x3e\xe4"
"\xa4\xd3\x9a\xf9\xf1\x77\xac\xc6\xc6\xa7\x76\x91\x2e\xc3\x48\x09"
"\x81\xf7\xc1\x8a\xa2\x89\x27\xde\x5a\x34\x7f\xce\x7b\xbd\xde\xaa"
"\x91\xf8\xe1\x62\xfe\x94\xd3\x36\x4f\xaf\x58\x89\xde\x57\xd4\xdf"
"\xab\xca\xe7\x34\x90\x97\xf1\xe1\x8e\x19\x1b\x30\x0d\x86\x4d\xc0"
"\x14\x62\x94\xb9\x23\x01\xc2\x33\xc5\xf2\x1c\xbc\x82\x16\xb6\x19"
"\xcd\x58\xda\x50\x04\x25\xbb\x3c\x3a\x54\xaf\x73\x85\x1c\xf0\x2b"
"\x64\x88\xc4\x3e\x0b\x76\x07\x68\x2a\x27\x56\x09\xf6\x95\x9d\xae"
"\xfd\x29\x04\x53\xc1\xee\xf8\x84\xbe\xd4\xb1\x3c\x61\x2b\x3a\xb2"
"\x30\x11\x3f\x75\xc4\xe1\xc1\xda\x48\x28\x38\x47\xb3\x43\xa5\xc0"
"\x51\x9e\x13\x65\xcf\xe2\xc7\xb9\x05\x1c\xe8\x15\xef\xf9\x1f\x28"
"\x13\x43\x68\x3f\x6a\x08\xe5\x9b\x17\xff\xf1\x5e\x9c\xd5\x10\x1c"
"\xf4\x56\x6a\xaf\x23\xbd\x96\xc2\xa8\xa8\xd0\xef\x07\xa4\x61\x59"
"\xb2\x85\x3e\x6e\x64\xfc\x3f\x54\xc5\xef\xda\xa9\x3e\x41\x41\xd4"
"\x83\x93\x19\x60\x37\x58\x2c\x53\x08\xd4\xab\x38\x2e\x09\xcf\xa2"
"\xc0\xc8\xd5\x37\xe3\x4e\xc8\x83\x22\x81\x23\x22\xb5\xb9\xef\xbd"
"\x4e\x59\x96\x9c\x05\xde\x2e\x1d\x59\x4e\x20\xe0\xbe\x02\xe7\x7e"
"\xfe\x7c\x22\xf6\x4f\x6b\x25\xdb\xda\x29\xf4\x6e\x15\x14\x53\xde"
"\xe1\xf3\xfe\x50\x98\xdc\x46\x81\xef\xa2\x87\x0f\x94\x6b\x32\x11"
"\xfc\xab\x4e\x1e\xaa\x29\x8a\x4b\x4e\x98\x66\x4d\x3d\xa5\x92\x18"
"\xcf\x39\x1e\xa7\xc5\xc0\x5d\xc7\x59\x89\xb3\x8f\x09\xbd\x14\xce"
"\x2b\x38\xa1\x47\xfb\xa7\xc4\x04\x18\xc9\x1f\x9e\x91\x05\xf6\xb0"
"\x76\x04\xf2\x71\x01\x59\xd7\xea\x6c\x1e\xb7\xad\xb0\x91\xb9\x46"
"\xa9\xb7\x0c\xbe\x33\x8c\x60\x9d\x57\x69\x9b\x87\x7f\x1e\x1d\x70"
"\x10\x48\x19\xfe\x6b\x00\x12\x7f\x97\x34\xc5\xde\x4f\x6d\x82\xc9"
"\x0a\x8d\xdc\xe5\xbc\xc5\xef\x38\x0d\xeb\x2b\xb2\x08\x93\x4f\x7e"
"\x44\x4f\xbe\xca\xb2\x4a\xa3\xc9\x46\x3f\x63\x2d\x27\xfe\x6f\xf0"
"\xf3\x25\xc6\xb2\xb6\x7b\x7b\xb5\x8d\x6e\x9c\xf2\x08\xf1\x58\x16"
"\xc9\x70\x0e\xc2\xfd\x76\x08\x1e\x66\x36\x7f\x4a\x45\xab\x02\xd7"
"\x6c\x2e\x4e\x1c\xe6\xd2\x11\x23\x21\xcf\x6a\xdb\xe4\x53\x87\x94"
"\x2c\xbe\x90\x49\x2f\x2e\x45\x85\xce\x52\x00\x57\x57\xdb\xe0\xd7"
"\x1a\x66\x75\x43\xb5\x1d\xb4\x04\x84\x4d\x67\xf2\xf6\x60\x8c\xaa"
"\xbc\x1f\x00\x69\xa2\x78\x73\xe1\xd2\x09\x68\xac\x3a\xa9\x5b\x42"
"\x23\x45\x74\xab\xa9\x54\xe4\xae\x58\xfc\x07\x34\xfe\x94\x9a\x5a"
"\xff\x75\x79\xa9\xe4\xb3\x6f\x5d\x71\xd0\x57\xf5\xa7\xd8\x7c\x9f"
"\x6a\x90\xd6\x64\x9d\x6c\x4d\xf5\x61\x90\xeb\xee\x62\x1e\xdf\xec"
"\x69\x96\xa1\x01\x04\x4d\x1b\xc7\xee\x9d\x09\x0c\x7a\x5f\x90\xb5"
"\xc6\xb3\x44\xc6\x1f\x07\x1f\x53\x7a\x0a\xa0\x35\xcd\x6d\x11\xf9"
"\xf1\xbf\x16\x25\xf0\xe1\xa9\xed\x3e\x13\x0a\x42\xea\xd0\xea\x9b"
"\x84\x10\xfe\xe4\xe8\xae\x20\x9e\x92\xe3\xb0\xe5\x70\xf8\x9b\x3b"
"\x3d\x6b\x42\xae\x48\x5b\x6a\xbb\xd1\xd6\x38\x17\x45\x5e\xc9\xae"
"\x68\xf2\xab\x18\x92\x3f\x36\x62\x2f\xf0\xbe\xa3\x35\x23\x4d\x2e"
"\x93\xf2\xc2\x6d\x7c\xae\xa6\x7d\x52\x28\x1b\x39\x39\x56\x54\x63"
"\xe0\xd9\x09\xe1\xcc\x74\x7e\x69\xbc\x62\xfb\xe6\x43\xdd\x17\x3c"
"\x48\xce\x75\xcb\xd7\x71\xb7\xb5\x09\x3c\xe1\x21\x0e\xf9\x1d\xbc"
"\x9e\x8e\xae\x19\x38\x04\xdf\x33\x45\xbc\x40\x75\xdf\xe3\x5a\xff"
"\x01\x71\x81\x10\x0b\xdf\x57\xcf\xf8\xd2\x0b\xcb\x07\x1f\x05\xb8"
"\xa6\x6b\x33\x55\x2b\xf0\x09\x8d\xae\x07\x99\xb3\x9b\xfd\x9c\x32"
"\x75\x2d\xcb\x44\x26\x7d\xd6\xb9\x21\x6c\x63\x57\xec\x16\x88\x9f"
"\xed\x25\x5f\x6a\x71\x88\x14\x8a\xe1\xc3\x68\x05\x82\x4a\xc6\x50"
"\x99\x8d\xf4\x98\x69\x3f\x16\x8d\x57\x28\xeb\x0e\xd9\x60\xee\x4c"
"\xdf\x3d\xe4\xde\xa6\x24\x07\x34\x4d\x4b\x79\x96\x36\xe9\xad\x00"
"\x32\x83\xf0\x0d\xbc\xc9\xc0\x55\xc9\x0c\xc8\x1a\xf7\x32\xc0\x9f"
"\xb4\x3f\xcd\x85\x4f\xcc\xd1\x3d\x49\x11\xbf\xbe\xc5\x6a\x1d\xde"
"\x0f\x5d\x4f\x4a\xa5\x4d\x25\x78\xa2\x9a\xea\x5f\x37\xb4\xeb\x10"
"\x75\x13\xb6\x65\x91\x16\xbd\x84\x16\x33\x81\x1f\x57\x3d\xaf\xcb"
"\x8e\x82\x60\x96\xc0\x2f\x2f\x0f\x40\x19\xf2\x44\x50\xa3\x0a\x98"
"\xe6\x8b\x8a\xec\xd8\xd3\xa6\xb8\x53\x37\x23\x76\xbc\xd7\x76\x99"
"\xe8\x86\x99\x70\xd8\xef\x07\x8f\xec\xe3\x7f\xc7\x60\x4a\xf1\x78"
"\x66\x35\x39\xbe\x14\x40\xb2\xbf\x47\x72\xc7\xad\x3f\x2f\x07\xca"
"\x68\xd2\x4a\x0b\x3b\xa3\x5e\xea\x88\x73\x0f\xac\x77\xfd\x23\xc1"
"\xf4\x55\x8d\xa9\x57\x37\x0e\x0e\x1f\xa5\xc4\x60\x40\x2b\x69\x2e"
"\x05\xb8\x8c\x1a\x19\x4b\x84\x76\x67\x0b\x9b\x8f\xe2\x61\xac\x64"
"\x8d\xdd\x56\x3e\xd5\xfa\x18\x64\xba\x23\x84\x14\x5f\x56\x9d\x4a"
"\x07\x64\x36\xe5\x9f\xce\xba\x4f\xcd\x11\x34\xc0\xb1\x0a\xed\x90"
"\x58\x3c\xdf\x82\xbf\xa1\x32\x64\x27\xbd\x5f\x6b\x49\x44\x2c\x52"
"\x0f\xfb\xe7\x5c\xe1\x7a\xa6\x7a\xc1\x60\x0d\xae\xb0\x84\x22\x33"
"\x7f\xe8\xaa\xda\x6a\x7a\x63\x37\x5d\xc1\x04\xd0\x62\x60\xf5\x1a"
"\x0b\x70\x87\x13\x0c\xec\xa9\xd6\x86\x4d\xa3\xd1\x72\x17\xc1\xc7"
"\x67\xa8\xc6\xa6\x2a\x70\xce\x45\xa3\x31\xff\xbe\x7a\x83\xdc\x7c"
"\xbf\xb5\xa9\x70\xfe\xc3\xae\xa3\x47\xb2\xbe\xfa\x68\x20\xac\x40"
"\x23\x84\x08\xf9\x9f\x8a\xfc\x7d\x75\xa9\xcf\xe9\xf4\xd2\x0e\xea"
"\x85\xef\xbd\x9a\x19\x00\x74\x2f\x54\x6e\x28\x29\xf7\xd4\xdc\x19"
"\x5b\x65\xe7\xfd\x03\x0d\x24\x91\x9f\x2c\x07\x55\x62\x2f\x90\x73"
"\x2e\x88\x8d\x8e\x3a\xf4\x9a\x94\x55\x5d\x43\x9e\xd5\x4d\x8d\x3d"
"\x4c\x2d\x4d\xb9\x78\xf7\x43\x81\x99\x8d\x18\x4c\x35\x72\x43\xe3"
"\x38\x7d\x5a\x2a\x9f\xbe\x2e\xf1\xd2\x51\xb4\xb1\x7d\x29\xcb\x8b"
"\xdb\x66\xb7\x33\xb9\x5b\x41\xf1\xce\x38\x59\x80\xa5\x13\x39\x61"
"\x2d\x36\x03\xd5\x04\xc2\xf3\xe0\xe4\x58\xbd\x09\xbf\x09\xda\xd2"
"\x20\xb0\xd0\x1e\x5a\x4f\xad\xb3\x66\x26\xaf\xd1\xb3\x2f\x8f\x3f"
"\x56\x4f\x4a\xd3\xec\x7c\x78\x6a\x8c\xd5\x5d\xbe\x6a\xb3\xba\x7e"
"\x24\x10\x45\x02\x5a\x1d\x37\x76\xb2\xc8\xf7\x78\x9e\xc9\x46\x36"
"\x5e\xce\x07\xb6\xf3\x77\x57\x3c\xa1\x08\xdf\x6d\x64\x66\x01\xca"
"\xe0\xbe\x14\x1f\x60\xc0\xad\xec\x37\x01\xd5\xec\x91\x0b\x84\x23"
"\xa4\x01\xf8\xb5\xb9\xc1\x4a\x5b\x0a\x68\x8c\x0b\xef\x68\x19\x9b"
"\x86\x3e\xc5\xb2\x03\x16\x79\x58\xdd\x20\x00\x3f\xcf\x0e\x49\x36"
"\xf4\x33\xec\xed\x24\x01\x2a\xf0\xb2\x06\x89\xeb\xd4\x03\x22\xc9"
"\xa1\x1e\x1f\x1a\xf9\x13\x4e\x90\x67\xaf\xb7\x40\x44\x2f\x71\x46"
"\xce\x17\x1c\x72\x38\xb6\x17\x53\xa6\x61\xb8\xa8\x49\xe2\x1f\xee"
"\x28\x69\xcd\x64\xbf\x20\x35\xc1\x7b\xce\x05\x5f\x13\xa4\xd5\x0f"
"\x9c\x4c\x73\xa3\xc7\xc4\x63\xee\x9e\x68\x47\xfe\x87\x23\xcf\x45"
"\xb3\xfc\x0e\xdc\x5b\x0c\x31\xe4\xa6\x15\x1c\x09\x08\xf2\x2b\x9c"
"\x9a\x9c\x77\xf2\x07\x9d\x70\xe5\x1c\x84\xed\x50\x01\x21\x83\xb8"
"\xf6\xee\xe2\xec\x40\x5d\x42\x45\x24\x54\x70\x0c\xee\x2d\xf4\x5a"
"\x0e\x3c\xfd\x77\x62\xe9\x6b\x82\x0a\xc1\x7c\xa9\x23\xaf\xab\x20"
"\xed\xb7\x23\xdc\xa8\xaa\x7b\x47\x17\x08\xce\x7a\xe0\x35\xa2\xc3"
"\x59\xba\x21\xa8\x0e\x61\xdf\x9a\x96\xe5\xed\x10\x1b\xa5\xa8\xf6"
"\x75\x8f\x0e\x5f\x14\x9f\x3b\xbf\xdd\x53\x82\x9c\xed\x71\x7e\x23"
"\x51\x6f\x1b\x81\xa5\xb9\x08\xbf\xea\xc1\x75\x6f\x76\xc2\x8a\x3a"
"\x8b\xeb\x77\x5f\xee\x02\x85\x76\xe2\x65\x69\x1f\x99\xce\x94\x07"
"\x82\x6c\xd8\x2e\x6b\xe4\x37\x15\xf7\xd2\x90\xb8\x4e\x3d\x6f\x11"
"\x01\xfb\x3f\xce\xb0\xd2\x26\x05\x7f\x8f\x7d\xeb\x62\x8d\xb2\x20"
"\xff\xbc\x24\x64\x80\xbe\x66\x46\x69\x12\xe0\xb2\x49\xbd\x9e\xa2"
"\x72\xd4\xb5\xac\x8e\x57\x65\x51\xad\x11\x71\xd2\x30\x00\x55\x32"
"\xc5\x89\x7b\x01\x95\xa0\x8d\x0f\xf0\x74\x5d\x68\xc4\x67\x62\xf0"
"\x2e\x78\xf2\x87\xed\x9c\xee\x74\x14\xab\x31\x1a\x09\x3e\xfd\x2a"
"\x5e\xaf\x7c\xda\x50\x69\xf6\xbc\x0e\x1e\xa0\x78\x77\xd4\x6c\x3c"
"\xb7\x63\xf3\x9e\x14\x96\x09\x06\x1f\x9d\x27\xc1\x82\x64\x9f\x8e"
"\xfa\x5c\x6d\x0c\xa0\x0a\xb0\x79\x96\x64\x0f\x85\x2a\xb5\x33\x4e"
"\x21\xa3\x95\x17\x7c\x03\x1b\xe6\x8e\xeb\x6d\xe1\x22\x10\x0c\x08"
"\xa7\xb4\x89\xfb\xed\xb4\x8c\x96\xb4\x4d\x7e\x68\xe0\xcb\x46\x50"
"\xbf\xf5\x3a\x01\x85\x87\x7a\x0a\xaf\x11\x16\xdf\xd9\xb3\x23\xda"
"\xa9\x7a\x46\x5d\xd0\x43\x3f\xd1\xa4\x5b\xa7\xa4\xc7\x6d\x73\xef"
"\xf0\xa6\x74\x99\xa0\x51\xe3\x78\x27\xaf\x32\x23\x82\x5f\x88\xe0"
"\x73\xd0\xb9\xae\x1d\x42\x90\x0e\x10\x92\x05\x00\xc5\xb9\xfc\x5a"
"\x8a\x08\xa2\xd5\xdd\xe7\xaa\xd6\xf7\x43\x41\x1a\x82\xaf\x23\xb8"
"\x71\x8f\xc1\x7b\x21\xe1\xe2\x6a\xcf\x9f\x6e\x28\x28\x73\xa0\xb5"
"\xb7\x53\x8b\x33\x7e\x19\x98\x9d\x3b\xa7\xa3\x43\xe8\xde\x7d\xc6"
"\x61\x4c\xcf\x2c\x4b\x28\x3c\xb2\xda\xdd\x4d\xe7\x9f\x1d\x0b\xd6"
"\x31\x45\xbf\x7f\x82\xb7\x35\x18\x0f\x61\x8a\x7f\x7b\x90\xf3\xfc"
"\x70\x7a\x8b\xa8\x23\xe5\x94\x06\x5a\x8d\x7e\xd6\x38\x32\xcb\x36"
"\xf0\xda\xa9\xdb\xc2\x42\x8c\xc4\x10\xc6\x61\xef\x73\x49\x8a\x07"
"\xf1\x27\x2e\xac\x49\x37\xf8\xf8\xdd\xa1\xb7\x20\x82\x22\xd9\x83"
"\x69\x24\x61\x80\xf0\xca\xc1\xd4\xdc\x0f\x5d\x6f\x86\xc1\x0b\x60"
"\x6f\xa4\x51\x17\x9f\x3f\x86\xbb\x0d\xa8\x89\xfc\xc5\xa5\x2e\x41"
"\xad\x1a\x77\x66\x1f\xee\x9a\x17\x29\x4d\xa4\x54\xb4\x9b\xfb\x01"
"\x66\x3e\x16\xce\xcd\x94\x57\xc2\x47\x46\x93\xb6\xc3\x42\xfe\x34"
"\x72\x75\x18\x48\x1c\x22\x76\x07\x64\xb9\xac\x92\x0d\xb5\xda\xe3"
"\x9d\x32\x99\x02\xc5\xe9\x75\x18\x73\xf6\x10\x9e\x03\xa8\xf8\xd6"
"\xd7\xb7\x57\xa1\x6a\x02\x27\xe5\xe6\xc0\x64\xaf\x97\xf2\x0a\x0e"
"\x8b\x68\x99\x7b\x37\x11\x37\xff\xfc\x14\xff\x33\x44\x05\x17\x7e"
"\xcf\x56\xbc\xfa\x0b\x5f\x88\xb5\x63\x81\x9e\xf4\x2d\xba\x13\x0b"
"\x96\x87\x7f\x05\xbe\x48\x6a\xb5\x98\x74\xed\x65\xc9\x2d\xd0\x11"
"\x6f\x94\x6b\x69\x26\x9c\x28\xfa\x73\x9d\x1a\x4e\x5e\xcb\x36\xf9"
"\x70\xd9\xfc\x9a\x94\x5d\xb3\x2e\x83\x29\xb7\xbe\xe8\x90\xd5\xf2"
"\x56\x70\xab\xe3\xcb\x87\xe7\x1a\x06\x5d\x79\x3b\x59\x1e\x40\x5c"
"\x45\x4d\xc6\x65\x39\x8a\x77\x1f\xda\x84\xd0\x01\x41\x06\xcb\x7e"
"\xe8\xe7\xd9\x79\xab\xa9\x5c\x76\x6c\xc4\xac\x17\xa4\xcd\x39\x4e"
"\xa2\xc9\x08\x14\xc0\xf9\x58\x84\x97\xa1\x7f\xaf\x2c\xe3\x5a\x8b"
"\x02\x31\xf5\xde\x7e\x6f\x3d\x78\x88\x5a\x8d\x1a\xae\x35\x43\xd9"
"\x40\x8e\x89\xe2\x3e\x57\x11\x2a\xe6\xbd\xc1\xa7\x2c\x25\x63\x7e"
"\x35\x24\x50\xdf\x6f\x05\x91\x34\xcc\x7f\x7b\xb9\xfc\x1a\xd7\xf3"
"\xcb\x28\x1b\x0c\x06\xad\xfe\x8b\x8b\x86\xb5\x69\xbc\x16\x8b\x2a"
"\x79\x58\xc5\x03\x6b\xbb\x08\x6c\x6d\x78\x61\x9c\xf5\xc1\x6c\x5d"
"\xe4\xef\x4f\x69\xb1\x13\xdf\x85\x26\x04\x32\x23\x67\x79\xf2\x92"
"\x47\x90\xd0\xad\x98\xce\xef\x95\xb5\x9a\xb8\x93\x02\xa3\x37\xf3"
"\x32\x44\xc4\xf8\xac\x1b\x7c\xbd\x4a\xf6\x45\x8e\x65\xca\x41\x2c"
"\xb2\x21\x7f\x15\x7f\x53\xf7\xc5\xeb\x6a\xf6\x22\x44\x50\x0e\xbf"
"\x33\x58\x52\xa9\xaf\x98\xf6\x3c\x02\xe1\xea\x7f\xbf\x74\x0b\xd2"
"\x00\xd0\x88\x05\x8c\x38\x53\x19\xc7\xae\x54\xc6\x19\xec\x08\x79"
"\x8c\xb6\xf2\x3c\xad\x65\x6d\xcd\x55\x1a\x42\xe1\xbc\xd2\xba"
"\x27",
4096));
NONFAILING(*(uint64_t*)0x20005000 = (uint64_t)0x20);
NONFAILING(*(uint32_t*)0x20005008 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000500c = (uint32_t)0x2);
NONFAILING(*(uint16_t*)0x20005010 = (uint16_t)0x91dc);
NONFAILING(*(uint16_t*)0x20005012 = (uint16_t)0x1);
NONFAILING(*(uint32_t*)0x20005014 = (uint32_t)0x0);
NONFAILING(*(uint32_t*)0x20005018 = (uint32_t)0x1475);
NONFAILING(*(uint32_t*)0x2000501c = (uint32_t)0x3);
NONFAILING(*(uint64_t*)0x20005030 = (uint64_t)0x30);
NONFAILING(*(uint32_t*)0x20005038 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000503c = (uint32_t)0x1);
NONFAILING(*(uint16_t*)0x20005040 = (uint16_t)0x4);
NONFAILING(*(uint16_t*)0x20005042 = (uint16_t)0x101);
NONFAILING(*(uint16_t*)0x20005044 = (uint16_t)0x206);
NONFAILING(*(uint32_t*)0x20005048 = (uint32_t)0x8);
NONFAILING(*(uint32_t*)0x2000504c = (uint32_t)0x3b);
NONFAILING(*(uint32_t*)0x20005050 = (uint32_t)0x6);
NONFAILING(*(uint32_t*)0x20005054 = (uint32_t)0xffff);
NONFAILING(*(uint32_t*)0x20005058 = (uint32_t)0x8);
NONFAILING(*(uint32_t*)0x2000505c = (uint32_t)0x8);
NONFAILING(*(uint64_t*)0x20005060 = (uint64_t)0x20);
NONFAILING(*(uint32_t*)0x20005068 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000506c = (uint32_t)0x2);
NONFAILING(*(uint16_t*)0x20005070 = (uint16_t)0x9);
NONFAILING(*(uint16_t*)0x20005072 = (uint16_t)0x2);
NONFAILING(*(uint32_t*)0x20005074 = (uint32_t)0x80);
NONFAILING(*(uint32_t*)0x20005078 = (uint32_t)0x94);
NONFAILING(*(uint32_t*)0x2000507c = (uint32_t)0x4);
NONFAILING(*(uint64_t*)0x20005090 = (uint64_t)0x20);
NONFAILING(*(uint32_t*)0x20005098 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000509c = (uint32_t)0x2);
NONFAILING(*(uint16_t*)0x200050a0 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x200050a2 = (uint16_t)0x3);
NONFAILING(*(uint32_t*)0x200050a4 = (uint32_t)0x9);
NONFAILING(*(uint32_t*)0x200050a8 = (uint32_t)0x100);
NONFAILING(*(uint32_t*)0x200050ac = (uint32_t)0x6);
NONFAILING(*(uint64_t*)0x200050c0 = (uint64_t)0x20);
NONFAILING(*(uint32_t*)0x200050c8 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x200050cc = (uint32_t)0x2);
NONFAILING(*(uint16_t*)0x200050d0 = (uint16_t)0x1);
NONFAILING(*(uint16_t*)0x200050d2 = (uint16_t)0x4);
NONFAILING(*(uint32_t*)0x200050d4 = (uint32_t)0xffff);
NONFAILING(*(uint32_t*)0x200050d8 = (uint32_t)0x4);
NONFAILING(*(uint32_t*)0x200050dc = (uint32_t)0x0);
NONFAILING(*(uint64_t*)0x200050f0 = (uint64_t)0x20);
NONFAILING(*(uint32_t*)0x200050f8 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x200050fc = (uint32_t)0x2);
NONFAILING(*(uint16_t*)0x20005100 = (uint16_t)0x54);
NONFAILING(*(uint16_t*)0x20005102 = (uint16_t)0x203);
NONFAILING(*(uint32_t*)0x20005104 = (uint32_t)0x1ff);
NONFAILING(*(uint32_t*)0x20005108 = (uint32_t)0x7);
NONFAILING(*(uint32_t*)0x2000510c = (uint32_t)0x9);
NONFAILING(*(uint64_t*)0x20005120 = (uint64_t)0x18);
NONFAILING(*(uint32_t*)0x20005128 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000512c = (uint32_t)0x0);
NONFAILING(*(uint16_t*)0x20005130 = (uint16_t)0x7f);
NONFAILING(*(uint16_t*)0x20005132 = (uint16_t)0x4);
NONFAILING(*(uint16_t*)0x20005134 = (uint16_t)0x1ff);
NONFAILING(*(uint16_t*)0x20005136 = (uint16_t)0x6);
NONFAILING(*(uint64_t*)0x20005150 = (uint64_t)0x30);
NONFAILING(*(uint32_t*)0x20005158 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000515c = (uint32_t)0x1);
NONFAILING(*(uint16_t*)0x20005160 = (uint16_t)0x101);
NONFAILING(*(uint16_t*)0x20005162 = (uint16_t)0x100000000);
NONFAILING(*(uint16_t*)0x20005164 = (uint16_t)0x1);
NONFAILING(*(uint32_t*)0x20005168 = (uint32_t)0x8);
NONFAILING(*(uint32_t*)0x2000516c = (uint32_t)0x20);
NONFAILING(*(uint32_t*)0x20005170 = (uint32_t)0x0);
NONFAILING(*(uint32_t*)0x20005174 = (uint32_t)0x1);
NONFAILING(*(uint32_t*)0x20005178 = (uint32_t)0x1000);
NONFAILING(*(uint32_t*)0x2000517c = (uint32_t)0x7fffffff);
NONFAILING(*(uint64_t*)0x20005180 = (uint64_t)0x18);
NONFAILING(*(uint32_t*)0x20005188 = (uint32_t)0x84);
NONFAILING(*(uint32_t*)0x2000518c = (uint32_t)0x0);
NONFAILING(*(uint16_t*)0x20005190 = (uint16_t)0x1);
NONFAILING(*(uint16_t*)0x20005192 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20005194 = (uint16_t)0xff);
NONFAILING(*(uint16_t*)0x20005196 = (uint16_t)0x4);
r[110] =
execute_syscall(__NR_sendmsg, 0xfffffffffffffffful, 0x20005fc8ul,
0x20008800ul, 0, 0, 0, 0, 0, 0);
r[111] = execute_syscall(__NR_socket, 0x18ul, 0x0ul, 0x2ul, 0, 0, 0,
0, 0, 0);
NONFAILING(*(uint16_t*)0x20000fb8 = (uint16_t)0x6);
NONFAILING(
memcpy((void*)0x20000fba, "\x3b\x77\xfc\xed\x57\x2e\xde", 7));
NONFAILING(*(uint32_t*)0x20000fc4 = (uint32_t)0x400);
NONFAILING(
memcpy((void*)0x20000fc8, "\x28\x47\x5c\xbc\xef\xca\xfc", 7));
NONFAILING(
memcpy((void*)0x20000fcf, "\xd5\x06\xd3\x5b\xa5\xda\x78", 7));
NONFAILING(
memcpy((void*)0x20000fd6, "\x5f\xdd\x7f\x8d\xd3\x10\x1f", 7));
NONFAILING(
memcpy((void*)0x20000fdd, "\x70\xa3\x5f\x43\xfd\x2e\xed", 7));
NONFAILING(
memcpy((void*)0x20000fe4, "\x72\x00\x02\x04\x00\x00\x00", 7));
NONFAILING(
memcpy((void*)0x20000feb, "\x71\xb5\xe5\xc6\xdb\x7b\x03", 7));
NONFAILING(
memcpy((void*)0x20000ff2, "\xf6\x6d\x1f\x7c\x42\x2c\x22", 7));
NONFAILING(
memcpy((void*)0x20000ff9, "\x99\x5b\x7b\xe8\x1f\xb7\x3f", 7));
r[123] = execute_syscall(__NR_bind, r[111], 0x20000fb8ul, 0x48ul, 0,
0, 0, 0, 0, 0);
NONFAILING(*(uint32_t*)0x20001ffc = (uint32_t)0xc);
r[125] = execute_syscall(__NR_getsockname, r[111], 0x20000000ul,
0x20001ffcul, 0, 0, 0, 0, 0, 0);
NONFAILING(*(uint16_t*)0x20000000 = (uint16_t)0x27);
NONFAILING(*(uint32_t*)0x20000004 = (uint32_t)0x0);
NONFAILING(*(uint32_t*)0x20000008 = (uint32_t)0xfffffffffffffffc);
NONFAILING(*(uint32_t*)0x2000000c = (uint32_t)0x2);
NONFAILING(*(uint8_t*)0x20000010 = (uint8_t)0x800);
NONFAILING(*(uint8_t*)0x20000011 = (uint8_t)0xffff);
NONFAILING(memcpy(
(void*)0x20000012,
"\x12\x1f\x38\x58\x65\xd7\x24\x5d\x58\xf1\x56\xcd\xa1\x4f\xd7\xae"
"\xc1\x6c\xa2\x31\x4c\x9c\xde\x1d\x86\xa6\x0f\x8c\x16\xab\xfe\x19"
"\x6a\x1f\xca\xfa\x5c\x69\x1f\xfe\x0a\x4b\xc1\xab\x91\x3d\x94\xc8"
"\x5c\x07\x19\x17\x2a\x65\x6f\xe8\x97\xa4\x92\xd5\xd3\x9b\x47",
63));
NONFAILING(*(uint64_t*)0x20000058 = (uint64_t)0x4);
r[134] = execute_syscall(__NR_connect, r[111], 0x20000000ul, 0x60ul,
0, 0, 0, 0, 0, 0);
NONFAILING(memcpy((void*)0x20007000, "\x00", 1));
r[136] = execute_syscall(__NR_setsockopt, r[111], 0x1ul, 0x19ul,
0x20007000ul, 0x1ul, 0, 0, 0, 0);
}
int main()
{
int i;
for (i = 0; i < 8; i++) {
if (fork() == 0) {
setup_main_process();
int pid = do_sandbox_none(i, false);
int status = 0;
while (waitpid(pid, &status, __WALL) != pid) {
}
return 0;
}
}
sleep(1000000);
return 0;
}