net/sctp: list double add warning in sctp_endpoint_add_asoc

From: Andrey Konovalov
Date: Tue Apr 04 2017 - 09:28:31 EST


Hi,

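I got the following error reports while fuzzing the kernel with syzkaller: a list_add double-add warning in sctp_endpoint_add_asoc, followed by a KASAN use-after-free report in sctp_do_sm.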

This is on commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5).

A reproducer and .config are attached.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4033 at lib/list_debug.c:31 __list_add_valid+0xca/0x120
list_add double add: new=ffff8800681b1198, prev=ffff8800681b1198,
next=ffff880067316098.
Modules linked in:
CPU: 0 PID: 4033 Comm: a.out Not tainted 4.11.0-rc5+ #199
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x398 lib/dump_stack.c:52
__warn+0x19f/0x1e0 kernel/panic.c:549
warn_slowpath_fmt+0xe0/0x120 kernel/panic.c:564
__list_add_valid+0xca/0x120 lib/list_debug.c:29
__list_add ./include/linux/list.h:59
list_add_tail ./include/linux/list.h:92
sctp_endpoint_add_asoc+0x161/0x3e0 net/sctp/endpointola.c:220
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1293
sctp_side_effects net/sctp/sm_sideeffect.c:1175
sctp_do_sm+0x21b5/0x6a50 net/sctp/sm_sideeffect.c:1147
sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
sctp_sendmsg+0x26ec/0x3b20 net/sctp/socket.c:1954
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0xa73/0xb90 net/socket.c:1997
__sys_sendmsg+0x138/0x320 net/socket.c:2031
SYSC_sendmsg net/socket.c:2042
SyS_sendmsg+0x2d/0x50 net/socket.c:2038
entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:204
RIP: 0033:0x7f19dd797b79
RSP: 002b:00007f19da6b5d98 EFLAGS: 00000206 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f19da6b69c0 RCX: 00007f19dd797b79
RDX: 0000000000004000 RSI: 000000002047a000 RDI: 0000000000000003
RBP: 00007f19ddc63220 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007f19da6b69c0 R14: 00007f19de08e040 R15: 0000000000000003
---[ end trace 19c5e4b11b8569c4 ]---
==================================================================
BUG: KASAN: use-after-free in sctp_do_sm+0x6704/0x6a50 at addr ffff8800681b13c0
Read of size 8 by task a.out/4033
CPU: 1 PID: 4033 Comm: a.out Tainted: G W 4.11.0-rc5+ #199
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x398 lib/dump_stack.c:52
kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
print_address_description mm/kasan/report.c:202
kasan_report_error mm/kasan/report.c:291
kasan_report+0x252/0x510 mm/kasan/report.c:347
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:368
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1514
sctp_side_effects net/sctp/sm_sideeffect.c:1175
sctp_do_sm+0x6704/0x6a50 net/sctp/sm_sideeffect.c:1147
sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
sctp_sendmsg+0x26ec/0x3b20 net/sctp/socket.c:1954
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0xa73/0xb90 net/socket.c:1997
__sys_sendmsg+0x138/0x320 net/socket.c:2031
SYSC_sendmsg net/socket.c:2042
SyS_sendmsg+0x2d/0x50 net/socket.c:2038
entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:204
RIP: 0033:0x7f19dd797b79
RSP: 002b:00007f19da6b5d98 EFLAGS: 00000206 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f19da6b69c0 RCX: 00007f19dd797b79
RDX: 0000000000004000 RSI: 000000002047a000 RDI: 0000000000000003
RBP: 00007f19ddc63220 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007f19da6b69c0 R14: 00007f19de08e040 R15: 0000000000000003
Object at ffff8800681b1100, in cache kmalloc-4096 size: 4096
Allocated:
PID = 4031
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
kmalloc ./include/linux/slab.h:490
kzalloc ./include/linux/slab.h:663
sctp_association_new+0x114/0x2130 net/sctp/associola.c:304
sctp_sendmsg+0x160d/0x3b20 net/sctp/socket.c:1836
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg+0xca/0x110 net/socket.c:643
SYSC_sendto+0x660/0x810 net/socket.c:1696
SyS_sendto+0x40/0x50 net/socket.c:1664
entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:204
Freed:
PID = 4040
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
slab_free_hook mm/slub.c:1357
slab_free_freelist_hook mm/slub.c:1379
slab_free mm/slub.c:2961
kfree+0xe8/0x2b0 mm/slub.c:3882
sctp_association_destroy net/sctp/associola.c:430
sctp_association_put+0x217/0x310 net/sctp/associola.c:879
sctp_transport_destroy net/sctp/transport.c:183
sctp_transport_put+0x15f/0x1d0 net/sctp/transport.c:328
sctp_backlog_rcv+0x239/0xd50 net/sctp/input.c:356
sk_backlog_rcv ./include/net/sock.h:898
__release_sock+0x127/0x3a0 net/core/sock.c:2069
release_sock+0xa5/0x2b0 net/core/sock.c:2564
sctp_close+0x735/0x9f0 net/sctp/socket.c:1539
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
sock_release+0x8d/0x1e0 net/socket.c:597
sock_close+0x16/0x20 net/socket.c:1072
__fput+0x332/0x7f0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:245
task_work_run+0x19b/0x270 kernel/task_work.c:116
tracehook_notify_resume ./include/linux/tracehook.h:191
exit_to_usermode_loop+0x1c2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:191
syscall_return_slowpath+0x3d3/0x420 arch/x86/entry/common.c:260
entry_SYSCALL_64_fastpath+0xc0/0xc2 arch/x86/entry/entry_64.S:239
Memory state around the buggy address:
ffff8800681b1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800681b1300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8800681b1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8800681b1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800681b1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_sendto
#define __NR_sendto 44
#endif
#ifndef __NR_sendmsg
#define __NR_sendmsg 46
#endif
#ifndef __NR_listen
#define __NR_listen 50
#endif
#ifndef __NR_accept
#define __NR_accept 43
#endif

#define _GNU_SOURCE

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/capability.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/kvm.h>
#include <linux/sched.h>
#include <net/if_arp.h>

#include <assert.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Process exit statuses used by the helpers below.
 * fail() exits with kRetryStatus when errno is ENOMEM or EAGAIN and with
 * kFailStatus otherwise; exitf() always exits with kRetryStatus.
 * kErrorStatus is defined but not referenced anywhere in this listing.
 */
const int kFailStatus = 67,
          kErrorStatus = 68,
          kRetryStatus = 69;

/*
 * Terminate the whole process with the given status via the raw exit_group
 * system call. Never returns.
 */
__attribute__((noreturn)) void doexit(int status)
{
    volatile unsigned spin = 0;

    syscall(__NR_exit_group, status);
    /*
     * Only reached if the system call comes back; spinning on a volatile
     * counter keeps the noreturn promise in that case.
     */
    for (;;)
        spin++;
}

/*
 * Report a fatal error and exit.
 *
 * Prints the printf-style message followed by the errno value that was
 * current on entry, then exits with kRetryStatus when that errno is ENOMEM
 * or EAGAIN and with kFailStatus otherwise. Never returns.
 */
__attribute__((noreturn)) void fail(const char* msg, ...)
{
    /* Capture errno first: the stdio calls below may overwrite it. */
    const int saved_errno = errno;
    va_list ap;
    int exit_status;

    fflush(stdout);
    va_start(ap, msg);
    vfprintf(stderr, msg, ap);
    va_end(ap);
    fprintf(stderr, " (errno %d)\n", saved_errno);

    if (saved_errno == ENOMEM || saved_errno == EAGAIN)
        exit_status = kRetryStatus;
    else
        exit_status = kFailStatus;
    doexit(exit_status);
}

/*
 * Report an error and exit with kRetryStatus.
 *
 * Prints the printf-style message followed by the errno value that was
 * current on entry. Unlike fail(), the exit status does not depend on errno.
 * Never returns.
 */
__attribute__((noreturn)) void exitf(const char* msg, ...)
{
    /* Capture errno first: the stdio calls below may overwrite it. */
    const int saved_errno = errno;
    va_list ap;

    fflush(stdout);
    va_start(ap, msg);
    vfprintf(stderr, msg, ap);
    va_end(ap);
    fprintf(stderr, " (errno %d)\n", saved_errno);
    doexit(kRetryStatus);
}

/* Debug output switch; nothing in this listing ever sets it. */
static int flag_debug;

/*
 * printf-style debug trace to stdout, flushed immediately.
 * Does nothing unless flag_debug is non-zero.
 */
void debug(const char* msg, ...)
{
    if (flag_debug) {
        va_list ap;

        va_start(ap, msg);
        vfprintf(stdout, msg, ap);
        va_end(ap);
        fflush(stdout);
    }
}

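/* Per-thread recovery state shared by NONFAILING() and segv_handler(). */
__thread int skip_segv;    /* non-zero while the thread is inside NONFAILING() */
__thread jmp_buf segv_env; /* return point recorded by NONFAILING() */

/*
 * SIGSEGV/SIGBUS handler installed by install_segv_handler().
 *
 * If the faulting thread is inside a NONFAILING() region (skip_segv != 0)
 * and the fault address lies outside [1 MiB, 100 MiB], the fault is skipped
 * by jumping back to the point saved in segv_env. Any other fault ends the
 * process with the signal number as exit status.
 *
 * sig:  signal number being delivered
 * info: signal details; only si_addr is read
 * uctx: unused
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
    uintptr_t addr = (uintptr_t)info->si_addr;
    const uintptr_t prog_start = 1 << 20;
    const uintptr_t prog_end = 100 << 20;

    (void)uctx;
    if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
        (addr < prog_start || addr > prog_end)) {
        /* %p takes a void *; handing it the uintptr_t is a format/argument mismatch. */
        debug("SIGSEGV on %p, skipping\n", (void*)addr);
        _longjmp(segv_env, 1);
    }
    debug("SIGSEGV on %p, exiting\n", (void*)addr);
    /* doexit() is declared noreturn, so nothing is needed after this call. */
    doexit(sig);
}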

/*
 * Route SIGSEGV and SIGBUS to segv_handler().
 * SA_SIGINFO gives the handler the fault address; SA_NODEFER leaves the
 * signal unblocked while the handler runs. sigaction() results are not checked.
 */
static void install_segv_handler()
{
    static const int fault_signals[] = {SIGSEGV, SIGBUS};
    struct sigaction action;
    size_t idx;

    memset(&action, 0, sizeof(action));
    action.sa_flags = SA_NODEFER | SA_SIGINFO;
    action.sa_sigaction = segv_handler;
    for (idx = 0; idx < sizeof(fault_signals) / sizeof(fault_signals[0]); idx++)
        sigaction(fault_signals[idx], &action, NULL);
}

/*
 * NONFAILING(stmts) runs the given statement(s) with fault recovery armed for
 * the current thread: skip_segv is incremented, _setjmp() records a return
 * point in segv_env, and the statements run only on the direct (zero) return.
 * When segv_handler() jumps back here, the rest of the statements is abandoned.
 * skip_segv is decremented on both paths.
 * Expands to a brace block, so it is a statement, not an expression.
 */
#define NONFAILING(...) \
{ \
__atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST); \
if (_setjmp(segv_env) == 0) { \
__VA_ARGS__; \
} \
__atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); \
}

/*
 * Mask with the low bf_len bits set, converted to `type`.
 * The shift is done on an unsigned long long, so bf_len must be below 64.
 */
#define BITMASK_LEN(type, bf_len) (type)((1ull << (bf_len)) - 1)

/* The BITMASK_LEN mask shifted left by bf_off: bf_len set bits starting at bit bf_off. */
#define BITMASK_LEN_OFF(type, bf_off, bf_len) \
(type)(BITMASK_LEN(type, (bf_len)) << (bf_off))

/*
 * Store val into the `type` object at addr.
 * With bf_off == 0 and bf_len == 0 the whole object is overwritten; otherwise
 * only the bf_len-bit field at bit offset bf_off is replaced (read, mask, merge,
 * write back).
 * Expands to a bare if/else rather than a do { } while (0) wrapper, so it must
 * not be used as the body of an unbraced if. No call in this listing uses it.
 */
#define STORE_BY_BITMASK(type, addr, val, bf_off, bf_len) \
if ((bf_off) == 0 && (bf_len) == 0) { \
*(type*)(addr) = (type)(val); \
} else { \
type new_val = *(type*)(addr); \
new_val &= ~BITMASK_LEN_OFF(type, (bf_off), (bf_len)); \
new_val |= ((type)(val)&BITMASK_LEN(type, (bf_len))) << (bf_off); \
*(type*)(addr) = new_val; \
}

/*
 * Issue system call number nr with the first six arguments and return the
 * result of syscall() converted to uintptr_t.
 *
 * a6..a8 are accepted so every call site has the same shape, but they are
 * never passed on.
 */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
    (void)a6;
    (void)a7;
    (void)a8;
    /* No call number gets special treatment: everything goes straight to syscall(). */
    return syscall(nr, a0, a1, a2, a3, a4, a5);
}

/*
 * One-time setup of the parent process.
 *
 * Sets signals 0x20 and 0x21 to SIG_IGN through the raw rt_sigaction system
 * call, installs the SIGSEGV/SIGBUS handler, then creates a fresh
 * "./syzkaller.XXXXXX" directory, opens it up to mode 0777 and makes it the
 * working directory. Any failure of the directory steps ends the process
 * through fail().
 */
static void setup_main_process()
{
    static const int ignored_signals[] = {0x20, 0x21};
    struct sigaction ignore;
    char dir_template[] = "./syzkaller.XXXXXX";
    char* workdir;
    size_t idx;

    memset(&ignore, 0, sizeof(ignore));
    ignore.sa_handler = SIG_IGN;
    for (idx = 0; idx < sizeof(ignored_signals) / sizeof(ignored_signals[0]); idx++)
        syscall(SYS_rt_sigaction, ignored_signals[idx], &ignore, NULL, 8);
    install_segv_handler();

    workdir = mkdtemp(dir_template);
    if (workdir == NULL)
        fail("failed to mkdtemp");
    /* The scratch directory is deliberately left accessible to every user. */
    if (chmod(workdir, 0777) != 0)
        fail("failed to chmod");
    if (chdir(workdir) != 0)
        fail("failed to chdir");
}

static void loop();

/*
 * Confinement applied in the child before the recorded calls run.
 *
 * The child is killed when its parent dies, gets its own process group and
 * session, has address space, file size, stack and core size capped, and
 * unshares its mount namespace, IPC namespace and I/O context.
 * Every step is best-effort: no return value is checked.
 */
static void sandbox_common()
{
    static const struct {
        int resource;
        int limit;
    } caps[] = {
        {RLIMIT_AS, 128 << 20},
        {RLIMIT_FSIZE, 1 << 20},
        {RLIMIT_STACK, 1 << 20},
        {RLIMIT_CORE, 0},
    };
    static const int unshare_flags[] = {CLONE_NEWNS, CLONE_NEWIPC, CLONE_IO};
    struct rlimit rlim;
    size_t idx;

    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    setsid();

    for (idx = 0; idx < sizeof(caps) / sizeof(caps[0]); idx++) {
        /* Soft and hard limit are always set to the same value. */
        rlim.rlim_max = caps[idx].limit;
        rlim.rlim_cur = rlim.rlim_max;
        setrlimit(caps[idx].resource, &rlim);
    }

    for (idx = 0; idx < sizeof(unshare_flags) / sizeof(unshare_flags[0]); idx++)
        unshare(unshare_flags[idx]);
}

/*
 * Fork the child that runs the recorded calls.
 *
 * In the parent, returns whatever fork() returned (the child's pid, or -1 if
 * fork failed). The child applies sandbox_common(), runs loop() and then
 * exits with status 1; it never returns from this function.
 *
 * executor_pid and enable_tun are not used.
 */
static int do_sandbox_none(int executor_pid, bool enable_tun)
{
    int pid = fork();

    (void)executor_pid;
    (void)enable_tun;
    if (pid == 0) {
        sandbox_common();
        loop();
        doexit(1);
    }
    return pid;
}

/*
 * Result slots for the calls issued by thr(). loop() fills the array with
 * 0xff bytes (every slot reads as -1) before it starts the threads.
 */
long r[57];
/*
 * Thread body of the autogenerated reproducer.
 *
 * arg is a small integer (0..9) passed through the pointer; it selects one
 * recorded system call. Argument memory is written through NONFAILING() so a
 * fault during setup is skipped instead of killing the process. Each result
 * is stored in r[]; r[1] (the socket() result) is the descriptor that most
 * later cases pass on. Always returns 0 (a null pointer).
 *
 * NOTE(review): the names given for numeric constants below are the usual
 * Linux x86-64 values and should be confirmed against the headers of the
 * target kernel.
 */
void* thr(void* arg)
{
switch ((long)arg) {
case 0:
/*
 * mmap 0x482000 bytes at 0x20000000 with prot 0x3. Every fixed address
 * written by the later cases lies inside this range.
 */
r[0] = execute_syscall(__NR_mmap, 0x20000000ul, 0x482000ul, 0x3ul,
0x10000000000032ul, 0xfffffffffffffffful,
0x0ul, 0, 0, 0);
break;
case 1:
/*
 * socket(0x2, 0x1, 0x84): presumably AF_INET / SOCK_STREAM / IPPROTO_SCTP,
 * which matches the sctp_* frames in the report above.
 */
r[1] = execute_syscall(__NR_socket, 0x2ul, 0x1ul, 0x84ul, 0, 0, 0,
0, 0, 0);
break;
case 2:
/*
 * setsockopt(level 0x1, option 0x20) with the 4-byte value 0x849 -
 * presumably SOL_SOCKET with a send-buffer size option; confirm the option name.
 */
NONFAILING(*(uint32_t*)0x2047c000 = (uint32_t)0x849);
r[3] = execute_syscall(__NR_setsockopt, r[1], 0x1ul, 0x20ul,
0x2047c000ul, 0x4ul, 0, 0, 0, 0);
break;
case 3:
/*
 * Build a 16-byte sockaddr_in-shaped record (family 0x2, port field 0x204e,
 * address field 0x100007f, eight zero bytes) and bind the socket to it.
 * On a little-endian host those fields read as 127.0.0.1 port 20000.
 */
NONFAILING(*(uint16_t*)0x20000ff0 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20000ff2 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20000ff4 = (uint32_t)0x100007f);
NONFAILING(*(uint8_t*)0x20000ff8 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000ff9 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000ffa = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000ffb = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000ffc = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000ffd = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000ffe = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20000fff = (uint8_t)0x0);
r[15] = execute_syscall(__NR_bind, r[1], 0x20000ff0ul, 0x10ul, 0, 0,
0, 0, 0, 0);
break;
case 4:
/*
 * sendto() of 9 bytes to the same address record as case 3. The data buffer
 * and the destination address both live at 0x20477000, so the address
 * stores below overwrite the 9 bytes copied first.
 */
NONFAILING(memcpy((void*)0x20477000,
"\x90\x70\x3d\x6b\x7b\x32\x8d\x74\xcc", 9));
NONFAILING(*(uint16_t*)0x20477000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x20477002 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x20477004 = (uint32_t)0x100007f);
NONFAILING(*(uint8_t*)0x20477008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x20477009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047700a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047700b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047700c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047700d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047700e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047700f = (uint8_t)0x0);
r[28] = execute_syscall(__NR_sendto, r[1], 0x20477000ul, 0x9ul,
0x0ul, 0x20477000ul, 0x10ul, 0, 0, 0);
break;
case 5:
/*
 * sendto() of a 4096-byte fuzzer-generated buffer with flags 0x20004000 and
 * no destination address. The buffer sits at 0x2047a000, the same page that
 * case 6 reuses for its message header.
 */
NONFAILING(memcpy(
(void*)0x2047a000,
"\x99\x21\x20\x19\xd2\x15\xda\xcd\xd2\x1f\x1d\x33\x47\x26\xa6"
"\x69\xec\xbb\x9e\x5d\x62\xb0\xad\x2d\xdf\x01\x38\xd9\xd8\x60"
"\x50\xf6\xa0\xed\x17\xd9\xda\x9a\x97\x37\x00\xbd\x6b\xc9\x30"
"\x7e\xcb\x6f\xe6\xd4\xb6\x2b\x09\x0f\x7c\x0d\x63\x45\xae\x24"
"\xe4\xca\xf3\xb0\x18\x70\x1d\x03\x71\x30\x74\x62\xe1\x13\x26"
"\x8c\x6a\x09\xd6\x32\xfd\xc0\x5a\xec\x0a\x4d\xc0\xca\x1c\x37"
"\xea\x72\xc9\xff\x65\xdd\x1a\xc3\x07\xf7\x66\xa5\xb3\xe9\x17"
"\x9d\x4d\x1f\x87\x12\x53\x5b\x5f\x0b\x59\x40\xb0\x5f\x99\x13"
"\x9c\x60\x01\x29\xb8\x39\x7c\x67\xe5\x50\xa7\x36\xb6\x82\x89"
"\x60\x86\xd3\x4e\x43\x66\x31\x97\x2c\x0e\x73\x5d\xec\x9c\x9b"
"\xdd\x8d\xba\x4f\xa9\x84\x23\x7f\x51\x35\x29\xd6\x8b\x75\xef"
"\xc8\xbf\x63\x5d\xe3\x00\xf6\x05\x82\xb7\x33\xc6\xf1\x9f\x5f"
"\xc4\xdf\x25\x01\x67\xf7\x48\x33\x7f\x74\xfe\x78\x28\xf5\xfb"
"\xf2\x02\xad\xc3\x68\x6f\xd1\xac\xf1\xbb\xcb\xd1\x1b\x3a\x9b"
"\x8e\x6c\xcd\x4e\x2e\x9e\x65\x34\x92\xd6\x22\x73\x99\x64\x62"
"\x65\xe9\x1a\x0d\x05\x2f\xf7\x70\x3d\x40\x9a\xcf\xfa\x40\x4f"
"\x6a\x7e\x5b\x12\xb7\x7c\x87\xc7\xf6\x48\x00\x1b\x59\xd6\x87"
"\x7a\xe7\x4d\x77\x63\x02\x3e\xac\xa2\xc3\xe3\x7c\x35\x40\x6f"
"\xc2\x3b\xc5\x67\x9c\xf3\xb0\xc6\x56\x36\x56\x7b\xbd\x7a\x37"
"\x58\x2b\x93\xee\xf6\xa1\x90\xad\xd7\x33\x89\x4d\xec\xf5\x9c"
"\x74\x42\x35\x31\xdb\x0c\x9c\xa8\x0c\x32\x0e\x1a\x72\x8e\x4f"
"\x78\x67\x5c\xf2\xa9\x6a\xbf\x58\xdf\xce\x7b\x08\xa1\xb8\x07"
"\x35\xee\x32\xf4\xc3\x2a\xb9\x61\x3c\xfb\x28\xa3\x2b\xe9\x41"
"\xa5\xeb\xf8\x84\x20\x03\x6c\x57\x7c\x81\x18\x1e\x46\xa4\x65"
"\xea\xb3\xa5\xc4\xfb\x65\xf4\x6f\xf5\xbb\x7a\xb4\x2c\x6c\x24"
"\xb0\x7d\xa0\x37\xe9\x83\x60\xbe\x14\x91\x1c\x7d\x12\xfd\x07"
"\x3d\xdf\xc9\x29\x6f\xa4\x93\x6a\x6a\x28\x60\xaa\xd8\x57\xaf"
"\xea\xa3\x05\xd4\x2d\x83\xf1\x74\xac\x63\xe6\x7f\x25\xc8\x4c"
"\xb1\xb9\xbd\x3e\xa4\x76\xab\xc3\x1c\xfb\xd9\x27\x3c\x72\xd2"
"\x77\x75\x90\x39\x4e\xbf\xe9\x6d\x6f\xe5\x05\x04\x98\x5a\x0c"
"\x38\x6d\xbb\xf2\x0a\x7c\xb9\x28\x5d\xac\xfc\x26\xd2\xef\x1e"
"\x72\xcb\xc0\xc9\xb2\xbb\x96\x15\xc0\xed\x3f\x2e\xbe\xbd\xb8"
"\xcc\x79\xa1\x0a\x95\xc5\xf5\xcc\xa4\x5f\x8c\xf1\xf5\xf6\xa0"
"\x47\x8c\x0f\x70\xab\x09\xeb\xf7\x5c\x92\xc0\xdc\x25\x98\x0f"
"\xcf\x52\xf8\x26\xdc\x8a\xa3\x5b\x94\x63\x69\x36\x9f\xb7\xab"
"\x56\xe7\x57\x0e\x2c\x4d\xb5\x5a\xe3\x3b\x43\x8f\x78\x97\x71"
"\xe0\xe5\x9c\x6c\x92\x2a\xdc\x47\xe3\x01\x6e\x01\x54\x9d\x53"
"\x11\x24\xea\xbc\xab\x11\x6a\xbc\xfd\x1e\x8f\x03\x7c\x70\x8a"
"\xfd\x82\x42\xd0\xb9\x03\x1c\x2d\x7f\xe0\x83\x13\x2e\xaa\x50"
"\x95\xa9\x6e\x00\x75\xb2\x72\x02\x7d\xc4\xb4\x5a\xe7\xee\xd0"
"\xae\x48\x32\x65\x0f\xd5\x21\x5d\x4b\xda\x7b\x0e\x10\x03\x70"
"\xfe\x09\x5e\xd8\x33\x1f\x2b\x8a\xf0\x28\xf6\xda\xe3\xc9\xcc"
"\x74\x84\x66\x22\x8c\x7d\x25\x4b\x5b\x95\x5c\x0d\x95\x55\x4f"
"\xc4\xa4\x25\x6d\xe9\x69\x67\x67\x4f\xd0\xa5\xe9\x47\x48\x87"
"\x21\x7a\x14\xa0\x25\x78\x4d\x53\x6f\x86\x1a\x82\x99\x7e\xad"
"\x4a\x87\x24\x4d\x85\x18\xfb\xb9\xed\xfa\x4a\xdf\x60\xa7\xda"
"\x11\xd2\x99\x72\x83\xda\x76\x8f\xe9\x75\xc3\x82\xd9\xf3\xea"
"\x44\x69\x38\x1d\x28\x79\x51\xec\x0d\x08\xf5\x81\x38\x61\x64"
"\xa4\xb3\x4d\xe9\xcc\x55\x06\xa7\xdd\xba\x52\x15\xe6\x79\x8d"
"\xb8\x3f\xc5\xa9\x81\x43\x52\x13\x42\x6a\x63\x03\x53\x71\xc5"
"\xeb\xcc\x2c\x2a\x66\x3d\xa5\x72\x53\xaf\x1b\x4d\xe3\xb0\x70"
"\x46\x2b\xca\x1d\x17\x85\x60\x74\xc8\x4f\x54\x40\x93\xb7\xe2"
"\xa7\x4f\x43\x95\x43\x98\x86\xa0\x6a\xc9\x5c\xfb\x5b\xb2\x6a"
"\x1e\x2b\xaa\xce\x10\x4c\x0a\x1f\x4f\x63\x1d\x4b\xab\x14\x3b"
"\x6a\x52\x3c\xb2\x00\xd7\x07\x21\x97\xaa\x95\x11\xa0\xd3\x36"
"\xe7\x74\x76\x85\xbd\x4f\x1f\x10\xfb\x85\xca\x03\x4d\x87\x74"
"\xb9\xb1\x25\xcc\x7c\x82\x1f\x24\x81\x78\x40\x37\x5c\x0b\xdb"
"\x25\xf2\x51\xb0\x03\x45\x87\xef\x99\xbf\x79\xe1\xc6\xf2\x07"
"\x89\xb2\xb3\x2b\x7e\x72\xd5\xd1\x10\xe6\xc4\xe8\xcd\x2c\xd5"
"\x67\x3a\xc7\x7a\xc6\xd9\x10\x8b\x4a\xbf\x78\xe6\xc9\x87\x87"
"\xbb\xfc\x56\xc1\x71\x5b\xbe\x01\xbf\x5a\x7c\x36\xa1\xf9\xb5"
"\xa1\x87\x5e\xde\x17\xb4\xbc\x61\xd1\xc3\x5a\xf8\x3a\x65\x41"
"\x26\x16\x02\x2a\x1b\xcc\xa7\x5a\x67\x80\x47\x32\xb1\xd4\xe4"
"\xd5\x79\xd6\xee\xb3\x0e\x8e\x2b\x04\xf4\x3e\x0e\xfe\xb7\x37"
"\xdd\x28\xf2\x30\x18\x3e\xd7\x6d\x8d\x1b\x53\xe4\xda\xb7\xf1"
"\xcf\xaf\x65\xf8\x96\xa5\x42\xd8\xf7\xf2\x23\xf6\x8c\x55\x40"
"\x4d\xf2\x81\x21\xc6\x4a\xf0\x09\x34\xcf\xd0\x4c\x5f\xe6\x80"
"\x50\xa2\xee\x63\x18\x1c\x59\x6b\xe7\x58\xe8\x6f\xed\x54\x78"
"\x00\xd4\xab\x6b\xf1\xf4\x77\x17\xf7\x63\xb1\xf7\x25\xc7\x11"
"\x00\xac\x4a\x6d\x68\x3c\xf0\x8f\xfa\xf0\xae\x17\x0e\x3e\xae"
"\x02\x9c\xe7\xab\xe8\x9d\xa1\x7c\x05\x42\x93\x75\x45\x15\x24"
"\xb8\x5e\x67\x45\xfe\x99\xed\x83\x18\xca\xe8\x02\x1f\xb4\x60"
"\x6c\x01\x7b\x99\x11\xfa\x6b\xcd\x50\xa9\x2b\x2c\x6f\x8a\xdd"
"\x44\x32\xc3\xd8\x69\x6c\x26\x05\xdb\x2e\x81\xa6\x8e\xb5\xfa"
"\xa9\x1a\x34\x95\xd6\xbe\xdb\x4b\xd5\x17\x4a\x5e\x02\xe3\x92"
"\xf1\x6e\x44\x5b\x92\x09\x5c\x59\x2d\xdf\xfe\xc6\x0c\x2e\x3c"
"\xaa\x2e\x4a\x18\x2b\x4b\x9d\x5e\x57\x72\x3d\xa3\x11\xa1\x2f"
"\xb0\x2d\x43\x69\x8f\x65\xce\xd8\xfd\xfb\x48\xf5\xd0\xe3\xa2"
"\xc7\xa5\x17\xbe\x78\xc6\x4c\x6e\xdd\x00\xd1\x79\x5e\x99\x64"
"\x21\xd9\x38\xb5\xb5\x08\x2f\xac\x5d\x2b\x62\x46\x76\xcc\xfa"
"\xb8\x2a\xf6\x81\xfe\xf1\xfb\xc9\x15\xd9\xc0\x76\x55\x68\x8f"
"\xfd\xae\x5f\xe3\x8a\xda\x5f\xb2\x17\xec\x03\x37\x13\x69\x99"
"\xee\xdf\x2d\xb8\x0b\xbc\xfc\x8d\xc3\x3e\x90\x19\x99\x78\x30"
"\x36\x4d\x4e\xdc\x45\xba\x48\x5a\x4a\x68\x46\xe0\x5c\x8b\x5e"
"\xdc\x26\xe6\x37\x39\xc9\xa8\xe8\xc4\x04\xaa\x59\x48\x1e\x9f"
"\xcf\x6d\x9a\xd3\x3b\x6c\x11\x63\xa4\x7e\xb9\x6c\x71\xe3\x28"
"\xdb\x4f\xc2\xdf\x35\x52\x45\x02\xc6\x10\x8a\x7a\x3d\x27\x87"
"\x0e\x3c\xd4\x82\x85\x3d\x58\xac\xa6\x28\xac\x22\x69\xff\x04"
"\x1b\x46\xa3\x84\xd5\x48\x10\x8c\x51\xee\x65\xd2\x97\x99\x1c"
"\x22\xd0\x76\xce\x44\xe0\xd2\xb7\xd9\xb3\x2c\x99\x0e\x3b\x15"
"\x61\x1e\xc4\x70\x55\xec\x5e\xfc\xc6\x97\xf7\xb7\xe6\xd1\x9f"
"\xc3\x39\xf9\x92\x16\x73\x48\xaf\x98\xf0\x22\xf2\xb3\xe1\x1a"
"\x57\x05\x4f\xea\xad\xeb\x77\x7d\x0e\x1f\xe0\x19\xaf\xd0\xff"
"\x6d\xad\xef\xec\xca\xf7\xc5\xb0\x34\x06\x28\x3d\x2c\x08\xe5"
"\x5c\x92\x59\xf5\xda\x5f\x54\x96\x9e\xd9\x10\x58\x49\x45\xc4"
"\xa9\x4b\xc4\xc2\xcd\x16\x9f\x77\xd9\x44\x5e\xbb\x4a\x67\x06"
"\xcb\x68\x6c\xca\xf2\x9e\x33\x31\x77\x72\x3a\x5a\x83\xf0\x9d"
"\xe0\x11\xa5\x58\x36\x43\x90\xdb\xfb\x81\x5d\x61\x70\xea\x36"
"\x10\x8c\x74\x9a\xf0\xe9\x88\x88\xa4\xaf\xf5\x93\x4b\x95\x48"
"\x65\x4f\x54\xe5\x7b\x8b\xb9\xf2\x15\x26\x2c\xde\xc5\x14\xc3"
"\x5e\x28\x11\xd4\xa9\xb5\x40\xc6\xb8\x52\x4f\x34\x99\x4e\x1b"
"\x59\xd3\xad\x6d\xef\x47\x91\xe7\x41\xa6\x39\x61\x1c\x03\x42"
"\x2e\x4f\xb9\xd4\x60\x4c\x78\x5f\xe0\xab\x13\xe0\xd1\x51\xb4"
"\xaf\x9e\xe7\x01\x1e\x6f\xb7\x11\xe6\xe8\x51\x58\x8c\x47\x97"
"\x75\xd8\x67\xe9\x4d\x7a\x16\x12\x7a\x38\x32\xdf\x4f\x61\xe8"
"\xcb\x43\xda\xf3\x17\x8c\x74\x54\xed\xbe\xa5\x3d\xce\xef\xfb"
"\x61\xf2\x28\x12\xd3\xf9\xc5\x22\x3a\x91\xad\x18\x39\x56\xdb"
"\xcc\x69\xed\x6f\x30\x5c\x4e\x94\x82\xc0\x1a\xf2\xcf\x86\x05"
"\xf5\x93\xfd\xd0\x0c\x19\xe8\x56\xc0\x0a\x67\xb7\x8b\x6e\xce"
"\xde\x35\x51\xbb\x5f\xc0\xa3\x17\x20\x92\x1d\x00\x2d\x13\x82"
"\xad\xd1\xc8\x6e\x13\x8d\x98\xaf\x88\x5e\x29\xf6\xbc\x82\x95"
"\xb5\x12\x92\xe3\xf2\x04\x10\x83\x55\x2c\xf6\x33\xa0\x15\xc0"
"\x44\xd3\xce\x5e\xb1\x0d\x56\x46\x61\xd0\x2f\xaf\xd4\x7b\x25"
"\x99\xee\xef\xd5\xbb\x4f\xa0\x11\x49\x63\x4f\x42\xb1\x84\xc0"
"\x25\x95\x87\x72\xf7\x22\xc5\x9c\xb8\x67\xc7\x4e\x30\x16\xa5"
"\x58\x08\xe7\x3e\x14\x88\xea\x27\xb2\xd5\x36\x8d\x8a\xb9\xbb"
"\x9d\xca\x35\xd6\x99\xa2\xd6\x9a\x17\xd3\xa1\xcf\xfa\x92\xf2"
"\xa3\x07\x86\x09\x61\xf6\x14\x2c\xb9\xfc\x5b\xa5\x8c\xfb\xb6"
"\xc3\x0f\x0b\x53\xf8\xf5\x76\x70\x5a\x57\x85\x31\x19\x9b\xa2"
"\x77\x4f\xec\xd2\x31\x46\xd1\x10\x21\xca\x9c\xf7\xae\x68\x0e"
"\x7a\x2e\xa5\x74\xc5\x86\xcf\x19\x76\x6f\xe1\xdf\x9d\x0e\xa9"
"\xe7\x2b\x74\x26\xf4\x50\x91\x1b\x1d\x16\xf4\x71\xc2\xb0\x0a"
"\xa4\x33\x9b\xad\xec\xd0\x82\x3b\x59\x44\xcb\x86\xf4\x2f\x6c"
"\x13\x9f\x78\xe5\xdc\x53\x23\x4d\xda\xc2\x31\x32\x78\xed\x97"
"\x18\x57\x41\x41\x4e\xb3\x70\xaf\x1f\xac\x59\x73\x5a\x56\x00"
"\xfd\x5b\x86\x26\xb2\x0c\x0e\xff\xca\xe9\x68\xbe\x2d\x2b\x55"
"\x74\x05\xbf\x62\x04\xe1\xf9\xe7\x68\xaa\x35\xf5\x5d\xad\xba"
"\x51\x7f\x58\x58\x73\x78\x42\x6e\xfc\x78\x99\xa6\xd0\x76\xac"
"\xd4\x3c\x2f\xd0\x3b\xc8\x72\x2f\xd3\x3c\x34\x5d\xa7\x39\x82"
"\x0e\x71\xfb\x87\xaa\x2c\xff\x15\xd5\x87\x51\x9a\x0d\xc8\xea"
"\x79\xc9\xed\xde\xe1\x09\x74\x12\x2c\x1a\xb6\xb7\xbc\x8e\xac"
"\x9a\x13\x1d\x50\xd5\xc1\x75\x7e\x89\x99\xa4\x60\xd7\x98\xf2"
"\x49\x75\xe3\x18\x49\x69\x8c\x4e\x27\x14\x87\x66\x53\x3e\xcc"
"\x3f\x36\x86\x72\xb8\xb8\x3d\x82\x35\xd9\x14\x7d\xcc\xfc\x3e"
"\xbf\xc0\xe3\xdb\xf6\x3d\xbb\xf5\x35\x30\x90\xf1\x33\xf6\x65"
"\x98\x6c\x02\xfb\x50\xcb\xcd\x0a\x41\xd9\xee\x87\x13\xfb\x1c"
"\x65\x3f\x15\x7e\x59\x72\x5a\xc4\x5d\xe3\x3a\x4d\xf6\xb8\x62"
"\x91\x0e\xdd\xd2\xd2\xdd\x6f\x11\x58\x76\x69\x58\x0e\x2c\xd2"
"\xa9\xea\x6b\xdb\x9f\x90\xab\xd5\x12\x43\xb3\x67\x58\x6a\x67"
"\x41\xbd\x9f\x7b\x76\x09\x6e\x59\x9f\xe6\x00\x99\xa2\xad\x63"
"\xd8\xd7\x37\x83\xf9\xb0\x71\x4a\xf9\x94\x10\x02\xf9\x0b\x4c"
"\xac\x81\xbb\x47\x39\xc7\x00\x35\x26\xd0\xba\xc9\x0a\xc2\x19"
"\xba\x94\xd1\x7a\x73\x44\x84\x7c\x03\x29\x84\x80\xf8\xd2\xd3"
"\x3b\x02\x14\xdd\x2d\xd7\xda\x61\xaa\xf6\x01\xe8\x58\x1f\xcf"
"\x14\x14\xa7\xcc\x92\x06\xf9\x7a\xba\x60\xd1\xb5\x25\x4c\x08"
"\xd7\xe5\xed\x30\xcf\xba\x41\x3e\xbc\x1c\x62\x14\x05\x0d\xfb"
"\xbe\x34\x52\x11\x0a\x1e\xcb\x9c\xbb\x9a\x41\xa7\x35\xfa\x80"
"\xe1\xca\x30\x26\xaa\x52\x63\x76\x96\xed\x85\x06\xe4\x9f\x2f"
"\x90\x89\x04\x6b\x98\x74\xe4\xd6\x9d\x72\xe3\x38\x34\x9e\x0d"
"\x7d\x98\x14\x52\x9e\x8c\x1f\xb3\xf6\xc6\x3a\xe9\x59\x47\x77"
"\xf7\x2b\x0f\x49\xa3\xf6\x9a\xf7\x3a\x55\xbd\x3b\xa1\x1f\x16"
"\xdb\x9d\xf5\x36\xf2\x09\x07\x6d\xcb\xd0\x65\x28\xde\x24\x00"
"\x22\x29\x34\xf2\x60\xf9\x9c\x3a\x10\x89\x54\xe6\x3d\xe7\x38"
"\x94\xc6\x95\x48\x40\x7e\x21\xea\xba\xbd\xe0\xfd\x28\x8e\x99"
"\x5d\x5e\x6b\xa8\xf1\x99\x3f\x7f\x08\xe2\x36\x55\x06\x00\xea"
"\xae\x1f\x29\xdf\x3e\xf4\x78\x2b\xe5\x57\x50\x6c\xff\x53\x7f"
"\xc1\x01\x09\x37\x75\x25\x97\x3d\x5a\xe0\xac\xab\xe6\x8a\x01"
"\x70\x3d\x08\x10\xb8\x32\x6d\x19\x11\xf4\x63\x00\xdc\x15\xc5"
"\x5b\xaa\xbf\x7d\x63\x32\x3a\xbc\xbf\x7d\x9e\xf2\x89\x87\x73"
"\x54\x63\xd1\xdd\x9b\x57\xea\xb1\x16\xec\x08\x57\x17\x8c\xd9"
"\x2c\x8d\xb5\xb1\x42\x3a\x88\xee\x73\x29\xf1\xc8\xaf\x54\x99"
"\x6f\x42\xb5\x1a\x9f\x22\x87\x14\x02\x4e\x87\x9e\x46\x93\x04"
"\x76\x36\xc4\x85\xd7\x57\xd6\x36\x3a\x95\x28\xa6\x31\x54\xf1"
"\x7e\x90\xd3\x5e\xd9\x1c\x9d\xe2\x5a\xba\x23\x98\x70\x85\x61"
"\xdf\xd0\x2c\xf0\xac\x3f\xa9\x23\x75\x0d\xde\x09\x4e\xb2\x56"
"\x54\xa6\xda\x55\x25\x86\x27\xa8\xae\xe9\x9c\x48\xf9\x94\x06"
"\xae\x88\x97\x4e\xb7\x30\xc1\x0d\x79\xa3\x38\xa2\x54\xdc\x1f"
"\x9c\x49\x42\x72\xf5\xc1\x0d\xf0\x0c\x78\x0c\x69\x3f\x7c\x57"
"\x56\xc0\x11\x9d\xfb\x86\xf6\x77\x32\xca\xc7\x76\x1e\x2f\x6a"
"\x75\x5b\x4a\x38\x44\x2f\xb9\x01\x7a\x03\xf5\x75\xfd\x64\x3e"
"\xb4\xac\x51\xbc\x36\xfd\xdd\xda\xc2\x89\x19\xf2\x93\xc8\xf8"
"\x69\x02\xee\x4b\x82\x23\xf4\xdb\x91\x3f\x3b\x90\x7f\x55\x7c"
"\xb1\x28\x3d\xbd\x35\x04\x9a\x3a\x0e\x22\x97\x52\x4b\xc3\xa3"
"\x2d\x14\x71\x14\x72\x68\xab\x7e\x2a\xfe\x9d\x9e\x0f\x8e\xee"
"\x35\x2d\x94\x3e\xcd\x05\x75\x34\xe5\x7a\x18\x50\x1e\x68\xa1"
"\x1b\xba\x92\x62\x70\xfe\x76\x50\x9e\x70\x15\x61\xc0\x31\x0b"
"\x1e\xee\xb4\xe3\xbd\xbb\x99\xc9\x72\x4f\x3b\x19\xf0\xf8\xb6"
"\xe7\x6a\xae\xa1\x59\x8a\x40\x2c\x65\xc8\x83\xe9\xc9\x77\x69"
"\x6f\x02\x43\x84\x9b\xe1\x84\xec\x24\xf4\xca\x12\xb9\x9c\x9e"
"\xc2\x98\x4d\xd6\x9a\x1f\x81\xe0\xe0\x27\x8f\x79\x58\xf5\xf8"
"\xe6\x79\x05\x0f\xd8\x72\xe9\xaf\x2f\x0e\xb9\x33\x45\x9a\xf1"
"\x2b\xe9\x01\x81\x8a\xdf\xaa\x85\x9d\x59\x2a\x93\x81\x23\xce"
"\x96\x56\x1b\xa8\xda\xee\x0a\x66\xd4\x7b\x9d\xe9\x52\x62\x86"
"\x51\xdc\xda\xd4\x9f\xac\x29\x61\x88\x3b\x86\xdb\xc1\x76\xa9"
"\xa4\x8a\x08\x97\xe1\xb7\x1e\xcb\x44\x68\xd9\x0b\xaa\x32\x1d"
"\x0e\x3d\xf1\x51\x6e\x8e\x7b\xcd\xa6\xfa\x21\xdb\x33\x4e\xa7"
"\xfb\x99\xb9\x6a\xc6\x1f\x98\xba\xba\x48\x89\x3d\xe8\x93\x12"
"\xd9\xca\xac\x1c\x91\x44\xb9\x25\xfa\xe9\x27\x24\x55\x58\xec"
"\x93\x52\xc3\xbb\x90\xf1\xec\xc6\x86\xe1\x45\x5b\xfe\xfe\xc8"
"\x30\x3b\xdb\xa2\x36\x8d\x58\xff\xbc\x08\x2e\x30\xcb\x5a\x44"
"\x75\x1c\xb6\x9a\x81\x85\x35\x2d\x2f\xaa\x84\xb1\x19\x32\x49"
"\x86\x19\x60\x69\xb6\x91\x2a\x4e\x05\xa1\xb4\x1d\x08\xa5\x0c"
"\xdb\x5f\x53\x5e\x0c\xb9\x3e\xef\x2e\xa9\x27\x46\x74\xb4\x8b"
"\x2f\xf1\xf5\x02\xf8\x79\x9a\x05\xc4\x0b\x99\xdf\xee\x36\x4b"
"\x7b\xee\xeb\x1b\x17\x42\x7c\x1b\x1a\x05\x71\x63\xe8\x7a\x98"
"\xf8\xdb\xed\x3d\x71\xae\x8b\x07\xa9\x6a\x0c\xa4\xbd\xfb\x14"
"\xaf\xcf\xba\xdc\x02\x96\x04\x5c\xe3\x8d\x24\x99\x19\x61\x4f"
"\x14\x7d\x4a\x6d\x7e\xd7\xd8\x0a\x5d\x8a\xf1\x98\x59\xfd\x93"
"\x69\xea\x5b\xe7\x56\x1b\xd5\x34\x1d\xa9\x2c\x92\x40\xf3\xf0"
"\x05\x17\x8f\x1d\x73\x88\xf4\xde\x42\x7c\x63\x39\xb0\x15\x45"
"\x98\x10\xd6\xee\x6d\xa7\x82\x06\x7b\xc0\x18\x17\xb5\x25\xd7"
"\xc5\x8c\x78\x1a\x8b\x2e\x6e\x0e\xee\xde\x7b\x28\x5e\x0e\xf0"
"\xc3\xc5\x31\x43\xd1\x9b\x9c\x57\xed\xe3\x51\x1b\xc0\xb0\x42"
"\xe4\xc7\x45\xb5\x6f\x45\x42\xed\x1f\x4e\x2b\x7f\x16\xbe\xbe"
"\x8d\x08\xcb\x94\x09\x3f\xcc\xa5\xef\xc5\xab\x66\x88\x33\x60"
"\x5e\xa0\xf1\xe3\x19\x5e\x73\xe5\xea\x93\x7b\x1f\x70\x4f\xcd"
"\x04\x41\x88\xdc\x4b\x57\xc1\x3e\x7a\x83\x15\x3d\x12\x07\x68"
"\x77\xa1\x01\xd3\x8f\xb8\xc1\xd2\xd7\x9b\x72\xb2\xc9\x3b\x20"
"\xd7\xd3\x50\xdf\x5c\x32\xf2\xd8\x45\x46\xcb\x2b\x30\x7b\x29"
"\x4b\xfc\x10\xfc\x37\x90\xd4\x2c\xec\x75\x87\x4a\xd0\x6d\x1f"
"\x82\xa8\x01\x50\x5d\xb8\x9c\xc0\x65\x8f\xac\x64\xa6\x04\x20"
"\x36\x3e\xa5\x21\x85\xbe\xfb\x62\x7b\x89\x50\x47\x2f\x8d\xbb"
"\x80\x75\x86\x0b\x6e\x41\x98\xc9\x6a\xba\xd8\x50\x09\x0c\x9e"
"\xf7\x9d\x30\x4a\x27\xb0\xe0\x9e\xc2\xfd\x1c\x1c\xd2\xb7\x22"
"\xe8\xfa\xb1\x4e\xdf\x49\xca\x37\xc4\x98\x9a\xb0\x93\x99\xce"
"\xff\xdb\x68\x64\x9b\xb3\x0e\x9a\x92\x6a\x6d\xce\x88\x67\xe9"
"\xf8\x6d\xa8\xcb\xab\x8c\xf2\x75\x09\x89\x17\xdb\x64\xc6\x5c"
"\xb3\x43\x2c\x1e\x07\x88\xd4\x5b\xf3\xa2\x80\x9b\x06\xa3\x65"
"\x16\xde\xc8\x81\xd9\x4d\x58\xdc\xaa\xc5\x8b\x17\xa1\x9c\x03"
"\xd9\x1a\xa1\xd7\x46\x14\xb9\x4d\xc6\xbb\xe4\x89\xfe\xfd\x08"
"\x3f\x35\x7f\x3d\x1e\x27\x3b\xb7\x15\xa1\x66\xc6\x56\x3b\xcb"
"\xef\xbe\xfc\x18\x0d\xe0\xa6\x9a\x2f\x44\x6f\xa9\x2d\xd6\x05"
"\xb4\x18\xe9\x20\x8a\xee\x62\x9f\x95\xe7\x4e\xca\xb4\xb5\xcd"
"\x5c\xae\xfd\x48\xf2\x54\x69\x6b\x3a\x4e\xba\x8a\x40\xa4\x80"
"\xf9\x8a\x53\xdf\x02\xff\x86\xf0\xe2\xc9\xd6\x5b\x3b\x34\x09"
"\x57\x6f\x42\x83\x4c\x33\xf0\x9d\xf6\xb3\x23\x46\x29\xed\x80"
"\x70\x35\x41\xb3\x06\x9e\x86\x58\xcb\xac\x43\x0b\x65\x64\xe5"
"\xeb\xc3\xb2\x89\xe5\xa3\x0f\x11\x5b\x80\x48\x7e\xba\x40\x6f"
"\xcb\x57\x47\xa7\xfe\x59\x3c\xf0\x0b\x60\x7c\xf5\x81\x98\x2b"
"\x2d\xe6\x66\x92\x3c\xa3\xe9\xb6\xf9\xd6\x04\xb1\x17\xa9\x47"
"\xec\x96\xe9\xb0\x41\xe1\x4f\xe3\x5d\x4e\x63\xec\x3f\x0e\x7d"
"\x38\xb7\x22\xa9\xb6\x63\x94\xad\xc9\x41\x08\x78\x8e\x47\x6b"
"\xd8\x59\xd7\x05\x02\x57\x5a\xba\xa8\x1e\x96\xd1\x51\xd8\xa0"
"\xc1\x43\xf5\x45\x4f\x1c\xef\xca\xa5\x04\x9d\x8a\xe4\x07\xd3"
"\x4d\x73\x83\xd7\x5c\xdf\x17\x26\x7b\xde\x90\x21\xcc\x94\xf6"
"\x7f\xcb\xcd\x17\x2b\xa7\xb7\x00\x63\xc1\x98\x64\x51\x0c\xa3"
"\xb0\x0e\x71\xba\x9b\xc4\x96\x89\x1c\x12\xb8\xac\x5c\x8f\x73"
"\x84\x2a\x28\x73\x33\x03\x27\x5a\x92\x04\xbb\x45\x93\xbd\x94"
"\x5b\x87\xfa\xd8\x8e\x7d\xd0\x88\x11\x97\x9f\x6b\xbc\x3b\xfb"
"\x74\xe4\xf8\x82\xff\xf0\x09\x12\xf7\x35\xb8\xa2\xcd\x64\x87"
"\x70\x53\x68\xed\xc9\xfe\x66\x23\xfe\x38\x8e\x03\x8f\xd1\xd1"
"\x30\x75\xe5\x73\x63\x23\x20\xb7\xe0\xe1\x85\xc6\x7c\x29\x98"
"\x2f\x83\xfc\x21\xe9\x61\xcf\xc6\xc5\xb7\x33\xb3\x64\x72\xb2"
"\x28\x18\x5a\x73\x30\xf2\xc5\x30\xfb\x36\x52\x66\xf9\x66\x33"
"\x48\x3c\xac\xef\x4b\x00\x72\x93\xa7\x51\xec\xd5\xeb\x0f\xb1"
"\x55\x29\x90\x51\x4c\xe5\xe9\x44\x44\x00\xf4\x75\xdf\xbc\x64"
"\xa5\xd3\xeb\xeb\xc7\x96\x74\x02\x9b\xc5\xcd\x56\xb8\x3d\x34"
"\xfb\x1c\x40\x6b\xf8\x6d\xfa\xb4\x45\xeb\x89\x89\x8f\xc6\x83"
"\xee\x44\xba\x9e\x60\x24\xd0\x19\xb5\xa0\xc2\xba\x81\x56\xc5"
"\x85\x54\x48\x63\xe8\x9d\xd2\x02\x60\xa4\xaa\x01\xd1\xdc\xa4"
"\x7a\xbc\xf2\x22\x2a\x44\x25\x85\xff\x5b\x0b\x05\xd7\x33\x92"
"\xb7\x68\x4c\x26\xea\xfa\x65\x86\x5a\x94\xec\x2a\xc2\x98\xec"
"\x5f\x91\x24\x94\xa3\x11\x93\xdc\x55\x9e\x31\xe9\x1f\x29\xea"
"\x37\x4e\xcf\xcf\xd5\xda\xb6\x23\x44\xe8\x4b\x8a\x72\x78\x03"
"\x13\x09\xc0\xcd\xe0\x29\xdd\x83\xbf\x48\xd7\xfb\x5b\x83\xe4"
"\x21\x28\x0e\x35\xbd\xc1\x41\x33\xde\x8f\xbf\x2e\xb7\xca\xe0"
"\x25\x28\x01\x29\x10\x62\xc2\x87\xea\x79\x53\xbc\x24\x92\xe0"
"\xc6\xc5\x13\x4f\x49\xbe\xde\xb3\x33\x35\x31\xfe\xbd\x8c\xfd"
"\xc0\x07\x08\x0b\x59\x0c\x53\xdf\xdc\x2e\xa4\xd8\x86\xe6\xe0"
"\x3a\x97\x5c\x47\x17\x82\x77\x3d\x3d\xc2\x8f\x27\xf6\x3e\x14"
"\x43\xe4\x7d\xb8\x81\xf9\x2a\x28\x97\x4f\x04\xe3\xde\x6e\x6b"
"\x7a\x13\x19\xef\x6e\x96\x3e\x1f\xb1\xc1\x48\x08\x16\xf8\x01"
"\x28\xaa\xa3\xf2\x6a\x82\xf4\x00\x18\x5b\xb4\x31\x40\x4f\x75"
"\x81\xf7\x00\x1f\xdd\x45\x1f\xa9\x94\xe7\x8c\x36\x55\x5e\xe0"
"\x1a\x0a\x1e\x2f\x13\x90\x6c\xc1\x21\xc8\xe2\x9e\xc5\x53\x46"
"\x9a\x06\x0b\x57\x57\x75\x74\x50\xdd\x3d\x37\x91\x1e\x79\x26"
"\x86\x79\xa7\x34\x6e\xa7\x1e\xd0\x5a\x12\xcc\xbb\x3e\x49\x13"
"\x4d\x02\x09\x90\xba\xad\x49\xd3\x61\x85\x8b\x46\x48\xba\x13"
"\x2d\x5c\xed\xf9\x76\x32\x92\xf5\x9b\x6c\x2d\xfe\xb4\x47\xf6"
"\xe2\x93\x0e\xac\xea\xe4\x52\x17\xe0\xcc\x18\x97\x38\xd6\xe0"
"\xbc\x6f\xf0\x11\xa9\xcd\xdc\x8f\xa7\x7c\x8d\x96\x80\x81\xcd"
"\x7d\x77\x4e\x24\x8e\xdd\x4c\x0d\x91\xd8\xcc\xfb\x4c\xdf\x38"
"\x3c\xba\x0c\x8c\x97\x07\x38\xb9\x83\xb4\x89\xc2\x9f\x31\xb6"
"\x04",
4096));
r[30] = execute_syscall(__NR_sendto, r[1], 0x2047a000ul, 0x1000ul,
0x20004000ul, 0x0ul, 0x0ul, 0, 0, 0);
break;
case 6:
/*
 * sendmsg() with flags 0x4000 and a msghdr-shaped record at 0x2047a000.
 * The record first gets name pointer 0x2047a000, name length 0x10, one
 * iovec at 0x2047afe0 and zeroed control fields; the address stores that
 * follow land on the same first 16 bytes and therefore overwrite the name
 * pointer and name length written just before. The single iovec points at
 * 34 bytes of fuzzer-generated data at 0x2032cfbc.
 * Per the report above, the list_add warning is raised on the sendmsg path.
 */
NONFAILING(*(uint64_t*)0x2047a000 = (uint64_t)0x2047a000);
NONFAILING(*(uint32_t*)0x2047a008 = (uint32_t)0x10);
NONFAILING(*(uint64_t*)0x2047a010 = (uint64_t)0x2047afe0);
NONFAILING(*(uint64_t*)0x2047a018 = (uint64_t)0x1);
NONFAILING(*(uint64_t*)0x2047a020 = (uint64_t)0x0);
NONFAILING(*(uint64_t*)0x2047a028 = (uint64_t)0x0);
NONFAILING(*(uint32_t*)0x2047a030 = (uint32_t)0x0);
NONFAILING(*(uint16_t*)0x2047a000 = (uint16_t)0x2);
NONFAILING(*(uint16_t*)0x2047a002 = (uint16_t)0x204e);
NONFAILING(*(uint32_t*)0x2047a004 = (uint32_t)0x0);
NONFAILING(*(uint8_t*)0x2047a008 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a009 = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a00a = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a00b = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a00c = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a00d = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a00e = (uint8_t)0x0);
NONFAILING(*(uint8_t*)0x2047a00f = (uint8_t)0x0);
NONFAILING(*(uint64_t*)0x2047afe0 = (uint64_t)0x2032cfbc);
NONFAILING(*(uint64_t*)0x2047afe8 = (uint64_t)0x22);
NONFAILING(memcpy((void*)0x2032cfbc,
"\x9a\xc5\x2b\x7d\x1d\x37\x65\xf9\x4f\x3e\x01\xdc"
"\xc0\xe6\xe4\x65\xb6\xbf\xb4\x81\x7f\x29\xbd\xa2"
"\x56\xe9\x8c\x42\x23\xdb\x73\xb8\x80\xe1",
34));
r[52] = execute_syscall(__NR_sendmsg, r[1], 0x2047a000ul, 0x4000ul,
0, 0, 0, 0, 0, 0);
break;
case 7:
/*
 * Second mmap: 0x800000 bytes at 0x201ff000, prot 0x5, flags 0x32, with the
 * socket descriptor passed as fd. The range overlaps the mapping from case 0.
 */
r[53] = execute_syscall(__NR_mmap, 0x201ff000ul, 0x800000ul, 0x5ul,
0x32ul, r[1], 0x0ul, 0, 0, 0);
break;
case 8:
/* listen() on the socket with backlog 0x7fff. */
r[54] = execute_syscall(__NR_listen, r[1], 0x7ffful, 0, 0, 0, 0, 0,
0, 0);
break;
case 9:
/* accept() with the address-length word at 0x2047b000 preset to 0. */
NONFAILING(*(uint32_t*)0x2047b000 = (uint32_t)0x0);
r[56] = execute_syscall(__NR_accept, r[1], 0x203acffful,
0x2047b000ul, 0, 0, 0, 0, 0, 0);
break;
}
return 0;
}

/*
 * Run the ten recorded calls, one thread each.
 *
 * r[] is reset to all-ones bytes first. Threads are started 10 ms apart with
 * their index as argument and are never joined, so a call may still be in
 * flight when the next one starts; the function returns 100 ms after the
 * last thread was created.
 */
void loop()
{
    pthread_t th[20];
    long idx = 0;

    memset(r, -1, sizeof(r));
    srand(getpid());
    while (idx < 10) {
        pthread_create(&th[idx], 0, thr, (void*)idx);
        usleep(10000);
        idx++;
    }
    usleep(100000);
}

/*
 * Entry point: prepare the parent process, fork the sandboxed child that
 * runs the recorded calls, and wait until that child has been reaped.
 * Always returns 0; the child's exit status is collected but not inspected.
 */
int main()
{
    int status = 0;
    int pid;

    setup_main_process();
    pid = do_sandbox_none(0, false);
    for (;;) {
        /* Keep waiting until waitpid() reports exactly this pid. */
        if (waitpid(pid, &status, __WALL) == pid)
            break;
    }
    return 0;
}

Attachment: .config
Description: Binary data