  1. #define _GNU_SOURCE
  2.  
  3. #include <endian.h>
  4. #include <errno.h>
  5. #include <fcntl.h>
  6. #include <setjmp.h>
  7. #include <stdbool.h>
  8. #include <stddef.h>
  9. #include <stdint.h>
  10. #include <stdio.h>
  11. #include <stdlib.h>
  12. #include <string.h>
  13. #include <sys/ioctl.h>
  14. #include <sys/mman.h>
  15. #include <sys/mount.h>
  16. #include <sys/stat.h>
  17. #include <sys/syscall.h>
  18. #include <sys/types.h>
  19. #include <unistd.h>
  20.  
  21. #include <linux/loop.h>
  22.  
  23. #ifndef __NR_memfd_create
  24. #define __NR_memfd_create 319
  25. #endif
  26.  
  /* Selects the loop device: syz_mount_image() formats it into "/dev/loop%llu".
   * Nothing in the visible part of this file assigns it, so it keeps its zero
   * initial value there. */
  static unsigned long long procid = 0;
  28.  
  29. //% This code is derived from puff.{c,h}, found in the zlib development. The
  30. //% original files come with the following copyright notice:
  31.  
  32. //% Copyright (C) 2002-2013 Mark Adler, all rights reserved
  33. //% version 2.3, 21 Jan 2013
  34. //% This software is provided 'as-is', without any express or implied
  35. //% warranty. In no event will the author be held liable for any damages
  36. //% arising from the use of this software.
  37. //% Permission is granted to anyone to use this software for any purpose,
  38. //% including commercial applications, and to alter it and redistribute it
  39. //% freely, subject to the following restrictions:
  40. //% 1. The origin of this software must not be misrepresented; you must not
  41. //% claim that you wrote the original software. If you use this software
  42. //% in a product, an acknowledgment in the product documentation would be
  43. //% appreciated but is not required.
  44. //% 2. Altered source versions must be plainly marked as such, and must not be
  45. //% misrepresented as being the original software.
  46. //% 3. This notice may not be removed or altered from any source distribution.
  47. //% Mark Adler [email protected]
  48.  
  49. //% BEGIN CODE DERIVED FROM puff.{c,h}
  50.  
  /* Size limits used by the decoder below. */
  #define MAXBITS 15                       /* longest code length; count[] arrays hold MAXBITS + 1 entries */
  #define MAXLCODES 286                    /* puff_dynamic() rejects more literal/length codes than this */
  #define MAXDCODES 30                     /* puff_dynamic() rejects more distance codes than this */
  #define MAXCODES (MAXLCODES + MAXDCODES) /* size of the combined code-length array */
  #define FIXLCODES 288                    /* number of code lengths in the fixed literal/length table */
  56.  
  /*
   * Decoder state shared by the puff_* routines: the output and input buffers
   * with their cursors, the pending-bit buffer, and the jump target that the
   * bit readers longjmp() to when the input is exhausted.
   */
  struct puff_state {
      unsigned char *out;      /* output buffer */
      unsigned long outlen;    /* capacity of out, in bytes */
      unsigned long outcnt;    /* bytes produced so far */
      const unsigned char *in; /* compressed input */
      unsigned long inlen;     /* bytes available at in */
      unsigned long incnt;     /* bytes consumed so far */
      int bitbuf;              /* bits taken from in but not yet handed out */
      int bitcnt;              /* number of valid bits in bitbuf */
      jmp_buf env;             /* set by puff(); target of the input-underrun longjmp */
  };
  /*
   * Return the next `need` bits of the input, low bit first.
   *
   * Whole bytes are pulled from s->in as required; bits that are read but not
   * consumed stay in s->bitbuf / s->bitcnt for the next call. Every byte read
   * is preceded by a bounds check against s->inlen. When the input is
   * exhausted the function does not return: it longjmp()s to s->env with 1.
   */
  static int puff_bits(struct puff_state *s, int need)
  {
      long acc = s->bitbuf;

      for (; s->bitcnt < need; s->bitcnt += 8) {
          if (s->incnt == s->inlen) {
              longjmp(s->env, 1); /* out of input */
          }
          const long byte = s->in[s->incnt++];
          acc |= byte << s->bitcnt; /* new byte goes above the bits already held */
      }

      const long mask = (1L << need) - 1;
      s->bitbuf = (int)(acc >> need);
      s->bitcnt -= need;
      return (int)(acc & mask);
  }
  /*
   * Copy one stored (uncompressed) block from input to output.
   *
   * Returns 0 on success, 2 when the input is too short for the header or the
   * payload, 1 when the payload does not fit in the output buffer, and -2 when
   * the 16-bit length does not match its one's complement.
   *
   * Zero bytes are not written; the output position is only advanced. That
   * relies on the output buffer already holding zeros there. The caller in this
   * file passes a fresh anonymous mapping.
   */
  static int puff_stored(struct puff_state *s)
  {
      /* Stored blocks start on a byte boundary: drop any pending bits. */
      s->bitcnt = 0;
      s->bitbuf = 0;

      /* The 4-byte header (LEN, ~LEN) must be present before it is read. */
      if (s->incnt + 4 > s->inlen) {
          return 2;
      }
      const unsigned char lo = s->in[s->incnt++];
      const unsigned char hi = s->in[s->incnt++];
      unsigned len = lo | ((unsigned)hi << 8);

      if (s->in[s->incnt++] != (~len & 0xff)) {
          return -2;
      }
      if (s->in[s->incnt++] != ((~len >> 8) & 0xff)) {
          return -2;
      }

      /* Both buffers are bounds-checked before any byte is copied. */
      if (s->incnt + len > s->inlen) {
          return 2;
      }
      if (s->outcnt + len > s->outlen) {
          return 1;
      }

      while (len-- != 0) {
          const unsigned char byte = s->in[s->incnt++];
          if (byte != 0) {
              s->out[s->outcnt] = byte;
          }
          s->outcnt++;
      }
      return 0;
  }
  /*
   * Huffman decoding table in the form puff_construct() builds and
   * puff_decode() reads. Both members point at storage owned by the caller.
   */
  struct puff_huffman {
      short *count;  /* count[len]: number of symbols whose code is len bits long */
      short *symbol; /* symbols ordered by code length, then by symbol value */
  };
  /*
   * Decode one symbol from the input using table h.
   *
   * Bits are taken one at a time, first from the pending bits in s->bitbuf and
   * then from further input bytes, until the accumulated code falls inside the
   * range of codes of the current length. Returns the decoded symbol, or -10
   * when no code of up to MAXBITS bits matches. On input exhaustion it does
   * not return: it longjmp()s to s->env with 1.
   */
  static int puff_decode(struct puff_state *s, const struct puff_huffman *h)
  {
      int bits = s->bitbuf;  /* bits being consumed */
      int avail = s->bitcnt; /* how many of them are usable */
      int code = 0;          /* code accumulated so far */
      int first = 0;         /* first code of the current length */
      int index = 0;         /* index in h->symbol of that first code */
      int len = 1;           /* current code length */

      for (;;) {
          for (; avail != 0; avail--) {
              code |= bits & 1;
              bits >>= 1;
              const int count = h->count[len];
              if (code - count < first) {
                  /* Code is of length len: save leftover bits and return. */
                  s->bitbuf = bits;
                  s->bitcnt = (s->bitcnt - len) & 7;
                  return h->symbol[index + (code - first)];
              }
              index += count;
              first = (first + count) << 1;
              code <<= 1;
              len++;
          }

          avail = (MAXBITS + 1) - len;
          if (avail == 0) {
              return -10; /* ran past the longest code length */
          }
          if (s->incnt == s->inlen) {
              longjmp(s->env, 1); /* out of input */
          }
          bits = s->in[s->incnt++];
          if (avail > 8) {
              avail = 8;
          }
      }
  }
  /*
   * Build decoding table h from n code lengths in length[].
   *
   * Returns 0 for a complete code (also when every length is zero), a negative
   * value for an over-subscribed code, and a positive value for an incomplete
   * one; in the non-zero cases the value is the number of unused codes left.
   *
   * NOTE(review): length[i] indexes h->count and offs[] with no range check
   * here. The callers in this file only pass lengths in 0..15; confirm that
   * before reusing this with other inputs.
   */
  static int puff_construct(struct puff_huffman *h, const short *length, int n)
  {
      /* Histogram: how many symbols use each code length. */
      for (int bits = 0; bits <= MAXBITS; bits++) {
          h->count[bits] = 0;
      }
      for (int sym = 0; sym < n; sym++) {
          h->count[length[sym]]++;
      }
      if (h->count[0] == n) {
          return 0; /* no symbol has a code */
      }

      /* Walk the lengths, tracking how many codes remain unassigned. */
      int left = 1;
      for (int bits = 1; bits <= MAXBITS; bits++) {
          left = (left << 1) - h->count[bits];
          if (left < 0) {
              return left; /* more codes requested than exist at this length */
          }
      }

      /* offs[len] is where the symbols of length len start in h->symbol. */
      short offs[MAXBITS + 1];
      offs[1] = 0;
      for (int bits = 1; bits < MAXBITS; bits++) {
          offs[bits + 1] = offs[bits] + h->count[bits];
      }

      /* Place every symbol that has a code, in symbol order within a length. */
      for (int sym = 0; sym < n; sym++) {
          const short bits = length[sym];
          if (bits != 0) {
              h->symbol[offs[bits]++] = sym;
          }
      }
      return left;
  }
  /*
   * Decode literal/length and distance codes until the end-of-block symbol.
   *
   * Returns 0 at end of block, 1 when the output buffer is full, -10 for an
   * invalid length symbol, -11 when a distance reaches back before the start
   * of the output, or a negative value passed up from puff_decode().
   *
   * Zero bytes are never stored; the output position is only advanced, so the
   * output buffer is expected to hold zeros already.
   *
   * NOTE(review): the symbol returned for the distance code indexes the
   * 30-entry tables below with no upper-bound check. The callers in this file
   * build distance tables with at most MAXDCODES symbols; confirm if reused.
   */
  static int puff_codes(struct puff_state *s, const struct puff_huffman *lencode,
                        const struct puff_huffman *distcode)
  {
      /* Base length and extra-bit count for length symbols 257..285. */
      static const short len_base[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
                                         15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
                                         67, 83, 99, 115, 131, 163, 195, 227, 258};
      static const short len_extra[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
                                          2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
      /* Base distance and extra-bit count for distance symbols 0..29. */
      static const short dist_base[30] = {
          1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
          33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
          1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
      static const short dist_extra[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
                                           4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
                                           9, 9, 10, 10, 11, 11, 12, 12, 13, 13};

      for (;;) {
          int symbol = puff_decode(s, lencode);
          if (symbol < 0) {
              return symbol;
          }
          if (symbol == 256) {
              return 0; /* end of block */
          }

          if (symbol < 256) {
              /* Literal byte. */
              if (s->outcnt == s->outlen) {
                  return 1;
              }
              if (symbol != 0) {
                  s->out[s->outcnt] = symbol;
              }
              s->outcnt++;
              continue;
          }

          /* Length/distance pair. */
          symbol -= 257;
          if (symbol >= 29) {
              return -10;
          }
          int len = len_base[symbol] + puff_bits(s, len_extra[symbol]);

          symbol = puff_decode(s, distcode);
          if (symbol < 0) {
              return symbol;
          }
          const unsigned dist = dist_base[symbol] + puff_bits(s, dist_extra[symbol]);

          /* Reject references before the start of the output and copies that
           * would run past its end, before touching the buffer. */
          if (dist > s->outcnt) {
              return -11;
          }
          if (s->outcnt + len > s->outlen) {
              return 1;
          }

          for (; len != 0; len--) {
              if (dist <= s->outcnt) {
                  const unsigned char prev = s->out[s->outcnt - dist];
                  if (prev != 0) {
                      s->out[s->outcnt] = prev;
                  }
              }
              s->outcnt++;
          }
      }
  }
  /*
   * Decode a block that uses the fixed Huffman tables.
   *
   * The two tables live in function-local statics and are built on the first
   * call only. There is no locking around that one-time build. Returns
   * whatever puff_codes() returns.
   */
  static int puff_fixed(struct puff_state *s)
  {
      static int tables_ready = 0;
      static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
      static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
      static struct puff_huffman lencode, distcode;

      if (!tables_ready) {
          short lengths[FIXLCODES];

          lencode.count = lencnt;
          lencode.symbol = lensym;
          distcode.count = distcnt;
          distcode.symbol = distsym;

          /* Literal/length code lengths: 8, 9, 7, 8 bits over four ranges. */
          for (int sym = 0; sym < FIXLCODES; sym++) {
              if (sym < 144) {
                  lengths[sym] = 8;
              } else if (sym < 256) {
                  lengths[sym] = 9;
              } else if (sym < 280) {
                  lengths[sym] = 7;
              } else {
                  lengths[sym] = 8;
              }
          }
          puff_construct(&lencode, lengths, FIXLCODES);

          /* Every distance code is 5 bits long. */
          for (int sym = 0; sym < MAXDCODES; sym++) {
              lengths[sym] = 5;
          }
          puff_construct(&distcode, lengths, MAXDCODES);

          tables_ready = 1;
      }
      return puff_codes(s, &lencode, &distcode);
  }
  /*
   * Decode a block whose Huffman tables are transmitted in the block itself.
   *
   * Reads the table sizes, the code-length code, then the literal/length and
   * distance code lengths, builds both tables and hands over to puff_codes().
   *
   * Returns the result of puff_codes(), or:
   *   -3  too many literal/length or distance codes
   *   -4  code-length code is not complete
   *   -5  "repeat previous length" with no previous length
   *   -6  a repeat would run past the announced number of lengths
   *   -7  invalid literal/length code lengths
   *   -8  invalid distance code lengths
   *   -9  no code for the end-of-block symbol (256)
   * A negative value from puff_decode() is passed up unchanged.
   */
  static int puff_dynamic(struct puff_state *s)
  {
      /* Order in which the code-length code lengths are transmitted. */
      static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
                                      11, 4, 12, 3, 13, 2, 14, 1, 15};

      const int nlen = puff_bits(s, 5) + 257;
      const int ndist = puff_bits(s, 5) + 1;
      const int ncode = puff_bits(s, 4) + 4;
      /* Sizes are validated before they are used to index lengths[]. */
      if (nlen > MAXLCODES || ndist > MAXDCODES) {
          return -3;
      }

      /* First ncode entries come from the input, the remainder are zero. */
      short lengths[MAXCODES];
      for (int i = 0; i < 19; i++) {
          lengths[order[i]] = (i < ncode) ? puff_bits(s, 3) : 0;
      }

      short lencnt[MAXBITS + 1], lensym[MAXLCODES];
      struct puff_huffman lencode = {lencnt, lensym};
      if (puff_construct(&lencode, lengths, 19) != 0) {
          return -4;
      }

      /* Read nlen + ndist code lengths, expanding the repeat symbols. */
      const int total = nlen + ndist;
      int filled = 0;
      while (filled < total) {
          int symbol = puff_decode(s, &lencode);
          if (symbol < 0) {
              return symbol;
          }
          if (symbol < 16) {
              lengths[filled++] = symbol;
              continue;
          }

          int value = 0; /* length to repeat; zero unless symbol is 16 */
          int repeat;
          switch (symbol) {
          case 16:
              if (filled == 0) {
                  return -5;
              }
              value = lengths[filled - 1];
              repeat = 3 + puff_bits(s, 2);
              break;
          case 17:
              repeat = 3 + puff_bits(s, 3);
              break;
          default:
              repeat = 11 + puff_bits(s, 7);
              break;
          }
          /* The repeat count is checked against the end of lengths[] in use. */
          if (filled + repeat > total) {
              return -6;
          }
          while (repeat-- != 0) {
              lengths[filled++] = value;
          }
      }

      if (lengths[256] == 0) {
          return -9;
      }

      /* An incomplete code is accepted only when it has a single code. */
      int err = puff_construct(&lencode, lengths, nlen);
      if (err != 0 && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) {
          return -7;
      }

      short distcnt[MAXBITS + 1], distsym[MAXDCODES];
      struct puff_huffman distcode = {distcnt, distsym};
      err = puff_construct(&distcode, lengths + nlen, ndist);
      if (err != 0 && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) {
          return -8;
      }

      return puff_codes(s, &lencode, &distcode);
  }
  /*
   * Inflate the raw deflate stream at source into dest.
   *
   * On entry *destlen is the capacity of dest; on return it is the number of
   * output bytes produced, on failure as well. Returns 0 on success, 2 when
   * the input ends early (reported through the longjmp from the bit readers),
   * 1 when dest is too small, -1 for an invalid block type, or the negative
   * code of the block decoder that failed.
   */
  static int puff(unsigned char *dest, unsigned long *destlen,
                  const unsigned char *source, unsigned long sourcelen)
  {
      struct puff_state s = {
          .in = source,
          .inlen = sourcelen,
          .incnt = 0,
          .out = dest,
          .outlen = *destlen,
          .outcnt = 0,
          .bitbuf = 0,
          .bitcnt = 0,
      };
      int err;

      if (setjmp(s.env) == 0) {
          int last;
          do {
              last = puff_bits(&s, 1); /* final-block flag */
              switch (puff_bits(&s, 2)) { /* block type */
              case 0:
                  err = puff_stored(&s);
                  break;
              case 1:
                  err = puff_fixed(&s);
                  break;
              case 2:
                  err = puff_dynamic(&s);
                  break;
              default:
                  err = -1;
                  break;
              }
          } while (err == 0 && !last);
      } else {
          /* Reached through longjmp: the input was exhausted mid-stream. */
          err = 2;
      }

      *destlen = s.outcnt;
      return err;
  }
  334.  
  335. //% END CODE DERIVED FROM puff.{c,h}
  336.  
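  #define ZLIB_HEADER_WIDTH 2

  /*
   * Inflate a zlib-wrapped buffer and write the result to dest_fd.
   *
   * The first ZLIB_HEADER_WIDTH bytes are skipped without being validated, and
   * no trailing checksum is verified here. Only the deflate stream itself is
   * checked, by puff(). Input shorter than the header is treated as empty and
   * reported as success.
   *
   * The output is staged in an anonymous mapping of 132 MiB. That is a hard
   * cap on the decompressed size: puff() fails once it is reached.
   *
   * Returns 0 on success and -1 on failure. On a decode failure errno is set
   * to the negated puff() code, so it is negative for puff()'s positive codes.
   * On a write failure errno is the value write() left, or EIO if write()
   * made no progress.
   *
   * Short writes and EINTR are retried, so they are no longer reported as a
   * failure with a stale errno, and errno from a failed write is preserved
   * across the munmap() that follows.
   */
  static int puff_zlib_to_file(const unsigned char *source,
                               unsigned long sourcelen, int dest_fd)
  {
      if (sourcelen < ZLIB_HEADER_WIDTH) {
          return 0;
      }
      source += ZLIB_HEADER_WIDTH;
      sourcelen -= ZLIB_HEADER_WIDTH;

      const unsigned long max_destlen = 132 << 20;
      void *map = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
                       MAP_PRIVATE | MAP_ANON, -1, 0);
      if (map == MAP_FAILED) {
          return -1;
      }
      unsigned char *dest = (unsigned char *)map;
      unsigned long destlen = max_destlen;

      int failed = 0;
      int saved_errno = 0;

      int err = puff(dest, &destlen, source, sourcelen);
      if (err) {
          failed = 1;
          saved_errno = -err;
      } else {
          unsigned long done = 0;
          while (done < destlen) {
              ssize_t n = write(dest_fd, dest + done, destlen - done);
              if (n < 0) {
                  if (errno == EINTR) {
                      continue; /* interrupted before writing anything: retry */
                  }
                  failed = 1;
                  saved_errno = errno;
                  break;
              }
              if (n == 0) {
                  /* No progress and no error code: stop rather than spin. */
                  failed = 1;
                  saved_errno = EIO;
                  break;
              }
              done += (unsigned long)n;
          }
      }

      if (!failed) {
          return munmap(dest, max_destlen);
      }
      munmap(dest, max_destlen);
      errno = saved_errno; /* munmap() must not mask the original cause */
      return -1;
  }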
  365.  
  /*
   * Inflate the compressed image at data into a memfd and attach that memfd
   * to the loop device loopname.
   *
   * If the device is busy, its current backing file is detached with
   * LOOP_CLR_FD and the attach is retried once after 1 ms. On success the
   * memfd is closed, the open loop device descriptor is stored in *loopfd_p
   * and 0 is returned. On failure every descriptor opened here is closed,
   * errno holds the value captured at the failing call and -1 is returned.
   */
  static int setup_loop_device(unsigned char *data, unsigned long size,
                               const char *loopname, int *loopfd_p)
  {
      int saved = 0;
      int loopfd = -1;

      int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
      if (memfd == -1) {
          saved = errno;
          goto fail;
      }

      if (puff_zlib_to_file(data, size, memfd) != 0) {
          saved = errno;
          goto fail;
      }

      loopfd = open(loopname, O_RDWR);
      if (loopfd == -1) {
          saved = errno;
          goto fail;
      }

      if (ioctl(loopfd, LOOP_SET_FD, memfd) != 0) {
          if (errno != EBUSY) {
              saved = errno;
              goto fail;
          }
          /* Busy: drop whatever is attached and try exactly once more. */
          ioctl(loopfd, LOOP_CLR_FD, 0);
          usleep(1000);
          if (ioctl(loopfd, LOOP_SET_FD, memfd) != 0) {
              saved = errno;
              goto fail;
          }
      }

      close(memfd);
      *loopfd_p = loopfd;
      return 0;

  fail:
      /* Close in reverse order of acquisition; -1 means "never opened". */
      if (loopfd != -1) {
          close(loopfd);
      }
      if (memfd != -1) {
          close(memfd);
      }
      errno = saved;
      return -1;
  }
  408.  
  /*
   * Detach the backing file of loop device loopname. Best effort: failure to
   * open the device or to clear it is ignored and nothing is reported.
   */
  static void reset_loop_device(const char *loopname)
  {
      const int fd = open(loopname, O_RDWR);
      if (fd != -1) {
          (void)ioctl(fd, LOOP_CLR_FD, 0); /* result deliberately unused */
          close(fd);
      }
  }
  419.  
  /*
   * Mount a filesystem image on directory `dir`.
   *
   * When size is non-zero, the zlib-compressed image at `image` is inflated
   * and attached to /dev/loop<procid>, which becomes the mount source;
   * otherwise the source is NULL. The target directory is created first and
   * the result of mkdir() is ignored. The option string is copied into a
   * 256-byte buffer with 32 bytes held back, so longer input is silently
   * truncated and the suffixes appended below always fit.
   *
   * Per-filesystem adjustments:
   *   iso9660  MS_RDONLY is added to flags
   *   ext*     ",errors=continue" is appended when the options contain
   *            "errors=panic" or no standalone "errors=remount-ro"
   *   xfs      ",nouuid" is appended
   *
   * Returns -1 with errno set if the loop device setup, mount(), open() or
   * chdir() fails. On success it returns the descriptor of the opened target
   * directory when change_dir is zero, and the result of chdir() (0) when it
   * is non-zero. errno is set to 0 on success. The loop device is detached
   * again before returning, on success as well as on failure.
   *
   * NOTE(review): with change_dir set, the descriptor from open() is
   * overwritten by the chdir() result and never closed.
   */
  static long syz_mount_image(volatile long fsarg, volatile long dir,
                              volatile long flags, volatile long optsarg,
                              volatile long change_dir,
                              volatile unsigned long size, volatile long image)
  {
      unsigned char *data = (unsigned char *)image;
      int res = -1, err = 0;
      const int need_loop_device = (size != 0);
      const char *mount_opts = (char *)optsarg;
      const char *target = (char *)dir;
      const char *fs = (char *)fsarg;
      const char *source = NULL;
      char loopname[64];

      if (need_loop_device) {
          int loopfd;
          memset(loopname, 0, sizeof(loopname));
          snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
          if (setup_loop_device(data, size, loopname, &loopfd) == -1) {
              return -1;
          }
          /* Only the device path is needed from here on. */
          close(loopfd);
          source = loopname;
      }

      mkdir(target, 0777);

      /* Zero-filled buffer plus a copy limit below its size keeps opts
       * NUL-terminated even when strncpy() truncates. */
      char opts[256] = {0};
      strncpy(opts, mount_opts, sizeof(opts) - 32);

      if (strcmp(fs, "iso9660") == 0) {
          flags |= MS_RDONLY;
      } else if (strncmp(fs, "ext", 3) == 0) {
          static const char remount_ro[] = "errors=remount-ro";
          bool has_remount_ro = false;
          const char *hit = strstr(opts, remount_ro);
          if (hit != NULL) {
              /* Only the first occurrence is examined; it counts when it is
               * a whole comma-separated option, not part of a longer one. */
              const char next = hit[sizeof(remount_ro) - 1];
              const char prev = (hit == opts) ? '\0' : hit[-1];
              const bool starts_option = (prev == '\0' || prev == ',');
              const bool ends_option = (next == '\0' || next == ',');
              has_remount_ro = starts_option && ends_option;
          }
          if (!has_remount_ro || strstr(opts, "errors=panic") != NULL) {
              strcat(opts, ",errors=continue");
          }
      } else if (strcmp(fs, "xfs") == 0) {
          strcat(opts, ",nouuid");
      }

      res = mount(source, target, fs, flags, opts);
      if (res != -1) {
          res = open(target, O_RDONLY | O_DIRECTORY);
          if (res != -1 && change_dir) {
              res = chdir(target);
          }
      }
      if (res == -1) {
          err = errno; /* captured right after whichever call failed */
      }

      if (need_loop_device) {
          reset_loop_device(loopname);
      }
      errno = err;
      return res;
  }
  486.  
  /* Result slots for calls made in main(). Both start as all-ones; main()
   * stores the open() result in r[0] only when that call did not return -1. */
  uint64_t r[2] = {UINT64_MAX, UINT64_MAX};
  488.  
  489. int main(void)
  490. {
  491. syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  492. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  493. /*offset=*/0ul);
  494. syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
  495. /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
  496. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  497. /*offset=*/0ul);
  498. syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
  499. /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
  500. /*offset=*/0ul);
  501. intptr_t res = 0;
  502. memcpy((void*)0x20000040, "ext4\000", 5);
  503. memcpy((void*)0x20000000, "./file1\000", 8);
  504. memcpy((void*)0x20000280, "errors=remount-ro", 17);
  505. *(uint8_t*)0x20000291 = 0x2c;
  506. memcpy((void*)0x20000292, "nojournal_checksum", 18);
  507. *(uint8_t*)0x200002a4 = 0x2c;
  508. memcpy((void*)0x200002a5, "dioread_lock", 12);
  509. *(uint8_t*)0x200002b1 = 0x2c;
  510. memcpy((void*)0x200002b2, "grpquota", 8);
  511. *(uint8_t*)0x200002ba = 0x2c;
  512. memcpy((void*)0x200002bb, "noauto_da_alloc", 15);
  513. *(uint8_t*)0x200002ca = 0x2c;
  514. memcpy((void*)0x200002cb, "resgid", 6);
  515. *(uint8_t*)0x200002d1 = 0x3d;
  516. sprintf((char*)0x200002d2, "0x%016llx", (long long)0);
  517. *(uint8_t*)0x200002e4 = 0x2c;
  518. memcpy((void*)0x200002e5, "barrier", 7);
  519. *(uint8_t*)0x200002ec = 0x2c;
  520. memcpy((void*)0x200002ed, "data_err=ignore", 15);
  521. *(uint8_t*)0x200002fc = 0x2c;
  522. memcpy((void*)0x200002fd, "usrquota", 8);
  523. *(uint8_t*)0x20000305 = 0x2c;
  524. *(uint8_t*)0x20000306 = 0;
  525. memcpy(
  526. (void*)0x20001b00,
  527. "\x78\x9c\xec\xdd\xdf\x6b\x5b\xd7\x1d\x00\xf0\xef\xbd\xb6\xb2\xfc\x70\x66"
  528. "\x67\xdb\x43\x16\x58\x16\x96\x0c\x27\x6c\x91\xec\x78\x49\xcc\x1e\xb2\x0c"
  529. "\xc6\xf2\x14\xd8\x96\xbd\x67\x9e\x2d\x1b\x63\xd9\x32\x96\x9c\xc4\x26\x0c"
  530. "\x87\xfd\x01\x83\x31\xd6\x42\x9f\xfa\xd4\x97\x42\xff\x80\x42\xc9\x9f\x50"
  531. "\x0a\x81\xf6\xbd\xb4\xa5\xa5\xb4\x49\xfb\xd0\x87\xb6\x2a\x92\xae\xd2\xc4"
  532. "\x95\x62\x87\xc8\xbe\x60\x7f\x3e\x70\x7c\xcf\xb9\x57\xd2\xf7\x7b\x6c\x74"
  533. "\x75\xcf\xbd\xc7\xba\x01\xec\x5b\xa7\x22\xe2\x6a\x44\x0c\x44\xc4\xb9\x88"
  534. "\x18\xce\xd6\xa7\x59\xb9\xd6\x6c\x6c\xb4\x1f\xf7\xe8\xe1\xdd\xe9\x66\x49"
  535. "\xa2\xd1\xb8\xf1\x59\x12\x49\xb6\xae\xf3\x5a\x49\xb6\x3c\xd2\x7e\x4a\x1c"
  536. "\x8c\x88\xbf\x5d\x8b\xf8\x67\xf2\xc3\xb8\xb5\xb5\xf5\x85\xa9\x4a\xa5\xbc"
  537. "\x92\xb5\x4b\xf5\xc5\xe5\x52\x6d\x6d\xfd\xfc\xfc\xe2\xd4\x5c\x79\xae\xbc"
  538. "\x34\x31\x31\x7e\x69\xf2\xf2\xe4\xc5\xc9\xb1\xbe\xf4\x73\x24\x22\xae\xfc"
  539. "\xe9\xa3\xff\xff\xe7\xb5\x3f\x5f\x79\xeb\xb7\xb7\xdf\xbf\xf9\xc9\xd9\x7f"
  540. "\x35\xd3\x1a\xca\xb6\x3f\xd9\x8f\x7e\x6a\x77\xbd\xd0\xfa\x5d\x74\x0c\x46"
  541. "\xc4\xca\x4e\x04\xcb\xc1\x40\xb6\x2c\xe4\x9c\x07\x00\x00\xdb\xd3\x3c\xc6"
  542. "\xff\x49\x44\xfc\xaa\x75\xfc\x3f\x1c\x03\xad\xa3\x53\x00\x00\x00\x60\x2f"
  543. "\x69\xfc\x61\x28\xbe\x4e\x22\x1a\x00\x00\x00\xc0\x9e\x95\xb6\xe6\xc0\x26"
  544. "\x69\x31\x9b\x0b\x30\x14\x69\x5a\x2c\xb6\xe7\xf0\xfe\x2c\x0e\xa7\x95\x6a"
  545. "\xad\xfe\x9b\xd9\xea\xea\xd2\x4c\x7b\xae\xec\x48\x14\xd2\xd9\xf9\x4a\x79"
  546. "\x2c\x9b\x2b\x3c\x12\x85\xa4\xd9\x1e\xcf\xe6\xd8\x76\xda\x17\x36\xb5\x27"
  547. "\x22\xe2\x58\x44\xfc\x6f\xf8\x50\xab\x5d\x9c\xae\x56\x66\xf2\x3e\xf9\x01"
  548. "\x00\x00\x00\xfb\xc4\x91\x4d\xe3\xff\x2f\x87\xdb\xe3\x7f\x00\x00\x00\x60"
  549. "\x8f\x19\xc9\x3b\x01\x00\x00\x00\x60\xc7\x19\xff\x03\x00\x00\xc0\xde\x67"
  550. "\xfc\x0f\x00\x00\x00\x7b\xda\x5f\xae\x5f\x6f\x96\x46\xe7\xfe\xd7\x33\xb7"
  551. "\xd6\x56\x17\xaa\xb7\xce\xcf\x94\x6b\x0b\xc5\xc5\xd5\xe9\xe2\x74\x75\x65"
  552. "\xb9\x38\x57\xad\xce\xb5\xbe\xb3\x6f\x71\xab\xd7\xab\x54\xab\xcb\xbf\x8b"
  553. "\xa5\xd5\x3b\xa5\x7a\xb9\x56\x2f\xd5\xd6\xd6\x6f\x2e\x56\x57\x97\xea\x37"
  554. "\xe7\x9f\xba\x05\x36\x00\x00\x00\xb0\x8b\x8e\xfd\xf2\xfe\x7b\x49\x44\x6c"
  555. "\xfc\xfe\x50\xab\x34\x1d\xc8\x3b\x29\x60\x57\x24\xcf\xf3\xe0\x0f\x77\x2e"
  556. "\x0f\x60\xf7\x0d\xe4\x9d\x00\x90\x9b\xc1\xbc\x13\x00\x72\x53\xc8\x3b\x01"
  557. "\x20\x77\x5b\x9d\x07\xe8\x39\x79\xe7\xed\xfe\xe7\x02\x00\x00\xec\x8c\xd1"
  558. "\x9f\xf7\xbe\xfe\xef\xdc\x00\xec\x6d\x69\xde\x09\x00\x00\xbb\xce\xf5\x7f"
  559. "\xd8\xbf\x0a\x66\x00\xc2\xbe\xf7\xe3\x2d\xb6\xbf\xf8\xf5\xff\x46\xe3\xb9"
  560. "\x12\x02\x00\x00\xfa\x6e\xa8\x55\x92\xb4\x98\x5d\x0b\x1c\x8a\x34\x2d\x16"
  561. "\x23\x8e\xb6\x6e\x0b\x50\x48\x66\xe7\x2b\xe5\xb1\x6c\x7c\xf0\xee\x70\xe1"
  562. "\x47\xcd\xf6\x78\xeb\x99\xc9\xf3\xfd\xef\x30\x00\x00\x00\x00\x00\x00\x00"
  563. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xec\x63\x8d\x46\x12\x0d"
  564. "\x00\x00\x00\x60\x4f\x8b\x48\x3f\x4e\x5a\xdf\xe6\x1f\x31\x3a\x7c\x66\x68"
  565. "\xf3\xf9\x81\x03\xc9\x57\xc3\xad\x65\x44\xdc\x7e\xe5\xc6\x4b\x77\xa6\xea"
  566. "\xf5\x95\xf1\xe6\xfa\xcf\x1f\xaf\xaf\xbf\x9c\xad\xbf\x90\xc7\x19\x0c\x00"
  567. "\x00\x00\x60\xb3\xce\x38\xbd\x33\x8e\x07\x00\x00\x00\x00\x00\x00\x00\x00"
  568. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  569. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  570. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x7e\x7a\xf4\xf0\xee\x74\xa7"
  571. "\xec\x66\xdc\x4f\xff\x18\x11\x23\xdd\xe2\x0f\xc6\xc1\xd6\xf2\x60\x14\x22"
  572. "\xe2\xf0\x17\x49\x0c\x3e\xf1\xbc\x24\x22\x06\xfa\x10\x7f\xe3\x5e\x44\x1c"
  573. "\xef\x16\x3f\x69\xa6\x15\x23\x59\x16\xdd\xe2\x1f\xca\x31\x7e\x1a\x11\x47"
  574. "\xfa\x10\x1f\xf6\xb3\xfb\xcd\xfd\xcf\xd5\x6e\xef\xbf\x34\x4e\xb5\x96\xdd"
  575. "\xdf\x7f\x83\x59\x79\x51\xbd\xf7\x7f\xe9\xe3\xfd\xdf\x40\x8f\xfd\xcf\xd1"
  576. "\x6d\xc6\x38\xf1\xe0\x8d\x52\xcf\xf8\xf7\x22\x4e\x0c\x76\xdf\xff\x74\xe2"
  577. "\x27\x3d\xe2\x9f\xde\x66\xfc\x7f\xfc\x7d\x7d\xbd\xd7\xb6\xc6\xab\x11\xa3"
  578. "\x5d\x3f\x7f\x92\xa7\x62\x95\xea\x8b\xcb\xa5\xda\xda\xfa\xf9\xf9\xc5\xa9"
  579. "\xb9\xf2\x5c\x79\x69\x62\x62\xfc\xd2\xe4\xe5\xc9\x8b\x93\x63\xa5\xd9\xf9"
  580. "\x4a\x39\xfb\xd9\x35\xc6\x7f\x7f\xf1\xe6\xb7\xcf\xea\xff\xe1\x1e\xf1\x47"
  581. "\xb6\xe8\xff\x99\x6d\xf6\xff\x9b\x07\x77\x1e\xfe\xb4\x5d\x2d\x74\x8b\x7f"
  582. "\xf6\x74\xf7\xcf\xdf\xe3\x3d\xe2\xa7\xd9\x67\xdf\xaf\xb3\x7a\x73\xfb\x68"
  583. "\xa7\xbe\xd1\xae\x3f\xe9\xe4\xeb\xef\x9c\x7c\x56\xff\x67\x7a\xf4\x7f\xab"
  584. "\xbf\xff\xd9\x6d\xf6\xff\xdc\x5f\xff\xfd\xc1\x36\x1f\x0a\x00\xec\x82\xda"
  585. "\xda\xfa\xc2\x54\xa5\x52\x5e\x51\x51\x51\x51\x79\x5c\xc9\x7b\xcf\x04\x00"
  586. "\x00\xf4\xdb\xf7\x07\xfd\x79\x67\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  587. "\x00\x00\x00\x00\x00\x00\xfb\xd7\x6e\x7c\x9d\xd8\xe6\x98\x1b\xf9\x74\x15"
  588. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  589. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  590. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  591. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  592. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  593. "\x00\x00\x00\x00\xe0\x99\xbe\x0b\x00\x00\xff\xff\xf7\xa0\xd4\xed",
  594. 1204);
  595. syz_mount_image(/*fs=*/0x20000040, /*dir=*/0x20000000,
  596. /*flags=MS_REC|MS_NOATIME|0x100*/ 0x4500, /*opts=*/0x20000280,
  597. /*chdir=*/0x13, /*size=*/0x4b4, /*img=*/0x20001b00);
  598. memcpy((void*)0x200000c0, "./file1\000", 8);
  599. res = syscall(
  600. __NR_open, /*file=*/0x200000c0ul,
  601. /*flags=O_SYNC|O_NONBLOCK|O_NOCTTY|O_NOATIME|O_DIRECT|O_CREAT|0x2002*/
  602. 0x147942ul, /*mode=*/0ul);
  603. if (res != -1)
  604. r[0] = res;
  605. *(uint64_t*)0x20006940 = 0;
  606. *(uint32_t*)0x20006948 = 0;
  607. *(uint64_t*)0x20006950 = 0;
  608. *(uint64_t*)0x20006958 = 0;
  609. *(uint64_t*)0x20006960 = 0;
  610. *(uint64_t*)0x20006968 = 0;
  611. *(uint32_t*)0x20006970 = 0;
  612. *(uint32_t*)0x20006978 = 0;
  613. *(uint64_t*)0x20006980 = 0;
  614. *(uint32_t*)0x20006988 = 0;
  615. *(uint64_t*)0x20006990 = 0;
  616. *(uint64_t*)0x20006998 = 0;
  617. *(uint64_t*)0x200069a0 = 0;
  618. *(uint64_t*)0x200069a8 = 0;
  619. *(uint32_t*)0x200069b0 = 0;
  620. *(uint32_t*)0x200069b8 = 0;
  621. *(uint64_t*)0x200069c0 = 0;
  622. *(uint32_t*)0x200069c8 = 0;
  623. *(uint64_t*)0x200069d0 = 0;
  624. *(uint64_t*)0x200069d8 = 0;
  625. *(uint64_t*)0x200069e0 = 0;
  626. *(uint64_t*)0x200069e8 = 0;
  627. *(uint32_t*)0x200069f0 = 0x40000;
  628. *(uint32_t*)0x200069f8 = 0;
  629. *(uint64_t*)0x20006a00 = 0;
  630. *(uint32_t*)0x20006a08 = 0;
  631. *(uint64_t*)0x20006a10 = 0;
  632. *(uint64_t*)0x20006a18 = 0;
  633. *(uint64_t*)0x20006a20 = 0;
  634. *(uint64_t*)0x20006a28 = 0;
  635. *(uint32_t*)0x20006a30 = 0x4010;
  636. *(uint32_t*)0x20006a38 = 0;
  637. *(uint64_t*)0x20006a40 = 0;
  638. *(uint32_t*)0x20006a48 = 0;
  639. *(uint64_t*)0x20006a50 = 0;
  640. *(uint64_t*)0x20006a58 = 0;
  641. *(uint64_t*)0x20006a60 = 0;
  642. *(uint64_t*)0x20006a68 = 0;
  643. *(uint32_t*)0x20006a70 = 4;
  644. *(uint32_t*)0x20006a78 = 0;
  645. *(uint64_t*)0x20006a80 = 0;
  646. *(uint32_t*)0x20006a88 = 0;
  647. *(uint64_t*)0x20006a90 = 0;
  648. *(uint64_t*)0x20006a98 = 0;
  649. *(uint64_t*)0x20006aa0 = 0;
  650. *(uint64_t*)0x20006aa8 = 0;
  651. *(uint32_t*)0x20006ab0 = 0x810;
  652. *(uint32_t*)0x20006ab8 = 0;
  653. *(uint64_t*)0x20006ac0 = 0;
  654. *(uint32_t*)0x20006ac8 = 0;
  655. *(uint64_t*)0x20006ad0 = 0;
  656. *(uint64_t*)0x20006ad8 = 0;
  657. *(uint64_t*)0x20006ae0 = 0;
  658. *(uint64_t*)0x20006ae8 = 0;
  659. *(uint32_t*)0x20006af0 = 0x4000000;
  660. *(uint32_t*)0x20006af8 = 0;
  661. *(uint64_t*)0x20006b00 = 0;
  662. *(uint32_t*)0x20006b08 = 0;
  663. *(uint64_t*)0x20006b10 = 0;
  664. *(uint64_t*)0x20006b18 = 0;
  665. *(uint64_t*)0x20006b20 = 0;
  666. *(uint64_t*)0x20006b28 = 0;
  667. *(uint32_t*)0x20006b30 = 0x4000040;
  668. *(uint32_t*)0x20006b38 = 0;
  669. *(uint64_t*)0x20006b40 = 0;
  670. *(uint32_t*)0x20006b48 = 0;
  671. *(uint64_t*)0x20006b50 = 0x20006640;
  672. *(uint64_t*)0x20006640 = 0x200055c0;
  673. memcpy(
  674. (void*)0x200055c0,
  675. "\xd7\x0c\x1e\x77\x9f\xdf\x5a\xf4\x0d\x1e\xaf\xb9\x55\x45\xf0\xf0\x6d\xd9"
  676. "\x18\xb7\xef\xd1\x86\x0b\x52\x73\xaf\xc5\x97\xeb\x9d\x2b\x96\xcc\x4f\xfc"
  677. "\x88\x6a\xdf\x00\x0a\xda\x2c\x45\x38\x42\x02\x8d\xc9\xfe\x46\x4c\x83\x49"
  678. "\x36\x4e\x73\x3b\x1c\xb0\x11\x7f\xd2\xb6\x46\x1b\x65\x4a\xb3\x2f\xe2\xd4"
  679. "\x2a\xf8\xd9\x0e\x5a\xe9\xe3\xad\x03\x90\x99\x5f\xc2\x38\xfe\xb1\xd2\xdd"
  680. "\x90\x89\x72\xd5\x30\x70\x16\xce\x1d\x10\xbd\x9d\xd5\xfc\x3d\x1c\x83\xbd"
  681. "\x42\xf7\x32\x12\xca\x3c\x1a\xcc\xdd\x0b\x87\x07\xb6\x68\x61\x9d\x55\xfe"
  682. "\x3a\xa6\x6c\x3b\x47\x84\xbe\x2a\x51\x6d\x6c\x12\xd4\x1a\x58\xa7\xa9\xdf"
  683. "\xf7\x9c\xca\x25\xcb\x72\xe5\xcd\xec\x51\x65\x3d\xe7\x4b\xb8\x24\x59\x90"
  684. "\xe5\xdd\x08\xa1\x43\x7e\x1f\x71\xdb\x3b\xbd\xf7\xbc\x2e\x84\x0a\xbd\x7d"
  685. "\xc3\x48\x0d\x23\xa4\x28\xc2\xb6\xca\x07\x9c\x3d\xb7\x1e\xf3\x7b\xa2\x2c"
  686. "\x23\x59\xd0\xa9\x12\xea\xe3\x14\x29\xa6\xf0\x52\x53\x6d\x1d\xcb\xdc\x53"
  687. "\x5e\x2b\x96\x92\xe3\xe4\x12\xae\xf8\xcd\x3a\xa6\xbe\xec\x76\x18\x25\xe8"
  688. "\x8c\x0f\xe2\x36\xc2\xd2\x70\xb0\x08\xde\x26\xd7\x60\x8d\xdb\x81\x41\xed"
  689. "\xf8\x34\xc2\xa2\xa3\x76\xac\x00\x9c\x93\xc7\xcd\x88\xee\x60\xab\xb0\xa1"
  690. "\xcb\x0c\x23\xde\x1f\xd7\x9f\xd5\x84\x09\xa7\xbe\x67\x10\x2e\x12\x69\x1d"
  691. "\x70\x64\xd4\x95\x7d\xce\x72\x69\x1f\x16\x30\x1b\xf1\x23\x34\x8d\x96\x29"
  692. "\x5f\x54\x2e\xde\x74\x8e\x72\x44\x0d\xd2\x1a\x81\x41\x1a\x4c\x55\xa2\xe1"
  693. "\x5b\x5b\xf0\x92\x02\xbe\x5a\x95\x98\x98\xb1\xf0\x5c\x55\x15\xc4\xea\x33"
  694. "\xb1\x45\x2b\xe3\x36\x7d\x5b\x74\x85\xf4\xa6\xd7\xc0\xa1\x02\x56\x4f\xae"
  695. "\xbe\xb4\xa7\x76\x9a\x1c\xfe\xe8\x50\x9f\x78\x5f\x67\x52\xbe\xd9\x62\xcd"
  696. "\x6b\x04\x32\x63\x59\x40\x1f\x8c\x6f\x77\xf2\xb9\xd1\x7c\x13\x69\xec\x59"
  697. "\x12\xf7\x59\xc6\x58\x17\x6d\x44\x8a\x1d\x7c\x3c\xd0\xb9\x46\x3a\xd6\xce"
  698. "\x9b\x2e\x31\x6a\x13\xfe\x7f\xdd\x0e\x2d\x86\x6e\xd6\x67\x53\xc7\xab\xe9"
  699. "\x44\x33\xab\xd5\xe4\x21\xe4\x2a\xac\xa1\x6c\x62\xd5\xe4\x89\x04\x09\x62"
  700. "\xe0\x6d\x49\xbb\x62\xaf\x4d\x19\xa5\xf3\x16\xb9\x45\x14\x15\xe1\x38\x3b"
  701. "\x71\xd6\xd2\xc7\x48\x9c\xdc\x77\xd0\x2d\x8f\x7a\xeb\x67\x5d\xd8\x86\x2d"
  702. "\xe6\x3d\x00\x17\xc2\xec\x8e\xd3\x4e\x70\x0e\xcd\x6f\x9d\xb9\xb3\x8c\x27"
  703. "\x97\x14\x3b\xcc\x8f\x5e\x46\xd3\xe5\xe5\x64\x0d\x04\xe5\xdd\xbf\x19\x99"
  704. "\x54\x40\xbd\x01\x68\xae\x6d\xc4\x6e\xe9\x73\x12\x15\x36\xc8\x7a\xd0\xe7"
  705. "\xcd\x3f\xaa\xd4\x9f\xa1\xf4\xde\x42\xbe\xc1\x88\xa5\x2e\x0d\xb7\x67\xdf"
  706. "\xdb\xe6\x54\x13\x60\x31\x1c\xb9\x3b\xd9\x06\x9d\xe2\x09\xc2\xc3\x70\xfd"
  707. "\xe7\x4d\xc6\xb2\xa1\x48\xc2\x49\x98\xa2\xac\x0f\x17\xaa\x1e\xde\xc9\x99"
  708. "\xf9\xdf\x54\x2c\x2e\x2a\x65\x94\xa1\xf0\x14\x44\xb5\x88\xfd\x7a\xcd\xb4"
  709. "\xa4\x44\x27\xbe\x63\xdb\x9c\x8b\xc3\x4b\x65\xf2\xce\xbf\x8e\xaf\x72\x88"
  710. "\x61\xa1\x21\x6e\x79\x3e\x61\x38\x48\x94\xb4\xa0\x9c\x00\xca\x46\x52\xc9"
  711. "\xb3\x8f\x13\xa4\x46\x34\xf0\x23\x3e\x66\xd8\xf3\xc0\x28\x07\x44\xb8\x30"
  712. "\x19\xfe\xd8\xe4\xae\xa0\xe2\xbe\x62\x21\x74\x6d\xf1\xa6\x34\xa9\xc8\xa1"
  713. "\x24\xb9\x7c\x9f\xbe\xca\xca\xd6\x37\x7d\x8f\xe1\x0a\x16\xf7\x49\x3d\x84"
  714. "\x37\xc1\xb8\x61\x43\x68\x73\xba\x1d\x22\x46\x2f\x5f\xae\x5a\x08\xf7\x53"
  715. "\x40\x24\x2e\xbe\x79\xd0\xc2\x19\x18\xaf\xb7\xfa\xf2\x50\x5f\xb1\x50\x5c"
  716. "\x65\xf6\x65\xc3\x44\x3e\xd9\x1d\xb7\x34\x1f\x7a\x0c\x86\x16\xb5\x8c\x28"
  717. "\x4b\x6c\xfb\xd3\x8e\x66\x55\xaa\x37\x46\xf8\xa7\x01\xf3\xaa\x78\x3e\xfd"
  718. "\x32\xab\x99\x72\x4f\xf9\xc3\x4c\x8d\xca\xde\xa3\x63\x28\x56\x12\x09\x82"
  719. "\xe7\xdc\x50\x1f\x48\x5a\x3f\x20\xcc\x61\x40\x10\x16\x97\x6c\xe6\xdf\xdb"
  720. "\x65\xb3\xfc\xf6\xe5\x9a\x27\xf2\x0e\x11\xa9\x1f\x12\x1f\xb3\x3b\xc1\xf1"
  721. "\x9c\x7a\x8e\xd4\xb3\x8e\xba\x1e\x1e\x93\xd2\x60\xc1\x93\xac\xc4\x3f\x85"
  722. "\x96\xe1\xad\xef\x2b\xed\x8a\x01\xd5\x9e\xca\xda\x8f\xa4\x44\xd9\x4d\xc1"
  723. "\x55\x75\x99\x95\x72\x1c\xf9\xb6\x18\xc6\x40\x52\x91\xdf\x51\xd8\x66\x1c"
  724. "\x52\x6c\x8a\x28\x4d\xcf\x7c\xcb\xec\xca\x9e\x2d\x69\xd6\x57\xa2\x54\x0c"
  725. "\x7e\xe4\xf1\x80\xb8\x52\x89\x6b\x61\x96\xc5\xdf\xbd\x14\xf4\xcb\xde\x3e"
  726. "\xd5\xc5\x0e\xc1\x61\x2d\x25\x88\x4f\x3c\x78\xe1\x47\x34\x4e\xb1\xba\x09"
  727. "\x03\x12\xc6\xb2\x97\x89\xd5\x0a\xf5\xf7\x83\x4c\x55\x25\xb2\x1c\x8a\x6a"
  728. "\x27\x24\x16\xaa\xad\x22\x76\x7e\x6b\xcc\x2c\x86\x2c\x4e\x95\xb2\x8c\x92"
  729. "\x66\x3b\x6c\x88\x61\x30\xc1\xab\xbb\x31\x93\x7f\xef\xb2\x33\x92\x11\xb3"
  730. "\x48\x16\xe0\xb0\x9b\x20\x77\x4a\x4d\xd6\x82\x05\x09\xca\xf2\x4b\x17\xb8"
  731. "\xc8\xbd\xa0\xf0\x14\xe2\xff\x14\xf7\x20\x58\x8d\x03\xba\xa8\x3d\xf1\x2a"
  732. "\xb4\x0c\x06\x59\x99\x81\x41\x65\xce\xa8\x71\xe3\x30\x3c\xda\xad\xc9\x8f"
  733. "\x99\x23\x27\xdf\x4d\x05\xd4\x25\xdd\x4d\x50\x96\x2c\xbe\x10\xac\xe3\xb8"
  734. "\xc1\x57\x9c\x8c\xd0\x66\xd8\x8d\x6e\x54\x01\x04\x9c\xb1\xe7\xe8\x5e\xb4"
  735. "\x82\xbc\x52\x36\xe0\x8b\x71\xd1\x02\x85\xcb\x95\x3f\x8f\x5c\x12\x37\x75"
  736. "\x27\x4f\xc5\xea\xea\x9c\xa1\x22\x2b\x73\xd2\xaa\xbb\x6a\x74\xfd\x5f\x3c"
  737. "\x23\x85\x59\x7b\xc7\x12\xfc\x30\xd2\x68\xc0\xef\x38\x1f\x1b\x4d\xa6\xac"
  738. "\x88\xba\x86\xc3\x5f\x0c\xa8\x88\x52\xc2\x31\xe9\xae\x0d\x91\x3c\xb4\xf0"
  739. "\x7a\x5b\xfb\x94\x2b\x4b\xb1\xf2\xfe\x8a\x83\x53\xaa\x7a\x13\xbd\xe9\xb8"
  740. "\xd4\x70\xc6\xb9\xbd\xf8\x1d\x9a\x5b\x4c\x2f\xd2\x93\xad\x2c\x84\xc7\x96"
  741. "\x13\xa1\x87\x6e\x67\xba\xd1\x79\xd8\x44\x66\x19\xd6\x72\xc0\x9c\x60\x7d"
  742. "\xdb\x20\x9e\xa5\x02\xda\xf6\x4c\x11\xd3\x84\xc3\xac\x27\x90\x7d\xe4\x16"
  743. "\xf8\x26\xf6\xea\x6f\x7b\x9d\x7b\xe1\x05\x2e\xdd\x54\x8e\x28\x4d\xbc\x0f"
  744. "\xf0\xee\xca\xaf\xcf\x21\x28\xfd\x30\x8b\xf2\x0e\xfb\x47\x0e\x03\x56\x7a"
  745. "\xc6\x02\xd7\x87\x7d\xb9\xa3\x5c\x49\x7f\x8e\x05\x07\x9c\x04\xe2\xaf\xa0"
  746. "\xec\xf9\x76\x2a\xdf\x15\x5d\x05\x89\x34\xbe\xc0\xc1\x7c\x46\x7f\x59\x67"
  747. "\x07\xbb\x00\xeb\x89\x95\x3a\xa3\x98\x39\xaf\x0b\x2d\xa8\xa4\xe9\x9e\x1e"
  748. "\x16\x3c\x49\xb6\x45\x6e\x0f\xac\xb4\x2e\x2d\xd4\xa0\x91\xbb\x5a\x7d\x89"
  749. "\x7d\xa6\xd1\xda\x06\x53\x87\xc2\xb7\x38\x3f\xbf\xb0\x66\xfb\x02\x74\x2b"
  750. "\x26\x37\xd1\x3a\xf0\x72\xb0\xed\x11\x88\x87\x8f\xad\x16\x01\x3b\x62\xeb"
  751. "\x79\x8c\x1f\x5f\x95\xbe\x91\xec\x90\x4c\x9a\x6a\x71\x04\x56\x55\xdc\xc4"
  752. "\xf7\x23\x88\xb0\x50\x37\x1e\x2a\x3a\x53\x42\xdc\xea\xa8\xcb\x88\x3f\x64"
  753. "\xa7\xe5\xcc\x54\x1b\xc7\xd4\x75\xa4\x15\x6e\x31\x9d\x96\x9c\xaa\x04\x77"
  754. "\xd7\xdc\xe2\x88\x6d\xa4\xb3\x3d\x6b\x64\x2e\xbf\x7c\x1f\xce\x38\x4e\xc7"
  755. "\x4c\xa3\xd6\xf2\x04\x99\x1a\x7f\x8b\xca\x5e\x9b\xd2\xc5\xb3\x41\x9c\x58"
  756. "\x71\x51\x97\xe8\x3f\x52\x48\xf7\x5f\x15\x53\x25\x06\xbc\x8e\x6f\x08\x33"
  757. "\xb9\x5a\x34\xf4\xe7\xde\xf7\x94\xba\x47\x24\x78\xf0\xd7\x2f\x36\x50\xde"
  758. "\x4c\x61\xe2\xe4\xf1\x95\x18\xd9\x51\xf5\x1e\x36\x11\xad\xc2\x46\x0e\xe0"
  759. "\xa0\x45\x7b\x52\x85\x90\x8e\x8d\x35\x1d\xc9\x0f\xc9\xc7\xd4\x0a\x08\x70"
  760. "\x30\x7c\x02\x16\x3f\x4f\x68\xc5\xed\xf2\x0d\x03\x88\x92\x18\xcd\x4e\x9b"
  761. "\x6b\x85\xaa\xe2\xf1\xfa\x76\x34\x3b\x10\x22\x13\x9f\xe5\xe4\xd8\x27\xf4"
  762. "\xa2\xd0\xe6\x73\x87\x2d\x72\xb5\xe3\xd0\x55\x25\xcb\x16\x46\x99\x31\x05"
  763. "\x19\x5f\xca\xd1\x6e\xdd\x36\x35\x20\x43\x3e\xc5\xe2\x76\xeb\x80\x41\x56"
  764. "\x7b\xf5\xd4\xcb\x7d\x53\xe0\x10\x1e\x7a\x0e\xce\xf0\x07\x7d\x51\x57\x0f"
  765. "\xe5\x74\x40\x1e\x57\x29\xc7\xf4\x2c\x58\x2a\x03\xb2\x3b\x9b\xb4\x6f\x9a"
  766. "\xbc\xa4\x51\x47\x35\x90\x42\xc6\xfb\x6c\x99\x5a\xdc\x34\x8d\x98\xe3\xa3"
  767. "\x5a\xb1\xe9\xd5\x70\xd9\x46\x7c\xf6\x2f\xd7\x1e\x0b\x04\x33\x87\x35\x9b"
  768. "\xef\x17\xf1\x16\x39\xce\x59\xb8\x78\xbb\x5d\x02\xc9\xf1\xed\xf0\xcd\x7d"
  769. "\x36\x76\x48\xd9\x61\xad\x1d\xad\x34\x10\x4f\xa2\xda\x56\x0e\x41\x0a\xb8"
  770. "\xd4\xf0\xea\x78\x16\xa9\x9c\xc0\x03\x8e\x7d\xeb\x06\x81\x21\x2b\x40\x7b"
  771. "\x53\x99\x88\x44\xba\x58\xd8\x78\x72\x64\x44\x05\xc2\xdb\xdf\x8c\x80\xee"
  772. "\x7c\xb0\xbb\x0b\x1c\x65\xdd\x96\xec\x88\xd1\x6e\x38\x9f\xd3\xeb\x6b\x5a"
  773. "\x82\x01\xd1\x4a\xec\x65\x38\x9b\x0f\x2c\x96\x3b\xad\xf2\xa6\xd7\x66\x80"
  774. "\x3f\x2c\x7b\xfb\x92\xab\x24\x18\x3d\xbb\x11\xfc\xb3\xdc\xb0\x51\x35\x3b"
  775. "\xc4\xda\xe9\x08\xc0\x69\x2f\x15\xc1\x29\x62\x4d\x6f\xe9\x24\x27\x37\x1b"
  776. "\xa7\x45\xe7\x7d\x58\x2f\xa5\x9d\x22\x07\xb1\x20\x27\x1a\x3a\x96\xd0\x54"
  777. "\x54\xc4\x70\x84\xd5\x14\x51\xdc\xbb\x9a\x03\xa0\xe0\x46\x13\x96\xc5\x16"
  778. "\xba\x5a\x03\x4a\xea\xbc\xdf\x6a\x24\x45\x38\x76\xbd\x05\xc8\xba\xfd\x69"
  779. "\x39\xe4\xb3\xc4\x74\x62\xd1\x84\xef\xe4\xf2\xcd\x1a\xfa\xc8\x67\x32\x5c"
  780. "\x67\xb4\x15\x6f\xa9\xfe\xde\x19\xa6\x0e\x73\x86\xbf\x32\xbe\xb3\x27\x24"
  781. "\x49\xa9\x3e\x54\xdd\x01\x52\x62\x39\xe6\xaf\x99\x8b\xaf\x97\x26\xea\xd3"
  782. "\x06\xf2\x50\x0e\xe0\x17\xa9\x11\x6a\x02\xd7\x74\xb9\x55\xc4\xdd\xde\x3a"
  783. "\xda\xbd\x5e\xa6\x4f\x31\xd5\xea\x35\x55\xbb\xed\xe7\x84\x3a\x9b\x2b\xde"
  784. "\x62\x7d\x6a\x48\xfe\xcf\x68\x0e\xc3\x1f\xe8\x97\xfc\xc8\x2e\xfa\xb5\xa4"
  785. "\xff\x9b\xa4\x65\x3c\x84\xe2\x88\xad\xf3\x15\xdf\x53\x75\x0e\x8f\x32\x71"
  786. "\x63\x5f\xa6\x8e\xec\xcb\x20\xa5\x01\xa3\x01\xb1\xc8\xeb\xeb\x8f\x2f\xfb"
  787. "\x53\x54\x63\x20\xc5\x2a\x3d\xb9\xfc\x7a\x40\xf0\x00\xa8\x4a\x1a\x27\x41"
  788. "\x8f\x1f\x98\xee\x66\xff\x0a\x68\x84\x06\xd3\x5e\xf3\xe3\xde\x83\xe5\xab"
  789. "\x70\x80\xff\xcb\xf7\xd9\x96\x64\x70\xd8\x5a\xd9\x14\x83\x4e\x4b\xc5\xf0"
  790. "\xa3\x7e\x32\x24\xf0\x3c\x2d\xc6\x25\xbe\x85\xc9\x5c\x1b\xa7\xa3\xdd\x0c"
  791. "\x05\x2e\xb0\x62\x8d\x0c\xf5\x48\x06\xd5\xd4\x72\xe5\xfe\x81\x09\xff\x2b"
  792. "\x2b\xe9\x2d\xa6\xb9\x8e\xba\xe7\xc1\x13\x23\xca\x7b\xa3\xe5\x5c\x98\x98"
  793. "\x26\x54\xa3\xf0\x77\xcc\x59\xb3\x84\xb3\x74\x2d\xb6\x69\xf3\xc0\x1c\x08"
  794. "\x09\x66\x2f\x27\xd7\xc1\xc8\xfd\xf4\xea\x51\x3e\x7f\x5d\x52\xc4\xdc\xb9"
  795. "\x61\xa9\x90\xa2\xc5\x38\x83\x49\xe3\xc3\xf2\xcd\x02\x16\x56\xa6\xa5\x46"
  796. "\xe0\x99\xda\x2d\x7a\x94\x79\xa8\x17\x98\xfc\x6b\xec\xc9\xf9\x55\x80\x05"
  797. "\x04\x21\x08\x27\x36\x8e\xd4\xc3\x8d\x95\x91\xac\x58\x52\x6a\x8d\x20\x42"
  798. "\x31\xbe\x4a\xf9\x37\x6c\x75\x40\x38\x52\x3b\x8c\x65\xa1\x62\x28\xa2\x91"
  799. "\xc5\xf3\xd2\x8f\xd6\x94\x4b\xb1\x0b\x03\xc3\x33\xba\xa5\x3b\x4e\x10\x63"
  800. "\x8b\xf7\x6b\xfa\x08\x3e\xbf\x19\xb9\x70\x20\x91\x96\x70\x91\x3d\x4a\x7f"
  801. "\x68\x79\xee\x59\x8e\x7d\xac\xf8\xcf\x54\x2c\x36\x3f\xf0\xc9\xba\x02\x24"
  802. "\x5d\x89\xb4\xcc\x10\xc1\x23\x8f\x1c\x2a\xaa\xc9\xf7\x77\x67\x48\x81\xab"
  803. "\xc8\x45\xee\xc4\x30\xe8\x90\x40\x55\x18\xaa\x8e\xbf\xa8\x4e\xdd\x5b\xf5"
  804. "\x2d\x82\x6c\x74\x0f\x7d\xb6\xfd\x5b\xb7\x90\xb1\x53\xad\x73\x9d\xc7\x09"
  805. "\xa4\x9d\x68\x16\xe2\x77\x2a\xb2\x17\x0d\x53\xa5\xac\x01\x7a\x18\x27\xc3"
  806. "\x09\xbb\xa2\xf2\xb7\x81\xd0\xc5\xab\xc9\x33\x72\x30\x57\x74\xb6\x49\x6d"
  807. "\x6e\x37\xc7\x3b\x15\xc4\xe1\x66\x81\x61\xbe\x28\x94\x62\xf7\xf6\x9f\x78"
  808. "\x07\xbd\xb1\x63\x10\xb5\xed\x2b\xa9\x0a\x04\xba\xef\x39\x08\x9f\x71\xb3"
  809. "\x29\x4b\x1d\xcb\x8f\x92\x74\x46\xab\xed\x24\x2b\x05\xf9\x83\x67\xdb\xaa"
  810. "\xf4\x81\x57\x83\xb0\x42\xc2\xec\x53\xbd\xe0\xb4\x17\x47\x92\x72\x9a\x2c"
  811. "\xba\xf7\x23\x9c\x33\xdd\xcd\x5a\xda\x8d\x3e\xdd\xaf\xb6\xc6\xf0\x13\xe3"
  812. "\x11\x60\x70\x29\x67\x41\x9e\xf3\x94\x9d\x7d\x8b\xff\xcb\x91\x0c\x17\xde"
  813. "\xef\xf2\xc6\x21\xa3\x3c\xc6\x51\x66\x3d\xa7\x6b\xaf\xa2\x41\x7a\x10\x0c"
  814. "\x26\x81\xab\x6b\x01\x46\x15\x96\xc7\x0a\x64\x32\x28\x0c\xdd\xf8\xfa\x18"
  815. "\x4f\x62\xc6\xc5\xde\x1a\x94\x93\xed\x56\x3f\xa4\x44\x27\x84\xe6\x7e\x71"
  816. "\x54\xf3\x90\xd3\x7b\xc5\xce\x47\xd2\x71\xd5\xae\x8e\x07\xf3\x9d\x97\x18"
  817. "\xeb\xd7\x0e\x92\xde\x6f\xba\xf8\x45\x5d\x2a\x47\x09\x0c\x47\x62\xbf\x65"
  818. "\x18\xea\xba\x8c\x64\xd7\x5b\x2d\xb1\xbf\x3a\x0b\xbd\xaa\x2a\x64\x0d\x8b"
  819. "\x62\x3e\x7d\xda\x75\x81\x53\x62\xf2\xc5\x8d\x8e\x29\xf3\x10\xf9\x3b\x5f"
  820. "\x68\xe8\xae\xa5\x41\x6a\xc7\xaa\x62\x15\x41\x47\x09\xa7\xfa\x10\x22\x40"
  821. "\x42\x64\x7d\x05\x35\xe3\xe3\xb7\x2a\x1b\xe0\xd3\x0a\xc3\x92\xc8\x45\xda"
  822. "\xb5\x53\xd6\xf3\x3e\x9a\x99\x09\xa7\xc0\xea\x67\x0c\x2f\xa9\x93\x2e\xee"
  823. "\xd0\x36\xdc\x78\x95\x0b\x3d\x24\x38\x3c\x76\x6e\xfa\xa8\x38\x22\x5e\xf8"
  824. "\xdc\x9f\x7a\x4f\x0a\xa3\x95\xec\xad\x1c\xea\x88\xf9\x2a\x5a\xb6\x5b\x10"
  825. "\x73\xd0\xf2\xfa\x57\x2c\xf6\x96\x40\x44\xf6\x52\xe9\x0c\x9d\x45\xed\x4b"
  826. "\x01\x54\x13\x7c\x0a\x46\x66\xaf\x81\xb3\xb6\x73\x26\x65\x32\x52\xa7\x3d"
  827. "\xbc\x6d\x97\x96\x14\xe4\x56\x1d\xaa\x91\xb4\xb0\xa5\x86\xf2\x2e\xf2\x68"
  828. "\xce\xdf\xdc\xe4\xdc\x17\x5f\x22\x9a\x18\x16\x43\xf7\x09\x15\x3f\x45\x06"
  829. "\xb2\x93\x56\x0a\x44\x9d\x39\x03\x5d\x6c\x3c\x6c\x50\x45\xcb\x03\x39\x57"
  830. "\x8c\x74\xc1\x67\xfb\xc2\x30\xcb\xe3\x8d\xe8\x6e\x5c\x43\xc5\x4c\x4e\xba"
  831. "\x75\x53\x34\xe2\x89\x22\x7f\xd4\x18\x38\xd4\xf3\xb3\x06\x6d\xd8\x00\x2b"
  832. "\x09\x0c\x59\x24\x2a\x4a\x1e\x43\x10\x1d\x20\xe8\xef\xf0\x3a\xdc\x9c\x1d"
  833. "\xf7\x0b\x16\x24\xee\x7e\xbf\x1e\x7c\x97\x7b\xc1\x23\xc5\x03\x28\xa4\x32"
  834. "\xa2\xcd\xa4\x1b\xaf\x9e\x6c\x0b\xf1\xe4\xa0\x3c\x45\xf6\x07\x17\x4d\x9f"
  835. "\x77\xe8\x57\x38\x3c\xda\xdc\x81\x5a\x91\x64\x65\x3a\x9f\xd1\xbd\x74\x0a"
  836. "\xd1\x45\xd0\x5e\x8f\x27\xcf\x2c\x5a\x4a\x00\xac\xc7\xa8\x18\xf8\x87\xc2"
  837. "\xb0\xd6\x1b\x0b\x6c\x80\x81\xfd\x42\xe8\xe6\x03\xb5\x17\xe9\x78\xa3\xb8"
  838. "\x11\xe4\xec\x2c\xee\x6c\x29\xe9\xb9\xb0\xc1\xff\x45\x1a\x0c\x63\xbf\x1b"
  839. "\x99\x88\xaa\xf3\xad\xcd\xf5\xb7\xa4\x10\x04\xd4\xe0\xf3\x43\x9c\x1c\x11"
  840. "\x38\x2c\xd6\x1f\x9a\x26\x6d\x87\x83\x6a\x4c\x89\xb2\x64\x8a\xb0\x47\xb2"
  841. "\x09\xcf\xb2\x83\xb5\xd2\xa4\x9e\xa9\x5d\xa5\x20\x2b\xbe\x30\xd8\xc9\x42"
  842. "\x08\x94\x69\x66\x77\x9c\x50\x04\x1e\x5e\xbd\x1c\x44\xde\xfc\xc3\x52\x81"
  843. "\xc0\x67\xaf\x79\xcc\x00\x10\xe2\x10\xe3\x8a\x75\xc3\x0a\xc5\x4e\x8c\xc6"
  844. "\x81\x07\xf3\x05\x50\x36\xbf\x5c\xe4\xcb\x76\xf7\x98\xf7\x63\x73\xe1\xff"
  845. "\xe0\x06\xb2\x67\x01\x00\x44\xaa\x79\xf6\xbb\xf7\x71\xfa\xcf\xcd\x6c\x2d"
  846. "\x8e\xec\xae\x0a\xf1\xb1\x6d\x89\xee\x10\xe0\x30\x17\xc4\xe5\x79\x27\x10"
  847. "\x15\xc6\x7c\x70\x49\x00\x8f\xd9\xec\x60\xbe\x21\x29\x47\x69\x9a\x5b\x3c"
  848. "\x23\xb1\xb3\xbe\x15\x7b\x56\x17\x8a\x9d\x17\x76\xaf\xca\x23\xe9\x8a\xe1"
  849. "\x43\x39\xc5\x8f\x23\xe4\xbf\xf3\xc5\xf1\xf2\x70\x56\xf4\x30\xd6\xc9\x82"
  850. "\xdd\x1b\xe7\x4a\x59\x2d\xe7\xca\xe1\xd0\x1e\xf1\xa9\x50\x3c\x49\x31\xaf"
  851. "\x2d\x2e\x03\x16\xa3\xfb\xa6\x98\x34\x16\x8f\x1a\xaf\x18\x96\x82\x35\x7d"
  852. "\xcf\xe3\xef\x61\x95\x55\x17\x29\x2a\xac\x61\x50\x73\x49\x42\x33\xf2\x5e"
  853. "\xfa\xf7\x1b\x04\xaa\x79\xba\x17\x5f\x3a\xe3\xf5\x10\x2a\xe8\xf3\xc0\x4e"
  854. "\xcd\x86\xc6\xfc\x9e\xec\x3b\xb6\x75\xf0\xc7\xc7\x50\x46\x39\x5d\xf9\x79"
  855. "\x80\xff\xc9\x62\x48\xb6\xf2\xa4\xe9\xff\x50\xc8\x44\x02\xdd\x88\x57\xc8"
  856. "\x4b\xe1\xbb\xb1\x8f\x9d\xea\xc2\x02\x4d\x32\xd7\x4c\x76\x57\x07\x36\xc6"
  857. "\xe4\x06\x67\x40\xd0\xdf\xd4\x71\x45\x89\x27\x7c\x57\x99\xbb\xbe\x2d\x07"
  858. "\x66\xe7\x6d\x6e\x84\x99\x02\xc6\x2b\x6b\x98\x6c\xf3\xfd\x46\xb6\x05\x1c"
  859. "\x7a\x82\x5c\xc2\x4b\xe9\x58\x39\x42\x5c\xa1\xd2\x17\x77\x4b\xac\x73\x6e"
  860. "\xba\x48\xae\x62\xb9\x68\xda\x28\x65\x77\xfd\x20\x34\x78\x64\x09\x90\xe4"
  861. "\xb1\xc3\x4b\x38\x7d\x62\xba\x96\x38\x5f\xb8\xe1\x79\xaf\x0f\xf3\xa9\xc2"
  862. "\x91\x87\x33\xaf\xdf\x92\xb4\x41\x09\xa5\x19\x31\x66\x71\xb4\x7f\x51\xae"
  863. "\x38\x95\x3f\x80\x1e\xf0\x2b\x66\xc0\x22\x1a\xc4\xf4\xa4\xea\x71\x32\x1e"
  864. "\xab\xbb\xac\x27\xc7\xad\xfe\x80\x28\x85\x40\x14\xab\x67\xc4\x8a\xd7\xba"
  865. "\xf8\x49\x56\xf6\x54\xbb\x3d\x0c\x33\x54\xa3\xe2\xfb\x28\xfd\x02\x74\x67"
  866. "\x93\x50\xf3\x3e\x4b\x23\xfe\x92\xeb\xe1\x75\xd0\x33\x86\x25\xc6\x3c\x85"
  867. "\x00\xf5\x9c\x4c\x7a\x6b\x22\xb8\x1b\x1a\x52\xcf\xde\x03\x1d\x18\x65\xf1"
  868. "\xd1\x5f\x69\xec\xdc\xbb\x40\xef\x6f\xc1\x2f\xad\xd9\x5b\xdd\x68\x62\x24"
  869. "\xce\x9c\xcf\x28\x17\x2a\x61\xd8\x8c\x0c\x74\xe9\xfb\x98\x0d\x20\xa5\xc8"
  870. "\x85\xc8\xa5\xda\x49\xc9\x0f\x0f\x5f\x0a\x9d\x71\xc2\x00\x9e\x5f\x0e\x49"
  871. "\x09\xd9\xc6\x8e\xc9\xa2\xb4\x45\xb4\xd3\x3a\xa6\x06\x44\xbc\x38\xa3\x45"
  872. "\x74\x5f\xb0\x9d\xb7\x29\x3f\x15\xfa\xe1\xd5\x04\xa4\xc1\x05\x01\x8d\x68"
  873. "\x8c\x23\xbe\x0b\xf7\x72\x43\x64\x8d\x46\x63\x47\x7d\xd1\x98\xca\x1d\xe0"
  874. "\xdc\x72\xa4\xfe\xed\xa8\x4b\xfe\x4e\xe2\xea\x89\x0f\xab\xa2\xc9\xfa\x00"
  875. "\x7e\x18\x0d\x63\xa5\x54\x83\xe5\x26\x0b\x00\x2e\xba\x05\xb5\x9d\xde\xdb"
  876. "\xa6\xe0\xe8\xd0\x22\x08\x54\xc2\x40\xb7\x5a\x8a\xe1\x78\x49\x28\x28\xdc"
  877. "\xf4\xba\xa4\xa2\x6a\xbe\x25\xa3\x9d\x79\x8f\x96\x6b\x9a\x39\x5a\x77\x04"
  878. "\xb6\x10\x0b\x1d\x60\xb5\x77\xb7\xe7\x8e\xd9\xa2\x21\xfb\xcb\xa6\x0b\xec"
  879. "\x72\x77\xc9\x24\xb1\x68\x1e\x38\xa7\xcd\x4d\x95\xb3\xce\x01\x5a\x72\xb5"
  880. "\x3c\x44\x43\xe7\x5a\x37\x26\x6b\x80\x23\x86\x5b\x65\xb8\xa9\x78\x99\x47"
  881. "\x03\x04\x40\x80\xb0\xb2\x5f\x75\x6b\x68\x2d\x46\x1d\x98\x82\xe7\x44\x3b"
  882. "\x42\x93\x9c\x8b\x92\xb3\xc2\x2a\x35\x46\xa2\xa5\xfb\x95\x09\xa3\x93\x41"
  883. "\xfd\x25\xe4\x97\x50\x5c\x5d\x32\xb0\x71\xc5\x39\x43\x0d\xc8\xc0\xa5\x36"
  884. "\x95\x4a\xee\xb0\x6d\xee\x1a\xc1\x7b\x9e\x21\xbe\xbc\xa2\x17\xfe\xaf\xb0"
  885. "\x1b\x4b\x61\xba\xdf\x35\xf5\xf9\xe2\xa5\x92\x94\x88\x6d\x54\xb1\x62\x34"
  886. "\xb5\x25\x73\x34\x85\x28\xde\x3d\xec\xf6\x79\xa7\x31\x35\x9e\x22\x48\x67"
  887. "\xb2\x5d\x5d\xd4\x9a\x94\x93\xc7\x54\x28\x09\xbb\x30\xa3\x8b\x6a\xbd\xa3"
  888. "\xee\xc8\x1f\x01\x13\x85\xd2\x48\xb8\x7c\xc2\x87\xbf\xe3\x47\x46\x33\xe0"
  889. "\x80\x0f\x85\xc6\x72\xf4\xc6\x31\xaa\x28\x86\xa6\xab\x35\x6b\xcb\x5d\x32"
  890. "\x66\xe5\xc2\x80\x66\x40\x3a\xf1\xcb\xda\xed\x5d\xd2\xe5\x35\x21\x45\x85"
  891. "\x7d\xb3\x4d\xeb\x69\x10\x4c\x79\xa2\x10\x80\x6e\xbe\xc0\x71\x4f\xe7\xcd"
  892. "\xc1\x2b\xa3\x1f\x25\x3d\x0e\x5d\xbc\x6c\x59\xa2\x96\x0a\x18\xc7\x5d\x85"
  893. "\x43\xcf\x3e\xf8\x6d\xad\xef\x77\x2d\xc3\x63\x5a\xfd\x93\xea\xd0\x5d\x85"
  894. "\x0f\xe6\x14\xd7\xee\xc6\x45\xe6\xe0\x82\x41\x38\xb2\xff\x59\xfe\x07\x7e"
  895. "\xbd\x2d\x4c\x74\xa4\xfb\xc8\xd3\xe6\x36\x5e\x2a\xe6\x17\xe2\x99\x67\x88"
  896. "\x0b\x4d\x88\x0d\xa9\x59\xb1\x17\x23\x14\xf5\xbc\x17\x65\xdb\x5c\x19\xa0"
  897. "\xd7\x6f\xa1\x02\xb5\xb6\x4f\x86\x57\xad\x9b\x68\x65\x4d\x61\xa8\xbd\xd0"
  898. "\x51\x92\xc1\x26\xaa\x25\xab\xfc\xc4\x22\xbd\x87\x2b\xbe\x82\x9a\x04\x1c"
  899. "\x7c\xe3\x43\xc8\x9f\x91\x92\x68\x16\x17\xc4\xef\x05\xb4\x0e\xb0\xe0\x63"
  900. "\x22\xae\x43\x07\x2c\xd7\x8a\x12\xbb\x1b\xc0\x1f\x2b\x93\x89\x24\xb9\xce"
  901. "\x1c\x85\xec\xd0\x3f\xc5\x04\x63\x2b\xfc\x56\x51\xe8\x4b\x06\x9b\x22\x7a"
  902. "\xdd\x89\x56\x21\x1f\x8d\x81\x73\xef\x70",
  903. 4096);
  904. *(uint64_t*)0x20006648 = 0x1000;
  905. *(uint64_t*)0x20006650 = 0;
  906. *(uint64_t*)0x20006658 = 0;
  907. *(uint64_t*)0x20006b58 = 2;
  908. *(uint64_t*)0x20006b60 = 0;
  909. *(uint64_t*)0x20006b68 = 0;
  910. *(uint32_t*)0x20006b70 = 0x2000000;
  911. *(uint32_t*)0x20006b78 = 0;
  912. syscall(__NR_sendmmsg, /*fd=*/-1, /*mmsg=*/0x20006940ul, /*vlen=*/9ul,
  913. /*f=MSG_OOB*/ 1ul);
  914. memcpy((void*)0x20000180, "./bus\000", 6);
  915. syscall(__NR_open, /*file=*/0x20000180ul,
  916. /*flags=O_TRUNC|O_SYNC|O_NOATIME|O_LARGEFILE|O_DIRECT|O_CREAT|0x3e*/
  917. 0x14d27eul, /*mode=*/0ul);
  918. memcpy((void*)0x20000380, "/dev/loop", 9);
  919. *(uint8_t*)0x20000389 = 0x30;
  920. *(uint8_t*)0x2000038a = 0;
  921. memcpy((void*)0x20000140, "./bus\000", 6);
  922. syscall(__NR_mount, /*src=*/0x20000380ul, /*dst=*/0x20000140ul, /*type=*/0ul,
  923. /*flags=MS_BIND*/ 0x1000ul, /*data=*/0ul);
  924. memcpy((void*)0x20000400, "./bus\000", 6);
  925. res = syscall(__NR_open, /*file=*/0x20000400ul,
  926. /*flags=O_SYNC|O_NOCTTY|O_NOATIME|O_RDWR|0x3c*/ 0x14113eul,
  927. /*mode=*/0ul);
  928. if (res != -1)
  929. r[1] = res;
  930. syscall(__NR_sendfile, /*fdout=*/r[0], /*fdin=*/r[1], /*off=*/0ul,
  931. /*count=*/0x8000005cul);
  932. syscall(__NR_write, /*fd=*/r[1], /*data=*/0x20000100ul, /*len=*/0x208e24bul);
  933. syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x40305829, /*arg=*/0ul);
  934. return 0;
  935. }
  936.  